OpenWRT:LAN 和 OpenVPN 之间的路由

OpenWRT:LAN 和 OpenVPN 之间的路由

目前的情况是这样的:

网上有OpenVPN-Server,我家有OpenWRT-Router,路由器作为客户端连接VPN。

我希望路由器能够像往常一样工作,但在 VPN 和 LAN 之间增加一条额外的路由。我成功地在两个 VPN 地址之间 ping 通了。然后,我在 VPN 服务器上通过 10.8.0.2(我本地路由器的 IP 地址)为 192.168.1.0/24 添加了一条路由,但我无法 ping 通路由器的另一个网络地址 192.168.1.1...

整个事情显然看起来像是一个路由问题,我无法解决......

在 /etc/config/network 中:

# /etc/config/network as quoted in the question (UCI syntax).
# Loopback only; nothing security-relevant here.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# LAN: a bridge (br-lan) over VLAN 1 of the switch, static 192.168.1.1/24.
# This is the subnet the VPN server routes via 10.8.0.2 (see the ip route
# excerpt further down the page).
config interface 'lan'
        option ifname 'eth0.1'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.1'

# WAN: VLAN 2 of the switch, address from the upstream DHCP server.
config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

# Switch: VLAN tagging enabled; port 0 is the CPU port (tagged on both VLANs).
config switch
        option name 'eth0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1 = LAN ports 2-5 (+ CPU), carried to the router as eth0.1.
config switch_vlan
        option device 'eth0'
        option vlan '1'
        option ports '0t 2 3 4 5'

# VLAN 2 = WAN port 1 (+ CPU), carried to the router as eth0.2.
config switch_vlan
        option device 'eth0'
        option vlan '2'
        option ports '0t 1'

# VPN: the tun0 device that OpenVPN brings up. 'proto none' means netifd
# assigns no address itself; OpenVPN sets 10.8.0.2 (see ifconfig output).
# The interface exists only so the firewall can attach a 'vpn' zone to it.
config interface 'vpn'
        option proto 'none'
        option ifname 'tun0'

在 /etc/config/firewall 中:

# /etc/config/firewall as quoted in the question (UCI syntax, fw3 semantics).
# Global policy: INPUT and OUTPUT accepted, FORWARD rejected. Zones below
# override INPUT per zone; inter-zone forwarding is only what the
# 'config forwarding' sections allow.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# lan zone: router services reachable from the LAN; intra-zone forward
# rejected (irrelevant for a single bridged interface).
config zone
        option name 'lan'
        option network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# wan zone: inbound rejected, NAT (masq) and MSS clamping on. Note the
# network list names 'wwan' as well, which is not defined in the
# /etc/config/network shown above (fw3 ignores unknown networks, but it
# hides a typo or a leftover).
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wwan'

# vpn zone: input ACCEPT means every peer on the VPN can reach the router's
# own services (ssh, LuCI, DNS, ...), not only the LAN. That is broader than
# what the question asks for (routing VPN <-> LAN); input 'REJECT' plus
# explicit rules would be the least-privilege form.
config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'vpn'
        option forward 'REJECT'


# The two zones below are byte-for-byte duplicates of the 'wan' and 'vpn'
# zones above (answer 2 points this out for 'wan'). Duplicate zone names
# produce duplicate chains/rules; remove one copy of each.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wwan'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'vpn'
        option forward 'REJECT'

# Zone forwardings. These are what actually permit traffic between zones;
# the 'config rule' sections below only punch holes for specific ports.
config forwarding
        option src 'lan'
        option dest 'wan'

# vpn -> lan: any VPN peer may reach any LAN host on any port. This is the
# path the question needs; there is no src_ip restriction, so it trusts the
# whole VPN subnet equally.
config forwarding
        option dest 'lan'
        option src 'vpn'

# lan -> vpn: LAN hosts may initiate to VPN peers. Note there is no
# vpn -> wan forwarding, so VPN peers cannot use this router as an exit.
config forwarding
        option dest 'vpn'
        option src 'lan'

# The rules from here to 'Allow-ICMPv6-Forward' are the stock OpenWrt
# defaults and are not related to the VPN problem.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'

        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Unnamed rule: accepts inbound UDP/1194 from the WAN to the router itself.
# The question states the router is the OpenVPN *client*, so nothing should
# be listening on 1194 here; the rule is then an unnecessary WAN opening
# rather than part of the fix. Remove it unless the router also runs a
# server. It also has no bearing on the VPN <-> LAN routing problem.
config rule
        option target 'ACCEPT'
        option dest_port '1194'
        option src 'wan'
        option proto 'udp'
        option family 'ipv4'

# Custom iptables rules from /etc/firewall.user are applied on top of the
# above. That file is not shown on the page, so it could contain rules that
# affect the VPN path; check it when debugging.
config include
        option path '/etc/firewall.user'

`route` 的输出:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         stdw-wh-84-0.st 0.0.0.0         UG    0      0        0 eth0.2
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
212.201.84.0    *               255.255.254.0   U     0      0        0 eth0.2

`ifconfig -a` 的输出:

br-lan    Link encap:Ethernet  HWaddr 64:66:B3:C6:FC:82
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:534 errors:0 dropped:8 overruns:0 frame:0
          TX packets:458 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:97412 (95.1 KiB)  TX bytes:105023 (102.5 KiB)

eth0      Link encap:Ethernet  HWaddr 64:66:B3:C6:FC:82
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1495490 errors:0 dropped:13 overruns:0 frame:0
          TX packets:259329 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:500056893 (476.8 MiB)  TX bytes:220075895 (209.8 MiB)
          Interrupt:4

eth0.1    Link encap:Ethernet  HWaddr 64:66:B3:C6:FC:82
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:407 errors:0 dropped:0 overruns:0 frame:0
          TX packets:353 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:77176 (75.3 KiB)  TX bytes:81768 (79.8 KiB)

eth0.2    Link encap:Ethernet  HWaddr 64:66:B3:C6:FC:82
          inet addr:x.x.x.x  Bcast:x.x.x.255  Mask:255.255.254.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3090 errors:0 dropped:1098 overruns:0 frame:0
          TX packets:527 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:419453 (409.6 KiB)  TX bytes:104348 (101.9 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:26 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2549 (2.4 KiB)  TX bytes:2549 (2.4 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.2  P-t-P:10.8.0.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 64:66:B3:C6:FC:83
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:130 errors:0 dropped:0 overruns:0 frame:0
          TX packets:131 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:22234 (21.7 KiB)  TX bytes:28345 (27.6 KiB)

wlan1     Link encap:Ethernet  HWaddr 64:66:B3:C6:FC:84
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:0 (0.0 B)  TX bytes:620 (620.0 B)

VPN 服务器上 `ip route` 的部分输出(附加的 VPN 路由,以及手动添加的通往我的 LAN 的路由):

10.8.0.0/24 dev tun0  proto kernel  scope link  src 10.8.0.1
192.168.1.0/24 via 10.8.0.2 dev tun0

我对 iptables 一无所知,所以这是我能做的最好的事情。

答案1

这可能是很多事情,但都很容易解决……

最有可能的是,这是 OpenWRT 和终端设备防火墙内的双重防火墙问题……要么你复制并粘贴了重复内容,要么你的防火墙配置不正确,因为不仅有两个 WAN(如上所述),还有两个 VPN(虽然你可以从同一个配置文件运行多个服务器和客户端,但每个都必须有自己唯一的区域名称)

在 OpenWRT 上,您必须允许流量从 VPN 传输到 LAN 以及从 LAN 传输到 VPN...还必须使用防火墙规则以及在 LAN 和 VPN 区域下设置的转发来重定向流量。我建议您查看 OpenVPN 的 HOWTO 页面

需要防火墙流量和重定向规则

# Rules proposed by answer 1 (UCI syntax, fw3 semantics).
# A rule with 'src' but no 'dest' is an INPUT rule (traffic to the router
# itself); a rule with both 'src' and 'dest' is a FORWARD rule.
#
# Accepts TCP+UDP/1194 to the router from *every* zone, WAN included. The
# question says the router is the OpenVPN client, so no local listener on
# 1194 is expected; on a client-only router this rule adds exposure without
# helping the routing problem. Only keep it if the router runs a server.
config rule      
    option target 'ACCEPT'
    option proto 'tcp udp'
    option dest_port '1194'
    option family 'ipv4'
    option src '*'
    option name 'Allow Inbound VPN0'

# Forwards TCP+UDP/1194 between any pair of zones. Not needed for a client
# whose tunnel is initiated outbound (OUTPUT is ACCEPT in the defaults).
config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option src '*'
    option dest '*'
    option dest_port '1194'
    option family 'ipv4'
    option name 'Allow Forwarded VPN0'

# INPUT rule: traffic from 10.8.0.0/24 to the router's own addresses inside
# 192.168.1.0/24 (in practice 192.168.1.1). With the questioner's 'vpn' zone
# already at input ACCEPT this is redundant.
# NOTE(review): UCI does not accept a trailing '#...' comment on an option
# line (the parser expects end of line after the value) - move the remark
# to its own line starting with '#' before pasting this into the config.
config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option family 'ipv4'
    option src '*'
    option src_ip '10.8.0.0/24' #-or whatever netmask you utilized-#
    option dest_ip '192.168.1.0/24'
    option name 'Allow Inbound VPN0 Traffic to LAN'

# FORWARD rule: TCP+UDP from 10.8.0.0/24 to 192.168.1.0/24 via any zone
# pair. The questioner's 'config forwarding' vpn -> lan already permits this
# (and ICMP as well, which this rule does not cover). Same inline-comment
# caveat as above.
config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option family 'ipv4'
    option src '*'
    option src_ip '10.8.0.0/24' #-or whatever netmask you utilized-#
    option dest '*'
    option dest_ip '192.168.1.0/24'
    option name 'Allow Forwarded VPN0 Traffic to LAN'

# FORWARD rule: lets VPN peers send ICMP echo-request out through the WAN
# zone. That permits VPN peers to use this router as a (ping-only) exit
# towards the Internet, which the question never asked for; the
# questioner's config deliberately has no vpn -> wan forwarding. Same
# inline-comment caveat as above.
config rule
    option target 'ACCEPT'
    option family 'ipv4'
    option proto 'icmp'
    option src '*'
    option src_ip '10.8.0.0/24' #-or whatever netmask you utilized-#
    option dest 'wan'
    option name 'Allow Outbound ICMP Echo Request (8)'
    list icmp_type 'echo-request'

我建议将 VPN 的子网更改为 10.8.0.0/netmask 以外的其他内容,因为 10.8.0.0 涵盖 10.8.0.0 - 10.8.255.255。

您还应该将端口更改为 1194 以外的其他端口,并选择更高级的其他服务器子网(例如 10.25.100.1),因为对于网络入侵者来说,保留默认设置就完成了一半的工作。

端口号应高于 1025(因为 <1025 是特权端口),但低于 10000。

答案2

我自己也遇到过这个问题。到目前为止,我只做到了这一步:可以从 LAN ping 通 VPN 机器。我使用与您类似的配置来实现这一点,只是我将 VPN 区域的转发设置为接受(ACCEPT)而不是拒绝(REJECT)。

将 LAN 区域的转发设置为接受对我来说没有任何改变。

顺便说一句,您的配置文件中有两个完全相同的 wan 区域。
