启用 OpenVPN 客户端的 Tomato 路由器上的端口转发

Question 1

端口转发不再起作用的说法并不正确。相反，实际情况是来自 Ubuntu 服务器的回复通过 VPN 路由，因此，当它到达试图联系 Ubuntu 服务器的 PC 时，它将来自与初始消息写入的 IP 地址不同的 IP 地址。出于明显的安全问题，所有 PC 都被指示放弃这些伪造的（？）回复包。

因此，基本思路是强制您的 LAN 允许 VPN 之外的回复（来自 Ubuntu 服务器）。这需要策略路由，IE，根据源（而不是目标！）IP 地址同时使用两个路由表。策略路由有时也称为源路由。

您可以在番茄路线上找到有关如何执行此操作的明确说明服务器故障地点，这里。这是以以下内容开头的贡献：我终于做到了。我认为该帖子被不公正地关闭了，但贡献却非常有用。如果您在遵循说明时遇到具体问题，请回来。

Answer

端口转发不再起作用的说法并不正确。相反，实际情况是来自 Ubuntu 服务器的回复通过 VPN 路由，因此，当它到达试图联系 Ubuntu 服务器的 PC 时，它将来自与初始消息写入的 IP 地址不同的 IP 地址。出于明显的安全问题，所有 PC 都被指示放弃这些伪造的（？）回复包。

因此，基本思路是强制您的 LAN 允许 VPN 之外的回复（来自 Ubuntu 服务器）。这需要策略路由，IE，根据源（而不是目标！）IP 地址同时使用两个路由表。策略路由有时也称为源路由。

您可以在番茄路线上找到有关如何执行此操作的明确说明服务器故障地点，这里。这是以以下内容开头的贡献：我终于做到了。我认为该帖子被不公正地关闭了，但贡献却非常有用。如果您在遵循说明时遇到具体问题，请回来。

Question 2

感谢 MariusMatutiae 的上述回答，我能够使用提供的链接中的答案解决这个问题。我将包含的脚本的所有功劳都归功于 grdnkln 的 serverfault 答案。我调整了他的脚本以更好地满足我的需求，因为他希望默认情况下从 VPN 中排除所有流量，而我想要做相反的事情。所以我的最终解决方案是默认情况下包括 VPN 中的所有流量，并添加来自我的服务器的端口 80/443 响应的排除。

此外，我在底部为 DynDns 的 IP 查找工具 (checkip.dyndns.com) 添加了一些例外。我一度陷入困境，因为我的动态 IP 解析器工具 (ddclient) 正在获取新的 VPN IP 并设置我的所有域名主机记录以解析该 IP。

# This code goes in the WAN UP section of the Tomato GUI.
#
# This script configures "selective" VPN routing. Normally Tomato will route ALL traffic out
# the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
# traffic to bypass the VPN and use the regular Internet instead.
#
#  To list the current rules on the router, issue the command:
#      iptables -t mangle -L PREROUTING
#
#  Flush/reset all the rules to default by issuing the command:
#      iptables -t mangle -F PREROUTING
#

#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
      echo 0 > $i
done

#
# Delete and table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
#
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
  | while read ROUTE ; do
      ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#
# EXAMPLES:
#
#  All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
#    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
#  Ports 80 and 443 will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
#  All traffic from a particular computer on the LAN will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
#  All traffic to a specific Internet IP address will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
#  All UDP and ICMP traffic will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
#    iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1

# Whitelist ports for server
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --sport 80,443 -s 192.168.1.132 -j MARK --set-mark 1
# DynDNS lockup IPs
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.1-216.146.43.254 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 91.198.22.1-91.198.22.254 -j MARK --set-mark 1

Answer

感谢 MariusMatutiae 的上述回答，我能够使用提供的链接中的答案解决这个问题。我将包含的脚本的所有功劳都归功于 grdnkln 的 serverfault 答案。我调整了他的脚本以更好地满足我的需求，因为他希望默认情况下从 VPN 中排除所有流量，而我想要做相反的事情。所以我的最终解决方案是默认情况下包括 VPN 中的所有流量，并添加来自我的服务器的端口 80/443 响应的排除。

此外，我在底部为 DynDns 的 IP 查找工具 (checkip.dyndns.com) 添加了一些例外。我一度陷入困境，因为我的动态 IP 解析器工具 (ddclient) 正在获取新的 VPN IP 并设置我的所有域名主机记录以解析该 IP。

# This code goes in the WAN UP section of the Tomato GUI.
#
# This script configures "selective" VPN routing. Normally Tomato will route ALL traffic out
# the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
# traffic to bypass the VPN and use the regular Internet instead.
#
#  To list the current rules on the router, issue the command:
#      iptables -t mangle -L PREROUTING
#
#  Flush/reset all the rules to default by issuing the command:
#      iptables -t mangle -F PREROUTING
#

#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
      echo 0 > $i
done

#
# Delete and table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
#
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
  | while read ROUTE ; do
      ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#
# EXAMPLES:
#
#  All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
#    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
#  Ports 80 and 443 will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
#  All traffic from a particular computer on the LAN will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
#  All traffic to a specific Internet IP address will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
#  All UDP and ICMP traffic will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
#    iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1

# Whitelist ports for server
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --sport 80,443 -s 192.168.1.132 -j MARK --set-mark 1
# DynDNS lockup IPs
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.1-216.146.43.254 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 91.198.22.1-91.198.22.254 -j MARK --set-mark 1

启用 OpenVPN 客户端的 Tomato 路由器上的端口转发

答案1

答案2

相关内容