trrunde, posted 28 December 2012 (edited)

I have set up a new server that I planned to run OpenVPN on. I installed CentOS 6.3 and followed a guide I found on the internet: http://library.linod...penvpn/centos-6

The VPN comes up without problems and I can ping the VPN server, but as soon as I added push "redirect-gateway def1" so that all traffic is routed over the VPN tunnel, I can no longer get online. I have contact with the VPN server, but that is all. I assume it is an iptables rule or an IPv4 forwarding setting I have forgotten, but by now I have gone blind staring at the setup.

openvpn server.conf:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.10.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.10.10.0 255.255.255.0"
client-config-dir ccd
route 10.11.12.0 255.255.255.0
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
mute 5

Client config:

client
dev tun
proto udp
remote *.*.*.* 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert pfsense.crt
key pfsense.key
ns-cert-type server
comp-lzo
;mute 20

Iptables:

[trrunde@web openvpn]$ sudo iptables-save
[sudo] password for trrunde:
# Generated by iptables-save v1.4.7 on Fri Dec 28 15:53:15 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1335:160766]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A INPUT -s IPADRESSEN MIN/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.10.10.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.10.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Dec 28 15:53:15 2012
# Generated by iptables-save v1.4.7 on Fri Dec 28 15:53:15 2012
*nat
:PREROUTING ACCEPT [571:36871]
:POSTROUTING ACCEPT [300:20674]
:OUTPUT ACCEPT [300:20674]
-A POSTROUTING -s 10.10.10.0/24 -j SNAT --to-source IPADRESSE PÅ VPN SERVER
COMMIT
# Completed on Fri Dec 28 15:53:15 2012
[trrunde@web openvpn]$

sysctl.conf:

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

# Controls the default maximum size of a message queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296

ccd/pfsense config:

ifconfig-push 10.10.10.10 10.10.10.1
iroute 10.11.12.0 255.255.255.0
push "redirect-gateway def1"

Edit: Found the error... it was an iptables rule that was slightly misplaced:

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

Edited 28 December 2012 by trrunde
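The fix the poster found comes down to iptables' first-match semantics: the unconditional REJECT sat at the top of the FORWARD chain, so the RELATED,ESTABLISHED and 10.10.10.0/24 ACCEPT rules below it were never reached and every packet the VPN client tried to send through the tunnel was rejected with icmp-host-prohibited. The Python below is an added illustration, not code from the post or from any project: it parses the FORWARD rules exactly as posted with a minimal first-match evaluator and replays constructed sample packets against both the posted order and an assumed corrected order (the REJECT moved below the ACCEPT rules; the poster does not say exactly where it ended up). The packet addresses are constructed from documentation ranges.

```python
"""First-match walk over an iptables FORWARD chain (added illustration)."""
import ipaddress
import shlex

# The FORWARD rules in the order they appear in the posted iptables-save output.
POSTED_FORWARD = [
    "-A FORWARD -j REJECT --reject-with icmp-host-prohibited",
    "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD -s 10.10.10.0/24 -j ACCEPT",
    "-A FORWARD -j REJECT --reject-with icmp-port-unreachable",
]

# Assumed corrected order: the stray REJECT moved after the ACCEPT rules.
FIXED_FORWARD = [
    "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD -s 10.10.10.0/24 -j ACCEPT",
    "-A FORWARD -j REJECT --reject-with icmp-host-prohibited",
    "-A FORWARD -j REJECT --reject-with icmp-port-unreachable",
]


def parse_rule(line):
    """Parse the subset of iptables-save syntax used in the post into a dict.

    Supported: -A <chain>, -s <cidr>, -m state --state <list>, -j <target>,
    --reject-with <type>. Anything else raises so silent mis-parses cannot
    make a rule look more permissive than it is.
    """
    toks = shlex.split(line)
    rule = {"src": None, "states": None, "target": None, "reject_with": None}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok in ("-A", "-m"):          # chain name / match-extension name
            i += 2
        elif tok == "-s":
            rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
            i += 2
        elif tok == "--state":
            rule["states"] = set(toks[i + 1].split(","))
            i += 2
        elif tok == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        elif tok == "--reject-with":
            rule["reject_with"] = toks[i + 1]
            i += 2
        else:
            raise ValueError(f"unsupported token {tok!r} in {line!r}")
    return rule


def matches(rule, pkt):
    """True when every match clause present in the rule applies to pkt."""
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["states"] is not None and pkt["state"] not in rule["states"]:
        return False
    return True


def evaluate(chain_lines, pkt, policy="ACCEPT"):
    """Return (verdict, index of the rule that decided) under first-match rules.

    The chain policy (ACCEPT for FORWARD in the post) only applies when no
    rule matched; with an unconditional REJECT present it is never reached.
    """
    for idx, line in enumerate(chain_lines):
        rule = parse_rule(line)
        if matches(rule, pkt):
            return rule["target"], idx
    return policy, None


# Constructed samples (conntrack state is what the 'state' match would see).
NEW_FROM_CLIENT = {"src": "10.10.10.10", "dst": "203.0.113.10", "state": "NEW"}
REPLY_TO_CLIENT = {"src": "203.0.113.10", "dst": "10.10.10.10", "state": "ESTABLISHED"}
NEW_FROM_ELSEWHERE = {"src": "192.0.2.5", "dst": "10.10.10.10", "state": "NEW"}

if __name__ == "__main__":
    samples = [("new from VPN client", NEW_FROM_CLIENT),
               ("reply to VPN client", REPLY_TO_CLIENT),
               ("new from elsewhere", NEW_FROM_ELSEWHERE)]
    for chain_name, chain in (("posted", POSTED_FORWARD), ("fixed", FIXED_FORWARD)):
        for label, pkt in samples:
            verdict, idx = evaluate(chain, pkt)
            print(f"{chain_name:6} {label:20} -> {verdict} (rule {idx})")
```

Run as-is it prints that the posted chain rejects all three packets at rule 0, which is exactly the "I can reach the VPN server but nothing else" symptom: the server itself answers via INPUT, whose REJECT is correctly last, while forwarded traffic never gets past the first FORWARD rule. With the REJECT moved down, the client's new outbound flow and the returning replies are accepted and only the unrelated flow is rejected. The same check is worth running on a real box with `iptables -L FORWARD -v --line-numbers` after any `iptables -I` (insert at top) call, since inserting rather than appending is the usual way such a rule lands at the head of a chain.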