OpenVPN - Installation and configuration
This article shows how to set up a site-to-site VPN between two networks. All of the configurations used were done in both a test and a production environment.
Part 6: Creating the routes and opening the ports at the headquarters and the branch
Creating the routes
To add the route to the branch network, run the following command from the headquarters server:
# ip route add 10.2.40.0/24 dev tun0 via 10.2.60.2
To add the route to the headquarters network, run the following command from the branch server:
# ip route add 10.2.30.0/24 dev tun0 via 10.2.60.1
Now just test it: try pinging a machine on the branch LAN from a machine on the headquarters LAN. Remember also that the whole sequence of commands above has to go into your distro's rc.local, so that the routes are restored whenever the operating system boots.
Opening UDP ports 5000 and 1194 at the headquarters
In the iptables rules on the headquarters server, add the rules below to allow UDP traffic on ports 5000 and 1194.
Note: authorize only the IP address of the branch server.
#########################################
# Public IP of the branch (filial) server; only this peer is authorized
FILIAL=200.201.202.203
# ANSI escape prefix used by the colored echo below (assumed here; the
# original script defines COLOR elsewhere)
COLOR=$(printf '\033')
### Opening ports 5000 and 1194
##########################################################
############### Opening OPENVPN access ####################
###########################################################
echo ""
echo "$COLOR[44;37m Liberando Acesso OPENVPN$COLOR[0m"
echo ""
# Accept all traffic arriving on, or forwarded from, the tunnel interfaces
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
# UDP 5000 to/from the branch IP, in every chain and in both directions
iptables -A FORWARD -p udp -d $FILIAL --dport 5000 -j ACCEPT
iptables -A FORWARD -p udp -s $FILIAL --dport 5000 -j ACCEPT
iptables -A FORWARD -p udp -d $FILIAL --sport 5000 -j ACCEPT
iptables -A FORWARD -p udp -s $FILIAL --sport 5000 -j ACCEPT
iptables -A INPUT -p udp -d $FILIAL --dport 5000 -j ACCEPT
iptables -A INPUT -p udp -s $FILIAL --dport 5000 -j ACCEPT
iptables -A INPUT -p udp -d $FILIAL --sport 5000 -j ACCEPT
iptables -A INPUT -p udp -s $FILIAL --sport 5000 -j ACCEPT
iptables -A OUTPUT -p udp -d $FILIAL --dport 5000 -j ACCEPT
iptables -A OUTPUT -p udp -s $FILIAL --dport 5000 -j ACCEPT
iptables -A OUTPUT -p udp -d $FILIAL --sport 5000 -j ACCEPT
iptables -A OUTPUT -p udp -s $FILIAL --sport 5000 -j ACCEPT
# UDP 1194 (the OpenVPN port) to/from the branch IP, same pattern
iptables -A FORWARD -p udp -d $FILIAL --dport 1194 -j ACCEPT
iptables -A FORWARD -p udp -s $FILIAL --dport 1194 -j ACCEPT
iptables -A FORWARD -p udp -d $FILIAL --sport 1194 -j ACCEPT
iptables -A FORWARD -p udp -s $FILIAL --sport 1194 -j ACCEPT
iptables -A INPUT -p udp -d $FILIAL --dport 1194 -j ACCEPT
iptables -A INPUT -p udp -s $FILIAL --dport 1194 -j ACCEPT
iptables -A INPUT -p udp -d $FILIAL --sport 1194 -j ACCEPT
iptables -A INPUT -p udp -s $FILIAL --sport 1194 -j ACCEPT
iptables -A OUTPUT -p udp -d $FILIAL --dport 1194 -j ACCEPT
iptables -A OUTPUT -p udp -s $FILIAL --dport 1194 -j ACCEPT
iptables -A OUTPUT -p udp -d $FILIAL --sport 1194 -j ACCEPT
iptables -A OUTPUT -p udp -s $FILIAL --sport 1194 -j ACCEPT
Opening UDP ports 5000 and 1194 at the branch
This rule set goes on the branch server and allows only the IP address of the headquarters server:
# Public IP of the headquarters (matriz) server; only this peer is authorized
MATRIZ=200.201.202.200
# ANSI escape prefix used by the colored echo below (assumed here; the
# original script defines COLOR elsewhere)
COLOR=$(printf '\033')
### Opening UDP ports 5000 and 1194
##########################################################
############### Opening OPENVPN access ####################
###########################################################
echo ""
echo "$COLOR[44;37m Liberando Acesso OPENVPN$COLOR[0m"
echo ""
# Accept all traffic arriving on, or forwarded from, the tunnel interfaces
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
# UDP 5000 to/from the headquarters IP, in every chain and in both directions
iptables -A FORWARD -p udp -d $MATRIZ --dport 5000 -j ACCEPT
iptables -A FORWARD -p udp -s $MATRIZ --dport 5000 -j ACCEPT
iptables -A FORWARD -p udp -d $MATRIZ --sport 5000 -j ACCEPT
iptables -A FORWARD -p udp -s $MATRIZ --sport 5000 -j ACCEPT
iptables -A INPUT -p udp -d $MATRIZ --dport 5000 -j ACCEPT
iptables -A INPUT -p udp -s $MATRIZ --dport 5000 -j ACCEPT
iptables -A INPUT -p udp -d $MATRIZ --sport 5000 -j ACCEPT
iptables -A INPUT -p udp -s $MATRIZ --sport 5000 -j ACCEPT
iptables -A OUTPUT -p udp -d $MATRIZ --dport 5000 -j ACCEPT
iptables -A OUTPUT -p udp -s $MATRIZ --dport 5000 -j ACCEPT
iptables -A OUTPUT -p udp -d $MATRIZ --sport 5000 -j ACCEPT
iptables -A OUTPUT -p udp -s $MATRIZ --sport 5000 -j ACCEPT
# UDP 1194 (the OpenVPN port) to/from the headquarters IP, same pattern
iptables -A FORWARD -p udp -d $MATRIZ --dport 1194 -j ACCEPT
iptables -A FORWARD -p udp -s $MATRIZ --dport 1194 -j ACCEPT
iptables -A FORWARD -p udp -d $MATRIZ --sport 1194 -j ACCEPT
iptables -A FORWARD -p udp -s $MATRIZ --sport 1194 -j ACCEPT
iptables -A INPUT -p udp -d $MATRIZ --dport 1194 -j ACCEPT
iptables -A INPUT -p udp -s $MATRIZ --dport 1194 -j ACCEPT
iptables -A INPUT -p udp -d $MATRIZ --sport 1194 -j ACCEPT
iptables -A INPUT -p udp -s $MATRIZ --sport 1194 -j ACCEPT
iptables -A OUTPUT -p udp -d $MATRIZ --dport 1194 -j ACCEPT
iptables -A OUTPUT -p udp -s $MATRIZ --dport 1194 -j ACCEPT
iptables -A OUTPUT -p udp -d $MATRIZ --sport 1194 -j ACCEPT
iptables -A OUTPUT -p udp -s $MATRIZ --sport 1194 -j ACCEPT
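The two steps above (the tunnel routes and the peer-restricted iptables rules) as one script that can safely be re-run from rc.local. This is an added example, not the article's own script: it assumes the addresses used throughout the article (tun 10.2.60.1/10.2.60.2, LANs 10.2.30.0/24 and 10.2.40.0/24, public IPs 200.201.202.200/203) and OpenVPN on UDP 1194, uses `ip route replace` so a re-run after an OpenVPN restart does not fail on an existing route, checks with `iptables -C` before appending so repeated runs do not stack duplicate rules, and narrows the rules to the peer IP and the two LANs. `DRY_RUN=1` prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not the article's script. Assumed values: matriz tun IP
# 10.2.60.1, filial tun IP 10.2.60.2, LANs 10.2.30.0/24 (matriz) and
# 10.2.40.0/24 (filial), OpenVPN on UDP 1194; port 5000 works the same way.
# DRY_RUN=1 prints each command instead of executing it (no root needed).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Route to the remote LAN through the tunnel. "replace" rather than "add"
# lets the script re-run after an OpenVPN restart without "File exists".
vpn_route() {  # vpn_route <remote LAN cidr> <peer tun IP> [tun device]
    run ip route replace "$1" via "$2" dev "${3:-tun0}"
}

# Append a rule only when -C says it is not already present, so running
# rc.local again does not stack duplicate ACCEPT rules in the chain.
fw_rule() {  # fw_rule <chain> <match and target...>
    chain=$1; shift
    if [ "${DRY_RUN:-0}" = "1" ] || ! iptables -C "$chain" "$@" 2>/dev/null; then
        run iptables -A "$chain" "$@"
    fi
}

# Peer-restricted rule set: only the other site's public IP may reach the
# OpenVPN port, replies are matched by conntrack, and forwarding is limited
# to traffic between the two LANs instead of "anything from tun+".
vpn_firewall() {  # vpn_firewall <peer public IP> <udp port> <local LAN> <remote LAN>
    peer=$1; port=$2; lan=$3; rlan=$4
    fw_rule INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    fw_rule INPUT   -p udp -s "$peer" --dport "$port" -j ACCEPT
    fw_rule OUTPUT  -p udp -d "$peer" --dport "$port" -j ACCEPT
    fw_rule FORWARD -i tun+ -s "$rlan" -d "$lan" -j ACCEPT
    fw_rule FORWARD -o tun+ -s "$lan" -d "$rlan" -j ACCEPT
}

# Headquarters (matriz) side; on the branch (filial) swap the arguments:
# vpn_route 10.2.30.0/24 10.2.60.1 and vpn_firewall 200.201.202.200 ...
main() {
    vpn_route 10.2.40.0/24 10.2.60.2 tun0
    vpn_firewall 200.201.202.203 1194 10.2.30.0/24 10.2.40.0/24
}
case "${1:-}" in --apply) main ;; esac
```

Run it as `DRY_RUN=1 sh vpn-site.sh --apply` first to review the exact commands, then without DRY_RUN as root from rc.local or an OpenVPN up script.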
I use OpenVPN at some clients to link headquarters and branch, and it's great! I really liked your tip about automatic routing; I had already noticed that when OpenVPN restarted it lost the routes, and afterwards I would run a script to recreate the route again! With your tip I won't need to anymore!
Congratulations!