ZOOM_ Posted November 14, 2013

Hello, can someone help me and explain how to run OpenVPN on a single VPS server that has multiple IP addresses? I want to set up a VPN for each of those addresses. I want to use 5 IPs on the same OpenVPN. I have 5 IPs on one VPS, but I don't know how to bring up an OpenVPN service that will use 5 IPs. Something like 5 OpenVPN instances running. So with 5 OpenVPN clients I want to connect to 5 different IP addresses that are all attached to the same VPS. I figure the solution might be to bring up 5 OpenVPN services, but I have no idea how to assign them the IP I want. It's Linux, CentOS 5 32, but changing it wouldn't be a problem either.

mohican Posted November 15, 2013

One service and a pool of IP addresses. I'm on my phone, so have a look at the documentation, and if you can't manage by tomorrow or nobody else helps, I'll get back to you from my computer.

f4ts0 Posted November 15, 2013

I haven't worked much with OpenVPN, but from what I have done, I think you need section 2.5 (page 9) https://dl.dropboxusercontent.com/u/37080112/OpenVPN_Access_Server_Sysadmin_Guide_Rev.pdf

ZOOM_ Posted November 15, 2013 Author

The installation itself isn't much of a problem. My problem would be routing the other IPs so that they work through the same service. I'll try installing 5 services now, maybe that will work.

ZOOM_ Posted November 15, 2013 Author

> One service and a pool of IP addresses. I'm on my phone, so have a look at the documentation, and if you can't manage by tomorrow or nobody else helps, I'll get back to you from my computer.

How am I supposed to manage, I've been going around in circles over this for days :D If you're in the mood, help would be welcome :)

mohican Posted November 16, 2013

OK, first, how do you get those 5 IP addresses? Are they all on the public interface of that VPS, or do you have one on the public interface and the rest are routed through it?

Definitely not 5 services, because that way you'll lose half of the IP addresses. One service with a pool of IP addresses, as I said, and that is defined in the config file with this directive

    server 10.8.0.0 255.255.255.0

in your case, say

    server x.x.x.0 255.255.255.248

That is in case they route a range of 6 IP addresses to you, but it seems to me that's not the case; rather, you have, let's say, 5 aliases on the public interface that are part of some subnet of theirs. If that's so, you'll have to bring up the tap variant with the server-bridge and device tap options.

All of this is nicely explained in the OpenVPN documentation, for example here

> First, define a static unit number for our tun interface, so that we will be able to refer to it later in our firewall rules:
>
>     dev tun0
>
> In the server configuration file, define the Employee IP address pool:
>
>     server 10.8.0.0 255.255.255.0
>
> Add routes for the System Administrator and Contractor IP ranges:
>
>     route 10.8.1.0 255.255.255.0
>     route 10.8.2.0 255.255.255.0
>
> Because we will be assigning fixed IP addresses for specific System Administrators and Contractors, we will use a client configuration directory:
>
>     client-config-dir ccd
>
> Now place special configuration files in the ccd subdirectory to define the fixed IP address for each non-Employee VPN client.
>
> ccd/sysadmin1
>
>     ifconfig-push 10.8.1.1 10.8.1.2
>
> ccd/contractor1
>
>     ifconfig-push 10.8.2.1 10.8.2.2
>
> ccd/contractor2
>
>     ifconfig-push 10.8.2.5 10.8.2.6
>
> Each pair of ifconfig-push addresses represent the virtual client and server IP endpoints. They must be taken from successive /30 subnets in order to be compatible with Windows clients and the TAP-Windows driver.
>
> Specifically, the last octet in the IP address of each endpoint pair must be taken from this set:

At this address http://openvpn.net/index.php/open-source/documentation/howto.html

It just seems to me that you don't even know what a subnet is, and yet you want to configure a VPN. Plus, what you want to do is a specific case if you weren't given a routed range of IP addresses and they are instead aliases on the public interface, and I'm not sure how that would work. If that's so, in any case you would have to take those public addresses off that interface and leave only one, if you really want the clients to get public addresses, rather than the clients getting private addresses that you NAT through those public ones.

But it seems to me as if I'm speaking Spanish to you :|

mohican Posted November 16, 2013

PS: In case your clients are Windows machines, you must have a /30 address range for each one (a limitation of the Windows TAP driver), so

    x.x.x.0 - start of network
    x.x.x.1 - server IP
    x.x.x.2 - client IP
    x.x.x.3 - end of network

Instead of 0-3 you can have other IPs from some range; I gave this only as an example. For it to work that way, you already lose a lot of addresses there if you want the client to get a public address directly. If you put the client on a private range and then NAT through a public one, then it can work.

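Added example, not part of any post in the thread and not taken from the OpenVPN documentation: a sketch of the "private range per client, then NAT through a public address" layout, combining the client-config-dir excerpt and the /30 note above so that each of five clients leaves through a different public IP. The 10.8.1.0/24 subnet, the client1..client5 names, eth0 and the 203.0.113.x addresses are assumptions; the script only prints the configuration and rules, it applies nothing.

```bash
#!/usr/bin/env bash
# Added example: one OpenVPN service, each client pinned to its own /30 and
# source-NATed to its own public address. Nothing is applied; it only prints.
# Assumptions (not from the thread): fixed-client subnet 10.8.1.0/24, client
# names client1..clientN, outbound interface eth0, and 203.0.113.26-30
# (documentation range) standing in for the five public addresses.
FIXED_NET="10.8.1"   # first three octets of the fixed-address subnet
WAN_IF="eth0"        # interface that carries the public addresses

# ccd_line INDEX -> "ifconfig-push <client-ip> <server-endpoint>"
# Block INDEX covers .4i (network), .4i+1 and .4i+2 (usable), .4i+3 (broadcast).
ccd_line() {
    local idx=$1
    case $idx in ''|*[!0-9]*) echo "bad index: $idx" >&2; return 1 ;; esac
    if [ "$idx" -gt 63 ]; then            # a /24 holds only 64 /30 blocks
        echo "index out of range: $idx" >&2
        return 1
    fi
    echo "ifconfig-push ${FIXED_NET}.$(( idx * 4 + 1 )) ${FIXED_NET}.$(( idx * 4 + 2 ))"
}

# snat_rule INDEX PUBLIC_IP -> rule rewriting that client's traffic to PUBLIC_IP
snat_rule() {
    local idx=$1
    local public_ip=$2
    echo "iptables -t nat -A POSTROUTING -s ${FIXED_NET}.$(( idx * 4 + 1 ))" \
         "-o ${WAN_IF} -j SNAT --to-source ${public_ip}"
}

# render_plan PUBLIC_IP... -> server directives, then one ccd file and one
# SNAT rule per address. The ccd file name must equal the certificate CN.
render_plan() {
    local i=0
    local ip
    echo "client-config-dir ccd"
    echo "route ${FIXED_NET}.0 255.255.255.0"
    for ip in "$@"; do
        echo "# ccd/client$(( i + 1 ))"
        ccd_line "$i" || return 1
        snat_rule "$i" "$ip"
        i=$(( i + 1 ))
    done
}

render_plan 203.0.113.26 203.0.113.27 203.0.113.28 203.0.113.29 203.0.113.30
```

The public addresses have to stay configured on the outbound interface for the SNAT replies to reach the server, and IP forwarding must be enabled.
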
ZOOM_ Posted November 16, 2013 Author (edited)

> But it seems to me as if I'm speaking Spanish to you :|

Sounds like Spanish :)

Edited November 16, 2013 by Parlament ZOOM

mohican Posted November 16, 2013

Well, then you've gotten in over your head :P I take it you haven't even generated the certificates and started the variant with a single IP address?

ZOOM_ Posted November 16, 2013 Author

> Well, then you've gotten in over your head :P I take it you haven't even generated the certificates and started the variant with a single IP address?

I have, and wouldn't you know it, there's no way out to the internet. It's as if it's something to do with the firewall, but I can't figure out what. I set up iptables too, and damned if I know what's wrong with it.

mohican Posted November 16, 2013

Which addresses do you get on the tap interface on your side, which one shows up on the server when you connect, and how did you set up iptables?

ZOOM_ Posted November 16, 2013 Author

    # "MOJ IP" means "my IP"; it is the poster's placeholder for the real address
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
    iptables -A FORWARD -j REJECT
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source MOJ IP

My address is 10.8.0.6 on the client when I look.

mohican Posted November 16, 2013

And do you get a public address or a private one on the client computer? If you get the one from the generic config, that's private; to get internet through it you have to add a NAT rule.

Which gateway do you get on the client machine, and is "MOJ IP" ("my IP") your public IP?

And tell me what you get from this command

    cat /proc/sys/net/ipv4/ip_forward

ZOOM_ Posted November 16, 2013 Author (edited)

cat /proc/sys/net/ipv4/ip_forward gives me 1, I've done that.

    Proto  Local Address                       Foreign Address    State
    TCP    0.0.0.0:135                         0.0.0.0:0          LISTENING
    TCP    0.0.0.0:445                         0.0.0.0:0          LISTENING
    TCP    0.0.0.0:23053                       0.0.0.0:0          LISTENING
    TCP    0.0.0.0:49152                       0.0.0.0:0          LISTENING
    TCP    0.0.0.0:49153                       0.0.0.0:0          LISTENING
    TCP    0.0.0.0:49154                       0.0.0.0:0          LISTENING
    TCP    0.0.0.0:49155                       0.0.0.0:0          LISTENING
    TCP    0.0.0.0:49156                       0.0.0.0:0          LISTENING
    TCP    0.0.0.0:49157                       0.0.0.0:0          LISTENING
    TCP    10.8.0.6:139                        0.0.0.0:0          LISTENING
    TCP    127.0.0.1:25340                     0.0.0.0:0          LISTENING
    TCP    127.0.0.1:25340                     127.0.0.1:49182    ESTABLISHE
    TCP    127.0.0.1:49182                     127.0.0.1:25340    ESTABLISHE
    TCP    192.168.1.2:139                     0.0.0.0:0          LISTENING
    TCP    [::]:135                            [::]:0             LISTENING
    TCP    [::]:445                            [::]:0             LISTENING
    TCP    [::]:23053                          [::]:0             LISTENING
    TCP    [::]:49152                          [::]:0             LISTENING
    TCP    [::]:49153                          [::]:0             LISTENING
    TCP    [::]:49154                          [::]:0             LISTENING
    TCP    [::]:49155                          [::]:0             LISTENING
    TCP    [::]:49156                          [::]:0             LISTENING
    TCP    [::]:49157                          [::]:0             LISTENING
    UDP    0.0.0.0:500                         *:*
    UDP    0.0.0.0:4500                        *:*
    UDP    0.0.0.0:5355                        *:*
    UDP    0.0.0.0:9887                        *:*
    UDP    0.0.0.0:9888                        *:*
    UDP    0.0.0.0:59401                       *:*
    UDP    10.8.0.6:137                        *:*
    UDP    10.8.0.6:138                        *:*
    UDP    192.168.1.2:137                     *:*
    UDP    192.168.1.2:138                     *:*
    UDP    [::]:500                            *:*
    UDP    [::]:4500                           *:*
    UDP    [::]:5355                           *:*
    UDP    [fe80::c29:750e:df54:3c5d%17]:546   *:*

Edited November 16, 2013 by Parlament ZOOM

mohican Posted November 16, 2013

On Linux, type

    ip route list

What you sent is netstat's list of connections.

ZOOM_ Posted November 16, 2013 Author

    root@vds:~# ip route list
    default via xx.x.xxx.25 dev eth0
    10.8.0.0/24 via 10.8.0.2 dev tun0
    10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
    xx.x.xxx.24/29 dev eth0 proto kernel scope link src xx.x.xxx.26

peja_ Posted November 16, 2013

http://www.youtube.com/watch?v=Uwhq1t7bNt8

mohican Posted November 16, 2013

>     root@vds:~# ip route list
>     default via xx.x.xxx.25 dev eth0
>     10.8.0.0/24 via 10.8.0.2 dev tun0
>     10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
>     xx.x.xxx.24/29 dev eth0 proto kernel scope link src xx.x.xxx.26

Sorry, I meant to say give me the list of routes on your computer when you're connected to the VPN. If you're on Windows, type in cmd

    route print

Btw, I think that in this configuration internet through the VPN would start working for you if you typed this on Linux

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE

provided that the default gateway is set up properly on your computer.

But then you would be behind NAT, i.e. I'm not sure whether that's what you want to achieve, since above you're using source NAT, which isn't the same.

ZOOM_ Posted November 21, 2013 Author

But I tried MASQUERADE first and still nothing. I don't get it.