Как заставить openvpn клиентов ходить в интернет через VPN

urnash

10 фев 2019, 16:50

Проблема в том, что клиенты подключаются (ПК и телефон с официальным клиентом), но видят только локальные ресурсы. Нужно, чтобы весь трафик клиентов шёл через ВПН.

Сжатый конфиг (удалил лишнее):


# Static OVPN server binding interfaces, one per PPP user (ovpn, username).
# NOTE(review): the name ovpn-in-ovpn is also used as "profile=" by the
# server and by the ovpn secret further down, but no /ppp profile of that
# name appears in this trimmed export — confirm such a profile exists rather
# than assuming the interface name doubles as a profile name.
/interface ovpn-server
add disabled=no name=ovpn-in-ovpn user=ovpn
add comment="" disabled=no name=ovpn-in-username user=username
# dhcp-pool serves the LAN (192.168.30.0/24 on the bridge).
# vpn-pool is not referenced by any profile in this export (each profile has
# !remote-address) and the ovpn secret pins remote-address=192.168.31.2, so
# the pool is unused unless a profile outside the export refers to it.
/ip pool
add name=dhcp-pool ranges=192.168.30.100-192.168.30.254
add name=vpn-pool ranges=192.168.31.100-192.168.31.254
# LAN DHCP server on the bridge, handing out dhcp-pool with 1-day leases.
/ip dhcp-server
add address-pool=dhcp-pool authoritative=yes bootp-support=static disabled=no \
    interface=bridge lease-script="" lease-time=1d name=dhcp use-radius=no
# PPP profiles. None of them sets local-address/remote-address, so tunnel
# addressing has to come from the secret (or from a profile not shown here).
/ppp profile
# Built-in "default" profile: MSS clamping on, no DNS/WINS handed out,
# encryption left at "default".
set *0 address-list="" !bridge !bridge-horizon !bridge-path-cost \
    !bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout \
    !incoming-filter !insert-queue-before !interface-list !local-address \
    name=default on-down="" on-up="" only-one=default !outgoing-filter \
    !parent-queue !queue-type !rate-limit !remote-address !session-timeout \
    use-compression=default use-encryption=default use-mpls=default use-upnp=\
    default !wins-server
# Profile for the "username" account: advertises the router's LAN address
# (192.168.30.1) as DNS and WINS server, insists on encryption
# (use-encryption=required — stricter than both built-ins) and allows
# several concurrent sessions for the same user (only-one=no).
add address-list="" !bridge !bridge-horizon !bridge-path-cost \
    !bridge-port-priority change-tcp-mss=default comment="" dns-server=192.168.30.1 !idle-timeout !incoming-filter \
    !insert-queue-before !interface-list !local-address name=ovpn-in-username \
    on-down="" on-up="" only-one=no !outgoing-filter !parent-queue \
    !queue-type !rate-limit !remote-address !session-timeout use-compression=\
    default use-encryption=required use-mpls=default use-upnp=default \
    wins-server=192.168.30.1
# Built-in "default-encryption" profile (use-encryption=yes).
set *FFFFFFFE address-list="" !bridge !bridge-horizon !bridge-path-cost \
    !bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout \
    !incoming-filter !insert-queue-before !interface-list !local-address \
    name=default-encryption on-down="" on-up="" only-one=default \
    !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address \
    !session-timeout use-compression=default use-encryption=yes use-mpls=\
    default use-upnp=default !wins-server
# WAN uplink: PPPoE on ether1. add-default-route=no — the default route is
# added statically under /ip route instead; use-peer-dns=no — ISP DNS is not
# taken over. The user/password values look like the author's placeholders
# for the post, not real credentials.
/interface pppoe-client
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 \
    dial-on-demand=no disabled=no interface=ether1 keepalive-timeout=30 \
    max-mru=auto max-mtu=auto mrru=disabled name=pppoe-out password=0000000 \
    profile=pppoe-out service-name="" use-peer-dns=no user=00000000


# OVPN server: SHA1 HMAC + AES-256, IP (tun) mode with a /24 netmask.
# require-client-certificate=yes — a client certificate is verified in
# addition to the PPP user/password, which is what the <cert>/<key> plus
# auth-user-pass combination in the client config quoted later in the post
# provides. The listening port is redacted (***); the client config and the
# input filter rule both use tcp/443. default-profile=ovpn-in-ovpn refers to
# a profile that is not present in this trimmed export — confirm it exists.
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 default-profile=ovpn-in-ovpn \
    enabled=yes keepalive-timeout=15 mac-address=000000 max-mtu=\
    1500 mode=ip netmask=24 port=*** require-client-certificate=yes

# Router's LAN address on the bridge; this is also the DNS/WINS address the
# ovpn-in-username profile hands to VPN clients.
/ip address
add address=192.168.30.1/24 disabled=no interface=bridge network=192.168.30.0

# Filter rules: the RouterOS default firewall ("defconf") plus one added
# input rule for the OpenVPN port. Rule order matters — packets are matched
# top-down within each chain.
/ip firewall filter
# input: accept established/related/untracked (stateful fast path).
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    connection-state=established,related,untracked !connection-type !content \
    disabled=no !dscp !dst-address !dst-address-list !dst-address-type \
    !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port \
    !in-bridge-port-list !in-interface !in-interface-list !ingress-priority \
    !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" \
    !nth !out-bridge-port !out-bridge-port-list !out-interface \
    !out-interface-list !packet-mark !packet-size !per-connection-classifier \
    !port !priority !protocol !psd !random !routing-mark !routing-table \
    !src-address !src-address-list !src-address-type !src-mac-address \
    !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
# input: the author's addition — accept the OpenVPN listener (tcp/443) from
# the PPPoE uplink, any connection-state. NOTE(review): it sits ahead of the
# "drop invalid" rule below; moving it after that rule keeps the defconf
# ordering in which invalid packets are dropped before any accept.
add action=accept chain=input comment="" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit dst-port=443 !fragment !hotspot \
    !icmp-options !in-bridge-port !in-bridge-port-list in-interface=pppoe-out \
    !in-interface-list !ingress-priority !ipsec-policy !ipv4-options \
    !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \
    !out-bridge-port-list !out-interface !out-interface-list !packet-mark \
    !packet-size !per-connection-classifier !port !priority protocol=tcp !psd \
    !random !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
# input: drop invalid conntrack state.
add action=drop chain=input comment="defconf: drop invalid" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    connection-state=invalid !connection-type !content disabled=no !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
    !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list \
    !in-interface !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !routing-table !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !tls-host !ttl
# input: accept ICMP from anywhere (unrestricted, as in defconf).
add action=accept chain=input comment="defconf: accept ICMP" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \
    !out-interface !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority protocol=icmp !psd !random \
    !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
# input: drop everything else not arriving from the LAN interface list.
# The \xx escapes in the comment are the export's encoding of a non-ASCII
# (Cyrillic) note the author added; leave them as-is.
# NOTE(review): VPN clients are told to use 192.168.30.1 (the router) for
# DNS, but this rule drops router-bound traffic from any interface outside
# the LAN list. Interface-list membership is not part of this export — if
# the dynamic OVPN interfaces are not in LAN, client DNS queries to the
# router are dropped here; confirm.
add action=drop chain=input comment="defconf: drop all not coming from LAN (\
    \C2\D2\D7 \E2\F0\EE\E4\E5 \E7\E0\EA\F0\FB\E2\E0\E5\F2 53 \EF\EE\F0\F2 \C4\
    \CD\D1 \ED\E0 \E2\ED\E5\F8\ED\E8\F5 \E8\ED\F2\E5\F0\F4\E5\E9\F1\E0\F5)" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-bridge-port !in-bridge-port-list !in-interface in-interface-list=!LAN \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \
    !out-interface !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
# forward: accept traffic matched by an inbound IPsec policy (defconf).
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list \
    !ingress-priority ipsec-policy=in,ipsec !ipv4-options !layer7-protocol \
    !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \
    !out-interface !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
# forward: accept traffic matched by an outbound IPsec policy (defconf).
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list \
    !ingress-priority ipsec-policy=out,ipsec !ipv4-options !layer7-protocol \
    !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \
    !out-interface !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
# forward: fasttrack for established/related — deliberately disabled
# (disabled=yes) by the author, see the link in the comment.
add action=fasttrack-connection chain=forward comment=\
    "defconf: fasttrack (disabled as https://habr.com/ru/post/435372/)" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate connection-state=\
    established,related !connection-type !content disabled=yes !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
    !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list \
    !in-interface !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !routing-table !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !tls-host !ttl
# forward: accept established/related/untracked.
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    connection-state=established,related,untracked !connection-type !content \
    disabled=no !dscp !dst-address !dst-address-list !dst-address-type \
    !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port \
    !in-bridge-port-list !in-interface !in-interface-list !ingress-priority \
    !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" \
    !nth !out-bridge-port !out-bridge-port-list !out-interface \
    !out-interface-list !packet-mark !packet-size !per-connection-classifier \
    !port !priority !protocol !psd !random !routing-mark !routing-table \
    !src-address !src-address-list !src-address-type !src-mac-address \
    !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
# forward: drop invalid conntrack state.
add action=drop chain=forward comment="defconf: drop invalid" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate connection-state=invalid \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface \
    !in-interface-list !ingress-priority !ipsec-policy !ipv4-options \
    !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \
    !out-bridge-port-list !out-interface !out-interface-list !packet-mark \
    !packet-size !per-connection-classifier !port !priority !protocol !psd \
    !random !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
# forward: drop new connections arriving from the WAN list unless they were
# DST-NATed. Only WAN-sourced traffic is restricted here, so forwarding from
# the OVPN interfaces (LAN and Internet bound) is not blocked by this chain.
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" !connection-bytes \
    !connection-limit !connection-mark connection-nat-state=!dstnat \
    !connection-rate connection-state=new !connection-type !content disabled=\
    no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
    !dst-port !fragment !hotspot !icmp-options !in-bridge-port \
    !in-bridge-port-list !in-interface in-interface-list=WAN \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \
    !out-interface !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl

# Source NAT: masquerade everything leaving via the WAN interface list. There
# is no src-address match, so traffic from the VPN subnet (192.168.31.x) is
# masqueraded too once it is routed out pppoe-out — the server side is
# therefore ready for full-tunnel clients. ipsec-policy=out,none keeps
# IPsec-policied traffic out of the masquerade (defconf behaviour).
/ip firewall nat
add action=masquerade chain=srcnat comment="" \
    !connection-bytes !connection-limit !connection-mark !connection-rate \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface \
    !in-interface-list !ingress-priority ipsec-policy=out,none !ipv4-options \
    !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \
    !out-bridge-port-list !out-interface out-interface-list=WAN !packet-mark \
    !packet-size !per-connection-classifier !port !priority !protocol !psd \
    !random !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-mss !time !tls-host \
    !to-addresses !to-ports !ttl


# Static default route via the PPPoE interface (distance 1). Pairs with
# add-default-route=no on pppoe-out, so this is the only default route.
/ip route
add !bgp-as-path !bgp-atomic-aggregate !bgp-communities !bgp-local-pref \
    !bgp-med !bgp-origin !bgp-prepend !check-gateway comment="" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=pppoe-out !route-tag !routing-mark scope=30 target-scope=10

# PPP account for the "ovpn" client. Tunnel endpoints are pinned here
# (server 192.168.31.1, client 192.168.31.2) rather than drawn from vpn-pool;
# routes="" — no extra server-side routes are installed for this client on
# connect. profile=ovpn-in-ovpn matches the server's default-profile, but no
# /ppp profile of that name is present in this trimmed export — confirm.
# The password is the author's placeholder for the post.
/ppp secret
add caller-id="" comment="" disabled=no \
    limit-bytes-in=0 limit-bytes-out=0 local-address=192.168.31.1 name=ovpn \
    password=000000 profile=ovpn-in-ovpn remote-address=192.168.31.2 \
    routes="" service=ovpn
Вкратце:
интернет PPPoE
фаервол заводской defconfig, из дополнений только разрешение на входящий ovpn
в НАТе прописан маскарадинг на внешних интерфейсах (interface list)
роутинги все на динамике, вручную не правил

Конфиг-файл клиентов:
# OpenVPN client profile for the RouterOS server above. Settings that must
# agree with the server side:
#   proto tcp, port 443          -> tcp/443 input rule on pppoe-out
#   cipher AES-256-CBC, auth SHA1 -> server cipher=aes256 auth=sha1
#   auth-user-pass + <cert>/<key> -> PPP secret + require-client-certificate=yes
client
dev tun
proto tcp
# "sample.com" is the author's placeholder for the router's public name.
remote sample.com 443
cipher AES-256-CBC
auth SHA1
resolv-retry infinite
nobind
persist-key
persist-tun
# Prompts for (or reads from a file) the PPP secret's user/password.
auth-user-pass
# Accept only a peer certificate issued for the TLS server role, so another
# client's certificate cannot be used to pose as the server.
remote-cert-tls server
verb 3
# NOTE(review): there is no "redirect-gateway" directive here and nothing in
# the RouterOS export pushes one, so the client routes only the tunnel
# subnet through the VPN — consistent with the symptom in the post (LAN
# resources reachable, Internet not). Adding "redirect-gateway def1", with a
# DNS server that is reachable through the tunnel, is the usual way to send
# all client traffic via the VPN — confirm on a client before rolling out.
# Inline certificate/key material was stripped from the post; the <key>
# block holds the client's private key, so keep this file owner-readable only.
<cert>
</cert>
<key>
</key>
<ca>
</ca>

