我有一个 Ubuntu 12.04 LTE 虚拟服务器、内核 2.6.32 和一个运行 VTun 的 VPN。
在VPN中,服务器为6.6.6.6,两个客户端为6.6.6.29和6.6.6.35。
如果我6.6.6.6从任何客户端 ping,服务器都会立即响应。所以我相信客户端配置正确。但如果我6.6.6.35从ping 6.6.6.29,或反之亦然,则没有响应。
来自的跟踪路由6.6.6.29显示:
$ traceroute -n 6.6.6.35
traceroute to 6.6.6.35 (6.6.6.35), 30 hops max, 60 byte packets
1 6.6.6.6 78.409 ms 80.202 ms 82.820 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
我猜测服务器的路由表存在路由问题。
我的配置文件是:
$ cat /etc/default/vtun
RUN_SERVER=yes
$ cat /etc/vtund.conf
options {
bindaddr {
addr 85.84.83.82;
};
}
default {
type tun;
proto tcp;
persist yes;
keepalive yes;
stat yes;
multi yes;
}
client1 {
passwd U'dLikeToKnow;
up {
ifconfig "%% 6.6.6.6 pointopoint 6.6.6.29 mtu 1450";
route "add -net 6.6.6.0 netmask 255.255.255.0 gw 6.6.6.29";
};
down {
ifconfig "%% down";
route "del -net 6.6.6.0 netmask 255.255.255.0 gw 6.6.6.29";
};
}
client2 {
passwd U'dLikeToKnow;
up {
ifconfig "%% 6.6.6.6 pointopoint 6.6.6.35 mtu 1450";
route "add -net 6.6.6.0 netmask 255.255.255.0 gw 6.6.6.35";
};
down {
ifconfig "%% down";
route "del -net 6.6.6.0 netmask 255.255.255.0 gw 6.6.6.35";
};
}
$ ifconfig
tun0 Link encap:UNSPEC direcciónHW 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
Direc. inet:6.6.6.6 P-t-P:6.6.6.29 Másc:255.255.255.255
ACTIVO PUNTO A PUNTO FUNCIONANDO NOARP MULTICAST MTU:1450 Métrica:1
Paquetes RX:358 errores:0 perdidos:0 overruns:0 frame:0
Paquetes TX:18 errores:0 perdidos:0 overruns:0 carrier:0
colisiones:0 long.colaTX:500
Bytes RX:27624 (27.6 KB) TX bytes:1560 (1.5 KB)
tun1 Link encap:UNSPEC direcciónHW 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
Direc. inet:6.6.6.6 P-t-P:6.6.6.35 Másc:255.255.255.255
ACTIVO PUNTO A PUNTO FUNCIONANDO NOARP MULTICAST MTU:1450 Métrica:1
Paquetes RX:98 errores:0 perdidos:0 overruns:0 frame:0
Paquetes TX:91 errores:0 perdidos:0 overruns:0 carrier:0
colisiones:0 long.colaTX:500
Bytes RX:10580 (10.5 KB) TX bytes:8579 (8.5 KB)
$ route
Tabla de rutas IP del núcleo
Destino Pasarela Genmask Indic Métric Ref Uso Interfaz
6.6.6.29 * 255.255.255.255 UH 0 0 0 tun0
6.6.6.35 * 255.255.255.255 UH 0 0 0 tun1
6.6.6.0 6.6.6.35 255.255.255.0 UG 0 0 0 tun1
6.6.6.0 6.6.6.29 255.255.255.0 UG 0 0 0 tun0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default * 0.0.0.0 U 0 0 0 venet0
但最奇怪的问题是,当我将服务器从版本 10.04 LTE 升级到 12.04 LTE 时出现了这个问题。
当我这样做时:# cat /proc/sys/net/ipv4/ip_forward我得到1
当我这样做时:# ufw我得到-bash: ufw: command not found
当我这样做时:# iptables -L我得到:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcpflags:! FIN,SYN,RST,ACK/SYN reject-with tcp-reset
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:8443
ACCEPT tcp -- anywhere anywhere tcp dpt:8880
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssmtp
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:poppassd
DROP tcp -- anywhere anywhere tcp dpt:mysql
ACCEPT tcp -- anywhere anywhere tcp dpt:postgresql
ACCEPT tcp -- anywhere anywhere tcp dpt:9008
ACCEPT tcp -- anywhere anywhere tcp dpt:9080
ACCEPT udp -- anywhere anywhere udp dpt:netbios-ns
ACCEPT udp -- anywhere anywhere udp dpt:netbios-dgm
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
DROP udp -- anywhere anywhere udp dpt:domain
DROP tcp -- anywhere anywhere tcp dpt:domain
ACCEPT icmp -- anywhere anywhere icmptype 8 code 0
ACCEPT all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcpflags:! FIN,SYN,RST,ACK/SYN reject-with tcp-reset
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
LOG all -- anywhere !6.6.6.0/24 limit: avg 5/min burst 5 LOG level warning
LOG all -- anywhere !6.6.6.0/24 limit: avg 5/min burst 5 LOG level warning
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcpflags:! FIN,SYN,RST,ACK/SYN reject-with tcp-reset
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
如果我这样做tcpdump -n -vvv -i tun0,我ping 6.6.6.35会6.6.6.29得到:
tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
00:17:16.876853 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
6.6.6.29 > 6.6.6.35: ICMP echo request, id 4664, seq 1, length 64
00:17:17.875252 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
6.6.6.29 > 6.6.6.35: ICMP echo request, id 4664, seq 2, length 64
00:17:18.882941 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
6.6.6.29 > 6.6.6.35: ICMP echo request, id 4664, seq 3, length 64
00:17:19.891173 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
6.6.6.29 > 6.6.6.35: ICMP echo request, id 4664, seq 4, length 64
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
如果我同时这样做tcpdump -n -vvv -i tun1,我等待又等待,却一无所获:
tcpdump: listening on tun1, link-type RAW (Raw IP), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
当我这样做时,tcpdump -n -vvv -e -i any host 6.6.6.29我得到:
tcpdump -n -vvv -e -i any host 6.6.6.29
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
09:50:05.051513 In ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
6.6.6.29 > 6.6.6.35: ICMP echo request, id 11932, seq 1, length 64
当我这样做时,ip route get 6.6.6.35 from 6.6.6.29 iif tun0我得到:
6.6.6.35 from 6.6.6.29 dev tun1 src 6.6.6.6
cache <src-direct> mtu 1450 advmss 1410 hoplimit 64 iif tun0
有什么建议么?
答案1
听起来更像是防火墙/数据包转发问题...您的服务器是否转发数据包?如何启用数据包转发?或者更正式地UFW(简单防火墙)。
如果数据包转发正常工作,防火墙(和 VPN 配置)是否允许客户端之间的流量(我知道有一个在 OpenVPN 中,配置设置称为“客户端到客户端”)。
或者可能openvpn 可以工作,但客户端只能 ping 服务器有帮助吗?
更新 抱歉,我刚刚意识到:你的路线不对……
6.6.6.0 6.6.6.35 255.255.255.0 UG 0 0 0 tun1
6.6.6.0 6.6.6.29 255.255.255.0 UG 0 0 0 tun0
没有意义(但也不应该导致您描述的问题)。
您告诉服务器网络 6.6.6.0/24 落后于 6.6.6.29 和 6.6.6.35。这不太好。您想通过这些路由实现什么目的?我认为您不需要它们。
但服务器仍应能够分别路由到 6.6.6.29 和 .39。您能从服务器 (6.6.6.6) ping 6.6.6.29 和 .39 吗?
顺便说一句:6.6.6.0/24 不是一个可以随意使用的网络。使用 RFC1918 网络(10.0.0.0/8、172.16.0.0/12 或 192.168.0.0/16)会更合适。