Good evening!
Some background. I decided to move from ancient pptp to openvpn for remote access to the resources of my home LAN. On the server I stopped Accel-ppp, started openvpn and configured it. If it matters, the server runs Debian 7.11.
port 1195
proto tcp
dev tun
ca /etc/openvpn/srv/ca.crt
cert /etc/openvpn/srv/srv.crt
key /etc/openvpn/srv/srv.key
dh /etc/openvpn/srv/dh2048.pem
duplicate-cn
server 192.168.0.32 255.255.255.224
server-ipv6 fd00:2::/112
topology subnet
client-to-client
push "dhcp-option DNS fd00:2::1"
push "dhcp-option DNS 192.168.0.1"
push "dhcp-option DOMAIN-SEARCH example.ru"
push "dhcp-option DOMAIN-SEARCH example.lan"
push "route-ipv6 ::/0"
push "route 192.168.0.1 255.255.255.255"
push "route 192.168.0.64 255.255.255.192"
push "route 192.168.0.128 255.255.255.128"
push "route 192.168.1.0 255.255.255.224"
push "route xxx.xxx.xxx.xxx 255.255.255.248"
#tun-ipv6
ifconfig-ipv6 fd00:2::1 fd00:2::ff
keepalive 10 120
persist-key
persist-tun
log-append /var/log/openvpn/openvpn-srv.log
auth SHA256
cipher AES-128-CBC
verb 3
I generated a config for the client.
client
dev tun
proto tcp
ns-cert-type server
remote example.ru 1195
persist-key
persist-tun
auth SHA256
cipher AES-128-CBC
<key>
-----BEGIN PRIVATE KEY-----
MySuperPrivateKey
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
MySuperCertificate
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
MySuperCertificateCA
-----END CERTIFICATE-----
</ca>
In general, nothing special.
The strange thing is that from the client installed on my phone, with this configuration, I easily get access to the network resources, but from Ubuntu 18.04 I can't even reach the server itself, let alone the network.
# ip -4 route show table all type unicast
default via 95.220.192.1 dev isp0 table isp0 proto bird
192.168.0.0/24 dev lan0 table isp0 proto bird scope link
192.168.0.32/27 dev tun0 table isp0 scope link
192.168.1.0/27 dev adm0 table isp0 proto bird scope link
xxx.xxx.xxx.xxx/29 dev lan1 table isp0 proto bird scope link
default via 31.130.39.1 dev isp1 table isp1 proto bird
192.168.0.0/24 dev lan0 table isp1 proto bird scope link
192.168.0.32/27 dev tun0 table isp1 scope link
192.168.1.0/27 dev adm0 table isp1 proto bird scope link
xxx.xxx.xxx.xxx/29 dev lan1 table isp1 proto bird scope link
default table default proto bird
nexthop via 31.130.39.1 dev isp1 weight 3
nexthop via 95.220.192.1 dev isp0 weight 1
31.130.39.0/24 dev isp1 proto kernel scope link src 31.130.39.48
95.220.192.0/19 dev isp0 proto kernel scope link src 95.220.217.87
192.168.0.0/24 dev lan0 proto kernel scope link src 192.168.0.1
192.168.0.32/27 dev tun0 proto kernel scope link src 192.168.0.33
192.168.1.0/27 dev adm0 proto kernel scope link src 192.168.1.10
xxx.xxx.xxx.xxx/29 dev lan1 proto kernel scope link src xxx.xxx.xxx.xxy
# Generated by iptables-save v1.4.21 on Sun Oct 28 17:03:43 2018
*mangle
:PREROUTING ACCEPT [55424259:47109124253]
:INPUT ACCEPT [31224603:24615125045]
:FORWARD ACCEPT [24163929:22493092244]
:OUTPUT ACCEPT [40502659:37885830520]
:POSTROUTING ACCEPT [64651686:60378607416]
:BALANCE - [0:0]
:MULTIWAN_PREROUTING - [0:0]
:isp0_MARK - [0:0]
:isp0_WAN - [0:0]
:isp1_MARK - [0:0]
:isp1_WAN - [0:0]
-A PREROUTING -m conntrack --ctstate RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A PREROUTING -j MULTIWAN_PREROUTING
-A PREROUTING -m state --state NEW -m connmark ! --mark 0x0 -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -p udp -m udp --sport 53 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -p tcp -m tcp --sport 53 -j MARK --set-xmark 0x1/0xffffffff
-A BALANCE -m statistic --mode nth --every 2 --packet 0 -j isp0_WAN
-A BALANCE -m statistic --mode nth --every 2 --packet 1 -j isp1_WAN
-A MULTIWAN_PREROUTING -i isp1 -j isp1_WAN
-A MULTIWAN_PREROUTING -i isp0 -j isp0_WAN
-A MULTIWAN_PREROUTING -s 192.168.0.128/26 -j isp0_WAN
-A MULTIWAN_PREROUTING -s 192.168.0.64/26 -j isp1_WAN
-A MULTIWAN_PREROUTING -s 192.168.0.192/26 -j BALANCE
-A isp0_MARK -j MARK --set-xmark 0x1/0xffffffff
-A isp0_MARK -m set --match-set comlan dst -j MARK --set-xmark 0x2/0xffffffff
-A isp0_WAN -j isp0_MARK
-A isp1_MARK -j MARK --set-xmark 0x2/0xffffffff
-A isp1_MARK -m set --match-set konsul dst -j MARK --set-xmark 0x1/0xffffffff
-A isp1_WAN -j isp1_MARK
COMMIT
# Completed on Sun Oct 28 17:03:43 2018
# Generated by iptables-save v1.4.21 on Sun Oct 28 17:03:43 2018
*nat
:PREROUTING ACCEPT [1575713:144015802]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [2110943:262852049]
:POSTROUTING ACCEPT [2185542:267223821]
:MULTINAT - [0:0]
-A POSTROUTING -o isp0 -j MULTINAT
-A POSTROUTING -o isp1 -j MULTINAT
-A MULTINAT -s 192.168.0.64/26 -j MASQUERADE
-A MULTINAT -s 192.168.0.128/26 -j MASQUERADE
-A MULTINAT -s 192.168.0.192/26 -j MASQUERADE
COMMIT
# Completed on Sun Oct 28 17:03:43 2018
# Generated by iptables-save v1.4.21 on Sun Oct 28 17:03:43 2018
*filter
:INPUT DROP [3768:302796]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9616:1539467]
:ADM_FILTER - [0:0]
:ALLOW_FW - [0:0]
:BAD - [0:0]
:BAD_DOMAINS - [0:0]
:DNS - [0:0]
:FILTER_LAN0 - [0:0]
:FILTER_LAN1 - [0:0]
:FILTER_OVPN - [0:0]
:MINIUPNPD - [0:0]
:RTT - [0:0]
:SSH - [0:0]
:VPN - [0:0]
:VPN_FILTER - [0:0]
-A INPUT -m conntrack --ctstate INVALID -j BAD
-A INPUT -m set --match-set dns_bads src -j BAD
-A INPUT -p icmp -m icmp --icmp-type 8 -j RTT
-A INPUT -p tcp -m tcp --dport 1195 -j ALLOW_FW
-A INPUT -p udp -m udp --dport 1195 -j ALLOW_FW
-A INPUT -p udp -m udp --dport 33434:33523 -j RTT
-A INPUT -d xxx.xxx.xxx.xxy/32 -p udp -m udp --dport 53 -j DNS
-A INPUT -d xxx.xxx.xxx.xxy/32 -p tcp -m tcp --dport 53 -j DNS
-A INPUT -p gre -j VPN
-A INPUT -d 224.0.0.0/4 -j ACCEPT
-A INPUT -i isp0 -p tcp -m tcp --dport 6925 -j ALLOW_FW
-A INPUT -i isp1 -p tcp -m tcp --dport 6925 -j ALLOW_FW
-A INPUT -i isp0 -p udp -m udp --dport 6926 -j ALLOW_FW
-A INPUT -i isp1 -p udp -m udp --dport 6926 -j ALLOW_FW
-A INPUT -p tcp -m tcp --dport 1723 -j VPN
-A INPUT -i lo -j ALLOW_FW
-A INPUT -i ppp+ -j ALLOW_FW
-A INPUT -i adm0 -j ALLOW_FW
-A INPUT -i tun+ -j ALLOW_FW
-A INPUT -i lan0 -j ALLOW_FW
-A INPUT -i lan1 -j ALLOW_FW
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ALLOW_FW
-A FORWARD -i isp1 -o lan1 -j ALLOW_FW
-A FORWARD -i lan1 -o isp1 -j ALLOW_FW
-A FORWARD -m conntrack --ctstate INVALID -j BAD
-A FORWARD -d 224.0.0.0/4 -j ALLOW_FW
-A FORWARD -i adm0 -j ALLOW_FW
-A FORWARD -i lan0 -o lan0 -j ALLOW_FW
-A FORWARD -i lan0 -o adm0 -j ADM_FILTER
-A FORWARD -i lan1 -o adm0 -j ADM_FILTER
-A FORWARD -i ppp+ -j VPN_FILTER
-A FORWARD -o ppp+ -j VPN_FILTER
-A FORWARD -i tun+ -j FILTER_OVPN
-A FORWARD -i lan0 -o isp0 -j FILTER_LAN0
-A FORWARD -i lan0 -o isp1 -j FILTER_LAN0
-A FORWARD -i lan1 -o isp0 -j FILTER_LAN1
-A FORWARD -i lan1 -o lan1 -j FILTER_LAN1
-A FORWARD -i isp0 -o lan1 -j FILTER_LAN1
-A FORWARD -i isp1 ! -o isp1 -j MINIUPNPD
-A FORWARD -i isp0 ! -o isp0 -j MINIUPNPD
-A FORWARD -i lan0 -o lan1 -j ALLOW_FW
-A FORWARD -i lan1 -o lan0 -j ALLOW_FW
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ALLOW_FW
-A FORWARD -i lan0 -o tun0 -m set --match-set openvpn src -j ALLOW_FW
-A FORWARD -i lan0 -o tun0 -m set --match-set openvpn src -j ALLOW_FW
-A ADM_FILTER -m set --match-set admacc src,src -j ALLOW_FW
-A ADM_FILTER -m set --match-set admin_access src,src -j ALLOW_FW
-A ALLOW_FW -j ACCEPT
-A BAD -j DROP
-A BAD_DOMAINS -m string --string "mail" --algo kmp --to 65535 -j ALLOW_FW
-A BAD_DOMAINS -m string --string "examle" --algo kmp --to 65535 -j ALLOW_FW
-A BAD_DOMAINS -j BAD
-A DNS -m recent --set --name dns-spoof --mask 255.255.255.255 --rsource
-A DNS -m recent --update --seconds 3 --hitcount 50 --name dns-spoof --mask 255.255.255.255 --rsource -j LOG --log-prefix "DNS Spoof: " --log-level 3
-A DNS -m recent --update --seconds 3 --hitcount 50 --name dns-spoof --mask 255.255.255.255 --rsource -j SET --add-set dns_bads src
-A DNS -j BAD_DOMAINS
-A FILTER_LAN0 -m ndpi --telegram -j BAD
-A FILTER_LAN0 -j ALLOW_FW
-A FILTER_LAN1 -p udp -m multiport --dports 6881 -j DROP
-A FILTER_LAN1 -j ALLOW_FW
-A FILTER_OVPN -j ALLOW_FW
-A RTT -d xxx.xxx.xxx.xxy/32 -j ACCEPT
-A VPN -d xxx.xxx.xxx.xxy/32 -j ACCEPT
-A VPN_FILTER -o lan0 -j ALLOW_FW
-A VPN_FILTER -i lan0 -j ALLOW_FW
-A VPN_FILTER -o lan1 -j ALLOW_FW
-A VPN_FILTER -i lan1 -j ALLOW_FW
-A VPN_FILTER -o adm0 -j ALLOW_FW
-A VPN_FILTER -i adm0 -j ALLOW_FW
-A VPN_FILTER -o isp0 -j ALLOW_FW
-A VPN_FILTER -i ppp+ -j ALLOW_FW
-A VPN_FILTER -o ppp+ -j ALLOW_FW
COMMIT
# Completed on Sun Oct 28 17:03:43 2018
On the Ubuntu client it looks like this
~# ip a s; ip -4 r s t all ty uni; iptables-save
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether f4:6d:04:94:c8:1d brd ff:ff:ff:ff:ff:ff
6: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 18:a6:f7:15:b9:bf brd ff:ff:ff:ff:ff:ff
    inet 192.168.43.218/24 brd 192.168.43.255 scope global wlan0
       valid_lft forever preferred_lft forever
    inet6 fe80::1aa6:f7ff:fe15:b9bf/64 scope link
       valid_lft forever preferred_lft forever
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 192.168.0.35/27 brd 192.168.0.63 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fd00:2::1001/112 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::4e40:b317:c23d:7c16/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
default via 192.168.43.1 dev wlan0
169.254.0.0/16 dev wlan0 scope link metric 1000
192.168.0.1 via 192.168.0.33 dev tun0
192.168.0.32/27 dev tun0 proto kernel scope link src 192.168.0.35
192.168.0.64/26 via 192.168.0.33 dev tun0
192.168.0.128/25 via 192.168.0.33 dev tun0
192.168.1.0/27 via 192.168.0.33 dev tun0
192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.218
xxx.xxx.xxx.xxx/29 via 192.168.0.33 dev tun0
# Generated by iptables-save v1.6.1 on Sun Oct 28 17:12:43 2018
*filter
:INPUT ACCEPT [713726:168586779]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [677292:38234246]
:SSH - [0:0]
-A INPUT -m set --match-set ssh src -m set ! --match-set local_net src -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j SSH
-A SSH -m recent --set --name ssh --mask 255.255.255.255 --rsource
-A SSH -m recent --update --seconds 60 --hitcount 5 --name ssh --mask 255.255.255.255 --rsource -j LOG --log-prefix "SSH brute: " --log-level 3
-A SSH -m recent --update --seconds 60 --hitcount 5 --name ssh --mask 255.255.255.255 --rsource -j SET --add-set ssh src
COMMIT
# Completed on Sun Oct 28 17:12:43 2018
But I can't get anywhere from Ubuntu.
# traceroute -I 192.168.1.3 -q 1
traceroute to 192.168.1.3 (192.168.1.3), 30 hops max, 60 byte packets
1 *
2 *
3 *
4 *
5 *
Oct 28 19:01:14 workstation ovpn-mysrv[7389]: OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 5 2018
Oct 28 19:01:14 workstation ovpn-mysrv[7389]: library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.08
Oct 28 19:01:14 workstation ovpn-mysrv[7389]: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Oct 28 19:01:14 workstation ovpn-mysrv[7389]: Control Channel MTU parms [ L:1623 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Oct 28 19:01:19 workstation ovpn-mysrv[7389]: Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Oct 28 19:01:19 workstation ovpn-mysrv[7389]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1571,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-client'
Oct 28 19:01:19 workstation ovpn-mysrv[7389]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1571,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-server'
Oct 28 19:01:19 workstation ovpn-mysrv[7389]: TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxy:1195
Oct 28 19:01:19 workstation ovpn-mysrv[7389]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Oct 28 19:01:19 workstation ovpn-mysrv[7389]: Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxy:1195 [nonblock]
Oct 28 19:01:20 workstation ovpn-mysrv[7389]: TCP connection established with [AF_INET]xxx.xxx.xxx.xxy:1195
Oct 28 19:01:20 workstation ovpn-mysrv[7389]: TCP_CLIENT link local: (not bound)
Oct 28 19:01:20 workstation ovpn-mysrv[7389]: TCP_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxy:1195
Oct 28 19:01:20 workstation ovpn-mysrv[7389]: TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxy:1195, sid=3871fae6 5a799e11
Oct 28 19:01:20 workstation ovpn-mysrv[7389]: VERIFY OK: depth=1, C=RU, ST=MSK, L=Moscow, O=example.ru, OU=example.ru home network, CN=example.ru CA, name=Access, emailAddress=admin@example.ru
Oct 28 19:01:20 workstation ovpn-mysrv[7389]: VERIFY OK: nsCertType=SERVER
Oct 28 19:01:20 workstation ovpn-mysrv[7389]: VERIFY OK: depth=0, C=RU, ST=MSK, L=Moscow, O=example.ru, OU=example.ru home network, CN=srv, name=Access, emailAddress=admin@example.ru
Oct 28 19:01:21 workstation ovpn-mysrv[7389]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Oct 28 19:01:21 workstation ovpn-mysrv[7389]: [srv] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxy:1195
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: SENT CONTROL [srv]: 'PUSH_REQUEST' (status=1)
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS fd00:1::1,dhcp-option DNS 192.168.0.1,dhcp-option DOMAIN-SEARCH example.ru,dhcp-option DOMAIN-SEARCH example.lan,route-ipv6 ::/0,route 192.168.0.1 255.255.255.255,route 192.168.0.64 255.255.255.192,route 192.168.0.128 255.255.255.128,route 192.168.1.0 255.255.255.224,route xxx.xxx.xxx.xxx 255.255.255.248,tun-ipv6,route-gateway 192.168.0.33,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 fd00:2::1000/112 fd00:2::1,ifconfig 192.168.0.34 255.255.255.224,peer-id 0,cipher AES-256-GCM'
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: OPTIONS IMPORT: timers and/or timeouts modified
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: OPTIONS IMPORT: --ifconfig/up options modified
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: OPTIONS IMPORT: route options modified
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: OPTIONS IMPORT: route-related options modified
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: OPTIONS IMPORT: peer-id set
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: OPTIONS IMPORT: adjusting link_mtu to 1626
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: OPTIONS IMPORT: data channel crypto options modified
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: Data Channel: using negotiated cipher 'AES-256-GCM'
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: Data Channel MTU parms [ L:1554 D:1450 EF:54 EB:406 ET:0 EL:3 ]
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: ROUTE_GATEWAY 192.168.43.1/255.255.255.0 IFACE=wlan0 HWADDR=18:a6:f7:15:b9:bf
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: GDG6: remote_host_ipv6=n/a
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: ROUTE6: default_gateway=UNDEF
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: TUN/TAP device tun0 opened
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: TUN/TAP TX queue length set to 100
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: /sbin/ip link set dev tun0 up mtu 1500
Oct 28 19:01:22 workstation systemd-udevd[7409]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: /sbin/ip addr add dev tun0 192.168.0.34/27 broadcast 192.168.0.63
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: /sbin/ip -6 addr add fd00:2::1000/112 dev tun0
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: /sbin/ip route add 192.168.0.1/32 via 192.168.0.33
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: /sbin/ip route add 192.168.0.64/26 via 192.168.0.33
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: /sbin/ip route add 192.168.0.128/25 via 192.168.0.33
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: /sbin/ip route add 192.168.1.0/27 via 192.168.0.33
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: /sbin/ip route add xxx.xxx.xxx.xxx/29 via 192.168.0.33
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: add_route_ipv6(::/0 -> fd00:2::1 metric -1) dev tun0
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: /sbin/ip -6 route add ::/0 dev tun0
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: Initialization Sequence Completed
Oct 28 19:01:22 workstation ovpn-mysrv[7389]: Recursive routing detected, drop tun packet to [AF_INET]xxx.xxx.xxx.xxy:1195
From the phone this host answers on the second hop.
What am I doing wrong?
Help me figure it out.
PS Some critically important details, such as global unicast addresses and domains, have been changed.
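The last line of the client log above, "Recursive routing detected", is OpenVPN's name for a pushed route that covers the server's own public endpoint, so the encrypted tunnel traffic would itself be routed into the tunnel. The following check is an added example, not part of the original post or of OpenVPN: it parses a PUSH_REPLY line shaped like the one in the log (with the masked public addresses replaced by constructed TEST-NET-3 placeholders) and reports which pushed route would capture the tunnel's remote address.

```python
import ipaddress
import re

# Constructed sample modelled on the PUSH_REPLY line in the log above.
# The post masks its public addresses as xxx.xxx.xxx.xxx; here the pushed
# /29 and the server endpoint are TEST-NET-3 placeholders, not real hosts.
PUSH_REPLY = (
    "PUSH_REPLY,dhcp-option DNS 192.168.0.1,route-ipv6 ::/0,"
    "route 192.168.0.1 255.255.255.255,route 192.168.0.64 255.255.255.192,"
    "route 192.168.0.128 255.255.255.128,route 192.168.1.0 255.255.255.224,"
    "route 203.0.113.8 255.255.255.248,route-gateway 192.168.0.33,"
    "topology subnet,ifconfig 192.168.0.34 255.255.255.224"
)
REMOTE_ENDPOINT = "203.0.113.11"  # placeholder for the VPN server's public IP


def parse_pushed_routes(push_reply):
    """Return the IPv4 networks from 'route <network> <netmask>' options.

    Other options (route-ipv6, route-gateway, dhcp-option, ...) are skipped;
    the netmask form is accepted directly by ipaddress.ip_network.
    """
    routes = []
    for opt in push_reply.split(","):
        m = re.fullmatch(r"route (\S+) (\S+)", opt.strip())
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append(net)
    return routes


def find_recursive_routes(push_reply, remote):
    """Return the pushed routes that contain the server endpoint itself.

    Any such route sends the client's own tunnel packets back through tun0,
    which OpenVPN logs as 'Recursive routing detected' and drops.
    """
    remote_ip = ipaddress.ip_address(remote)
    return [net for net in parse_pushed_routes(push_reply) if remote_ip in net]


if __name__ == "__main__":
    offenders = find_recursive_routes(PUSH_REPLY, REMOTE_ENDPOINT)
    for net in offenders:
        print(f"pushed route {net} covers the VPN endpoint {REMOTE_ENDPOINT}")
    if not offenders:
        print("no pushed route covers the VPN endpoint")
```

Run it against a real client log by pasting the `PUSH: Received control message` payload into PUSH_REPLY and the address from `TCP connection established with` into REMOTE_ENDPOINT.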