
Утечка днс через openvpn на openwrt




VPN подключается, всё работает. Но проблема в том, что whoer.net показывает мой российский DNS. Не могу понять, где проблема, конфиги вроде правильные. Судя по логам роутера, dhcp-option DNS 8.8.8.8 либо не пушится на роутер, либо роутер её отвергает, и DNS-запросы идут в обход VPN. А надо, чтобы весь трафик вместе с DNS шёл через туннель. Кто-нибудь может объяснить, как это сделать?
структура сети примерно такая

 --------------                               --------
|   *client1   |10.10.106.6  VPN  10.10.106.5|        |
|openwrt router|-----------------------------|*server |
| 192.168.1.1  |                             |        |
 ---------------                              --------
     | 192.168.2.244                             | 188.166.xx.xxx
     |                                           |
     | 192.168.2.2                               |
 -------------                               --------
|   router    |                             |        |
|  internet   |                             |internet|
|192.168.2.2  |                             |        |
 -------------                               --------

конфиг сервера
# OpenVPN server side (Linux host 188.166.xx.xxx); the OpenWrt router below is its client.
port 1194
proto tcp          # TCP transport: gets through restrictive networks but adds TCP-over-TCP overhead; UDP is the usual choice
dev tun            # routed (layer-3) tunnel

dh dh2048.pem      # 2048-bit DH parameters for the TLS handshake
ca ca.crt
cert server.crt
key server.key     # relative paths: resolved against the daemon's working directory

tls-server
tls-auth ta.key 0  # HMAC-signs the control channel; packets without a valid HMAC are dropped before TLS even starts. Keep it.
auth SHA1          # data-channel HMAC. SHA256 is preferable, but "auth" must be identical on server and client.
# NOTE(review): there is no "cipher" directive. OpenVPN 2.2/2.3 then falls back to BF-CBC
# (Blowfish, 64-bit block). Add e.g. "cipher AES-256-CBC" here and in the client config in the
# same change - both ends must agree or the data channel will not decrypt.

server 10.10.106.0 255.255.255.0   # VPN subnet; with the default net30 topology of this version each client gets a /30 pair
                                   # (server tun0 is 10.10.106.1<->.2, client1 is .6<->.5, as the ifconfig output shows)

ifconfig-pool-persist ipp.txt      # remembers client<->address assignments across restarts

client-config-dir ccd              # per-client options; ccd/client1 carries the iroute for 192.168.1.0/24

push "redirect-gateway def1 bypass-dhcp"   # client installs 0.0.0.0/1 + 128.0.0.0/1 via the tunnel plus a /32 host route to this server via its old gateway (see the router's "route -n")
# NOTE(review): "dhcp-option DNS" is applied natively only by Windows clients. A Linux/OpenWrt client
# merely receives it as an environment variable for an --up script, so these two lines alone do NOT
# change the router's resolvers - this is the DNS leak the thread is about; see the client config.
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

route 192.168.1.0 255.255.255.0    # kernel route for client1's LAN via tun0 (paired with the iroute in ccd/client1)

keepalive 10 120                   # ping every 10 s, declare the peer dead after 120 s

comp-lzo                           # NOTE(review): compressing data before encryption leaks information about the plaintext
                                   # (VORACLE-class attacks); later OpenVPN releases deprecate it. Drop it on both ends unless needed.

persist-key                        # keep keys/tun across SIGUSR1 restarts - also what makes a privilege drop workable
persist-tun                        # NOTE(review): no "user nobody" / "group nogroup" here, so the daemon keeps running as root.
                                   # If you add them, make sure ipp.txt and the status/log files stay writable by that user.

status openvpn-status.log
log         openvpn.log            # relative path, like the certificate files above

verb 3                             # logs handshake details and the PUSH_REPLY sent to each client

user@server:~$ cat /etc/openvpn/ccd/client1

# Marks 192.168.1.0/24 (the LAN behind client1) as living behind this particular client, so the
# server steers packets for it into client1's tunnel; pairs with the server's
# "route 192.168.1.0 255.255.255.0", which adds the matching kernel route via tun0.
iroute 192.168.1.0 255.255.255.0

user@server:~$ route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         188.166.0.1     0.0.0.0         UG    0      0        0 eth0
10.10.106.0     10.10.106.2     255.255.255.0   UG    0      0        0 tun0
10.10.106.2     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
188.166.0.0     0.0.0.0         255.255.192.0   U     0      0        0 eth0
192.168.1.0     10.10.106.2     255.255.255.0   UG    0      0        0 tun0

user@server:~$ ifconfig

eth0      Link encap:Ethernet  HWaddr 01:04:9d:1b:b8:05  
          inet addr: 188.166.xx.xxx  Bcast:188.166.63.255  Mask:255.255.192.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:32162 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36305 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:13216347 (13.2 MB)  TX bytes:14018950 (14.0 MB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.10.106.1  P-t-P:10.10.106.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:20756 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18331 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:2039764 (2.0 MB)  TX bytes:8958756 (8.9 MB)

user@server:~$ iptables -L -v -n   # filter table only; the nat table (where any MASQUERADE for 10.10.106.0/24 would live) is not shown here

Chain INPUT (policy ACCEPT 2102 packets, 370K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  888  149K ACCEPT     all  --  *      *       10.10.106.0/24       0.0.0.0/0           
  848  421K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 2149 packets, 742K bytes)
 pkts bytes target     prot opt in     out     source               destination         

—————— конфиг клиента1

# OpenVPN client running on the OpenWrt router (OpenVPN 2.2.2 according to the log below).
client

dev tun
proto tcp                  # must match the server

remote 188.166.xx.xxx
port 1194

resolv-retry infinite      # keep retrying name resolution of "remote" (harmless here, remote is a literal IP)
# NOTE(review): this /18 route is redundant - redirect-gateway def1 already covers it via 128.0.0.0/1,
# and the /32 host route to the server via 192.168.2.2 (which redirect-gateway also installs, see
# "route -n") is what keeps the tunnel endpoint reachable outside the tunnel. Safe to delete.
route 188.166.0.0 255.255.192.0

ca /etc/openvpn/ca.crt
cert /etc/openvpn/client1.crt
key /etc/openvpn/client1.key

tls-client
tls-auth /etc/openvpn/ta.key 1   # direction 1 pairs with the server's "tls-auth ta.key 0"
auth SHA1                        # must match the server's "auth"
# NOTE(review): no "cipher" directive -> BF-CBC default on this OpenVPN version; change it together with the server.

ns-cert-type server              # refuses a peer that presents a *client* certificate, i.e. another client
                                 # impersonating the server. Newer releases replace this with "remote-cert-tls server"
                                 # (which requires the serverAuth EKU in server.crt).

comp-lzo                         # see the server config: compression + encryption is discouraged; drop it on both ends

persist-key
persist-tun

# --- Why DNS leaks although the server pushes "dhcp-option DNS" --------------------------------
# On Linux OpenVPN never edits resolv.conf itself; pushed dhcp-options are only handed to an --up
# script as foreign_option_N variables, and this config has neither "up" nor "script-security 2"
# (the router log even prints the script-security NOTE). The options are received and dropped.
# The log confirms it: when tun0 comes up dnsmasq re-reads /tmp/resolv.conf.auto and the only
# nameserver it lists is 192.168.1.1 (the router itself), not 8.8.8.8 - so what finally answers
# the queries is whatever resolver the WAN side (192.168.2.2) supplies, presumably the ISP's.
# DNS-leak tests such as whoer.net report the recursive resolver that contacts their authoritative
# servers, so that resolver shows up as Russian regardless of the path the query takes; and if it
# is reached via 192.168.2.2 - directly connected on eth0.2, outside both def1 half-routes - the
# query does not even enter the tunnel.
# Fix (OpenWrt, outside this file): set "option peerdns '0'" on the wan interface and
# "list dns '8.8.8.8'" / "list dns '8.8.4.4'" on the vpn interface in /etc/config/network, or add
# "script-security 2" plus an up/down script that rewrites the resolvers from $foreign_option_N.
# To stop LAN hosts with hard-coded resolvers from leaking too, add a firewall redirect of
# lan-side TCP/UDP port 53 to the router.
# Diagnostics: there is no "verb" here (default 1); with "verb 3" the log should show the
# "PUSH: Received control message" line, which proves the dhcp-option actually arrives.

root@OpenWrt:~# route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.106.5     128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.2.2     0.0.0.0         UG    0      0        0 eth0.2
10.10.106.1     10.10.106.5     255.255.255.255 UGH   0      0        0 tun0
10.10.106.5     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
128.0.0.0       10.10.106.5     128.0.0.0       UG    0      0        0 tun0
188.166.0.0     10.10.106.5     255.255.192.0   UG    0      0        0 tun0
188.166.xx.xxx  192.168.2.2     255.255.255.255 UGH   0      0        0 eth0.2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0.2

root@OpenWrt:~# ifconfig

eth0.2    Link encap:Ethernet  HWaddr F6:7A:62:8A:C4:B3  
          inet addr:192.168.2.244  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10696 errors:0 dropped:53 overruns:0 frame:0
          TX packets:10098 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:8582753 (8.1 MiB)  TX bytes:3033319 (2.8 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.10.106.6  P-t-P:10.10.106.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:14947 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17596 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:7382547 (7.0 MiB)  TX bytes:1593893 (1.5 MiB)

Лог OpenWrt (logread) во время подключения:
Oct 18 13:45:29 OpenWrt daemon.notice openvpn(custom_config)[1406]: OpenVPN 2.2.2 mips-openwrt-linux [SSL] [LZO2] [EPOLL] built on Mar 14 2013
Oct 18 13:45:29 OpenWrt daemon.warn openvpn(custom_config)[1406]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Oct 18 13:45:29 OpenWrt daemon.notice openvpn(custom_config)[1406]: Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
Oct 18 13:45:29 OpenWrt daemon.notice openvpn(custom_config)[1406]: LZO compression initialized
Oct 18 13:45:29 OpenWrt daemon.notice openvpn(custom_config)[1406]: Attempting to establish TCP connection with 188.166.xx.xxx:1194 [nonblock]
Oct 18 13:45:30 OpenWrt daemon.notice openvpn(custom_config)[1406]: TCP connection established with 188.166.xx.xxx:1194
Oct 18 13:45:30 OpenWrt daemon.notice openvpn(custom_config)[1406]: TCPv4_CLIENT link local: [undef]
Oct 18 13:45:30 OpenWrt daemon.notice openvpn(custom_config)[1406]: TCPv4_CLIENT link remote: 188.166.xx.xxx:1194
Oct 18 13:45:31 OpenWrt daemon.info dnsmasq-dhcp[1397]: DHCPDISCOVER(br-lan) 08:00:27:01:47:B0 
Oct 18 13:45:31 OpenWrt daemon.info dnsmasq-dhcp[1397]: DHCPOFFER(br-lan) 192.168.1.245 08:00:27:01:47:B0 
Oct 18 13:45:31 OpenWrt daemon.info dnsmasq-dhcp[1397]: DHCPDISCOVER(br-lan) 08:00:27:01:47:B0 
Oct 18 13:45:31 OpenWrt daemon.info dnsmasq-dhcp[1397]: DHCPOFFER(br-lan) 192.168.1.245 08:00:27:01:47:B0 
Oct 18 13:45:32 OpenWrt daemon.info dnsmasq-dhcp[1397]: DHCPREQUEST(br-lan) 192.168.1.245 08:00:27:01:47:B0 
Oct 18 13:45:32 OpenWrt daemon.info dnsmasq-dhcp[1397]: DHCPACK(br-lan) 192.168.1.245 08:00:27:01:47:B0 Notebook-PC
Oct 18 13:45:43 OpenWrt daemon.notice openvpn(custom_config)[1406]: [server] Peer Connection Initiated with 188.166.xx.xxx:1194
Oct 18 13:45:46 OpenWrt daemon.notice openvpn(custom_config)[1406]: TUN/TAP device tun0 opened
Oct 18 13:45:46 OpenWrt daemon.notice openvpn(custom_config)[1406]: /sbin/ifconfig tun0 10.10.106.6 pointopoint 10.10.106.5 mtu 1500
Oct 18 13:45:46 OpenWrt daemon.notice netifd: Interface 'vpn' is now up
Oct 18 13:45:46 OpenWrt daemon.info dnsmasq[1397]: reading /tmp/resolv.conf.auto
Oct 18 13:45:46 OpenWrt daemon.info dnsmasq[1397]: using nameserver 192.168.1.1#53
Oct 18 13:45:46 OpenWrt daemon.info dnsmasq[1397]: using local addresses only for domain lan
Oct 18 13:45:46 OpenWrt daemon.notice openvpn(custom_config)[1406]: Initialization Sequence Completed
Oct 18 13:45:47 OpenWrt user.notice ifup: Enabling Router Solicitations on vpn (tun0)
Oct 18 13:45:48 OpenWrt user.info firewall: adding vpn (tun0) to zone wan
Oct 18 13:45:58 OpenWrt authpriv.info dropbear[1534]: Child connection from 192.168.1.245:52626
Oct 18 13:46:56 OpenWrt authpriv.notice dropbear[1534]: Password auth succeeded for 'root' from 192.168.1.245:52626
Oct 18 13:48:53 OpenWrt authpriv.info dropbear[1534]: Exit (root): Disconnect receive

1 декабря 2015 г.
Ответ на: Спустя 3 дня... от brainbit

Я откапываю труп, подключаю к нему электроды, беру в руки бубен и начинаю кричать всю фигню которая у меня в голове. Труп начинает двигаться. Некропост гальванизируется и приходит в движение.
