1 (edytowany przez artur5236 2024-05-20 10:23:20)

Temat: OpenVPN i vlany

Cześć,
Mam taką architekturę, serwer openvpn 10.8.0.1/24.
Router z klientem z podsiecią 192.168.1.0/24.
Router z klientem z podsiecią 192.168.5.0/24.
Obecnie zezwoloną mam komunikację z 192.168.1.0/24 do 192.168.5.0/24 i na odwrót (wszystko działa).

Na routerze z klientem z podsiecią 192.168.1.0/24, dodałem nowy vlan z podsiecią 192.168.3.0/24.
Obecnie mam problem aby z podsieci 192.168.5.0/24 dostać się do 192.168.3.0/24.
Mógłbym prosić o pomoc jak skonfigurować taki dostęp?

2

Odp: OpenVPN i vlany

Dodajesz następne trasy na serwerze i konfigi u klientów, identycznie jak dla poprzednich klas.

Masz niepotrzebny router, uszkodzony czy nie - chętnie przygarnę go.

3

Odp: OpenVPN i vlany

Na serwerze dodałem:
route 192.168.3.0 255.255.255.0
Pojawiła się trasa ale ping nie dociera.

artur@vps778934:~$ ip route
default via 51.178.48.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
51.178.48.1 dev eth0 scope link
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.30.0.0/16 dev br-77180715dc64 proto kernel scope link src 172.30.0.1
192.168.0.0/24 via 10.8.0.1 dev tun0
192.168.1.0/24 via 10.8.0.1 dev tun0
192.168.3.0/24 via 10.8.0.1 dev tun0
192.168.5.0/24 via 10.8.0.1 dev tun0
192.168.10.0/24 via 10.8.0.1 dev tun0
192.168.16.0/20 dev br-f0fc2b3c961d proto kernel scope link src 192.168.16.1
artur@vps778934:~$ ping 192.168.3.1
PING 192.168.3.1 (192.168.3.1) 56(84) bytes of data.
^C
--- 192.168.3.1 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6142ms

artur@vps778934:~$

4

Odp: OpenVPN i vlany

To jeszcze firewall na kliencie i zezwolenie pomiędzy tym vlanem a vpn.

Masz niepotrzebny router, uszkodzony czy nie - chętnie przygarnę go.

5 (edytowany przez artur5236 2024-05-20 11:09:34)

Odp: OpenVPN i vlany

Mam zrobione coś takiego, powinno wystarczyć?

# Allows new connections from the 'vpn' zone into the 'home' zone only.
# The opposite direction (src 'home', dest 'vpn') needs its own forwarding section.
config forwarding
        option dest 'home'
        option src 'vpn'

home to jest właśnie 192.168.3.0/24

6

Odp: OpenVPN i vlany

I ew w drugą stronę.

Masz niepotrzebny router, uszkodzony czy nie - chętnie przygarnę go.

7

Odp: OpenVPN i vlany

Niestety nie działa, nawet jak dodałem regułę w dwie strony.

8

Odp: OpenVPN i vlany

Pokaż konfig sieci, firewalla, konfig klienta i serwera openvpn. I wynik route -n oraz ifconfig.

Masz niepotrzebny router, uszkodzony czy nie - chętnie przygarnę go.

9 (edytowany przez artur5236 2024-05-20 13:23:36)

Odp: OpenVPN i vlany

Konfig klienta (192.168.1.0):
network

# /etc/config/network of the client router that owns 192.168.1.0/24 (and the new 192.168.3.0/24 VLAN).
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6e:b494:279d::/48'

# LAN: bridge over switch VLAN 1 (eth0.1), 192.168.1.1/24, IPv6 disabled.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option ipv6 '0'
        option delegate '0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.1'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr '78:d2:94:79:7d:e8'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr '78:d2:94:79:7d:e9'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1: CPU port 6 tagged, ports 3 2 1 0 untagged.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '6t 3 2 1 0'
        option vid '1'

# VLAN 2 (WAN side, eth0.2): CPU port 6 tagged, port 4 untagged.
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t 4'
        option vid '2'

# OpenVPN tunnel. proto 'none' leaves tun0 unmanaged by netifd; the 10.8.0.x address
# seen in ifconfig is assigned by OpenVPN itself. This interface is what the 'vpn'
# firewall zone refers to.
config interface 'vpn'
        option ifname 'tun0'
        option proto 'none'

config interface 'wan'
        option proto 'dhcp'
        option ifname 'eth0.2'

# VLAN 3: tagged on the CPU port and on ports 3 and 1. Those two ports are also
# untagged members of VLAN 1 above, so they carry VLAN 1 untagged plus VLAN 3 tagged
# (trunk with VLAN 1 as the native VLAN) — devices on them must tag 192.168.3.0/24 traffic.
config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '6t 3t 1t'

# The new subnet: bridge over eth0.3 (br-vlan3 in ifconfig/route -n), 192.168.3.1/24.
# The firewall config puts this interface into the 'home' zone.
config interface 'vlan3'
        option proto 'static'
        option ifname 'eth0.3'
        option type 'bridge'
        option netmask '255.255.255.0'
        option ipaddr '192.168.3.1'

firewall

# /etc/config/firewall of the same client router.
# forward 'REJECT' here means inter-zone traffic passes only where an explicit
# 'config forwarding' section (or rule) allows it; the list of forwardings at the
# bottom is therefore what decides which subnets can start connections to which.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# lan zone: 192.168.1.0/24 (interface 'lan').
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Extra rules may live in this file; its contents are not shown in the thread.
config include
        option path '/etc/firewall.user'

# vpn zone: tun0 (interface 'vpn'). input 'ACCEPT' lets every VPN peer reach all
# services on this router. NOTE(review): consider restricting input from this zone
# to the services actually needed. Because input is ACCEPT here, a ping from the
# VPN side to the router's own 192.168.3.1 is handled by this zone's INPUT, not by
# any forwarding — so the failing ping from the OpenVPN server to 192.168.3.1 in
# this thread most likely comes from the server-side OpenVPN routing (e.g. a
# missing iroute for 192.168.3.0/24 in the client's ccd file), not from this firewall.
config zone
        option name 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'vpn'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'vpn'

# home zone: 192.168.3.0/24 (interface 'vlan3').
config zone
        option name 'home'
        list network 'vlan3'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'
        option output 'ACCEPT'

config forwarding
        option dest 'wan'
        option src 'home'

config forwarding
        option dest 'home'
        option src 'lan'

# Only vpn -> home is allowed below. There is no 'src home / dest vpn' section in
# this posted config, so hosts in 192.168.3.0/24 cannot *initiate* connections
# toward the VPN (replies to connections opened from the VPN side are still passed
# by the firewall's established/related handling). Post 7 says a rule in both
# directions was tried; it is not present in what is shown here.
config forwarding
        option dest 'home'
        option src 'vpn'

route -n klient

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0.2
10.8.0.0        10.8.0.1        255.255.255.0   UG    0      0        0 tun0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0.2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 br-vlan3
192.168.5.0     10.8.0.1        255.255.255.0   UG    0      0        0 tun0
192.168.10.0    10.8.0.1        255.255.255.0   UG    0      0        0 tun0

ifconfig klient

br-lan    Link encap:Ethernet  HWaddr 78:D2:94:79:7D:E8
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:64593743 errors:0 dropped:58 overruns:0 frame:0
          TX packets:83091493 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:17528793308 (16.3 GiB)  TX bytes:64718517626 (60.2 GiB)

br-vlan3  Link encap:Ethernet  HWaddr B0:39:56:51:76:78
          inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0
          inet6 addr: fe80::b239:56ff:fe51:7678/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3667528 errors:0 dropped:9 overruns:0 frame:0
          TX packets:10795806 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1114690429 (1.0 GiB)  TX bytes:15146712712 (14.1 GiB)

eth0      Link encap:Ethernet  HWaddr B0:39:56:51:76:78
          inet6 addr: fe80::b239:56ff:fe51:7678/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:171269249 errors:7 dropped:0 overruns:0 frame:0
          TX packets:159201675 errors:1 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:100701590456 (93.7 GiB)  TX bytes:88473664611 (82.3 GiB)
          Interrupt:17

eth0.1    Link encap:Ethernet  HWaddr 78:D2:94:79:7D:E8
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:61756189 errors:0 dropped:15909 overruns:0 frame:0
          TX packets:76591098 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:17112267020 (15.9 GiB)  TX bytes:56533829731 (52.6 GiB)

eth0.2    Link encap:Ethernet  HWaddr 78:D2:94:79:7D:E9
          inet addr:192.168.0.10  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::7ad2:94ff:fe79:7de9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:92368082 errors:0 dropped:0 overruns:0 frame:0
          TX packets:62550817 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:79333888900 (73.8 GiB)  TX bytes:19703814817 (18.3 GiB)

eth0.3    Link encap:Ethernet  HWaddr B0:39:56:51:76:78
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2060444 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6563500 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:497022746 (473.9 MiB)  TX bytes:10123431889 (9.4 GiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:279482 errors:0 dropped:0 overruns:0 frame:0
          TX packets:279482 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:24164034 (23.0 MiB)  TX bytes:24164034 (23.0 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.11  P-t-P:10.8.0.11  Mask:255.255.255.0
          inet6 addr: fe80::715:bb6f:da97:3f66/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:110365 errors:0 dropped:0 overruns:0 frame:0
          TX packets:130606 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:9758774 (9.3 MiB)  TX bytes:15206472 (14.5 MiB)

wlan0     Link encap:Ethernet  HWaddr B0:39:56:51:76:78
          inet6 addr: fe80::b239:56ff:fe51:7678/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:980269 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1395302 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:496866363 (473.8 MiB)  TX bytes:1803200130 (1.6 GiB)

wlan0-1   Link encap:Ethernet  HWaddr B2:39:56:51:76:78
          inet6 addr: fe80::b039:56ff:fe51:7678/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:130149 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2228533 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9467696 (9.0 MiB)  TX bytes:193568686 (184.6 MiB)

wlan1     Link encap:Ethernet  HWaddr B0:39:56:51:76:7C
          inet6 addr: fe80::b239:56ff:fe51:767c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:432899 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1774773 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:119262234 (113.7 MiB)  TX bytes:3292914849 (3.0 GiB)


Konfig serwera openvpn:

# OpenVPN server config as posted (Debian host, tun0 = 10.8.0.1/24).
dev tun
port '5236'
# NOTE(review): on OpenVPN 2.5+ 'data-ciphers' is the preferred directive;
# 'cipher' is still accepted for compatibility. Server version is not shown in the thread.
cipher AES-256-GCM
proto 'udp'
tls-server
server 10.8.0.0 255.255.255.0
log '/var/log/openvpn.log'
status '/var/log/openvpn/openvpn-status.log'
verb '3'
ca '/etc/openvpn/ca.crt'
cert '/etc/openvpn/serwer.crt'
key '/etc/openvpn/serwer.key'
dh '/etc/openvpn/dh2048.pem'
route-gateway 10.8.0.1
# 'route' only installs a kernel route on the server host (visible in the posted
# 'ip route' output). OpenVPN additionally has to know WHICH connected client owns
# each of these subnets; that is done per client with 'iroute <net> <mask>' in the
# client's file under client-config-dir. Without an iroute for 192.168.3.0/24 the
# server (and, with client-to-client, other clients) cannot deliver packets for it,
# which matches the 100% packet loss seen in post 3. The ccd contents are not shown
# in the thread — NOTE(review): confirm an iroute for 192.168.3.0/24 exists there.
route 192.168.1.0 255.255.255.0
route 192.168.5.0 255.255.255.0
#route 192.168.10.0 255.255.255.0
#route 192.168.0.0 255.255.255.0
route 192.168.3.0 255.255.255.0
push 'route 10.8.0.0 255.255.255.0'
push 'route 192.168.5.0 255.255.255.0'
push 'route 192.168.1.0 255.255.255.0'
#push 'route 192.168.10.0 255.255.255.0'
# While this push stays commented out, the other site's router (192.168.5.0/24) is
# not told that 192.168.3.0/24 is reachable over the tunnel. The posted client
# routing table of the 192.168.1.0 router does show a route for 192.168.10.0/24
# although that push is also commented here, so the running config or a ccd entry
# may differ from what is posted — hedged, not verifiable from the thread.
#push 'route 192.168.3.0 255.255.255.0'
push 'dhcp-option DNS 10.8.0.1'
topology subnet
# client-to-client: traffic between VPN clients is switched inside the OpenVPN
# process, not through the server's kernel/iptables. Delivery to a client-side
# subnet is then decided solely by the iroute entries, not by the kernel routes above.
client-to-client
#plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so login
# Per-client files (push/iroute overrides) live in this directory; none are shown in the thread.
client-config-dir ccd
keepalive 10 60

Serwer openvpn mam na debianie, tam nie działa komenda route -n, więc podaję wynik zwykłego ip route:

default via 51.178.48.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
51.178.48.1 dev eth0 scope link
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.30.0.0/16 dev br-77180715dc64 proto kernel scope link src 172.30.0.1
192.168.0.0/24 via 10.8.0.1 dev tun0
192.168.1.0/24 via 10.8.0.1 dev tun0
192.168.3.0/24 via 10.8.0.1 dev tun0
192.168.5.0/24 via 10.8.0.1 dev tun0
192.168.10.0/24 via 10.8.0.1 dev tun0
192.168.16.0/20 dev br-f0fc2b3c961d proto kernel scope link src 192.168.16.1

10

Odp: OpenVPN i vlany

Ktoś ma jakiś pomysł?