[MASOCH-L] Routing between 2 networks behind OpenVPN
Egberto Monteiro
egbertomonteiro at gmail.com
Wed Sep 1 16:49:19 -03 2010
I think you just slipped up by inverting the networks.
Take a look at this production example I have here:
#############
VPN Server:
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
xxx.xxx.xxx.128 0.0.0.0 255.255.255.128 U 0 0 0 eth0
192.168.9.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.8.0 10.0.0.2 255.255.255.0 UG 0 0 0 tun0
0.0.0.0 xxx.xxx.xxx.129 0.0.0.0 UG 0 0 0 eth0
ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:76:6e:a0:b0
inet addr:xxx.xxx.xxx.131 Bcast:xxx.xxx.xxx.255 Mask:255.255.255.128
inet6 addr: fe80::216:76ff:fe6e:a0b0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:833527056 errors:27 dropped:382 overruns:2 frame:0
TX packets:1152695383 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2674232040 (2.4 GiB) TX bytes:1800737225 (1.6 GiB)
Interrupt:21 Base address:0x1200
eth1 Link encap:Ethernet HWaddr 00:05:1c:12:f3:94
inet addr:192.168.9.1 Bcast:192.168.9.255 Mask:255.255.255.0
inet6 addr: fe80::205:1cff:fe12:f394/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:955921695 errors:0 dropped:0 overruns:0 frame:0
TX packets:552397828 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1813129448 (1.6 GiB) TX bytes:1722794680 (1.6 GiB)
Interrupt:17 Base address:0x1000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:33369 errors:0 dropped:0 overruns:0 frame:0
TX packets:33369 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:21555028 (20.5 MiB) TX bytes:21555028 (20.5 MiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.0.0.1 P-t-P:10.0.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:655125703 errors:0 dropped:0 overruns:0 frame:0
TX packets:1047791806 errors:0 dropped:137504 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:199429247 (190.1 MiB) TX bytes:1978168608 (1.8 GiB)
##############
VPN Client:
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
xxx.xxx.xxx.0 0.0.0.0 255.255.255.128 U 0 0 0 eth0
192.168.9.0 10.0.0.1 255.255.255.0 UG 0 0 0 tun0
192.168.8.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 10.0.0.1 0.0.0.0 UG 0 0 0 tun0
ifconfig
eth0 Link encap:Ethernet HWaddr 00:24:81:b3:d4:eb
inet addr:xxx.xxx.xxx.2 Bcast:xxx.xxx.xxx.127 Mask:255.255.255.128
inet6 addr: fe80::224:81ff:feb3:d4eb/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1050668475 errors:0 dropped:0 overruns:0 frame:0
TX packets:726501574 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:2175185864 (2.0 GiB) TX bytes:100730747 (96.0 MiB)
Memory:f0180000-f01a0000
eth1 Link encap:Ethernet HWaddr 00:60:08:ad:5c:a8
inet addr:192.168.8.1 Bcast:192.168.8.255 Mask:255.255.255.0
inet6 addr: fe80::260:8ff:fead:5ca8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:735896213 errors:0 dropped:0 overruns:0 frame:0
TX packets:1047928274 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1898847654 (1.7 GiB) TX bytes:294359726 (280.7 MiB)
Interrupt:20 Base address:0x1100
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:406255 errors:0 dropped:0 overruns:0 frame:0
TX packets:406255 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:50453105 (48.1 MiB) TX bytes:50453105 (48.1 MiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.0.0.2 P-t-P:10.0.0.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:1047648476 errors:0 dropped:0 overruns:0 frame:0
TX packets:725927171 errors:0 dropped:1554721 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1775638638 (1.6 GiB) TX bytes:3375087263 (3.1 GiB)
My networks are 192.168.8.0/24 on one side and 192.168.9.0/24 at the other
location; the VPN tunnel is 10.0.0.0 and the public networks are xxx.xxx.xxx.0/25 and
xxx.xxx.xxx.128/25.
Regards,
Egberto Monteiro
On 09/01/2010 03:52 PM, Marcio Merlone wrote:
> Colleagues,
>
> Forgive the length of the question and be charitable with this dunce who
> speaks to you and confesses his inability to route two networks over a VPN
> with OpenVPN 2.1.0-1ubuntu1.1. I need help making the two networks see
> each other over the VPN, that is, the ovpn client and server will have to
> route from one network to the other (not just the client and server, but
> the whole networks). Everyone involved is on distinct logical and
> geographic networks and (still) without iptables. In short:
>
> Server: 192.168.0.100/24 (Default GW = 192.168.0.254 = gw.dominio)
> Client: 10.1.0.1/16 (the VPN is established over the internet)
> Network for the VPN: 10.255.0.0/24
>
> Server.conf:
> port 1194
> proto udp
> dev tun
> ca ca.crt
> cert server.crt
> key server.key
> dh dh1024.pem
> server 10.255.0.0 255.255.255.0
> ifconfig-pool-persist ipp.txt
> client-config-dir ccd
> route 10.1.0.0 255.255.0.0
> route 10.255.0.0 255.255.0.0
> push "route 192.168.0.0 255.255.255.0"
> push "dhcp-option WINS 192.168.0.1"
> client-to-client
> keepalive 10 120
> tls-auth ta.key 0 # This file is secret
> comp-lzo
> user nobody
> group nogroup
> persist-key
> persist-tun
> status openvpn-status.log
> verb 3
> mute 20
> script-security 1 execve
>
> Client configuration in 'ccd\cliente':
> iroute 10.1.0.0 255.255.255.0
> ifconfig-push 10.255.0.2 10.255.0.1
>
> On the default gateway of the 192.168.0.0 network (192.168.0.254), a route
> to the 10.1.0.0 network via 192.168.0.100 was configured.
>
> This way, when I bring up the VPN, any machine on the 192.168.0.0/24
> network can ping the client 10.1.0.1, but not a machine on its network,
> for example 10.1.0.3 (which I know exists and has a fixed IP):
>
> root at desktop:~# traceroute 10.1.0.1
> traceroute to 10.1.0.1 (10.1.0.1), 30 hops max, 60 byte packets
> 1 gw.dominio (192.168.0.254) 0.409 ms 0.453 ms 0.548 ms
> 2 ovpn.dominio (192.168.0.100) 0.731 ms 0.758 ms 0.774 ms
> 3 10.1.0.1 (10.1.0.1) 21.512 ms 22.055 ms 22.730 ms
> root at desktop:~#
>
> root at desktop:~# traceroute 10.1.0.3
> traceroute to 10.1.0.3 (10.1.0.3), 30 hops max, 60 byte packets
> 1 gw.dominio (192.168.0.254) 0.422 ms 0.495 ms 0.589 ms
> 2 ovpn.dominio (192.168.0.100) 0.720 ms 0.759 ms 0.811 ms
> 3 10.255.0.2 (10.255.0.2) 21.766 ms 22.897 ms 23.498 ms
> 4 * * *
> 5 * * *
> 6 *^C
> root at desktop:~#
>
> What strikes me as odd is that the third hop is different. Once the VPN
> is established, the routing tables are:
>
> Server:
> root at ovpn:/etc/openvpn# route -n
> Tabela de Roteamento IP do Kernel
> Destino Roteador MáscaraGen. Opções Métrica Ref Uso Iface
> 10.255.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
> 10.255.0.0 10.255.0.2 255.255.255.0 UG 0 0 0 tun0
> 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3
> 10.1.0.0 10.255.0.2 255.255.0.0 UG 0 0 0 tun0
> 10.255.0.0 10.255.0.2 255.255.0.0 UG 0 0 0 tun0
> 0.0.0.0 192.168.0.254 0.0.0.0 UG 0 0 0 eth3
> root at ovpn:/etc/openvpn#
>
> Client:
> root at cliente:/etc/network# route -n
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 10.255.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
> 187.17.143.160 0.0.0.0 255.255.255.252 U 0 0 0 eth1
> 10.255.0.0 10.255.0.1 255.255.255.0 UG 0 0 0 tun0
> 192.168.0.0 10.255.0.1 255.255.255.0 UG 0 0 0 tun0
> 10.1.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
> 0.0.0.0 187.17.143.162 0.0.0.0 UG 100 0 0 eth1
> root at cliente:/etc/network#
>
> The question is: where am I dropping the ball?
>
> Thanks for any tip, rtfm, link, etc. Once I solve this, I will still have
> to add yet another client network and make the two see each other over
> the VPN...
>
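As an added illustration, not part of either message in this thread, here is a small Python consistency check of the kind a reader could run over the server.conf and ccd entry quoted above: it parses the `server`, `route` and `iroute` lines (constructed copies of the ones in the thread) and reports routes that have no exactly matching iroute in any ccd file, routes that cover the VPN pool itself, and iroutes that no route covers. It only flags inconsistencies between the directives; it does not claim to diagnose the problem described above.

```python
import ipaddress

# Constructed copies of the route-related lines from the server.conf and the
# ccd/cliente entry quoted in the thread (assumption: nothing else affects routing).
SERVER_CONF = """\
server 10.255.0.0 255.255.255.0
route 10.1.0.0 255.255.0.0
route 10.255.0.0 255.255.0.0
push "route 192.168.0.0 255.255.255.0"
"""
CCD_FILES = {"cliente": "iroute 10.1.0.0 255.255.255.0\nifconfig-push 10.255.0.2 10.255.0.1\n"}


def _nets(text, keyword):
    """Collect the networks declared by lines of the form '<keyword> <net> <mask>'."""
    nets = []
    for line in text.splitlines():
        parts = line.split("#")[0].split()  # drop trailing comments
        if len(parts) == 3 and parts[0] == keyword:
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets


def check_routes(server_conf, ccd_files):
    """Return a list of route/iroute inconsistencies found in the configuration."""
    findings = []
    pools = _nets(server_conf, "server")
    routes = _nets(server_conf, "route")
    iroutes = [(name, n) for name, text in ccd_files.items() for n in _nets(text, "iroute")]
    for r in routes:
        if any(r.overlaps(p) for p in pools):
            # The pool is already routed to tun0 by the 'server' directive.
            findings.append(f"route {r} covers the VPN pool itself (redundant)")
        elif not any(n == r for _, n in iroutes):
            near = [(name, n) for name, n in iroutes if n.subnet_of(r) or r.subnet_of(n)]
            for name, n in near:
                findings.append(f"route {r} has no exact iroute; ccd/{name} declares iroute {n} (mask mismatch)")
            if not near:
                findings.append(f"route {r} has no iroute in any ccd file")
    for name, n in iroutes:
        # Every iroute needs a kernel route that sends the subnet into tun0.
        if not any(n == r or n.subnet_of(r) for r in routes):
            findings.append(f"ccd/{name}: iroute {n} is not covered by any route in server.conf")
    return findings


if __name__ == "__main__":
    for finding in check_routes(SERVER_CONF, CCD_FILES):
        print(finding)
```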