
Using a GRE tunnel as transport for OpenVPN

The task was to separate the OpenVPN entry point from the exit point: clients connect to the entry node, which terminates OpenVPN and forwards their traffic through a GRE tunnel to the exit node, where it is NATed out to the Internet. GRE itself neither encrypts nor authenticates, so once OpenVPN has decrypted the client traffic it crosses the link between the two nodes in the clear.

                 Entry node          Exit node
OS               Linux CentOS 6.x    FreeBSD 9.x
Service          openvpn server      none
External IP      88.32.99.91         162.210.201.13
Internal IP      10.254.10.1         10.254.20.1
OpenVPN network  10.254.0.0/16

Script to initialise the GRE tunnel on the Entry node

/opt/scripts/tunnel.sh
#!/usr/bin/env bash
#
#  - create GRE tunnel between two servers
#  - pass all traffic from specified network to GRE tunnel
#
# GRE adds no encryption or authentication: OpenVPN traffic is decrypted on
# this node and crosses the tunnel to the exit node in the clear.

####### LINUX #######

PATH="/bin:/usr/sbin:/usr/bin:/sbin:/usr/local/bin:/usr/local/sbin"
TUNNEL_IF=gre10
VPN_NETWORK=10.254.0.0/16

# entry node (this host; external addresses as in the node table above)
LOCAL_ADDR_EXT=88.32.99.91
LOCAL_ADDR_INT=10.254.10.1

# exit node
REMOTE_ADDR_EXT=162.210.201.13
REMOTE_ADDR_INT=10.254.20.1

#####################

# client packets arrive on tun and leave on gre: forwarding must be on
sysctl -w net.ipv4.ip_forward=1

# create gre interface
ip tunnel add "$TUNNEL_IF" mode gre local "$LOCAL_ADDR_EXT" remote "$REMOTE_ADDR_EXT" ttl 255

# start interface
ip link set "$TUNNEL_IF" up

# setup internal point-to-point address on interface (peer is the exit node)
ip addr add "$LOCAL_ADDR_INT" peer "$REMOTE_ADDR_INT/32" dev "$TUNNEL_IF"

# add route to the exit node's internal network through the tunnel
ip route add "${REMOTE_ADDR_INT%.*}.0/24" dev "$TUNNEL_IF"

# create rule for vpn network: everything sourced from VPN clients uses table 10
ip rule add from "$VPN_NETWORK" table 10

# add default route for vpn table: VPN traffic leaves through the tunnel
ip route add default via "$REMOTE_ADDR_INT" dev "$TUNNEL_IF" table 10

Script to initialise the GRE tunnel on the Exit node

/opt/scripts/tunnel.sh
#!/usr/bin/env bash
#
#  - create GRE tunnel between two servers
#  - route the VPN network back to the entry node through the tunnel
#

####### FREEBSD #######

PATH="/bin:/usr/sbin:/usr/bin:/sbin:/usr/local/bin:/usr/local/sbin"
TUNNEL_IF=gre10
VPN_NETWORK=10.254.0.0/16

# exit node (this host; external addresses as in the node table above)
LOCAL_ADDR_EXT=162.210.201.13
LOCAL_ADDR_INT=10.254.20.1

# entry node
REMOTE_ADDR_EXT=88.32.99.91
REMOTE_ADDR_INT=10.254.10.1

#######################

# packets arriving over the tunnel are forwarded to the Internet (NAT is done in pf)
sysctl net.inet.ip.forwarding=1

# create interface
ifconfig "$TUNNEL_IF" create

# setup internal point-to-point addresses on interface
ifconfig "$TUNNEL_IF" "$LOCAL_ADDR_INT" "$REMOTE_ADDR_INT" link1

# set the tunnel endpoints (external addresses) and bring the interface up
ifconfig "$TUNNEL_IF" tunnel "$LOCAL_ADDR_EXT" "$REMOTE_ADDR_EXT" up

# add route to the entry node's internal network
route add -net "${REMOTE_ADDR_INT%.*}.0" -netmask 255.255.255.0 "$LOCAL_ADDR_INT"

# return path: VPN client addresses live behind the entry node, so replies
# (after un-NAT in pf) must go back through the tunnel rather than the default route
route add -net "$VPN_NETWORK" "$REMOTE_ADDR_INT"
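The two tunnel scripts describe the same pair of endpoints from opposite sides, which makes it easy to swap the external addresses and end up with each node trying to build a tunnel to itself. The following Python checker is an added example (not part of the original page) that parses the NAME=value section of both scripts and verifies them against the node table: what is LOCAL on one side must be REMOTE on the other, internal addresses must fall inside the VPN network and external ones must not. The script excerpts embedded below are constructed from the addresses in the table; the swapped variant is constructed to show what a finding looks like.

```python
import ipaddress
import re

# Node table from the page: the entry node runs the OpenVPN server, the exit
# node does NAT. Both tunnel scripts are checked against this one table.
NODES = {
    "entry": {"ext": "88.32.99.91", "int": "10.254.10.1"},
    "exit": {"ext": "162.210.201.13", "int": "10.254.20.1"},
}
VPN_NETWORK = ipaddress.ip_network("10.254.0.0/16")

# Constructed sample inputs: the variable section of each node's tunnel.sh.
ENTRY_SCRIPT = """\
TUNNEL_IF=gre10
VPN_NETWORK=10.254.0.0/16
# entry node
LOCAL_ADDR_EXT=88.32.99.91
LOCAL_ADDR_INT=10.254.10.1
# exit node
REMOTE_ADDR_EXT=162.210.201.13
REMOTE_ADDR_INT=10.254.20.1
ip tunnel add "$TUNNEL_IF" mode gre local "$LOCAL_ADDR_EXT" remote "$REMOTE_ADDR_EXT" ttl 255
"""

EXIT_SCRIPT = """\
TUNNEL_IF=gre10
# exit node
LOCAL_ADDR_EXT=162.210.201.13
LOCAL_ADDR_INT=10.254.20.1
# entry node
REMOTE_ADDR_EXT=88.32.99.91
REMOTE_ADDR_INT=10.254.10.1
"""

# Constructed sample with the external addresses swapped on the entry node.
SWAPPED_ENTRY_SCRIPT = """\
TUNNEL_IF=gre10
LOCAL_ADDR_EXT=162.210.201.13
LOCAL_ADDR_INT=10.254.10.1
REMOTE_ADDR_EXT=88.32.99.91
REMOTE_ADDR_INT=10.254.20.1
"""

# Plain shell assignments only: NAME=value, optionally quoted, at line start.
ASSIGN_RE = re.compile(r'^([A-Z_][A-Z0-9_]*)=["\']?([^"\'\s]+)["\']?', re.MULTILINE)


def parse_assignments(script: str) -> dict:
    """Collect NAME=value assignments; commands and comments are ignored."""
    return dict(ASSIGN_RE.findall(script))


def expected_vars(role: str) -> dict:
    """The four address variables a node with this role should define."""
    peer = "exit" if role == "entry" else "entry"
    return {
        "LOCAL_ADDR_EXT": NODES[role]["ext"],
        "LOCAL_ADDR_INT": NODES[role]["int"],
        "REMOTE_ADDR_EXT": NODES[peer]["ext"],
        "REMOTE_ADDR_INT": NODES[peer]["int"],
    }


def check_tunnel_script(script: str, role: str) -> list:
    """Compare one node's script with the node table; an empty list means consistent."""
    got = parse_assignments(script)
    findings = []
    for name, want in expected_vars(role).items():
        value = got.get(name)
        if value is None:
            findings.append(f"{role}: {name} is not set")
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            findings.append(f"{role}: {name}={value!r} is not an IP address")
            continue
        if value != want:
            findings.append(f"{role}: {name}={value}, node table says {want}")
        # Internal addresses are routed through the tunnel and belong inside the
        # VPN network; external ones are the public endpoints and must not.
        inside = addr in VPN_NETWORK
        if name.endswith("_INT") and not inside:
            findings.append(f"{role}: {name}={value} is outside {VPN_NETWORK}")
        if name.endswith("_EXT") and inside:
            findings.append(f"{role}: {name}={value} is inside {VPN_NETWORK}")
    return findings


def check_pair(entry_script: str, exit_script: str) -> list:
    """Cross-check the two scripts: LOCAL on one side must equal REMOTE on the other."""
    entry, exit_ = parse_assignments(entry_script), parse_assignments(exit_script)
    findings = []
    for suffix in ("_EXT", "_INT"):
        for a, b in (("LOCAL", "REMOTE"), ("REMOTE", "LOCAL")):
            x, y = entry.get(f"{a}_ADDR{suffix}"), exit_.get(f"{b}_ADDR{suffix}")
            if x != y:
                findings.append(f"entry {a}_ADDR{suffix}={x} but exit {b}_ADDR{suffix}={y}")
    return findings


if __name__ == "__main__":
    for role, script in (("entry", ENTRY_SCRIPT), ("exit", EXIT_SCRIPT)):
        print(role, check_tunnel_script(script, role) or "OK")
    print("swapped entry script:", check_tunnel_script(SWAPPED_ENTRY_SCRIPT, "entry"))
    print("pair:", check_pair(SWAPPED_ENTRY_SCRIPT, EXIT_SCRIPT))
```

Running the checker against the swapped script reports both external variables as disagreeing with the table, and the pair check reports the same disagreement without needing the table at all, which is useful when only the two scripts are at hand.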

NAT in Packet Filter (pf)

/etc/pf.conf
# masquerade VPN client traffic behind the exit node's external address;
# without an "on <external interface>" clause the rule applies to every interface
nat from 10.254.0.0/16 to any -> 162.210.201.13

OpenVPN server configuration

/etc/openvpn/openvpn_tcp.conf
# listens on the entry node's external address; the client pool lies inside
# 10.254.0.0/16, so the entry node's policy rule sends client traffic into the GRE tunnel
local                 88.32.99.91
port                  1194
proto                 tcp
dev                   tun
# 1024-bit DH parameters are below current minimums (2048 bits or more)
dh                    /etc/openvpn/ssl/dh1024.pem
ca                    /etc/openvpn/ssl/ca.crt
cert                  /etc/openvpn/ssl/server.crt
key                   /etc/openvpn/ssl/server.key
server                10.254.0.0 255.255.255.0
push                  "dhcp-option DNS 8.8.8.8"
push                  "redirect-gateway def1"
keepalive             10 120
# verb 0 logs only fatal errors; verb 3 is the usual operational level
verb                  0
# duplicate-cn lets several clients share one certificate, so sessions can no
# longer be attributed to an individual client
duplicate-cn
# compression inside the tunnel is what the VORACLE attack exploits; disable unless required
comp-lzo
persist-key
persist-tun
# no user/group directives: the daemon keeps root privileges after startup

/etc/openvpn/openvpn_udp.conf
local                 88.32.99.91
port                  1194
proto                 udp
dev                   tun
dh                    /etc/openvpn/ssl/dh1024.pem
ca                    /etc/openvpn/ssl/ca.crt
cert                  /etc/openvpn/ssl/server.crt
key                   /etc/openvpn/ssl/server.key
# second client pool, also inside 10.254.0.0/16
server                10.254.1.0 255.255.255.0
push                  "dhcp-option DNS 8.8.8.8"
push                  "redirect-gateway def1"
keepalive             10 120
verb                  0
# fragmentation and MSS clamping are disabled; the GRE hop adds 24 bytes of
# overhead on top of OpenVPN's, so oversized packets rely on working path-MTU discovery
tun-mtu               1500
fragment              0
mssfix                0
duplicate-cn
comp-lzo
persist-key
persist-tun

OpenVPN client configuration

openvpn_client.conf
client
remote                88.32.99.91
rport                 1194
proto                 tcp
dev                   tun
# dh is a tls-server option and is not used on the client side
dh                    dh1024.pem
ca                    ca.crt
cert                  client.crt
key                   client.key
verb                  5
comp-lzo
# also pushed by the server; repeating it here is harmless
redirect-gateway
comp-noadapt
persist-key
persist-tun