Share008 Information Technology Company

I am a senior IT professional who worked for over ten years in management at large multinational companies such as Motorola and Philips. I have experience with many kinds of ERP resource-management systems and other application systems, such as QAD's MFG/PRO, SAP, Ufida (用友), Kingdee (金蝶), Microsoft Dynamics, Wonderware's In-Track (SFC), Webplan (SCM), Hyperion (business intelligence), Informatics (Data Warehouse), and so on. In addition, I specialise in IT operations on the factory floor, hold CISSP and ITIL certifications, and can provide testing and auditing of day-to-day IT operations to improve operational efficiency. I sincerely offer IT auditing, support and advice to factories of all sizes; you are welcome to contact me by e-mail at au8788@gmail.com

An ERP resource-management system is now an indispensable tool for factory management; improving its effectiveness can definitely improve a company's profitability, so please pay attention to it.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Historical price data for Hong Kong stocks available

I think many people would be interested in historical price data for Hong Kong stocks. I have downloaded it into a Microsoft Access database (version 2000) file covering 2008/1/1 to 2009/12/2; even zipped it is 11 MB. If you would like a copy, leave me a PM.

Wishing all visitors great success in the stock market!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 5, 2015

How do I route all traffic from clients connected to the DD-WRT to its OpenVPN tunnel

http://serverfault.com/questions/598330/how-do-i-route-all-traffic-from-clients-connected-to-the-dd-wrt-to-its-openvpn-t


I am setting up a secondary (DD-WRT) router to act as an OpenVPN client so that all clients get VPN access simply by connecting to the router. But it seems the clients' traffic is always routed via the main gateway instead of through the established VPN tunnel.

SETUP

ISP modem+router(gateway) <--LAN cable--> DD-WRT OpenVPN client <--LAN/WIFI--> clients
- This secondary DD-WRT OpenVPN client can connect to the remote OpenVPN server OK.
- I can ping hosts in the server-side subnet by first telnetting into the DD-WRT.
- The OpenVPN server also shows that the DD-WRT client is connected properly.
- wget -O - http://icanhazip.com returns the remote server's public IP.
So the tunnel is up properly.

PROBLEM

Traffic from clients connected to my DD-WRT is routed through my gateway router, not through the VPN tunnel tun0.
I think I need to forward traffic from the br0 interface to the tun0 interface. I have tried the following iptables rules and checked that IPv4 forwarding is enabled.
cat /proc/sys/net/ipv4/ip_forward ==> 1
cat /proc/sys/net/ipv4/conf/tun0/forwarding ==> 1 
cat /proc/sys/net/ipv4/conf/br0/forwarding ==> 1

# These rules are saved by pressing the 'Save firewall' button
# and rebooting the DD-WRT router.
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
And separately:
# These rules are saved by pressing the 'Save firewall' button
# and rebooting the DD-WRT router.
iptables -I FORWARD -s 192.168.2.0/24 -d 192.168.66.0/24 -j ACCEPT
iptables -I FORWARD -s 192.168.66.0/24 -d 192.168.2.0/24 -j ACCEPT

SETTINGS

ISP modem+gateway router
No settings modified. It is as ISP has set it.
DD-WRT OpenVPN client
- Firmware: DD-WRT v24-sp2 (08/12/10) vpn
- SPI firewall: Disabled
- WAN: Disabled
- Operating mode: Router   (this disables NAT, right?)
- Gateway: 192.168.2.1
- Local DNS: 8.8.8.8
- NTP client: Enabled
I'm not posting the VPN server/client configs because the client can connect to the server without errors and both the ping and wget commands work properly from inside the DD-WRT.
So, my question is:
How do I route all traffic from clients connected to the DD-WRT to its OpenVPN tunnel tun0? Am I using iptables incorrectly? Add a new route, perhaps?
If some info is missing, please ask. Thank you in advance! :)
P.S. More info below.

ROUTING TABLE (after VPN tunnel is up)

root@DD-WRT:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
87.219.xxx.xxx  192.168.2.1     255.255.255.255 UGH   0      0        0 br0
192.168.66.1    192.168.66.5    255.255.255.255 UGH   0      0        0 tun0
192.168.66.5    *               255.255.255.255 UH    0      0        0 tun0
192.168.5.0     192.168.66.5    255.255.255.0   UG    0      0        0 tun0
192.168.2.0     *               255.255.255.0   U     0      0        0 br0
169.254.0.0     *               255.255.0.0     U     0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.66.5    128.0.0.0       UG    0      0        0 tun0
128.0.0.0       192.168.66.5    128.0.0.0       UG    0      0        0 tun0
default         192.168.2.1     0.0.0.0         UG    0      0        0 br0

IP ROUTE SHOW

root@DD-WRT:~# ip route show
87.219.xxx.xxx via 192.168.2.1 dev br0
192.168.66.1 via 192.168.66.5 dev tun0
192.168.66.5 dev tun0  proto kernel  scope link  src 192.168.66.6
192.168.5.0/24 via 192.168.66.5 dev tun0
192.168.2.0/24 dev br0  proto kernel  scope link  src 192.168.2.160
169.254.0.0/16 dev br0  proto kernel  scope link  src 169.254.255.1
127.0.0.0/8 dev lo  scope link
0.0.0.0/1 via 192.168.66.5 dev tun0
128.0.0.0/1 via 192.168.66.5 dev tun0
default via 192.168.2.1 dev br0

IP RULE SHOW

root@DD-WRT:~# ip rule show
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

OpenVPN CLIENT LOG

root@DD-WRT:~# cat /var/log/messages | grep openvpn
May 24 15:47:21 DD-WRT daemon.notice openvpn[699]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Aug 12 2010
May 24 15:47:21 DD-WRT daemon.warn openvpn[699]: WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
May 24 15:47:21 DD-WRT daemon.notice openvpn[702]: UDPv4 link local: [undef]
May 24 15:47:21 DD-WRT daemon.notice openvpn[702]: UDPv4 link remote: 87.219.xxx.xxx:1194
May 24 15:47:23 DD-WRT daemon.notice openvpn[702]: [server] Peer Connection Initiated with 87.219.xxx.xxx:1194
May 24 15:47:25 DD-WRT daemon.notice openvpn[702]: TUN/TAP device tun0 opened
May 24 15:47:25 DD-WRT daemon.notice openvpn[702]: /sbin/ifconfig tun0 192.168.66.6 pointopoint 192.168.66.5 mtu 1500
May 24 15:47:26 DD-WRT daemon.notice openvpn[702]: Initialization Sequence Completed

IFCONFIG

root@DD-WRT:~# ifconfig
br0       
Link encap:Ethernet  HWaddr 00:1D:73:55:1C:A4
inet addr:192.168.2.160  Bcast:192.168.2.255  Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
RX packets:14119 errors:0 dropped:0 overruns:0 frame:0
TX packets:10639 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2068891 (1.9 MiB)  TX bytes:5382302 (5.1 MiB)

br0:0     
Link encap:Ethernet  HWaddr 00:1D:73:55:1C:A4
inet addr:169.254.255.1  Bcast:169.254.255.255  Mask:255.255.0.0
UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

eth0      
Link encap:Ethernet  HWaddr 00:1D:73:55:1C:A4
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:13136 errors:0 dropped:0 overruns:0 frame:0
TX packets:10847 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2180726 (2.0 MiB)  TX bytes:5517739 (5.2 MiB)
Interrupt:4

eth1      
Link encap:Ethernet  HWaddr 00:1D:73:55:1C:A6
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:210 errors:0 dropped:0 overruns:0 frame:198105
TX packets:3683 errors:14 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:41273 (40.3 KiB)  TX bytes:963954 (941.3 KiB)
Interrupt:2 Base address:0x5000

lo        
Link encap:Local Loopback
inet addr:127.0.0.1  Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
RX packets:28 errors:0 dropped:0 overruns:0 frame:0
TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2034 (1.9 KiB)  TX bytes:2034 (1.9 KiB)

tun0      
Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.66.6  P-t-P:192.168.66.5  Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
RX packets:56 errors:0 dropped:0 overruns:0 frame:0
TX packets:62 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:4734 (4.6 KiB)  TX bytes:4428 (4.3 KiB)

vlan0     
Link encap:Ethernet  HWaddr 00:1D:73:55:1C:A4
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:13135 errors:0 dropped:0 overruns:0 frame:0
TX packets:10847 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1944080 (1.8 MiB)  TX bytes:5466622 (5.2 MiB)
   
Is interface forwarding enabled? cat /proc/sys/net/ipv4/ip_forward needs to report 1, or both cat /proc/sys/net/ipv4/conf/tun0/forwarding and cat /proc/sys/net/ipv4/conf/br0/forwarding need to report 1. (the first enables forwarding globally, the second enables it per interface -- it can be done either way) –  Andrew B May 24 '14 at 16:18
   
@andrew-b cat /proc/sys/net/ipv4/ip_forward ==> 1 cat /proc/sys/net/ipv4/conf/tun0/forwarding ==> 1 cat /proc/sys/net/ipv4/conf/br0/forwarding ==> 1 –  user1534160 May 24 '14 at 17:26 
   
Did you try creating a bridge? I use such a setup with a tap adapter. For tun you might need NAT via iptables – Alec Istomin May 24 '14 at 21:24
   
@alec-istomin I use tunneling because Android clients use OpenVPN Connect application and only tunneling is supported for that. To make the VPN available for all tunneling was the best option. –  user1534160 May 25 '14 at 6:36
   
@alec-istomin To use NAT I must put the DD-WRT to Gateway mode, right? Wouldn't this cause issues because the primary router is also working as gateway? –  user1534160 May 25 '14 at 6:37
Here I'm assuming that the LAN and VPN interfaces on the server are br0 and tun0, respectively.
# Enable IP forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Allow postrouting to tun0. You may want to use "-s" here to strictly limit forwarding to IPs on your LAN.
iptables -t nat -A POSTROUTING -o tun0  -j MASQUERADE

# Enable forwarding from the LAN to the VPN (and back via related and established connections).
# Again, you may want to use "-s".
iptables -A FORWARD -i br0 -o tun0 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
It works for me on an OpenWrt router, and comes from @Xyne https://bbs.archlinux.org/viewtopic.php?pid=1208721#p1208721
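To see why the router's own wget already went out through tun0 while the LAN clients' traffic did not, this added example (not part of the Server Fault post or of the answer above) replays the kernel's longest-prefix route lookup on a constructed copy of the ip route show output from the question, where the two /1 routes pushed by the server (OpenVPN's redirect-gateway def1) shadow the /0 default, and then models what the answer's MASQUERADE rule does to a LAN client's source address. The masked 87.219.xxx.xxx host route is replaced by the placeholder 203.0.113.10, and DEV_ADDRS holds the interface addresses from the ifconfig output.

```python
import ipaddress

# Constructed copy of the `ip route show` output from the post; the masked
# VPN-server host route (87.219.xxx.xxx) is replaced by a placeholder address.
ROUTES_TEXT = """\
203.0.113.10 via 192.168.2.1 dev br0
192.168.66.1 via 192.168.66.5 dev tun0
192.168.66.5 dev tun0  proto kernel  scope link  src 192.168.66.6
192.168.5.0/24 via 192.168.66.5 dev tun0
192.168.2.0/24 dev br0  proto kernel  scope link  src 192.168.2.160
169.254.0.0/16 dev br0  proto kernel  scope link  src 169.254.255.1
127.0.0.0/8 dev lo  scope link
0.0.0.0/1 via 192.168.66.5 dev tun0
128.0.0.0/1 via 192.168.66.5 dev tun0
default via 192.168.2.1 dev br0
"""
# Interface addresses as shown by ifconfig in the post.
DEV_ADDRS = {"tun0": "192.168.66.6", "br0": "192.168.2.160"}

def parse_routes(text):
    """Turn `ip route show` lines into (network, gateway or None, device) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        dst = "0.0.0.0/0" if f[0] == "default" else f[0]
        gw = f[f.index("via") + 1] if "via" in f else None
        routes.append((ipaddress.ip_network(dst, strict=False), gw, f[f.index("dev") + 1]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match. Forwarded packets use the same table as the router's
    own, so the two /1 routes pushed by the server beat the /0 default via 192.168.2.1."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[2], best[1]

def egress_source(src, out_dev, masq_rules):
    """Model of POSTROUTING MASQUERADE; each rule is (out device, source net or None).
    No matching rule: a LAN client's packet leaves tun0 with its 192.168.2.x source,
    which the VPN server cannot route back. Matching rule (the answer's `-o tun0
    -j MASQUERADE`, optionally limited with `-s`): the source becomes 192.168.66.6."""
    src_addr = ipaddress.ip_address(src)
    for rule_dev, src_net in masq_rules:
        if rule_dev == out_dev and (src_net is None or src_addr in ipaddress.ip_network(src_net)):
            return DEV_ADDRS[out_dev]
    return src

ROUTES = parse_routes(ROUTES_TEXT)
```

lookup(ROUTES, "8.8.8.8") returns ("tun0", "192.168.66.5") for a client packet as well as for the router itself, so the missing piece in the question is not the route but the source rewrite that egress_source performs only when a MASQUERADE rule for tun0 is present.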
