172.16.0.0/24 via 192.168.150.2 dev tun5
tun5: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 192.168.150.1 peer 192.168.150.2/32 scope global tun5
       valid_lft forever preferred_lft forever
    inet6 fe80::13d2:fada:59d1:60f8/64 scope link flags 800
       valid_lft forever preferred_lft forever
local 213.XXX.XXX.XXX
port 1149
proto tcp
dev tun5
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/Server.crt
key /etc/openvpn/keys/Server.key
dh /etc/openvpn/keys/dh1024.pem
server 192.168.150.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-256-CBC
auth sha1
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/vpngate-status.log
verb 5
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
push "route 10.15.0.0 255.255.255.0"
push "route 10.16.0.0 255.255.255.248"
client-config-dir client-configs
daemon
max-clients 5
route 172.16.0.0 255.255.255.0 # network behind the client
traceroute 172.16.0.45
traceroute to 172.16.0.45 (172.16.0.45), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
Try adding that route on the server manually and set the MikroTik's VPN address as the gateway.
tcpdump -i tun5 -nv
13:06:53.711170 IP (tos 0x0, ttl 64, id 20142, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.150.1 > 172.16.0.45: ICMP echo request, id 9159, seq 2, length 64
If you want to route, I recommend using tap, where routing is configured at the OS level.
For tun, you need to specify iroute 172.16.0.0 255.255.255.0 in the client configuration (CCD) for that MikroTik; otherwise OpenVPN has no idea where to send such packets.
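The point made in the reply above, as an added example that is not part of the thread: a small Python check that every `route` in the server config is claimed by an `iroute` in some CCD file. The client name `mikrotik`, the function names and the sample texts are constructed for illustration.

```python
import ipaddress

# Constructed sample input modelled on the thread's server config.
SERVER_CONF = """\
dev tun5
server 192.168.150.0 255.255.255.0
client-config-dir client-configs
push "route 10.15.0.0 255.255.255.0"
route 172.16.0.0 255.255.255.0 # network behind the client
"""
# CCD files keyed by client name ("mikrotik" is a hypothetical name).
CCD_BEFORE = {"mikrotik": ""}  # no iroute: the situation in the question
CCD_AFTER = {"mikrotik": "iroute 172.16.0.0 255.255.255.0\n"}


def directives(text, keyword):
    """Yield networks from lines of the form '<keyword> <network> [netmask]'."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 2 and fields[0] == keyword:
            # OpenVPN defaults the netmask to a single host when omitted.
            mask = fields[2] if len(fields) > 2 else "255.255.255.255"
            yield ipaddress.ip_network(f"{fields[1]}/{mask}")


def unrouted(server_conf, ccd_files):
    """Return server 'route' networks that no client claims via 'iroute'.

    'route' only puts the network into the kernel table (towards tun);
    OpenVPN's internal routing needs an 'iroute' to pick the client.
    Simplification: a route counts as covered only when one single
    iroute network contains it entirely.
    """
    claimed = [net for text in ccd_files.values()
               for net in directives(text, "iroute")]
    return [str(route) for route in directives(server_conf, "route")
            if not any(route.subnet_of(net) for net in claimed)]


if __name__ == "__main__":
    print("before:", unrouted(SERVER_CONF, CCD_BEFORE))
    print("after: ", unrouted(SERVER_CONF, CCD_AFTER))
```

The pushed routes are deliberately ignored: `push "route ..."` only changes the clients' routing tables and needs no `iroute`.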
So thank you, gentlemen. The magic words were CCD and iroute.
I specifically wanted to use tun (layer 3), because I want to route and not bridge with tap (layer 2).
iroute, CCD, OK - I haven't tried that, I'm off to study it. Thank you.