Soy un novato en redes y me vendría bien un poco de ayuda.
Estoy intentando configurar una conexión TAP usando OpenVPN para acceder a dispositivos que están en una VLAN en mi servidor remoto. En este momento, puedo conectarme y hacer ping a la interfaz (172.20.0.101), pero no puedo hacer ping a nada en la VLAN (como 172.20.0.2). No me importa que la VLAN pase por mi conexión VPN, solo quiero poder ver esos dispositivos.
La IP "pública" del servidor es 10.249.2.93 (en realidad, es una LAN a la que me conecto a través de otra VPN).
La subred con la que quiero poder hablar es 172.20.0.0/24, que está en vlan.3072, según ifconifg. La interfaz física asociada es enp3s0.
Tenía esto funcionando en un servidor diferente que no usa una VLAN, es decir, pude conectarme exitosamente a dispositivos en una LAN normal detrás de ese servidor, así que creo que la VLAN es el problema.
¿Alguien puede indicarme la dirección correcta? Cualquier ayuda es muy apreciada, ya que me estoy volviendo loco =P
El servidor ejecuta Ubuntu 18.04 LTS, OpenVPN 2.4.4
El cliente ejecuta Windows, OpenVPN GUI 11.14.0.0
servidor.conf:
port 1194
proto udp
dev tap0
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
ifconfig-pool-persist /var/log/openvpn/ipp.txt
server-bridge 172.20.0.101 255.255.255.0 172.20.0.200 172.20.0.240
keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-256-CBC
auth SHA256
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 4
explicit-exit-notify 1
tls-auth ta.key 0
key-direction 0
cipher AES-256-CBC
auth SHA256
dh dh.pem
user nobody
group nogroup
cert server.crt
key server.key
clinet.ovpn:
client
dev tap
proto udp
remote 10.249.2.93 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
key-direction 1
script-security 2
verb 4
# cert and keys omitted
reglas de la ufw:
sudo nano /etc/ufw/before.rules
#change:
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.20.0.0/24 -o br0 -j MASQUERADE
COMMIT
reenvío:
sudo nano /etc/sysctl.conf
#change:
net.ipv4.ip_forward=1
sudo sysctl -p
actualizaciones de reglas:
sudo ufw allow 1194/udp
sudo ufw allow OpenSSH
sudo ufw disable
sudo ufw enable
sudo iptables -A INPUT -i tap0 -j ACCEPT
sudo iptables -A INPUT -i br0 -j ACCEPT
sudo iptables -A FORWARD -i br0 -j ACCEPT
script de inicio de puente:
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="enp3s0"
eth_ip="fe80::a5a:11ff:fe33:e6e3"
eth_netmask="255.255.255.0"
eth_broadcast="172.20.0.255"
for t in $tap; do
openvpn --mktun --dev $t
done
brctl addbr $br
brctl addif $br $eth
for t in $tap; do
brctl addif $br $t
done
for t in $tap; do
ifconfig $t 0.0.0.0 promisc up
done
ifconfig $eth 0.0.0.0 promisc up
ifconfig $br inet6 add fe80::a5a:11ff:fe33:e6e3/64 up
ifconfig br0:0 172.20.0.101 netmask 255.255.255.0 broadcast 172.20.0.255 up
ifconfig (no muestra br0 o tap0 porque no puedo iniciarlos en este momento, y también hay un montón de otros veth* que omití):
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
inet6 fe80::42:60ff:fe8c:45de prefixlen 64 scopeid 0x20<link>
ether 02:42:60:8c:45:de txqueuelen 0 (Ethernet)
RX packets 74394 bytes 900967774 (900.9 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 63778 bytes 901066960 (901.0 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.249.2.93 netmask 255.255.240.0 broadcast 10.249.15.255
inet6 fe80::c600:adff:fe94:e303 prefixlen 64 scopeid 0x20<link>
ether c4:00:ad:94:e3:03 txqueuelen 1000 (Ethernet)
RX packets 960832 bytes 1168467699 (1.1 GB)
RX errors 0 dropped 166 overruns 0 frame 0
TX packets 535763 bytes 73093159 (73.0 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 16 memory 0xb2500000-b2520000
enp1s0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 08:5a:11:33:e8:00 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp3s0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
inet6 fe80::a5a:11ff:fe33:e6e3 prefixlen 64 scopeid 0x20<link>
ether 08:5a:11:33:e6:e3 txqueuelen 1000 (Ethernet)
RX packets 9900475 bytes 7053325760 (7.0 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10464489 bytes 8238594873 (8.2 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
kube-bridge: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1480
inet 10.244.0.1 netmask 255.255.255.0 broadcast 10.244.0.255
inet6 fe80::841:c2ff:fed1:3642 prefixlen 64 scopeid 0x20<link>
ether 0a:41:c2:d1:36:42 txqueuelen 1000 (Ethernet)
RX packets 2110720 bytes 234803960 (234.8 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2264621 bytes 419964189 (419.9 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 8383864 bytes 4038115926 (4.0 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8383864 bytes 4038115926 (4.0 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth83317517: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1480
inet6 fe80::d4c3:65ff:fe76:7592 prefixlen 64 scopeid 0x20<link>
ether d6:c3:65:76:75:92 txqueuelen 0 (Ethernet)
RX packets 28251 bytes 7794531 (7.7 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 29314 bytes 3608931 (3.6 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vlan.2560: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.19.0.1 netmask 255.255.128.0 broadcast 172.19.127.255
inet6 fe80::a5a:11ff:fe33:e6e3 prefixlen 64 scopeid 0x20<link>
ether 08:5a:11:33:e6:e3 txqueuelen 1000 (Ethernet)
RX packets 70170 bytes 25019840 (25.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 179 bytes 17252 (17.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vlan.2816: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.19.130.100 netmask 255.255.255.0 broadcast 172.19.130.255
inet6 fe80::a5a:11ff:fe33:e6e3 prefixlen 64 scopeid 0x20<link>
ether 08:5a:11:33:e6:e3 txqueuelen 1000 (Ethernet)
RX packets 1243206 bytes 65936318 (65.9 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1194999 bytes 99652577 (99.6 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vlan.3072: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
inet 172.20.0.100 netmask 255.255.255.0 broadcast 172.20.0.255
inet6 fe80::a5a:11ff:fe33:e6e3 prefixlen 64 scopeid 0x20<link>
ether 08:5a:11:33:e6:e3 txqueuelen 1000 (Ethernet)
RX packets 8544935 bytes 6820405811 (6.8 GB)
RX errors 0 dropped 511 overruns 0 frame 0
TX packets 9265376 bytes 8138226312 (8.1 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
excepto de ip a:
7: vlan.3072@enp3s0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 08:5a:11:33:e6:e3 brd ff:ff:ff:ff:ff:ff
inet 172.20.0.100/24 brd 172.20.0.255 scope global vlan.3072
valid_lft forever preferred_lft forever
inet6 fe80::a5a:11ff:fe33:e6e3/64 scope link
valid_lft forever preferred_lft forever
Respuesta1
La configuración de su puente bridge-startcrea un puente entre tapy enp3s0, por lo que cualquier trama proveniente del cliente termina enp3s0sin etiquetas vlan. Por eso funcionaba sin VLAN y por eso no funciona con ellas. Debe establecer un puente entre tapy vlan.3072en el lado del servidor para que su configuración funcione, así que simplemente cambie enp3s0a vlan.3072en su bridge-startsecuencia de comandos.