Server
server.conf
# create by tim on 20130913
#
# OpenVPN server side of a point-to-point tap tunnel using a static
# pre-shared key. The tap device is bridged into the LAN by up.sh.
# There is no user/group directive, so OpenVPN (and therefore up.sh)
# presumably keeps running as root — confirm against the service unit.

# Listen on UDP/1194 (the iptables file admits this port from a single
# source address only).
port 1194
proto udp
# Layer-2 (tap) device so up.sh can attach it to the brlan bridge.
dev tap0
# Static-key mode: no TLS, no certificates, one key shared with the single
# peer; the key file must be kept readable by the OpenVPN process only.
# Relative path, so it is resolved from OpenVPN's working directory.
secret key.txt
# Level 3 permits hooks AND passes passwords to them via the environment;
# the "system" method runs the hook through a shell and is deprecated.
# NOTE(review): level 2 with the default execve method is sufficient for an
# up script — confirm before tightening.
script-security 3 system
# Hook run once the tap device exists; receives the device name as $1.
up /etc/openvpn/up.sh
# Ping the peer every 3 s, restart the tunnel after 60 s without a reply.
keepalive 3 60
# LZO compression disabled. NOTE(review): in static-key mode nothing is
# negotiated, so the peer presumably needs the same setting.
comp-lzo no
# Keep the key in memory and the tap device open across keepalive
# restarts; with persist-tun the up script is not re-run on restart.
persist-key
persist-tun
# Verbosity 4 is the general-use level; 5 and above log per packet.
verb 4
log /var/log/openvpn/openvpn.log
status /var/log/openvpn/status
up.sh
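#!/bin/sh
# create by tim
#
# OpenVPN "up" hook for server.conf: attaches the freshly created tap
# device to the LAN bridge and enables proxy ARP on the WAN interface and
# on the bridge so the bridged hosts are reachable from the WAN side.
#
# OpenVPN passes the tap interface name as the first argument; the
# remaining arguments (MTU, addresses, init|restart) are not used here.
# Any failure exits non-zero so OpenVPN reports the failed hook instead
# of carrying on with a tap device that is up but not bridged.
set -eu

# set it !!  (bridge the tap device joins; must match ifcfg-brlan)
bridge=brlan
# WAN interface that will answer ARP on behalf of the bridged hosts
wan_if=eth0

# the tap interface name is passed as first argument
tap_if=${1:?tap interface name expected as first argument}

ifconfig "$tap_if" up \
  || { printf 'up.sh: cannot bring up %s\n' "$tap_if" >&2; exit 1; }
brctl addif "$bridge" "$tap_if" \
  || { printf 'up.sh: cannot add %s to bridge %s\n' "$tap_if" "$bridge" >&2; exit 1; }
# presumably gives the new bridge port a moment to settle — kept as-is
sleep 3

# Enable arp proxy on the WAN side and on the bridge
echo 1 > "/proc/sys/net/ipv4/conf/$wan_if/proxy_arp"
echo 1 > "/proc/sys/net/ipv4/conf/$bridge/proxy_arp"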
run.sh
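#!/bin/sh
# create by tim
#
# (Re)creates the routes and ARP entries that make the 203.169.xxx.x hosts
# behind the br0/brlan bridges reachable: stale entries are removed first,
# the routes are added, then the static ARP table is reloaded.
# Requires root; `ip`, `arp` and the br0/brlan bridges must exist.
# Note: declared with POSIX `name() {` syntax — the `function` keyword is a
# bashism and is a syntax error under /bin/sh on dash-based systems.

# Remove any existing route and ARP entry for $1 on both brlan and eth0.
# Best-effort: output is discarded because "entry not present" is the
# normal case on a fresh run, not an error.
clearup() {
  : "${1:?clearup: address or prefix required}"
  ip route del "$1" dev brlan > /dev/null 2>&1
  ip route del "$1" dev eth0 > /dev/null 2>&1
  arp -d "$1" dev brlan > /dev/null 2>&1
  arp -d "$1" dev eth0 > /dev/null 2>&1
  return 0
}

# Add a route for $1 via device $2. The kernel's message is still
# discarded, but a refused route is now reported on stderr instead of
# being swallowed silently.
add_route() {
  ip route add "$1" dev "$2" > /dev/null 2>&1 \
    || printf 'run.sh: warning: could not add route %s dev %s\n' "$1" "$2" >&2
}

# del
clearup "203.169.xxx.0/24"
clearup "203.169.xxx.xxx"
clearup "203.169.xxx.xxx"

# create
add_route 203.169.xxx.xxx br0
add_route 203.169.xxx.xxx brlan
add_route 203.169.xxx.xxx brlan
add_route "203.169.xxx.0/24" br0

# must last line: reload the static ARP entries from /etc/ethers
arp -f
echo "Done"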
check.sh
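#!/bin/sh
# create by tim
#
# Dumps the network state the bridge/VPN setup depends on: proxy ARP
# flags, IP forwarding, routes, ARP cache, bridge membership and the
# firewall rules that mention the 203.169.xxx hosts. Read-only; most
# sections need root to show anything useful. Deliberately no `set -e`:
# a missing interface must not stop the remaining sections from printing.

# Print a "#### <title>" banner, then run the remaining arguments as a command.
section() {
  title=$1
  shift
  echo "#### $title"
  "$@"
}

section "br0 proxy" cat /proc/sys/net/ipv4/conf/br0/proxy_arp
section "brlan proxy" cat /proc/sys/net/ipv4/conf/brlan/proxy_arp
section "sys forward" cat /proc/sys/net/ipv4/ip_forward
section "route table" ip route
section "ARP TABLE" arp -an
section "bridge setting" brctl show
echo "#### forwarding result"
# -F: match the address text literally ('.' would otherwise match any byte)
iptables -nL | grep -F "203.169.xxx"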
iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
#
# iptables-save format, filter table only. All three chain policies are
# ACCEPT, so the two explicit REJECT rules at the end of INPUT and FORWARD
# are what actually closes the host — keep them last in their chains.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Return traffic of flows the host initiated.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Anything arriving over the VPN tap device or from the LAN bridge reaches
# every local service: there is no per-port filtering on these interfaces.
-A INPUT -i tap0 -j ACCEPT
-A INPUT -i brlan -j ACCEPT
# SSH accepted from any source, including the WAN side (no source
# restriction or rate limit on this rule).
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# openvpn: only the single peer at 115.160.xxx.xxx may open the UDP/1194
# tunnel, matching the one-peer static-key server.conf.
-A INPUT -s 115.160.xxx.xxx -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Forwarding: everything entering from the tunnel or the LAN bridge may be
# routed; from br0 only traffic addressed to the one 203.169.xxx.xxx host.
# (br0 has no ifcfg file on this page — presumably defined elsewhere.)
-A FORWARD -i tap0 -j ACCEPT
-A FORWARD -i brlan -j ACCEPT
-A FORWARD -i br0 -d 203.169.xxx.xxx -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
ifcfg-eth0
# wan
# Upstream (Internet-facing) interface with a static address. The '?'
# characters are the author's redactions: fill in the real MAC and IP.
# NOTE(review): no GATEWAY= here — presumably set elsewhere (e.g. in
# /etc/sysconfig/network); confirm the default route is configured.
DEVICE=eth0
HWADDR=00:08:02:??:??:??
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=static
IPADDR=?.?.?.?
NETMASK=255.255.255.0
ifcfg-eth1
# lan
# Inner LAN port. It carries no address of its own: BRIDGE=brlan enslaves
# it to the bridge defined in ifcfg-brlan, which is the bridge up.sh adds
# the OpenVPN tap device to. The '?' characters are the author's redaction.
# NOTE(review): NM_CONTROLLED=yes on a bridge slave — older NetworkManager
# builds do not manage bridges; set to no if NM keeps reconfiguring eth1.
DEVICE=eth1
HWADDR=00:50:BF:??:??:??
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BRIDGE=brlan
IPV6INIT=no
ifcfg-brlan
# Bridge joining the LAN port (eth1, via BRIDGE=brlan in ifcfg-eth1) and the
# OpenVPN tap device (added at runtime by up.sh). No address is configured
# on the bridge itself. STP=off means no spanning tree: a second link
# between the bridged segments would form an undetected loop, so keep this
# off only while the topology stays as simple as it is here.
DEVICE=brlan
TYPE=Bridge
ONBOOT=yes
STP=off