Configuration d'un serveur OpenVPN pontée avec une carte réseau IP publique unique
J'ai essayé de configurer un serveur OpenVPN bridge sans grand succès. J'ai des VPS exécutant Ubuntu avec une carte réseau, qui lui a assigné une adresse IP publique statique. Je veux pouvoir avoir quelques clients pour m'y connecter et former un réseau qui fonctionnerait comme un réseau local normal avec une diffusion fonctionnelle.
Schéma des connexions physiques:
J'aimerais avoir laptop
et desktop
et server
sur un seul réseau disons 10.0.0.0/24
. Avec les configurations ci-dessous, je n'ai pu me connecter qu'au serveur OpenVPN, mais il n'y a pas de connexion réelle entre les machines. Le plus loin que je le fasse fonctionner, c'est que server
ne peut voir que les demandes ARP
venant des clients, mais ne renvoie aucune réponse. Je ne peux pas ping server
d'un client, d'un client quelconque du server
. Je fais évidemment quelque chose de mal, mais je ne peux pas mettre le doigt dessus. Dites-moi qu'il y a une faute de frappe quelque part.
server
' l interfaces :
root@server:~# cat /etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet manual
up ip link set $IFACE addr f2:3c:91:69:33:c2 promisc on up
down ip link set $IFACE down
auto tap0
iface tap0 inet manual
pre-up openvpn --mktun --dev $IFACE
up ip link set $IFACE addr f2:3c:91:69:33:c1 promisc on up
down ip link set $IFACE down
post-down openvpn --rmtun --dev $IFACE
auto br0
iface br0 inet dhcp
bridge_ports eth0 tap0
bridge_fd 0
bridge_stp off
pre-up ip link set $IFACE addr f2:3c:91:69:33:c3 # DHCP filters by MAC
server
Le transfert IPv4 est activé :
root@server:~# sysctl -p
net.ipv4.ip_forward = 1
server
configuration :
proto udp
dev tap0
port 1194
local vpn.server.tld
server-bridge 10.0.0.2 255.255.255.0 10.0.0.128 10.0.0.254
push "route 10.0.0.0 255.255.255.0"
client-to-client
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
tls-server
tls-auth keys/ta.key 0
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 60
comp-lzo
status /var/log/openvpn.status
log /var/log/openvpn.log
verb 3
desktop
configuration :
client
proto udp
dev tap
port 20251 # forwarded in office router
remote vpn.server.tld 1194
ca ../keys/ca.crt
cert ../keys/tomasz@desktop.crt
key ../keys/tomasz@desktop.key
tls-client
tls-auth ../keys/ta.key 1
ns-cert-type server
persist-key
persist-tun
keepalive 10 60
comp-lzo
resolv-retry infinite
server
journal de connexion :
root@server:~# tail -n 40 -f /var/log/openvpn.log
Sat Jul 27 00:32:30 2013 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Feb 13 2013
Sat Jul 27 00:32:30 2013 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Sat Jul 27 00:32:30 2013 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Jul 27 00:32:30 2013 Diffie-Hellman initialized with 1024 bit key
Sat Jul 27 00:32:30 2013 Control Channel Authentication: using 'keys/ta.key' as a OpenVPN static key file
Sat Jul 27 00:32:30 2013 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jul 27 00:32:30 2013 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jul 27 00:32:30 2013 TLS-Auth MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sat Jul 27 00:32:30 2013 Socket Buffers: R=[212992->131072] S=[212992->131072]
Sat Jul 27 00:32:30 2013 TUN/TAP device tap0 opened
Sat Jul 27 00:32:30 2013 TUN/TAP TX queue length set to 100
Sat Jul 27 00:32:30 2013 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Sat Jul 27 00:32:30 2013 GID set to nogroup
Sat Jul 27 00:32:30 2013 UID set to nobody
Sat Jul 27 00:32:30 2013 UDPv4 link local (bound): [AF_INET]79.123.43.99:1194
Sat Jul 27 00:32:30 2013 UDPv4 link remote: [undef]
Sat Jul 27 00:32:30 2013 MULTI: multi_init called, r=256 v=256
Sat Jul 27 00:32:30 2013 IFCONFIG POOL: base=10.0.0.128 size=127, ipv6=0
Sat Jul 27 00:32:30 2013 Initialization Sequence Completed
Sat Jul 27 00:32:44 2013 MULTI: multi_create_instance called
Sat Jul 27 00:32:44 2013 168.87.4.12:20251 Re-using SSL/TLS context
Sat Jul 27 00:32:44 2013 168.87.4.12:20251 LZO compression initialized
Sat Jul 27 00:32:44 2013 168.87.4.12:20251 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sat Jul 27 00:32:44 2013 168.87.4.12:20251 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Sat Jul 27 00:32:44 2013 168.87.4.12:20251 Local Options hash (VER=V4): '360696c5'
Sat Jul 27 00:32:44 2013 168.87.4.12:20251 Expected Remote Options hash (VER=V4): '13a273ba'
Sat Jul 27 00:32:44 2013 168.87.4.12:20251 TLS: Initial packet from [AF_INET]89.77.180.128:20251, sid=d27be456 62dc0bf7
Sat Jul 27 00:32:44 2013 168.87.4.12:20251 VERIFY OK: depth=1, /C=**/ST=**/L=**/O=**/CN=**_Certification_Authority
Sat Jul 27 00:32:44 2013 168.87.4.12:20251 VERIFY OK: depth=0, /C=**/ST=**/L=**/O=**/CN=tomasz@desktop
Sat Jul 27 00:32:44 2013 168.87.4.12:20251 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jul 27 00:32:44 2013 168.87.4.12:20251 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jul 27 00:32:44 2013 168.87.4.12:20251 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jul 27 00:32:44 2013 168.87.4.12:20251 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jul 27 00:32:44 2013 168.87.4.12:20251 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Jul 27 00:32:44 2013 168.87.4.12:20251 [tomasz@desktop] Peer Connection Initiated with [AF_INET]168.87.4.12:20251
Sat Jul 27 00:32:44 2013 tomasz@desktop/168.87.4.12:20251 MULTI_sva: pool returned IPv4=10.0.0.128, IPv6=1::2100:0:0:0
Sat Jul 27 00:32:46 2013 tomasz@desktop/168.87.4.12:20251 PUSH: Received control message: 'PUSH_REQUEST'
Sat Jul 27 00:32:46 2013 tomasz@desktop/168.87.4.12:20251 send_push_reply(): safe_cap=960
Sat Jul 27 00:32:46 2013 tomasz@desktop/168.87.4.12:20251 SENT CONTROL [tomasz@desktop]: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,route-gateway 10.0.0.2,ping 10,ping-restart 60,ifconfig 10.0.0.128 255.255.255.0' (status=1)
Sat Jul 27 00:32:47 2013 tomasz@desktop/168.87.4.12:20251 MULTI: Learn: aa:7c:1d:c2:42:e1 -> tomasz@desktop/168.87.4.12:20251
server
' s routes et interfaces avec OpenVPN en cours d'exécution :
root@remote:~# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default 79.123.43.1 0.0.0.0 UG 0 0 0 br0
79.123.43.0 * 255.255.255.0 U 0 0 0 br0
root@server:~# ifconfig
br0 Link encap:Ethernet HWaddr f2:3c:91:69:33:c3
inet addr:79.123.43.99 Bcast:79.123.43.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:450 errors:0 dropped:0 overruns:0 frame:0
TX packets:467 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:48685 (48.6 KB) TX bytes:53043 (53.0 KB)
eth0 Link encap:Ethernet HWaddr f2:3c:91:69:33:c2
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:20803 errors:0 dropped:0 overruns:0 frame:0
TX packets:26066 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2190355 (2.1 MB) TX bytes:3683757 (3.6 MB)
Interrupt:76
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:1183 errors:0 dropped:0 overruns:0 frame:0
TX packets:1183 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:433649 (433.6 KB) TX bytes:433649 (433.6 KB)
tap0 Link encap:Ethernet HWaddr f2:3c:91:69:33:c1
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:39 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1158 (1.1 KB) TX bytes:3390 (3.3 KB)
desktop
' s journal de connexion :
tomasz@desktop:$ sudo openvpn --config desktop.ovpn
Sat Jul 27 00:58:33 2013 OpenVPN 2.3.2 x86_64-apple-darwin12.4.0 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Jul 24 2013
Sat Jul 27 00:58:33 2013 Control Channel Authentication: using '../keys/ta.key' as a OpenVPN static key file
Sat Jul 27 00:58:33 2013 UDPv4 link local (bound): [undef]
Sat Jul 27 00:58:33 2013 UDPv4 link remote: [AF_INET]79.123.43.99:1194
Sat Jul 27 00:58:33 2013 [vpn.server.tld] Peer Connection Initiated with [AF_INET]79.123.43.99:1194
Sat Jul 27 00:58:36 2013 TUN/TAP device /dev/tap0 opened
Sat Jul 27 00:58:36 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Jul 27 00:58:36 2013 /sbin/ifconfig tap0 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
Sat Jul 27 00:58:36 2013 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Sat Jul 27 00:58:36 2013 /sbin/ifconfig tap0 10.0.0.128 netmask 255.255.255.0 mtu 1500 up
route: writing to routing socket: File exists
add net 10.0.0.0: gateway 10.0.0.2: File exists
Sat Jul 27 00:58:36 2013 Initialization Sequence Completed
desktop
' s routes et interfaces avec OpenVPN en cours d'exécution :
tomasz@desktop$ ifconfig
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:26:bb:10:6e:14
inet6 fe80::226:bbff:fe10:6e14%en1 prefixlen 64 scopeid 0x5
inet 192.168.0.250 netmask 0xffffff00 broadcast 192.168.0.255
media: autoselect
status: active
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether aa:7c:1d:c2:42:e1
inet 10.0.0.128 netmask 0xffffff00 broadcast 10.0.0.255
open (pid 14700)
tomasz@desktop$ netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.0.1 UGSc 15 760 en1
10/24 link#8 UC 2 0 tap0
10.0.0.255 ff:ff:ff:ff:ff:ff UHLWbI 0 4 tap0
127 127.0.0.1 UCS 0 0 lo0
127.0.0.1 127.0.0.1 UH 7 1873 lo0
169.254 link#5 UCS 0 0 en1
192.168.0 link#5 UCS 3 0 en1
192.168.0.1 80:c6:ab:cf:61:54 UHLWIir 16 4568 en1 704
192.168.0.250 127.0.0.1 UHS 0 0 lo0
192.168.0.255 ff:ff:ff:ff:ff:ff UHLWbI 0 4 en1
Lors d'une tentative de ping server
depuis desktop
:
tomasz@desktop:~$ ping -c 1 10.0.0.2
PING 10.0.0.2 (10.0.0.2): 56 data bytes
--- 10.0.0.2 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
tomasz@server:~$ sudo tcpdump -nel -i tap0
tcpdump: WARNING: tap0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap0, link-type EN10MB (Ethernet), capture size 65535 bytes
01:02:44.023108 8a:13:46:10:03:ac > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.2 tell 10.0.0.128, length 28