iroute 192.168.5.0 255.255.255.0
ifconfig-push 10.1.1.14 10.1.1.13
On 19 March 2012 14:55, Marcelo Gondim <gon...@bsdinfo.com.br> wrote:
> On 19/03/2012 14:34, Christiano Liberato wrote:
>> Well folks, I am using OpenBSD.
>>
>> Here are my configs:
>>
>> *On the server (office 1)* - network 192.168.100.0/24
>>
>> dev tun0
>> local 200.200.200.200
>> port 1198
>> proto udp
>> server 10.1.1.0 255.255.255.0
>> ifconfig-pool-persist ipp.txt
>>
>> ca /usr/local/etc/openvpn/easy-rsa/2.0/keys/ca.crt
>> cert /usr/local/etc/openvpn/easy-rsa/2.0/keys/srv.crt
>> key /usr/local/etc/openvpn/easy-rsa/2.0/keys/srv.key
>> dh /usr/local/etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
>>
>> push "route 192.168.100.0 255.255.255.0"
>>
>> comp-lzo
>> ping-timer-rem
>> persist-tun
>> persist-key
>>
>> group nobody
>> daemon
>>
>> *On the client (office 2)* - network 192.168.200.0/24
>>
>> client
>> dev tun1
>> mssfix 1400
>> proto udp
>> remote 200.200.200.200 1198
>>
>> nobind
>> persist-key
>> persist-tun
>> ca /usr/local/etc/openvpn/keys/ca.crt
>> cert /usr/local/etc/openvpn/keys/filial.crt
>> key /usr/local/etc/openvpn/keys/filial.key
>> comp-lzo
>> verb 3
>> mute 20
>> status /var/log/openvpn/openvpn.log
>> log-append /var/log/openvpn/openvpn.log
>>
>> As I said, the office 2 network does not talk to the office 1 network.
>> From the office 2 firewall I can ping the firewall and the office 1 network
>> (e.g. 192.168.100.10)
>>
>> Thanks!
>>
>> On 19 March 2012 14:24, Christiano Liberato <christianoliber...@gmail.com> wrote:
>
> In my head-office VPN config I have the directive:
>
> client-to-client
> client-config-dir /usr/local/etc/openvpn/ccd
>
> Inside that directory I create the CN files specifying which IPs the
> branches will get, and in them I add the iroute parameter to allow
> the branches to talk to each other.
>
> Head-office config:
>
> port 5002
> proto tcp
> dev tun
> ca /usr/local/etc/openvpn/ca.crt
> cert /usr/local/etc/openvpn/centsoft.crt
> key /usr/local/etc/openvpn/centsoft.key
> dh /usr/local/etc/openvpn/dh1024.pem
> server 172.16.0.0 255.255.255.0
> ifconfig-pool-persist /usr/local/etc/openvpn/ipp.txt
> client-config-dir /usr/local/etc/openvpn/ccd
> tls-auth /usr/local/etc/openvpn/ta.key 0
> keepalive 10 120
> comp-lzo
> persist-key
> persist-tun
> client-to-client
> route 192.168.10.0 255.255.255.0
> route 192.168.0.0 255.255.255.0
>
> In the ccd directory I have these files:
>
> -rw-r--r-- 1 root 71 Jun 13 2011 intcentro
> -rw-r--r-- 1 root 73 Jun 16 2011 intnet
> -rw-r--r-- 1 root 70 Jun 3 2011 intvila
>
> Inside intcentro it looks like this:
>
> ifconfig-push 172.16.0.14 172.16.0.13
> iroute 192.168.0.0 255.255.255.0
>
> Where I say they will get the IP 172.16.0.14, I am also propagating their
> route with the iroute.
>
> That is how it works here for me :)
>
>
>>
>>> Then something may be missing from my config.
>>>
>>> On 19 March 2012 14:21, Alessandro de Souza Rocha <etherlin...@gmail.com> wrote:
>>>
>>>> This was done on a Red Hat Enterprise Linux server that the company
>>>> already had running and did not want me to replace, only if
>>>> something broke.
>>>>
>>>>
>>>> On 19 March 2012 14:15, Paulo Henrique BSD Brasil
>>>> <paulo.rd...@bsd.com.br> wrote:
>>>>> So in my case I am using pfSense; I did not find the openvpn.conf file,
>>>>> but the option is "Remote Networks". When it brings up the tunnel,
>>>>> OpenVPN itself creates a route of the following form.
>>>>>
>>>>> Server side: route add 192.168.100.0/24 $ip_do_tunel_lado_servidor ( 10.1.1.1 )
>>>>> Client side: route add 192.168.254.200.0/24 $ip_do_tunnel_lado_cliente ( 10.1.1.2 )
>>>>>
>>>>> This is done automatically by pfSense/OpenVPN in the SITE-TO-SITE case.
>>>>> Regards.
>>>>>
>>>>> On 19/3/2012 13:51, Alessandro de Souza Rocha wrote:
>>>>>> mode server
>>>>>>
>>>>>> port 1194
>>>>>> proto udp
>>>>>>
>>>>>> dev tun
>>>>>>
>>>>>> #user nobody
>>>>>> #group nobody
>>>>>>
>>>>>> # Use the lzo library
>>>>>> comp-lzo
>>>>>>
>>>>>> ca /etc/openvpn/keys/ca.crt
>>>>>> cert /etc/openvpn/keys/servidor.crt
>>>>>> key /etc/openvpn/keys/servidor.key
>>>>>> dh /etc/openvpn/keys/dh1024.pem
>>>>>> server 10.1.1.0 255.255.255.0
>>>>>>
>>>>>> ifconfig-pool-persist /etc/openvpn/ipp.txt
>>>>>> client-config-dir /etc/openvpn/ccd
>>>>>>
>>>>>> ping 10
>>>>>> ping-restart 120
>>>>>> push "ping 10"
>>>>>> push "ping-restart 60"
>>>>>>
>>>>>> push "route 192.168.0.0 255.255.255.0"
>>>>>> push "route 192.168.1.0 255.255.255.0"
>>>>>> push "route 192.168.4.0 255.255.255.0"
>>>>>> push "route 192.168.5.0 255.255.255.0"
>>>>>>
>>>>>> route 192.168.0.0 255.255.255.0
>>>>>> route 192.168.4.0 255.255.255.0
>>>>>> route 192.168.5.0 255.255.255.0
>>>>>>
>>>>>> mssfix 1400
>>>>>> fragment 1400
>>>>>>
>>>>>> client-to-client
>>>>>>
>>>>>> # OpenVPN uses port 5000/UDP by default.
>>>>>> # Each OpenVPN tunnel must use
>>>>>> # a different port.
>>>>>> # The default is port 5000
>>>>>> # This option prevents OpenVPN from closing and re-opening the tun/tap
>>>>>> # device every time it receives a SIGUSR1 signal
>>>>>> persist-tun
>>>>>>
>>>>>> # This is similar to the previous option, but it prevents OpenVPN from
>>>>>> # re-reading the key files every time
>>>>>> persist-key
>>>>>> #float
>>>>>>
>>>>>> log /var/log/openvpn-server.log
>>>>>> status /var/log/openvpn-server.status 10
>>>>>>
>>>>>> # Sends a ping over UDP to the remote
>>>>>> # side every 15 seconds to keep
>>>>>> # the connection up through a stateful firewall.
>>>>>> # Highly recommended, even if you do not use
>>>>>> # a stateful firewall.
>>>>>> #ping 15
>>>>>> #ping-restart 120
>>>>>> # Log level
>>>>>> verb 3
>>>>>>
>>>>>>
>>>>>> On 19 March 2012 13:42, Christiano Liberato
>>>>>> <christianoliber...@gmail.com> wrote:
>>>>>>> I have that option in the server config, but even so the client
>>>>>>> office cannot get access.
>>>>>>> I think it must be some extra setting in the server's openvpn.conf.
>>>>>>>
>>>>>>> On 19 March 2012 13:32, Alessandro de Souza Rocha <etherlin...@gmail.com> wrote:
>>>>>>>
>>>>>>>> # Assign a route for the whole local network
>>>>>>>> push "route 192.168.0.0 255.255.255.0"
>>>>>>>> push "route 192.168.1.0 255.255.255.0"
>>>>>>>> push "route 192.168.4.0 255.255.255.0"
>>>>>>>> push "route 192.168.5.0 255.255.255.0"
>>>>>>>>
>>>>>>>>
>>>>>>>> On 19 March 2012 12:01, Christiano Liberato
>>>>>>>> <christianoliber...@gmail.com> wrote:
>>>>>>>>> Alessandro,
>>>>>>>>>
>>>>>>>>> the push "route ... option I do have configured in the main server's config.
>>>>>>>>> That is the route the client server adds in order to talk to the main one.
>>>>>>>>> But the option route 192.168.0.0 255.255.255.0 I do not have in my configs.
>>>>>>>>> What does it do?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 19 March 2012 11:14, Alessandro de Souza Rocha <etherlin...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> push "route 192.168.0.0 255.255.255.0"
>>>>>>>>>> push "route 192.168.1.0 255.255.255.0"
>>>>>>>>>> push "route 192.168.4.0 255.255.255.0"
>>>>>>>>>> push "route 192.168.5.0 255.255.255.0"
>>>>>>>>>>
>>>>>>>>>> route 192.168.0.0 255.255.255.0
>>>>>>>>>> route 192.168.4.0 255.255.255.0
>>>>>>>>>> route 192.168.5.0 255.255.255.0
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 19 March 2012 11:09, Paulo Henrique BSD Brasil
>>>>>>>>>> <paulo.rd...@bsd.com.br> wrote:
>>>>>>>>>>> You have to specify the route to the remote network; "remote
>>>>>>>>>>> network" I think is the option.
>>>>>>>>>>> When I get to work I will take a look at my pfSense.
>>>>>>>>>>> To pass broadcast traffic the VPN has to be configured as a bridge!!
>>>>>>>>>>> Regards.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 19/3/2012 09:45, Christiano Liberato wrote:
>>>>>>>>>>>> Good morning folks,
>>>>>>>>>>>>
>>>>>>>>>>>> I am using OpenVPN to link offices together.
>>>>>>>>>>>> So far the tunnel is perfect, but I cannot get the networks
>>>>>>>>>>>> behind these VPNs to talk to each other.
>>>>>>>>>>>> Here is the environment:
>>>>>>>>>>>>
>>>>>>>>>>>> vpn network
>>>>>>>>>>>> 10.1.1.0/24
>>>>>>>>>>>>
>>>>>>>>>>>> office 1
>>>>>>>>>>>> internal network: 192.168.100.0/24
>>>>>>>>>>>> vpn ip: 10.1.1.1 (inet 10.1.1.1 --> 10.1.1.2 netmask 0xffffffff)
>>>>>>>>>>>>
>>>>>>>>>>>> office 2
>>>>>>>>>>>> internal network: 192.168.200.0/24
>>>>>>>>>>>> vpn ip: 10.1.1.10 (inet 10.1.1.10 --> 10.1.1.9 netmask 0xffffffff)
>>>>>>>>>>>>
>>>>>>>>>>>> The office 2 firewall can reach the office 1 network. I have
>>>>>>>>>>>> rules in pf allowing that, but the internal network cannot reach it.
>>>>>>>>>>>> The problem is not the rules, because I opened everything up to test
>>>>>>>>>>>> and still got no access.
>>>>>>>>>>>> With static routes it does not work either.
>>>>>>>>>>>>
>>>>>>>>>>>> Is there any specific rule in pf to allow this access to
>>>>>>>>>>>> office 1?
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks!!
>>>>>>>>>>>> -------------------------
>>>>>>>>>>>> Archive: http://www.fug.com.br/historico/html/freebsd/
>>>>>>>>>>>> Unsubscribe: https://www.fug.com.br/mailman/listinfo/freebsd
>>>>>>>>>>> --
>>>>>>>>>>> "When Death decides to tell a story,
>>>>>>>>>>> the best thing you can do is listen to it,
>>>>>>>>>>> and hope that the story is not your own."
>>>>>>>>>>>
>>>>>>>>>>> Flames> /dev/null ( by Irado !! ).
>>>>>>>>>>> RIP Irado!
>>>>>>>>>>>
>>>>>>>>>>> Paulo Henrique.
>>>>>>>>>>> Systems Analyst / Programmer
>>>>>>>>>>> BSDs Brasil.
>>>>>>>>>>> Genuine Unix/BSD User.
>>>>>>>>>>> Phone: (21) 9683-5433.
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Alessandro de Souza Rocha
>>>>>>>>>> Network and Systems Administrator
>>>>>>>>>> FreeBSD-BR User #117
>>>>>>>>>> Long live FreeBSD
>>>>>>>>>>
>>>>>>>>>> Powered by ....
>>>>>>>>>>
>>>>>>>>>>          (__)
>>>>>>>>>>       \\\'',)
>>>>>>>>>>         \/  \ ^
>>>>>>>>>>         .\._/_)
>>>>>>>>>>
>>>>>>>>>> www.FreeBSD.org
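The rule the thread converges on (a `route` on the server so the kernel sends the packet into the tun device, plus an `iroute` in the client's client-config-dir file so OpenVPN knows which client owns that LAN, plus `client-to-client` and a pushed route if other branches must reach it) is easy to get half right. The checker below is an added example, not code from this thread or from the OpenVPN project. It parses a server config and its ccd files and compares them against the CN-to-LAN mapping the operator intends; `routing_findings`, the `branches` argument and the finding codes are this example's own, and the sample configs are constructed from Christiano's posted server config and the fix the replies recommend.

```python
"""Consistency checker for OpenVPN site-to-site routing (server config + ccd/ files).

Added example, not from the thread or from OpenVPN. A LAN behind a client is
reachable from the server only when the server has both `route NET MASK`
(kernel sends the packet into tun) and `iroute NET MASK` in that client's
client-config-dir file (OpenVPN knows which client owns it). Other branches
reach it only with `client-to-client` plus a pushed route for it.
"""
import shlex

ANY_HOST = "255.255.255.255"  # OpenVPN's default netmask for route/iroute


def parse(text):
    """Return [(directive, [args])] from config text; '#'/';' lines are comments."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)  # keeps push "route ..." as one arg
        if parts:
            out.append((parts[0], parts[1:]))
    return out


def net(args):
    """Normalise ['net', 'mask'] or ['net'] into a (network, netmask) tuple."""
    return (args[0], args[1] if len(args) > 1 else ANY_HOST)


def routing_findings(server_text, ccd_files, branches):
    """Compare the config against the intended topology.

    ccd_files: {CN: file text}; branches: {CN: (network, netmask)} each client
    is expected to own. Returns a sorted list of (code, detail) tuples.
    """
    server = parse(server_text)
    directives = {d for d, _ in server}
    # A `route` with no explicit gateway is sent via the tun device.
    kernel_routes = {net(a) for d, a in server if d == "route" and 1 <= len(a) <= 2}
    pushed = set()
    for d, a in server:
        inner = shlex.split(a[0]) if d == "push" and a else []
        if inner[:1] == ["route"] and len(inner) > 1:
            pushed.add(net(inner[1:]))
    iroutes = {}  # (network, netmask) -> CN whose ccd file claims it
    for cn, text in ccd_files.items():
        for d, a in parse(text):
            if d == "iroute" and a:
                iroutes[net(a)] = cn

    findings = []
    if branches and "client-config-dir" not in directives:
        findings.append(("NO_CCD_DIR", "client-config-dir missing; ccd files are never read"))
    for cn, lan in branches.items():
        lan_s = f"{lan[0]} {lan[1]}"
        if iroutes.get(lan) != cn:
            findings.append(("MISSING_IROUTE", f"ccd/{cn} needs: iroute {lan_s}"))
        if lan not in kernel_routes:
            findings.append(("MISSING_ROUTE", f"server needs: route {lan_s}"))
        if len(branches) > 1 and lan not in pushed:
            findings.append(("NOT_PUSHED", f'other branches need: push "route {lan_s}"'))
    if len(branches) > 1 and "client-to-client" not in directives:
        findings.append(("NO_CLIENT_TO_CLIENT", "client-to-client missing; branches cannot reach each other"))
    for lan in kernel_routes - set(iroutes):
        findings.append(("ROUTE_WITHOUT_IROUTE",
                         f"route {lan[0]} {lan[1]} has no owning client; OpenVPN drops it"))
    return sorted(findings)


# Constructed from the thread: the office 1 server as first posted (no ccd, no route, no iroute).
SERVER_BEFORE = """
dev tun0
port 1198
proto udp
server 10.1.1.0 255.255.255.0
push "route 192.168.100.0 255.255.255.0"
"""
# The same server after adding the three pieces the replies recommend.
SERVER_AFTER = SERVER_BEFORE + """
client-config-dir /usr/local/etc/openvpn/ccd
route 192.168.200.0 255.255.255.0
client-to-client
"""
CCD_AFTER = {"filial": "ifconfig-push 10.1.1.14 10.1.1.13\niroute 192.168.200.0 255.255.255.0\n"}
BRANCHES = {"filial": ("192.168.200.0", "255.255.255.0")}  # office 2 LAN behind CN "filial"

if __name__ == "__main__":
    for code, detail in routing_findings(SERVER_BEFORE, {}, BRANCHES):
        print(f"{code}: {detail}")
    print("after fix:", routing_findings(SERVER_AFTER, CCD_AFTER, BRANCHES) or "no findings")
```

Run against the original office 1 config the checker reports the missing `client-config-dir`, `iroute` and `route`; against the corrected config it reports nothing. Adding a second branch to `BRANCHES` without a matching ccd file and pushed route shows the extra conditions a second site needs.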