New subject: {Disarmed} Re: jak nastavit openvpn server na debianu

6 Jan 2017

Ahoj,

snazim se nastavit openvpn server tak, abych pres nej mohl pristupovat 
dal do inernetu, ale nedari se mi to.
Sel jsem podle tohoto navodu:
https://blog.sslmarket.cz/ssl/nastaveni-openvpn-na-serveru-s-debian-8-jessi…

a podari se mi pres vpn dostat na server, ale dal uz ne (ani nepingnu). 
Predpokladam, ze je nejaky problem v nastaveni iptables, zkousel jsem i

|iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -j MASQUERADE|

i podle navodu z https://kb.vpsfree.cz/navody/server/openvpn

iptables -t nat -A POSTROUTING  -o venet0 -j SNAT --to x.x.x.x
|Diky za jakekoliv nakopnuti nebo upravu vpsfree navodu. Pavel Švojgr --- 
vypisy nastaveni ---- |

# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.8.0.0/24          anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# tail /var/log/syslog

Jan  6 16:35:09 svojgr ovpn-server[10656]: 188.122.208.66:37508 [swed] 
Peer Connection Initiated with [AF_INET]188.122.208.66:37508
Jan  6 16:35:09 svojgr ovpn-server[10656]: swed/188.122.208.66:37508 
MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Jan  6 16:35:09 svojgr ovpn-server[10656]: swed/188.122.208.66:37508 
MULTI: Learn: 10.8.0.6 -> swed/188.122.208.66:37508
Jan  6 16:35:09 svojgr ovpn-server[10656]: swed/188.122.208.66:37508 
MULTI: primary virtual IP for swed/188.122.208.66:37508: 10.8.0.6
Jan  6 16:35:11 svojgr ovpn-server[10656]: swed/188.122.208.66:37508 
PUSH: Received control message: 'PUSH_REQUEST'
Jan  6 16:35:11 svojgr ovpn-server[10656]: swed/188.122.208.66:37508 
send_push_reply(): safe_cap=940
Jan  6 16:35:11 svojgr ovpn-server[10656]: swed/188.122.208.66:37508 
SENT CONTROL [swed]: 'PUSH_REPLY,redirect-gateway def1,route 
10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 
10.8.0.5' (status=1)

# cat server.conf
mode server
port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key # privátní klíč serveru, nikam nepřenášet!
dh dh2048.pem

server 10.8.0.0 255.255.255.0

#push "redirect-gateway autolocal" #přesměrování všeho provozu do tunelu
push "redirect-gateway def1"
#push "dhcp-option DNS 217.31.204.130" #budete používat otevřené 
resolvery CZ.NICu
#push "dhcp-option DNS 193.29.206.206"

#tls-server
#tls-auth ta.key 0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
user nobody
group users
status openvpn-status.log
verb 3

# cat /etc/sysctl.conf |grep ip_forward
net.ipv4.ip_forward=1

# cat openvpn-status.log
OpenVPN CLIENT LIST
Updated,Fri Jan  6 16:42:17 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
swed,188.122.208.66:58268,75127,4993,Fri Jan  6 16:41:55 2017
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,swed,188.122.208.66:58268,Fri Jan  6 16:42:16 2017
GLOBAL STATS
Max bcast/mcast queue length,0
END

# iptables-save
# Generated by iptables-save v1.4.21 on Fri Jan  6 16:57:14 2017
*raw
:PREROUTING ACCEPT [198913:44347927]
:OUTPUT ACCEPT [177047:151548665]
COMMIT
# Completed on Fri Jan  6 16:57:14 2017
# Generated by iptables-save v1.4.21 on Fri Jan  6 16:57:14 2017
*nat
:PREROUTING ACCEPT [2998:172636]
:POSTROUTING ACCEPT [1398:83622]
:OUTPUT ACCEPT [1398:83622]
-A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
COMMIT
# Completed on Fri Jan  6 16:57:14 2017
# Generated by iptables-save v1.4.21 on Fri Jan  6 16:57:14 2017
*mangle
:PREROUTING ACCEPT [178768:43049496]
:INPUT ACCEPT [178768:43049496]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [177047:151548665]
:POSTROUTING ACCEPT [177047:151548665]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG 
FIN,SYN,RST,PSH,ACK,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG 
FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG 
FIN,SYN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG 
FIN,SYN,RST,ACK,URG -j DROP
-A PREROUTING -s 224.0.0.0/3 -j DROP
-A PREROUTING -s 169.254.0.0/16 -j DROP
-A PREROUTING -s 172.16.0.0/12 -j DROP
-A PREROUTING -s 192.0.2.0/24 -j DROP
-A PREROUTING -s 192.168.0.0/16 -j DROP
-A PREROUTING -s 10.0.0.0/8 -j DROP
-A PREROUTING -s 0.0.0.0/8 -j DROP
-A PREROUTING -s 240.0.0.0/5 -j DROP
-A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
-A PREROUTING -p icmp -j DROP
-A PREROUTING -f -j DROP
COMMIT
# Completed on Fri Jan  6 16:57:14 2017
# Generated by iptables-save v1.4.21 on Fri Jan  6 16:57:14 2017
*filter
:INPUT ACCEPT [8741:3756481]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7936:4515300]
COMMIT
# Completed on Fri Jan  6 16:57:14 2017