[vpsFree.cz: community-list] how to set up an OpenVPN server on Debian

Pavel Švojgr pavel at svojgr.com
Fri Jan 6 18:17:04 CET 2017


Hi,

I am trying to set up an OpenVPN server so that I can reach the internet
through it, but I cannot get it working.
I followed this guide:
https://blog.sslmarket.cz/ssl/nastaveni-openvpn-na-serveru-s-debian-8-jessie/

and I do manage to reach the server over the VPN, but nothing beyond it
(I cannot even ping). I assume the problem is somewhere in the iptables
configuration; I also tried

iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -j MASQUERADE

as well as the variant from the guide at https://kb.vpsfree.cz/navody/server/openvpn

iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to x.x.x.x

Thanks for any nudge in the right direction, or for a correction of the
vpsFree guide.

Pavel Švojgr

--- configuration dumps ----

# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.8.0.0/24          anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# tail /var/log/syslog

Jan  6 16:35:09 svojgr ovpn-server[10656]: 188.122.208.66:37508 [swed] Peer Connection Initiated with [AF_INET]188.122.208.66:37508
Jan  6 16:35:09 svojgr ovpn-server[10656]: swed/188.122.208.66:37508 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Jan  6 16:35:09 svojgr ovpn-server[10656]: swed/188.122.208.66:37508 MULTI: Learn: 10.8.0.6 -> swed/188.122.208.66:37508
Jan  6 16:35:09 svojgr ovpn-server[10656]: swed/188.122.208.66:37508 MULTI: primary virtual IP for swed/188.122.208.66:37508: 10.8.0.6
Jan  6 16:35:11 svojgr ovpn-server[10656]: swed/188.122.208.66:37508 PUSH: Received control message: 'PUSH_REQUEST'
Jan  6 16:35:11 svojgr ovpn-server[10656]: swed/188.122.208.66:37508 send_push_reply(): safe_cap=940
Jan  6 16:35:11 svojgr ovpn-server[10656]: swed/188.122.208.66:37508 SENT CONTROL [swed]: 'PUSH_REPLY,redirect-gateway def1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)

# cat server.conf
mode server
port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key # the server's private key, never copy it anywhere!
dh dh2048.pem

server 10.8.0.0 255.255.255.0

#push "redirect-gateway autolocal" # redirect all traffic into the tunnel
push "redirect-gateway def1"
#push "dhcp-option DNS 217.31.204.130" # you will be using CZ.NIC's open resolvers
#push "dhcp-option DNS 193.29.206.206"

#tls-server
#tls-auth ta.key 0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
user nobody
group users
status openvpn-status.log
verb 3


# cat /etc/sysctl.conf |grep ip_forward
net.ipv4.ip_forward=1

# cat openvpn-status.log
OpenVPN CLIENT LIST
Updated,Fri Jan  6 16:42:17 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
swed,188.122.208.66:58268,75127,4993,Fri Jan  6 16:41:55 2017
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,swed,188.122.208.66:58268,Fri Jan  6 16:42:16 2017
GLOBAL STATS
Max bcast/mcast queue length,0
END


# iptables-save
# Generated by iptables-save v1.4.21 on Fri Jan  6 16:57:14 2017
*raw
:PREROUTING ACCEPT [198913:44347927]
:OUTPUT ACCEPT [177047:151548665]
COMMIT
# Completed on Fri Jan  6 16:57:14 2017
# Generated by iptables-save v1.4.21 on Fri Jan  6 16:57:14 2017
*nat
:PREROUTING ACCEPT [2998:172636]
:POSTROUTING ACCEPT [1398:83622]
:OUTPUT ACCEPT [1398:83622]
-A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
COMMIT
# Completed on Fri Jan  6 16:57:14 2017
# Generated by iptables-save v1.4.21 on Fri Jan  6 16:57:14 2017
*mangle
:PREROUTING ACCEPT [178768:43049496]
:INPUT ACCEPT [178768:43049496]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [177047:151548665]
:POSTROUTING ACCEPT [177047:151548665]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A PREROUTING -s 224.0.0.0/3 -j DROP
-A PREROUTING -s 169.254.0.0/16 -j DROP
-A PREROUTING -s 172.16.0.0/12 -j DROP
-A PREROUTING -s 192.0.2.0/24 -j DROP
-A PREROUTING -s 192.168.0.0/16 -j DROP
-A PREROUTING -s 10.0.0.0/8 -j DROP
-A PREROUTING -s 0.0.0.0/8 -j DROP
-A PREROUTING -s 240.0.0.0/5 -j DROP
-A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
-A PREROUTING -p icmp -j DROP
-A PREROUTING -f -j DROP
COMMIT
# Completed on Fri Jan  6 16:57:14 2017
# Generated by iptables-save v1.4.21 on Fri Jan  6 16:57:14 2017
*filter
:INPUT ACCEPT [8741:3756481]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7936:4515300]
COMMIT
# Completed on Fri Jan  6 16:57:14 2017
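Added illustration, not part of Pavel's mail: a small Python check over an iptables-save dump (a condensed, constructed copy of the mangle table above) that lists PREROUTING DROP rules in the raw/mangle/nat tables that would match packets arriving from VPN clients on the tun interface, and therefore discard them before they ever reach FORWARD or the POSTROUTING MASQUERADE rule. The interface name tun0 and the client pool 10.8.0.0/24 are assumptions taken from the server.conf shown.

```python
import ipaddress
import shlex

# Constructed sample: the mangle table from the mail, condensed to the rules that matter here.
SAMPLE_DUMP = """\
*mangle
-A PREROUTING -s 192.168.0.0/16 -j DROP
-A PREROUTING -s 10.0.0.0/8 -j DROP
-A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
-A PREROUTING -p icmp -j DROP
COMMIT
"""

def parse_rules(dump):
    """Yield (table, chain, tokens, line) for every -A rule in an iptables-save dump."""
    table = None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            yield table, tokens[1], tokens[2:], line

def prerouting_drops_hitting_vpn(dump, vpn_net="10.8.0.0/24", tun_if="tun0"):
    """PREROUTING DROP rules (raw/mangle/nat) that match packets VPN clients send through
    tun_if; PREROUTING runs before FORWARD, so they discard client traffic before NAT."""
    vpn = ipaddress.ip_network(vpn_net)
    hits = []
    for table, chain, toks, line in parse_rules(dump):
        if chain != "PREROUTING" or "-j" not in toks or toks[toks.index("-j") + 1] != "DROP":
            continue
        src = proto = in_if = None
        negated_if = False
        for i, tok in enumerate(toks):
            if tok == "-s":
                src = ipaddress.ip_network(toks[i + 1], strict=False)
            elif tok == "-p":
                proto = toks[i + 1]
            elif tok == "-i":
                in_if, negated_if = toks[i + 1], (i > 0 and toks[i - 1] == "!")
        # An interface match that can never apply to the tun interface rules the rule out.
        if in_if is not None and (in_if == tun_if) == negated_if:
            continue
        if src is not None and src.overlaps(vpn):
            hits.append((table, line))  # drops the VPN pool's own source addresses
        elif src is None and proto == "icmp":
            hits.append((table, line))  # drops everyone's ping, VPN clients included
    return hits
```

Run it against the output of `iptables-save` on the server; any rule it reports must be narrowed with `! -i tun0` (or moved after an explicit ACCEPT for the VPN pool) before the FORWARD and NAT rules can have any effect.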