С сервера
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:00:00:30:73:73 brd ff:ff:ff:ff:ff:ff
inet **.22.232.228/23 brd **.22.233.255 scope global eth0
valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
valid_lft forever preferred_lft forever
# ip r
default via **.22.233.254 dev eth0
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
**.22.232.0/23 dev eth0 proto kernel scope link src **.22.232.228
nslookup ya.ru
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: ya.ru
Address: 93.158.134.3
Name: ya.ru
Address: 213.180.204.3
Name: ya.ru
Address: 213.180.193.3
nslookup ya.ru 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: ya.ru
Address: 213.180.204.3
Name: ya.ru
Address: 93.158.134.3
Name: ya.ru
Address: 213.180.193.3
# iptables-save
# Generated by iptables-save v1.4.21 on Tue Apr 19 16:27:30 2016
*nat
:PREROUTING ACCEPT [2286:1014643]
:INPUT ACCEPT [1:52]
:OUTPUT ACCEPT [7:454]
:POSTROUTING ACCEPT [7:454]
# Source-NAT for the OpenVPN subnet ("server 10.8.0.0 255.255.255.0" in server.conf) leaving via eth0.
# NAT by itself does not permit forwarding; the filter FORWARD chain below decides that.
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Apr 19 16:27:30 2016
# Generated by iptables-save v1.4.21 on Tue Apr 19 16:27:30 2016
*filter
# Default-deny on INPUT: anything not matched by an ACCEPT below is dropped.
:INPUT DROP [700046:370572070]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [21905:9912384]
:fail2ban-MAIL - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-VESTA - [0:0]
:fail2ban-ssh - [0:0]
:vesta - [0:0]
# Two SSH jump chains (fail2ban-ssh and fail2ban-SSH) cover the same port 22. Both only RETURN at the
# moment, so the duplication is harmless, but it suggests two fail2ban jail definitions for one service.
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m tcp --dport 8083 -j fail2ban-VESTA
-A INPUT -p tcp -m multiport --dports 25,465,587,2525,110,995,143,993 -j fail2ban-MAIL
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
# OpenVPN listener ("port 7777" / "proto udp" in server.conf).
-A INPUT -p udp -m udp --dport 7777 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443,3000,3001,3002,3005 -j ACCEPT
# Inbound DNS from anywhere. Only needed if this host serves DNS to outside clients; the VPN clients
# are pushed 8.8.8.8/8.8.4.4, not this host — TODO confirm, otherwise remove this rule.
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587,2525 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 110,995 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 143,993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# Packets carrying this host's own address (or 127.0.0.1) as source should only ever be locally
# generated; without "-i lo" / "-i eth0" restrictions these two rules also accept spoofed ones.
# The RELATED,ESTABLISHED rule below already covers legitimate local traffic, so prefer "-i lo -j ACCEPT".
-A INPUT -s **.22.232.228/32 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
# NOTE(review): the eleven --sport rules below accept any packet, in any connection state, whose
# source port happens to be one of these values. The remote side picks its own source port, so
# together they undo the INPUT DROP policy for every local port. Replies to this server's own
# outbound connections are already matched by the RELATED,ESTABLISHED rule further down, so these
# rules add nothing legitimate and should be removed.
-A INPUT -p tcp -m tcp --sport 25 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 5432 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 8433 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 8083 -j ACCEPT
# Stateful accept for return traffic of connections this host initiated.
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
# Purpose of UDP 8888 on eth0 is not visible in this dump — TODO confirm it is still needed.
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 8888 -j ACCEPT
# Every VPN client may reach every local service (no port restriction on tun+).
-A INPUT -i tun+ -j ACCEPT
# The conntrack and state matches are equivalent; the second line never matches anything the first missed.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# BUG: this unconditional REJECT sits before the tun+ ACCEPT rules that follow it. Chains are
# evaluated top to bottom and REJECT is terminal, so the five FORWARD rules after this line are
# unreachable and no NEW connection is ever forwarded from tun0 to eth0 — including the clients'
# DNS queries to 8.8.8.8 that "redirect-gateway def1" sends through the tunnel. This is consistent
# with the client's "no servers could be reached" output below (also confirm net.ipv4.ip_forward=1,
# which is not shown here). Move this line to the end of the FORWARD chain, after the tun+ rules.
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
# 10.128.0.0/24 is not on any interface of this host (see "ip a" / "ip r" above); presumably a
# leftover from an earlier setup — verify before keeping.
-A FORWARD -s 10.128.0.0/24 -j ACCEPT
-A FORWARD -d 10.128.0.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Forward anything arriving from a VPN client. The two rules after it are subsumed by this one
# and by the RELATED,ESTABLISHED rules at the top of the chain.
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
# Redundant: the OUTPUT policy is already ACCEPT.
-A OUTPUT -o tun+ -j ACCEPT
# fail2ban chains hold no bans at the time of this dump (RETURN only); the doubled RETURN in
# fail2ban-ssh is harmless.
-A fail2ban-MAIL -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-VESTA -j RETURN
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Tue Apr 19 16:27:30 2016
server.conf:
# Listener; must agree with the INPUT rule "-p udp -m udp --dport 7777 -j ACCEPT" in the iptables dump above.
port 7777
proto udp
dev tun
ca ca.crt
cert server.crt
# Key, DH parameters, status and log files are all relative paths, resolved against the directory
# OpenVPN is started from (no "cd" directive here). The private key should be root-owned and mode 0600.
key server.key
dh dh2048.pem
# HMAC protection of the control channel; key-direction 0 on the server, the client uses 1
# (ta-dir=1 in the NetworkManager profile below).
tls-auth ta.key 0
# NOTE(review): 3DES is a 64-bit-block cipher, which exposes long-lived tunnels to birthday-bound
# attacks (Sweet32). Prefer an AES cipher such as AES-256-CBC (or AES-256-GCM on OpenVPN 2.4+) and
# change the client's cipher= line at the same time, otherwise the data channel will not negotiate.
cipher DES-EDE3-CBC
# Server mode; this is the subnet the MASQUERADE and FORWARD rules above refer to.
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# All client traffic is routed through the tunnel, so the server must both forward and NAT it.
push "redirect-gateway def1"
# Client resolvers are pointed at Google DNS. Those queries also traverse the tunnel and the
# server's FORWARD chain, so a forwarding problem shows up on the client first as DNS timeouts.
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Drop root after initialisation. persist-key / persist-tun (below) keep the daemon from having to
# re-read key files or re-open the tun device on restart, which it could no longer do as nobody.
user nobody
group nogroup
max-clients 10
# Lets VPN clients talk to each other directly through the server; this widens lateral reach
# between clients, so drop it unless actually needed.
client-to-client
keepalive 10 120
# NOTE(review): compression inside a VPN has known plaintext-leak issues (VORACLE-style);
# consider removing it here together with comp-lzo=yes on the client.
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
С клиента
Соединяюсь через network-manager, по-моему gnome-openvpn. Вот конфиг:
[connection]
id=VPN
uuid=941a0c02-0e89-43eb-bb0a-f0da4e01b497
type=vpn
autoconnect=false
permissions=
secondaries=
timestamp=1460987415
[vpn]
# Key-direction 1 pairs with "tls-auth ta.key 0" on the server.
ta-dir=1
connection-type=tls
remote=**.22.232.228
# Must match the server's "cipher" line; change both sides together (3DES is a weak 64-bit-block cipher).
cipher=DES-EDE3-CBC
# Must match "comp-lzo" on the server.
comp-lzo=yes
cert-pass-flags=0
port=7777
# Certificate-only authentication. The client key lives in a home directory; its permissions are
# not visible here — it should be readable only by the account that brings the connection up.
cert=/home/openvpn/client.crt
ca=/home/openvpn/ca.crt
key=/home/openvpn/client.key
ta=/home/openvpn/ta.key
service-type=org.freedesktop.NetworkManager.openvpn
[vpn-secrets]
# No password secrets stored; authentication is purely certificate based.
no-secret=true
[ipv4]
# Routes and DNS come from the server's pushed options (redirect-gateway, dhcp-option DNS).
dns-search=
method=auto
[ipv6]
dns-search=
ip6-privacy=0
method=auto
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 04:7d:7b:3b:4a:f4 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether e0:ca:94:c6:d7:60 brd ff:ff:ff:ff:ff:ff
4: wwx0c5b8f279a64: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 0c:5b:8f:27:9a:64 brd ff:ff:ff:ff:ff:ff
inet 10.133.27.161/30 brd 10.133.27.163 scope global dynamic wwx0c5b8f279a64
valid_lft 516398sec preferred_lft 516398sec
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.8.0.6 peer 10.8.0.5/32 brd 10.8.0.6 scope global tun0
valid_lft forever preferred_lft forever
~# ip r
default via 10.8.0.5 dev tun0 proto static metric 50
default via 10.133.27.162 dev wwx0c5b8f279a64 proto static metric 750
10.8.0.0/24 via 10.8.0.5 dev tun0 proto static metric 50
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
10.8.0.5 dev tun0 proto static scope link metric 950
10.8.0.6 dev tun0 proto kernel scope link src 10.8.0.6 metric 50
10.133.27.160/30 dev wwx0c5b8f279a64 proto kernel scope link src 10.133.27.161 metric 750
**.22.232.228 via 10.133.27.162 dev wwx0c5b8f279a64 proto static metric 750
# nslookup ya.ru
;; connection timed out; no servers could be reached
# nslookup ya.ru 8.8.8.8
;; connection timed out; no servers could be reached
Всё-таки думаю, что с iptables накосячил.