Problemi con rotte statiche

JackLayne · 27-08-2015, 09:51

Salve a tutti,

ho un problema con la configurazione della mia rete

Io ho questa situazione qua:

Rete A: 192.168.1.0
Router A: 192.168.1.254

Rete B: 192.168.2.0
Router B: 192.168.2.253

Il Router A è quello che è connesso ad internet, mentre il router B è connesso al router tramite la porta WAN Ethernt del router.
Per il router A il router B corrisponde al 192.168.1.13

Ho necessità di configurare nel router B una VPN, usando OpenVPN, e che tutto il traffico del router B ( ethernet e WI-FI ) passi dalla VPN e non dal router A.

Ho già configurato la VPN ed entrato in SSH nel router B e facendo un traceroute e un check ip, il router funziona correttamente con la VPN. La cosa strana è che tutto ciò che è conesso al router venga re-indirizzato al router A e n on passi per la VPN.

Vi allego config e log:

OPENVPN config

Codice:

client
dev tun
proto udp
remote lin-c04.ipvanish.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
ca /config/xxx/amod/openvpn/ca.crt
tls-remote lin-c04.ipvanish.com
auth-user-pass /config/xxx/amod/openvpn/auth.conf
comp-lzo
verb 3
auth SHA256
cipher AES-256-CBC
keysize 256
tls-cipher DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA

OpenVPN log

Codice:

openvpn --config /config/xxx/amod/openvpn/openvpn_client.conf 
Thu Aug 27 09:21:17 2015 DEPRECATED OPTION: --tls-remote, please update your configuration
Thu Aug 27 09:21:17 2015 OpenVPN 2.3.7 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 24 2015
Thu Aug 27 09:21:17 2015 library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
Thu Aug 27 09:21:17 2015 Deprecated TLS cipher name 'DHE-RSA-AES256-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
Thu Aug 27 09:21:17 2015 Deprecated TLS cipher name 'DHE-DSS-AES256-SHA', please use IANA name 'TLS-DHE-DSS-WITH-AES-256-CBC-SHA'
Thu Aug 27 09:21:17 2015 Deprecated TLS cipher name 'AES256-SHA', please use IANA name 'TLS-RSA-WITH-AES-256-CBC-SHA'
Thu Aug 27 09:21:17 2015 Socket Buffers: R=[122880->131072] S=[122880->131072]
Thu Aug 27 09:21:17 2015 UDPv4 link local: [undef]
Thu Aug 27 09:21:17 2015 UDPv4 link remote: [AF_INET]94.198.97.10:443
Thu Aug 27 09:21:17 2015 TLS: Initial packet from [AF_INET]94.198.97.10:443, sid=66e4e4fb 3f10728c
Thu Aug 27 09:21:17 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Aug 27 09:21:17 2015 VERIFY OK: depth=1, /C=US/ST=FL/L=Winter_Park/O=IPVanish/OU=IPVanish_VPN/CN=IPVanish_CA/emailAddress=support@ipvanish.com
Thu Aug 27 09:21:17 2015 VERIFY X509NAME OK: /C=US/ST=FL/L=Winter_Park/O=IPVanish/OU=IPVanish_VPN/CN=lin-c04.ipvanish.com/emailAddress=support@ipvanish.com
Thu Aug 27 09:21:17 2015 VERIFY OK: depth=0, /C=US/ST=FL/L=Winter_Park/O=IPVanish/OU=IPVanish_VPN/CN=lin-c04.ipvanish.com/emailAddress=support@ipvanish.com
Thu Aug 27 09:21:19 2015 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Aug 27 09:21:19 2015 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Aug 27 09:21:19 2015 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Aug 27 09:21:19 2015 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Aug 27 09:21:19 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Thu Aug 27 09:21:19 2015 [lin-c04.ipvanish.com] Peer Connection Initiated with [AF_INET]94.198.97.10:443
Thu Aug 27 09:21:21 2015 SENT CONTROL [lin-c04.ipvanish.com]: 'PUSH_REQUEST' (status=1)
Thu Aug 27 09:21:21 2015 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 198.18.0.1,dhcp-option DNS 198.18.0.2,rcvbuf 262144,explicit-exit-notify 5,route-gateway 172.20.32.1,topology subnet,ping 20,ping-restart 40,ifconfig 172.20.34.242 255.255.252.0'
Thu Aug 27 09:21:21 2015 OPTIONS IMPORT: timers and/or timeouts modified
Thu Aug 27 09:21:21 2015 OPTIONS IMPORT: explicit notify parm(s) modified
Thu Aug 27 09:21:21 2015 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Thu Aug 27 09:21:21 2015 Socket Buffers: R=[131072->245760] S=[131072->131072]
Thu Aug 27 09:21:21 2015 OPTIONS IMPORT: --ifconfig/up options modified
Thu Aug 27 09:21:21 2015 OPTIONS IMPORT: route options modified
Thu Aug 27 09:21:21 2015 OPTIONS IMPORT: route-related options modified
Thu Aug 27 09:21:21 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Aug 27 09:21:21 2015 TUN/TAP device tun0 opened
Thu Aug 27 09:21:21 2015 TUN/TAP TX queue length set to 100
Thu Aug 27 09:21:21 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Aug 27 09:21:21 2015 /bin/ip link set dev tun0 up mtu 1500
Thu Aug 27 09:21:21 2015 /bin/ip addr add dev tun0 172.20.34.242/22 broadcast 172.20.35.255
Thu Aug 27 09:21:22 2015 /bin/ip route add 94.198.97.10/32 via 192.168.1.254
Thu Aug 27 09:21:22 2015 /bin/ip route add 0.0.0.0/1 via 172.20.32.1
Thu Aug 27 09:21:22 2015 /bin/ip route add 128.0.0.0/1 via 172.20.32.1
Thu Aug 27 09:21:22 2015 Initialization Sequence Completed

ip route del router B

Codice:

94.198.97.10 via 192.168.1.254 dev eth4 
192.168.2.0/24 dev group1  proto kernel  scope link  src 192.168.2.253 
192.168.1.0/24 dev eth4  proto kernel  scope link  src 192.168.1.13 
172.20.32.0/22 dev tun0  proto kernel  scope link  src 172.20.34.242 
239.0.0.0/8 dev group1  scope link 
127.0.0.0/8 dev lo  scope link 
0.0.0.0/1 via 172.20.32.1 dev tun0 
128.0.0.0/1 via 172.20.32.1 dev tun0 
default via 192.168.1.254 dev eth4

netstat -nr del router B

Codice:

94.198.97.10    192.168.1.254   255.255.255.255 UGH       0 0          0 eth4
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 group1
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth4
172.20.32.0     0.0.0.0         255.255.252.0   U         0 0          0 tun0
239.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 group1
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         172.20.32.1     128.0.0.0       UG        0 0          0 tun0
128.0.0.0       172.20.32.1     128.0.0.0       UG        0 0          0 tun0
0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 eth4

traceroute effettuato in ssh dal router B

Codice:

traceroute to google.it (173.194.40.143), 30 hops max, 38 byte packets
 1  172.20.32.1 (172.20.32.1)  56.821 ms  57.138 ms  64.915 ms
 2  95.141.37.1 (95.141.37.1)  72.550 ms  57.018 ms  58.854 ms
 3  95.141.47.254 (95.141.47.254)  75.322 ms  57.733 ms  59.106 ms
 4  google.mix-it.net (217.29.66.96)  66.882 ms  57.846 ms  59.337 ms
 5  209.85.249.54 (209.85.249.54)  65.641 ms  58.608 ms  216.239.47.128 (216.239.47.128)  59.467 ms
 6  209.85.253.9 (209.85.253.9)  64.777 ms  209.85.253.11 (209.85.253.11)  74.073 ms  64.239 ms
 7  209.85.142.249 (209.85.142.249)  74.629 ms  209.85.143.219 (209.85.143.219)  83.182 ms  209.85.142.249 (209.85.142.249)  75.904 ms
 8  209.85.245.80 (209.85.245.80)  77.139 ms  74.954 ms  78.684 ms
 9  209.85.243.47 (209.85.243.47)  76.669 ms  76.239 ms  75.757 ms
10  par10s10-in-f15.1e100.net (173.194.40.143)  83.902 ms  75.904 ms  79.657 ms

invece da un dispositivo nella rete B collegato al router B, ho questo:

Codice:

1  192.168.2.253 (192.168.2.253)  2.436 ms  8.045 ms  1.884 ms
 2  192.168.1.254 (192.168.1.254)  2.469 ms  15.007 ms  1.732 ms
 3  82.230.29.254 (82.230.29.254)  23.728 ms  28.420 ms  23.826 ms
 4  montpellier-6k-1-a5.routers.proxad.net (213.228.12.62)  25.944 ms  37.071 ms  34.704 ms
 5  montpellier-crs8-1-be2100.intf.routers.proxad.net (78.254.249.30)  33.926 ms  38.213 ms  35.982 ms
 6  p11-cr16-1-be1103.intf.routers.proxad.net (194.149.160.21)  47.050 ms  47.324 ms  58.332 ms
 7  cbv-9k-1-be1001.intf.routers.proxad.net (194.149.161.14)  44.040 ms  52.422 ms  52.980 ms
 8  72.14.211.26 (72.14.211.26)  52.615 ms  58.753 ms  51.571 ms
 9  72.14.239.145 (72.14.239.145)  52.409 ms  50.430 ms  53.787 ms
10  72.14.233.83 (72.14.233.83)  52.349 ms  51.231 ms  51.725 ms
11  par03s15-in-f99.1e100.net (216.58.211.99)  52.618 ms  52.439 ms  53.201 ms

facendo anche un check ip ( sul router tramite CLI ), nel router esco con l'IP della VPN, ma dal client collegato allo stesso router esco con l'IP del provider..

cosa mi manca?

Grazie in anticipo a tutti quanti

JL

alfonsor · 27-08-2015, 12:17

ti manca il gw

default via 192.168.1.254 dev eth4

ovviamente tutto passa al router A

ip ro del default via 192.168.1.254 dev eth4
ip ro add default via SERVERVPN dev tun0

l'opzione da mettere in config per automatizzarlo mo non me la ricordo al momento

JackLayne · 27-08-2015, 13:41

Quote:

Originariamente inviato da alfonsor

ti manca il gw

default via 192.168.1.254 dev eth4

ovviamente tutto passa al router A

ip ro del default via 192.168.1.254 dev eth4
ip ro add default via SERVERVPN dev tun0

l'opzione da mettere in config per automatizzarlo mo non me la ricordo al momento

già provato non funziona..potrebbe essere un problema di nat?

27-08-2015, 12:17	#2
alfonsor Senior Member Iscritto dal: Oct 2005 Messaggi: 7494	ti manca il gw default via 192.168.1.254 dev eth4 ovviamente tutto passa al router A ip ro del default via 192.168.1.254 dev eth4 ip ro add default via SERVERVPN dev tun0 l'opzione da mettere in config per automatizzarlo mo non me la ricordo al momento

Strumenti
Mostra una versione stampabile Invia questa pagina per email