[linux] OpenVPN, masquerading and routing

Lubomir Host rajo at platon.sk
Tuesday January 4 21:59:26 CET 2005


On Tue, Jan 04, 2005 at 04:42:59PM +0100, Pogac Daniel wrote:
> In my opinion the previous mail led you astray.
> On server1 you have to add
> route add net 192.168.0.0 mask 255.255.255.0 gw 10.0.0.2

You're right, this command helped in that from server1 I can ping the
machines with local addresses behind fw1. The correct syntax in my case, however, was:

route add -net 192.168.0.0/16 gw 10.0.0.2

Another reason it probably wasn't working was, by all appearances, a very
strict firewall (that is, both firewalls). Once I allowed all traffic
on the tun+ and tap+ devices and added the appropriate routing rules on
fw1, it started working:

SERVER1 + FW1
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A OUTPUT -o tap+ -j ACCEPT

FW1:
route add -host 23.45.67.89  gw  12.34.56.1;
route add default gw 10.0.0.1

But it still doesn't work the way it should. It looks like a problem
with UDP packets, which somehow refuse to go through the tunnel. ICMP and TCP
work fine. Since UDP doesn't work, DNS etc. of course doesn't work either. Where
could the snag still be?

In any case, thanks for the advice. ;-)

rajo
 
> > On Fri, Dec 31, 2004 at 09:34:11AM +0100, Ing. Jan ONDREJ wrote:
> > > > I have a local network 192.168.0.0/16 that is connected through a firewall/router
> > > > (let's call it FW1) to the internet. FW1 has 2 network cards, eth0 and eth1.
> > > > eth0 is the external interface with address 12.34.56.78; the internal interface has
> > > > IP 192.168.0.1.
> > > > 
> > > > On the internet there is another server (let's call it SERVER1), which
> > > > has only one network card, eth0, and the IP address 23.45.67.89.
> > > > 
> > > > I have an encrypted OpenVPN tunnel running between FW1 and SERVER1. On FW1 the
> > > > tunnel interface tun0 has IP address 10.0.0.2; the tun0 interface on server
> > > > SERVER1 has IP 10.0.0.1. On both FW1 and SERVER1 I can ping both addresses
> > > > 10.0.0.1 and 10.0.0.2, so the OpenVPN tunnel works without problems.
> > [...snip...]
> > > > FW1:
> > > > ------------------------------------------%<------------------------------------------
> > > > root@fw1# route -n
> > > > Kernel IP routing table
> > > > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > > > 10.0.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
> > > > 12.34.56.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
> > > > 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> > > > 0.0.0.0         12.34.56.1      0.0.0.0         UG    0      0        0 eth0
> > > 
> > > Here you have to add a route to SERVER1 via the current gateway, and everything
> > > else via tun0.
> > > 
> > > route add -host 23.45.67.89 gw 12.34.56.1
> > > route add default gw 10.0.0.1
> > 
> > I tried these two commands and the routing table was as follows, but
> > the packets started getting lost somewhere:
> > 
> > --------------------------------------%<--------------------------------------
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 23.45.67.89     12.34.56.78     255.255.255.255 UGH   0      0        0 eth0
> > 10.0.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
> > 12.34.56.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
> > 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> > 0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 tun0
> > 0.0.0.0         12.34.56.1      0.0.0.0         UG    0      0        0 eth0
> > --------------------------------------%<--------------------------------------


-- 
Lubomir Host 'rajo' <rajo AT platon.sk>        ICQ #:  257322664
Platon Software Development Group              http://platon.sk/
http://www.gnu.org/philosophy/no-word-attachments.html
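The routing problem in this thread (moving the default route into the tunnel while keeping the tunnel's own endpoint reachable over the physical link) is easy to get wrong and easy to check mechanically. The following script is an added example by the editor, not code from the thread or from OpenVPN: it parses the `route -n` table quoted above (embedded as a constructed sample), resolves destinations by longest-prefix match, and flags the two mistakes visible in that table: the VPN endpoint being routed into the tunnel (which would swallow the tunnel's own transport packets) and two default routes with the same metric (one of which is silently unused). The tie-break rule in `lookup` (longer prefix, then lower metric, then table order) is this script's model, not a statement about a particular kernel; function names are the editor's own.

```python
"""Sanity checks for a routing table whose default route goes through an
OpenVPN tunnel: parse `route -n`, resolve destinations by longest-prefix
match, and flag the classic mistakes (tunnel endpoint routed into the
tunnel, duplicate default routes). Added example, not from the thread."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the FW1 `route -n` table quoted in the thread, embedded
# so the script runs offline. The addresses are the thread's own placeholders.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
23.45.67.89     12.34.56.78     255.255.255.255 UGH   0      0        0 eth0
10.0.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
12.34.56.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 tun0
0.0.0.0         12.34.56.1      0.0.0.0         UG    0      0        0 eth0
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None for directly connected
    iface: str
    metric: int


def parse_route_n(text: str) -> List[Route]:
    """Parse net-tools `route -n` output into Route records, keeping table order."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or not parts[0][0].isdigit():
            continue  # banner line and column header
        dest, gw, mask, _flags, metric, _ref, _use, iface = parts
        network = ipaddress.IPv4Network((dest, mask), strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw)
        routes.append(Route(network, gateway, iface, int(metric)))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins, then lowest metric; remaining ties keep table order
    (sorted() is stable). This is the script's model for ambiguous tables."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return sorted(matches, key=lambda r: (-r.network.prefixlen, r.metric))[0]


def tunnel_endpoint_ok(routes: List[Route], endpoint: str, tunnel_iface: str) -> bool:
    """The encrypted transport packets to the remote OpenVPN peer must leave via a
    physical interface. If the peer's address resolves to the tunnel interface
    itself, the tunnel swallows its own transport and dies once the default
    route is moved into it. This is exactly the host route the thread adds first."""
    r = lookup(routes, endpoint)
    return r is not None and r.iface != tunnel_iface


def duplicate_defaults(routes: List[Route]) -> List[Route]:
    """Default routes sharing the lowest metric. More than one means one of
    them is never used and the stale one should be deleted explicitly."""
    defaults = [r for r in routes if r.network.prefixlen == 0]
    if not defaults:
        return []
    best = min(r.metric for r in defaults)
    return [r for r in defaults if r.metric == best]


def report(text: str, endpoint: str, tunnel_iface: str) -> dict:
    """Summarise where key destinations would go and which checks fail."""
    routes = parse_route_n(text)
    dups = duplicate_defaults(routes)
    return {
        "endpoint_via": lookup(routes, endpoint).iface,
        "endpoint_ok": tunnel_endpoint_ok(routes, endpoint, tunnel_iface),
        "duplicate_default_ifaces": [r.iface for r in dups] if len(dups) > 1 else [],
        "lan_via": lookup(routes, "192.168.0.10").iface,        # constructed LAN host
        "internet_via": lookup(routes, "203.0.113.9").iface,    # TEST-NET-3 address
    }


if __name__ == "__main__":
    for key, value in report(ROUTE_N_OUTPUT, "23.45.67.89", "tun0").items():
        print(f"{key}: {value}")
```

Run against the quoted table, the report shows the endpoint correctly leaving via eth0 but two equal-metric default routes (tun0 and eth0); the stale eth0 default is what should be removed so that the tunnel one is the only candidate. The script can be pointed at a live `route -n` capture from any host that is about to have its default route moved into a VPN. Separately, the `-i tun+ -j ACCEPT` rules in the mail admit everything that arrives on the tunnel; once the routing is confirmed they can be narrowed to the addresses actually expected there (the tunnel endpoints and 192.168.0.0/16).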




More information about the linux mailing list