PC (internal) ------------- Firewall 1 ------------------------- Firewall 2 ---------------------- Internet
192.168.30.11 ------ 192.168.30.240 | 192.168.40.240 ------ 192.168.40.250 | 10.1.0.131 ------ Internet
Laptop (external) ------ Internet
10.1.0.21 ------ Internet
Firewall 1:
Code:
# new connections from the LAN side (eth0) out through eth1 (towards Firewall 2)
-A FORWARD -i eth0 -o eth1 -m state --state NEW -j ACCEPT
# OpenVPN listeners, reachable from the eth1 side only
-A INPUT -i eth1 -p udp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -p udp --dport 1195 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
-F
# source NAT for everything leaving towards Firewall 2
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
Firewall 2:
Code:
...
# after DNAT, let the forwarded UDP traffic for DNS and both OpenVPN ports through
-A FORWARD -p udp -m multiport --dport 53,1194,1195 -m state --state NEW -j ACCEPT
...
COMMIT
*nat
-F
# OpenVPN ports arriving on the Internet side (eth1, 10.1.0.131) go to Firewall 1
-A PREROUTING -i eth1 -p udp --dport 1194 -j DNAT --to-destination 192.168.40.240
-A PREROUTING -i eth1 -p udp --dport 1195 -j DNAT --to-destination 192.168.40.240
-A POSTROUTING -o eth1 -j MASQUERADE
...
Server config:
Code:
# Server Config
;script-security 3
# Server
mode server
;tls-server
;tls-auth /etc/openvpn/certs/ta.key 0
# VPN Port
port 1194
# UDP Server
proto udp
# TAP/TUN Device
dev tap
# Certificate, Key and Pem paths
ca /etc/openvpn/certs/f223CA.chain.crt
cert /etc/openvpn/certs/firma-a.f223.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/dh2048.pem
# Ipp file
ifconfig-pool-persist ipp.txt
# Server Bridge: gateway, netmask, first and last address of the client pool
server-bridge 192.168.30.240 255.255.255.0 192.168.30.100 192.168.30.130
# Connection Client to Client
client-to-client
# Other settings
keepalive 10 120 # keepalive probes
comp-lzo yes # enable compression
user nobody # drop privileges to this user after start-up
group nogroup # and to this group
persist-key
persist-tun
status openvpn-status.log # status file
;log-append openvpn.log
verb 5 # log verbosity
;cipher AES-256-CBC
;auth SHA1
#push "ping 10"
#push "ping-restart 60"
push "dhcp-option DOMAIN firma-a.f223" # a bare DOMAIN is not an option; it must be pushed as dhcp-option
push "dhcp-option DNS 192.168.40.1"
push "route-gateway 192.168.30.240"
push "route 192.168.30.0 255.255.255.0" # redundant for a tap client that already sits in this subnet
push "redirect-gateway bypass-dhcp"
#push "route-gateway 192.168.30.240"
#push "redirect-gateway def1 bypass-dhcp"
#push "route-gateway 192.168.40.250"
Client config:
Code:
dev tap
proto udp
remote 10.1.0.131 1194
client
;tls-client
;tls-auth ta.key 1
keepalive 15 120
verb 3
;script-security 3
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server # deprecated; remote-cert-tls server is the current equivalent
ca f223CA.chain.crt
cert itsec@firma-a.f223.crt
key itsec.key
;cipher AES-256-CBC
;auth SHA1
route-delay 10
comp-lzo yes
key-direction 1 # only takes effect once tls-auth is enabled
pull # already implied by 'client'
Code:
Ping from PC to 192.168.30.100 (the client's IP)
Destination Host Unreachable
route
Destination | Gateway | Genmask | Flags | Metric | Ref | Use | Iface
192.168.30.0 * 255.255.255.0 U 0 0 0 eth0
Code:
Ping from Laptop to 192.168.30.11 and .240
Destination Host Unreachable
route
Destination | Gateway | Genmask | Flags | Metric | Ref | Use | Iface
192.168.30.0 192.168.30.240 255.255.255.0 UG 0 0 0 tap0
192.168.30.0 * 255.255.255.0 U 0 0 0 tap0
Best regards, Dave
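Added example (not part of Dave's post): a small Python check for the server-bridge set-up posted above. With `server-bridge` the tap device has to be enslaved to the bridge that carries the LAN interface and the 192.168.30.240 gateway address; otherwise a client receives a pool address but has no layer-2 path to the LAN and pings end in "Destination Host Unreachable". The script reports whether `ip -o link show master br0` lists the tap device, lints the `server-bridge` and `push` lines of the server config (it flags a bare `DOMAIN` push, which is not an OpenVPN option, and a pushed route for the bridge subnet itself, which is what produces the second 192.168.30.0 entry in the laptop's routing table), and finds duplicate destinations in `route` output. The bridge name br0, the `ip -o link` sample lines and the condensed server config are constructed for the example.

```python
"""Checks for an OpenVPN server-bridge (dev tap) set-up.

Added example, not code from the thread.  It parses the kinds of text posted
above (server config, the client's `route` output, `ip -o link show master br0`
on the server) and flags mistakes that end in "Destination Host Unreachable".
"""
import ipaddress
import re
import shlex

# Options OpenVPN accepts inside push "..." (subset, enough for this check).
PUSHABLE = {"route", "route-gateway", "redirect-gateway", "dhcp-option",
            "ping", "ping-restart", "route-ipv6", "topology", "ifconfig"}


def parse_config(text):
    """Return [(option, [args])] with ';' and '#' comments removed."""
    opts = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith((";", "#")):
            words = shlex.split(line, comments=True)  # drops trailing "# ..."
            opts.append((words[0], words[1:]))
    return opts


def check_server_bridge(text):
    """List the problems a server-bridge config reveals about itself."""
    problems, byname = [], {}
    for name, args in parse_config(text):
        byname.setdefault(name, []).append(args)
    dev = byname.get("dev", [["?"]])[0][0]
    sb = byname.get("server-bridge", [[]])[0]
    net = None
    if sb and not dev.startswith("tap"):
        problems.append("server-bridge requires 'dev tap', found 'dev %s'" % dev)
    if len(sb) == 4:  # gateway netmask pool-start pool-end
        gw, mask, first, last = sb
        net = ipaddress.ip_network("%s/%s" % (gw, mask), strict=False)
        gw_a, lo, hi = (ipaddress.ip_address(x) for x in (gw, first, last))
        if not (lo in net and hi in net and lo <= hi):
            problems.append("pool %s-%s lies outside %s" % (first, last, net))
        if lo <= gw_a <= hi:
            problems.append("pool %s-%s contains the gateway %s" % (first, last, gw))
    for args in byname.get("push", []):
        pushed = " ".join(args)
        words = pushed.split()
        if words[0] not in PUSHABLE:
            hint = (" (did you mean 'dhcp-option %s'?)" % words[0]
                    if words[0] in ("DNS", "DOMAIN", "WINS") else "")
            problems.append("push \"%s\": '%s' is not an option%s" % (pushed, words[0], hint))
        elif words[0] == "route" and net and len(words) >= 3:
            r = ipaddress.ip_network("%s/%s" % (words[1], words[2]), strict=False)
            if r == net:
                problems.append("pushed route %s is the bridge subnet itself; on a tap "
                                "client it only adds a duplicate route" % r)
    return problems


def duplicate_routes(route_output):
    """(destination, genmask) pairs listed more than once in `route` output."""
    seen = {}
    for line in route_output.splitlines():
        f = line.split()
        if len(f) >= 8 and re.match(r"\d+\.\d+\.\d+\.\d+$", f[0]):
            seen[(f[0], f[2])] = seen.get((f[0], f[2]), 0) + 1
    return [k for k, n in seen.items() if n > 1]


def tap_enslaved(ip_link_output, tap="tap0"):
    """True if `ip -o link show master <bridge>` lists the tap device."""
    return any(re.match(r"\d+: %s[@:]" % re.escape(tap), line)
               for line in ip_link_output.splitlines())


# Constructed sample: the push lines of the posted server config, with DOMAIN
# pushed bare (the valid form is dhcp-option DOMAIN).
SERVER_CONF = """\
dev tap
server-bridge 192.168.30.240 255.255.255.0 192.168.30.100 192.168.30.130
keepalive 10 120 # keepalive probes
push "dhcp-option DNS 192.168.40.1"
push "DOMAIN firma-a.f223"
push "route-gateway 192.168.30.240"
push "route 192.168.30.0 255.255.255.0"
push "redirect-gateway bypass-dhcp"
"""
# The laptop's routing table from the thread, `route -n` style.
LAPTOP_ROUTE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.30.0    192.168.30.240  255.255.255.0   UG    0      0        0 tap0
192.168.30.0    *               255.255.255.0   U     0      0        0 tap0
"""
# Constructed `ip -o link show master br0` output, with and without tap0.
BRIDGE_OK = ("2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state UP\n"
             "5: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state UP\n")
BRIDGE_MISSING = BRIDGE_OK.splitlines()[0] + "\n"

if __name__ == "__main__":
    for p in check_server_bridge(SERVER_CONF):
        print("config:", p)
    for dst, mask in duplicate_routes(LAPTOP_ROUTE):
        print("client: %s/%s appears twice in the routing table" % (dst, mask))
    print("tap0 in br0:", tap_enslaved(BRIDGE_OK), "/", tap_enslaved(BRIDGE_MISSING))
```

On the real server, feed `tap_enslaved` the output of `ip -o link show master br0` (or whatever the bridge is called); if it comes back False, the tap device is not bridged and no amount of firewall or push tuning will make the LAN reachable.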