Задача состояла в разделении точки входа и точки выхода для openvpn.
| | Entry node | Exit node |
|---|---|---|
| OS | Linux CentOS 6.x | FreeBSD 9.x |
| Service | openvpn server | none |
| External IP | 88.32.99.91 | 162.210.201.13 |
| Internal IP | 10.254.10.1 | 10.254.20.1 |
| OpenVPN network | 10.254.0.0/16 | |
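#!/usr/bin/env bash
#
# Linux (entry node) side of the GRE link between the two servers:
#   - create a GRE tunnel to the exit node
#   - policy-route every packet sourced from the OpenVPN network into it
#
# Run as root; needs iproute2 ("ip"). The net-tools "route add" of the
# original is expressed with "ip route" so the script depends on one tool.
# Not idempotent: a second run fails at "ip tunnel add" (and aborts under
# "set -e") — delete gre10 first. IP forwarding (net.ipv4.ip_forward) is
# assumed to be enabled elsewhere; this script does not set it.
#
# Security note: GRE offers neither confidentiality nor authentication.
# Traffic that the OpenVPN server decrypts on this host travels to the exit
# node in the clear, and the kernel accepts any GRE packet whose source
# address is the peer's. Filter IP protocol 47 to the peer's address at the
# firewall (or carry the GRE tunnel inside IPsec) if that risk is not
# acceptable for the deployment.
#
####### LINUX #######
set -euo pipefail
PATH="/bin:/usr/sbin:/usr/bin:/sbin:/usr/local/bin:/usr/local/sbin"

readonly TUNNEL_IF=gre10
# covers both OpenVPN "server" subnets and the tunnel's internal /24s
readonly VPN_NETWORK=10.254.0.0/16
# policy-routing table that holds only the default route into the tunnel
readonly VPN_TABLE=10

# this host (entry node): public tunnel endpoint and internal tunnel address.
# NOTE(review): the node table and the OpenVPN "local" directive on this page
# give 88.32.99.91 for the Linux entry node, not 162.210.201.13. LOCAL_ADDR_EXT
# must be an address configured on this host — confirm before running.
readonly LOCAL_ADDR_EXT=162.210.201.13
readonly LOCAL_ADDR_INT=10.254.10.1
# peer (exit node)
readonly REMOTE_ADDR_EXT=88.32.99.91
readonly REMOTE_ADDR_INT=10.254.20.1
#####################

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Create the tunnel and the policy route.
# Globals: all readonly settings above (read)
# Returns: 0 on success; aborts via set -e / die otherwise
#######################################
main() {
  (( EUID == 0 )) || die "must run as root"
  command -v ip >/dev/null || die "iproute2 'ip' not found in PATH"

  # create the GRE interface; "remote" makes the kernel drop GRE packets
  # from other source addresses, which is filtering, not authentication
  ip tunnel add "$TUNNEL_IF" mode gre \
    local "$LOCAL_ADDR_EXT" remote "$REMOTE_ADDR_EXT" ttl 255
  ip link set "$TUNNEL_IF" up

  # internal address; no prefix length is given, so iproute2 installs it
  # as a /32 and the peer is reached through the routes below
  ip addr add "$LOCAL_ADDR_INT" dev "$TUNNEL_IF"

  # route the exit node's internal /24 over the tunnel (same network,
  # netmask and gateway as the original "route add -net ... gw ...")
  ip route add "${REMOTE_ADDR_INT%.*}.0/24" via "$LOCAL_ADDR_INT"

  # every packet sourced from the VPN network is looked up in VPN_TABLE,
  # whose only entry is a default route into the tunnel — this is what sends
  # client traffic out via the exit node instead of this host's default
  # gateway. "ip rule add" without a priority places the rule ahead of the
  # main table; local delivery still works through the "local" table.
  ip rule add from "$VPN_NETWORK" table "$VPN_TABLE"
  ip route add default via "$LOCAL_ADDR_INT" table "$VPN_TABLE"
}

main "$@"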
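#!/usr/bin/env bash
#
# FreeBSD (exit node) side of the GRE link between the two servers:
#   - create a GRE tunnel to the entry node
#   - route the entry node's internal /24 through it
#
# Run as root. This is a bash script (bash from ports, found via PATH), using
# the base-system ifconfig(8) and route(8); the gre(4) driver must be
# available. Not idempotent: a second run fails at "ifconfig gre10 create"
# (and aborts under "set -e") — destroy gre10 first. IP forwarding
# (net.inet.ip.forwarding) and the pf nat rule for the VPN network are
# configured separately; this script sets neither.
#
# NOTE(review): only the entry node's /24 is routed back into the tunnel.
# Replies to VPN clients (10.254.0.0/16 per the node table) de-NATed by pf
# need a route into gre10 as well; unless one exists elsewhere they follow
# the default gateway — confirm on the host.
#
# Security note: GRE carries the VPN clients' traffic unencrypted and
# unauthenticated across the Internet; restrict IP protocol 47 to the peer's
# address in pf, or carry the tunnel inside IPsec, if that is not acceptable.
#
####### FREEBSD #######
set -euo pipefail
PATH="/bin:/usr/sbin:/usr/bin:/sbin:/usr/local/bin:/usr/local/sbin"

readonly TUNNEL_IF=gre10

# this host (exit node): public tunnel endpoint and internal tunnel address.
# NOTE(review): the node table and the pf nat rule on this page give
# 162.210.201.13 for the FreeBSD exit node, not 88.32.99.91. LOCAL_ADDR_EXT
# must be an address configured on this host — confirm before running.
readonly LOCAL_ADDR_EXT=88.32.99.91
readonly LOCAL_ADDR_INT=10.254.20.1
# peer (entry node)
readonly REMOTE_ADDR_EXT=162.210.201.13
readonly REMOTE_ADDR_INT=10.254.10.1
#######################

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Create the tunnel interface and the route to the entry node.
# Globals: all readonly settings above (read)
# Returns: 0 on success; aborts via set -e / die otherwise
#######################################
main() {
  (( EUID == 0 )) || die "must run as root"

  ifconfig "$TUNNEL_IF" create

  # point-to-point internal addresses (local, then peer). "link1" is a
  # gre(4) interface flag whose meaning is release-specific — presumably
  # required for this setup on FreeBSD 9; check gre(4) before changing it.
  ifconfig "$TUNNEL_IF" "$LOCAL_ADDR_INT" "$REMOTE_ADDR_INT" link1

  # outer (public) endpoints; this is what brings the tunnel up
  ifconfig "$TUNNEL_IF" tunnel "$LOCAL_ADDR_EXT" "$REMOTE_ADDR_EXT"

  # route the entry node's internal /24 over the tunnel. The network is
  # spelled out with its final ".0" as on the Linux side instead of relying
  # on route(8) expanding the three-octet form; the result is the same.
  route add -net "${REMOTE_ADDR_INT%.*}.0" -netmask 255.255.255.0 "$LOCAL_ADDR_INT"
}

main "$@"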
# pf.conf on the exit node: masquerade everything arriving from the VPN
# network behind the host's public address. In the pf.conf grammar that
# FreeBSD 9 uses, translation rules must come before the filter rules; IP
# forwarding (net.inet.ip.forwarding) has to be enabled separately.
# NOTE(review): there is no "on <interface>" clause, so the rule applies on
# every interface — presumably also to packets the host itself sends out of
# gre10 from its tunnel address 10.254.20.1, which would then be rewritten.
# Scoping it with "on <external interface>" (name not given on this page)
# avoids that; confirm against the host's pf.conf.
nat from 10.254.0.0/16 to any -> 162.210.201.13
# OpenVPN server instance on the entry node: TCP/1194 on the public address.
# Clients are assigned addresses from 10.254.0.0/24 and told to send all
# traffic into the tunnel; the host's policy route then carries it over the
# GRE link to the exit node.
local 88.32.99.91
port 1194
proto tcp
dev tun
# NOTE(review): 1024-bit DH parameters are below current recommendations;
# regenerate them at 2048 bits or more (path kept as in the original).
dh /etc/openvpn/ssl/dh1024.pem
ca /etc/openvpn/ssl/ca.crt
cert /etc/openvpn/ssl/server.crt
key /etc/openvpn/ssl/server.key
# NOTE(review): no "tls-auth"/"tls-crypt" key and no explicit "cipher"/"auth"
# here, so the TLS control channel is open to anyone who can reach the port
# and the data-channel algorithms are whatever the installed version
# defaults to — pin them explicitly on server and clients.
server 10.254.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
# send all client traffic into the tunnel; "def1" installs two /1 routes
# instead of replacing the client's default route
push "redirect-gateway def1"
# ping every 10 s, restart the link after 120 s without a reply (pushed to
# clients as well)
keepalive 10 120
# NOTE(review): verb 0 logs almost nothing, which makes incident
# investigation on this host hard; verb 3 is the usual production level.
verb 0
# lets several clients connect with the same certificate; revoking one of
# them then means revoking all of them
duplicate-cn
# NOTE(review): compressing traffic that is then encrypted has known
# weaknesses (VORACLE); consider removing comp-lzo on both sides.
comp-lzo
# keep key material and the tun device across SIGUSR1 restarts; persist-key
# only matters once "user"/"group" privilege dropping is configured, which
# this file does not do
persist-key
persist-tun
# Second OpenVPN server instance on the entry node: UDP/1194 on the public
# address, with its own client subnet 10.254.1.0/24 (inside the 10.254.0.0/16
# that the host policy-routes over the GRE link).
local 88.32.99.91
port 1194
proto udp
dev tun
# NOTE(review): 1024-bit DH parameters are below current recommendations;
# regenerate them at 2048 bits or more (path kept as in the original).
dh /etc/openvpn/ssl/dh1024.pem
ca /etc/openvpn/ssl/ca.crt
cert /etc/openvpn/ssl/server.crt
key /etc/openvpn/ssl/server.key
# NOTE(review): no "tls-auth"/"tls-crypt" key and no explicit "cipher"/"auth";
# over UDP, tls-auth/tls-crypt also lets the server drop unauthenticated
# packets before any TLS work is done — pin these on server and clients.
server 10.254.1.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
# send all client traffic into the tunnel; "def1" installs two /1 routes
# instead of replacing the client's default route
push "redirect-gateway def1"
# ping every 10 s, restart the link after 120 s without a reply
keepalive 10 120
# NOTE(review): verb 0 logs almost nothing; verb 3 is the usual production
# level and is needed to see failed handshakes.
verb 0
# tun MTU left at the 1500 default; "fragment 0" and "mssfix 0" turn
# OpenVPN's internal fragmentation and TCP MSS clamping off. With the extra
# UDP and GRE encapsulation on the path to the exit node, full-size packets
# then depend on path MTU handling end to end — assumes this was verified;
# TODO confirm.
tun-mtu 1500
fragment 0
mssfix 0
# lets several clients connect with the same certificate; revoking one of
# them then means revoking all of them
duplicate-cn
# NOTE(review): compressing traffic that is then encrypted has known
# weaknesses (VORACLE); consider removing comp-lzo on both sides.
comp-lzo
# keep key material and the tun device across SIGUSR1 restarts; persist-key
# only matters once "user"/"group" privilege dropping is configured, which
# this file does not do
persist-key
persist-tun
# OpenVPN client profile for the TCP server instance on the entry node.
# Certificate and key paths are relative, so they resolve against the
# working directory OpenVPN is started from (or a "cd" directive, absent here).
client
remote 88.32.99.91
rport 1194
proto tcp
dev tun
# "dh" is a server-side (tls-server) option; on a client it is presumably
# ignored — check the log, and drop it from this profile
dh dh1024.pem
ca ca.crt
cert client.crt
key client.key
# NOTE(review): nothing here checks that the peer presents a *server*
# certificate; with the server's "duplicate-cn" in effect, any certificate
# issued by this CA could be used to impersonate the server. Add
# "remote-cert-tls server" (and the tls-auth/tls-crypt key once the server
# has one).
# NOTE(review): verb 5 is a debugging level; use verb 3 once the setup works.
verb 5
# NOTE(review): see the server-side note on comp-lzo (VORACLE).
comp-lzo
# route all traffic through the VPN; the server also pushes
# "redirect-gateway def1", so this local directive is redundant with it
redirect-gateway
# keep compression state fixed rather than letting OpenVPN's adaptive
# compression switch it on and off
comp-noadapt
# keep key material and the tun device across SIGUSR1 restarts
persist-key
persist-tun