[linux] OpenVPN, masquerading and routing
Ing. Jan ONDREJ
ondrejj na upjs.sk
Friday December 31 09:34:11 CET 2004
> I have a local network 192.168.0.0/16 that is connected to the internet through
> a firewall/router (let's call it FW1). FW1 has 2 network cards, eth0 and eth1.
> eth0 is the external interface with address 12.34.56.78, the internal interface
> has IP 192.168.0.1.
>
> On the internet there is another server (let's call it SERVER1), which has
> only one network card, eth0, and IP address 23.45.67.89.
>
> I have an encrypted OpenVPN tunnel running between FW1 and SERVER1. On FW1 the
> tunnel interface tun0 has IP address 10.0.0.2, the tun0 interface on SERVER1
> has IP 10.0.0.1. From both FW1 and SERVER1 I can ping both addresses
> 10.0.0.1 and 10.0.0.2, so the OpenVPN tunnel works without problems.
>
> On FW1 I have set up NAT, so any computer in the local network
> 192.168.0.0/16 can open a connection to any server on the internet.
> That server on the internet therefore sees the client from the local network
> under FW1's IP address, i.e. 12.34.56.78. That computer in the local network
> can also ping IP address 10.0.0.1, so it can reach SERVER1 over the encrypted
> channel. All of that is OK.
>
> How do I make all traffic from the local network go first over the encrypted
> channel to SERVER1, get NATed again there, and go out to the internet as
> connections apparently coming from SERVER1? What do I have to change in the
> current configuration?
>
> The current configuration is roughly as follows:
>
> SERVER1:
> ------------------------------------------%<------------------------------------------
> root na server1# route -n
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 10.0.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
> 23.45.67.0 0.0.0.0 255.255.254.0 U 0 0 0 eth0
> 0.0.0.0 23.45.67.1 0.0.0.0 UG 0 0 0 eth0
>
> root na server1# ifconfig
> eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
> inet addr:23.45.67.89 Bcast:23.45.67.255 Mask:255.255.255.0
> inet6 addr: xxxx::xxxx:xxxx::xxx:xxx/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:6649872 errors:0 dropped:0 overruns:0 frame:3
> TX packets:520015 errors:0 dropped:0 overruns:0 carrier:0
> collisions:21212 txqueuelen:1000
> RX bytes:959800416 (915.3 MiB) TX bytes:403275559 (384.5 MiB)
> Interrupt:11 Base address:0xe000
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:31943 errors:0 dropped:0 overruns:0 frame:0
> TX packets:31943 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:66187669 (63.1 MiB) TX bytes:66187669 (63.1 MiB)
>
> tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-10-00-00-00-00-00-00-00-00-00
> inet addr:10.0.0.1 P-t-P:10.0.0.2 Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
> RX packets:240851 errors:0 dropped:0 overruns:0 frame:0
> TX packets:259510 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:100
> RX bytes:20156007 (19.2 MiB) TX bytes:308591266 (294.2 MiB)
> ------------------------------------------%<------------------------------------------
>
> FW1:
> ------------------------------------------%<------------------------------------------
> root na fw1# route -n
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 10.0.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
> 12.34.56.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
> 0.0.0.0 12.34.56.1 0.0.0.0 UG 0 0 0 eth0
Here you have to add a route to SERVER1 via the current gateway, and route
everything else via tun0.
route add -host 23.45.67.89 gw 12.34.56.1
# the old default route has to go first, otherwise "route add default" fails with "File exists"
route del default gw 12.34.56.1
route add default gw 10.0.0.1
# if I got the syntax wrong, fix it :)
>
> root na fw1# ifconfig
> eth0 Link encap:Ethernet HWaddr 00:00:21:D8:3A:5B
> inet addr:12.34.56.78 Bcast:255.255.255.255 Mask:255.255.255.0
> inet6 addr: xxxx::xxxx:xxxx::xxx:xxx/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:12466 errors:0 dropped:0 overruns:0 frame:0
> TX packets:16056 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:3895721 (3.7 MiB) TX bytes:1716209 (1.6 MiB)
> Interrupt:11 Base address:0xdc00
>
> eth1 Link encap:Ethernet HWaddr 00:00:21:EF:65:D4
> inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
> inet6 addr: fe80::200:21ff:feef:65d4/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:52140 errors:0 dropped:0 overruns:0 frame:0
> TX packets:52151 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:4246376 (4.0 MiB) TX bytes:31442969 (29.9 MiB)
> Interrupt:12 Base address:0xda00
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:1261 errors:0 dropped:0 overruns:0 frame:0
> TX packets:1261 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:93993 (91.7 KiB) TX bytes:93993 (91.7 KiB)
>
> tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-10-00-00-00-00-00-00-00-00-00
> inet addr:10.0.0.2 P-t-P:10.0.0.1 Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
> RX packets:3892 errors:0 dropped:0 overruns:0 frame:0
> TX packets:3449 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:100
> RX bytes:4348623 (4.1 MiB) TX bytes:318215 (310.7 KiB)
> ------------------------------------------%<------------------------------------------
>
> On FW1 I create the NAT like this:
>
> -----------------------------------%<-----------------------------------
> ...some iptables rules
> iptables -t nat -A POSTROUTING -s 192.168.0.1/255.255.255.0 -o eth0 -j MASQUERADE
> ...some more rules
> -----------------------------------%<-----------------------------------
>
> When I replaced eth0 with tun0 in the iptables command above, NAT somehow didn't work.
You'll probably have to change that too, but the routing first.
Alternatively you don't need the -o at all, iptables will figure it out itself.
SAL
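The complete setup the reply sketches, as an added example that is not part of the original thread: on FW1 the OpenVPN peer stays reachable via the ISP gateway, the default route moves into tun0 and the LAN is masqueraded on tun0 (the change the poster tried); SERVER1 then has to forward and masquerade the tunnel address on its eth0. It assumes iproute2 and a tun0 that is already up, and DRY_RUN=1 only prints the commands.

```shell
#!/bin/sh
# Added example for the topology in the thread (addresses taken from the post).
set -eu

LAN=192.168.0.0/24          # LAN behind FW1 (the posted route table shows a /24)
ISP_GW=12.34.56.1           # FW1's physical default gateway
SERVER1_PUB=23.45.67.89     # public address of the OpenVPN peer
FW1_TUN=10.0.0.2            # FW1's end of the tunnel
SERVER1_TUN=10.0.0.1        # SERVER1's end of the tunnel

# Execute a command, or just print it when DRY_RUN=1 (assumed helper).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# FW1: the tunnel endpoint must keep going out via eth0, or the tunnel
# would be routed into itself; everything else goes to SERVER1 through tun0.
# "ip route replace" overwrites the existing default, so no "File exists".
# The LAN is masqueraded on tun0 instead of eth0, so SERVER1 only ever
# sees 10.0.0.2 as the source.
fw1_setup() {
    run ip route replace "$SERVER1_PUB" via "$ISP_GW" dev eth0
    run ip route replace default via "$SERVER1_TUN" dev tun0
    run sysctl -qw net.ipv4.ip_forward=1
    run iptables -t nat -D POSTROUTING -s "$LAN" -o eth0 -j MASQUERADE || true
    run iptables -t nat -A POSTROUTING -s "$LAN" -o tun0 -j MASQUERADE
}

# SERVER1: forwarding must be on and the tunnel address must be
# masqueraded behind the public eth0 address. The return path to
# 10.0.0.2 already exists as the point-to-point route on tun0.
server1_setup() {
    run sysctl -qw net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$FW1_TUN" -o eth0 -j MASQUERADE
}

# Usage: ./vpn-default.sh fw1   (on FW1)   or   ./vpn-default.sh server1
if [ "$#" -gt 0 ]; then
    case "$1" in
        fw1) fw1_setup ;;
        server1) server1_setup ;;
        *) echo "usage: $0 fw1|server1" >&2; exit 2 ;;
    esac
fi
```

After applying it, a LAN host's traffic should show up on the internet with source 23.45.67.89, and `ip route get 8.8.8.8` on FW1 should report `dev tun0`.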