Ubuntu 服务器未路由我的 VTun VPN 的数据包

Ubuntu 服务器未路由我的 VTun VPN 的数据包

我有一个 Ubuntu 12.04 LTE 虚拟服务器、内核 2.6.32 和一个运行 VTun 的 VPN。

在VPN中,服务器为6.6.6.6,两个客户端为6.6.6.296.6.6.35

如果我6.6.6.6从任何客户端 ping,服务器都会立即响应。所以我相信客户端配置正确。但如果我6.6.6.35从ping 6.6.6.29,或反之亦然,则没有响应。

来自的跟踪路由6.6.6.29显示:

$ traceroute -n 6.6.6.35

traceroute to 6.6.6.35 (6.6.6.35), 30 hops max, 60 byte packets
 1  6.6.6.6  78.409 ms  80.202 ms  82.820 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *

我猜测服务器的路由表存在路由问题。

我的配置文件是:

$ cat /etc/default/vtun

RUN_SERVER=yes

$ cat /etc/vtund.conf

options {
    bindaddr {
        addr 85.84.83.82;
    };
}

default {
    type      tun;
    proto     tcp;
    persist   yes;
    keepalive yes;
    stat      yes;
    multi     yes;
}

client1 {
    passwd   U'dLikeToKnow;

    up {
        ifconfig "%% 6.6.6.6 pointopoint 6.6.6.29 mtu 1450";
        route "add -net 6.6.6.0 netmask 255.255.255.0 gw 6.6.6.29";
    };
    down {
        ifconfig "%% down";
        route "del -net 6.6.6.0 netmask 255.255.255.0 gw 6.6.6.29";
    };
}

client2 {
    passwd   U'dLikeToKnow;

    up {  
        ifconfig "%% 6.6.6.6 pointopoint 6.6.6.35 mtu 1450";
        route "add -net 6.6.6.0 netmask 255.255.255.0 gw 6.6.6.35";
    };
    down {
        ifconfig "%% down";
        route "del -net 6.6.6.0 netmask 255.255.255.0 gw 6.6.6.35";
    };
}     

$ ifconfig

tun0      Link encap:UNSPEC  direcciónHW 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          Direc. inet:6.6.6.6  P-t-P:6.6.6.29  Másc:255.255.255.255
          ACTIVO PUNTO A PUNTO FUNCIONANDO NOARP MULTICAST  MTU:1450  Métrica:1
          Paquetes RX:358 errores:0 perdidos:0 overruns:0 frame:0
          Paquetes TX:18 errores:0 perdidos:0 overruns:0 carrier:0
          colisiones:0 long.colaTX:500 
          Bytes RX:27624 (27.6 KB)  TX bytes:1560 (1.5 KB)

tun1      Link encap:UNSPEC  direcciónHW 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          Direc. inet:6.6.6.6  P-t-P:6.6.6.35  Másc:255.255.255.255
          ACTIVO PUNTO A PUNTO FUNCIONANDO NOARP MULTICAST  MTU:1450  Métrica:1
          Paquetes RX:98 errores:0 perdidos:0 overruns:0 frame:0
          Paquetes TX:91 errores:0 perdidos:0 overruns:0 carrier:0
          colisiones:0 long.colaTX:500 
          Bytes RX:10580 (10.5 KB)  TX bytes:8579 (8.5 KB)

$ route

Tabla de rutas IP del núcleo
Destino         Pasarela        Genmask         Indic Métric Ref    Uso Interfaz
6.6.6.29        *               255.255.255.255 UH    0      0        0 tun0
6.6.6.35        *               255.255.255.255 UH    0      0        0 tun1
6.6.6.0         6.6.6.35        255.255.255.0   UG    0      0        0 tun1
6.6.6.0         6.6.6.29        255.255.255.0   UG    0      0        0 tun0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         *               0.0.0.0         U     0      0        0 venet0

最奇怪的问题是,当我将服务器从版本 10.04 LTE 升级到 12.04 LTE 时出现了这个问题。

当我这样做时:# cat /proc/sys/net/ipv4/ip_forward我得到1

当我这样做时:# ufw我得到-bash: ufw: command not found

添加于2013年4月15日:

当我这样做时:# iptables -L我得到:

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere             tcpflags:! FIN,SYN,RST,ACK/SYN reject-with tcp-reset
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8443
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8880
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssmtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:poppassd
DROP       tcp  --  anywhere             anywhere             tcp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:postgresql
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9008
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9080
ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn
DROP       udp  --  anywhere             anywhere             udp dpt:domain
DROP       tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     icmp --  anywhere             anywhere             icmptype 8 code 0
ACCEPT     all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere             tcpflags:! FIN,SYN,RST,ACK/SYN reject-with tcp-reset
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
LOG        all  --  anywhere            !6.6.6.0/24           limit: avg 5/min burst 5 LOG level warning
LOG        all  --  anywhere            !6.6.6.0/24           limit: avg 5/min burst 5 LOG level warning
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere             tcpflags:! FIN,SYN,RST,ACK/SYN reject-with tcp-reset
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere   

如果我这样做tcpdump -n -vvv -i tun0,我ping 6.6.6.356.6.6.29得到:

tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
00:17:16.876853 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    6.6.6.29 > 6.6.6.35: ICMP echo request, id 4664, seq 1, length 64
00:17:17.875252 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    6.6.6.29 > 6.6.6.35: ICMP echo request, id 4664, seq 2, length 64
00:17:18.882941 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    6.6.6.29 > 6.6.6.35: ICMP echo request, id 4664, seq 3, length 64
00:17:19.891173 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    6.6.6.29 > 6.6.6.35: ICMP echo request, id 4664, seq 4, length 64
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel

如果我同时这样做tcpdump -n -vvv -i tun1,我等待又等待,却一无所获:

tcpdump: listening on tun1, link-type RAW (Raw IP), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

当我这样做时,tcpdump -n -vvv -e -i any host 6.6.6.29我得到:

tcpdump -n -vvv -e -i any host 6.6.6.29
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
09:50:05.051513  In ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    6.6.6.29 > 6.6.6.35: ICMP echo request, id 11932, seq 1, length 64

当我这样做时,ip route get 6.6.6.35 from 6.6.6.29 iif tun0我得到:

6.6.6.35 from 6.6.6.29 dev tun1  src 6.6.6.6 
    cache <src-direct>  mtu 1450 advmss 1410 hoplimit 64 iif tun0

有什么建议么?

答案1

听起来更像是防火墙/数据包转发问题...您的服务器是否转发数据包?如何启用数据包转发?或者更正式地UFW(简单防火墙)

如果数据包转发正常工作,防火墙(和 VPN 配置)是否允许客户端之间的流量(我知道有一个在 OpenVPN 中,配置设置称为“客户端到客户端”)。

或者可能openvpn 可以工作,但客户端只能 ping 服务器有帮助吗?


更新 抱歉,我刚刚意识到:你的路线不对……

6.6.6.0         6.6.6.35        255.255.255.0   UG    0      0        0 tun1
6.6.6.0         6.6.6.29        255.255.255.0   UG    0      0        0 tun0

没有意义(但也不应该导致您描述的问题)。

您告诉服务器网络 6.6.6.0/24 落后于 6.6.6.29 和 6.6.6.35。这不太好。您想通过这些路由实现什么目的?我认为您不需要它们。

但服务器仍应能够分别路由到 6.6.6.29 和 .39。您能从服务器 (6.6.6.6) ping 6.6.6.29 和 .39 吗?

顺便说一句:6.6.6.0/24 不是一个可以随意使用的网络。使用 RFC1918 网络(10.0.0.0/8、172.16.0.0/12 或 192.168.0.0/16)会更合适。

相关内容