[BSD] openvpn question
Fazekas Mihály
michael at goliat.eik.bme.hu
Tue, 3 Apr 2007, 18:53:10 CEST
> I don't know; you didn't send the configs you put together, nor the
> route or ifconfig output, no information at all.
>
> It's hard to help like that :)
Ok, true.
Since then, however, I got feedback that "the drives can be mapped, but
it drops sometimes". For that I raised the keepalive.
But pinging outward through the VPN is still not possible.
That is no longer so important, but it would still be very interesting.
I have already fiddled with "push" every which way, but no improvement.
Here it is:
The company is on the net via ADSL with a fixed IP.
The ADSL router is the FreeBSD box itself; its internal IP address is 192.168.0.2
(192.168.0.0/24).
The OpenVPN server runs on it.
openvpn.conf
---------------------------------------
# Specify device
dev tun
# Server and client IP and Pool
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Certificates for VPN Authentication
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/brilliance_server.crt
key /usr/local/etc/openvpn/keys/brilliance_server.key
dh /usr/local/etc/openvpn/keys/dh1024.pem
# Routes to push to the client
push "route 192.168.0.0 255.255.255.0"
#push "route 10.8.0.2 255.255.255.0"
# Use compression on the VPN link
comp-lzo
# Make the link more resistant to connection failures (was: keepalive 10 60)
keepalive 60 36000
max-clients 5
ping-timer-rem
persist-tun
persist-key
# Run OpenVPN as a daemon and drop privileges to user/group nobody
user nobody
group nobody
daemon
---------------------------------------
I put the keepalive parameter in because it kept dropping the client
regularly. Now I am waiting for feedback.
myvpn.ovpn:
---------------------------------------
client
remote ******** 1194
dev tun
comp-lzo
ca ca.crt
cert client1.crt
key client1.key
verb 3
---------------------------------------
the server's ifconfig:
---------------------------------------
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
ether 4c:00:10:15:4f:46
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
ether 00:e0:4c:39:19:f8
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
inet x.x.x.x --> y.y.y.y netmask 0xffffffff
Opened by PID 386
tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
Opened by PID 57629
---------------------------------------
the relevant parts of pf.conf:
---------------------------------------
ext_if="tun0"
int_if="rl1"
internal_net="192.168.0.0/24"
internal_addr="192.168.0.2"
vpn_if="tun1"
vpn_network="10.8.0.0/24"
nat on $ext_if from $vpn_network to any -> ($ext_if)
pass in on $ext_if proto udp from any to port 1194 keep state
pass quick on $vpn_if
---------------------------------------
--
mailto:michael at goliat.eik.bme.hu
Phone: 463-1966
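As an added example (not part of the original post, and not OpenVPN's or pf's own tooling), a small Python checker that parses the relevant lines of the openvpn.conf and pf.conf fragments above and cross-checks them: it verifies that the source network of the pf `nat` rule covers the subnet from the `server` directive, collects the routes pushed to clients, and reports whether a `redirect-gateway` is pushed, since a client only sends the tunnel subnet and the pushed routes through the tunnel. The two config strings are constructed from the post; the function names are this example's own.

```python
import ipaddress
import re

# Constructed inputs: the relevant lines of the two fragments quoted in the post.
OPENVPN_CONF = """\
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
#push "route 10.8.0.2 255.255.255.0"
keepalive 60 36000
"""
PF_CONF = """\
ext_if="tun0"
vpn_network="10.8.0.0/24"
nat on $ext_if from $vpn_network to any -> ($ext_if)
"""

def parse_openvpn(text):
    """Extract the VPN subnet, the pushed routes and whether a default route is pushed."""
    info = {"subnet": None, "routes": [], "redirect_gateway": False}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # drops comments and commented-out directives
        if not parts:
            continue
        if parts[0] == "server":
            info["subnet"] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}")
        elif parts[0] == "push":
            pushed = " ".join(parts[1:]).strip('"').split()
            if pushed[0] == "route":
                info["routes"].append(ipaddress.ip_network(f"{pushed[1]}/{pushed[2]}"))
            elif pushed[0] == "redirect-gateway":
                info["redirect_gateway"] = True
    return info

def parse_pf_nat_sources(text):
    """Return the source networks of 'nat on ... from X' rules, expanding $macros."""
    macros = dict(re.findall(r'^(\w+)="([^"]*)"', text, re.M))
    return [ipaddress.ip_network(macros[s[1:]] if s.startswith("$") else s)
            for s in re.findall(r'^nat on \S+ from (\S+)', text, re.M)]

def check(openvpn_text, pf_text):
    """List mismatches between what the server pushes and what pf is set up to NAT."""
    ovpn, nat_sources = parse_openvpn(openvpn_text), parse_pf_nat_sources(pf_text)
    findings = []
    if not any(ovpn["subnet"].subnet_of(n) for n in nat_sources):
        findings.append(f"pf NAT rule does not cover VPN subnet {ovpn['subnet']}")
    if not ovpn["redirect_gateway"]:
        routes = ", ".join(map(str, ovpn["routes"]))
        findings.append("no 'push redirect-gateway': only the tunnel subnet and pushed routes "
                        f"({routes}) go through the VPN, not Internet-bound client traffic")
    return findings
```

Run `check(OPENVPN_CONF, PF_CONF)` to get the findings for the fragments above; an empty list means the server config and the NAT rule agree on a full-tunnel setup.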
More information about the BSD mailing list