El servidor VPN (Linux) está detrás de un enrutador. Quiero conectarme desde una red externa a mi servidor VPN y acceder a dispositivos en la red local del servidor (y el servidor mismo).
El rango de direcciones de la red local es 192.168.178.0/24
También reenvié algunos puertos a mi servidor VPN: 1194, 80, 21, 443, 1723
!! Eliminé información anterior porque se alcanzó el límite del cuerpo !!
EDIT 4: Lista completa de configuraciones actuales: Esta es la configuración de mi servidor:
port 1194
proto udp
dev tap
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/VPNServer.crt
key /etc/openvpn/easy-rsa/keys/VPNServer.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server-bridge 192.168.178.1 255.255.255.0 192.168.178.111 192.168.178.120
push "route-gateway 192.168.178.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 192.168.178.1"
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 3
La configuración de mi cliente se ve así.
port 1194
client
dev tap
proto udp
remote mydyndns
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
La configuración de mi interfaz para el servidor se ve así:
auto lo
iface lo inet loopback
allow-hotplug eth0
auto br0
iface br0 inet static
address 192.168.178.123
netmask 255.255.255.0
gateway 192.168.178.1
bridge_ports eth0
dns-nameservers 192.168.178.1
iface eth0 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down
Y mi rc.local
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
Y mi salida sysctl net.ipv4.ip_forward es net.ipv4.ip_forward = 1
La salida de mi registro de cliente es la siguiente:
Fri Sep 12 13:03:58 2014 OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 7 2014
Fri Sep 12 13:03:58 2014 library versions: OpenSSL 1.0.1i 6 Aug 2014, LZO 2.05
Enter Management Password:
Fri Sep 12 13:03:58 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Fri Sep 12 13:03:58 2014 Need hold release from management interface, waiting...
Fri Sep 12 13:03:59 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Fri Sep 12 13:03:59 2014 MANAGEMENT: CMD 'state on'
Fri Sep 12 13:03:59 2014 MANAGEMENT: CMD 'log all on'
Fri Sep 12 13:03:59 2014 MANAGEMENT: CMD 'hold off'
Fri Sep 12 13:03:59 2014 MANAGEMENT: CMD 'hold release'
Fri Sep 12 13:03:59 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Sep 12 13:03:59 2014 MANAGEMENT: >STATE:1410519839,RESOLVE,,,
Fri Sep 12 13:04:00 2014 UDPv4 link local: [undef]
Fri Sep 12 13:04:00 2014 UDPv4 link remote: [AF_INET]86.103.178.165:1194
Fri Sep 12 13:04:00 2014 MANAGEMENT: >STATE:1410519840,WAIT,,,
Fri Sep 12 13:04:00 2014 MANAGEMENT: >STATE:1410519840,AUTH,,,
Fri Sep 12 13:04:00 2014 TLS: Initial packet from [AF_INET]86.103.178.165:1194, sid=bebc894c 68e04336
Fri Sep 12 13:04:02 2014 VERIFY OK: depth=1, C=DE, ST=SH, L=Kiel, OU=changeme, CN=j0chn.spdns.de, name=changeme, [email protected]
Fri Sep 12 13:04:02 2014 VERIFY OK: nsCertType=SERVER
Fri Sep 12 13:04:02 2014 VERIFY OK: depth=0, C=DE, ST=SH, L=Kiel, OU=changeme, CN=j0chn.spdns.de, name=changeme, [email protected]
Fri Sep 12 13:04:05 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 12 13:04:05 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 12 13:04:05 2014 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 12 13:04:05 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 12 13:04:05 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Sep 12 13:04:05 2014 [j0chn.spdns.de] Peer Connection Initiated with [AF_INET]86.103.178.165:1194
Fri Sep 12 13:04:06 2014 MANAGEMENT: >STATE:1410519846,GET_CONFIG,,,
Fri Sep 12 13:04:08 2014 SENT CONTROL [j0chn.spdns.de]: 'PUSH_REQUEST' (status=1)
Fri Sep 12 13:04:08 2014 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.178.1,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 192.168.178.1,route-gateway 192.168.178.1,ping 10,ping-restart 120,ifconfig 192.168.178.112 255.255.255.0'
Fri Sep 12 13:04:08 2014 OPTIONS IMPORT: timers and/or timeouts modified
Fri Sep 12 13:04:08 2014 OPTIONS IMPORT: --ifconfig/up options modified
Fri Sep 12 13:04:08 2014 OPTIONS IMPORT: route options modified
Fri Sep 12 13:04:08 2014 OPTIONS IMPORT: route-related options modified
Fri Sep 12 13:04:08 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Sep 12 13:04:08 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Sep 12 13:04:08 2014 MANAGEMENT: >STATE:1410519848,ASSIGN_IP,,192.168.178.112,
Fri Sep 12 13:04:08 2014 open_tun, tt->ipv6=0
Fri Sep 12 13:04:08 2014 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{4DD19686-B673-493E-99DB-23F3D1AF7239}.tap
Fri Sep 12 13:04:08 2014 TAP-Windows Driver Version 9.21
Fri Sep 12 13:04:08 2014 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.178.112/255.255.255.0 on interface {4DD19686-B673-493E-99DB-23F3D1AF7239} [DHCP-serv: 192.168.178.0, lease-time: 31536000]
Fri Sep 12 13:04:08 2014 Successful ARP Flush on interface [25] {4DD19686-B673-493E-99DB-23F3D1AF7239}
Fri Sep 12 13:04:13 2014 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Fri Sep 12 13:04:13 2014 C:\WINDOWS\system32\route.exe ADD 86.103.178.165 MASK 255.255.255.255 192.168.42.129
Fri Sep 12 13:04:13 2014 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=10 and dwForwardType=4
Fri Sep 12 13:04:13 2014 Route addition via IPAPI succeeded [adaptive]
Fri Sep 12 13:04:13 2014 C:\WINDOWS\system32\route.exe ADD 192.168.42.129 MASK 255.255.255.255 192.168.42.129 IF 24
Fri Sep 12 13:04:13 2014 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=10 and dwForwardType=4
Fri Sep 12 13:04:13 2014 Route addition via IPAPI succeeded [adaptive]
Fri Sep 12 13:04:13 2014 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.178.1
Fri Sep 12 13:04:13 2014 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Fri Sep 12 13:04:13 2014 Route addition via IPAPI succeeded [adaptive]
Fri Sep 12 13:04:13 2014 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.178.1
Fri Sep 12 13:04:13 2014 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Fri Sep 12 13:04:13 2014 Route addition via IPAPI succeeded [adaptive]
Fri Sep 12 13:04:13 2014 Initialization Sequence Completed
Fri Sep 12 13:04:13 2014 MANAGEMENT: >STATE:1410519853,CONNECTED,SUCCESS,192.168.178.112,86.103.178.165
Edición 5: el nuevo registro del servidor.
Fri Sep 12 17:15:07 2014 MULTI: multi_create_instance called
Fri Sep 12 17:15:07 2014 109.47.193.65:62284 Re-using SSL/TLS context
Fri Sep 12 17:15:07 2014 109.47.193.65:62284 LZO compression initialized
Fri Sep 12 17:15:07 2014 109.47.193.65:62284 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Sep 12 17:15:07 2014 109.47.193.65:62284 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Sep 12 17:15:07 2014 109.47.193.65:62284 Local Options hash (VER=V4): 'f7df56b8'
Fri Sep 12 17:15:07 2014 109.47.193.65:62284 Expected Remote Options hash (VER=V4): 'd79ca330'
Fri Sep 12 17:15:07 2014 109.47.193.65:62284 TLS: Initial packet from [AF_INET]109.47.193.65:62284, sid=c07bdc21 48d01394
Fri Sep 12 17:15:08 2014 109.47.193.65:62284 VERIFY OK: depth=1, /C=DE/ST=SH/L=Kiel/OU=changeme/CN=j0chn.spdns.de/name=changeme/ema$
Fri Sep 12 17:15:08 2014 109.47.193.65:62284 VERIFY OK: depth=0, /C=DE/ST=SH/L=Kiel/OU=changeme/CN=j0chns/name=changeme/emailAddres$
Fri Sep 12 17:15:09 2014 109.47.193.65:62284 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 12 17:15:09 2014 109.47.193.65:62284 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 12 17:15:09 2014 109.47.193.65:62284 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 12 17:15:09 2014 109.47.193.65:62284 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 12 17:15:09 2014 109.47.193.65:62284 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Sep 12 17:15:09 2014 109.47.193.65:62284 [j0chns] Peer Connection Initiated with [AF_INET]109.47.193.65:62284
Fri Sep 12 17:15:09 2014 j0chns/109.47.193.65:62284 MULTI_sva: pool returned IPv4=192.168.178.111, IPv6=bccd:800:8ced:200:14c2:700:$
Fri Sep 12 17:15:11 2014 j0chns/109.47.193.65:62284 PUSH: Received control message: 'PUSH_REQUEST'
Fri Sep 12 17:15:11 2014 j0chns/109.47.193.65:62284 send_push_reply(): safe_cap=960
Fri Sep 12 17:15:11 2014 j0chns/109.47.193.65:62284 SENT CONTROL [j0chns]: 'PUSH_REPLY,route-gateway 192.168.178.1,redirect-gateway$
Fri Sep 12 17:15:11 2014 j0chns/109.47.193.65:62284 MULTI: Learn: 00:ff:4d:d1:96:86 -> j0chns/109.47.193.65:62284
Fri Sep 12 17:18:14 2014 MULTI: multi_create_instance called
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Re-using SSL/TLS context
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 LZO compression initialized
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Local Options hash (VER=V4): 'f7df56b8'
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Expected Remote Options hash (VER=V4): 'd79ca330'
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 TLS: Initial packet from [AF_INET]86.103.178.165:57350, sid=25abeaaa 58473451
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 VERIFY OK: depth=1, /C=DE/ST=SH/L=Kiel/OU=changeme/CN=j0chn.spdns.de/name=changeme/em$
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 VERIFY OK: depth=0, /C=DE/ST=SH/L=Kiel/OU=changeme/CN=j0chns/name=changeme/emailAddre$
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 [j0chns] Peer Connection Initiated with [AF_INET]86.103.178.165:57350
Fri Sep 12 17:18:14 2014 j0chns/86.103.178.165:57350 MULTI_sva: pool returned IPv4=192.168.178.112, IPv6=bccd:800:8ced:200:14c2:700$
Fri Sep 12 17:18:17 2014 j0chns/86.103.178.165:57350 PUSH: Received control message: 'PUSH_REQUEST'
Fri Sep 12 17:18:17 2014 j0chns/86.103.178.165:57350 send_push_reply(): safe_cap=960
Fri Sep 12 17:18:17 2014 j0chns/86.103.178.165:57350 SENT CONTROL [j0chns]: 'PUSH_REPLY,route-gateway 192.168.178.1,redirect-gatewa$
Fri Sep 12 17:18:18 2014 j0chns/86.103.178.165:57350 MULTI: Learn: 00:ff:4d:d1:96:86 -> j0chns/86.103.178.165:57350
Y otra edición:
aumenté el nivel detallado de 3 a 9 y obtuve nueva información:
Sat Sep 13 17:36:11 2014 us=76111 TLS State Error: No TLS state for client [AF_INET]86.103.202.242:55140, opcode=6
Sat Sep 13 17:36:11 2014 us=76308 GET INST BY REAL: 86.103.202.242:55140 [failed]
¿Quizás esto pueda ayudar?
fuente
sysctl net.ipv4.ip_forward
; qué distribución de Linux estás usandoRespuestas:
A su archivo de cliente le faltan la dirección IP del servidor remoto y la indicación del puerto en el que contactar al servidor. En otras palabras, te falta:
Además, no entiendo por qué está utilizando la subred 10.8.0.0/24 para sus clientes. Ya ha escogido un grifo de interfaz para un OpenVPN en puente (buena elección, hace que el acceso a todos los ordenadores de la LAN mucho más fácil sin costo adicional), así que no hay razón para usar una subred distinta. Su archivo de servidor debe contener las declaraciones
La primera instrucción indica al servidor que dibuje direcciones IP para clientes remotos en el grupo 192.168.178. (111-120). Solo asegúrese de que el servidor DHCP en su LAN no esté tratando de usar estas direcciones en sí mismo, en cuyo caso tendrá que elegir un grupo diferente para el grupo OpenVPN. Las otras declaraciones son obvias.
Por último, no debería haber necesidad de definir rutas separadas, aparte de las declaraciones anteriores.
EDITAR:
necesita cambiar iptables y hacer un puente en el servidor.
Cambie su archivo / etc / netorking / interfaces para que se vea así:
auto lo iface lo inet loopback
auto br0 iface br0 inet dirección estática 192.168.178.123 netmask 255.255.255.0 gateway 192.168.178.1 bridge_ports eth0 dns-nameservers 192.168.178.1
iface eth0 inet manual up ifconfig $ IFACE 0.0.0.0 up up conjunto de enlaces ip $ IFACE promisc on down enlace de ip set $ IFACE promisc off down ifconfig $ IFACE down
Reinicie el servidor para que esto surta efecto. Verifique que el servidor esté correctamente conectado a internet. Luego cambie las reglas de iptables de la siguiente manera:
Inicie el servidor OpenVPN y agregue la interfaz tap0 al puente,
Ahora intente conectarse desde el cliente.
EDITAR 2:
Esta regla de iptables
debiera ser
Además, utilice tap0 en lugar de tocar en el archivo de configuración del servidor. Reinicie y hágamelo saber, por favor.
fuente