Доброго времени суток.
Внезапно поломался openvpn.
Конфиг сервера:
root@vpn:~# cat /etc/openvpn/vpn.fqdn.conf
port 2194
proto udp
dev tun0
ca keys/dp-ca/ca.crt
cert keys/dp-ca/srv.ru.fqdn.vpn-master.crt
key keys/dp-ca/srv.ru.fqdn.vpn-master.key
dh keys/dp-ca/dh2048.pem
server 192.168.192.0 255.255.240.0
crl-verify keys/dp-ca/crl.pem
#cipher BF-CBC
cipher AES-256-CBC
keysize 256
user nobody
group nogroup
status servers/vpn.fqdn.ru/logs/openvpn-status.log
log-append servers/vpn.fqdn.ru/logs/openvpn.log
verb 3
mute 20
tun-mtu 1500
keepalive 10 30
client-config-dir /etc/openvpn/servers/vpn.fqdn.ru/ccd
tls-server
client-to-client
comp-lzo
persist-key
persist-tun
ccd-exclusive
mode server
multihome
push "dhcp-option DNS 192.168.176.62"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DOMAIN dp.vpn"
push "route 192.168.176.0 255.255.240.0"
root@vpn:~# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default 10.0.3.1 0.0.0.0 UG 0 0 0 eth0
10.0.3.0 * 255.255.255.0 U 0 0 0 eth0
192.168.192.0 192.168.192.2 255.255.240.0 UG 0 0 0 tun0
192.168.192.2 * 255.255.255.255 UH 0 0 0 tun0
root@vpn:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default
link/ipip 0.0.0.0 brd 0.0.0.0
3: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default
link/sit 0.0.0.0 brd 0.0.0.0
4: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default
link/tunnel6 :: brd ::
29: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 192.168.192.1 peer 192.168.192.2/32 scope global tun0
valid_lft forever preferred_lft forever
316: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:16:3e:80:7d:f5 brd ff:ff:ff:ff:ff:ff
inet 10.0.3.102/24 brd 10.0.3.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::216:3eff:fe80:7df5/64 scope link
valid_lft forever preferred_lft forever
Сервак — это LXC-контейнер, на который iptables с хоста cl8 перенаправляет запросы по порту, но там всё точно ок. Инфа с хоста:
root@cl8:~# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default 51.255.68.254 0.0.0.0 UG 0 0 0 eth0
10.0.0.0 192.168.176.105 255.255.255.0 UG 0 0 0 tun0
10.0.3.0 * 255.255.255.0 U 0 0 0 lxcbr0
51.255.68.0 * 255.255.255.0 U 0 0 0 eth0
172.17.0.0 * 255.255.0.0 U 0 0 0 docker0
178.33.104.170 * 255.255.255.255 UH 0 0 0 lxcbr0
192.168.160.0 192.168.176.105 255.255.255.0 UG 0 0 0 tun0
192.168.176.0 192.168.176.105 255.255.240.0 UG 0 0 0 tun0
192.168.176.105 * 255.255.255.255 UH 0 0 0 tun0
root@cl8:~# cat /etc/network/iptables.up
# Generated by iptables-save v1.4.21 on Wed Mar 9 13:59:34 2016
*raw
:PREROUTING ACCEPT [4020721875:2876467267843]
:OUTPUT ACCEPT [84108421:128211972445]
COMMIT
# Completed on Wed Mar 9 13:59:34 2016
# Generated by iptables-save v1.4.21 on Wed Mar 9 13:59:34 2016
*nat
:PREROUTING ACCEPT [40:3953]
:INPUT ACCEPT [7:224]
:OUTPUT ACCEPT [6:376]
:POSTROUTING ACCEPT [39:2160]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -d 51.255.68.86/32 -p tcp -m tcp --dport 4080 -j DNAT --to-destination 10.0.3.102:8080
-A PREROUTING -d 51.255.68.86/32 -p udp -m udp --dport 2194 -j DNAT --to-destination 10.0.3.102:2194
-A PREROUTING -d 51.255.68.86/32 -p tcp -m tcp --dport 2194 -j DNAT --to-destination 10.0.3.102:2194
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 5000 -j MASQUERADE
-A POSTROUTING -s 172.17.0.5/32 -d 172.17.0.5/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 8088 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 8086 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -d 192.168.176.106/32 ! -i docker0 -p tcp -m tcp --dport 5000 -j DNAT --to-destination 172.17.0.4:5000
-A DOCKER -d 192.168.176.106/32 ! -i docker0 -p tcp -m tcp --dport 8085 -j DNAT --to-destination 172.17.0.5:80
-A DOCKER -d 51.255.68.86/32 ! -i docker0 -p tcp -m tcp --dport 8088 -j DNAT --to-destination 172.17.0.2:8088
-A DOCKER -d 51.255.68.86/32 ! -i docker0 -p tcp -m tcp --dport 8086 -j DNAT --to-destination 172.17.0.2:8086
COMMIT
# Completed on Wed Mar 9 13:59:34 2016
# Generated by iptables-save v1.4.21 on Wed Mar 9 13:59:34 2016
*mangle
:PREROUTING ACCEPT [4020712824:2876462562996]
:INPUT ACCEPT [76361858:99560950957]
:FORWARD ACCEPT [3943928602:2776840061587]
:OUTPUT ACCEPT [84098632:128210993717]
:POSTROUTING ACCEPT [4028027214:2905051053452]
-A POSTROUTING -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Wed Mar 9 13:59:34 2016
# Generated by iptables-save v1.4.21 on Wed Mar 9 13:59:34 2016
*filter
:INPUT ACCEPT [99:24342]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [54:19854]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1022 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3022 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4022 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5022 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6022 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 13306 -j ACCEPT
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
COMMIT
# Completed on Wed Mar 9 13:59:34 2016
root@cl8:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN group default
link/ether f6:07:b1:86:93:70 brd ff:ff:ff:ff:ff:ff
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default
link/ether e2:56:66:87:c5:2e brd ff:ff:ff:ff:ff:ff
4: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
link/ether 96:77:08:2b:d3:10 brd ff:ff:ff:ff:ff:ff
5: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
link/ether 6e:03:07:70:73:e3 brd ff:ff:ff:ff:ff:ff
6: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 0c:c4:7a:7b:96:8e brd ff:ff:ff:ff:ff:ff
inet 51.255.68.86/24 brd 51.255.68.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 2001:41d0:1008:1056::/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::ec4:7aff:fe7b:968e/64 scope link
valid_lft forever preferred_lft forever
7: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 0c:c4:7a:7b:96:8f brd ff:ff:ff:ff:ff:ff
8: teql0: <NOARP> mtu 1500 qdisc noop state DOWN group default qlen 100
link/void
9: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default
link/ipip 0.0.0.0 brd 0.0.0.0
10: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default
link/sit 0.0.0.0 brd 0.0.0.0
11: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default
link/tunnel6 :: brd ::
12: lxcbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether fe:1f:86:f8:a9:31 brd ff:ff:ff:ff:ff:ff
inet 10.0.3.1/24 brd 10.0.3.255 scope global lxcbr0
valid_lft forever preferred_lft forever
inet6 fe80::602e:4aff:fe5b:d2bc/64 scope link
valid_lft forever preferred_lft forever
318: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1200 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 192.168.176.106 peer 192.168.176.105/32 scope global tun0
valid_lft forever preferred_lft forever
И с моей машины:
[root@krylovstage ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:ae:e1:6e brd ff:ff:ff:ff:ff:ff
inet 192.168.1.30/24 brd 192.168.1.255 scope global eth0
inet6 fe80::20c:29ff:feae:e16e/64 scope link
valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/[65534]
inet 192.168.192.10 peer 192.168.192.9/32 scope global tun0
[root@krylovstage ~]# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.192.9 * 255.255.255.255 UH 0 0 0 tun0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
192.168.192.0 192.168.192.9 255.255.240.0 UG 0 0 0 tun0
192.168.176.0 192.168.192.9 255.255.240.0 UG 0 0 0 tun0
link-local * 255.255.0.0 U 0 0 0 eth0
default router 0.0.0.0 UG 0 0 0 eth0
Никак не пойму, в чём косяк: VPN не ходит, и всё. Прошу помощи.