NAT for OpenVPN, or "How do I get into the internal network?"

Hi all.
Today a short note about OpenVPN.
At some point I had to set up OpenVPN. The installation itself is not hard if you follow the instructions.

The problems started later. As it turned out, the NAT rules given in the official manual:

FIREWALLS
OpenVPN's usage of a single UDP port makes it fairly firewall-friendly. You should add an entry to your firewall rules to allow incoming OpenVPN packets. On Linux 2.4+:

iptables -A INPUT -p udp -s 1.2.3.4 --dport 1194 -j ACCEPT

This will allow incoming packets on UDP port 1194 (OpenVPN's default UDP port) from an OpenVPN peer at 1.2.3.4.

If you are using HMAC-based packet authentication (the default in any of OpenVPN's secure modes), having the firewall filter on source address can be considered optional, since HMAC packet authentication is a much more secure method of verifying the authenticity of a packet source. In that case:

iptables -A INPUT -p udp --dport 1194 -j ACCEPT

would be adequate and would not render the host inflexible with respect to its peer having a dynamic IP address.

OpenVPN also works well on stateful firewalls. In some cases, you may not need to add any static rules to the firewall list if you are using a stateful firewall that knows how to track UDP connections. If you specify --ping n, OpenVPN will be guaranteed to send a packet to its peer at least once every n seconds. If n is less than the stateful firewall connection timeout, you can maintain an OpenVPN connection indefinitely without explicit firewall rules.

You should also add firewall rules to allow incoming IP traffic on TUN or TAP devices such as:

iptables -A INPUT -i tun+ -j ACCEPT

to allow input packets from tun devices,

iptables -A FORWARD -i tun+ -j ACCEPT

to allow input packets from tun devices to be forwarded to other hosts on the local network,

iptables -A INPUT -i tap+ -j ACCEPT

to allow input packets from tap devices, and

iptables -A FORWARD -i tap+ -j ACCEPT

to allow input packets from tap devices to be forwarded to other hosts on the local network.

These rules are secure if you use packet authentication, since no incoming packets will arrive on a TUN or TAP virtual device unless they first pass an HMAC authentication test.

will let you into your network, but no further than the server itself.
For packets to be passed on into the internal network, one more NAT rule is needed.
Our server has two network cards:
eth0 - faces the internet
eth1 - faces the LAN. IP - 192.168.1.2

OpenVPN itself uses addresses from the 10.0.0.0/24 range.

Let's write the rule needed so that OpenVPN users can reach the LAN:
iptables -v -t nat -A POSTROUTING -o eth1 -s 10.0.0.0/24 -j SNAT --to-source 192.168.1.2


That's it, let's try it.
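As an added example (not the post's own commands), here is a small POSIX sh script that bundles the post's SNAT rule with the two things it silently assumes: kernel forwarding switched on, and FORWARD rules that only pass traffic from the VPN range towards the LAN plus the replies to it, instead of the manual's blanket "-i tun+ -j ACCEPT". The function names and the IPT variable are mine; the interface names and addresses are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Defaults match the post:
# eth1 = LAN side of the server, 192.168.1.2 = its LAN address,
# 10.0.0.0/24 = the range OpenVPN hands out to clients.
VPN_NET="${VPN_NET:-10.0.0.0/24}"
LAN_IF="${LAN_IF:-eth1}"
LAN_IP="${LAN_IP:-192.168.1.2}"
IPT="${IPT:-iptables}"   # set IPT=echo to print the commands instead of applying them

# Emit the iptables arguments, one rule per line, in the order they must be added.
vpn_to_lan_rules() {
    printf '%s\n' \
      "-A FORWARD -i tun+ -o $LAN_IF -s $VPN_NET -j ACCEPT" \
      "-A FORWARD -i $LAN_IF -o tun+ -d $VPN_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
      "-t nat -A POSTROUTING -o $LAN_IF -s $VPN_NET -j SNAT --to-source $LAN_IP"
}
# Rule 1: only packets that really carry a VPN source address, and only towards the LAN,
#         get forwarded (the manual's '-i tun+ -j ACCEPT' would also forward them out eth0).
# Rule 2: LAN hosts may only answer connections a VPN client opened, never start new ones.
# Rule 3: the post's SNAT. LAN hosts see every VPN client as 192.168.1.2, so they need
#         no route back to 10.0.0.0/24. Side effect worth knowing: LAN-side logs will
#         show 192.168.1.2 for all VPN users, so keep the OpenVPN server log to map
#         a LAN event back to the client that caused it.

# Returns 0 when net.ipv4.ip_forward is already 1, 1 otherwise (or if unreadable).
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

apply_vpn_to_lan() {
    # Without forwarding the kernel drops tun->eth1 traffic before POSTROUTING is
    # ever reached, which is the usual reason the SNAT rule alone "does nothing".
    forwarding_enabled || sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    vpn_to_lan_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended here
        $IPT $rule || exit 1
    done
}

# Usage (as root): ./vpn_lan.sh   or   IPT=echo ./vpn_lan.sh  for a dry run.
[ "${0##*/}" = "vpn_lan.sh" ] && apply_vpn_to_lan
```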