OpenVPN - servidor ubuntu - cliente IOS -

1. OpenVPN - servidor ubuntu - cliente IOS -

Paulo Ventura
pw44

(usa KUbuntu)

Enviado em 11/08/2020 - 16:49h

Ola colegas.

tenho o openvpn instado e não consigo faze-lo funcionar corretamente.

A intenção é que todo o trafego seja encapsulado no tunel e o que for para a rede local (do servidor) possa ser acessado como se na mesma rede e o que for para fora da mesma forma, ou seja, o vpn servindo como extensão da minha rede local.

Mas não funciona corretamente - leva muito tempo para resolver, não resolve os internos, os extenos funcionam.

ambiente: servidor: ubuntu server 18.04 lts, openvpn OpenVPN 2.4.4
cliente: ios (iphone) com openvpn client

servidor:


management localhost 1196 /etc/openvpn/server/management-password
dev tun
proto udp
port 1194
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
tls-crypt /etc/openvpn/server/tc.key
crl-verify /etc/openvpn/server/crl.pem
ecdh-curve secp384r1
topology subnet
server 10.30.30.0 255.255.255.0
push "route 192.168.80.0 255.255.255.0"
;push "redirect-gateway local def1 bypass-dhcp"
push "redirect-gateway local def1"
push "remote-gateway vpn_server_ip"
push "dhcp-option DNS 192.168.80.4"
push "dhcp-option DOMAIN wollny.com.br"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
cipher AES-256-CBC
auth SHA512
;compress lz4-v2
;push "compress lz4-v2"
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
;log-append /var/log/openvpn.log
explicit-exit-notify 1
;syslog
verb 5


cliente:

client
dev tun
proto udp
remote myserver.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
auth SHA512
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-crypt>



iptables como abaixo:


cat /lib/systemd/system/openvpn-iptables.service
[Unit]
Before=network.target
[Service]
Type=oneshot


ExecStart=/sbin/iptables -A INPUT -i enp2s0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
ExecStart=/sbin/iptables -A INPUT -i tun+ -j ACCEPT
ExecStart=/sbin/iptables -A FORWARD -i tun+ -j ACCEPT
ExecStart=/sbin/iptables -A FORWARD -i tun+ -o enp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStart=/sbin/iptables -A FORWARD -i tun+ -o enp2s0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ExecStart=/sbin/iptables -A FORWARD -i enp2s0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStart=/sbin/iptables -A FORWARD -i enp2s0 -o tun+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ExecStart=/sbin/iptables -A FORWARD -i tun+ -s 10.30.30.0/24 -d 0.0.0.0/0 -j ACCEPT
ExecStart=/sbin/iptables -A FORWARD -i tun+ -s 10.30.30.0/24 -d 0.0.0.0/0 -m conntrack --ctstate NEW -j ACCEPT
ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.30.30.0/24 -o enp2s0 -j MASQUERADE
ExecStart=/sbin/iptables -A OUTPUT -o tun+ -j ACCEPT




ExecStop=/sbin/iptables -D INPUT -i enp2s0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
ExecStop=/sbin/iptables -D INPUT -i tun+ -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -i tun+ -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -i tun+ -o enp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -i tun+ -o enp2s0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -i enp2s0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -i enp2s0 -o tun+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -i tun+ -s 10.30.30.0/24 -d 0.0.0.0/0 -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -i tun+ -s 10.30.30.0/24 -d 0.0.0.0/0 -m conntrack --ctstate NEW -j ACCEPT
ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.30.30.0/24 -o enp2s0 -j MASQUERADE
ExecStop=/sbin/iptables -D OUTPUT -o tun+ -j ACCEPT

RemainAfterExit=yes
[Install]
WantedBy=multi-user.target



alguem com mais experiencia pode ajudar a resolver isto?

Agradeço antecipado.


  






Patrocínio

Site hospedado pelo provedor RedeHost.
Linux banner
Linux banner
Linux banner

Destaques

Artigos

Dicas

Tópicos

Top 10 do mês

Scripts