As I announced, I started over, with new OpenWrt versions on both sides.
The only result is that the devices in the client's LAN have internet access, but through the modem, bypassing the VPN, according to traceroute.
The routers still see each other, but the clients in both LANs don't even see the other router. In either direction.
I haven't managed to achieve anything new.
So that I don't have to keep thinking about it every few minutes, I changed the VPN addressing.
It is now:
A - LAN of the main router, the VPN server with internet access: 192.168.1.1
B - LAN of the second router, the VPN client: 192.168.2.1
C - VPN addressing: 192.168.9.1
Below is my config:
Firewall on the server:
firewall.@zone[2]=zone
firewall.@zone[2].name='vpn'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].network='vpn'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='vpn'
firewall.@forwarding[1].dest='wan'
firewall.@rule[9]=rule
firewall.@rule[9].name='openvpn'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].src='wan'
firewall.@rule[9].proto='udp'
firewall.@rule[9].dest_port='1194'
Network (on the server)
root@server:~# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd67:6631:8743::/48'
network.globals.packet_steering='1'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan1' 'lan2' 'lan3' 'lan4'
network.@device[0].ipv6='0'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.delegate='0'
network.wan=interface
network.wan.device='wan'
network.wan.proto='dhcp'
network.wan.hostname='*'
network.wan6=interface
network.wan6.device='wan'
network.wan6.proto='dhcpv6'
network.vpn=interface
network.vpn.device='tun0'
network.vpn.proto='none'
On the client I have:
root@client:~# ip route show table main
default via 192.168.8.1 dev eth1 src 192.168.8.100
192.168.2.0/24 dev br-lan scope link src 192.168.2.1
192.168.8.0/24 dev eth1 scope link src 192.168.8.100
192.168.9.0/24 dev tun0 scope link src 192.168.9.2
root@client:~# ip route add default via 192.168.9.1 dev tun0
Changing it to the following didn't help, it only cut off internet access:
root@client:~# ip route show table main
default via 192.168.9.1 dev tun0
192.168.2.0/24 dev br-lan scope link src 192.168.2.1
192.168.8.0/24 dev eth1 scope link src 192.168.8.100
192.168.9.0/24 dev tun0 scope link src 192.168.9.2
traceroute on the server
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 46 byte packets
1 192.168.8.1 (192.168.8.1) 17.766 ms 17.609 ms 19.511 ms
2 172.18.121.202 (172.18.121.202) 39.694 ms 14.636 ms 23.149 ms
3 172.18.216.67 (172.18.216.67) 32.759 ms 25.633 ms 19.082 ms
4 172.18.216.33 (172.18.216.33) 15.223 ms 172.18.216.34 (172.18.216.34) 27.365 ms 16.503 ms
5 * * *
6 80.50.105.129 (80.50.105.129) 34.663 ms 26.375 ms 60.944 ms
7 195.116.35.198 (195.116.35.198) 36.631 ms 28.063 ms 39.742 ms
8 72.14.214.158 (72.14.214.158) 24.275 ms 24.196 ms 24.188 ms
9 64.233.174.229 (64.233.174.229) 34.958 ms 192.178.96.241 (192.178.96.241) 38.085 ms 64.233.174.229 (64.233.174.229) 23.451 ms
10 216.239.40.43 (216.239.40.43) 36.753 ms 209.85.250.175 (209.85.250.175) 25.272 ms 209.85.252.109 (209.85.252.109) 26.992 ms
11 dns.google (8.8.8.8) 36.515 ms 34.109 ms 29.423 ms
Server logs:
2024-02-23 23:46:46 31.61.172.182:3004 TLS: Initial packet from [AF_INET]31.61.172.182:3004, sid=69e22315 2727b077
2024-02-23 23:46:46 31.61.172.182:3004 VERIFY OK: depth=1, CN=server
2024-02-23 23:46:46 31.61.172.182:3004 VERIFY OK: depth=0, CN=client
2024-02-23 23:46:46 31.61.172.182:3004 peer info: IV_VER=2.5.8
2024-02-23 23:46:46 31.61.172.182:3004 peer info: IV_PLAT=linux
2024-02-23 23:46:46 31.61.172.182:3004 peer info: IV_PROTO=6
2024-02-23 23:46:46 31.61.172.182:3004 peer info: IV_NCP=2
2024-02-23 23:46:46 31.61.172.182:3004 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2024-02-23 23:46:46 31.61.172.182:3004 peer info: IV_LZ4=1
2024-02-23 23:46:46 31.61.172.182:3004 peer info: IV_LZ4v2=1
2024-02-23 23:46:46 31.61.172.182:3004 peer info: IV_LZO=1
2024-02-23 23:46:46 31.61.172.182:3004 peer info: IV_COMP_STUB=1
2024-02-23 23:46:46 31.61.172.182:3004 peer info: IV_COMP_STUBv2=1
2024-02-23 23:46:46 31.61.172.182:3004 peer info: IV_TCPNL=1
2024-02-23 23:46:46 31.61.172.182:3004 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2024-02-23 23:46:46 31.61.172.182:3004 [client] Peer Connection Initiated with [AF_INET]31.61.172.182:3004
2024-02-23 23:46:46 client/31.61.172.182:3004 MULTI_sva: pool returned IPv4=192.168.9.2, IPv6=(Not enabled)
2024-02-23 23:46:46 client/31.61.172.182:3004 MULTI: Learn: 192.168.9.2 -> client/31.61.172.182:3004
2024-02-23 23:46:46 client/31.61.172.182:3004 MULTI: primary virtual IP for client/31.61.172.182:3004: 192.168.9.2
2024-02-23 23:46:46 client/31.61.172.182:3004 Data Channel: using negotiated cipher 'AES-256-GCM'
2024-02-23 23:46:46 client/31.61.172.182:3004 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-02-23 23:46:46 client/31.61.172.182:3004 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-02-23 23:46:46 client/31.61.172.182:3004 SENT CONTROL [client]: 'PUSH_REPLY,route-gateway 192.168.9.1,topology subnet,ifconfig 192.168.9.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Client logs:
root@client:~# tail -f /tmp/openvpn.log
2024-02-23 23:46:47 OPTIONS IMPORT: data channel crypto options modified
2024-02-23 23:46:47 Data Channel: using negotiated cipher 'AES-256-GCM'
2024-02-23 23:46:47 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-02-23 23:46:47 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-02-23 23:46:47 TUN/TAP device tun0 opened
2024-02-23 23:46:47 net_iface_mtu_set: mtu 1500 for tun0
2024-02-23 23:46:47 net_iface_up: set tun0 up
2024-02-23 23:46:47 net_addr_v4_add: 192.168.9.2/24 dev tun0
2024-02-23 23:46:47 /usr/libexec/openvpn-hotplug up client tun0 1500 1552 192.168.9.2 255.255.255.0 init
2024-02-23 23:46:47 Initialization Sequence Completed
What looked suspicious to me (on the server) was network.vpn.proto=none. However, changing it to udp (+commit, +restart openvpn) didn't help.
I still don't know what to do, please help.
EDIT: I also added
firewall.@zone[2].masq='1'
because it was missing, but without effect.
-----------------------
Oh, and one more correction to the article: the certificates are created in different places than where OpenVPN later looks for them.
In the OpenVPN configuration on the server, instead of
# uci set openvpn.home.ca=/etc/openvpn/ca.crt
# uci set openvpn.home.cert=/etc/openvpn/serwer.crt
# uci set openvpn.home.key=/etc/openvpn/serwer.key
(...)
# uci set openvpn.home.dh=/etc/openvpn/dh.pem
it should be
# uci set openvpn.home.ca=/etc/easy-rsa/pki/ca.crt
# uci set openvpn.home.cert=/etc/easy-rsa/pki/issued/serwer.crt
# uci set openvpn.home.key=/etc/easy-rsa/pki/private/serwer.key
(...)
# uci set openvpn.home.dh=/etc/easy-rsa/pki/dh.pem
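As an added diagnostic (an editor's example, not code from the post, from OpenWrt or from OpenVPN), the POSIX shell script below parses the client routing table and the server's PUSH_REPLY exactly as quoted above and reports two things a practitioner checks first when the two LANs cannot reach each other through the tunnel: whether the client holds a route to LAN A (192.168.1.0/24) via tun0, and whether the server pushes such a route. The prefixes, device name and sample strings are copied from the post; the function names and the check logic are my own assumptions.

```shell
#!/bin/sh
# Added diagnostic for a site-to-site OpenVPN setup (editor's example, not
# from the post). Two checks:
#   1. does the client's routing table carry a route to the remote LAN via tun0?
#   2. does the server's PUSH_REPLY contain a "route NET MASK" option for it?
# The sample inputs are constructed from the outputs quoted in the post.

REMOTE_LAN=192.168.1.0/24   # LAN A, behind the VPN server, as `ip route` prints it
REMOTE_NET=192.168.1.0      # the same network as OpenVPN writes it: "route NET MASK"
TUN_DEV=tun0

# Constructed copy of `ip route show table main` on the client (from the post).
CLIENT_ROUTES='default via 192.168.8.1 dev eth1 src 192.168.8.100
192.168.2.0/24 dev br-lan scope link src 192.168.2.1
192.168.8.0/24 dev eth1 scope link src 192.168.8.100
192.168.9.0/24 dev tun0 scope link src 192.168.9.2'

# Constructed copy of the PUSH_REPLY the server log shows it sent.
PUSH_REPLY='PUSH_REPLY,route-gateway 192.168.9.1,topology subnet,ifconfig 192.168.9.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'

# has_route ROUTES PREFIX DEV: succeed if PREFIX is routed out of DEV.
has_route() {
    printf '%s\n' "$1" | awk -v p="$2" -v d="$3" '
        $1 == p {
            for (i = 2; i < NF; i++)
                if ($i == "dev" && $(i + 1) == d) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# push_has_route REPLY NET: succeed if the comma-separated PUSH_REPLY
# contains a "route NET MASK" option ("route-gateway" does not count).
push_has_route() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v n="$2" '
        $1 == "route" && $2 == n { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# diagnose: print one line per check, return the number of failed checks.
diagnose() {
    missing=0
    if has_route "$CLIENT_ROUTES" "$REMOTE_LAN" "$TUN_DEV"; then
        echo "ok: client routes $REMOTE_LAN via $TUN_DEV"
    else
        echo "missing: client has no route to $REMOTE_LAN via $TUN_DEV"
        missing=$((missing + 1))
    fi
    if push_has_route "$PUSH_REPLY" "$REMOTE_NET"; then
        echo "ok: server pushes a route for $REMOTE_NET"
    else
        echo "missing: server PUSH_REPLY carries no 'route $REMOTE_NET ...' option"
        missing=$((missing + 1))
    fi
    return "$missing"
}

rc=0
diagnose || rc=$?
echo "failed checks: $rc"
```

Run against the quoted outputs it reports both checks as missing: the client only knows 192.168.9.0/24 on tun0, and the PUSH_REPLY carries route-gateway, topology, ifconfig, peer-id and cipher but no route option. In OpenVPN the usual way to get LAN-to-LAN routing is a server-side push "route NET MASK" for the server's LAN plus a route and a per-client iroute (via client-config-dir) for the client's LAN; that is general OpenVPN behaviour, not something the post confirms about this setup. A route check alone is also not enough: the server firewall quoted above forwards only from vpn to wan, so forwarding between the lan and vpn zones has to be verified separately.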