Temat: OpenVPN – dostęp do LAN
Cześć, chciałbym prosić o pomoc, bo walczę z tym już tydzień i nie mogę się uporać. Chciałbym móc dostawać się ze świata poprzez OpenVPN do domowej sieci LAN. Serwerem jest Archer C7 v5, a klientem OpenVPN jest Android. Klient na telefonie to: OpenVPN Connect ver 3.3.0 (8367) - Android ver 11. Dodam, że gdy na TP-Linku było oryginalne oprogramowanie, to po połączeniu się komórką do serwera VPN miałem także dostęp do sieci LAN. Aktualnie dostęp VPN do routera działa: łączę się, mogę się zalogować do routera po IP 10.8.x.1, ale do LAN już nie. Próbowałem już przeróżnych konfiguracji w firewallu: forwarding, odblokowanie ruchu z sieci VPN do LAN, opcji push na serwerze w konfiguracji OpenVPN w stylu: push "192.168.0.0 255.255.255.0", ale nadal nie mam dostępu do LAN korzystając z OpenWrt. Czy mógłby ktoś podpowiedzieć, jak powinna wyglądać prawidłowa konfiguracja (firewall, network itd.)?
Poniżej konfiguracja całości:
root@OpenWrt:~# cat /etc/os-release
NAME="OpenWrt"
VERSION="22.03.0"
ID="openwrt"
ID_LIKE="lede openwrt"
PRETTY_NAME="OpenWrt 22.03.0"
VERSION_ID="22.03.0"
HOME_URL="https://openwrt.org/"
BUG_URL="https://bugs.openwrt.org/"
SUPPORT_URL="https://forum.openwrt.org/"
BUILD_ID="r19685-512e76967f"
OPENWRT_BOARD="ath79/generic"
OPENWRT_ARCH="mips_24kc"
OPENWRT_TAINTS=""
OPENWRT_DEVICE_MANUFACTURER="OpenWrt"
OPENWRT_DEVICE_MANUFACTURER_URL="https://openwrt.org/"
OPENWRT_DEVICE_PRODUCT="Generic"
OPENWRT_DEVICE_REVISION="v0"
OPENWRT_RELEASE="OpenWrt 22.03.0 r19685-512e76967f"
root@OpenWrt:~# cat /etc/config/network
# /etc/config/network — OpenWrt 22.03 UCI network configuration (pasted without indentation).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd72:b3d7:684e::/48'
# LAN bridge over the switch VLAN 1 device.
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
# LAN side: 192.168.0.0/24, router at 192.168.0.1 — the network VPN clients
# need a route to.
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ip6assign '60'
list ipaddr '192.168.0.1/24'
config device
option name 'eth0.2'
option macaddr '1c:4b:f3:60:29:c4'
# WAN: PPPoE over switch VLAN 2 (credentials are masked in this paste), IPv6 via wan6.
config interface 'wan'
option device 'eth0.2'
option proto 'pppoe'
option username 'xxxxxxxxxxxxx'
option password 'yyyyyyyy'
option ipv6 'auto'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
# Switch layout: VLAN 1 = LAN ports 2-5, VLAN 2 = WAN port 1, CPU port 0 tagged on both.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'
# Unmanaged placeholder interface for the OpenVPN tun device; it exists so the
# firewall can bind network 'ovpn' (tun0) to its own zone. Addressing is done by
# the OpenVPN daemon, not by netifd.
config interface 'ovpn'
option proto 'none'
option device 'tun0'
config device
option name 'eth0'
# Device-level settings for tun0 (IPv6 is switched off on it on the following line).
config device
option name 'tun0'
option ipv6 '0'
root@OpenWrt:~# cat /etc/config/firewall
# /etc/config/firewall — OpenWrt 22.03 (fw4/nftables) zones and rules, pasted without indentation.
# Global policy: traffic to the router (input) and from it (output) is accepted,
# forwarding between zones is rejected unless a zone or forwarding section allows it.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# lan zone: open in all three directions.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
# wan zone: nothing in from the Internet except the explicit rules below;
# NAT (masq) and MSS clamping (mtu_fix) for the PPPoE uplink.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# LAN hosts may initiate connections towards the Internet.
config forwarding
option src 'lan'
option dest 'wan'
# The rules from here down to Allow-ISAKMP match the stock OpenWrt defaults
# (DHCP/DHCPv6 renew, ping, IGMP/MLD, ICMPv6, IPsec pass-through).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Port forwards: TCP 443 and 80 from the Internet are DNAT'ed to 192.168.0.50.
# Unrelated to the VPN problem, but that host is directly exposed to the WAN:
# keep it patched, and if the remote clients are known, narrow the redirect
# with 'option src_ip'.
config redirect
option dest 'lan'
option target 'DNAT'
option name '443'
list proto 'tcp'
option src 'wan'
option src_dport '443'
option dest_ip '192.168.0.50'
option dest_port '443'
config redirect
option dest 'lan'
option target 'DNAT'
option name '80'
list proto 'tcp'
option src 'wan'
option src_dport '80'
option dest_ip '192.168.0.50'
option dest_port '80'
# VPN zone bound to the 'ovpn' interface (tun0). 'forward REJECT' is relaxed
# towards lan by the 'vpn to lan' rule below. 'input REJECT' also blocks VPN
# clients from reaching the router itself (LuCI/SSH/DNS on 10.8.x.1) over the
# tunnel — the post says the 10.8.x.1 login works, so confirm which zone tun0
# really lands in (e.g. 'fw4 print' or LuCI Status → Firewall).
config zone
option name 'ovpn_fw'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
list network 'ovpn'
option input 'REJECT'
# Lets the OpenVPN handshake in from the Internet: UDP 11944, matching
# 'option port' in /etc/config/openvpn. As configured the daemon answers any
# sender's TLS handshake; a tls-crypt/tls-auth key on the OpenVPN side would
# make it drop unauthenticated packets before the handshake starts.
config rule
option name 'Allow-OpenVPN'
list proto 'udp'
option src 'wan'
option dest_port '11944'
option target 'ACCEPT'
# Forwarding rule (src and dest both set): VPN clients → LAN, every protocol.
# With this in place the firewall does permit VPN→LAN, so LAN being unreachable
# points at the client lacking a route for 192.168.0.0/24 — the client log shows
# the pushed option as '[192.168.0.0] [255.255.255.0]' with no 'route' keyword.
config rule
option name 'vpn to lan'
list proto 'all'
option src 'ovpn_fw'
option dest 'lan'
option target 'ACCEPT'
root@OpenWrt:~# cat /etc/config/openvpn
# /etc/config/openvpn — OpenWrt UCI wrapper around the OpenVPN daemon; each
# 'config openvpn' section is one instance and its options map onto openvpn(8) directives.
# File-based instance pointing at a hand-written config. No 'enabled' option is
# visible for it, so it presumably is not started by the init script — confirm.
config openvpn 'custom_config'
option config '/etc/openvpn/my-vpn.conf'
# Server instance driven entirely from UCI options.
config openvpn 'sample_server'
# UDP on a non-default port (11944, matched by the 'Allow-OpenVPN' firewall rule), routed tun mode.
option proto 'udp'
option dev 'tun'
# Server PKI. No tls-crypt/tls-auth key is configured, so the UDP port answers
# TLS handshakes from any sender; adding one lets the daemon drop unauthenticated
# packets before the handshake and shrinks the exposed surface.
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/server.crt'
option key '/etc/openvpn/server.key'
option dh '/etc/openvpn/dh2048.pem'
# Client address persistence under /tmp — tmpfs on OpenWrt, so the mapping is
# lost on every reboot (harmless; clients simply get re-assigned).
option ifconfig_pool_persist '/tmp/ipp.txt'
# Ping every 10 s, restart after 120 s of silence; the client log shows these
# arriving as 'ping 10' / 'ping-restart 120'.
option keepalive '10 120'
# Keep key material and the tun device across restarts so the daemon can
# re-initialise after dropping privileges to 'nobody'.
option persist_key '1'
option persist_tun '1'
option user 'nobody'
# Debug-level logging (verb 5) — useful while diagnosing; 3 is the usual
# steady-state value. The status file also lives on tmpfs.
option status '/tmp/openvpn-status.log'
option verb '5'
option port '11944'
# NOTE(review): this is the LAN-access bug. The pushed string lacks the 'route'
# keyword, so the client receives a bare '192.168.0.0 255.255.255.0' option —
# the client log prints it as '0 [192.168.0.0] [255.255.255.0]' while the
# server-generated entry right after it reads '[route] [10.8.x.1]' — and
# therefore installs no route to the LAN. The intended directive is:
#   list push 'route 192.168.0.0 255.255.255.0'
list push '192.168.0.0 255.255.255.0'
# VPN subnet (third octet masked by the author); the client log shows the
# resulting net30 assignment 10.8.x.6 / 10.8.x.5.
option server '10.8.x.0 255.255.255.0'
# NOTE(review): compression is deprecated in OpenVPN because compressed VPN
# traffic is exposed to compression-oracle attacks (VORACLE); the client only
# negotiated LZO_STUB anyway per its log. Prefer removing this option and
# re-testing that the client still connects.
option comp_lzo 'adaptive'
option enabled '1'
Fragment logu z klienta VPN:
20:45:49.262 -- Session is ACTIVE
20:45:49.264 -- EVENT: GET_CONFIG
20:45:49.268 -- Sending PUSH_REQUEST to server...
20:45:49.372 -- OPTIONS:
0 [192.168.0.0] [255.255.255.0]
1 [route] [10.8.x.1]
2 [topology] [net30]
3 [ping] [10]
4 [ping-restart] [120]
5 [ifconfig] [10.8.x.6] [10.8.x.5]
6 [peer-id] [0]
7 [cipher] [AES-256-GCM]
20:45:49.373 -- PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: NONE
key-derivation: OpenVPN PRF
compress: LZO_STUB
peer ID: 0
20:45:49.375 -- EVENT: ASSIGN_IP
20:45:49.403 -- Connected via tun
20:45:49.404 -- LZO-ASYM init swap=0 asym=1
20:45:49.405 -- Comp-stub init swap=0
20:45:49.407 -- EVENT: CONNECTED info='xxxxx.xxxx.pl:11944 (xx.xx.xx.xx) via /UDPv4 on tun/10.8.x.6/ gw=[10.8.x.5/]'