Как заставить openvpn клиентов ходить в интернет через VPN

urnash

Проблема в том, что клиенты подключаются (ПК и телефон с официальным клиентом), но видят только локальные ресурсы. Нужно, чтобы весь трафик у клиентов шёл через VPN.

Сжатый конфиг(удалил лишнее):


# Per-user OVPN server bindings. The server itself (port, cipher, certificate
# policy) is configured further down under "/interface ovpn-server server".
/interface ovpn-server
add disabled=no name=ovpn-in-ovpn user=ovpn
add comment="" disabled=no name=ovpn-in-username user=username
# vpn-pool is declared here but nothing in this excerpt references it: the
# ovpn secret below uses a fixed remote-address instead of a pool.
/ip pool
add name=dhcp-pool ranges=192.168.30.100-192.168.30.254
add name=vpn-pool ranges=192.168.31.100-192.168.31.254
/ip dhcp-server
add address-pool=dhcp-pool authoritative=yes bootp-support=static disabled=no \
    interface=bridge lease-script="" lease-time=1d name=dhcp use-radius=no
# NOTE(review): the profile "ovpn-in-ovpn" that the server's default-profile
# and the ovpn secret reference is not present in this section (the author
# trimmed the export) — confirm it exists and which local/remote-address and
# dns-server it assigns, since that is what the "ovpn" user actually gets.
/ppp profile
set *0 address-list="" !bridge !bridge-horizon !bridge-path-cost \
    !bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout \
    !incoming-filter !insert-queue-before !interface-list !local-address \
    name=default on-down="" on-up="" only-one=default !outgoing-filter \
    !parent-queue !queue-type !rate-limit !remote-address !session-timeout \
    use-compression=default use-encryption=default use-mpls=default use-upnp=\
    default !wins-server
# ovpn-in-username hands clients the router's bridge address (192.168.30.1,
# see /ip address) as DNS and WINS. Clients can only use it if the input chain
# accepts traffic from the dynamic ovpn-in-* interfaces — see the
# "drop all not coming from LAN" rule in the filter section.
# use-encryption=required is the stricter of the two settings used here.
add address-list="" !bridge !bridge-horizon !bridge-path-cost \
    !bridge-port-priority change-tcp-mss=default comment="" dns-server=192.168.30.1 !idle-timeout !incoming-filter \
    !insert-queue-before !interface-list !local-address name=ovpn-in-username \
    on-down="" on-up="" only-one=no !outgoing-filter !parent-queue \
    !queue-type !rate-limit !remote-address !session-timeout use-compression=\
    default use-encryption=required use-mpls=default use-upnp=default \
    wins-server=192.168.30.1
set *FFFFFFFE address-list="" !bridge !bridge-horizon !bridge-path-cost \
    !bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout \
    !incoming-filter !insert-queue-before !interface-list !local-address \
    name=default-encryption on-down="" on-up="" only-one=default \
    !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address \
    !session-timeout use-compression=default use-encryption=yes use-mpls=\
    default use-upnp=default !wins-server
# WAN uplink. add-default-route=no: the default route is added statically under
# /ip route below; use-peer-dns=no likewise. The user/password values look like
# placeholders inserted for the post.
/interface pppoe-client
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 \
    dial-on-demand=no disabled=no interface=ether1 keepalive-timeout=30 \
    max-mru=auto max-mtu=auto mrru=disabled name=pppoe-out password=0000000 \
    profile=pppoe-out service-name="" use-peer-dns=no user=00000000


# OVPN server settings. require-client-certificate=yes means a peer needs a
# valid client certificate in addition to the PPP secret (user/password), which
# is what keeps the tcp/443 accept rule on pppoe-out in the filter section
# tolerable. auth=sha1 / cipher=aes256 must match the client config
# ("auth SHA1", "cipher AES-256-CBC" later in the thread). port and
# mac-address are redacted in the post.
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 default-profile=ovpn-in-ovpn \
    enabled=yes keepalive-timeout=15 mac-address=000000 max-mtu=\
    1500 mode=ip netmask=24 port=*** require-client-certificate=yes

# LAN address on the bridge; the same address is what the ovpn-in-username
# profile hands out as DNS/WINS.
/ip address
add address=192.168.30.1/24 disabled=no interface=bridge network=192.168.30.0

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    connection-state=established,related,untracked !connection-type !content \
    disabled=no !dscp !dst-address !dst-address-list !dst-address-type \
    !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port \
    !in-bridge-port-list !in-interface !in-interface-list !ingress-priority \
    !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" \
    !nth !out-bridge-port !out-bridge-port-list !out-interface \
    !out-interface-list !packet-mark !packet-size !per-connection-classifier \
    !port !priority !protocol !psd !random !routing-mark !routing-table \
    !src-address !src-address-list !src-address-type !src-mac-address \
    !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
# Non-default rule: accepts new tcp/443 on pppoe-out from any source for the
# OVPN server. Exposure is bounded by require-client-certificate=yes on the
# server; if clients always come from known ranges, a src-address-list here
# would narrow it further.
add action=accept chain=input comment="" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit dst-port=443 !fragment !hotspot \
    !icmp-options !in-bridge-port !in-bridge-port-list in-interface=pppoe-out \
    !in-interface-list !ingress-priority !ipsec-policy !ipv4-options \
    !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \
    !out-bridge-port-list !out-interface !out-interface-list !packet-mark \
    !packet-size !per-connection-classifier !port !priority protocol=tcp !psd \
    !random !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
add action=drop chain=input comment="defconf: drop invalid" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    connection-state=invalid !connection-type !content disabled=no !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
    !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list \
    !in-interface !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !routing-table !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !tls-host !ttl
add action=accept chain=input comment="defconf: accept ICMP" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \
    !out-interface !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority protocol=icmp !psd !random \
    !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
# Default catch-all for the input chain. The cp1251-escaped part of the
# comment= value decodes roughly as "among other things, seems to close DNS
# port 53 on external interfaces". NOTE(review): the dynamic ovpn-in-*
# interfaces are not shown as LAN members in this excerpt; if they are not in
# the LAN list, VPN clients are dropped here when they try to use the router's
# own DNS (192.168.30.1) that the profile hands out — confirm
# /interface list member.
add action=drop chain=input comment="defconf: drop all not coming from LAN (\
    \C2\D2\D7 \E2\F0\EE\E4\E5 \E7\E0\EA\F0\FB\E2\E0\E5\F2 53 \EF\EE\F0\F2 \C4\
    \CD\D1 \ED\E0 \E2\ED\E5\F8\ED\E8\F5 \E8\ED\F2\E5\F0\F4\E5\E9\F1\E0\F5)" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-bridge-port !in-bridge-port-list !in-interface in-interface-list=!LAN \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \
    !out-interface !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list \
    !ingress-priority ipsec-policy=in,ipsec !ipv4-options !layer7-protocol \
    !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \
    !out-interface !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list \
    !ingress-priority ipsec-policy=out,ipsec !ipv4-options !layer7-protocol \
    !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \
    !out-interface !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
# Fasttrack is disabled=yes here. That matters for the mangle route-marking
# discussed later in the thread: fasttracked connections skip mangle, so it
# must stay off or exclude the VPN interfaces (a later reply shows the
# no_fasttrack list pattern).
add action=fasttrack-connection chain=forward comment=\
    "defconf: fasttrack (disabled as https://habr.com/ru/post/435372/)" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate connection-state=\
    established,related !connection-type !content disabled=yes !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
    !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list \
    !in-interface !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !routing-table !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !tls-host !ttl
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    connection-state=established,related,untracked !connection-type !content \
    disabled=no !dscp !dst-address !dst-address-list !dst-address-type \
    !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port \
    !in-bridge-port-list !in-interface !in-interface-list !ingress-priority \
    !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" \
    !nth !out-bridge-port !out-bridge-port-list !out-interface \
    !out-interface-list !packet-mark !packet-size !per-connection-classifier \
    !port !priority !protocol !psd !random !routing-mark !routing-table \
    !src-address !src-address-list !src-address-type !src-mac-address \
    !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
add action=drop chain=forward comment="defconf: drop invalid" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate connection-state=invalid \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface \
    !in-interface-list !ingress-priority !ipsec-policy !ipv4-options \
    !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \
    !out-bridge-port-list !out-interface !out-interface-list !packet-mark \
    !packet-size !per-connection-classifier !port !priority !protocol !psd \
    !random !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
# Last forward rule: only matches in-interface-list=WAN, so new forwarded
# connections from VPN clients are affected only if the ovpn-in-* interfaces
# end up in the WAN list (membership is not shown in this excerpt).
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" !connection-bytes \
    !connection-limit !connection-mark connection-nat-state=!dstnat \
    !connection-rate connection-state=new !connection-type !content disabled=\
    no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
    !dst-port !fragment !hotspot !icmp-options !in-bridge-port \
    !in-bridge-port-list !in-interface in-interface-list=WAN \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \
    !out-interface !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl

# Single masquerade rule, limited to out-interface-list=WAN (ipsec-policy=
# out,none keeps IPsec-policied traffic out of it). Nothing matches on
# src-address, so VPN clients (192.168.31.x) get NATed by this same rule as
# long as their traffic is routed out a WAN-list member; whether pppoe-out is
# in that list is not shown in this excerpt.
/ip firewall nat
add action=masquerade chain=srcnat comment="" \
    !connection-bytes !connection-limit !connection-mark !connection-rate \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface \
    !in-interface-list !ingress-priority ipsec-policy=out,none !ipv4-options \
    !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \
    !out-bridge-port-list !out-interface out-interface-list=WAN !packet-mark \
    !packet-size !per-connection-classifier !port !priority !protocol !psd \
    !random !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-mss !time !tls-host \
    !to-addresses !to-ports !ttl


# Static default route via pppoe-out (the pppoe-client has
# add-default-route=no). There is no routing-mark, so LAN and VPN clients share
# this single default route on the router side.
/ip route
add !bgp-as-path !bgp-atomic-aggregate !bgp-communities !bgp-local-pref \
    !bgp-med !bgp-origin !bgp-prepend !check-gateway comment="" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=pppoe-out !route-tag !routing-mark scope=30 target-scope=10

# PPP secret for the "ovpn" user with fixed addressing (local 192.168.31.1,
# remote 192.168.31.2), so vpn-pool is not used for this account. The password
# is a placeholder from the post. NOTE(review): nothing in this export pushes
# a default route to the client, and the client config quoted later in the
# thread has no redirect-gateway either — that is consistent with clients
# reaching only VPN-side resources.
/ppp secret
add caller-id="" comment="" disabled=no \
    limit-bytes-in=0 limit-bytes-out=0 local-address=192.168.31.1 name=ovpn \
    password=000000 profile=ovpn-in-ovpn remote-address=192.168.31.2 \
    routes="" service=ovpn
Вкратце:
интернет — PPPoE
фаервол заводской (defconf), из дополнений только разрешение на входящий ovpn
в NAT прописан маскарадинг на внешних интерфейсах (interface list WAN)
маршруты все динамические, вручную не правил

Конфиг файл клиентов:
# Transport and endpoint: proto tcp on port 443 matches the server's tcp/443
# input rule on pppoe-out in the router config above. The hostname is a
# placeholder from the post.
client
dev tun
proto tcp
remote sample.com 443
# Must match the server side (cipher=aes256, auth=sha1).
cipher AES-256-CBC
auth SHA1
resolv-retry infinite
nobind
persist-key
persist-tun
# User/password on top of the client certificate, as the server's
# require-client-certificate=yes demands both.
auth-user-pass
# Keep this: it makes the client reject a peer whose certificate is not a
# server certificate, which is what a stolen client cert could otherwise
# impersonate.
remote-cert-tls server
verb 3
# NOTE(review): there is no redirect-gateway directive, so the client keeps
# its own default route and only sends VPN-side networks into the tunnel —
# this matches the reported "clients see only local resources". A full tunnel
# needs the client to route 0.0.0.0/0 into tun (e.g. "redirect-gateway def1")
# or the server to push that; verify on each client platform.
<cert>
</cert>
<key>
</key>
<ca>
</ca>


urnash

Сделал mark connection, но ничего не заработало.
Вложения
Screenshot_4.png
Screenshot_3.png
Screenshot_2.png


Vlad-2
Модератор
Откуда: Петропавловск-Камчатский (п-ов Камчатка)

1) c OpenVPN не работал (поэтому советы общего значения)
2) обычно маркируют и входящий, и транзитный трафик. Второго я не вижу.
3) Не совсем понимаю, зачем Вы pppoe-подключение уводите в маркировочную таблицу?
4) Что за сеть 192.168.21.0/24 — ??? По первому сообщению у Вас другие сети!?

а) Я бы заводской конфиг убрал. Сделал чистый роутер.
б) На чистом роутере сделайте локальную сеть и выход в Интернет.
в) поднимите ОпенВПН с отдельной IP-адресацией
г) сделайте маркировки уже этой адресации и направляйте в нужную таблицу
Проверяете всё это: смотрите, появилась ли адресация OpenVPN на нужном Вам интерфейсе;
если появилась, после этого можно уже включать для данной сети NAT и выпускать в Интернет.



На работе(ах): 2xCCR1016-12G, RB3011UiAS и hAP lite (RB941)
Дома: CCR1016-12G, RBcAP2n (standalone), RB wAP LTE kit
Для тестов(под рукой): RB3011UiAS, hAP mini (RB931) и что-то ещё по мелочи
MTCNA
MTCRE
seregaelcin

Пример конфига для l2tp сервера - юзеры получают адрес из пула 192.168.161.0/28 и ходят в VPN (pptp-client)

# Section header is omitted in the post; this line presumably belongs under
# /ip firewall address-list (the "block" list is what the mangle rule matches).
add address=192.168.161.0/28 list=block
# Route-mark everything sourced from the VPN user range so it is looked up in
# the "block" routing table. passthrough=no stops further mangle processing.
/ip firewall mangle
add action=mark-routing chain=prerouting comment=VPN new-routing-mark=block passthrough=no src-address-list=block
# Marked traffic uses the VPN gateway at distance 1; the unmarked distance-4
# route is a fallback below the main uplink, as the inline note says. That
# "//" note is not RouterOS comment syntax (use comment= or a "#" line) and
# would need removing before pasting.
/ip route
add distance=1 gateway=VPN routing-mark=block
add distance=4 gateway=VPN //дистанс должен быть больше, чем на основном интернет канале
# Header omitted again; this masquerade presumably belongs under
# /ip firewall nat and is scoped to the marked traffic leaving via VPN.
add action=masquerade chain=srcnat out-interface=VPN routing-mark=block src-address-list=block

Если фасттрек поднят еще, тогда

# Fasttrack with both sides excluded for interfaces in the no_fasttrack list,
# so route-marked VPN traffic is not short-circuited past mangle. Section
# header (/ip firewall filter) is omitted in the post.
add action=fasttrack-connection chain=forward connection-state=established,related in-interface-list=!no_fasttrack out-interface-list=!no_fasttrack
add action=accept chain=forward connection-state=established,related
# Every interface that carries VPN traffic has to be a member of no_fasttrack
# (the poster says so below); only the VPN interface is shown here.
/interface list member
add interface=VPN list=no_fasttrack

Надо добавить в list=no_fasttrack все интерфейсы, через которые будет ходить трафик VPN.


Обладатель Mikrotik RB2011UAS-2HnD-IN
kharkov_max

А есть ли смысл пускать клиентов в интернет через VPN?
Может, нужно VPN-клиенту прописать нужные маршруты на локальную сеть за VPN-сервером, и пусть в интернет ходят, как и ходили до VPN...

