Desconexão cliente OpenVPN

1. Desconexão cliente OpenVPN

Daniel Tomm
At0mix

(usa Debian)

Enviado em 05/11/2014 - 10:48h

Olá pessoal do VOL.
Estou há alguns dias enfrentando o problema de desconexão do cliente VPN.
O cliente conecta normalmente e, após um determinado tempo, ele desconecta (aproximadamente os 120 segundos do keepalive) e não reconecta automaticamente. Se reiniciar o cliente, ele volta normalmente. Testei diversas configurações e não estou encontrando o problema.
Fico grato se alguém tiver algo para contribuir. Obrigado!

Meu ambiente:

Minha Empresa:
FW: Eth0: 192.168.1.0/24
Eth1: 192.168.2.0/24

Serv VPN:
Eth0: 192.168.2.40/24
Tun0: 10.254.0.1/24



Script Firewall
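#!/bin/bash
# Edge firewall / Internet gateway.
#
# Topology (from the environment described above):
#   eth0 (WAN_IF)  - upstream side, 192.168.1.0/24
#   eth1 (LAN_IF)  - internal LAN, 192.168.2.0/24
#   OpenVPN server - 192.168.2.40 on the LAN, reached from outside via DNAT
#
# Must run as root. Rules are applied one by one and a failing command does
# not stop the script (no `set -e`), as in the original; read the output when
# testing a change.
#
# Fixes relative to the original: the shebang was `#!bin/bash` (a relative
# path, so the script could not be executed directly); the unconditional
# `-j LOG` is now rate-limited; duplicated rules are listed once.

readonly WAN_IF=eth0
readonly LAN_IF=eth1
readonly LAN_NET=192.168.2.0/24
readonly LAN_GW_IP=192.168.2.1    # LAN-side address used by the "VPN test" DNAT below
readonly VPN_SERVER=192.168.2.40
readonly VPN_PORT=5001
readonly PROXY_PORT=3128

# Flush existing rules and user-defined chains in every table we touch.
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F
iptables -X
iptables -t mangle -F

# Load the netfilter modules the rules below rely on. A module that is already
# loaded, or that this kernel does not have under this name, only produces a
# modprobe message; the script carries on as the original did.
for mod in ip_tables iptable_nat ip_conntrack iptable_mangle iptable_filter \
  ipt_LOG ipt_limit ipt_state ipt_REDIRECT ipt_owner ipt_REJECT \
  ipt_MASQUERADE ip_conntrack_ftp ip_nat_ftp ip_nat_pptp ip_conntrack_pptp \
  pptp; do
  modprobe "$mod"
done
# ipt_unclean is intentionally not loaded (it was already commented out).

# Enable IPv4 forwarding between interfaces.
echo "1" > /proc/sys/net/ipv4/ip_forward

# VPN test: traffic sent to the gateway's own LAN address on the VPN port is
# redirected to the VPN server (lets LAN hosts exercise the port forward).
iptables -t nat -A PREROUTING -d "$LAN_GW_IP" -p tcp --dport "$VPN_PORT" -j DNAT --to "$VPN_SERVER"
iptables -t nat -A PREROUTING -d "$LAN_GW_IP" -p udp --dport "$VPN_PORT" -j DNAT --to "$VPN_SERVER"

# Internet sharing: masquerade everything leaving through the WAN interface
# and allow the LAN network to be forwarded.
iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
iptables -A FORWARD -s "$LAN_NET" -j ACCEPT

# Replies to connections this host opened, and related traffic (FTP data,
# ICMP errors), are accepted first so they are neither logged nor re-checked
# against the per-port rules. The final verdicts are the same as before; only
# the amount of logging changes.
iptables -A INPUT -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log the remaining inbound packets. The original logged every INPUT packet
# with no limit, which lets any remote sender fill syslog/the disk; the rule
# is rate-limited (ipt_limit is loaded above) and tagged so entries are easy
# to find.
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw-input: "

# Transparent proxy: HTTP from the LAN on 80 and 8080 is redirected to Squid.
iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-port "$PROXY_PORT"
iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 8080 -j REDIRECT --to-port "$PROXY_PORT"

# Services accepted on this host. These rules carry no -i/-s match, so they
# apply to the WAN interface as well: SSH, RDP (3389), 3350, Squid and Webmin
# are all reachable from the Internet. Restricting the management ports with
# `-i "$LAN_IF"` or `-s "$LAN_NET"` is the usual hardening here.
iptables -A INPUT -p tcp --dport "$VPN_PORT" -j ACCEPT   # VPN port
iptables -A INPUT -p udp --dport "$VPN_PORT" -j ACCEPT   # VPN port
iptables -A INPUT -p tcp --dport 22 -j ACCEPT            # SSH
iptables -A INPUT -p tcp --dport 3389 -j ACCEPT          # remote access (RDP)
iptables -A INPUT -p udp --dport 3389 -j ACCEPT          # remote access (RDP)
iptables -A INPUT -p tcp --dport 3350 -j ACCEPT          # remote desktop
iptables -A INPUT -p udp --dport 3350 -j ACCEPT          # remote desktop
iptables -A INPUT -p tcp --dport "$PROXY_PORT" -j ACCEPT # Squid
iptables -A INPUT -p tcp --dport 10000 -j ACCEPT         # Webmin (the original also had a `--state NEW` copy; it is a subset of this rule)

# FORWARD matches on the *source* port: any remote host can choose source
# port 5001, so these restrict nothing, and with the FORWARD policy set to
# ACCEPT below they are redundant. Kept once each for parity with the original.
iptables -A FORWARD -p tcp --sport "$VPN_PORT" -j ACCEPT
iptables -A FORWARD -p udp --sport "$VPN_PORT" -j ACCEPT

# Port forward from the Internet to the VPN server. Only UDP is forwarded,
# which matches `proto udp` in server.conf.
iptables -t nat -A PREROUTING -i "$WAN_IF" -p udp --dport "$VPN_PORT" -j DNAT --to "$VPN_SERVER"
#iptables -t nat -A PREROUTING -i "$WAN_IF" -p udp --dport 1816 -j DNAT --to "$VPN_SERVER"  # (disabled) keepalive forward to the VPN server

# LAN hosts: allow Squid and, in fact, everything coming from the LAN network.
iptables -A INPUT -p tcp --dport "$PROXY_PORT" -s "$LAN_NET" -j ACCEPT
iptables -A INPUT -s "$LAN_NET" -j ACCEPT

# Everything else arriving on the WAN interface is dropped. Packets arriving
# on eth1 or lo that matched nothing above fall through to the INPUT chain
# policy, which this script never sets (it keeps whatever value it had).
iptables -A INPUT -i "$WAN_IF" -j DROP
iptables -A OUTPUT -o "$WAN_IF" -j ACCEPT
iptables -P FORWARD ACCEPT

exit 0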


######################################################################################################

Script Servidor VPN

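#!/bin/bash
# Firewall/NAT script for the OpenVPN server host.
#
# Topology (from the environment described above):
#   eth0 (LAN_IF)  - 192.168.2.40/24, the company LAN
#   tun0 (VPN_IF)  - 10.254.0.1/24, the OpenVPN tunnel
#
# Every chain policy is set to ACCEPT, so this script filters nothing: its
# real effect is enabling IP forwarding and masquerading VPN client traffic
# that leaves through eth0. The explicit ACCEPT rules are no-ops under an
# ACCEPT policy and are kept only to document the intended flows; a DROP
# policy on INPUT/FORWARD plus a conntrack ESTABLISHED,RELATED rule is the
# hardening step this host currently lacks.
#
# Must run as root. A failing command does not stop the script (as in the
# original); read the output when testing.
#
# Fixes relative to the original: policies were set (and "Politicas Aplicadas"
# printed) twice, the same tun0/port rules were both appended and inserted,
# and the no-NAT exemption was appended after the MASQUERADE rule, where it
# could never match.

readonly LAN_IF=eth0
readonly VPN_IF=tun0
readonly VPN_NET=10.254.0.0/24
readonly VPN_PORT=5001
# Destination network exempted from masquerading. NOTE(review): 192.168.0.0/24
# is not one of the networks listed in the environment above (the LAN is
# 192.168.2.0/24) - confirm which network was meant.
readonly NO_NAT_NET=192.168.0.0/24

# Flush existing rules and user-defined chains.
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F
iptables -X
iptables -t mangle -F

# Load the netfilter modules; a missing or already-loaded module only prints
# a modprobe message and the script carries on.
for mod in ip_tables iptable_nat ip_conntrack iptable_mangle iptable_filter \
  ipt_LOG ipt_limit ipt_state ipt_REDIRECT ipt_owner ipt_REJECT \
  ipt_MASQUERADE ip_conntrack_ftp ip_nat_ftp ip_nat_pptp ip_conntrack_pptp \
  pptp; do
  modprobe "$mod"
done

# Default policies: accept everything in every chain (set once).
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
echo "Politicas Aplicadas"

##### VPN rules ######

# Route between the tunnel and the LAN.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Accept the OpenVPN port and all traffic on the tunnel interface. The two
# FORWARD rules cover every flow the original listed separately
# (tun0<->tun0, tun0<->eth0, -s VPN_NET, ESTABLISHED eth0->tun0).
iptables -A INPUT -p tcp --dport "$VPN_PORT" -j ACCEPT
iptables -A INPUT -p udp --dport "$VPN_PORT" -j ACCEPT
iptables -A INPUT -i "$VPN_IF" -j ACCEPT
iptables -A OUTPUT -o "$VPN_IF" -j ACCEPT
iptables -A FORWARD -i "$VPN_IF" -j ACCEPT
iptables -A FORWARD -o "$VPN_IF" -j ACCEPT
echo "Rede VPN ativada"

# NAT. Order matters in POSTROUTING: the exemption (ACCEPT = leave the
# source address untouched) must precede the MASQUERADE rules, otherwise the
# packet is already translated before it is evaluated.
iptables -t nat -A POSTROUTING -s "$VPN_NET" -d "$NO_NAT_NET" -j ACCEPT
# NOTE(review): the environment lists only eth0 and tun0 on this host, so the
# eth1 rule presumably never matches - confirm whether eth1 exists.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# VPN clients leaving through the LAN interface appear as this host.
iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$LAN_IF" -j MASQUERADE

exit 0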

######################################################################################################

server.conf - VPN
# OpenVPN server configuration.

# Bind to this host's LAN address (Eth0 in the environment above).
local 192.168.2.40
# UDP on 5001: matches the firewall's Internet-facing DNAT, which forwards
# UDP 5001 only, so a TCP client would never reach this server.
proto udp
port 5001
dev tun
# Tunnel subnet; this line also installs the 10.254.0.0/24 route on the
# server and on every client.
server 10.254.0.0 255.255.255.0
# NOTE(review): this pushes the tunnel subnet itself, which clients already
# receive from the `server` line. If clients are supposed to reach the
# 192.168.2.0/24 LAN, that is the network that would need to be pushed -
# confirm intent.
push "route 10.254.0.0 255.255.255.0"
# NOTE(review): netmask 255.0.0.0 does not match the /24 tunnel subnet (looks
# like a typo for 255.255.255.0), and the `server` line already creates this
# route - confirm whether it is needed at all.
route 10.254.0.0 255.0.0.0 #Roteamento do cliente
comp-lzo
# Ping the peer every 5 s and restart the session after 120 s with no traffic
# from it. client.conf below repeats the same keepalive; the server-side
# keepalive already pushes ping settings to clients, so the client copy is
# presumably redundant - confirm which side actually times out after 120 s.
keepalive 5 120
# Let a client's source address/port change mid-session (e.g. after a NAT
# rebinding) without dropping it.
float
max-clients 100
# Keep key material and the tun device across ping-restart reconnects.
persist-key
persist-tun
log-append /var/log/openvpn.log
cipher AES-128-CBC
verb 3
# NOTE(review): 1024-bit DH parameters are below current recommendations
# (2048-bit or larger); regenerating the dh file is a low-cost hardening step.
dh /etc/openvpn/keys/dh1024.pem
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key

# Periodic status dump (connected clients, routing table).
status /var/log/openvpn.stats

######################################################################################################
client.conf

# OpenVPN client configuration (key paths are relative to the config directory).

# `client` already implies `pull` and `tls-client`, so those two lines further
# down are redundant but harmless.
client
dev tun
# Must match the server: UDP on 5001, reached through the firewall's DNAT.
proto udp
remote remoto.dyndns.com
port 5001
pull
comp-lzo
# Keep key material and the tun device across ping-restart reconnects.
persist-key
persist-tun
# Require the server certificate to carry the server usage extension, so a
# client certificate cannot be used to impersonate the server.
remote-cert-tls server
# NOTE(review): duplicates the server's `keepalive 5 120`, whose ping settings
# are pushed to clients anyway - confirm which side drops the session.
keepalive 5 120
tls-client
cipher AES-128-CBC
ca keys/ca.crt
cert keys/teste3.crt
key keys/teste3.key
# NOTE(review): dh is a TLS-server option; a client in tls-client mode does not
# use it (OpenVPN warns and ignores it) - it can be removed.
dh keys/dh1024.pem
# route-method/route-delay only take effect on Windows clients; presumably
# this profile is for a Windows machine - confirm.
route-method exe
route-delay 2
verb 3





  





