OpenVPN: send client Internet traffic out through a separate server

Short version:

I want my Ubuntu OpenVPN server on AWS to send all of the clients' Internet traffic to another server instead of sending it out directly itself.

Long version:

I am setting up an environment in AWS and, for audit reasons, all Internet traffic has to be routed through a particular gateway. Some users will connect to the network via OpenVPN. I have the OpenVPN server set up and the users can connect, but all of their traffic leaves via the OpenVPN server's own gateway/IP.

I.e. when my clients go to ipcow.com they see AAAA, whereas I want them to see BBBB.

Subnet layout

    --------------------------------------------------
    | AAAA - VPN - 10.0.200.10                       |
    | ---------------------------------------------- |
    | | Private                                    | |
    | | BBBB - Gateway/NAT - 10.0.0.200            | |
    | ---------------------------------------------- |
    --------------------------------------------------

server.conf

    port 1194
    proto udp
    dev tun
    sndbuf 0
    rcvbuf 0
    ca ca.crt
    cert server.crt
    key server.key
    dh dh.pem
    tls-auth ta.key 0
    topology subnet
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "route 0.0.0.0 0.0.0.0 10.0.0.200"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    keepalive 10 120
    cipher AES-128-CBC
    comp-lzo
    user nobody
    group nogroup
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    crl-verify crl.pem

client.ovpn

    client
    dev tun
    proto udp
    sndbuf 0
    rcvbuf 0
    remote PPPP 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    remote-cert-tls server
    cipher AES-128-CBC
    comp-lzo
    setenv opt block-outside-dns
    key-direction 1
    verb 3

Connection log

    Unrecognized option or missing parameter(s) in vpn.ovpn:14: block-outside-dns (2.3.10)
    OpenVPN 2.3.10 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 14 2016
    library versions: OpenSSL 1.0.2h 3 May 2016, LZO 2.09
    Control Channel Authentication: tls-auth using INLINE static key file
    Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Socket Buffers: R=[212992->212992] S=[212992->212992]
    UDPv4 link local: [undef]
    UDPv4 link remote: [AF_INET]PPPP:1194
    TLS: Initial packet from [AF_INET]PPPP:1194, sid=5678375f 5c54cccd
    VERIFY OK: depth=1, CN=ChangeMe
    Validating certificate key usage
    ++ Certificate has key usage 00a0, expects 00a0
    VERIFY KU OK
    Validating certificate extended key usage
    ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    VERIFY EKU OK
    VERIFY OK: depth=0, CN=server
    Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    [server] Peer Connection Initiated with [AF_INET]PPPP:1194
    SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route 10.0.0.0 255.255.0.0,route 0.0.0.0 0.0.0.0 10.0.0.200 0,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0'
    OPTIONS IMPORT: timers and/or timeouts modified
    OPTIONS IMPORT: --ifconfig/up options modified
    OPTIONS IMPORT: route options modified
    OPTIONS IMPORT: route-related options modified
    OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    ROUTE_GATEWAY 192.168.42.129/255.255.255.0 IFACE=enp0s20f0u1 HWADDR=
    TUN/TAP device tun0 opened
    TUN/TAP TX queue length set to 100
    do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    /usr/bin/ip link set dev tun0 up mtu 1500
    /usr/bin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
    /usr/bin/ip route add PPPP/32 via 192.168.42.129
    /usr/bin/ip route add 0.0.0.0/1 via 10.8.0.1
    /usr/bin/ip route add 128.0.0.0/1 via 10.8.0.1
    /usr/bin/ip route add 10.0.0.0/16 via 10.8.0.1
    /usr/bin/ip route add 0.0.0.0/0 metric 0 via 10.0.0.200
    RTNETLINK answers: Network is unreachable
    ERROR: Linux route add command failed: external program exited with error status: 2
    Initialization Sequence Completed

My attempt to add a 0.0.0.0/0 route obviously did not work.

The following steps were needed to reach my goal.

  1. echo "200 vpn" >> /etc/iproute2/rt_tables

  2. ip route add default via 10.0.0.200 table vpn

  3. ip rule add from 10.8.0.0/24 lookup vpn

Which gives me the following.

[image not available]
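The three policy-routing steps from the answer above, as an added shell example that is not the poster's own script: it prints the commands first so they can be reviewed, applies them only on `--apply`, and includes a small check over `ip rule show` output. The addresses, the table id 200 and the table name `vpn` are the post's values; the environment variable names, the `--apply` switch and the sample `ip rule show` text are this example's own constructions.

```shell
#!/bin/sh
# Added example (not the poster's commands): make the answer's three
# policy-routing steps repeatable. Addresses, table id and table name come
# from the post; the variables, --apply switch and sample output are mine.
set -eu

VPN_CLIENT_NET="${VPN_CLIENT_NET:-10.8.0.0/24}"   # OpenVPN pool: server 10.8.0.0 255.255.255.0
AUDIT_GATEWAY="${AUDIT_GATEWAY:-10.0.0.200}"      # BBBB - Gateway/NAT
TABLE_ID="${TABLE_ID:-200}"
TABLE_NAME="${TABLE_NAME:-vpn}"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"

# Emit the commands one per line, in the order they must run. Printing them
# lets an operator review them; --apply pipes them to sh as root.
policy_routing_commands() {
    # 1. Name the table once. ">>" appends; ">" would wipe local/main/default.
    printf 'grep -qxF "%s %s" %s || echo "%s %s" >> %s\n' \
        "$TABLE_ID" "$TABLE_NAME" "$RT_TABLES" "$TABLE_ID" "$TABLE_NAME" "$RT_TABLES"
    # 2. Default route in that table only; the main table keeps the host's own.
    printf 'ip route replace default via %s table %s\n' \
        "$AUDIT_GATEWAY" "$TABLE_NAME"
    # 3. Source-based rule: only packets from the VPN pool consult the table.
    #    Guarded, because "ip rule add" happily inserts duplicates on re-run.
    printf 'ip rule show | grep -q "from %s lookup %s" || ip rule add from %s lookup %s\n' \
        "$VPN_CLIENT_NET" "$TABLE_NAME" "$VPN_CLIENT_NET" "$TABLE_NAME"
}

# Check helper: reads "ip rule show" output on stdin and succeeds when the VPN
# pool is steered to the table. The "( |$)" anchor stops "vpn" from matching
# a table that merely starts with that name (e.g. "vpn2").
rule_present() {
    grep -qE "from ${VPN_CLIENT_NET} lookup ${TABLE_NAME}( |$)"
}

# Constructed sample of "ip rule show" after the steps ran (not real output
# from the post); used to exercise rule_present without root.
SAMPLE_IP_RULE_SHOW='0:      from all lookup local
32765:  from 10.8.0.0/24 lookup vpn
32766:  from all lookup main
32767:  from all lookup default'

if [ "${1:-}" = "--apply" ]; then
    policy_routing_commands | sh -e
else
    policy_routing_commands
    printf '%s\n' "$SAMPLE_IP_RULE_SHOW" | rule_present && echo "sample rule set: OK"
fi
```

Run it without arguments to see the exact commands, and as root with `--apply` on the VPN host to execute them. Two points the post does not cover: the route and rule live only in the running kernel and disappear at reboot, so they need a boot-time hook or an OpenVPN `up` script to persist; and the gateway at 10.0.0.200 has to accept and NAT packets sourced from 10.8.0.0/24, otherwise the VPN clients' traffic is steered there and dropped.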