{"id":115,"date":"2004-07-22T16:20:57","date_gmt":"2004-07-22T16:20:57","guid":{"rendered":"https:\/\/143-42-55-146.ip.linodeusercontent.com\/?p=115"},"modified":"2004-07-22T16:20:57","modified_gmt":"2004-07-22T16:20:57","slug":"tunel-mezi-linuxem-a-windows-xp","status":"publish","type":"post","link":"https:\/\/nax.cz\/?p=115","title":{"rendered":"TUNNEL BETWEEN LINUX AND WINDOWS XP"},
"content":{"rendered":"<p>Yesterday I finally managed to get a tunnel, or a VPN if you prefer, running between my Linux router and the notebook of my chosen one, which comes with Windows XP by nature. After all the futile attempts with ipsec (btw, it is a mandatory part of IPv6, and on Linux it is implemented by the <a href=\"http:\/\/www.openswan.org\">openswan<\/a> project &#8211; a fork of the earlier freeswan project), which I could not get running on Windows, and with pptpd (there is a server for Linux, <a href=\"http:\/\/poptop.org\/\">poptop<\/a>, but it is handled in some completely odd way through pppd, which I subconsciously associate mainly with modems and dial-up connections &#8211; even though I know the point-to-point protocol is not used only for that), I finally settled on <a href=\"http:\/\/openvpn.sourceforge.net\/\">openvpn<\/a> as the optimal choice. It is a userspace VPN implementation that runs both on Windows (even as a service) and on Linux (as a normal daemon that only needs tun\/tap module support in the kernel).<\/p>\n<p>It can be configured either to use strong encryption or, say, only to compress packets. Encryption is usually needed (the corporate world, where two LANs are joined into one via a VPN), but in my particular case it would be completely pointless and I would only needlessly cook the CPUs on both ends of the tunnel (besides, the box on my balcony is a pretty old clunker on which you certainly would not get Quake 2 going \ud83d\ude09 To cut it short: on my side I downloaded the sources (make sure you have the same versions on both machines! I first downloaded 2.0beta, but for Windows I found only the stable 1.6, and the differing versions caused problems), compiled them and installed them.<\/p>\n<p>Actually, before I go on describing the configuration, I should probably describe the situation, i.e. why I am building the tunnel at all. The thing is that my girlfriend is connected to the only AP in the whole area, whose admin flatly refuses to set up a default route into czfree (that is, to me). All the 10.x addresses are routed correctly, but Internet addresses, for which there obviously cannot be an entry in the routing table (because Internet addresses are everything other than the private ones, i.e. the 10.x, 192.168.x and a few less used ranges), can only be directed via the default route. And since the AP administrator has his own UPC connection and wants the router to reach the net over that connection, but does not allow this to any clients (nor can he, under the contract terms), there is a problem, because for the clients connected to him the route simply leads &#8220;into the wall&#8221;. I had of course been solving the same problem at home, but I was not afraid to experiment, and the solution at the routing level is to use so-called source routing. It is done by marking packets in the firewall according to the source address; with the tools from the iproute package (in Debian I have it as iproute2) several routing tables are defined, and according to the mark a packet received in the firewall, the packet is sent to the corresponding table. This achieves that directly from my router I get a default route into the internal network (and thus to my UPC connection), while all my clients have, in an alternative routing table, a default route to the Internet gateway of our czfree cloud.<\/p>\n<p>But the AP administrator claims it is too much work and a potential source of a hole in the firewall, and that source routing is simply out of the question. So only two options remain. Either a proxy server is used (which is how I had solved it at my girlfriend's so far), but that has the huge disadvantage that the application must support it (web browsers such as Mozilla, or even IE, have such a setting), whereas most games (for example <a href=\"http:\/\/cube.sourceforge.net\/\">cube<\/a>, which my girlfriend and I have grown very fond of) cannot do it, so you simply cannot play over the Internet and are limited to playing inside czfree (that is, the 10.x network). The second way is to build a so-called tunnel, or VPN. Put plainly, it means that virtual interfaces are created on both computers which, from the point of view of routing for instance, look as if the two computers were directly connected. The whole thing then works so that whatever is sent to the virtual interface gets wrapped in new headers carrying a directly reachable address (a 10.x one in my case) and is sent off. When such a packet arrives at the other computer, it is unwrapped again and the inner part is reported as having come from the virtual interface.<\/p>\n<p>Now to the configuration. Openvpn has two modes &#8211; tun, which means simulating a direct connection between two computers, and tap, which is a simulation of Ethernet, i.e. where several computers are attached to one segment. Whereas in the first mode you always set in the config file just the directly visible IP address of the other computer (remote) and both virtual addresses (the ifconfig line), in the tap variant on the server (that is, the one computer that will mediate the connection for the others) you leave remote commented out and set your own virtual address and the mask in ifconfig. On the clients you then put the server name into remote, and ifconfig looks the same except that it carries the virtual address of that client. Compared to ipsec it is a walk in the park. The other options are not that important and everything is very nicely commented, so there should be no problem.<\/p>\n<p>You also need to allow in the firewall on both sides the GRE protocol (that is PROTOCOL! 47 &#8211; CAREFUL! Not a port, but a protocol) and the port you chose for the communication (UDP port 5000 by default). Here is what I added to my fw:<\/p>\n<pre lang=\"bash\">\n$IPTABLES -A FORWARD -i $TUNEL1_IF -j ACCEPT\n$IPTABLES -A INPUT -i $TUNEL1_IF -j ACCEPT\n$IPTABLES -A INPUT -p 47 -s $EVIK_IP -j ACCEPT\n$IPTABLES -A INPUT -p UDP -s $EVIK_IP --dport 5000 -j ACCEPT\n$IPTABLES -A OUTPUT -s $TUNEL1_IP -j ACCEPT\n<\/pre>\n<p>Just a reminder that I use static-key authentication, which is why I allow everything coming from the tunnel interface. On the Windows side I also had to get it into the routing table that 10.x addresses are to be sent to its AP and not into the tunnel (otherwise the packets already wrapped by the tunnel would be stuffed into the tunnel again). So in cmd I ran a permanent route addition (the -p parameter makes sure the route is still there after a reboot) to the 10.x network:<\/p>\n<p><strong>route -p add 10.0.0.0 mask 255.0.0.0 10.27.9.1<\/strong><\/p>\n<p>where 10.27.9.1 is the IP of that AP, from the range that her notebook is also in (i.e. it is on the same network).<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>Yesterday I finally managed to get a tunnel, or a VPN if you prefer, running between my Linux router and the notebook of my chosen one, which comes with Windows XP by nature. After all the futile attempts with ipsec (btw, it is a mandatory part of IPv6, and on Linux it is implemented by the openswan project &#8211; a fork of the earlier freeswan project), which I could not get running [&hellip;]<\/p>\n","protected":false},
"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-115","post","type-post","status-publish","format-standard","hentry","category-networks"],
"_links":{"self":[{"href":"https:\/\/nax.cz\/index.php?rest_route=\/wp\/v2\/posts\/115","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nax.cz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nax.cz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nax.cz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nax.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=115"}],"version-history":[{"count":0,"href":"https:\/\/nax.cz\/index.php?rest_route=\/wp\/v2\/posts\/115\/revisions"}],"wp:attachment":[{"href":"https:\/\/nax.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=115"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nax.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=115"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nax.cz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=115"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}