LINUX.ORG.RU

Edit history

Correction by ipeacocks (current version):

Well, I already had one client with a PSK key.

I changed it as you recommended; server config (10.129.18.182):

# Port and protocol
port 1194
proto udp

# Emulated network interface
dev tun

# Server's certificates/key
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret

# Diffie-Hellman key
dh dh2048.pem

# OpenVPN client's address pool
server 10.8.0.0 255.255.255.0

# Persist list of IPs and client's names
ifconfig-pool-persist ipp.txt

client-config-dir ccd

route 10.135.0.0 255.255.0.0

# With this option we can use one key/cert
# on many clients at the same time
duplicate-cn

# All traffic from clients goes to vpn interface
# push "redirect-gateway def1 bypass-dhcp"

# Push DNS-settings to client
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# Timeouts
# default 10 120
keepalive 50 200

# TLS authentication secret
tls-auth ta.key 0 # This file is secret
key-direction 0

# Minimal TLS version for connection
tls-version-min 1.2

# TLS ciphers. We are using only the most secure ones.
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

# Encryption algorithm for traffic
cipher AES-256-CBC

# HMAC auth
auth SHA256

# Traffic compression
comp-lzo

# Reducing the daemon's privileges after initialization.
user nobody
group nogroup

# Keep the client's interface/key
# across server restarts
persist-key
persist-tun

# Logging parameters
status openvpn-status.log
log-append /var/log/openvpn.log
verb 4
# Log at most 20 consecutive messages of the same kind
mute 20

In /etc/openvpn/ccd there is the following:

# cat /etc/openvpn/ccd/client1

iroute 10.135.0.0 255.255.0.0
push "route 10.129.0.0 255.255.0.0"

Routes on the server (10.129.18.182):

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         37.139.10.1     0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.14.0.0       0.0.0.0         255.255.0.0     U     0      0        0 eth0
10.129.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth1
10.135.0.0      10.8.0.2        255.255.0.0     UG    0      0        0 tun0
37.139.10.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

Client ovpn config (10.135.28.233):

client
dev tun

proto udp
remote 37.139.10.10 1194

resolv-retry infinite

nobind

user nobody
group nogroup

persist-key
persist-tun

tls-version-min 1.2

tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

remote-cert-tls server

cipher AES-256-CBC
auth SHA256
# 0 is on server and 1 on client
key-direction 1

comp-lzo

verb 4
mute 20

# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
....
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
....
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>

After OpenVPN starts, routes on the client (10.135.28.233):

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         138.68.96.1     0.0.0.0         UG    0      0        0 eth0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.19.0.0       0.0.0.0         255.255.0.0     U     0      0        0 eth0
10.129.0.0      10.8.0.5        255.255.0.0     UG    0      0        0 tun0
10.135.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth1
37.139.10.10    138.68.96.1     255.255.255.255 UGH   0      0        0 eth0
138.68.96.0     0.0.0.0         255.255.240.0   U     0      0        0 eth0

The following Netfilter rules are enabled on both the server and the client:

# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -P FORWARD ACCEPT
# iptables -t nat -s 10.8.0.0/24 -A POSTROUTING -o eth1 -j MASQUERADE

Thanks to this, the client and the server can ping everyone, but hosts on the client's subnet and hosts on the server's subnet, as before, see only their own network. I.e., nothing has changed.
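As an added illustration (my own example, not part of ipeacocks's post and not OpenVPN project code): the script below parses the server's `route -n` output quoted in the post, performs the kernel's longest-prefix match for a destination, and checks whether the single MASQUERADE rule from the post would rewrite the packet's source address. The LAN host addresses 10.129.0.10 and 10.135.0.10 are constructed for the example. It shows that a packet from the client's tunnel address (10.8.0.5) to a server-LAN host leaves eth1 with its source masqueraded, whereas a packet from a client-LAN host is forwarded out eth1 but not masqueraded, because the rule matches only `-s 10.8.0.0/24`; in that case the server-LAN host's reply can only come back if that host itself has a route to 10.135.0.0/16 via the OpenVPN server.

```python
import ipaddress

# Routing table of the OpenVPN server (10.129.18.182), copied from the
# `route -n` output in the post above (body lines only).
SERVER_ROUTES = """\
0.0.0.0         37.139.10.1     0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.14.0.0       0.0.0.0         255.255.0.0     U     0      0        0 eth0
10.129.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth1
10.135.0.0      10.8.0.2        255.255.0.0     UG    0      0        0 tun0
37.139.10.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
"""

# The only NAT rule from the post:
#   iptables -t nat -s 10.8.0.0/24 -A POSTROUTING -o eth1 -j MASQUERADE
# represented as (matched source prefix, out-interface).
MASQUERADE_RULES = [(ipaddress.ip_network("10.8.0.0/24"), "eth1")]


def parse_route_n(text):
    """Parse `route -n` output into (network, gateway, iface) tuples.

    Header lines ("Kernel IP routing table", "Destination ...") are skipped,
    so the full command output can be passed as well as the body alone.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] in ("Kernel", "Destination"):
            continue
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[7]
        # ipaddress accepts a dotted netmask after the slash.
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does for a forwarded packet."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def is_masqueraded(rules, src, out_iface):
    """True if a POSTROUTING MASQUERADE rule matches this source/out-iface."""
    src = ipaddress.ip_address(src)
    return any(src in net and out_iface == iface for net, iface in rules)


def check_flow(routes, rules, src, dst):
    """Describe how the server would forward a packet src -> dst."""
    route = lookup(routes, dst)
    if route is None:
        return {"forwarded": False, "iface": None, "masqueraded": False}
    _, _, iface = route
    return {
        "forwarded": True,
        "iface": iface,
        "masqueraded": is_masqueraded(rules, src, iface),
    }


if __name__ == "__main__":
    routes = parse_route_n(SERVER_ROUTES)
    # 10.129.0.10 and 10.135.0.10 are constructed LAN host addresses.
    for src in ("10.8.0.5", "10.135.0.10"):
        r = check_flow(routes, MASQUERADE_RULES, src, "10.129.0.10")
        print(f"{src} -> 10.129.0.10: out {r['iface']}, "
              f"masqueraded={r['masqueraded']}")
```

Run it with `python3 routecheck.py`; the second line of output is the case the post describes, where the LAN-to-LAN packet is forwarded with its original source intact and the remote LAN host needs its own return route.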
