hi

given: a VPS with OpenVPN:

Code:
root@vps ~ > ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          RX bytes:1295300 (1.2 MB)  TX bytes:1295300 (1.2 MB)


tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:127.0.0.2  P-t-P:127.0.0.2  Bcast:0.0.0.0  Mask:255.255.255.255
          RX bytes:264275751 (264.2 MB)  TX bytes:293221619 (293.2 MB)


venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:x.x.x.x  P-t-P:x.x.x.x  Bcast:x.x.x.255  Mask:255.255.255.0
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
and a local client connected to the VPS through OpenVPN:

Code:
root@lunix:~# ifconfig
enp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.44  netmask 255.255.255.0  broadcast 192.168.0.255


lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0


tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.6  netmask 255.255.255.255  destination 10.8.0.5
so the VPN tunnel is up and working. From the VPS I can ping 10.8.0.6 (the local server) and it sees it; and the same the other way round.

I haven't managed to route the traffic from the local server through the VPS in both directions, including opening ports on the VPS towards the local server.

the architecture would be roughly this:

Code:
                         |            VPS                 |
              (x.x.x. IP)|                                |10.8.0.6
 {INTERNET}=============={venet0:0                    tun0}=============<internal network 192.168.0.44
                         |   \                        /   |
                         |    +----------------------+    |
                         |    | iptables and         |    |
                         |    | routing engine       |    |
                         |    +--+----------------+--+    |
                         |       |*1              |*2     |
                         |     (openvpn)-------{tun0}     |
                         |      10.8.0.5      10.8.0.1    |
on the server I enabled IP forwarding in /etc/sysctl.conf with "net.ipv4.ip_forward = 1"
I tried all kinds of iptables rules, but didn't manage.
the most logical would be:

Code:
# Allow traffic initiated from VPN to access LAN
iptables -I FORWARD -i tun0 -o venet0 -s 10.8.0.0/24 -d 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

# Allow traffic initiated from VPN to access "the world"
iptables -I FORWARD -i tun0 -o venet0:0 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

# Allow traffic initiated from LAN to access "the world"
iptables -I FORWARD -i venet0 -o venet0:0 -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

# Allow established traffic to pass back and forth
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Notice that -I is used, so when listing it (iptables -vxnL) it
# will be reversed.  This is intentional in this demonstration.

# Masquerade traffic from VPN to "the world" -- done in the nat table
iptables -t nat -I POSTROUTING -o venet0:0 -s 10.8.0.0/24 -j MASQUERADE

# Masquerade traffic from LAN to "the world"
iptables -t nat -I POSTROUTING -o venet0:0 -s 192.168.0.0/24 -j MASQUERADE

but it won't...

Who can "enlighten" me? I'll buy a beer!


PS: the idea is that in the near future more and more internet providers will switch to IPv6 for their customers, and there will be many changes in the networking of the "information exchange"
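A rule set for the layout in the post (client out through the VPS, and VPS ports published onto the local server), as an added example that is not part of the original post or any reply. It assumes the public device is venet0 (venet0:0 is only an ifconfig alias, not a device iptables can match on), the VPN subnet is 10.8.0.0/24, the local server is 10.8.0.6 and the VPS tunnel end is 10.8.0.1; port 2222 is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the post). Assumed values, override via environment:
WAN_IF="${WAN_IF:-venet0}"          # the real device; "venet0:0" is only an alias of it
VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
CLIENT="${CLIENT:-10.8.0.6}"        # the local server's tunnel address
VPS_TUN="${VPS_TUN:-10.8.0.1}"      # the VPS end of the tunnel

# iptables only matches real devices: a name with ':' (an ifconfig alias) never matches.
iface_ok() {
    case "$1" in *:*) return 1 ;; *) return 0 ;; esac
}

# ipt: print the command (DRY_RUN=1, the default) or really apply it (DRY_RUN=0),
# so the rule set can be reviewed before it touches a live firewall.
ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# Direction 1: client -> internet through the VPS public address.
vpn_base_rules() {
    iface_ok "$WAN_IF" || { echo "refusing alias '$WAN_IF', use the base device" >&2; return 1; }
    ipt -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" -m conntrack --ctstate NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Direction 2: internet -> client. Publish PORT of the VPS public IP onto the local server.
forward_port() {
    proto="$1"; port="$2"
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport "$port" -j DNAT --to-destination "$CLIENT:$port"
    ipt -A FORWARD -i "$WAN_IF" -o "$VPN_IF" -p "$proto" -d "$CLIENT" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    # SNAT the forwarded flow to the VPS tunnel address: the client then answers through
    # tun0 instead of its LAN default gateway, so no policy routing is needed on it.
    # Trade-off: the local server sees every forwarded connection as coming from the VPS tunnel IP.
    ipt -t nat -A POSTROUTING -o "$VPN_IF" -p "$proto" -d "$CLIENT" --dport "$port" -j SNAT --to-source "$VPS_TUN"
}

main() {
    [ "${DRY_RUN:-1}" = 1 ] || sysctl -w net.ipv4.ip_forward=1
    vpn_base_rules && forward_port tcp 2222   # 2222 is a constructed placeholder port
}
main
```

Run as-is to review the generated rules; run with DRY_RUN=0 as root to apply them. Reaching other hosts on 192.168.0.0/24 behind the client additionally needs the OpenVPN server to route that subnet through the tunnel (route plus a per-client iroute), which the rules above do not cover.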