需要设置哪些规则才能允许 Softether VPN 上的 NAT？

Question

首先，确保您正在使用 Softether 的本地桥接功能，并利用 tap 接口。这将比标准桥接更快，并允许您以不会破坏其他客户端的方式设置 DHCP。:-)

为了易于使用，我将我的 TAP 接口命名为“soft”，但请记住调整您的 netplan 规则，如下所示：在下面的规则中，我使用 enp0s7 作为 WAN，使用 enp3s0f0 作为 LAN 接口。

# This file is generated from information provided by
# the datasource.  Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
    ethernets:
        enp0s7:
            dhcp4: true
            optional: false
        enp3s0f0:
            addresses: [192.168.254.1/24]
            nameservers:
                addresses: [9.9.9.9,192.168.1.254]
                search: [vinceworks.com]
            dhcp4: false
            optional: true
        tap_soft:
            addresses: [192.168.253.1/24]
            dhcp4: false
            optional: true

    version: 2

您还需要在 /etc/dhcp/dhcpd.conf 文件中调整您的 DHCP 规则：

subnet 192.168.254.0 netmask 255.255.255.0 {
  range 192.168.254.100 192.168.254.150;
# broadcast-address needs to be .255 to cover all the address range
  option broadcast-address 192.168.254.255;
  option routers 192.168.254.1;
}

subnet 192.168.253.0 netmask 255.255.255.0 {
  range 192.168.253.30 192.168.253.42;
# broadcast-address needs to be .255 to cover all the address ranges
  option broadcast-address 192.168.253.255;
  option routers 192.168.253.1;
}

以下是您应在启动时设置的 iptables 规则：

# Default policy to drop all incoming packets.
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Allow forwarding at the highest levels!
sudo sysctl -w net.ipv4.ip_forward=1

# Accept incoming packets from localhost and the LAN interface.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i enp3s0f0 -j ACCEPT
# Accept incoming packets from tap_soft
iptables -A INPUT -i tap_soft -j ACCEPT

# Accept incoming packets from the WAN if the router initiated the
#connection
iptables -A INPUT -i enp0s7 -m conntrack \
--ctstate ESTABLISHED,RELATED -j ACCEPT

# Forward LAN packets to the WAN.
iptables -A FORWARD -i enp3s0f0 -o enp0s7 -j ACCEPT
# Forward packets Between the LAN and WAN to VPN
iptables -A FORWARD -i tap_soft -o enp0s7 -j ACCEPT
iptables -A FORWARD -i tap_soft -o enp3s0f0 -j ACCEPT

# Forward WAN packets to the LAN if the LAN initiated the connection.
iptables -A FORWARD -i enp0s7 -o enp3s0f0 -m conntrack \
--ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i enp0s7 -o tap_soft -m conntrack \
--ctstate ESTABLISHED,RELATED -j ACCEPT

# NAT traffic going out the WAN interface.
iptables -t nat -A POSTROUTING -o enp0s7 -j MASQUERADE

#Sleep for a little bit to allow the VPN interface to come up
sleep 30
#Restart the DHCP server to begin serving for the new interface
systemctl restart isc-dhcp-server

Answer 1

首先，确保您正在使用 Softether 的本地桥接功能，并利用 tap 接口。这将比标准桥接更快，并允许您以不会破坏其他客户端的方式设置 DHCP。:-)

为了易于使用，我将我的 TAP 接口命名为“soft”，但请记住调整您的 netplan 规则，如下所示：在下面的规则中，我使用 enp0s7 作为 WAN，使用 enp3s0f0 作为 LAN 接口。

# This file is generated from information provided by
# the datasource.  Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
    ethernets:
        enp0s7:
            dhcp4: true
            optional: false
        enp3s0f0:
            addresses: [192.168.254.1/24]
            nameservers:
                addresses: [9.9.9.9,192.168.1.254]
                search: [vinceworks.com]
            dhcp4: false
            optional: true
        tap_soft:
            addresses: [192.168.253.1/24]
            dhcp4: false
            optional: true

    version: 2

您还需要在 /etc/dhcp/dhcpd.conf 文件中调整您的 DHCP 规则：

subnet 192.168.254.0 netmask 255.255.255.0 {
  range 192.168.254.100 192.168.254.150;
# broadcast-address needs to be .255 to cover all the address range
  option broadcast-address 192.168.254.255;
  option routers 192.168.254.1;
}

subnet 192.168.253.0 netmask 255.255.255.0 {
  range 192.168.253.30 192.168.253.42;
# broadcast-address needs to be .255 to cover all the address ranges
  option broadcast-address 192.168.253.255;
  option routers 192.168.253.1;
}

以下是您应在启动时设置的 iptables 规则：

# Default policy to drop all incoming packets.
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Allow forwarding at the highest levels!
sudo sysctl -w net.ipv4.ip_forward=1

# Accept incoming packets from localhost and the LAN interface.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i enp3s0f0 -j ACCEPT
# Accept incoming packets from tap_soft
iptables -A INPUT -i tap_soft -j ACCEPT

# Accept incoming packets from the WAN if the router initiated the
#connection
iptables -A INPUT -i enp0s7 -m conntrack \
--ctstate ESTABLISHED,RELATED -j ACCEPT

# Forward LAN packets to the WAN.
iptables -A FORWARD -i enp3s0f0 -o enp0s7 -j ACCEPT
# Forward packets Between the LAN and WAN to VPN
iptables -A FORWARD -i tap_soft -o enp0s7 -j ACCEPT
iptables -A FORWARD -i tap_soft -o enp3s0f0 -j ACCEPT

# Forward WAN packets to the LAN if the LAN initiated the connection.
iptables -A FORWARD -i enp0s7 -o enp3s0f0 -m conntrack \
--ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i enp0s7 -o tap_soft -m conntrack \
--ctstate ESTABLISHED,RELATED -j ACCEPT

# NAT traffic going out the WAN interface.
iptables -t nat -A POSTROUTING -o enp0s7 -j MASQUERADE

#Sleep for a little bit to allow the VPN interface to come up
sleep 30
#Restart the DHCP server to begin serving for the new interface
systemctl restart isc-dhcp-server

需要设置哪些规则才能允许 Softether VPN 上的 NAT？

答案1

您还需要在 /etc/dhcp/dhcpd.conf 文件中调整您的 DHCP 规则：

以下是您应在启动时设置的 iptables 规则：

相关内容