openvpnを使用したDebianeth0からwlan0への転送
私は「raspian」(Raspberry PiのDebian)を使用しており、wlan0を使用してeth0を介してインターネットアクセスを提供するraspberry-piが必要です。ここでの落とし穴は、wlan0がルーターに接続されているときに、openvpnネットワークを介してトラフィックをルーティングしたいということです。
理解するのが難しいかもしれないので、ここに図があります:
RaspberryPiのイーサネットポートに接続されたPC-> [RaspberryPiのeth0-> wlan0を使用したopenvpnトンネル経由]->ルーター-> openvpnサーバー->インターネット
ブリッジ(?)はこれを介して行われます:
エコー1>/proc/sys/net/ipv4/ip_forward
iptables -A FORWARD --in-interface eth0 -j ACCEPT
iptables --table nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE
私が今抱えている唯一の問題は、openvpnサービスを開始するとwlanインターフェイスがダウンする?もちろん、openvpnは、インターネット接続がなくなったため、この後も接続を失います。次に、「wpa_cli reconnect」を使用してwlanインターフェイスを再度有効にしようとすると、「TLSエラー:ローカル/リモートTLSキーが同期していません:[AF_INET] $ MY_OPENVPN_SERVER_IP:1194 [0]」が表示されます。
(openvpn接続は以前に確立されていたので、時計の問題ではないと思いますか?)
多分関連する設定ファイル:
/etc/openvpn/client.conf
client dev tun proto udp
remote $MY_OPENVPN_SERVER_IP
resolv-retry infinite
persist-key
persist-tun
ca ca.crt
cert raspberry.crt
key raspberry.key
comp-lzo
keepalive 10 60
verb 3
/etc/dhcp/dhcpd.conf
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
subnet 10.42.0.0 netmask 255.255.255.0 {
range 10.42.0.10 10.42.0.100;
option domain-name-servers 8.8.8.8;
option domain-name "internal.raspi.org";
option routers 10.42.0.2;
option broadcast-address 10.42.0.255;
default-lease-time 600;
max-lease-time 7200;
}
/ etc/network/interfaces
auto lo
iface lo inet loopback
#iface eth0 inet dhcp
allow-hotplug wlan0
iface wlan0 inet manual
wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp
auto eth0
iface eth0 inet static
address 10.42.0.2
netmask 255.255.255.0
broadcast 10.42.0.255
openvpnが有効になる前のifconfig出力:
eth0 Link encap:Ethernet HWaddr b8:27:eb:ea:ea:45
inet addr:10.42.0.2 Bcast:10.42.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14955 errors:0 dropped:0 overruns:0 frame:0
TX packets:22413 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3217763 (3.0 MiB) TX bytes:28150535 (26.8 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1104 (1.0 KiB) TX bytes:1104 (1.0 KiB)
wlan0 Link encap:Ethernet HWaddr b0:48:7a:91:ca:2c
inet addr:192.168.2.110 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:23742 errors:0 dropped:0 overruns:0 frame:0
TX packets:14611 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:28174574 (26.8 MiB) TX bytes:3627713 (3.4 MiB)
openvpnを有効にした後のifconfig出力:
eth0 Link encap:Ethernet HWaddr b8:27:eb:ea:ea:45
inet addr:10.42.0.2 Bcast:10.42.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:15144 errors:0 dropped:0 overruns:0 frame:0
TX packets:22580 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3234735 (3.0 MiB) TX bytes:28178133 (26.8 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1104 (1.0 KiB) TX bytes:1104 (1.0 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.22 P-t-P:10.8.0.21 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:1356 errors:0 dropped:84 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:894869 (873.8 KiB)
wlan0 Link encap:Ethernet HWaddr b0:48:7a:91:ca:2c
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:23950 errors:0 dropped:0 overruns:0 frame:0
TX packets:14759 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:28204123 (26.8 MiB) TX bytes:3648458 (3.4 MiB)
syslog、openvpnを有効にした直後:
Dec 1 17:21:23 raspberrypi ovpn-client[2301]: OpenVPN 2.2.1 arm-linux-gnueabihf [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Apr 28 2012
Dec 1 17:21:23 raspberrypi ovpn-client[2301]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Dec 1 17:21:23 raspberrypi ovpn-client[2301]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Dec 1 17:21:23 raspberrypi ovpn-client[2301]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Dec 1 17:21:23 raspberrypi ovpn-client[2301]: LZO compression initialized
Dec 1 17:21:23 raspberrypi ovpn-client[2301]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Dec 1 17:21:23 raspberrypi ovpn-client[2301]: Socket Buffers: R=[163840->131072] S=[163840->131072]
Dec 1 17:21:23 raspberrypi ovpn-client[2301]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Dec 1 17:21:23 raspberrypi ovpn-client[2301]: Local Options hash (VER=V4): '41690919'
Dec 1 17:21:23 raspberrypi ovpn-client[2301]: Expected Remote Options hash (VER=V4): '530fdded'
Dec 1 17:21:23 raspberrypi ovpn-client[2302]: UDPv4 link local (bound): [undef]
Dec 1 17:21:23 raspberrypi ovpn-client[2302]: UDPv4 link remote: [AF_INET]$MY_OPENVPN_SERVER_IP:1194
Dec 1 17:21:23 raspberrypi ovpn-client[2302]: TLS: Initial packet from [AF_INET]$MY_OPENVPN_SERVER_IP:1194, sid=28e45b1e 0782389c
Dec 1 17:21:24 raspberrypi ovpn-client[2302]: VERIFY OK: depth=1, /C=US/ST=SECRET/L=Evilston/O=SecretLair/CN=SecretLair_CA/emailAddress=compendium@starstrider
Dec 1 17:21:24 raspberrypi ovpn-client[2302]: VERIFY OK: depth=0, /C=US/ST=SECRET/L=Evilston/O=SecretLair/CN=server/emailAddress=compendium@starstrider
Dec 1 17:21:26 raspberrypi ovpn-client[2302]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Dec 1 17:21:26 raspberrypi ovpn-client[2302]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 1 17:21:26 raspberrypi ovpn-client[2302]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Dec 1 17:21:26 raspberrypi ovpn-client[2302]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 1 17:21:26 raspberrypi ovpn-client[2302]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Dec 1 17:21:26 raspberrypi ovpn-client[2302]: [server] Peer Connection Initiated with [AF_INET]$MY_OPENVPN_SERVER_IP:1194
Dec 1 17:21:28 raspberrypi ovpn-client[2302]: SENT CONTROL [server]: 'Push_REQUEST' (status=1)
Dec 1 17:21:28 raspberrypi ovpn-client[2302]: Push: Received control message: 'Push_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 4.2.2.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.22 10.8.0.21'
Dec 1 17:21:28 raspberrypi ovpn-client[2302]: OPTIONS IMPORT: timers and/or timeouts modified
Dec 1 17:21:28 raspberrypi ovpn-client[2302]: OPTIONS IMPORT: --ifconfig/up options modified
Dec 1 17:21:28 raspberrypi ovpn-client[2302]: OPTIONS IMPORT: route options modified
Dec 1 17:21:28 raspberrypi ovpn-client[2302]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Dec 1 17:21:28 raspberrypi ovpn-client[2302]: ROUTE default_gateway=192.168.2.1
Dec 1 17:21:28 raspberrypi ovpn-client[2302]: TUN/TAP device tun0 opened
Dec 1 17:21:28 raspberrypi kernel: [ 1305.253893] tun: Universal TUN/TAP device driver, 1.6
Dec 1 17:21:28 raspberrypi kernel: [ 1305.253924] tun: (C) 1999-2004 Max Krasnyansky <[email protected]>
Dec 1 17:21:28 raspberrypi ovpn-client[2302]: TUN/TAP TX queue length set to 100
Dec 1 17:21:28 raspberrypi ovpn-client[2302]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Dec 1 17:21:28 raspberrypi ovpn-client[2302]: /sbin/ifconfig tun0 10.8.0.22 pointopoint 10.8.0.21 mtu 1500
Dec 1 17:21:28 raspberrypi ovpn-client[2302]: /sbin/route add -net $MY_OPENVPN_SERVER_IP netmask 255.255.255.255 gw 192.168.2.1
Dec 1 17:21:28 raspberrypi ovpn-client[2302]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.21
Dec 1 17:21:28 raspberrypi ovpn-client[2302]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.21
Dec 1 17:21:28 raspberrypi ovpn-client[2302]: /sbin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 10.8.0.21
Dec 1 17:21:28 raspberrypi ovpn-client[2302]: Initialization Sequence Completed
Dec 1 17:21:28 raspberrypi ifplugd(tun0)[2342]: ifplugd 0.28 initializing.
Dec 1 17:21:28 raspberrypi ifplugd(tun0)[2342]: Using interface tun0/00:00:00:00:00:00 with driver <tun> (version: 1.6)
Dec 1 17:21:28 raspberrypi ifplugd(tun0)[2342]: Using detection mode: SIOCETHTOOL
Dec 1 17:21:28 raspberrypi ifplugd(tun0)[2342]: Initialization complete, link beat detected.
Dec 1 17:21:28 raspberrypi ifplugd(tun0)[2342]: Executing '/etc/ifplugd/ifplugd.action tun0 up'.
Dec 1 17:21:29 raspberrypi kernel: [ 1305.603457] wlan0: deauthenticating from 88:25:2c:32:a1:10 by local choice (reason=3)
Dec 1 17:21:29 raspberrypi kernel: [ 1305.694379] cfg80211: Calling CRDA for country: CN
Dec 1 17:21:29 raspberrypi ifplugd(wlan0)[1449]: Link beat lost.
Dec 1 17:21:29 raspberrypi ifplugd(tun0)[2342]: client: OK
Dec 1 17:21:29 raspberrypi wpa_supplicant[1532]: wlan0: CTRL-EVENT-DISCONNECTED bssid=00:00:00:00:00:00 reason=3
Dec 1 17:21:29 raspberrypi ifplugd(tun0)[2342]: client: Ignoring unknown interface tun0=tun0.
Dec 1 17:21:29 raspberrypi wpa_action: WPA_IFACE=wlan0 WPA_ACTION=DISCONNECTED
Dec 1 17:21:29 raspberrypi wpa_action: WPA_ID=0 WPA_ID_STR= WPA_CTRL_DIR=/var/run/wpa_supplicant
Dec 1 17:21:29 raspberrypi wpa_action: ifdown wlan0
Dec 1 17:21:29 raspberrypi ifplugd(tun0)[2342]: Program executed successfully.
Dec 1 17:21:29 raspberrypi dhclient: Internet Systems Consortium DHCP Client 4.2.2
Dec 1 17:21:29 raspberrypi dhclient: Copyright 2004-2011 Internet Systems Consortium.
Dec 1 17:21:29 raspberrypi dhclient: All rights reserved.
Dec 1 17:21:29 raspberrypi dhclient: For info, please visit https://www.isc.org/software/dhcp/
Dec 1 17:21:29 raspberrypi dhclient:
Dec 1 17:21:29 raspberrypi dhclient: Listening on LPF/wlan0/b0:48:7a:91:ca:2c
Dec 1 17:21:29 raspberrypi dhclient: Sending on LPF/wlan0/b0:48:7a:91:ca:2c
Dec 1 17:21:29 raspberrypi dhclient: Sending on Socket/fallback
Dec 1 17:21:29 raspberrypi dhclient: DHCPRELEASE on wlan0 to 192.168.2.1 port 67
Dec 1 17:21:29 raspberrypi wpa_action: removing sendsigs omission pidfile: /run/sendsigs.omit.d/wpasupplicant.wpa_supplicant.wlan0.pid
Dec 1 17:21:31 raspberrypi ntpd[1924]: Listen normally on 4 tun0 10.8.0.22 UDP 123
Dec 1 17:21:31 raspberrypi ntpd[1924]: Deleting interface #3 wlan0, 192.168.2.110#123, interface stats: received=54, sent=54, dropped=0, active_time=1279 secs
Dec 1 17:21:31 raspberrypi ntpd[1924]: 178.63.212.146 interface 192.168.2.110 -> (none)
Dec 1 17:21:31 raspberrypi ntpd[1924]: 85.214.240.100 interface 192.168.2.110 -> (none)
Dec 1 17:21:31 raspberrypi ntpd[1924]: 195.71.86.233 interface 10.42.0.2 -> 10.8.0.22
Dec 1 17:21:31 raspberrypi ntpd[1924]: 212.85.158.10 interface 10.42.0.2 -> 10.8.0.22
Dec 1 17:21:31 raspberrypi ntpd[1924]: peers refreshed
Dec 1 17:21:39 raspberrypi ifplugd(wlan0)[1449]: Executing '/etc/ifplugd/ifplugd.action wlan0 down'.
Dec 1 17:21:39 raspberrypi ifplugd(wlan0)[1449]: client: /sbin/ifdown: interface wlan0 not configured
Dec 1 17:21:39 raspberrypi ifplugd(wlan0)[1449]: Program executed successfully.
私は私のraspberrypiでwifi経由でopenvpnを設定するのと同じ問題を抱えていました。欠陥はwpa-roamであることが判明しました。
/ etc/network/interfacesのwlan0セクションを次のように変更する必要がありました。
allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
重要な部分はwpa-roamをwpa-confに置き換えることでした。
バックグラウンド
/var/log/daemon.logで、openvpnを有効にした後、次のエントリを見つけました。
Jan 13 22:40:19 raspberrypi ifplugd(tun0)[28971]: Executing '/etc/ifplugd/ifplugd.action tun0 up'.
続いて
Jan 13 22:40:19 raspberrypi wpa_supplicant[3177]: wlan0: CTRL-EVENT-DISCONNECTED bssid=00:00:00:00:00:00 reason=0
...
Jan 13 22:40:20 raspberrypi ifplugd(wlan0)[3108]: Link beat lost.
...
Jan 13 22:40:30 raspberrypi ifplugd(wlan0)[3108]: Executing '/etc/ifplugd/ifplugd.action wlan0 down'.
Jan 13 22:40:30 raspberrypi ifplugd(wlan0)[3108]: client: /sbin/ifdown: interface wlan0 not configured
Jan 13 22:40:30 raspberrypi ifplugd(wlan0)[3108]: Program executed successfully.
そのため、新しいネットワークデバイスの作成にある程度関連している必要がありました。
分析/ etc/ifplugd/ifplugd.action tun0 upが返され、/ etc/ifplugd/action.d/action_wpaが実行されます。
/etc/ifplugd/action.d/action_wpa
#!/bin/sh
# Action script to enable/disable wpa-roam interfaces in reaction to
# ifplugd events.
#
# Copyright: Copyright (c) 2008-2010, Kel Modderman <[email protected]>
# License: GPL-2
#
PATH=/sbin:/usr/sbin:/bin:/usr/bin
if [ ! -x /sbin/wpa_action ]; then
exit 0
fi
# ifplugd(8) - <iface> <action>
#
# If an ifplugd managed interface is brought up, disconnect any
# wpa-roam managed interfaces so that only one "roaming" interface
# remains active on the system.
IFPLUGD_IFACE="${1}"
case "${2}" in
up)
COMMAND=disconnect
;;
down)
COMMAND=reconnect
;;
*)
echo "$0: unknown arguments: ${@}" >&2
exit 1
;;
esac
for CTRL in /var/run/wpa_supplicant/*; do
[ -S "${CTRL}" ] || continue
IFACE="${CTRL#/var/run/wpa_supplicant/}"
# skip if ifplugd is managing this interface
if [ "${IFPLUGD_IFACE}" = "${IFACE}" ]; then
continue
fi
if wpa_action "${IFACE}" check; then
wpa_cli -i "${IFACE}" "${COMMAND}"
fi
done
したがって、おそらくroaming-costsを節約するために、他のネットワークデバイスが使用可能な場合、すべてのローミングデバイスが非アクティブ化されます。それは実際のデバイスかもしれませんし、単なる仮想デバイスかもしれません。
私はwifi経由でssh経由でpiにしかアクセスできませんでした。リモートで殺され、hard再起動のために家に帰るのを待たなければなりませんでした;-)
可能な他の方法
もう1つの方法は、/ etc/network/interfaces内のtun0デバイスを構成して、/ etc/ifplugd/action.d/action_wpaを呼び出さないようにすることです。そうすれば、ローミングは引き続き機能します。