salut
se da un vps cu Openvpn:
Code:
root@vps ~ > ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
RX bytes:1295300 (1.2 MB) TX bytes:1295300 (1.2 MB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:127.0.0.2 P-t-P:127.0.0.2 Bcast:0.0.0.0 Mask:255.255.255.255
RX bytes:264275751 (264.2 MB) TX bytes:293221619 (293.2 MB)
venet0:0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:x.x.x.x P-t-P:x.x.x.x Bcast:x.x.x.255 Mask:255.255.255.0
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
se mai da un client local legat prin Openvpn la vps:
Code:
root@lunix:~# ifconfig
enp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.44 netmask 255.255.255.0 broadcast 192.168.0.255
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.6 netmask 255.255.255.255 destination 10.8.0.5
deci tunelul vpn e în picioare, merge. de pe vps pot da ping pe 10.8.0.6 (serverul local) si-l vede; si invers la fel
nu am reusit sa fac rutarea traficului de pe serverul local pe vps în ambele directii, inclusiv deschiderea porturilor pe vps înspre serverul local.
arhitectura ar fii cam asta:
Code:
| VPS |
(x.x.x. IP)| |10.8.0.6
{INTERNET}=============={venet0:0 tun0}=============<internal network 192.168.0.44
| \ / |
| +----------------------+ |
| | iptables and | |
| | routing engine | |
| +--+----------------+--+ |
| |*1 |*2 |
| (openvpn)-------{tun0} |
| 10.8.0.5 10.8.0.1 |
pe server am activat IP forwarding in /etc/sysctl.conf prin "net.ipv4.ip_forward = 1"
am încercat tot felul de reguli pentru iptables, dar nu am reusit.
cel mai logic ar fii:
Code:
# Allow traffic initiated from VPN to access LAN
iptables -I FORWARD -i tun0 -o venet0 -s 10.8.0.0/24 -d 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
# Allow traffic initiated from VPN to access "the world"
iptables -I FORWARD -i tun0 -o venet0:0 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
# Allow traffic initiated from LAN to access "the world"
iptables -I FORWARD -i venet0 -o venet0:0 -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
# Allow established traffic to pass back and forth
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Notice that -I is used, so when listing it (iptables -vxnL) it
# will be reversed. This is intentional in this demonstration.
# Masquerade traffic from VPN to "the world" -- done in the nat table
iptables -t nat -I POSTROUTING -o venet0:0 -s 10.8.0.0/24 -j MASQUERADE
# Masquerade traffic from LAN to "the world"
iptables -t nat -I POSTROUTING -o venet0:0 -s 192.168.0.0/24 -j MASQUERADE
dar nu vrea...
Cine ma poate "lumina"? dau o bere!
PS: ideea e ca in viitorul apropiat tot mai multi provideri de internet vor trece la ipv6 pentru clienţii lor, şi vor fii multe schimbări în reţelistica "schimbului de informaţii"