Estou tentando fazer com que todo o tráfego seja roteado pela VPN para que o endereço IP do servidor OpenVPN seja o que aparece quando estou navegando na Internet.
Não que isso deva importar, mas estamos usando autenticação baseada em senha por meio de um módulo PAM. Esse módulo PAM faz uma chamada HTTP para um site para validar as coisas.
Esta é a minha configuração do servidor OpenVPN:
port 1194
proto udp
dev tun
dh keys/dh2048.pem
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
;topology subnet
server 10.8.0.0 255.255.255.0
;route 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
;duplicate-cn
;max-clients 30
;user nobody
;group nogroup
;mute 20
;explicit-exit-notify 1
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
verify-client-cert optional
push "redirect-gateway def1"
;push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 208.67.222.222"
;push "route 10.8.0.0 255.255.255.0"
Esta é a configuração do meu cliente OpenVPN:
client
dev tun
proto udp
remote MY_SERVERS_PUBLIC_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cipher AES-256-CBC
comp-lzo
redirect-gateway def1
verb 3
auth-user-pass
É assim que iptables --list se parece:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- ip-10-8-0-0.ec2.internal/24 anywhere ctstate NEW
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Essas entradas do iptables foram criadas com:
iptables -I FORWARD -i tun0 -o eth0 \
-s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \
-j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 \
-s 10.8.0.0/24 -j MASQUERADE
Esta é a aparência do ifconfig no servidor OpenVPN:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9001
inet 172.26.12.92 netmask 255.255.240.0 broadcast 172.26.15.255
inet6 fe80::89c:e4ff:feab:ccce prefixlen 64 scopeid 0x20<link>
ether 0a:9c:e4:ab:cc:ce txqueuelen 1000 (Ethernet)
RX packets 219194 bytes 218590052 (218.5 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 98397 bytes 11103942 (11.1 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 4886 bytes 669299 (669.2 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4886 bytes 669299 (669.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
inet6 fe80::ef51:ccb3:ccc0:f02b prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3 bytes 144 (144.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
O encaminhamento de IP está ativado:
ubuntu@ip-172-26-2-31:~$ cat /proc/sys/net/ipv4/ip_forward
1
Isto é o que eu vejo se meu cliente log:
Wed Jun 05 07:40:02 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Wed Jun 05 07:40:02 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Jun 05 07:40:02 2019 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Enter Management Password:
Wed Jun 05 07:40:02 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Wed Jun 05 07:40:02 2019 Need hold release from management interface, waiting...
Wed Jun 05 07:40:03 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'state on'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'log all on'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'echo all on'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'bytecount 5'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'hold off'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'hold release'
Wed Jun 05 07:40:04 2019 MANAGEMENT: CMD 'username "Auth" "dlogan"'
Wed Jun 05 07:40:04 2019 MANAGEMENT: CMD 'password [...]'
Wed Jun 05 07:40:04 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Jun 05 07:40:04 2019 MANAGEMENT: >STATE:1559734804,RESOLVE,,,,,,
Wed Jun 05 07:40:05 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]MY_SERVERS_PUBLIC_IP:1194
Wed Jun 05 07:40:05 2019 Socket Buffers: R=[65536->65536] S=[64512->64512]
Wed Jun 05 07:40:05 2019 UDP link local: (not bound)
Wed Jun 05 07:40:05 2019 UDP link remote: [AF_INET]MY_SERVERS_PUBLIC_IP:1194
Wed Jun 05 07:40:05 2019 MANAGEMENT: >STATE:1559734805,WAIT,,,,,,
Wed Jun 05 07:40:05 2019 MANAGEMENT: >STATE:1559734805,AUTH,,,,,,
Wed Jun 05 07:40:05 2019 TLS: Initial packet from [AF_INET]MY_SERVERS_PUBLIC_IP:1194, sid=ea2002fc a21451ed
Wed Jun 05 07:40:05 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Jun 05 07:40:05 2019 VERIFY OK: depth=1, C=US, ST=FL, L=Sarasota, O=Cyber Ninjas, OU=Ethical Hacking, CN=Cyber Ninjas CA, name=CyberNinjas, [email protected]
Wed Jun 05 07:40:05 2019 VERIFY OK: depth=0, C=US, ST=FL, L=Sarasota, O=Cyber Ninjas, OU=Ethical Hacking, CN=remote2.cyberninjas.com, name=remote2.cyberninjas.com, [email protected]
Wed Jun 05 07:40:32 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Jun 05 07:40:32 2019 [remote2.cyberninjas.com] Peer Connection Initiated with [AF_INET]MY_SERVERS_PUBLIC_IP:1194
Wed Jun 05 07:40:33 2019 MANAGEMENT: >STATE:1559734833,GET_CONFIG,,,,,,
Wed Jun 05 07:40:33 2019 SENT CONTROL [remote2.cyberninjas.com]: 'PUSH_REQUEST' (status=1)
Wed Jun 05 07:40:33 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.220.220,dhcp-option DNS 208.67.222.222,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: route options modified
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: peer-id set
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: adjusting link_mtu to 1625
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: data channel crypto options modified
Wed Jun 05 07:40:33 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Jun 05 07:40:33 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun 05 07:40:33 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun 05 07:40:33 2019 interactive service msg_channel=832
Wed Jun 05 07:40:33 2019 ROUTE_GATEWAY 192.168.1.99/255.255.255.0 I=15 HWADDR=8c:ae:4c:f6:89:4d
Wed Jun 05 07:40:33 2019 open_tun
Wed Jun 05 07:40:33 2019 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{A4956E3A-C1FC-45BF-9857-31E5725E5011}.tap
Wed Jun 05 07:40:33 2019 TAP-Windows Driver Version 9.21
Wed Jun 05 07:40:33 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {A4956E3A-C1FC-45BF-9857-31E5725E5011} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Wed Jun 05 07:40:33 2019 Successful ARP Flush on interface [23] {A4956E3A-C1FC-45BF-9857-31E5725E5011}
Wed Jun 05 07:40:33 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jun 05 07:40:33 2019 MANAGEMENT: >STATE:1559734833,ASSIGN_IP,,10.8.0.6,,,,
Wed Jun 05 07:40:38 2019 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Wed Jun 05 07:40:38 2019 C:\WINDOWS\system32\route.exe ADD MY_SERVERS_PUBLIC_IP MASK 255.255.255.255 192.168.1.99
Wed Jun 05 07:40:38 2019 Route addition via service succeeded
Wed Jun 05 07:40:38 2019 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Wed Jun 05 07:40:38 2019 Route addition via service succeeded
Wed Jun 05 07:40:38 2019 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Wed Jun 05 07:40:38 2019 Route addition via service succeeded
Wed Jun 05 07:40:38 2019 MANAGEMENT: >STATE:1559734838,ADD_ROUTES,,,,,,
Wed Jun 05 07:40:38 2019 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Wed Jun 05 07:40:38 2019 Route addition via service succeeded
Wed Jun 05 07:40:38 2019 Initialization Sequence Completed
Wed Jun 05 07:40:38 2019 MANAGEMENT: >STATE:1559734838,CONNECTED,SUCCESS,10.8.0.6,MY_SERVERS_PUBLIC_IP,1194,,
Isto é o que vejo no log do OpenVPN do meu servidor:
Wed Jun 5 11:39:35 2019 WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional (or --client-cert-not-required) may accept clients which do not present a certificate
Wed Jun 5 11:39:35 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jan 9 2019
Wed Jun 5 11:39:35 2019 library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.08
Wed Jun 5 11:39:35 2019 PLUGIN_INIT: POST /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_
VERIFY
Wed Jun 5 11:39:35 2019 Diffie-Hellman initialized with 2048 bit key
Wed Jun 5 11:39:35 2019 ROUTE_GATEWAY 172.26.0.1/255.255.240.0 IFACE=eth0 HWADDR=0a:9c:e4:ab:cc:ce
Wed Jun 5 11:39:35 2019 TUN/TAP device tun0 opened
Wed Jun 5 11:39:35 2019 TUN/TAP TX queue length set to 100
Wed Jun 5 11:39:35 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jun 5 11:39:35 2019 /sbin/ip link set dev tun0 up mtu 1500
Wed Jun 5 11:39:35 2019 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Wed Jun 5 11:39:35 2019 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Wed Jun 5 11:39:35 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Jun 5 11:39:35 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jun 5 11:39:35 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Wed Jun 5 11:39:35 2019 UDPv4 link remote: [AF_UNSPEC]
Wed Jun 5 11:39:35 2019 MULTI: multi_init called, r=256 v=256
Wed Jun 5 11:39:35 2019 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Wed Jun 5 11:39:35 2019 IFCONFIG POOL LIST
Wed Jun 5 11:39:35 2019 Initialization Sequence Completed
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 TLS: Initial packet from [AF_INET]THE_CLIENT_PUBLIC_IP:50490, sid=80eafd2f b659fb60
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_VER=2.4.6
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_PLAT=win
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_PROTO=2
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_NCP=2
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_LZ4=1
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_LZ4v2=1
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_LZO=1
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_COMP_STUB=1
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_COMP_STUBv2=1
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_TCPNL=1
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_GUI_VER=OpenVPN_GUI_11
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 PLUGIN_CALL: POST /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 TLS: Username/Password authentication succeeded for username 'dlogan'
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 [] Peer Connection Initiated with [AF_INET]THE_CLIENT_PUBLIC_IP:50490
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 MULTI: Learn: 10.8.0.6 -> THE_CLIENT_PUBLIC_IP:50490
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 MULTI: primary virtual IP for THE_CLIENT_PUBLIC_IP:50490: 10.8.0.6
Wed Jun 5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 PUSH: Received control message: 'PUSH_REQUEST'
Wed Jun 5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 SENT CONTROL [UNDEF]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.220.220,dhcp-option DNS 208.67.222.222,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.
8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Wed Jun 5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Jun 5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun 5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun 5 11:46:32 2019 THE_CLIENT_PUBLIC_IP:50490 [UNDEF] Inactivity timeout (--ping-restart), restarting
Wed Jun 5 11:46:32 2019 THE_CLIENT_PUBLIC_IP:50490 SIGUSR1[soft,ping-restart] received, client-instance restarting
Eu olhei e tentei adotar / tentar configurações dos seguintes artigos sem sucesso: https://www.linode.com/docs/networking/vpn/tunnel-your-internet-traffic-through-an-openvpn-server /
Como forçar todo o tráfego através de VPN?
https://askubuntu.com/questions/462533/route-all-traffic-through-openvpn
https://openvpn.net/community-resources/how-to/#redirect
Provavelmente, eu simplesmente não coloquei a combinação certa, mas estou perdido aqui e definitivamente procurando ajuda.
Seria muito apreciado se você pudesse explicar por que uma determinada configuração pode resolver o problema, pois isso pode me ajudar a descobrir isso se o que você fornecer não for a solução completa.