Subject: relayd and openvpn
Hello,
I configured the TL-WR842ND to work as a bridge client and everything works fine. Now I want to configure OpenVPN and I am having a problem with it. OpenVPN starts and everything seems OK, but I cannot ping the TL-WR842ND from another client. I suspect that my firewall is misconfigured. I would be grateful for help on how to configure OpenVPN correctly together with bridge client.
network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'lan'
	option ifname 'eth0'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.0.1'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	option type 'bridge'

config switch
	option name 'eth0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'eth0'
	option vlan '1'
	option ports '0 1 2 3 4'

config interface 'wwan'
	option proto 'dhcp'

config interface 'stabridge'
	option proto 'relay'
	list network 'lan'
	list network 'wwan'
	option ipaddr '192.168.1.134'

wireless:
config wifi-device 'radio0'
	option type 'mac80211'
	option macaddr 'f8:d1:11:70:5e:7a'
	option hwmode '11ng'
	option htmode 'HT20'
	list ht_capab 'SHORT-GI-20'
	list ht_capab 'SHORT-GI-40'
	list ht_capab 'TX-STBC'
	list ht_capab 'RX-STBC1'
	list ht_capab 'DSSS_CCK-40'
	option disabled '0'
	option channel '6'
	option txpower '20'
	option country 'US'

config wifi-iface
	option network 'wwan'
	option ssid 'TP-LINK_C33CDC'
	option encryption 'psk2'
	option device 'radio0'
	option mode 'sta'
	option bssid 'F8:D1:11:4E:72:9A'
	option key 'xxxx'

dhcp:
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

firewall:
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wwan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option _name 'openvpn'
	option src 'stabridge'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '1194'

firewall.user:
iptables -I OUTPUT -o tap+ -j ACCEPT
iptables -I INPUT -i tap+ -j ACCEPT
iptables -I FORWARD -o tap+ -j ACCEPT
iptables -I FORWARD -i tap+ -j ACCEPT

after starting openvpn:
Tue Aug 21 21:01:06 2012 OpenVPN 2.2.2 mips-openwrt-linux [SSL] [LZO2] [EPOLL] built on May 31 2012
Tue Aug 21 21:01:06 2012 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Aug 21 21:01:06 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Aug 21 21:01:06 2012 WARNING: file '/etc/openvpn/keys/client011.key' is group or others accessible
Tue Aug 21 21:01:06 2012 Control Channel MTU parms [ L:1557 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Aug 21 21:01:06 2012 Socket Buffers: R=[163840->131072] S=[163840->131072]
Tue Aug 21 21:01:06 2012 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
Tue Aug 21 21:01:06 2012 UDPv4 link local: [undef]
Tue Aug 21 21:01:06 2012 UDPv4 link remote: xx.xxx.xxx.xxx:xxxx
Tue Aug 21 21:01:06 2012 TLS: Initial packet from xx.xxx.xxx.xxx:xxxx, sid=02d6e6be 96c60c32
Tue Aug 21 21:01:06 2012 VERIFY OK: depth=1, /C=PL/ST=Poland/L=Katowice/O=net.xxx.org/CN=ca/emailAddress=ca@xxx.pl
Tue Aug 21 21:01:06 2012 VERIFY OK: depth=0, /C=PL/ST=Poland/O=net.xxx.org/CN=vpnser/emailAddress=vpnser@xxx.pl
Tue Aug 21 21:01:07 2012 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Aug 21 21:01:07 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Aug 21 21:01:07 2012 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Aug 21 21:01:07 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Aug 21 21:01:07 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Aug 21 21:01:07 2012 [vpnser] Peer Connection Initiated with xx.xxx.xxx.xxx:xxxx
Tue Aug 21 21:01:09 2012 SENT CONTROL [vpnser]: 'PUSH_REQUEST' (status=1)
Tue Aug 21 21:01:09 2012 PUSH: Received control message: 'PUSH_REPLY,route 6.6.7.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 6.6.7.45 6.6.7.46'
Tue Aug 21 21:01:09 2012 OPTIONS IMPORT: timers and/or timeouts modified
Tue Aug 21 21:01:09 2012 OPTIONS IMPORT: --ifconfig/up options modified
Tue Aug 21 21:01:09 2012 OPTIONS IMPORT: route options modified
Tue Aug 21 21:01:09 2012 TUN/TAP device tun0 opened
Tue Aug 21 21:01:09 2012 TUN/TAP TX queue length set to 100
Tue Aug 21 21:01:09 2012 /sbin/ifconfig tun0 6.6.7.45 pointopoint 6.6.7.46 mtu 1500
Tue Aug 21 21:01:09 2012 /sbin/route add -net 6.6.7.0 netmask 255.255.255.0 gw 6.6.7.46
Tue Aug 21 21:01:09 2012 Initialization Sequence Completed
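As an added check, not part of the original post, the script below compares the interface that OpenVPN reports opening in the log above with the interface patterns used by the iptables rules in firewall.user. An iptables '-i tap+' or '-o tap+' pattern matches only names beginning with 'tap', so rules written for a tap device give no coverage to a 'tun0' device. The log and rule excerpts are constructed from the post; the script assumes only the short '-i'/'-o' forms used there appear.

```shell
#!/bin/sh
# Constructed excerpts from the post: the device line of the OpenVPN log and the
# interface-scoped rules of firewall.user. Assumption: only the short '-i'/'-o'
# forms used in the post appear; long-form options are not handled.
OPENVPN_LOG='Tue Aug 21 21:01:09 2012 TUN/TAP device tun0 opened
Tue Aug 21 21:01:09 2012 Initialization Sequence Completed'
FIREWALL_USER='iptables -I OUTPUT -o tap+ -j ACCEPT
iptables -I INPUT -i tap+ -j ACCEPT
iptables -I FORWARD -o tap+ -j ACCEPT
iptables -I FORWARD -i tap+ -j ACCEPT'

# opened_device LOG: the interface name OpenVPN reports in "TUN/TAP device X opened"
opened_device() {
  printf '%s\n' "$1" | sed -n 's/.*TUN\/TAP device \([^ ]*\) opened.*/\1/p' | head -n 1
}

# iface_matches PATTERN NAME: iptables -i/-o semantics, a trailing '+' is a prefix wildcard
iface_matches() {
  case $1 in
    *+) case $2 in "${1%+}"*) return 0 ;; esac; return 1 ;;
    *)  [ "$1" = "$2" ] ;;
  esac
}

# count_matching_rules RULES DEV: number of rules whose -i/-o pattern matches DEV
count_matching_rules() {
  printf '%s\n' "$1" | {
    n=0
    while IFS= read -r line; do
      pat=$(printf '%s\n' "$line" | sed -n 's/.*-[io] \([^ ]*\).*/\1/p')
      if [ -n "$pat" ] && iface_matches "$pat" "$2"; then n=$((n + 1)); fi
    done
    echo "$n"
  }
}

# report LOG RULES: "ok: DEV" when at least one rule covers the opened device, else "mismatch: DEV"
report() {
  dev=$(opened_device "$1")
  [ -n "$dev" ] || { echo "no device line"; return 1; }
  if [ "$(count_matching_rules "$2" "$dev")" -gt 0 ]; then
    echo "ok: $dev"
  else
    echo "mismatch: $dev"
  fi
}

report "$OPENVPN_LOG" "$FIREWALL_USER"
```

Run on the router with the real files, e.g. report "$(cat /tmp/openvpn.log)" "$(cat /etc/firewall.user)", a "mismatch" line means none of the firewall.user rules apply to the device OpenVPN actually created.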