[linux] OpenVPN, masquerading and routing
Lubomir Host
rajo at platon.sk
Fri Dec 31 01:22:36 CET 2004
Greetings.
I have a small problem with my network configuration.
I have a local network 192.168.0.0/16 that is connected to the internet
through a firewall/router (let's call it FW1). FW1 has two network cards,
eth0 and eth1. eth0 is the external interface with address 12.34.56.78;
the internal interface has IP 192.168.0.1.
On the internet there is another server (let's call it SERVER1), which
has only one network card, eth0, with IP address 23.45.67.89.
I have an encrypted OpenVPN tunnel running between FW1 and SERVER1. On
FW1 the tunnel interface tun0 has IP address 10.0.0.2; the tun0 interface
on SERVER1 has IP 10.0.0.1. From both FW1 and SERVER1 I can ping both
addresses 10.0.0.1 and 10.0.0.2, so the OpenVPN tunnel works without
problems.
On FW1 I have NAT running, so any computer in the local network
192.168.0.0/16 can open a connection to any server on the internet.
That server on the internet therefore sees the client from the local
network under FW1's IP address, i.e. 12.34.56.78. This computer in the
local network can also ping the IP address 10.0.0.1, so it can reach
SERVER1 over the encrypted channel. All of that is OK.
How do I make all traffic from the local network go first through the
encrypted channel to SERVER1, get NATed again there, and leave for the
internet as if the connections came from SERVER1? What do I have to
change in the current configuration?
The current configuration is roughly as follows:
SERVER1:
------------------------------------------%<------------------------------------------
root na server1# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
23.45.67.0 0.0.0.0 255.255.254.0 U 0 0 0 eth0
0.0.0.0 23.45.67.1 0.0.0.0 UG 0 0 0 eth0
root na server1# ifconfig
eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:23.45.67.89 Bcast:23.45.67.255 Mask:255.255.255.0
inet6 addr: xxxx::xxxx:xxxx::xxx:xxx/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6649872 errors:0 dropped:0 overruns:0 frame:3
TX packets:520015 errors:0 dropped:0 overruns:0 carrier:0
collisions:21212 txqueuelen:1000
RX bytes:959800416 (915.3 MiB) TX bytes:403275559 (384.5 MiB)
Interrupt:11 Base address:0xe000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:31943 errors:0 dropped:0 overruns:0 frame:0
TX packets:31943 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:66187669 (63.1 MiB) TX bytes:66187669 (63.1 MiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-10-00-00-00-00-00-00-00-00-00
inet addr:10.0.0.1 P-t-P:10.0.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:240851 errors:0 dropped:0 overruns:0 frame:0
TX packets:259510 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:20156007 (19.2 MiB) TX bytes:308591266 (294.2 MiB)
------------------------------------------%<------------------------------------------
FW1:
------------------------------------------%<------------------------------------------
root na fw1# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
12.34.56.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 12.34.56.1 0.0.0.0 UG 0 0 0 eth0
root na fw1# ifconfig
eth0 Link encap:Ethernet HWaddr 00:00:21:D8:3A:5B
inet addr:12.34.56.78 Bcast:255.255.255.255 Mask:255.255.255.0
inet6 addr: xxxx::xxxx:xxxx::xxx:xxx/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:12466 errors:0 dropped:0 overruns:0 frame:0
TX packets:16056 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3895721 (3.7 MiB) TX bytes:1716209 (1.6 MiB)
Interrupt:11 Base address:0xdc00
eth1 Link encap:Ethernet HWaddr 00:00:21:EF:65:D4
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::200:21ff:feef:65d4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:52140 errors:0 dropped:0 overruns:0 frame:0
TX packets:52151 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4246376 (4.0 MiB) TX bytes:31442969 (29.9 MiB)
Interrupt:12 Base address:0xda00
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1261 errors:0 dropped:0 overruns:0 frame:0
TX packets:1261 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:93993 (91.7 KiB) TX bytes:93993 (91.7 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-10-00-00-00-00-00-00-00-00-00
inet addr:10.0.0.2 P-t-P:10.0.0.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:3892 errors:0 dropped:0 overruns:0 frame:0
TX packets:3449 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:4348623 (4.1 MiB) TX bytes:318215 (310.7 KiB)
------------------------------------------%<------------------------------------------
On FW1 I set up NAT like this:
-----------------------------------%<-----------------------------------
...some iptables rules
iptables -t nat -A POSTROUTING -s 192.168.0.1/255.255.255.0 -o eth0 -j MASQUERADE
...some more rules
-----------------------------------%<-----------------------------------
When I replaced eth0 with tun0 in the iptables command above, NAT somehow
didn't work.
Thanks, rajo
--
Lubomir Host 'rajo' <rajo AT platon.sk> ICQ #: 257322664
Platon Software Development Group http://platon.sk/
http://www.gnu.org/philosophy/no-word-attachments.html
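Added example, not part of the original post: a shell script that does the two halves of what the question asks, routing the LAN into tun0 on FW1 and NATing it a second time on SERVER1, using the addresses given in the message. The reason the plain eth0 -> tun0 swap in the MASQUERADE rule changed nothing is that the nat POSTROUTING chain runs after the routing decision: as long as FW1's default route points at eth0, no LAN packet ever has tun0 as its outgoing interface, so a "-o tun0" rule has nothing to match. The script therefore pins a host route for SERVER1's public address (so the tunnel's own UDP packets still leave via eth0), moves the default route into the tunnel, masquerades the LAN behind 10.0.0.2 on tun0, and on SERVER1 turns on forwarding plus a second MASQUERADE on eth0. The run() helper, the variable names, the /16 LAN size (taken from the text; the route table shows a /24) and the FORWARD policy are my assumptions, not anything from the original configuration.

```shell
#!/bin/sh
# Added example (not from the original post): send FW1's LAN through the
# OpenVPN tunnel and NAT it a second time on SERVER1.
# Assumed from the post: FW1 eth0 12.34.56.78 (upstream gw 12.34.56.1),
# tun0 10.0.0.2 <-> 10.0.0.1, SERVER1 eth0 23.45.67.89, LAN 192.168.0.0/16.
# Set DRY_RUN=1 to print the commands instead of executing them (root needed otherwise).

LAN=192.168.0.0/16
FW1_GW=12.34.56.1          # FW1's upstream gateway (from its route -n)
SERVER1_PUB=23.45.67.89    # tunnel endpoint; must stay reachable outside the tunnel
FW1_TUN=10.0.0.2
SERVER1_TUN=10.0.0.1

# Hypothetical helper: echo in dry-run mode, otherwise execute.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# FW1 side. The original "-o tun0 -j MASQUERADE" never matched because
# LAN packets were still routed out eth0; the outgoing interface has to be
# tun0 before a POSTROUTING rule on tun0 can see them.
fw1_config() {
    run sysctl -w net.ipv4.ip_forward=1
    # Keep the tunnel's own packets going out eth0 before the default route
    # moves, otherwise the tunnel would be routed into itself.
    run ip route add "$SERVER1_PUB/32" via "$FW1_GW" dev eth0
    # Everything else goes into the tunnel.
    run ip route replace default via "$SERVER1_TUN" dev tun0
    # Weak (original): -s 192.168.0.1/255.255.255.0 -o eth0 only ever covered
    # 192.168.0.0/24 and only on eth0.
    # Corrected: NAT the whole LAN behind 10.0.0.2 when it leaves via tun0, so
    # SERVER1 needs no route back to 192.168.0.0/16.
    run iptables -t nat -A POSTROUTING -s "$LAN" -o tun0 -j MASQUERADE
    run iptables -A FORWARD -i eth1 -o tun0 -s "$LAN" -j ACCEPT
    run iptables -A FORWARD -i tun0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Nothing from the LAN may bypass the tunnel and leave eth0 in the clear.
    run iptables -A FORWARD -i eth1 -o eth0 -s "$LAN" -j DROP
}

# SERVER1 side: forward what arrives from 10.0.0.2 and NAT it behind 23.45.67.89.
server1_config() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$FW1_TUN/32" -o eth0 -j MASQUERADE
    run iptables -A FORWARD -i tun0 -o eth0 -s "$FW1_TUN/32" -j ACCEPT
    run iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Dispatch only when a side is named, so sourcing the file does nothing.
if [ "$#" -gt 0 ]; then
    case "$1" in
        fw1)     fw1_config ;;
        server1) server1_config ;;
        *) echo "usage: $0 fw1|server1   (DRY_RUN=1 to only print)" >&2; exit 1 ;;
    esac
fi
```

Run "DRY_RUN=1 sh vpn-nat.sh fw1" first and read the commands before applying them on the real box; the order matters, the host route to 23.45.67.89 has to exist before the default route is replaced. OpenVPN can do the FW1 routing half itself with its --redirect-gateway option (the def1 variant adds two /1 routes instead of replacing the default), which leaves only the MASQUERADE and FORWARD rules to add by hand.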