I have ipnat running with a rule; maybe something needs to be added?
And the Windows server is on the 192.168.0.0/24 network while my FreeBSD box is on 192.168.1.0/24; is that normal?
Code:
map tun0 192.168.1.0/24 -> 84.x.x.x/32 portmap tcp/udp auto
map tun0 192.168.1.0/24 -> 84.x.x.x/32
ipfw
Code:
#!/bin/sh
ipfw="/sbin/ipfw"
LanOut="tun0"
NetOut="0/32"
IpOut="84.x.x.x"
LanIn1="re0"
LanIn2="fxp0"
LanBR="bridge0"
NetIn="192.168.1.0/24"
${ipfw} -f flush
${ipfw} -f pipe flush
${ipfw} -f queue flush
${ipfw} pipe 1 config bw 2150Kbit/s mask dst-ip 0xffffffff
${ipfw} pipe 2 config bw 750Kbit/s mask src-ip 0xffffffff
${ipfw} add 10 check-state
${ipfw} add 130 deny ip from any to ${IpOut} 21,22,135-139,443,445 via ${LanOut}
${ipfw} add 200 allow ip from any to any via lo0
${ipfw} add 210 deny ip from any to 127.0.0.0/8
${ipfw} add 220 deny ip from 127.0.0.0/8 to any
# NetIn -> LanOut
${ipfw} add 300 deny ip from ${NetIn} to any in via ${LanOut}
${ipfw} add 420 deny ip from any to 192.168.0.0/16 in via ${LanOut}
${ipfw} add 440 deny ip from any to 224.0.0.0/4 in via ${LanOut}
${ipfw} add 450 deny ip from any to 240.0.0.0/4 in via ${LanOut}
${ipfw} add 460 deny ip from any to 0.0.0.0/8 in via ${LanOut}
${ipfw} add 510 deny icmp from any to 255.255.255.255 via ${LanOut}
${ipfw} add 520 deny icmp from any to any frag
${ipfw} add 620 deny ip from 192.168.0.0/16 to any out via ${LanOut}
${ipfw} add 640 deny ip from 224.0.0.0/4 to any out via ${LanOut}
${ipfw} add 650 deny ip from 240.0.0.0/4 to any out via ${LanOut}
${ipfw} add 660 deny ip from 0.0.0.0/8 to any out via ${LanOut}
${ipfw} add 662 allow ip from any to ${NetIn} iplen 0-500 src-port 80
${ipfw} add 663 allow ip from any to ${NetIn} tcpflags ack iplen 0-128
${ipfw} add 665 pipe 1 ip from not ${NetIn} to ${NetIn} out
${ipfw} add 667 pipe 2 ip from ${NetIn} to not me in
${ipfw} add 670 allow icmp from any to any icmptypes 0,8,11
${ipfw} add 1000 allow tcp from any to any established
${ipfw} add 1200 allow ip from any to any via ${LanIn1}
${ipfw} add 1210 allow ip from any to any via ${LanOut}
${ipfw} add 1220 allow ip from ${NetIn} to ${NetIn} via ${LanBR}
${ipfw} add 1230 allow ip from any to any via ${LanIn2}
${ipfw} add 65535 deny ip from any to any
And here is the full client log.
As I understand it, some certificate check isn't passing, right?
Code:
Mon Nov 30 16:37:35 2009 Restart pause, 2 second(s)
Mon Nov 30 16:37:37 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Nov 30 16:37:37 2009 Re-using SSL/TLS context
Mon Nov 30 16:37:37 2009 LZO compression initialized
Mon Nov 30 16:37:37 2009 Control Channel MTU parms [ L:1538 D:162 EF:62 EB:0 ET:0 EL:0 ]
Mon Nov 30 16:37:37 2009 Data Channel MTU parms [ L:1538 D:1450 EF:38 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Nov 30 16:37:37 2009 Local Options hash (VER=V4): '03fa487d'
Mon Nov 30 16:37:37 2009 Expected Remote Options hash (VER=V4): '1056bce3'
Mon Nov 30 16:37:37 2009 UDPv4 link local (bound): [undef]:4000
Mon Nov 30 16:37:37 2009 UDPv4 link remote: 84.42.28.194:4000
Mon Nov 30 16:37:37 2009 TLS: Initial packet from 84.42.28.194:4000, sid=10edfc58 fdefe2f2
Mon Nov 30 16:37:37 2009 VERIFY OK: depth=1, /C=KG/ST=NA/L=BISHKEK/O=SERVER/OU=SERVER/CN=SERVER/emailAddress=me@myhost.mydomain
Mon Nov 30 16:37:37 2009 VERIFY nsCertType ERROR: /C=KG/ST=NA/O=SERVER/OU=SERVER/CN=SERVER/emailAddress=me@myhost.mydomain, require nsCertType=CLIENT
Mon Nov 30 16:37:37 2009 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Nov 30 16:37:37 2009 TLS Error: TLS object -> incoming plaintext read error
Mon Nov 30 16:37:37 2009 TLS Error: TLS handshake failed
Mon Nov 30 16:37:37 2009 TCP/UDP: Closing socket
Mon Nov 30 16:37:37 2009 SIGUSR1[soft,tls-error] received, process restarting
Mon Nov 30 16:37:37 2009 Restart pause, 2 second(s)
ifconfig
Code:
re0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=3898<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
ether 00:21:91:d4:d8:c2
inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
media: Ethernet 1000baseTX <full-duplex>
status: active
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:50:ba:00:7c:be
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
ether 00:90:27:e0:11:2e
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
media: Ethernet 100baseTX <full-duplex>
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether d6:6b:2e:ad:74:3c
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: fxp0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 3 priority 128 path cost 55
member: re0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 1 priority 128 path cost 55
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
inet 84.x.x.x --> 84.x.x.x netmask 0xffffffff
Opened by PID 448
tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
inet 10.10.200.1 --> 10.10.200.2 netmask 0xffffffff
Opened by PID 2530
... Hallowed be Thy name and Thy extension, O Lord...
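To make the client log above easier to read, here is a small log analyser. It is an added example and not something from the post or from OpenVPN itself; it only parses the quoted lines (a trimmed copy is embedded as a constructed sample) and maps the `VERIFY nsCertType ERROR` / `SSL3_GET_SERVER_CERTIFICATE` combination to the configuration problem it indicates: the client is demanding `nsCertType=CLIENT` from the peer, and the peer is the server's certificate. The function and class names (`analyze_openvpn_log`, `HandshakeReport`) are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the relevant lines of the client log quoted in the post above.
SAMPLE_LOG = """\
Mon Nov 30 16:37:37 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Nov 30 16:37:37 2009 UDPv4 link remote: 84.42.28.194:4000
Mon Nov 30 16:37:37 2009 VERIFY OK: depth=1, /C=KG/ST=NA/L=BISHKEK/O=SERVER/OU=SERVER/CN=SERVER/emailAddress=me@myhost.mydomain
Mon Nov 30 16:37:37 2009 VERIFY nsCertType ERROR: /C=KG/ST=NA/O=SERVER/OU=SERVER/CN=SERVER/emailAddress=me@myhost.mydomain, require nsCertType=CLIENT
Mon Nov 30 16:37:37 2009 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Nov 30 16:37:37 2009 TLS Error: TLS handshake failed
Mon Nov 30 16:37:37 2009 SIGUSR1[soft,tls-error] received, process restarting
"""

# OpenVPN 2.x prefixes every line with a ctime-style timestamp; strip it first.
TS_RE = re.compile(r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} (?P<msg>.*)$")
VERIFY_OK_RE = re.compile(r"^VERIFY OK: depth=(?P<depth>\d+), (?P<subject>\S+)$")
NSCERT_RE = re.compile(
    r"^VERIFY nsCertType ERROR: (?P<subject>\S+?), require nsCertType=(?P<required>\w+)$")


@dataclass
class HandshakeReport:
    verified_ok: List[Tuple[int, str]] = field(default_factory=list)  # (depth, subject DN)
    nscert_subject: Optional[str] = None     # peer cert that failed the nsCertType check
    nscert_required: Optional[str] = None    # CLIENT or SERVER, as demanded by local config
    peer_cert_is_server: bool = False        # the cert being verified was the server's
    no_server_verification_warning: bool = False
    handshake_failed: bool = False

    def diagnosis(self) -> str:
        """Map the observed lines to the configuration problem they indicate."""
        if self.nscert_required == "CLIENT" and self.peer_cert_is_server:
            return ("client config demands nsCertType=CLIENT on the server's certificate; "
                    "the check applies to the peer, so a client should use "
                    "'ns-cert-type server' (or 'remote-cert-tls server')")
        if self.nscert_required:
            return (f"peer certificate {self.nscert_subject!r} is not marked "
                    f"nsCertType={self.nscert_required}; reissue it with that extension")
        if self.handshake_failed:
            return "TLS handshake failed for a reason other than nsCertType"
        return "no TLS verification problem seen"


def analyze_openvpn_log(text: str) -> HandshakeReport:
    """Scan an OpenVPN client log and collect the certificate-verification facts."""
    report = HandshakeReport()
    for raw in text.splitlines():
        m = TS_RE.match(raw)
        msg = m["msg"] if m else raw
        ok = VERIFY_OK_RE.match(msg)
        if ok:
            report.verified_ok.append((int(ok["depth"]), ok["subject"]))
            continue
        ns = NSCERT_RE.match(msg)
        if ns:
            report.nscert_subject = ns["subject"]
            report.nscert_required = ns["required"]
            continue
        if "SSL3_GET_SERVER_CERTIFICATE" in msg:
            report.peer_cert_is_server = True
        elif msg.startswith("WARNING: No server certificate verification method"):
            report.no_server_verification_warning = True
        elif msg == "TLS Error: TLS handshake failed":
            report.handshake_failed = True
    return report


if __name__ == "__main__":
    rep = analyze_openvpn_log(SAMPLE_LOG)
    print("chain verified OK at depths:", [d for d, _ in rep.verified_ok])
    print("diagnosis:", rep.diagnosis())
```

Depth 1 passing while the peer certificate (depth 0) fails is the tell: the CA is trusted, the server certificate chains to it, and only the extra nsCertType requirement rejects it. The `WARNING: No server certificate verification method` line fits the same picture, since OpenVPN prints it when `ns-cert-type server` (or the equivalent) is absent on the client.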
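For the ipnat question at the top of the post, here is a checker that reads the `map` lines and reports which LAN subnets they actually cover, and which ipfw deny rules on the outside interface touch a given subnet. This is an added example, not code from the post, ipnat or ipfw; the sample rules are constructed copies of the post's lines with the masked `84.x.x.x` address swapped for an RFC 5737 documentation address and the shell variables already expanded. The assumption that the Windows server's 192.168.0.0/24 should be NATed alongside 192.168.1.0/24 is mine, as are the function names.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample: the two ipnat "map" lines from the post, with the masked public
# address "84.x.x.x" replaced by an RFC 5737 documentation address so they parse.
IPNAT_RULES = """\
map tun0 192.168.1.0/24 -> 203.0.113.10/32 portmap tcp/udp auto
map tun0 192.168.1.0/24 -> 203.0.113.10/32
"""

# Constructed sample: a few of the ipfw rules from the post with ${LanOut} and ${NetIn}
# already expanded (LanOut=tun0, NetIn=192.168.1.0/24), so no shell is needed.
IPFW_RULES = """\
add 300 deny ip from 192.168.1.0/24 to any in via tun0
add 420 deny ip from any to 192.168.0.0/16 in via tun0
add 620 deny ip from 192.168.0.0/16 to any out via tun0
add 1210 allow ip from any to any via tun0
"""

MAP_RE = re.compile(r"^\s*map\s+(?P<iface>\S+)\s+(?P<src>\S+)\s*->\s*(?P<dst>\S+)(?P<opts>.*)$")
IPFW_RE = re.compile(
    r"^\s*add\s+(?P<num>\d+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+from\s+(?P<src>\S+)"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<dir>in|out))?\s+via\s+(?P<iface>\S+)\s*$")


def _net(token: str) -> Optional[ipaddress.IPv4Network]:
    """'any' becomes None (wildcard); everything else must be an address or CIDR."""
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_ipnat(text: str) -> List[dict]:
    """Parse ipnat 'map' rules into dicts with the fields the checks below need."""
    rules = []
    for line in text.splitlines():
        m = MAP_RE.match(line)
        if m:
            rules.append({"iface": m["iface"], "src": _net(m["src"]), "dst": _net(m["dst"]),
                          "portmap": "portmap" in m["opts"]})
    return rules


def parse_ipfw(text: str) -> List[dict]:
    """Parse the simple 'add N action proto from X to Y [in|out] via IF' rule shape."""
    rules = []
    for line in text.splitlines():
        m = IPFW_RE.match(line)
        if m:
            rules.append({"num": int(m["num"]), "action": m["action"], "src": _net(m["src"]),
                          "dst": _net(m["dst"]), "dir": m["dir"], "iface": m["iface"]})
    return rules


def nat_coverage(nat_rules: List[dict], subnets: List[str], iface: str) -> Tuple[List[str], List[str]]:
    """Split subnets into those matched by some 'map' on iface and those no rule translates."""
    covered, uncovered = [], []
    for s in subnets:
        net = ipaddress.ip_network(s)
        hit = any(r["iface"] == iface and (r["src"] is None or net.subnet_of(r["src"]))
                  for r in nat_rules)
        (covered if hit else uncovered).append(s)
    return covered, uncovered


def deny_rules_touching(fw_rules: List[dict], subnet: str, iface: str) -> List[int]:
    """Numbers of deny rules on iface whose explicit src or dst overlaps subnet (for review)."""
    net = ipaddress.ip_network(subnet)
    hits = []
    for r in fw_rules:
        if r["action"] != "deny" or r["iface"] != iface:
            continue
        if any(side is not None and net.overlaps(side) for side in (r["src"], r["dst"])):
            hits.append(r["num"])
    return hits


if __name__ == "__main__":
    nat = parse_ipnat(IPNAT_RULES)
    covered, uncovered = nat_coverage(nat, ["192.168.1.0/24", "192.168.0.0/24"], "tun0")
    print("NATed on tun0:", covered, "| no map rule:", uncovered)
    fw = parse_ipfw(IPFW_RULES)
    print("deny rules on tun0 touching 192.168.0.0/24:", deny_rules_touching(fw, "192.168.0.0/24", "tun0"))
```

Run as-is it reports that only 192.168.1.0/24 has a `map` rule, and that rules 420 and 620 (the RFC 1918 anti-spoofing denies on tun0) overlap the 192.168.0.0/24 range, which is the first thing to look at if traffic for the Windows server's subnet is expected to leave through this box rather than only inside the tunnel.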