Portál AbcLinuxu, 5 May 2025 21:40
But the point is that I want to connect 2 sites so that they can see each other. That means a user on network B can reach the data storage on A and vice versa (and I don't really want them in one IP range). Yesterday I tried everything possible, bridging etc., but so far I haven't managed it. Is it better if everyone has the same IP range? I'd welcome advice.
Solution to the question:
    client-to-client

And push route for both subnets. I would definitely keep separate subnets; sharing one would be an extra complication.
NN
    mode server
    #local 192.168.1.2
    port 443
    #proto tcp
    proto tcp-server
    dev tap0
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/server.crt
    key /etc/openvpn/keys/server.key
    dh /etc/openvpn/keys/dh1024.pem
    10.1.1.0 255.255.255.0 #VPN network
    push "route 192.168.1.0 255.255.255.0"
    # route-up "route delete -net 10.1.1.0/24"
    route-up "route add -net 10.1.1.0/24 tun0"
    client-config-dir ccd
    route 192.168.1.0 255.255.255.0
    #
    #server-bridge 192.168.1.2 255.255.255.0 192.168.1.128 192.168.1.254
    #server 10.1.1.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    client-to-client
    keepalive 10 120
    comp-lzo
    user nobody
    group nogroup
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    ;mute 20
    log /var/log/openvpn.log

This is the server config. So, use different subnets. But how do I get what is behind the server to be visible to the other VPN users as well?
    #!/bin/bash
    #################################
    # Script settings for the Ethernet bridge,
    # VPN and NAT
    #################################
    # bridge name
    br="br0"
    # VPN adapter
    tap="tap0"
    # NIC settings
    eth="eth0"
    eth_ip="192.168.1.2"
    eth_netmask="255.255.255.0"
    # IP address of the Internet gateway
    gat="192.168.1.1"

    # stop the VPN server
    /etc/init.d/openvpn stop

    # create tap0
    for t in $tap; do
        openvpn --mktun --dev $t
    done

    # flush IP addresses
    for t in $tap; do
        ip addr flush dev $t
    done
    for t in $eth; do
        ip addr flush dev $t
    done

    # set promiscuous mode on both interfaces
    for t in $tap; do
        ifconfig $t promisc up
    done
    for t in $eth; do
        ifconfig $t promisc up
    done

    # add br0 and enslave the NIC and the tap device
    brctl addbr $br
    brctl addif $br $eth
    for t in $tap; do
        brctl addif $br $t
    done

    # bring br0 up with the NIC's former address
    ifconfig $br $eth_ip netmask $eth_netmask up

    # start the VPN
    /etc/init.d/openvpn start

    # add the default gateway
    route add default gateway $gat
    #route add -net 192.168.1.0 netmask 255.255.255.0 gateway $gat
    push "route 192.168.2.0 255.255.255.0"

NN
    server 192.168.2.0 255.255.255.0         #VPN network
    push "route 192.168.1.0 255.255.255.0"   # server's network (NAT)
    push "route 192.168.2.0 255.255.255.0"   # clients' network
    #route-up "route delete -net 10.1.1.0/24"
    #route-up "route add -net 10.1.1.0/24 tun0"
    client-config-dir ccd
    route 192.168.1.0 255.255.255.0          # so that VPN clients can route into the network

Server routing table:
    :~# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 tap0
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
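The server config above has `client-config-dir ccd` and a server-side `route`, but nothing in the thread shows the ccd file with `iroute` that ties a server `route` to the client owning that LAN, nor a check that the VPN pool is disjoint from both LANs (the question of whether both sites may share one range). The script below is an added example, not code from the thread: it parses a server.conf and a set of ccd files and reports the routing mistakes that recur in this thread, plus the weak defaults visible in the client log later on (no explicit `cipher`, so BF-CBC is negotiated; 1024-bit DH parameters). The subnets (192.168.1.0/24 behind the server, 192.168.2.0/24 as the pool, 192.168.3.0/24 behind a client whose certificate CN is "site-b") and the sample config text are constructed for the demo.

```python
"""Lint an OpenVPN routed site-to-site setup: server.conf plus ccd/ files.

Added example, not code from the thread. Assumed layout (demo values):
  192.168.1.0/24  LAN behind the OpenVPN server (pushed to clients)
  192.168.2.0/24  VPN address pool ('server' directive)
  192.168.3.0/24  LAN behind the client whose certificate CN is "site-b"
"""
import ipaddress
import shlex

# Constructed sample server.conf in the shape used in the thread
SERVER_CONF = """
server 192.168.2.0 255.255.255.0            # VPN pool
push "route 192.168.1.0 255.255.255.0"      # server LAN, installed on every client
push "route 192.168.2.0 255.255.255.0"      # redundant: this is the pool itself
route 192.168.3.0 255.255.255.0             # kernel route for the site-b LAN -> tun
client-config-dir ccd
client-to-client
;mute 20
"""

# Constructed ccd/ directory: file name (client CN) -> contents
CCD = {"site-b": "iroute 192.168.3.0 255.255.255.0\n"}


def tokens(line):
    """Split one config line the way OpenVPN does: quotes group, '#'/';' start comments."""
    lex = shlex.shlex(line, posix=True)
    lex.commenters = "#;"
    lex.whitespace_split = True
    return list(lex)


def net(addr, mask="255.255.255.255"):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_server(text):
    cfg = {"pool": None, "push": [], "route": [], "cipher": None, "dh": None, "ccd": None}
    for raw in text.splitlines():
        t = tokens(raw)
        if not t:
            continue
        d, a = t[0], t[1:]
        if d == "server" and len(a) >= 2:
            cfg["pool"] = net(a[0], a[1])
        elif d == "push" and a:
            p = a[0].split()  # the quoted option, e.g. 'route 192.168.1.0 255.255.255.0'
            if len(p) >= 3 and p[0] == "route":
                cfg["push"].append(net(p[1], p[2]))
        elif d == "route" and len(a) >= 2:
            cfg["route"].append(net(a[0], a[1]))
        elif d in ("cipher", "dh", "client-config-dir") and a:
            cfg["ccd" if d == "client-config-dir" else d] = a[0]
    return cfg


def parse_ccd(ccd):
    """Return (client_name, network) for every iroute in the ccd files."""
    out = []
    for name, text in ccd.items():
        for raw in text.splitlines():
            t = tokens(raw)
            if len(t) >= 2 and t[0] == "iroute":
                out.append((name, net(t[1], t[2] if len(t) > 2 else "255.255.255.255")))
    return out


def check(server_conf, ccd):
    """Return a list of (level, message) findings; level is 'error' or 'warn'."""
    cfg, iroutes = parse_server(server_conf), parse_ccd(ccd)
    findings = []
    pool = cfg["pool"]
    if pool is None:
        return [("error", "no 'server' directive, so no address pool")]
    # 1. pool and LAN subnets must be disjoint (the "one IP range for both sites?" question)
    seen = [pool]
    for n in cfg["push"] + cfg["route"]:
        if n == pool:
            findings.append(("warn", f"{n} is the VPN pool itself; 'server' already routes it on both ends"))
            continue
        for m in seen:
            if m != n and m.overlaps(n):
                findings.append(("error", f"{n} overlaps {m}; use disjoint ranges for the pool and both LANs"))
        seen.append(n)
    # 2. a server-side 'route' into the tunnel needs an 'iroute' naming the owning client
    routed = {n for n in cfg["route"] if n != pool}
    claimed = {n for _, n in iroutes}
    for n in sorted(routed - claimed, key=str):
        findings.append(("error", f"'route {n}' has no iroute in any ccd file: the kernel sends the packets to tun, "
                                  f"but OpenVPN cannot tell which client owns {n} and drops them"))
    for name, n in iroutes:
        if n not in routed:
            findings.append(("error", f"ccd/{name} has 'iroute {n}' but server.conf has no 'route {n}', "
                                      f"so the kernel never hands that traffic to the tunnel"))
    if iroutes and cfg["ccd"] is None:
        findings.append(("error", "iroute files present but 'client-config-dir' is not set"))
    # 3. weak defaults visible in the thread's client log
    if cfg["cipher"] is None:
        findings.append(("warn", "no 'cipher' set: OpenVPN 2.3 and older negotiate BF-CBC (64-bit block) by default"))
    if cfg["dh"] and "1024" in cfg["dh"]:
        findings.append(("warn", f"'{cfg['dh']}' looks like 1024-bit DH parameters; regenerate with 2048 bits or more"))
    return findings


if __name__ == "__main__":
    for level, msg in check(SERVER_CONF, CCD):
        print(f"{level}: {msg}")
```

What the script cannot see from server.conf is the second half of the recipe: `net.ipv4.ip_forward=1` on the server and on the client gateway, and a return route on each LAN's default gateway pointing the remote subnets at the OpenVPN box (or the MASQUERADE workaround that appears later in the thread). Apply the same disjointness test to the client LANs by hand.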
The last step, and one that is often forgotten, is to add a route to the server's LAN gateway which directs 192.168.4.0/24 to the OpenVPN server box.
NN
    server:~# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.1.1.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    10.1.1.0        10.1.1.2        255.255.255.0   UG    0      0        0 tun0
    0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
    server:~# ifconfig
    eth0      Link encap:Ethernet  HWaddr 70:71:bc:6b:cf:3b
              inet addr:192.168.1.2  Bcast:192.168.1.254  Mask:255.255.255.0
              inet6 addr: fe80::7271:bcff:fe6b:cf3b/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:112285641 errors:0 dropped:0 overruns:0 frame:0
              TX packets:63398330 errors:0 dropped:32 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:4294223257 (3.9 GiB)  TX bytes:1859404317 (1.7 GiB)
              Interrupt:218 Base address:0xa000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:476795 errors:0 dropped:0 overruns:0 frame:0
              TX packets:476795 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:64154220 (61.1 MiB)  TX bytes:64154220 (61.1 MiB)

    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.1.1.1  P-t-P:10.1.1.2  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    server:~#

Client OpenVPN log:
    tail -f /var/log/openvpn.log
    Sun Oct 31 11:32:49 2010 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
    Sun Oct 31 11:32:49 2010 Local Options hash (VER=V4): '69109d17'
    Sun Oct 31 11:32:49 2010 Expected Remote Options hash (VER=V4): 'c0103fa8'
    Sun Oct 31 11:32:49 2010 Attempting to establish TCP connection with IP:443 [nonblock]
    Sun Oct 31 11:32:50 2010 TCP connection established with IP:443
    Sun Oct 31 11:32:50 2010 TCPv4_CLIENT link local: [undef]
    Sun Oct 31 11:32:50 2010 TCPv4_CLIENT link remote: IP:443
    Sun Oct 31 11:32:50 2010 TLS: Initial packet from IP:443, sid=eba06d60 3f36bee1
    Sun Oct 31 11:32:52 2010 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/emailAddress=me@myhost.mydomain
    Sun Oct 31 11:32:52 2010 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailAddress=me@myhost.mydomain
    Sun Oct 31 11:32:55 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sun Oct 31 11:32:55 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sun Oct 31 11:32:55 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sun Oct 31 11:32:55 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sun Oct 31 11:32:55 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Sun Oct 31 11:32:55 2010 [server] Peer Connection Initiated with blabalaa
    Sun Oct 31 11:32:57 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Sun Oct 31 11:32:57 2010 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.1.1.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.1.1.6 10.1.1.5'
    Sun Oct 31 11:32:57 2010 OPTIONS IMPORT: timers and/or timeouts modified
    Sun Oct 31 11:32:57 2010 OPTIONS IMPORT: --ifconfig/up options modified
    Sun Oct 31 11:32:57 2010 OPTIONS IMPORT: route options modified
    Sun Oct 31 11:32:57 2010 ROUTE default_gateway=10.253.151.70
    Sun Oct 31 11:32:57 2010 TUN/TAP device tun0 opened
    Sun Oct 31 11:32:57 2010 TUN/TAP TX queue length set to 100
    Sun Oct 31 11:32:57 2010 /sbin/ifconfig tun0 10.1.1.6 pointopoint 10.1.1.5 mtu 1500
    Sun Oct 31 11:32:57 2010 /sbin/route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.1.1.5
    Sun Oct 31 11:32:57 2010 /sbin/route add -net 10.1.1.0 netmask 255.255.255.0 gw 10.1.1.5
    Sun Oct 31 11:32:57 2010 Initialization Sequence Completed

Client routing table + ifconfig:
    [root@Lister marek]# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.1.1.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
    192.168.1.0     10.1.1.5        255.255.255.0   UG    0      0        0 tun0
    10.1.1.0        10.1.1.5        255.255.255.0   UG    0      0        0 tun0
    10.0.0.0        0.0.0.0         255.0.0.0       U     1      0        0 eth1
    0.0.0.0         IP              0.0.0.0         UG    0      0        0 eth1
    [root@Lister marek]# ifconfig
    eth1      Link encap:Ethernet  HWaddr 00:30:04:00:AC:0E
              inet addr:IP  Bcast:10.255.255.255  Mask:255.0.0.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:195 errors:0 dropped:0 overruns:0 frame:0
              TX packets:193 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:31552 (30.8 Kb)  TX bytes:25274 (24.6 Kb)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:4 errors:0 dropped:0 overruns:0 frame:0
              TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:280 (280.0 b)  TX bytes:280 (280.0 b)

    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.1.1.6  P-t-P:10.1.1.5  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

I've tried a lot, but so far I haven't managed it...
    iptables -t nat -A POSTROUTING -s 10.1.1.6 -o eth0 -j MASQUERADE

Maybe it will help someone...
    server:~# cat /etc/openvpn/server.conf
    mode server
    local 192.168.1.2
    port 443
    proto tcp-server
    dev tun
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/server.crt
    key /etc/openvpn/keys/server.key
    dh /etc/openvpn/keys/dh1024.pem
    server 192.168.2.0 255.255.255.0
    push "route 192.168.1.0 255.255.255.0"
    ifconfig-pool-persist ipp.txt
    client-to-client
    keepalive 10 120
    comp-lzo
    user nobody
    group nogroup
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    ping 15
    ping-restart 45
    ping-timer-rem
    ;mute 20
    log /var/log/openvpn.log
    server:~#

Routing table + ifconfig:
    server:~# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.2.2     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
    192.168.2.0     192.168.2.2     255.255.255.0   UG    0      0        0 tun0
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
    server:~# ifconfig
    eth0      Link encap:Ethernet  HWaddr 70:71:bc:6b:cf:3b
              inet addr:192.168.1.2  Bcast:192.168.1.254  Mask:255.255.255.0
              inet6 addr: fe80::7271:bcff:fe6b:cf3b/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1758340 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2371836 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:883648193 (842.7 MiB)  TX bytes:3065624284 (2.8 GiB)
              Interrupt:219 Base address:0xa000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:20485 errors:0 dropped:0 overruns:0 frame:0
              TX packets:20485 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:2563045 (2.4 MiB)  TX bytes:2563045 (2.4 MiB)

    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:192.168.2.1  P-t-P:192.168.2.2  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:564 errors:0 dropped:0 overruns:0 frame:0
              TX packets:386 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:52018 (50.7 KiB)  TX bytes:45320 (44.2 KiB)
    server:~#

And I want to ask: is the option push "route add" different from push "route"? (The question is really about the "add" part.)
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:192.168.2.1  P-t-P:192.168.2.2  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:390 errors:0 dropped:0 overruns:0 frame:0
              TX packets:602 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:47688 (46.5 Kb)  TX bytes:59578 (58.1 Kb)

Why does tun0 show P-t-P:192.168.2.2 (where did the .2 come from?) and a netmask of 255.255.255.255 when the config uses
    server 192.168.2.0 255.255.255.0
    push "route 192.168.1.0 255.255.255.0"

So is the first line in the server's routing table necessary?
    server:~# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.2.2     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
    192.168.2.0     192.168.2.2     255.255.255.0   UG    0      0        0 tun0
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

Thanks, in the meantime I'll read up on it...
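The P-t-P address and the /32 mask asked about above follow from `topology net30`, which the client log earlier in the thread shows being pushed and which was the OpenVPN 2.x default at the time: the pool is carved into /30 blocks, the server keeps block 0 (.1 for itself, .2 as a virtual peer that only exists to give the point-to-point interface a far end), and each client receives the next block with the 3rd address as its own and the 2nd as its peer, which is exactly the `ifconfig 10.1.1.6 10.1.1.5` in the log. The first routing-table line is the host route to that virtual peer; the second sends the whole pool through it. The following Python is an added example, not code from the thread, that reproduces those assignments for any pool and contrasts them with `topology subnet`, where no addresses are wasted on virtual peers; the pools used are the thread's own.

```python
"""Addresses OpenVPN assigns under 'topology net30' versus 'topology subnet'.

Added example, not code from the thread; it only explains the P-t-P and /32
values in the ifconfig and route output above. Index 0 is the server's own
slot, index k >= 1 the k-th client in pool order.
"""
import ipaddress


def net30_endpoints(pool, index):
    """Return (local, peer) for /30 block `index` of `pool` under topology net30.

    Block 0 is the server: local .1, virtual peer .2 (hence tun0 shows P-t-P .2
    with a 255.255.255.255 mask). A client in block k is configured with the
    block's 3rd address as local and its 2nd address as the peer.
    """
    net = ipaddress.ip_network(pool)
    base = int(net.network_address) + 4 * index
    if base + 3 > int(net.broadcast_address):
        raise ValueError("pool exhausted")
    first, second = str(ipaddress.ip_address(base + 1)), str(ipaddress.ip_address(base + 2))
    return (first, second) if index == 0 else (second, first)


def subnet_endpoints(pool, index):
    """Return (address, netmask) under topology subnet: server .1, clients .2, .3, ...
    all with the pool's real mask, so a /24 serves 253 clients instead of 63."""
    net = ipaddress.ip_network(pool)
    addr = int(net.network_address) + 1 + index
    if addr >= int(net.broadcast_address):
        raise ValueError("pool exhausted")
    return str(ipaddress.ip_address(addr)), str(net.netmask)


def server_kernel_routes(pool):
    """The two tun0 entries the 'server' directive installs under net30, in the
    order 'route -n' prints them: a host route to the virtual peer, then the
    whole pool via that peer. Each tuple is (Destination, Gateway, Genmask, Flags)."""
    net = ipaddress.ip_network(pool)
    _, peer = net30_endpoints(pool, 0)
    return [
        (peer, "0.0.0.0", "255.255.255.255", "UH"),
        (str(net.network_address), peer, str(net.netmask), "UG"),
    ]


def net30_capacity(pool):
    """Number of clients a pool can serve under net30 (one /30 per client, block 0 is the server)."""
    return ipaddress.ip_network(pool).num_addresses // 4 - 1


if __name__ == "__main__":
    print("server tun0 under net30:", net30_endpoints("10.1.1.0/24", 0))    # ('10.1.1.1', '10.1.1.2')
    print("first client under net30:", net30_endpoints("10.1.1.0/24", 1))   # ('10.1.1.6', '10.1.1.5')
    for row in server_kernel_routes("192.168.2.0/24"):
        print(*row)
    print("clients per /24: net30", net30_capacity("192.168.2.0/24"),
          "subnet", ipaddress.ip_network("192.168.2.0/24").num_addresses - 3)
```

So the first routing-table line is not something to add or remove by hand: OpenVPN installs it when it configures tun0, and removing it would break the second line, whose gateway is that very peer. Switching to `topology subnet` on both ends replaces the pair with a single ordinary /24 route on tun0.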
    mode server
    tls-server
    dev tap0
    # port - UDP port 1194
    # Route to floor 1
    push "route 192.168.1.0 255.255.255.0 10.10.10.254"
    # Route to floor 2
    push "route 192.168.2.0 255.255.255.0 10.10.10.254"
    duplicate-cn
    # CA section
    ca /etc/ssl/Firma_CA/cacert.pem
    dh /etc/ssl/Firma_CA/dh1024.pem
    cert /etc/ssl/Firma_CA/certs/servercert.crt
    key /etc/ssl/Firma_CA/certs/serverkey.key
    log-append /var/log/openvpn
    status /var/run/openvpn/vpn.status 10
    # Client certificates
    client-config-dir /etc/openvpn/klient
    user nobody
    group nobody
    comp-lzo
    verb 3
ISSN 1214-1267, (c) 1999-2007 Stickfish s.r.o.