Ahoj, nedaří se mi zprovoznit OpenVPN server na Turrisu.
Oficiální návod je pro klienta (https://www.turris.cz/doc/navody/openvpn); já jsem postupoval podle
http://www.s474n.com/project-turris-zprovozneni-openvpn-serveru/, což nefungovalo, a pak jsem se v kombinaci s jinými návody do toho zamotal a nevím přesně, jestli je chyba v tom, že po zadání `ifconfig` nevidím rozhraní tun, nebo jestli je problém ve firewallu, nebo v konfiguračním souboru.
/etc/config/openvpn
# /etc/config/openvpn — UCI stanza that makes the openvpn init script start
# one instance from a hand-written configuration file.
package openvpn
config openvpn custom_config
option enabled 1
# NOTE(review): with `option config` the init script is expected to hand this
# file to the daemon unchanged, so it has to be in native OpenVPN directive
# syntax, not in UCI "config/option" syntax — confirm against
# /etc/init.d/openvpn on this firmware.
option config /etc/openvpn/vpn.conf
/etc/openvpn/vpn.conf
# /etc/openvpn/vpn.conf — server configuration referenced from
# /etc/config/openvpn via `option config`.
#
# NOTE(review): this file is written in UCI syntax (config/option/list
# stanzas, underscored option names), which is the format of
# /etc/config/openvpn, not the "directive value" syntax OpenVPN parses from a
# file passed with --config. If the init script hands this path straight to
# the daemon it will fail to parse — check the daemon's own log/stderr.
config openvpn 'turris_server'
option enabled '1'
option dev 'tun'
option proto 'udp'
option port '1194'
option keepalive '10 1200'
# Server certificate material. The DH file below is the only one outside
# /etc/openvpn — verify the path is intended and the file exists.
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/turris.crt'
option key '/etc/openvpn/turris.key'
option dh '/etc/dh2048.pem'
# VPN subnet handed out to clients; the 'vpn' interface in
# /etc/config/network uses the first address of this range.
option server '192.168.100.0 255.255.255.0'
# NOTE(review): remote-cert-tls validates the *peer's* certificate usage. On
# the server side the peers are clients, so 'server' here would reject client
# certificates that lack the server EKU; a server normally uses 'client'.
option remote-cert-tls 'server'
# Full-tunnel push: clients route everything through the VPN, so the VPN
# side needs forwarding to wan and NAT on wan in /etc/config/firewall.
list push 'redirect-gateway def1'
option comp-lzo 'yes'
option verb '3'
option topology 'subnet'
option ifconfig_pool_persist '/tmp/ipp.txt'
option persist_key '1'
option persist_tun '1'
option status '/tmp/openvpn-status.log'
/etc/config/network
# /etc/config/network — interface and switch layout of the router.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd04:1778:866e::/48'
# LAN bridge over the switch ports.
config interface 'lan'
option force_link '1'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
# NOTE(review): bridge members are kernel device names (eth0, eth1); 'vpn' is
# the UCI interface name defined below, not a device, and a tun device is
# layer-3 only and cannot be bridged in any case. This entry may be what keeps
# the bridge/tun setup from coming up — verify with `ip link` after a reload.
option ifname 'eth0 eth1 vpn'
config interface 'wan'
option ifname 'eth2'
option proto 'dhcp'
config interface 'wan6'
option ifname '@wan'
option proto 'dhcpv6'
# Static interface on the OpenVPN tun device. The address is the first host
# of the `server` subnet in vpn.conf; OpenVPN also assigns that address when
# the tunnel comes up, so two components manage tun0.
config interface 'vpn'
option ifname 'tun0'
option proto 'static'
option ipaddr '192.168.100.1'
option netmask '255.255.255.0'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 4 '
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 6'
/etc/config/firewall
# /etc/config/firewall — fw3 zones, rules and redirects.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# The lan zone already contains the 'vpn' network, so lan<->vpn forwarding
# is allowed by this zone's forward policy without any extra rule.
config zone
option name 'lan'
list network 'lan'
list network 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# Opens the OpenVPN listener towards the internet (UDP/1194 from wan only).
config rule
option name 'OpenVPN'
option family 'ipv4'
option src 'wan'
option proto 'udp'
option dest_port '1194'
option target 'ACCEPT'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config include
option path '/usr/share/firewall/turris'
option reload '1'
config include
option path '/etc/firewall.d/with_reload/firewall.include.sh'
option reload '1'
config include
option path '/etc/firewall.d/without_reload/firewall.include.sh'
option reload '0'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'IPv4'
option reload '1'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '22'
option dest_port '58732'
option name 'SSH honeypot'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '5555'
option dest_port '22'
option name 'SSH redirect'
# Duplicate of the 'OpenVPN' rule above, but with src '*' it admits UDP/1194
# from every zone rather than just wan; the wan-scoped rule is sufficient.
config rule
option name 'Allow-OpenVPN-Inbound'
option target 'ACCEPT'
option src '*'
option proto 'udp'
option dest_port '1194'
# NOTE(review): this zone references network 'vpn0', which /etc/config/network
# does not define (the interface is called 'vpn'), and 'vpn' is already a
# member of the lan zone above — a network belongs to a single zone. As
# written this zone matches no interface, so the vpn->wan forwarding that
# follows is ineffective; the lan->wan forwarding covers VPN clients instead.
config zone
option name 'vpn'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
option network 'vpn0'
config forwarding
option src 'vpn'
option dest 'wan'
/etc/firewall.user
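# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
#
# Hand-added OpenVPN rules. They overlap with the zone/rule stanzas in
# /etc/config/firewall and exist only as a belt-and-braces while debugging.
#
# NOTE(review): `prerouting_wan` and `input_wan` are not the hook chains the
# header above names (`input_wan_rule`, ...). If those chains do not exist on
# this firewall build, these two commands just print "No chain/target/match"
# and have no effect; check with `iptables -S | grep -i wan` and switch to the
# *_rule chains if needed.
iptables -t nat -A prerouting_wan -p udp --dport 1194 -j ACCEPT
iptables -A input_wan -p udp --dport 1194 -j ACCEPT

# Traffic arriving from VPN clients: accepted by the router and forwarded on.
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT

# Locally generated traffic towards VPN clients; the OUTPUT policy is already
# ACCEPT in /etc/config/firewall, kept only for symmetry with INPUT.
iptables -I OUTPUT -o tun+ -j ACCEPT

# Forwarding *into* the tunnel is limited to replies of connections opened
# from the VPN side. The former unconditional `-I FORWARD -o tun+ -j ACCEPT`
# sat at the top of FORWARD and accepted new connections from any interface,
# including wan, ahead of the wan zone's forward REJECT. New LAN->VPN
# connections are still allowed by the lan zone, whose forward policy is
# ACCEPT and which lists the 'vpn' network.
iptables -I FORWARD -o tun+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT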
OpenVPN server mi nejede: nejde pingnout IP serveru z klienta ani obráceně. Démon běží.
root@turris:~# ps | grep "openvpn"
6344 root 1528 S grep openvpn
Chybí rozhraní tun; i když jsem ho před rebootem ručně přes openvpn vytvořil, sice automaticky získalo správnou adresu 192.168.100.1, ale stejně nešlo pingnout.
root@turris:~# ifconfig | grep "tun"
root@turris:~#
root@turris:~# cat /tmp/openvpn.log
cat: can't open '/tmp/openvpn.log': No such file or directory
Pozná někdo, co mám špatně?