OpenVPN allows some users to jump to other hosts in the LAN

All users can connect to the host where OpenVPN runs, but some users can jump to other hosts in the LAN. For example, user foo can reach host 10.2.0.1/32 (where OpenVPN runs) and the hosts at 10.0.0.0/24, but user bar can reach only the host 10.2.0.1/32.

For both users, the route table is the same:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    302    0        0 wlan0
10.1.0.0        10.2.0.5        255.255.255.128 UG    0      0        0 tun0
10.2.0.1        10.2.0.5        255.255.255.255 UGH   0      0        0 tun0
10.2.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0

To generate the client's key I run

cd /usr/share/easy-rsa/2.0
source vars
./build-key --batch foo

The /etc/openvpn/server.conf file has:

; server
mode       server
port       1194
proto      udp
dev        tun
keepalive  10 120


; networking
server     10.2.0.0 255.255.255.0
ifconfig   10.2.0.1 255.255.255.0
push       "route 10.1.0.0 255.255.255.128"
ifconfig-pool-persist ipp.txt

The server is a CentOS 7 (x86_64) running OpenVPN 2.3.11 and Easy RSA 2.2.2.

0
asked 26 December 2016 at 17:41
1 answer

My mistake: the problem was in the POSTROUTING rule in iptables, which was

-A POSTROUTING -s 10.2.0.0/27 -o eno1 -j MASQUERADE

and it should be

-A POSTROUTING -s 10.2.0.0/24 -o eno1 -j MASQUERADE

0
answered 5 December 2019 at 08:56
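The failure in the answer is a mask mismatch: the `server` directive hands out addresses from the whole 10.2.0.0/24 pool, but the MASQUERADE rule only matched sources in 10.2.0.0/27, so any client that received 10.2.0.32 or higher was never NATed toward the LAN. The following check, an added example that is not part of the question or the answer, parses the pool out of a server.conf fragment and the `-s` source out of the POSTROUTING rules, then reports which pool addresses no MASQUERADE rule covers. The config text and rule strings are constructed inline from the values in this thread; the function names are this example's own.

```python
import ipaddress
import re

# Constructed inputs, copied from the thread: the pool line from server.conf
# and the two iptables POSTROUTING rules (the wrong one and the corrected one).
SERVER_CONF = """
server     10.2.0.0 255.255.255.0
ifconfig   10.2.0.1 255.255.255.0
push       "route 10.1.0.0 255.255.255.128"
"""
RULE_WRONG = "-A POSTROUTING -s 10.2.0.0/27 -o eno1 -j MASQUERADE"
RULE_FIXED = "-A POSTROUTING -s 10.2.0.0/24 -o eno1 -j MASQUERADE"


def pool_network(conf):
    """Return the VPN client pool as a network from the `server <addr> <mask>` line."""
    m = re.search(r"^\s*server\s+(\S+)\s+(\S+)", conf, re.MULTILINE)
    if not m:
        raise ValueError("no 'server' directive found")
    # ipaddress accepts the dotted netmask form "10.2.0.0/255.255.255.0"
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)


def masquerade_sources(rules):
    """Collect the -s source network of every POSTROUTING MASQUERADE rule."""
    sources = []
    for rule in rules:
        if "POSTROUTING" not in rule or "MASQUERADE" not in rule:
            continue
        m = re.search(r"-s\s+(\S+)", rule)
        if m:
            sources.append(ipaddress.ip_network(m.group(1), strict=False))
    return sources


def unmasqueraded_clients(pool, sources):
    """Pool host addresses (network and broadcast excluded) that no rule covers."""
    return [host for host in pool.hosts()
            if not any(host in src for src in sources)]


def check(conf, rules):
    """Summarise pool vs. NAT coverage; 'uncovered' must be 0 for a correct setup."""
    pool = pool_network(conf)
    sources = masquerade_sources(rules)
    missing = unmasqueraded_clients(pool, sources)
    return {
        "pool": str(pool),
        "sources": [str(s) for s in sources],
        "uncovered": len(missing),
        "first_uncovered": str(missing[0]) if missing else None,
    }


if __name__ == "__main__":
    print("wrong rule:", check(SERVER_CONF, [RULE_WRONG]))
    print("fixed rule:", check(SERVER_CONF, [RULE_FIXED]))
```

With the /27 rule the report shows 223 uncovered pool addresses starting at 10.2.0.32, which is exactly the population of clients that could not reach the LAN; with the /24 rule it shows none. Run the same check against the live pool in ipp.txt and the output of `iptables -t nat -S POSTROUTING` to catch the mismatch before clients report it.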
