There is a LAN (192.168.8.0/24). The LAN gateway is 192.168.8.2, and the gateway's external IP is 1.1.1.1. I want to get into this network from outside, and without routing, straight into the LAN. For this I set up a SLES11 server with internal IP 192.168.8.20 and external IP 2.2.2.2, and installed openvpn and bridge-utils on it. The configs are almost default; the problem is this:
the connection is established fine, the client sees the server, the server sees the client, but the client does not see the rest of the LAN.
Server log:
vpn:/etc/openvpn # openvpn server.conf
Tue Nov 3 22:32:21 2009 OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Feb 25 2009
Tue Nov 3 22:32:21 2009 Diffie-Hellman initialized with 1024 bit key
Tue Nov 3 22:32:21 2009 TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Nov 3 22:32:21 2009 TUN/TAP device tap0 opened
Tue Nov 3 22:32:21 2009 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Nov 3 22:32:21 2009 GID set to nobody
Tue Nov 3 22:32:21 2009 UID set to nobody
Tue Nov 3 22:32:21 2009 UDPv4 link local (bound): 2.2.2.2:1194
Tue Nov 3 22:32:21 2009 UDPv4 link remote: [undef]
Tue Nov 3 22:32:21 2009 MULTI: multi_init called, r=256 v=256
Tue Nov 3 22:32:21 2009 IFCONFIG POOL: base=192.168.8.60 size=7
Tue Nov 3 22:32:21 2009 IFCONFIG POOL LIST
Tue Nov 3 22:32:21 2009 Initialization Sequence Completed
Tue Nov 3 22:32:56 2009 MULTI: multi_create_instance called
Tue Nov 3 22:32:56 2009 172.16.10.28:44392 Re-using SSL/TLS context
Tue Nov 3 22:32:56 2009 172.16.10.28:44392 LZO compression initialized
Tue Nov 3 22:32:56 2009 172.16.10.28:44392 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Nov 3 22:32:56 2009 172.16.10.28:44392 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Nov 3 22:32:56 2009 172.16.10.28:44392 Local Options hash (VER=V4): 'f7df56b8'
Tue Nov 3 22:32:56 2009 172.16.10.28:44392 Expected Remote Options hash (VER=V4): 'd79ca330'
Tue Nov 3 22:32:56 2009 172.16.10.28:44392 TLS: Initial packet from 172.16.10.28:44392, sid=f05237c9 2de0b4fd
Tue Nov 3 22:32:56 2009 172.16.10.28:44392 VERIFY OK: depth=1, /C=RU/ST=PK/L=PETROPAVLOVSKKAMCHATSKY/O=PKF_FGUP_CentrInform/CN=firewall/emailAddress=ca@ххх.ru
Tue Nov 3 22:32:56 2009 172.16.10.28:44392 VERIFY OK: depth=0, /C=RU/ST=PK/O=PKF_FGUP_CentrInform/CN=vzhikbook/emailAddress=ca@ххх.ru
Tue Nov 3 22:32:56 2009 172.16.10.28:44392 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Nov 3 22:32:56 2009 172.16.10.28:44392 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 3 22:32:56 2009 172.16.10.28:44392 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Nov 3 22:32:56 2009 172.16.10.28:44392 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 3 22:32:56 2009 172.16.10.28:44392 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Nov 3 22:32:56 2009 172.16.10.28:44392 [vzhikbook] Peer Connection Initiated with 172.16.10.28:44392
Tue Nov 3 22:32:56 2009 vzhikbook/172.16.10.28:44392 OPTIONS IMPORT: reading client specific options from: ccd/vzhikbook
Tue Nov 3 22:32:57 2009 vzhikbook/172.16.10.28:44392 PUSH: Received control message: 'PUSH_REQUEST'
Tue Nov 3 22:32:57 2009 vzhikbook/172.16.10.28:44392 SENT CONTROL [vzhikbook]: 'PUSH_REPLY,route-gateway 192.168.8.20,ping 10,ping-restart 120,ifconfig 192.168.8.65 255.255.255.0' (status=1)
Tue Nov 3 22:32:57 2009 vzhikbook/172.16.10.28:44392 MULTI: Learn: a6:47:a0:47:33:61 -> vzhikbook/172.16.10.28:44392

Client log:
vzhikbook:/etc/openvpn # openvpn client.conf
Tue Nov 3 22:33:57 2009 OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Dec 3 2008
Tue Nov 3 22:33:57 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Nov 3 22:33:57 2009 LZO compression initialized
Tue Nov 3 22:33:57 2009 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Nov 3 22:33:57 2009 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Nov 3 22:33:57 2009 Local Options hash (VER=V4): 'd79ca330'
Tue Nov 3 22:33:57 2009 Expected Remote Options hash (VER=V4): 'f7df56b8'
Tue Nov 3 22:33:57 2009 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Tue Nov 3 22:33:57 2009 UDPv4 link local: [undef]
Tue Nov 3 22:33:57 2009 UDPv4 link remote: 2.2.2.2:1194
Tue Nov 3 22:33:57 2009 TLS: Initial packet from 2.2.2.2:1194, sid=9203445a 170272df
Tue Nov 3 22:33:57 2009 VERIFY OK: depth=1, /C=RU/ST=PK/L=PETROPAVLOVSKKAMCHATSKY/O=PKF_FGUP_CentrInform/CN=firewall/emailAddress=ca@ххх.ru
Tue Nov 3 22:33:57 2009 VERIFY OK: nsCertType=SERVER
Tue Nov 3 22:33:57 2009 VERIFY OK: depth=0, /C=RU/ST=PK/O=PKF_FGUP_CentrInform/CN=atlaskam/emailAddress=ca@ххх.ru
Tue Nov 3 22:33:57 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Nov 3 22:33:57 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 3 22:33:57 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Nov 3 22:33:57 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 3 22:33:57 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Nov 3 22:33:57 2009 [atlaskam] Peer Connection Initiated with 2.2.2.2:1194
Tue Nov 3 22:33:58 2009 SENT CONTROL [atlaskam]: 'PUSH_REQUEST' (status=1)
Tue Nov 3 22:33:58 2009 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.8.20,ping 10,ping-restart 120,ifconfig 192.168.8.65 255.255.255.0'
Tue Nov 3 22:33:58 2009 OPTIONS IMPORT: timers and/or timeouts modified
Tue Nov 3 22:33:58 2009 OPTIONS IMPORT: --ifconfig/up options modified
Tue Nov 3 22:33:58 2009 OPTIONS IMPORT: route options modified
Tue Nov 3 22:33:58 2009 TUN/TAP device tap0 opened
Tue Nov 3 22:33:58 2009 /bin/ip link set dev tap0 up mtu 1500
Tue Nov 3 22:33:58 2009 /bin/ip addr add dev tap0 192.168.8.65/24 broadcast 192.168.8.255
Tue Nov 3 22:33:58 2009 GID set to nobody
Tue Nov 3 22:33:58 2009 UID set to nobody
Tue Nov 3 22:33:58 2009 Initialization Sequence Completed

Server interfaces:
vpn:/etc/openvpn # ifconfig -a
br0 Link encap:Ethernet HWaddr 00:0C:29:A5:71:8A
inet addr:192.168.8.20 Bcast:192.168.8.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2407 errors:0 dropped:0 overruns:0 frame:0
TX packets:397 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:247329 (241.5 Kb) TX bytes:146783 (143.3 Kb)
eth0 Link encap:Ethernet HWaddr 00:0C:29:A5:71:8A
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:2604 errors:0 dropped:0 overruns:0 frame:0
TX packets:406 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:309964 (302.6 Kb) TX bytes:147161 (143.7 Kb)
eth1 Link encap:Ethernet HWaddr 00:0C:29:A5:71:94
inet addr:2.2.2.2 Bcast:2.2.2.127 Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1564 errors:0 dropped:0 overruns:0 frame:0
TX packets:1860 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:161037 (157.2 Kb) TX bytes:359421 (350.9 Kb)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:100 (100.0 b) TX bytes:100 (100.0 b)
tap0 Link encap:Ethernet HWaddr 3A:C3:1D:06:42:26
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:69 errors:0 dropped:0 overruns:0 frame:0
TX packets:940 errors:0 dropped:287 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:11539 (11.2 Kb) TX bytes:66966 (65.3 Kb)

Client interfaces:
vzhikbook:/home/vzhik # ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:26:18:9F:E3:F3
inet addr:172.16.10.28 Bcast:172.16.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:519817 errors:0 dropped:0 overruns:0 frame:0
TX packets:36532 errors:0 dropped:0 overruns:0 carrier:2
collisions:0 txqueuelen:1000
RX bytes:47439735 (45.2 Mb) TX bytes:3491313 (3.3 Mb)
Interrupt:219
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:86 errors:0 dropped:0 overruns:0 frame:0
TX packets:86 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:8700 (8.4 Kb) TX bytes:8700 (8.4 Kb)
tap0 Link encap:Ethernet HWaddr D2:FC:0A:2B:9E:62
inet addr:192.168.8.65 Bcast:192.168.8.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10 errors:0 dropped:0 overruns:0 frame:0
TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:964 (964.0 b) TX bytes:3242 (3.1 Kb)
vboxnet0 Link encap:Ethernet HWaddr 0A:00:27:00:00:00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

Server config:
local 2.2.2.2
port 1194
proto udp
dev tap0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/atlaskam.crt
key /etc/openvpn/keys/atlaskam.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.8.20 255.255.255.0 192.168.8.60 192.168.8.66
client-config-dir ccd
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

Client config:
client
dev tap
proto udp
remote 2.2.2.2 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vzhikbook.crt
key /etc/openvpn/keys/vzhikbook.key
ns-cert-type server
comp-lzo
verb 3

On the server, in ccd there is a file vzhikbook with this content:
ifconfig-push 192.168.8.65 255.255.255.0

Before starting OpenVPN I run the bridge-start script:
#!/bin/sh
# bridge-start: create the tap device, enslave eth0 and tap0 to br0,
# and move the LAN address from eth0 onto the bridge interface.
br="br0"
tap="tap0"
eth="eth0"
eth_ip="192.168.8.20"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.8.255"

# Create persistent tap device(s) so OpenVPN can attach to them later
for t in $tap; do
    openvpn --mktun --dev $t
done

# Build the bridge and add the physical NIC and the tap(s) as ports
brctl addbr $br
brctl addif $br $eth
for t in $tap; do
    brctl addif $br $t
done

# Bridge ports carry no IP address of their own and run promiscuous
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done
ifconfig $eth 0.0.0.0 promisc up

# The LAN address now lives on the bridge interface
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

A bit of sniffer output on the client:
vzhikbook:/home/vzhik # tshark -i tap0
Running as user "root" and group "root". This could be dangerous.
Capturing on tap0
0.000000 Supermic_b8:b6:e2 -> Broadcast ARP Gratuitous ARP for 192.168.8.235 (Request)
2.079925 Supermic_b8:b6:e2 -> Broadcast ARP Gratuitous ARP for 192.168.8.235 (Request)
4.160066 Supermic_b8:b6:e2 -> Broadcast ARP Gratuitous ARP for 192.168.8.235 (Request)
6.240232 Supermic_b8:b6:e2 -> Broadcast ARP Gratuitous ARP for 192.168.8.235 (Request)
8.320414 Supermic_b8:b6:e2 -> Broadcast ARP Gratuitous ARP for 192.168.8.235 (Request)
10.410574 Supermic_b8:b6:e2 -> Broadcast ARP Gratuitous ARP for 192.168.8.235 (Request)
11.538283 00000000.0010f301d987 -> 00000000.ffffffffffff IPX SAP General Response
11.713454 192.168.8.65 -> 192.168.8.255 NBNS Registration NB VZHIKBOOK<20>
11.713479 192.168.8.65 -> 192.168.8.255 NBNS Registration NB VZHIKBOOK<03>
11.713495 192.168.8.65 -> 192.168.8.255 NBNS Registration NB VZHIKBOOK<00>
11.713513 192.168.8.65 -> 192.168.8.255 NBNS Registration NB INFORM<00>
11.713529 192.168.8.65 -> 192.168.8.255 NBNS Registration NB INFORM<1e>
12.500681 Supermic_b8:b6:e2 -> Broadcast ARP Gratuitous ARP for 192.168.8.235 (Request)
12.714311 192.168.8.65 -> 192.168.8.255 BROWSER Host Announcement VZHIKBOOK, Workstation, Server, Print Queue Server, Xenix Server, NT Workstation, NT Server, Potential Browser, Unknown server type:23
13.713315 192.168.8.65 -> 192.168.8.255 NBNS Registration NB VZHIKBOOK<20>
13.713350 192.168.8.65 -> 192.168.8.255 NBNS Registration NB VZHIKBOOK<03>
13.713370 192.168.8.65 -> 192.168.8.255 NBNS Registration NB VZHIKBOOK<00>
13.713391 192.168.8.65 -> 192.168.8.255 NBNS Registration NB INFORM<00>
13.713409 192.168.8.65 -> 192.168.8.255 NBNS Registration NB INFORM<1e>
14.590884 Supermic_b8:b6:e2 -> Broadcast ARP Gratuitous ARP for 192.168.8.235 (Request)
14.713302 192.168.8.65 -> 192.168.8.255 NBNS Registration NB VZHIKBOOK<20>
14.713322 192.168.8.65 -> 192.168.8.255 NBNS Registration NB VZHIKBOOK<03>
14.713333 192.168.8.65 -> 192.168.8.255 NBNS Registration NB VZHIKBOOK<00>
14.713344 192.168.8.65 -> 192.168.8.255 NBNS Registration NB INFORM<00>
14.713355 192.168.8.65 -> 192.168.8.255 NBNS Registration NB INFORM<1e>
15.713309 192.168.8.65 -> 192.168.8.255 NBNS Registration NB VZHIKBOOK<20>
15.713329 192.168.8.65 -> 192.168.8.255 NBNS Registration NB VZHIKBOOK<03>
15.713341 192.168.8.65 -> 192.168.8.255 NBNS Registration NB VZHIKBOOK<00>
15.713353 192.168.8.65 -> 192.168.8.255 NBNS Registration NB INFORM<00>
15.713364 192.168.8.65 -> 192.168.8.255 NBNS Registration NB INFORM<1e>
16.681100 Supermic_b8:b6:e2 -> Broadcast ARP Gratuitous ARP for 192.168.8.235 (Request)
17.899509 AsustekC_25:79:d1 -> Broadcast ARP Who has 192.168.8.231? Tell 192.168.8.4
18.771242 Supermic_b8:b6:e2 -> Broadcast ARP Gratuitous ARP for 192.168.8.235 (Request)
20.861532 Supermic_b8:b6:e2 -> Broadcast ARP Gratuitous ARP for 192.168.8.235 (Request)
22.951531 Supermic_b8:b6:e2 -> Broadcast ARP Gratuitous ARP for 192.168.8.235 (Request)
25.041646 Supermic_b8:b6:e2 -> Broadcast ARP Gratuitous ARP for 192.168.8.235 (Request)
27.131865 Supermic_b8:b6:e2 -> Broadcast ARP Gratuitous ARP for 192.168.8.235 (Request)
29.222089 Supermic_b8:b6:e2 -> Broadcast ARP Gratuitous ARP for 192.168.8.235 (Request)
31.312752 Supermic_b8:b6:e2 -> Broadcast ARP Gratuitous ARP for 192.168.8.235 (Request)
33.424056 Supermic_b8:b6:e2 -> Broadcast ARP Gratuitous ARP for 192.168.8.235 (Request)
34.899381 Vmware_38:30:3c -> Broadcast ARP Who has 192.168.8.7? Tell 192.168.8.9
35.512550 Supermic_b8:b6:e2 -> Broadcast ARP Gratuitous ARP for 192.168.8.235 (Request)
37.261239 a6:47:a0:47:33:61 -> Broadcast ARP Who has 192.168.8.2? Tell 192.168.8.65
37.592673 Supermic_b8:b6:e2 -> Broadcast ARP Gratuitous ARP for 192.168.8.235 (Request)
38.257239 a6:47:a0:47:33:61 -> Broadcast ARP Who has 192.168.8.2? Tell 192.168.8.65
39.257258 a6:47:a0:47:33:61 -> Broadcast ARP Who has 192.168.8.2? Tell 192.168.8.65
39.673039 Supermic_b8:b6:e2 -> Broadcast ARP Gratuitous ARP for 192.168.8.235 (Request)
40.277256 a6:47:a0:47:33:61 -> Broadcast ARP Who has 192.168.8.2? Tell 192.168.8.65
41.277239 a6:47:a0:47:33:61 -> Broadcast ARP Who has 192.168.8.2? Tell 192.168.8.65
41.753190 Supermic_b8:b6:e2 -> Broadcast ARP Gratuitous ARP for 192.168.8.235 (Request)
42.277241 a6:47:a0:47:33:61 -> Broadcast ARP Who has 192.168.8.2? Tell 192.168.8.65
42.371251 AsustekC_25:79:d1 -> Broadcast ARP Who has 192.168.8.8? Tell 192.168.8.4
43.833403 Supermic_b8:b6:e2 -> Broadcast ARP Gratuitous ARP for 192.168.8.235 (Request)
45.913506 Supermic_b8:b6:e2 -> Broadcast ARP Gratuitous ARP for 192.168.8.235 (Request)
46.983957 00:25:84:bd:81:40 -> CDP/VTP/DTP/PAgP/UDLD CDP Device ID: yourname.yourdomain.com Port ID: FastEthernet0/0
47.993677 Supermic_b8:b6:e2 -> Broadcast ARP Gratuitous ARP for 192.168.8.235 (Request)
50.073949 Supermic_b8:b6:e2 -> Broadcast ARP Gratuitous ARP for 192.168.8.235 (Request)
50.959101 Vmware_41:ba:31 -> Broadcast ARP Who has 192.168.8.2? Tell 192.168.8.80
52.154112 Supermic_b8:b6:e2 -> Broadcast ARP Gratuitous ARP for 192.168.8.235 (Request)

192.168.8.20 and 192.168.8.65 ping each other without problems. 192.168.8.20 can ping any host; 192.168.8.65 cannot ping anything.
Will any more data be needed? How do I make the client see the whole 192.168.8.0/24 network?
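As an added example (not code from the original post), a small Python script that classifies tshark summary lines like the ones above: it counts the client's ARP requests that never got an "is at" reply delivered to the client's MAC, and separately counts frames sourced by other LAN hosts, which separates "LAN frames reach the client" from "the client's frames get answered". The capture text is a constructed subset of the lines in the post; the client IP and MAC are taken from the logs.

```python
import re
from collections import Counter

# Constructed sample: a subset of the tshark summary lines shown in the post.
CAPTURE = """\
0.000000 Supermic_b8:b6:e2 -> Broadcast ARP Gratuitous ARP for 192.168.8.235 (Request)
11.713454 192.168.8.65 -> 192.168.8.255 NBNS Registration NB VZHIKBOOK<20>
17.899509 AsustekC_25:79:d1 -> Broadcast ARP Who has 192.168.8.231? Tell 192.168.8.4
37.261239 a6:47:a0:47:33:61 -> Broadcast ARP Who has 192.168.8.2? Tell 192.168.8.65
38.257239 a6:47:a0:47:33:61 -> Broadcast ARP Who has 192.168.8.2? Tell 192.168.8.65
39.257258 a6:47:a0:47:33:61 -> Broadcast ARP Who has 192.168.8.2? Tell 192.168.8.65
50.959101 Vmware_41:ba:31 -> Broadcast ARP Who has 192.168.8.2? Tell 192.168.8.80
"""

# tshark one-line summary: "<time> <src> -> <dst> <proto> <info>"
LINE = re.compile(r"^\s*(?P<t>[\d.]+)\s+(?P<src>\S+) -> (?P<dst>\S+) (?P<proto>\S+) (?P<info>.*)$")
WHO_HAS = re.compile(r"Who has (?P<target>[\d.]+)\? Tell (?P<sender>[\d.]+)")
IS_AT = re.compile(r"(?P<ip>[\d.]+) is at (?P<mac>\S+)")


def analyze(capture, client_ip, client_mac):
    """Classify frames seen on the client's tap interface.

    Returns a dict with:
      unanswered - {target_ip: request_count} for ARP requests sent by the client
                   that never got an "<ip> is at <mac>" reply addressed to client_mac
      lan_frames - number of frames sourced by some other LAN host, i.e. proof
                   that frames do flow from the LAN through the bridge to the client
    """
    asked, answered, lan_frames = Counter(), set(), 0
    for raw in capture.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        req = WHO_HAS.search(m["info"])
        rep = IS_AT.search(m["info"])
        if req and req["sender"] == client_ip:
            asked[req["target"]] += 1
        elif rep and m["dst"] == client_mac:
            answered.add(rep["ip"])
        # tshark prints a MAC as source for ARP and an IP for IP-carrying frames
        if m["src"] not in (client_ip, client_mac):
            lan_frames += 1
    unanswered = {ip: n for ip, n in asked.items() if ip not in answered}
    return {"unanswered": unanswered, "lan_frames": lan_frames}


if __name__ == "__main__":
    result = analyze(CAPTURE, "192.168.8.65", "a6:47:a0:47:33:61")
    for ip, n in result["unanswered"].items():
        print(f"{n} ARP request(s) for {ip} from the client got no reply")
    print(f"{result['lan_frames']} frame(s) from other LAN hosts reached tap0")
```

Feed it the full `tshark -i tap0` output to see at a glance whether the gateway's ARP replies ever make it back through the bridge to the client's MAC.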