Change history
Correction by ipeacocks (current version):
Well, I already had one client with a PSK key.
I changed it as you recommended; server config (10.129.18.182):
# Port and protocol
port 1194
proto udp
# Emulated network interface
dev tun
# Server's certificates/key
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
# Diffie-Hellman key
dh dh2048.pem
# OpenVPN client's address pool
server 10.8.0.0 255.255.255.0
# Persist the list of client names and their IPs
ifconfig-pool-persist ipp.txt
client-config-dir ccd
route 10.135.0.0 255.255.0.0
# With this option we can use one key/cert
# on many clients at the same time
duplicate-cn
# All traffic from clients goes to vpn interface
# push "redirect-gateway def1 bypass-dhcp"
# Push DNS-settings to client
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# Timeouts
# default 10 120
keepalive 50 200
# TLS authentication secret
tls-auth ta.key 0 # This file is secret
key-direction 0
# Minimal TLS version for connection
tls-version-min 1.2
# TLS ciphers. We are using only the most secure ones.
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
# Encryption algorithm for traffic
cipher AES-256-CBC
# HMAC auth
auth SHA256
# Traffic compression
comp-lzo
# Reducing the daemon's privileges after initialization.
user nobody
group nogroup
# Keep the key and tun interface across restarts
persist-key
persist-tun
# Logging parameters
status openvpn-status.log
log-append /var/log/openvpn.log
verb 4
# No more than 20 consecutive messages of the same category
mute 20
In /etc/openvpn/ccd there is the following:
# cat /etc/openvpn/ccd/client1
iroute 10.135.0.0 255.255.0.0
push "route 10.129.0.0 255.255.0.0"
Routes on the server (10.129.18.182):
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 37.139.10.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.14.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
10.129.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
10.135.0.0 10.8.0.2 255.255.0.0 UG 0 0 0 tun0
37.139.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
Client ovpn config (10.135.28.233):
client
dev tun
proto udp
remote 37.139.10.10 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
# 0 is on server and 1 on client
key-direction 1
comp-lzo
verb 4
mute 20
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
....
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
....
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
After starting OpenVPN, routes on the client (10.135.28.233):
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 138.68.96.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun0
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.19.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
10.129.0.0 10.8.0.5 255.255.0.0 UG 0 0 0 tun0
10.135.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
37.139.10.10 138.68.96.1 255.255.255.255 UGH 0 0 0 eth0
138.68.96.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
The following Netfilter rules are enabled on the server and the client:
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -P FORWARD ACCEPT
# iptables -t nat -s 10.8.0.0/24 -A POSTROUTING -o eth1 -j MASQUERADE
Thanks to which the client and the server can ping everyone, but hosts on the client's subnet and hosts on the server's subnet, as before, see only their own network. I.e. nothing has changed.
Original version by ipeacocks:
Identical to the current version above, except that the client config heading read "Client config (10.135.28.233):".
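The two `route -n` tables and the MASQUERADE rule in the post can be walked by hand, but it is easier to let a script do it. The following Python program is an added example and not part of ipeacocks' post: it loads both routing tables and the POSTROUTING rule exactly as printed, then traces a packet and its reply hop by hop, doing longest-prefix-match routing and source NAT at each node. Everything not on the page is an assumption and is labelled as such in the code: the client's tun0 address 10.8.0.6 (inferred from the net30 /30 visible in the client table), the addresses MASQUERADE picks on eth1 (10.129.18.182 and 10.135.28.233), and two hypothetical LAN hosts, 10.135.1.10 behind the client and 10.129.1.10 behind the server, each with only its connected /16 and a default gateway that is not the VPN box.

```python
"""Hop-by-hop model of the two `route -n` tables and the MASQUERADE rule from
the post: each node routes by longest-prefix match and applies POSTROUTING SNAT;
trace() forwards a packet until delivered or lost, round_trip() adds the reply."""
import ipaddress

ip, net = ipaddress.ip_address, ipaddress.ip_network


class Node:
    def __init__(self, name, addrs, routes, nat=()):
        self.name = name
        self.addrs = {ip(a) for a in addrs}
        # routes: (prefix, gateway or None when directly connected, iface)
        self.routes = [(net(p), ip(gw) if gw else None, i) for p, gw, i in routes]
        # nat: "-t nat -A POSTROUTING -s <src> -o <iface> -j MASQUERADE" + chosen address
        self.nat = [(net(s), i, ip(a)) for s, i, a in nat]

    def lookup(self, dst):
        """Longest-prefix match, as the kernel does over the `route -n` entries."""
        hits = [r for r in self.routes if dst in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None

    def snat(self, src, out_iface):
        """Source address after POSTROUTING on the chosen egress interface."""
        for src_net, iface, masq in self.nat:
            if src in src_net and iface == out_iface:
                return masq
        return src


def trace(start, src, dst, owners, max_hops=8):
    """Returns (status, path, source address as the final receiver sees it)."""
    src, dst = ip(src), ip(dst)
    node, path = start, [start.name]
    for _ in range(max_hops):
        if dst in node.addrs:
            return "delivered", path, src
        route = node.lookup(dst)
        if route is None:
            return f"no route at {node.name}", path, src
        _, gw, iface = route
        src = node.snat(src, iface)
        nxt = gw if gw is not None else dst
        node = owners.get(nxt)
        if node is None:
            return f"lost at {path[-1]}: next hop {nxt} via {iface} is not a VPN node", path, src
        path.append(node.name)
    return "loop", path, src


def round_trip(start, src, dst, owners):
    """Trace src->dst, then the reply from the receiver to the source it saw."""
    fwd, _, seen_src = trace(start, src, dst, owners)
    if fwd != "delivered":
        return fwd, "n/a", seen_src
    reply, _, _ = trace(owners[ip(dst)], dst, seen_src, owners)
    return fwd, reply, seen_src


# Routing tables copied from the post's `route -n` output (gateway 0.0.0.0 -> None).
SERVER_ROUTES = [("0.0.0.0/0", "37.139.10.1", "eth0"), ("10.8.0.0/24", "10.8.0.2", "tun0"),
                 ("10.8.0.2/32", None, "tun0"), ("10.14.0.0/16", None, "eth0"),
                 ("10.129.0.0/16", None, "eth1"), ("10.135.0.0/16", "10.8.0.2", "tun0"),
                 ("37.139.10.0/24", None, "eth0")]
CLIENT_ROUTES = [("0.0.0.0/0", "138.68.96.1", "eth0"), ("10.8.0.1/32", "10.8.0.5", "tun0"),
                 ("10.8.0.5/32", None, "tun0"), ("10.19.0.0/16", None, "eth0"),
                 ("10.129.0.0/16", "10.8.0.5", "tun0"), ("10.135.0.0/16", None, "eth1"),
                 ("37.139.10.10/32", "138.68.96.1", "eth0"), ("138.68.96.0/20", None, "eth0")]
# The post's rule on both sides: -s 10.8.0.0/24 -o eth1 -j MASQUERADE (assumed egress address).
SERVER_NAT = [("10.8.0.0/24", "eth1", "10.129.18.182")]
CLIENT_NAT = [("10.8.0.0/24", "eth1", "10.135.28.233")]
# Assumed LAN hosts (not in the post): connected /16 plus a default gateway that is not
# the VPN box; the client-side host also needs a static route to 10.129.0.0/16 to send at all.
LAN_A_ROUTES = [("0.0.0.0/0", "10.135.0.1", "eth0"), ("10.135.0.0/16", None, "eth0"),
                ("10.129.0.0/16", "10.135.28.233", "eth0")]
LAN_B_ROUTES = [("0.0.0.0/0", "10.129.0.1", "eth0"), ("10.129.0.0/16", None, "eth0")]


def topology(server_nat=SERVER_NAT, lan_b_routes=LAN_B_ROUTES):
    """Build server, client and one host behind each; returns (client, lan_a, owners)."""
    # 10.8.0.6 is inferred from the net30 /30 (10.8.0.4-7) visible in the client table.
    server = Node("server", ["10.129.18.182", "10.8.0.1"], SERVER_ROUTES, server_nat)
    client = Node("client", ["10.135.28.233", "10.8.0.6"], CLIENT_ROUTES, CLIENT_NAT)
    lan_a = Node("lan_a", ["10.135.1.10"], LAN_A_ROUTES)
    lan_b = Node("lan_b", ["10.129.1.10"], lan_b_routes)
    owners = {a: n for n in (server, client, lan_a, lan_b) for a in n.addrs}
    # Tunnel ends: the server's next hop 10.8.0.2 reaches the client (its iroute),
    # the client's next hop 10.8.0.5 reaches the server.
    owners[ip("10.8.0.2")], owners[ip("10.8.0.5")] = client, server
    return client, lan_a, owners


if __name__ == "__main__":
    client, lan_a, owners = topology()
    print("vpn client -> lan_b:", round_trip(client, "10.8.0.6", "10.129.1.10", owners))
    print("lan_a -> lan_b:", round_trip(lan_a, "10.135.1.10", "10.129.1.10", owners))
    # Fix A: give server-side hosts a return route through the VPN server.
    back = [("10.135.0.0/16", "10.129.18.182", "eth0")]
    _, lan_a2, owners2 = topology(lan_b_routes=LAN_B_ROUTES + back)
    print("lan_a -> lan_b with return route:", round_trip(lan_a2, "10.135.1.10", "10.129.1.10", owners2))
```

Run as-is, the VPN client's own packet is masqueraded to 10.129.18.182 on the server's eth1 and the reply comes straight back, which matches the post's observation that the endpoints can ping everyone. A packet from the host behind the client, however, leaves the server's eth1 with its original 10.135.1.10 source, because the rule only matches 10.8.0.0/24, so the reply follows that host's default gateway away from the tunnel. The last case shows the round trip completing once the server-side host has `10.135.0.0/16 via 10.129.18.182`; calling `topology(server_nat=SERVER_NAT + [("10.135.0.0/16", "eth1", "10.129.18.182")])` instead makes it complete by NAT, at the cost of hiding the real source address from the server LAN.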