Oddities with OpenVPN and iptables from Entware


Hi all. I can't solve a problem with OpenVPN and iptables.

I have an OpenVPN server on Debian 10 and 2 clients (KN1910 and ZK Ultra1).

The problem is that I cannot ping the OVPN client IP of the ZK Ultra1.

For the ZK Ultra1 the configuration was copied verbatim from the KN1910; only the IP and the keys were changed.

Everything else is identical. From the client itself the server pings fine.

On both clients a script "filter.sh" was created in the "/opt/etc/ndm/netfilter.d" directory:

#!/bin/sh

PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# ndm passes the table being rebuilt in $table; only act on the filter table
[ "$table" != "filter" ] && exit 0

# OpenVPN tun: accept traffic arriving on tun0 and forwarding in both directions
iptables -A INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT

What I noticed: if the ZK Ultra1 is rebooted, a few packets get through while it is booting up, but then everything stops.

~ # ping 192.168.5.252
PING 192.168.5.252 (192.168.5.252): 56 data bytes
64 bytes from 192.168.5.252: seq=636 ttl=64 time=7.960 ms
64 bytes from 192.168.5.252: seq=637 ttl=64 time=5.706 ms
64 bytes from 192.168.5.252: seq=638 ttl=64 time=7.400 ms
64 bytes from 192.168.5.252: seq=639 ttl=64 time=8.075 ms
64 bytes from 192.168.5.252: seq=640 ttl=64 time=9.381 ms
64 bytes from 192.168.5.252: seq=641 ttl=64 time=6.326 ms
64 bytes from 192.168.5.252: seq=642 ttl=64 time=7.234 ms
64 bytes from 192.168.5.252: seq=643 ttl=64 time=8.452 ms
64 bytes from 192.168.5.252: seq=644 ttl=64 time=6.350 ms
64 bytes from 192.168.5.252: seq=645 ttl=64 time=8.631 ms
64 bytes from 192.168.5.252: seq=646 ttl=64 time=5.479 ms
^C
--- 192.168.5.252 ping statistics ---
665 packets transmitted, 11 packets received, 98% packet loss
round-trip min/avg/max = 5.479/7.363/9.381 ms

It feels like the firewall on the ZK Ultra1 is cutting it off. If I enter the rules by hand in the console, nothing happens.

In tcpdump I see the incoming requests but no replies, yet the server pings fine:

~ # tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
14:03:48.830292 IP 192.168.5.254 > 192.168.5.252: ICMP echo request, id 29049, seq 151, length 64
14:03:49.854493 IP 192.168.5.254 > 192.168.5.252: ICMP echo request, id 29049, seq 152, length 64
14:03:50.878867 IP 192.168.5.254 > 192.168.5.252: ICMP echo request, id 29049, seq 153, length 64
14:03:51.902835 IP 192.168.5.254 > 192.168.5.252: ICMP echo request, id 29049, seq 154, length 64
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
~ # ping 192.168.5.254
PING 192.168.5.254 (192.168.5.254): 56 data bytes
64 bytes from 192.168.5.254: seq=0 ttl=63 time=2.261 ms
64 bytes from 192.168.5.254: seq=1 ttl=63 time=2.168 ms
64 bytes from 192.168.5.254: seq=2 ttl=63 time=2.012 ms
^C
--- 192.168.5.254 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 2.012/2.147/2.261 ms
~ #

@Le ecureuil, could this be a bug in 2.16.D.2.0-0?
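Added example for readers (not the poster's script): a variant of the netfilter.d hook that is idempotent, so the rules are not duplicated every time ndm re-runs the hook on a firewall rebuild, and that inserts the INPUT accept with -I rather than appending it with -A, so it lands ahead of any terminating rule the router's own firewall may already hold in that chain. It assumes, as the original script does, that ndm passes the table name in $table; the IPT variable and the function names are this example's own.

```shell
#!/bin/sh
# Idempotent /opt/etc/ndm/netfilter.d hook for an OpenVPN tun0 interface.
# ndm invokes hook scripts on every firewall rebuild and exports the table
# name in $table (assumed here, as in the poster's script). Unguarded -A/-I
# calls therefore accumulate duplicate rules; -C checks before inserting.
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
IPT="${IPT:-iptables}"   # overridable so the logic can be exercised without root

# ensure_rule CHAIN RULE... : insert RULE at the top of CHAIN unless it is
# already present. -I rather than -A so the accept precedes any DROP/REJECT
# rule the stock firewall already has in the chain.
ensure_rule() {
  chain=$1; shift
  if "$IPT" -C "$chain" "$@" 2>/dev/null; then
    return 0            # rule already present: nothing to do
  fi
  "$IPT" -I "$chain" "$@"
}

# The three rules from the original hook, applied through the guard.
apply_tun_rules() {
  ensure_rule INPUT   -i tun0 -j ACCEPT
  ensure_rule FORWARD -i tun0 -j ACCEPT
  ensure_rule FORWARD -o tun0 -j ACCEPT
}

# show_tun_rules: list the rules currently referencing tun0 in INPUT and
# FORWARD, to confirm after a rebuild that the hook took effect exactly once.
show_tun_rules() {
  { "$IPT" -S INPUT; "$IPT" -S FORWARD; } | grep -- tun0
}

if [ "$table" = "filter" ]; then
  apply_tun_rules
fi
```

Run `show_tun_rules` (or `iptables -S FORWARD | grep tun0`) after a reboot: more than one copy of a rule means the hook is being re-applied without a guard, and the absence of the INPUT rule near the top of the chain is the first thing to check when tun0 traffic is seen by tcpdump but never answered.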
