Чего есть:
"Сервер" на freebsd 6.2
На время тестирования упростил конфиг до минимума:
# OpenVPN, server side of a point-to-point tunnel in static (pre-shared) key mode.
# No "port"/"proto" is given, so OpenVPN's defaults apply (UDP 1194).
dev tun
# Local tunnel address 10.8.0.1, peer 10.8.0.2; the client configs mirror this pair.
ifconfig 10.8.0.1 10.8.0.2
# Shared secret: both ends must hold the same file; keep it readable by root only.
secret /usr/local/etc/openvpn/keys/static.key
# Privileges are dropped after startup.
# NOTE(review): without persist-key / persist-tun, a restart (SIGUSR1) usually
# cannot re-read the key or reopen tun0 as "nobody" — confirm before relying on it.
user nobody
group nobody
log /var/log/openvpn/openvpn.log
status /var/log/openvpn/openvpn-status.log
# Server-side ipfw rule: pass everything, in both directions, that crosses tun0.
# ${ipfw} is presumably the path to the ipfw binary, set by the surrounding
# firewall script that is not shown here — confirm it is defined before use.
${ipfw} add allow all from any to any via tun0
Клиенты. Клиентов вообще будет несколько, но пока экспериментирую с ними по очереди. Клиенты на freebsd, linux и, наверное, на венде.
Сначала о мелкой проблеме, которую догадываюсь как решить
Клиент с freebsd 6.2.
Конфиг:
# OpenVPN, FreeBSD client side of the same static-key point-to-point tunnel.
dev tun
# Server's public address; no "port"/"proto" given, so the defaults apply (UDP 1194).
remote 81.211.121.16
# Local tunnel address 10.8.0.2, peer 10.8.0.1 — the reverse of the server's pair.
ifconfig 10.8.0.2 10.8.0.1
# Must be the same key file as on the server; keep it readable by root only.
secret /usr/local/etc/openvpn/keys/static.key
# Privileges are dropped after startup.
# NOTE(review): without persist-key / persist-tun a SIGUSR1 restart is likely to
# fail as "nobody" — confirm.
user nobody
group nobody
log /var/log/openvpn/openvpn.log
status /var/log/openvpn/openvpn-status.log
Соединение поднимается:
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
Opened by PID 73592
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 81.211.121.1 UGS 0 319542 rl0
10.8.0.2 10.8.0.1 UH 0 4 tun0
81.211.121/24 link#2 UC 0 0 rl0
81.211.121.1 00:0f:a3:3e:32:51 UHLW 2 0 rl0 1015
127.0.0.1 127.0.0.1 UH 0 2 lo0
192.168.0 link#1 UC 0 0 ste0
192.168.0.12 00:18:f3:9e:40:da UHLW 1 204807 ste0 1014
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 87.237.119.1 UGS 0 24068724 rl0
10.8.0.1 10.8.0.2 UH 0 2 tun0
87.237.96/19 link#1 UC 0 0 rl0
87.237.112.10 00:13:7f:42:96:1a UHLW 1 9 rl0 1149
87.237.119.1 00:13:7f:42:96:1a UHLW 2 0 rl0 1197
127.0.0.1 127.0.0.1 UH 0 2363 lo0
192.168.0 link#2 UC 0 0 rl1
Проблема номер 2. Основная (ради нее столько букв написал). Линукс. Конфиг клиентский точно такой же, буква в букву.
Соединение проходит, в логах все нормально.
/sbin/ifconfig
tun0 Link encap:Point-to-Point Protocol
inet addr:10.8.0.2 P-t-P:10.8.0.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Маршрутизация:
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.8.0.1 * 255.255.255.255 UH 0 0 0 tun0
83.136.242.204 * 255.255.255.252 U 0 0 0 eth0
192.168.10.0 * 255.255.255.0 U 0 0 0 eth1
169.254.0.0 * 255.255.0.0 U 0 0 0 eth1
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 205.242.telrost 0.0.0.0 UG 0 0 0 eth0
[root@promhimservice olga]# ping 10.8.0.2
PING 10.8.0.2 (10.8.0.2) 56(84) bytes of data.
64 bytes from 10.8.0.2: icmp_seq=1 ttl=64 time=0.096 ms
64 bytes from 10.8.0.2: icmp_seq=2 ttl=64 time=0.058 ms
--- 10.8.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.058/0.077/0.096/0.019 ms
[root@promhimservice olga]# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
--- 10.8.0.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3018ms
# Generated by iptables-save v1.2.7a on Tue Mar 13 16:11:48 2007
# iptables-save dump from the Linux OpenVPN client. The mangle table holds no
# rules; everything relevant to the tunnel is in *filter below.
*mangle
:PREROUTING ACCEPT [144934:75620552]
:INPUT ACCEPT [135348:74305874]
:FORWARD ACCEPT [9586:1314678]
:OUTPUT ACCEPT [151527:87215494]
:POSTROUTING ACCEPT [161101:88529164]
COMMIT
# Completed on Tue Mar 13 16:11:48 2007
# Generated by iptables-save v1.2.7a on Tue Mar 13 16:11:48 2007
*filter
# Default policy is DROP on all three built-in chains: any packet not explicitly
# accepted below is dropped. The LOG rules at the end of each chain are
# non-terminating; they only record what is about to fall to the policy.
:INPUT DROP [155:10236]
:FORWARD DROP [0:0]
:OUTPUT DROP [12:1008]
:bad_packets - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_inbound - [0:0]
:tcp_outbound - [0:0]
:udp_inbound - [0:0]
:udp_outbound - [0:0]
# Inbound VPN traffic is accepted before bad_packets, so it skips the INVALID /
# TCP-flag checks applied to every other interface. (Trailing text after a rule
# is not a comment for iptables-restore; these markers were added for the post.)
-A INPUT -i tun0 -j ACCEPT # this rule
-A INPUT -i lo -j ACCEPT
-A INPUT -j bad_packets
-A INPUT -d 224.0.0.1 -j DROP
-A INPUT -s 192.168.10.0/255.255.255.0 -i eth1 -j ACCEPT
-A INPUT -d 192.168.10.255 -i eth1 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -j tcp_inbound
-A INPUT -i eth0 -p udp -j udp_inbound
-A INPUT -i eth0 -p icmp -j icmp_packets
-A INPUT -d 255.255.255.255 -j DROP
# LOG comes before the 1194 rule, so incoming OpenVPN datagrams are logged with
# an "a=DROP" prefix even though the next line accepts them. On a client the
# replies to its own UDP session already match the RELATED,ESTABLISHED rule for
# eth0 above, so this ACCEPT is presumably only needed if this host also listens.
-A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
# Forwarding from the tunnel is allowed unconditionally; LAN (eth1) traffic
# towards the tunnel is covered by the "-i eth1 -j ACCEPT" rule below.
-A FORWARD -i tun0 -j ACCEPT # this rule
-A FORWARD -j bad_packets
-A FORWARD -i eth1 -p tcp -j tcp_outbound
-A FORWARD -i eth1 -p udp -j udp_outbound
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
# OUTPUT: every ACCEPT matches lo, eth1, eth0 or a local source address; nothing
# matches "-o tun0". Locally generated packets routed via tun0 — e.g. the ping
# to 10.8.0.1 shown above — are therefore logged and dropped by the OUTPUT
# policy, which is consistent with "sendmsg: Operation not permitted" in the
# ping output. Likely fix: add `-A OUTPUT -o tun0 -j ACCEPT` next to the lo rule.
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.10.1 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "
# Shared sanity chain: log+drop conntrack-INVALID packets, then TCP flag checks.
-A bad_packets -m state --state INVALID -j LOG --log-prefix "fp=bad_packets:1 a=DROP "
-A bad_packets -m state --state INVALID -j DROP
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_packets -j RETURN
# LAN-side (eth1) TCP is exempt; elsewhere a NEW connection must start with a
# plain SYN, otherwise it is logged and dropped.
-A bad_tcp_packets -i eth1 -p tcp -j RETURN
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "fp=bad_tcp_packets:1 a=DROP "
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A bad_tcp_packets -p tcp -j RETURN
# Reached only for eth0: fragments are logged and dropped, echo requests (type 8)
# are dropped, time-exceeded (type 11) is accepted. Does not affect tun0, which
# was accepted earlier in INPUT.
-A icmp_packets -p icmp -f -j LOG --log-prefix "fp=icmp_packets:1 a=DROP "
-A icmp_packets -p icmp -f -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j RETURN
# Services exposed on eth0 (TCP): web, ftp, 1352, mail, ssh, 5000-5100.
-A tcp_inbound -p tcp -m tcp --dport 80 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 443 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 21 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --sport 20 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 1352 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 25 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 110 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 143 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 995 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 993 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 5000:5100 -j ACCEPT
-A tcp_inbound -p tcp -j RETURN
# All TCP/UDP forwarded from the LAN is allowed.
-A tcp_outbound -p tcp -j ACCEPT
# Services exposed on eth0 (UDP): NetBIOS name/datagram dropped, DNS accepted.
-A udp_inbound -p udp -m udp --dport 137 -j DROP
-A udp_inbound -p udp -m udp --dport 138 -j DROP
-A udp_inbound -p udp -m udp --dport 53 -j ACCEPT
-A udp_inbound -p udp -j RETURN
-A udp_outbound -p udp -j ACCEPT
COMMIT
# Completed on Tue Mar 13 16:11:48 2007
# Generated by iptables-save v1.2.7a on Tue Mar 13 16:11:48 2007
*nat
:PREROUTING ACCEPT [601:65037]
:POSTROUTING ACCEPT [10:840]
:OUTPUT ACCEPT [6335:384893]
# The redirect carries no "-i", so port-80 TCP arriving on any interface
# (eth1 and tun0 included) is sent to the local proxy on 3128.
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# Traffic leaving via eth0 is source-NATed to the public address.
-A POSTROUTING -o eth0 -j SNAT --to-source 83.136.242.206
COMMIT
# Completed on Tue Mar 13 16:11:48 2007