How to forward ports to a server through the OpenVPN client on Tomato + tunnel specific host routes

Running Shibby Tomato v130 on an Asus RT-N66U.

My goals are as follows:

  1. With Transmission running on the router, all torrent traffic is routed through the OpenVPN client, which also runs on the router. Other traffic will not go through the VPN.
  2. I run a separate web server on the static internal IP 192.168.1.3. I want to forward WAN ports 80 and 443 to that server.

I can get 1 or 2 working on its own, but I cannot get them working at the same time.

First, I created a second LAN (br1) in the Tomato GUI and gave it the IP address 192.168.2.1. I then told Transmission to use this IP by changing this line in its settings.json config file: "bind-address-ipv4": "192.168.2.1",

Second, I used a very slightly modified version of the WAN Up script posted in this answer: How to tunnel specific host routes only through the openvpn client on Tomato [closed]

# This code goes in the WAN Up section of the Tomato GUI.
#
# This script configures "selective" VPN routing. Normally Tomato will route ALL traffic out
# the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
# traffic to bypass the VPN and use the regular Internet instead.
#
#  To list the current rules on the router, issue the command:
#      iptables -t mangle -L PREROUTING
#
#  Flush/reset all the rules to default by issuing the command:
#      iptables -t mangle -F PREROUTING
#

#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
      echo 0 > "$i"
done

#
# Flush table 100 and remove its rule if they already exist, so the script can be re-run safely.
#
ip route flush table 100
ip route del default table 100 2>/dev/null
ip rule del fwmark 1 table 100 2>/dev/null
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1".
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11". If the client was started with
# redirect-gateway def1, the tunnel also appears as the 0.0.0.0/1 and 128.0.0.0/1 routes;
# the tun11 filter below excludes those as well.
#
ip route show table main | grep -Ev '^default' | grep -Ev 'tun11' \
  | while read -r ROUTE ; do
      ip route add table 100 $ROUTE
done
ip route add default table 100 via "$(nvram get wan_gateway)"
ip rule add fwmark 1 table 100
ip route flush cache

#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#
# EXAMPLES:
#
#  All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
#    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
#  Ports 80 and 443 will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
#  All traffic from a particular computer on the LAN will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
#  All traffic to a specific Internet IP address will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
#  All UDP and ICMP traffic will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
#    iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1

# By default all traffic entering from the LAN bypasses the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

# Only Transmission (bound to 192.168.2.1) keeps mark 0 and follows the main table, i.e. the VPN.
# Note that packets generated by the router itself do not traverse PREROUTING at all; they are
# routed by the main table (whose default route is the tunnel) regardless of this rule.
iptables -t mangle -A PREROUTING -i br0 -s 192.168.2.1 -j MARK --set-mark 0

I can route Transmission traffic through the VPN while every other computer goes out the regular WAN. However, running this script seems to wipe out my port forwards to the server, and I can no longer reach the server from outside the network.

I have configured TCP ports 80 and 443 to forward to 192.168.1.3 in the Tomato GUI. Checking both iptables -L -vn and iptables -L -vn -t nat before running the WAN Up script (the server is reachable from outside, but the VPN is not running yet):

iptables -L -vn shows

Chain wanin (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.3         tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.3         tcp dpt:443

iptables -L -vn -t nat shows

Chain WANPREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           to:192.168.1.1
    1    40 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:192.168.1.3:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 to:192.168.1.3:443

After running the WAN Up script:

iptables -L -vn shows

Chain wanin (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.3         tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.3         tcp dpt:443

iptables -L -vn -t nat shows

Chain WANPREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           to:192.168.1.1
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:192.168.1.3:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 to:192.168.1.3:443

Both are the same as before, but I cannot reach the server on port 80 or 443 from outside the network.

So the simple question is: using this WAN script or something like it, how do I forward ports to a specific IP and keep them out of the VPN?
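The table-100 and fwmark steps of the script above, as an added example that is not the original poster's code: the same logic split into functions with a dry-run switch, so the exact ip and iptables commands can be inspected on any machine before the script goes into Tomato's WAN Up box. It assumes the names used in the post (tunnel tun11, fwmark 1, table 100, LAN bridge br0, Transmission bound to 192.168.2.1); the route list and WAN gateway are passed in instead of being read from the kernel and nvram, and the route lines embedded at the top are constructed sample data, not output captured from a router. The rp_filter loop from the post is unchanged and not repeated here.

```shell
#!/bin/sh
# Added example, not the original poster's script: the table-100 / fwmark logic
# from the WAN Up script, split into functions with a dry-run switch so the
# generated commands can be inspected before the script is pasted into Tomato.
# Assumed names (all taken from the post): tunnel tun11, fwmark 1, routing
# table 100, LAN bridge br0, Transmission bound to 192.168.2.1.

VPN_IF="${VPN_IF:-tun11}"
MARK="${MARK:-1}"
TABLE="${TABLE:-100}"
LAN_IF="${LAN_IF:-br0}"
VPN_SRC="${VPN_SRC:-192.168.2.1}"
# Dry-run by default; set DRY_RUN=0 on the router to really apply the commands.
DRY_RUN="${DRY_RUN:-1}"

# Constructed sample of `ip route show table main` while the VPN client is up,
# including the two /1 routes that a redirect-gateway def1 push installs.
# Not captured from a real router.
SAMPLE_ROUTES='0.0.0.0/1 via 10.8.0.5 dev tun11
default via 203.0.113.1 dev vlan2
10.8.0.0/24 dev tun11  proto kernel  scope link  src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun11
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
192.168.2.0/24 dev br1  proto kernel  scope link  src 192.168.2.1
203.0.113.0/24 dev vlan2  proto kernel  scope link  src 203.0.113.42
198.51.100.7 via 203.0.113.1 dev vlan2'

# run CMD ARGS...: print the command when dry-running, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# table_routes: filter a main-table route list (stdin) down to what belongs in
# the bypass table: drop the default route and every route whose device is the
# VPN interface. Matching the "dev" field exactly avoids the loose substring
# match of the original grep.
table_routes() {
    awk -v vpn="$VPN_IF" '
        $1 == "default" { next }
        { for (i = 1; i < NF; i++) if ($i == "dev" && $(i + 1) == vpn) next }
        { print }'
}

# setup_bypass_table WAN_GW: rebuild table 100 from the route list on stdin and
# point its default route at the WAN gateway; fwmark 1 selects this table.
setup_bypass_table() {
    gw="$1"
    run ip route flush table "$TABLE"
    run ip rule del fwmark "$MARK" table "$TABLE"   # fails harmlessly if absent
    table_routes | while read -r route; do
        # $route is intentionally unquoted: each word is a separate argument.
        run ip route add table "$TABLE" $route
    done
    run ip route add default table "$TABLE" via "$gw"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route flush cache
}

# apply_marks: everything entering from the LAN bridge gets mark 1 (bypass the
# VPN), then the Transmission source address is exempted back to mark 0.
# Traffic the router generates itself (Transmission is a local process) never
# traverses PREROUTING; it is routed by the main table, whose default route is
# the tunnel, so the exemption only matters for packets arriving on br0.
apply_marks() {
    run iptables -t mangle -F PREROUTING
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j MARK --set-mark "$MARK"
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$VPN_SRC" -j MARK --set-mark 0
}

if [ "$DRY_RUN" = "1" ]; then
    # Print what would be executed for the constructed sample (no root needed).
    printf '%s\n' "$SAMPLE_ROUTES" | setup_bypass_table 203.0.113.1
else
    # Live use on the router, from the WAN Up box.
    ip route show table main | setup_bypass_table "$(nvram get wan_gateway)"
fi
apply_marks
```

Run as-is it only prints the commands; the lines worth comparing against the router afterwards are the table contents (ip route show table 100 should list the WAN link route, the LAN routes and a default via the WAN gateway, and nothing via tun11) and the rule (ip rule should show fwmark 0x1 lookup 100). In dry-run mode the sample above yields four copied routes: the two tun11 /1 halves, the tun11 subnet and the main default are filtered out, while the host route to the VPN server via the WAN gateway is kept, which is what lets the tunnel itself keep working when a packet is steered into table 100.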
