craano
09.06.07, 21:56
Hello,
I'm currently playing around a bit with OpenVPN.
But I don't yet fully understand how I need to configure the firewall.
On the server I only want to open the VPN port to the outside.
# Default policy when no rule matches.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# allow ssh
iptables -A INPUT -i eth0 -p tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT
#
#
#
iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 1194 -j ACCEPT
#
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -o tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
When I now start the OpenVPN server everything is OK at first, but when I try to connect with a client I get the following message on the server:
Sat Jun 9 22:41:11 2007 Initialization Sequence Completed
Sat Jun 9 22:41:38 2007 MULTI: multi_create_instance called
Sat Jun 9 22:41:38 2007 192.168.1.35:32781 Re-using SSL/TLS context
Sat Jun 9 22:41:38 2007 192.168.1.35:32781 LZO compression initialized
Sat Jun 9 22:41:38 2007 192.168.1.35:32781 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Jun 9 22:41:38 2007 192.168.1.35:32781 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Jun 9 22:41:38 2007 192.168.1.35:32781 Local Options hash (VER=V4): '530fdded'
Sat Jun 9 22:41:38 2007 192.168.1.35:32781 Expected Remote Options hash (VER=V4): '41690919'
Sat Jun 9 22:41:38 2007 192.168.1.35:32781 TLS: Initial packet from 192.168.1.35:32781, sid=18e30cc6 b353ca9e
Sat Jun 9 22:41:38 2007 192.168.1.35:32781 write UDPv4 []: Operation not permitted (code=1)
Sat Jun 9 22:41:39 2007 192.168.1.35:32781 write UDPv4 []: Operation not permitted (code=1)
Sat Jun 9 22:41:41 2007 192.168.1.35:32781 write UDPv4 []: Operation not permitted (code=1)
Sat Jun 9 22:41:42 2007 192.168.1.35:32781 write UDPv4 []: Operation not permitted (code=1)
Sat Jun 9 22:41:43 2007 192.168.1.35:32781 write UDPv4 []: Operation not permitted (code=1)
Sat Jun 9 22:41:44 2007 192.168.1.35:32781 write UDPv4 []: Operation not permitted (code=1)
Sat Jun 9 22:41:45 2007 192.168.1.35:32781 write UDPv4 []: Operation not permitted (code=1)
The client hangs at:
root@amarok:/etc/openvpn# Sat Jun 9 22:52:41 2007 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Mar 2 2007
Sat Jun 9 22:52:41 2007 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sat Jun 9 22:52:41 2007 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jun 9 22:52:41 2007 WARNING: file './Amarok-Wohnen.key' is group or others accessible
Sat Jun 9 22:52:41 2007 LZO compression initialized
Sat Jun 9 22:52:41 2007 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Jun 9 22:52:41 2007 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Jun 9 22:52:41 2007 Local Options hash (VER=V4): '41690919'
Sat Jun 9 22:52:41 2007 Expected Remote Options hash (VER=V4): '530fdded'
Sat Jun 9 22:52:41 2007 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sat Jun 9 22:52:41 2007 UDPv4 link local: [undef]
Sat Jun 9 22:52:41 2007 UDPv4 link remote: 192.168.1.33:1194
What is missing from my rules?
In the server config I connect to my network adapter like this:
push "route 192.168.1.33 255.255.255.0"
Anyone have an idea?
Regards.
craano.
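The server log explains the failure: "write UDPv4 []: Operation not permitted (code=1)" is EPERM returned by the kernel when the netfilter OUTPUT chain drops a packet the process tries to send. With `-P OUTPUT DROP`, the only outbound UDP rule in the post accepts packets going *to* port 1194, but the server's replies leave *from* port 1194 towards the client's ephemeral port (32781 in the log), so they match nothing and are dropped. The ssh pair has the same ports inverted: INPUT `--sport 22` plus OUTPUT `--dport 22` lets the server open ssh sessions to other hosts, not other hosts reach the server's sshd. The script below is an added example, not the poster's rules or anything from the OpenVPN project: it keeps the default-deny policy, adds connection-tracking rules so the reply half of every accepted flow is admitted automatically, and matches the OpenVPN reply direction explicitly. Interface names eth0/tun0 and the VPN subnet 10.8.0.0/24 are assumptions (the post names no tunnel subnet); the script prints the commands by default and only executes them with DRY_RUN=0 as root.

```shell
#!/bin/sh
# Added example (not from the original post): iptables ruleset for an
# OpenVPN server that exposes only ssh and UDP/1194 on the WAN interface
# and lets connection tracking admit the reply half of each flow.
# Assumed placeholders: WAN interface eth0, tunnel tun0, VPN net 10.8.0.0/24.
WAN_IF="${WAN_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (needs root)

# Print or run one iptables invocation, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # Start clean, then default-deny on every chain (as in the post).
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # Loopback is used by local services and OpenVPN's management interface.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Stateful rules: once a flow has been accepted, its replies are accepted
    # too. The post's ruleset lacked this, so the server's answers from source
    # port 1194 to the client's ephemeral port matched nothing in OUTPUT and
    # were dropped, which the process sees as EPERM on the UDP write.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound administration: remote hosts reach sshd on DESTINATION port 22.
    # (Matching source port 22 in INPUT, as the post did, only admits replies
    # to ssh sessions the server itself opened.)
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # OpenVPN: new handshakes arrive on the VPN port; replies leave with the
    # VPN port as SOURCE port. The OUTPUT rule is redundant with the
    # ESTABLISHED rule above but documents the reply direction explicitly.
    ipt -A INPUT -i "$WAN_IF" -p udp --dport "$VPN_PORT" -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -p udp --sport "$VPN_PORT" -j ACCEPT

    # Traffic inside the tunnel, forwarding from the tunnel to the WAN only
    # for the VPN subnet, and source NAT so replies return through the server.
    ipt -A INPUT -i "$TUN_IF" -j ACCEPT
    ipt -A OUTPUT -o "$TUN_IF" -j ACCEPT
    ipt -A FORWARD -i "$TUN_IF" -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Usage:  sh openvpn-fw.sh            -> prints the rules (review first)
#         DRY_RUN=0 sh openvpn-fw.sh  -> applies them (run as root)
apply_rules
```

Review the printed rules before applying them from an ssh session: because the policy is DROP, a mistake in the ssh rule locks you out, so apply from the console or keep the session's ESTABLISHED rule in place first. The same two fixes apply to the post's own rules if you prefer a minimal change: swap `--dport` for `--sport` in the OUTPUT rule for UDP 1194, and use `--dport 22` in INPUT and `--sport 22` in OUTPUT for inbound ssh.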