The situation is as follows:
there are two offices:
on one side, OpenVPN on Windows Server 2003 as the server
on the other, OpenVPN on Ubuntu Linux 10.10 as the client.
Server config:
mode server
port 1194
proto tcp
dev tap
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
tun-mtu 1500
ifconfig 10.8.0.1 255.255.255.0
push "route 192.168.250.0 255.255.255.0"
Client settings:
client
dev tap0
proto tcp
remote 213.170.69.42 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert murmansk.crt
key murmansk.key
ns-cert-type server
comp-lzo
verb 3
tun-mtu 1500
status openvpn-status.log
log openvpn.log
iptables on the client:
*filter
:INPUT ACCEPT [56:5844]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [72:53172]
:open_vpn - [0:0]
-A INPUT -i tap0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A INPUT -i tap0 -j ACCEPT
-A INPUT -i tap0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i tap0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A FORWARD -o tap0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A FORWARD -i tap0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A FORWARD -i eth0 -o tap0 -j ACCEPT
-A FORWARD -i tap0 -o eth0 -j ACCEPT
-A FORWARD -i tap0 -o eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD -i eth0 -o tap0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD -i tap0 -o eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A FORWARD -i eth0 -o tap0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -o tap0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A OUTPUT -o tap0 -j ACCEPT
-A OUTPUT -o tap0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -o tap0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A open_vpn -d 192.168.250.0/24 -i tap0 -j ACCEPT
-A open_vpn -s 192.168.250.0/24 -i tap0 -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [76:7619]
:INPUT ACCEPT [60:6084]
:FORWARD ACCEPT [9:572]
:OUTPUT ACCEPT [76:53412]
:POSTROUTING ACCEPT [85:53984]
COMMIT
*nat
:PREROUTING ACCEPT [4:224]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
sysctl on the client:
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/default/accept_redirects=0
net/ipv6/conf/all/accept_redirects=0
net/ipv6/conf/default/accept_redirects=0
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/icmp_echo_ignore_all=0
net/ipv4/conf/all/log_martians=0
net/ipv4/conf/default/log_martians=0
tap0 on the server: 10.8.0.1
tap0 on the client: 10.8.0.2
network behind the server: 192.168.250.0/24
network behind the client: 192.168.0.0/21
routes on the server:
Активные маршруты:
Сетевой адрес Маска сети Адрес шлюза Интерфейс Метрика
0.0.0.0 0.0.0.0 213.170.69.41 ip в интернете 20
10.8.0.0 255.255.255.0 10.8.0.1 10.8.0.1 30
10.8.0.1 255.255.255.255 127.0.0.1 127.0.0.1 30
10.255.255.255 255.255.255.255 10.8.0.1 10.8.0.1 30
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.248.0 10.8.0.2 10.8.0.1 1
192.168.250.0 255.255.255.0 192.168.250.1 192.168.250.1 10
192.168.250.1 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.250.255 255.255.255.255 192.168.250.1 192.168.250.1 10
213.170.69.40 255.255.255.252 ip в интернете ip в интернете 20
ip в интернете 255.255.255.255 127.0.0.1 127.0.0.1 20
213.170.69.255 255.255.255.255 ip в интернете ip в интернете 20
224.0.0.0 240.0.0.0 10.8.0.1 10.8.0.1 30
224.0.0.0 240.0.0.0 192.168.250.1 192.168.250.1 10
224.0.0.0 240.0.0.0 ip в интернете ip в интернете 20
255.255.255.255 255.255.255.255 10.8.0.1 10.8.0.1 1
255.255.255.255 255.255.255.255 192.168.250.1 192.168.250.1 1
255.255.255.255 255.255.255.255 ip в интернете ip в интернете 1
Основной шлюз: интенет шлюз
===========================================================================
Постоянные маршруты:
Отсутствует
routes on the client:
Destination Gateway Genmask Flags Metric Ref Use Iface
интернет сеть * 255.255.255.248 U 0 0 0 eth1
10.8.0.0 * 255.255.255.0 U 0 0 0 tap0
192.168.250.0 private-address 255.255.255.0 UG 0 0 0 tap0
192.168.0.0 * 255.255.248.0 U 0 0 0 eth0
default * 0.0.0.0 UG 100 0 0 eth1
Packets from 192.168.0.0/21 to 192.168.250.0 get through, but in the opposite direction they get stuck at 10.8.0.2.
What could be wrong? Please advise.
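Added diagnostic, not part of the original post: when return traffic stops at the client's tap address in a setup like this, the first things to rule out are the FORWARD path between tap0 and eth0 and asymmetric return routing (hosts behind the client have no route to the remote LAN via this host, and the host neither NATs the traffic nor is their default gateway). The script below (names parse_iptables_save and audit_site_to_site are assumed) parses an iptables-save dump in the form posted above and reports those conditions, plus a user chain that nothing jumps to.

```python
import re

# Constructed excerpt of the client's iptables-save dump above (LOG/ICMP rules omitted).
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [56:5844]
:FORWARD ACCEPT [0:0]
:open_vpn - [0:0]
-A FORWARD -i eth0 -o tap0 -j ACCEPT
-A FORWARD -i tap0 -o eth0 -j ACCEPT
-A open_vpn -d 192.168.250.0/24 -i tap0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [4:224]
:POSTROUTING ACCEPT [0:0]
COMMIT
"""

def parse_iptables_save(text):
    """Parse iptables-save output into {table: {"policies": {...}, "rules": [...]}}."""
    tables, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):                     # table header, e.g. *filter
            cur = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line.startswith(":"):                   # chain declaration with policy
            chain, policy = line[1:].split()[:2]     # user chains carry policy "-"
            cur["policies"][chain] = policy
        elif line.startswith("-A "):                 # appended rule
            chain, rule = line[3:].split(" ", 1)
            cur["rules"].append((chain, rule))
    return tables

def audit_site_to_site(tables, vpn_if="tap0", lan_if="eth0"):
    """Return findings about why LAN<->VPN traffic may not make it back."""
    findings, flt, nat = [], tables.get("filter", {}), tables.get("nat", {})
    fwd = [r for c, r in flt.get("rules", []) if c == "FORWARD"]
    for a, b in ((vpn_if, lan_if), (lan_if, vpn_if)):   # both directions must pass
        accepted = any(f"-i {a} -o {b}" in r and "-j ACCEPT" in r for r in fwd)
        if not accepted and flt.get("policies", {}).get("FORWARD") != "ACCEPT":
            findings.append(f"FORWARD {a}->{b} is not accepted")
    post = [r for c, r in nat.get("rules", []) if c == "POSTROUTING"]
    if not any("MASQUERADE" in r or "SNAT" in r for r in post):
        findings.append(f"no SNAT/MASQUERADE in nat POSTROUTING: hosts behind "
                        f"{lan_if} need a return route to the remote LAN via this host")
    jumped_to = {t for _, r in flt.get("rules", []) for t in re.findall(r"-j (\S+)", r)}
    for chain, policy in flt.get("policies", {}).items():
        if policy == "-" and chain not in jumped_to:  # user chain nothing jumps to
            findings.append(f"chain {chain} is defined but never referenced")
    return findings
```

Run it against the output of `iptables-save` on the client; an empty list means the firewall is not the place to look and the LAN hosts' return routes are the next check.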