Chcę ot tunelować cały lokalny ruch sieciowy i połączenie OpneVPN. Mam serwer Ubuntu skonfigurowany w Internecie (i działa z mojego laptopa) i teraz próbuję skonfigurować Raspberry, aby przejął cały ruch na eth0 i tunelował go przez eth1.
Nie mogę go jednak uruchomić. Spodziewałem się, że w ifconfig będzie mniej więcej „tun0”, ale nie ma:
pi@raspberrypi ~ $ ifconfig
eth0 Link encap:Ethernet HWaddr b8:27:eb:63:05:18
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1974 errors:0 dropped:0 overruns:0 frame:0
TX packets:159 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:130750 (127.6 KiB) TX bytes:9302 (9.0 KiB)
eth1 Link encap:Ethernet HWaddr 00:0e:c6:fa:85:06
inet addr:192.168.0.252 Bcast:192.168.15.255 Mask:255.255.240.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:46828 errors:0 dropped:1006 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4085487 (3.8 MiB) TX bytes:761137 (743.2 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:150 errors:0 dropped:0 overruns:0 frame:0
TX packets:150 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:10495 (10.2 KiB) TX bytes:10495 (10.2 KiB)
Dodałem następujące zasady do iptables (i przyjęcia samouczka)
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -m comment --comment "Use VPN IP for eth0"
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE -m comment --comment "Use VPN IP for tun0"
sudo iptables -A FORWARD -s192.168.0.0/24 -i eth1 -o eth0 -m conntrack --ctstate NEW -j REJECT -m comment --comment "Block traffic from clients to eth0"
sudo iptables -A FORWARD -s192.168.0.0/24 -i eth1 -o tun0 -m conntrack --ctstate NEW -j ACCEPT -m comment --comment "Allow only traffic from clients to tun0"
Ale przy braku tun0 chyba nic nie przekieruje. Ponadto, podczas gdy połączenie internetowe działa na RPi, nie przechodzi ono przez tunel, ale bezpośrednio do Internetu.
Wreszcie jest to mój plik konfiguracyjny dla openVPN (z usuniętymi certyfikatami na końcu):
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
#ifconfig 10.8.0.2 10.8.0.1
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote xxx.xxx.xxx.xxx 1194
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
#ca ca.crt
#cert client.crt
#key client.key
# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
Oto elementy dziennika w syslog:
Apr 12 16:06:26 raspberrypi ovpn-server[3279]: OpenVPN 2.2.1 arm-linux-gnueabihf [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec 1 2014
Apr 12 16:06:26 raspberrypi ovpn-server[3279]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Apr 12 16:06:26 raspberrypi ovpn-server[3279]: LZO compression initialized
Apr 12 16:06:26 raspberrypi ovpn-server[3279]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Apr 12 16:06:26 raspberrypi ovpn-server[3279]: Socket Buffers: R=[163840->131072] S=[163840->131072]
Apr 12 16:06:26 raspberrypi ovpn-server[3279]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Apr 12 16:06:26 raspberrypi ovpn-server[3279]: Local Options hash (VER=V4): '41690919'
Apr 12 16:06:26 raspberrypi ovpn-server[3279]: Expected Remote Options hash (VER=V4): '530fdded'
Apr 12 16:06:26 raspberrypi ovpn-server[3280]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Apr 12 16:06:26 raspberrypi ovpn-server[3280]: UDPv4 link local: [undef]
Apr 12 16:06:26 raspberrypi ovpn-server[3280]: UDPv4 link remote: [AF_INET]185.27.174.62:1194
Apr 12 16:06:26 raspberrypi ovpn-server[3280]: TLS: Initial packet from [AF_INET]185.27.174.62:1194, sid=9bf9a964 2f78ece0
Apr 12 16:06:26 raspberrypi ovpn-server[3280]: VERIFY OK: depth=1, /C=IE/ST=KE/L=xxx/O=xxx/OU=IT/CN=VPN_tunnel_cert/name=server/emailAddress=xxx
Apr 12 16:06:26 raspberrypi ovpn-server[3280]: VERIFY OK: nsCertType=SERVER
Apr 12 16:06:26 raspberrypi ovpn-server[3280]: VERIFY OK: depth=0, /C=IE/ST=KE/L=xxx/O=xxx/OU=IT/CN=server/name=server/emailAddress=xxx
Apr 12 16:07:26 raspberrypi ovpn-server[3280]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr 12 16:07:26 raspberrypi ovpn-server[3280]: TLS Error: TLS handshake failed
Apr 12 16:07:26 raspberrypi ovpn-server[3280]: TCP/UDP: Closing socket
Apr 12 16:07:26 raspberrypi ovpn-server[3280]: SIGUSR1[soft,tls-error] received, process restarting
Apr 12 16:07:26 raspberrypi ovpn-server[3280]: Restart pause, 2 second(s)
Apr 12 16:07:28 raspberrypi ovpn-server[3280]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Apr 12 16:07:28 raspberrypi ovpn-server[3280]: Re-using SSL/TLS context
Apr 12 16:07:28 raspberrypi ovpn-server[3280]: LZO compression initialized
Apr 12 16:07:28 raspberrypi ovpn-server[3280]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Apr 12 16:07:28 raspberrypi ovpn-server[3280]: Socket Buffers: R=[163840->131072] S=[163840->131072]
Apr 12 16:07:28 raspberrypi ovpn-server[3280]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Apr 12 16:07:28 raspberrypi ovpn-server[3280]: Local Options hash (VER=V4): '41690919'
Apr 12 16:07:28 raspberrypi ovpn-server[3280]: Expected Remote Options hash (VER=V4): '530fdded'
Apr 12 16:07:28 raspberrypi ovpn-server[3280]: UDPv4 link local: [undef]
Apr 12 16:07:28 raspberrypi ovpn-server[3280]: UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Apr 12 16:07:28 raspberrypi ovpn-server[3280]: TLS: Initial packet from [AF_INET]185.27.174.62:1194, sid=d2b65489 e5492d4d
Apr 12 16:07:28 raspberrypi ovpn-server[3280]: VERIFY OK: depth=1, /C=IE/ST=KE/L=xxx/O=xxx/OU=IT/CN=VPN_tunnel_cert/name=server/emailAddress=xxx
Apr 12 16:07:28 raspberrypi ovpn-server[3280]: VERIFY OK: nsCertType=SERVER
Apr 12 16:07:28 raspberrypi ovpn-server[3280]: VERIFY OK: depth=0, /C=IE/ST=KE/L=xxx/O=xxx/OU=IT/CN=server/name=server/emailAddress=xxx
Ok, uruchomiłem ponownie i teraz otrzymuję odpowiedź, gdy zaktualizowałem post. Wygląda na to, że występuje problem z uzgadnianiem TLS.
—
Luuk D. Jansen,
Ok, wystąpił problem z certyfikatem, użyłem innego (mojego laptopa) i zadziałało.
—
Luuk D. Jansen
verb 3.