
How to set up routing so that all traffic to the ISP goes through the secure tunnel, from the OpenVPN client configuration

Looking at the two routing tables, even after the VPN is up, all traffic to the wider Internet still goes through the ISP rather than through the tunnel, with the gateway 192.168.43.1 both before and after connecting to the VPN. Google DNS 8.8.8.8 is set as a dhcp-option, and IPv6 is completely disabled.

Before connecting to the VPN

===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.43.1    192.168.43.35     55
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
     192.168.43.0    255.255.255.0         On-link     192.168.43.35    311
    192.168.43.35  255.255.255.255         On-link     192.168.43.35    311
   192.168.43.255  255.255.255.255         On-link     192.168.43.35    311
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.43.35    311
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.43.35    311
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
  1    331 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

After enabling the VPN

===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.43.1    192.168.43.35     55
       10.10.11.0    255.255.255.0      10.81.234.2      10.81.234.9    257
       10.10.12.0    255.255.255.0      10.81.234.2      10.81.234.9    257
       10.10.12.0  255.255.255.255      10.81.234.2      10.81.234.9    257
       10.10.13.0    255.255.255.0      10.81.234.2      10.81.234.9    257
       10.10.14.0    255.255.255.0      10.81.234.2      10.81.234.9    257
       10.10.15.0    255.255.255.0      10.81.234.2      10.81.234.9    257
       10.10.16.0  255.255.255.255      10.81.234.2      10.81.234.9    257
       10.10.17.0    255.255.255.0      10.81.234.2      10.81.234.9    257
       10.10.18.0    255.255.255.0      10.81.234.2      10.81.234.9    257
       10.10.19.0    255.255.255.0      10.81.234.2      10.81.234.9    257
       10.10.20.0    255.255.255.0      10.81.234.2      10.81.234.9    257
       10.10.22.0    255.255.255.0      10.81.234.2      10.81.234.9    257
       10.10.25.0    255.255.255.0      10.81.234.2      10.81.234.9    257
       10.10.26.0    255.255.255.0      10.81.234.2      10.81.234.9    257
       10.10.30.0    255.255.254.0      10.81.234.2      10.81.234.9    257
       10.10.40.0    255.255.255.0      10.81.234.2      10.81.234.9    257
        10.12.0.0      255.255.0.0      10.81.234.2      10.81.234.9    257
       10.12.2.40  255.255.255.255      10.81.234.2      10.81.234.9    257
      10.81.234.0    255.255.254.0         On-link       10.81.234.9    257
      10.81.234.9  255.255.255.255         On-link       10.81.234.9    257
    10.81.235.255  255.255.255.255         On-link       10.81.234.9    257
     100.100.15.0    255.255.255.0      10.81.234.2      10.81.234.9    257
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      192.168.0.0    255.255.248.0      10.81.234.2      10.81.234.9    257
     192.168.43.0    255.255.255.0         On-link     192.168.43.35    311
    192.168.43.35  255.255.255.255         On-link     192.168.43.35    311
   192.168.43.255  255.255.255.255         On-link     192.168.43.35    311
    xxx.xxx.xxx.x  255.255.255.255     192.168.43.1    192.168.43.35    311
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.43.35    311
        224.0.0.0        240.0.0.0         On-link       10.81.234.9    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.43.35    311
  255.255.255.255  255.255.255.255         On-link       10.81.234.9    257
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
  1    331 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Logs:

PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.81.234.2,ping 15,
ping-restart 60,route 10.10.40.0 255.255.255.0,route 10.10.30.0 255.255.254.0,
route 192.168.0.0 255.255.248.0,route 10.12.0.0 255.255.0.0,route 100.100.15.0 
255.255.255.0,route 10.12.2.40 255.255.255.255,route 10.10.11.0 255.255.255.0,
route 10.10.16.0 255.255.255.255,route 10.10.13.0 255.255.255.0,route 10.10.25.0 255.255.255.0,
route 192.168.0.0 255.255.248.0,route 10.10.15.0 255.255.255.0,route 10.10.20.0 
255.255.255.0,route 10.10.17.0 255.255.255.0,route 10.10.18.0 255.255.255.0,
route 
10.10.22.0 255.255.255.0,route 10.10.12.0 255.255.255.0,route 10.10.14.0 255.255.255.0,
route 10.10.14.0 255.255.255.0,route 10.10.19.0 255.255.255.0,route 10.10.14.0 
255.255.255.0,route 10.10.26.0 255.255.255.0,route 10.10.12.0 255.255.255.255,
topology subnet,route remote_host 255.255.255.255 net_gateway,dhcp-option DNS 192.168.1.32,
dhcp-option DNS 8.8.8.8,ifconfig 10.81.234.12 255.255.254.0'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: route-related options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
ROUTE_GATEWAY 192.168.43.1/255.255.255.0 I=16 HWADDR=xx:xx:xx:xx:xx:xx
open_tun, tt->ipv6=0
TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{7DDFD4E7-DE03-4DAA-9C74-87BC34684BEC}.tap
TAP-Windows Driver Version 9.21 
TAP-Windows MTU=1500
Set TAP-Windows TUN subnet mode network/local/netmask = 10.81.234.0/10.81.234.12/255.255.254.0 [SUCCEEDED]
Notified TAP-Windows driver to set a DHCP IP/netmask of 10.81.234.12/255.255.254.0 on interface {7DDFD4E7-DE03-4DAA-9C74-87BC34684BEC} [DHCP-serv: 10.81.235.254, lease-time: 31536000]
DHCP option string: 0608c0a8 01200808 0808
Successful ARP Flush on interface [11] {7DDFD4E7-DE03-4DAA-9C74-87BC34684BEC}
do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
MANAGEMENT: >STATE:1586610969,ASSIGN_IP,,10.81.234.12,,,,
TEST ROUTES: 25/25 succeeded len=25 ret=1 a=0 u/d=up
MANAGEMENT: >STATE:1586610974,ADD_ROUTES,,,,,,
C:\Windows\system32\route.exe ADD xxx.xxx.xxx.x MASK 255.255.255.255 192.168.43.1
Route addition via service succeeded
C:\Windows\system32\route.exe ADD 10.10.40.0 MASK 255.255.255.0 10.81.234.2
Route addition via service succeeded
C:\Windows\system32\route.exe ADD 10.10.30.0 MASK 255.255.254.0 10.81.234.2
Route addition via service succeeded
C:\Windows\system32\route.exe ADD 192.168.0.0 MASK 255.255.248.0 10.81.234.2
Route addition via service succeeded
C:\Windows\system32\route.exe ADD 10.12.0.0 MASK 255.255.0.0 10.81.234.2
Route addition via service succeeded
C:\Windows\system32\route.exe ADD 100.100.15.0 MASK 255.255.255.0 10.81.234.2
Route addition via service succeeded
C:\Windows\system32\route.exe ADD 10.12.2.40 MASK 255.255.255.255 10.81.234.2
Route addition via service succeeded
C:\Windows\system32\route.exe ADD 10.10.11.0 MASK 255.255.255.0 10.81.234.2
Route addition via service succeeded
C:\Windows\system32\route.exe ADD 10.10.16.0 MASK 255.255.255.255 10.81.234.2
Route addition via service succeeded
C:\Windows\system32\route.exe ADD 10.10.13.0 MASK 255.255.255.0 10.81.234.2
Route addition via service succeeded
C:\Windows\system32\route.exe ADD 10.10.25.0 MASK 255.255.255.0 10.81.234.2
Route addition via service succeeded
C:\Windows\system32\route.exe ADD 192.168.0.0 MASK 255.255.248.0 10.81.234.2
ROUTE: route addition failed using service: The object already exists.   [status=5010 if_index=11]
Route addition via service failed
C:\Windows\system32\route.exe ADD 10.10.15.0 MASK 255.255.255.0 10.81.234.2
Route addition via service succeeded
C:\Windows\system32\route.exe ADD 10.10.20.0 MASK 255.255.255.0 10.81.234.2
Route addition via service succeeded
C:\Windows\system32\route.exe ADD 10.10.17.0 MASK 255.255.255.0 10.81.234.2
Route addition via service succeeded
C:\Windows\system32\route.exe ADD 10.10.18.0 MASK 255.255.255.0 10.81.234.2
Route addition via service succeeded
C:\Windows\system32\route.exe ADD 10.10.22.0 MASK 255.255.255.0 10.81.234.2
Route addition via service succeeded
C:\Windows\system32\route.exe ADD 10.10.12.0 MASK 255.255.255.0 10.81.234.2
Route addition via service succeeded
C:\Windows\system32\route.exe ADD 10.10.14.0 MASK 255.255.255.0 10.81.234.2
Route addition via service succeeded
C:\Windows\system32\route.exe ADD 10.10.14.0 MASK 255.255.255.0 10.81.234.2
ROUTE: route addition failed using service: The object already exists.   [status=5010 if_index=11]
Route addition via service failed
C:\Windows\system32\route.exe ADD 10.10.19.0 MASK 255.255.255.0 10.81.234.2
Route addition via service succeeded
C:\Windows\system32\route.exe ADD 10.10.14.0 MASK 255.255.255.0 10.81.234.2
ROUTE: route addition failed using service: The object already exists.   [status=5010 if_index=11]
Route addition via service failed
C:\Windows\system32\route.exe ADD 10.10.26.0 MASK 255.255.255.0 10.81.234.2
Route addition via service succeeded
C:\Windows\system32\route.exe ADD 10.10.12.0 MASK 255.255.255.255 10.81.234.2
Route addition via service succeeded
C:\Windows\system32\route.exe ADD xxx.xxx.xxx.x MASK 255.255.255.255 192.168.43.1
ROUTE: route addition failed using service: The object already exists.   [status=5010 if_index=16]
Route addition via service failed
Initialization Sequence Completed
MANAGEMENT: >STATE:1586610974,CONNECTED,SUCCESS,10.81.234.12,xxx.xxx.xxx.x,8443,192.168.43.35,51245

Even the traceroute remains unchanged before and after connecting to the VPN.

Tracing route to somedomain.org [xx.xx.xxx.xxx]
over a maximum of 30 hops:

  1     3 ms     3 ms     2 ms  192.168.43.1
  2     *        *        *     Request timed out.
  3   724 ms   407 ms   512 ms  10.45.1.86
  4  2534 ms   375 ms   408 ms  10.45.8.146
  5   432 ms   408 ms   408 ms  10.45.8.153
  6   399 ms   378 ms   368 ms  172.16.101.42
  7     *      799 ms   408 ms  218.248.255.5
  8   301 ms     *        *     218.248.255.6
  9   206 ms   100 ms   101 ms  115.110.161.85.static.vsnl.net.in [115.110.161.85]
 10   269 ms    88 ms    89 ms  172.31.167.45
 11     *      917 ms   409 ms  ix-ae-2-1334.tcore2.svw-singapore.as6453.net [180.87.15.5]
 12     *        *        *     Request timed out.
 13   655 ms   531 ms   138 ms  if-ae-11-2.thar1.svq-singapore.as6453.net [180.87.98.37]
 14   398 ms   438 ms   378 ms  ae-9.a01.sngpsi07.sg.bb.gin.ntt.net [129.250.8.241]
 15   556 ms   378 ms   378 ms  ae-5.r01.sngpsi07.sg.bb.gin.ntt.net [129.250.2.241]
 16   378 ms   371 ms   386 ms  ae-2.r20.sngpsi07.sg.bb.gin.ntt.net [129.250.3.101]
 17   480 ms   384 ms   388 ms  ae-1.r25.osakjp02.jp.bb.gin.ntt.net [129.250.2.67]
 18   377 ms   378 ms   392 ms  ae-4.r22.lsanca07.us.bb.gin.ntt.net [129.250.2.176]
 19   537 ms   378 ms   378 ms  ae-1.r00.lsanca07.us.bb.gin.ntt.net [129.250.3.17]
 20   377 ms   378 ms   378 ms  ce-0-19-0-2.r00.lsanca07.us.ce.gin.ntt.net [168.143.228.173]
 21   514 ms   330 ms   338 ms  162-215-195-128.unifiedlayer.com [162.215.195.128]
 22   357 ms   358 ms   358 ms  162-215-195-141.unifiedlayer.com [162.215.195.141]
 23   447 ms   329 ms   328 ms  69-195-64-121.unifiedlayer.com [69.195.64.121]
 24   483 ms   338 ms   395 ms  eth3-33-3.prvspn002.net.unifiedlayer.com [162.144.240.159]
 25   476 ms   338 ms   338 ms  po99.prv-leaf6b.net.unifiedlayer.com [162.144.240.23]
 26   496 ms   348 ms   348 ms  host2053.hostmonster.com [xx.xx.xxx.xxx]

Trace complete.

OpenVPN configuration

client
dev tun
proto tcp
verify-x509-name "OU=Domain Control Validated, CN=*.domain.com"
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
Bag Attributes: <No Attributes>
subject=/C=BE/O=GlobalSign nv-sa/CN=XXXSSL CA - SHA256 - G2
issuer=/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
auth-user-pass pass.txt
cipher AES-128-CBC
auth SHA256
comp-lzo no
route-delay 4
verb 3
reneg-sec 0
tun-mtu 1500
fragment 0
mssfix 1420
remote-cert-tls server
auth-nocache
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
script-security 2 system
# route 0.0.0.0 128.0.0.0
# route 128.0.0.0 128.0.0.0
remote xxx.xxx.xxx.x 8443 tcp-client

How do I set up the route so that an encrypted, secure tunnel is created?
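Added example, not code from the question above: a small longest-prefix-match lookup over Windows "route print" style lines, so you can see which gateway a given destination actually takes. The PUSH_REPLY in the log only pushes specific subnets, so the 0.0.0.0/0 route via 192.168.43.1 is never overridden. What `redirect-gateway def1` (or the two commented-out `route 0.0.0.0 128.0.0.0` / `route 128.0.0.0 128.0.0.0` lines in the config) does is add 0.0.0.0/1 and 128.0.0.0/1 via the tunnel gateway, which beat the /0 route without deleting it; the pushed `route remote_host 255.255.255.255 net_gateway` host route keeps the VPN server itself reachable through the ISP. The sample tables are constructed from the addresses in the post (a subset of the "after VPN" table), 203.0.113.10 stands in for the masked server address xxx.xxx.xxx.x, and the function names are this example's own.

```python
"""Longest-prefix-match lookup over 'route print' lines (added example).

Windows picks the matching route with the longest prefix, lowest metric on a
tie. Feeding the full 'route print' output is fine: header, separator and
'Persistent Routes' lines do not match the row pattern and are skipped.
"""
import ipaddress
import re

# Constructed sample: subset of the post's "after VPN" table.
# 203.0.113.10 is a placeholder for the masked VPN server address.
AFTER_VPN = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.43.1    192.168.43.35     55
       10.10.40.0    255.255.255.0      10.81.234.2      10.81.234.9    257
      10.81.234.0    255.255.254.0         On-link       10.81.234.9    257
      192.168.0.0    255.255.248.0      10.81.234.2      10.81.234.9    257
     192.168.43.0    255.255.255.0         On-link     192.168.43.35    311
     203.0.113.10  255.255.255.255     192.168.43.1    192.168.43.35    311
"""

# Constructed: the two /1 routes that 'redirect-gateway def1' (or the two
# commented-out route lines in the config) installs via the tunnel gateway.
DEF1_ROUTES = """\
          0.0.0.0        128.0.0.0      10.81.234.2      10.81.234.9    257
        128.0.0.0        128.0.0.0      10.81.234.2      10.81.234.9    257
"""

# destination, netmask, gateway, interface, metric
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Return a list of route dicts parsed from route-print style text."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, separators, 'None', etc.
        dest, mask, gateway, iface, metric = m.groups()
        # ipaddress accepts a dotted-decimal netmask after the slash
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append({"net": net, "gateway": gateway,
                       "iface": iface, "metric": int(metric)})
    return routes


def lookup(routes, dst):
    """Best route for dst: longest prefix wins, lower metric breaks ties."""
    ip = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if ip in r["net"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def next_hop(routes, dst):
    """Gateway address, or the local interface address for On-link routes."""
    r = lookup(routes, dst)
    if r is None:
        return None
    return r["iface"] if r["gateway"] == "On-link" else r["gateway"]


def full_tunnel(routes, vpn_gateway):
    """True when a public address in each half of IPv4 space exits via the VPN."""
    probes = ("1.1.1.1", "129.1.1.1")  # one in 0.0.0.0/1, one in 128.0.0.0/1
    return all(next_hop(routes, p) == vpn_gateway for p in probes)


if __name__ == "__main__":
    before = parse_routes(AFTER_VPN)
    after = parse_routes(AFTER_VPN + DEF1_ROUTES)
    for dst in ("8.8.8.8", "10.10.40.7", "203.0.113.10", "192.168.43.1"):
        print(f"{dst:>14}: without def1 -> {next_hop(before, dst):<14}"
              f" with def1 -> {next_hop(after, dst)}")
    print("full tunnel without def1:", full_tunnel(before, "10.81.234.2"))
    print("full tunnel with def1:   ", full_tunnel(after, "10.81.234.2"))
```

Paste the real output of `route print` into `parse_routes` to check a live machine: the useful check is that 8.8.8.8 resolves to the tunnel gateway while the VPN server's own address still resolves to 192.168.43.1, otherwise the tunnel's TCP session would be routed into itself.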