This VPN is a tough nut to crack...
So, here is the story.
1. I logged in as root on the NND server. I ran:
$ iptables -I FORWARD -i tun0 -o eth1 -j ACCEPT
$ iptables -I FORWARD -i eth1 -o tun0 -j ACCEPT
eth1 on the server is the LAN interface.
2. On the NND server I start the VPN:
$ openvpn /etc/openvpn/server.conf
3. On the client I start the VPN "client":
$ sudo openvpn /etc/openvpn/client.conf
The connection comes up:
administrator@msi:~$ sudo openvpn /etc/openvpn/client.conf
Fri Nov 6 19:22:45 2009 OpenVPN 2.1_rc19 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 13 2009
Fri Nov 6 19:22:45 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Nov 6 19:22:45 2009 /usr/sbin/openvpn-vulnkey -q /etc/openvpn/static.key
Fri Nov 6 19:22:46 2009 WARNING: file '/etc/openvpn/static.key' is group or others accessible
Fri Nov 6 19:22:46 2009 LZO compression initialized
Fri Nov 6 19:22:46 2009 TUN/TAP device tun1 opened
Fri Nov 6 19:22:46 2009 /sbin/ifconfig tun1 10.8.0.2 pointopoint 10.8.0.1 mtu 1500
SIOCADDRT: File exists
Fri Nov 6 19:22:46 2009 ERROR: Linux route add command failed: external program exited with error status: 7
Fri Nov 6 19:22:46 2009 Attempting to establish TCP connection with 79.187.84.194:1194 [nonblock]
Fri Nov 6 19:22:47 2009 TCP connection established with 79.187.84.194:1194
Fri Nov 6 19:22:47 2009 TCPv4_CLIENT link local: [undef]
Fri Nov 6 19:22:47 2009 TCPv4_CLIENT link remote: 79.187.82.111:1194
Fri Nov 6 19:22:56 2009 Peer Connection Initiated with 79.187.82.111:1194
Fri Nov 6 19:22:56 2009 Initialization Sequence Completed
Now on my client I have:
administrator@msi:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:13:d3:fd:44:ba
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:22 Base address:0xe800
eth1 Link encap:Ethernet HWaddr 00:13:ce:15:c6:72
inet addr:192.168.2.105 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::213:ceff:fe11:c675/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9726 errors:16 dropped:16 overruns:0 frame:0
TX packets:8255 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5913661 (5.9 MB) TX bytes:1179941 (1.1 MB)
Interrupt:17 Base address:0xe000 Memory:fbffc000-fbffcfff
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:841 errors:0 dropped:0 overruns:0 frame:0
TX packets:841 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:92263 (92.2 KB) TX bytes:92263 (92.2 KB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.2 P-t-P:10.8.0.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:321 (321.0 B)
tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.2 P-t-P:10.8.0.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
4. I check what can be pinged from the client side:
administrator@msi:~$ ping 10.8.0.2
PING 10.8.0.2 (10.8.0.2) 56(84) bytes of data.
64 bytes from 10.8.0.2: icmp_seq=1 ttl=64 time=0.051 ms
64 bytes from 10.8.0.2: icmp_seq=2 ttl=64 time=0.044 ms
administrator@msi:~$ ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
^C
--- 10.8.0.1 ping statistics ---
56 packets transmitted, 0 received, 100% packet loss, time 55361ms
So 10.8.0.2 answers pings, 10.8.0.1 does not.
As a reminder, the client config:
dev tun
remote serwer-vpn.pl 1194
ifconfig 10.8.0.2 10.8.0.1
secret /etc/openvpn/static.key
proto tcp-client
route 192.168.0.0 255.255.255.0
comp-lzo
According to the description:
10.8.0.1 - tunnel endpoint on the server - no ping here (pinging from the client console)
10.8.0.2 - tunnel endpoint on the client - pings without any problem (pinging from the client console)
So I cannot reach the server end of the tunnel; locally it is fine.
5. So I switch to the server console and try the same:
Predictable...
[root@server-vpn vpn]# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.190 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=0.164 ms
[root@server-vpn vpn]# ping 10.8.0.2
PING 10.8.0.2 (10.8.0.2) 56(84) bytes of data.
--- 10.8.0.2 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4014ms
So the situation is similar: locally it works (and therefore it is the other way round):
10.8.0.1 - tunnel endpoint on the server - pings correctly (pinging from the server console)
10.8.0.2 - tunnel endpoint on the client - no ping here (pinging from the server console)
So I cannot ping from one end of the VPN tunnel to the other, in either direction.
That surely is not how it is supposed to be?
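An added example, not code from the original post: a small shell checker that flags the two things visible in the client output above, the static key being readable by group/others, and a leftover tun0 holding the same 10.8.0.2 address as the freshly created tun1, which is consistent with the "SIOCADDRT: File exists" route error. The sample text embedded below is constructed from the post's own output, and the function names are assumptions.

```shell
#!/bin/bash
# Added example, not code from the original post. Helper names are hypothetical.
# Constructed sample: the relevant lines from the client's OpenVPN output above.
SAMPLE_LOG="WARNING: file '/etc/openvpn/static.key' is group or others accessible
/sbin/ifconfig tun1 10.8.0.2 pointopoint 10.8.0.1 mtu 1500
SIOCADDRT: File exists
ERROR: Linux route add command failed: external program exited with error status: 7
Initialization Sequence Completed"

# Constructed sample: the client's ifconfig output above, abridged to the lines that matter.
SAMPLE_IFCONFIG="eth1      Link encap:Ethernet  HWaddr 00:13:ce:15:c6:72
          inet addr:192.168.2.105  Bcast:192.168.2.255  Mask:255.255.255.0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.2  P-t-P:10.8.0.1  Mask:255.255.255.255
tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.2  P-t-P:10.8.0.1  Mask:255.255.255.255"

# Prints one finding per line for the warning/error patterns that matter here.
check_openvpn_log() {
  printf '%s\n' "$1" | awk '
    /is group or others accessible/ { print "key-perms: static key readable by others; chmod 600 it" }
    /SIOCADDRT: File exists/        { print "route-exists: a route to the peer is already present (stale tun device or duplicate route)" }
    /route add command failed/      { print "route-failed: OpenVPN could not install its route; check whether the tunnel is half-up" }'
}

# Prints "ADDR iface iface..." for every IPv4 address held by more than one interface
# (old-style ifconfig output: interface lines start in column 0, details are indented).
duplicate_addrs() {
  printf '%s\n' "$1" | awk '
    /^[A-Za-z0-9]+[ \t]+Link encap/ { iface = $1 }
    /inet addr:/ {
      split($2, a, ":"); addr = a[2]
      owners[addr] = owners[addr] " " iface
      seen[addr]++
    }
    END { for (x in seen) if (seen[x] > 1) print x owners[x] }'
}

# Stand-alone run: show both reports.
check_openvpn_log "$SAMPLE_LOG"
duplicate_addrs "$SAMPLE_IFCONFIG"
```

On a live box the same functions can be fed `journalctl`/openvpn log text and `ifconfig -a` output instead of the constructed samples.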