Temat: OpenVPN (routed) 2xTL-WR1043ND, Gargoyle 1.5.9 - konfiguracja
Mam problem z połączeniem urządzeń, które pracują w sieci wg schematu załączonego w pliku PDF poniżej:
Schemat sieci:
http://hexen2k.neostrada.pl/vpn/schemat_vpn.pdf
Potrzebuję utworzyć niezależny kanał do połączenia kilku urządzeń w sieć. Zwykłe przekierowania portów nie wchodzą w grę, dlatego pojawiła się potrzeba VPN.
Urządzenia to TP-Link TL-WR1043ND z nowo wgranym najnowszym FW Gargoyle 1.5.9. Wyklikałem konfigurację w serwerze z OpenVPN GUI i pobrałem plik konfiguracyjny do drugiego routera.
Na łączu ADSL Neostrady gdzie jest podłączony Serwer VPN zrobiłem przekierowanie portu 1194 (w routerze ADSL).
Na łączu LAN SZKOLA nie było robionych żadnych przekierowań – pytanie, czy muszę także przekierować port 1194, czy nie jest to potrzebne po stronie klienta? (wyczytałem na forum, że nie, ale wolę się upewnić).
Połączenie VPN między routerami działa prawidłowo (przynajmniej pokazuje poprawny status, że jest połączone).
Problemem jest sytuacja taka, że gdy jestem na komputerze podłączonym do sieci przez klienta (np. Komputer1, IP: 192.168.3.101), to mogę pingować oba routery (192.168.3.1, 192.168.2.1) oraz komputery podłączone do serwera VPN (tj. z końcówką IP 2.x) – czyli w jedną stronę sieć działa w pełni poprawnie. Natomiast będąc na komputerze podłączonym do serwera, mogę pingować tylko jeden router (192.168.2.1). Nie widzę w ogóle sieci 192.168.3.1, nie dochodzą pingi do komputerów o IP 192.168.3.x.
Przeszukałem wiele tematów na tym forum oraz w Google,
ale niestety nie udało mi się tego uruchomić tak, aby komunikacja była możliwa w obie strony. Bardzo proszę o wskazówki, od czego zacząć próby. Wydaje mi się, że trzeba skonfigurować jakieś trasy albo firewall, ale jak dokładnie?
No i czy potrzebne jest to przekierowanie po stronie klienta VPN?
Zamieszczam zrzuty konfiguracji OpenVPN z obu routerów (na zrzucie serwera akurat nie jest połączone, bo był restartowany; normalnie jest tam też status o poprawnym połączeniu):


Konfiguracja Serwera:
----------------------------------------------------------------
| |
| Gargoyle PL 1.5.9.1 (f73df29) |
| OpenWrt Attitude Adjustment 12.09-rc1 (r35093) |
| Zbudowano: 2013-01-11 15:56 CET |
| |
| Cezary Jackiewicz (obsy), http://eko.one.pl |
| |
----------------------------------------------------------------
root@Gargoyle:/etc/config# cat network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config interface 'lan'
option ifname 'eth0.1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option dns '194.204.152.34 194.204.159.1'
option ipaddr '192.168.2.1'
config interface 'wan'
option ifname 'eth0.2'
option dns '194.204.152.34 194.204.159.1'
option peerdns '0'
option proto 'static'
option ipaddr '192.168.1.211'
option netmask '255.255.255.0'
option gateway '192.168.1.1'
config switch
option name 'rtl8366rb'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'rtl8366rb'
option vlan '1'
option ports '1 2 3 4 5t'
config switch_vlan
option device 'rtl8366rb'
option vlan '2'
option ports '0 5t'
config interface 'vpn'
option ifname 'tun0'
option proto 'none'
option defaultroute '0'
option peerdns '0'
#recznie dodane
config 'route'
option 'interface' 'lan'
option 'target' '192.168.3.0'
option 'netmask' '255.255.255.0'
option 'gateway' '10.8.0.2'
option 'metric' '2'
#########################################################
root@Gargoyle:/etc/config# cat openvpn
config openvpn 'custom_config'
option script_security '3'
option up '/etc/openvpn.up'
option down '/etc/openvpn.down'
option enable '1'
option config '/etc/openvpn/server.conf'
#########################################################
root@Gargoyle:/etc/config# cat firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option force_router_dns '1'
config zone
option name 'lan'
option network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'wan'
option network 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config include
option path '/usr/lib/gargoyle_firewall_util/gargoyle_additions.firewall'
config include 'openvpn_include_file'
option path '/etc/openvpn.firewall'
config zone 'vpn_zone'
option name 'vpn'
option network 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option mtu_fix '1'
option masq '1'
config forwarding 'vpn_lan_forwarding'
option src 'lan'
option dest 'vpn'
config remote_accept 'ra_openvpn'
option zone 'wan'
option local_port '1194'
option remote_port '1194'
option proto 'udp'
config forwarding 'vpn_wan_forwarding'
option src 'vpn'
option dest 'wan'
config remote_accept 'ra_80_8080'
option local_port '80'
option remote_port '8080'
option proto 'tcp'
option zone 'wan'
config remote_accept 'ra_22_22'
option local_port '22'
option remote_port '22'
option proto 'tcp'
option zone 'wan'
#############################################
root@Gargoyle:/etc/config# cat openvpn_gargoyle
config server 'server'
option internal_ip '10.8.0.1'
option internal_mask '255.255.255.0'
option port '1194'
option cipher 'BF-CBC'
option keysize '128'
option enabled 'true'
option duplicate_cn 'true'
option subnet_access 'true'
option subnet_mask '255.255.255.0'
option pool '10.8.0.2 10.8.0.254 255.255.255.0'
option subnet_ip '192.168.2.0'
option proto 'udp'
option client_to_client 'true'
option redirect_gateway 'false'
config client 'client'
option enabled 'false'
config allowed_client 'client1'
option id 'client1'
option name 'Client1'
option enabled 'true'
option remote 'domena1.dyndns.org'
############################################
root@Gargoyle:~# route -e
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0.2
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0.2
192.168.2.0 * 255.255.255.0 U 0 0 0 br-lan

Konfiguracja klienta:
config openvpn 'custom_config'
option script_security '3'
option up '/etc/openvpn.up'
option down '/etc/openvpn.down'
option config '/etc/openvpn/grouter_client_iheyrpvauojg.conf'
option enable '1'
root@Gargoyle:/etc/config# cat openvpn_gargoyle
config server 'server'
option enabled 'false'
option internal_ip '10.8.0.1'
option internal_mask '255.255.255.0'
option port '1194'
option proto 'udp'
option cipher 'BF-CBC'
option keysize '128'
option client_to_client 'false'
option duplicate_cn 'false'
option redirect_gateway 'true'
option subnet_access 'false'
config client 'client'
option enabled 'true'
option id 'grouter_client_iheyrpvauojg'
root@Gargoyle:/etc/config# cat firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option force_router_dns '1'
config zone
option name 'lan'
option network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'wan'
option network 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config include
option path '/usr/lib/gargoyle_firewall_util/gargoyle_additions.firewall'
config include 'openvpn_include_file'
option path '/etc/openvpn.firewall'
config zone 'vpn_zone'
option name 'vpn'
option network 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option mtu_fix '1'
option masq '1'
config forwarding 'vpn_lan_forwarding'
option src 'lan'
option dest 'vpn'
config remote_accept 'ra_80_8080'
option local_port '80'
option remote_port '8080'
option proto 'tcp'
option zone 'wan'
config remote_accept 'ra_22_22'
option local_port '22'
option remote_port '22'
option proto 'tcp'
option zone 'wan'
root@Gargoyle:/etc/config# route -e
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0.2
10.8.0.0 * 255.255.255.0 U 0 0 0 tun0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0.2
192.168.2.0 10.8.0.1 255.255.255.0 UG 0 0 0 tun0
192.168.3.0 * 255.255.255.0 U 0 0 0 br-lan