我在 pfSense 2.3.2 上运行 OpenVPN。目前,它基本可以正常工作,但有一点不太好:我可以连接到 LAN 上的任何东西除了pfSense 服务器本身。
一些细节:
- 我使用 172.16.104.0/21 配置为 IP 地址范围。
- 防火墙位于 172.16.104.1。
- OpenVPN 客户端的 DHCP 范围是 172.16.105.10-50。
- OpenVPN 使用 tap、UDP 配置。
- ovpns1 分配给 OPT1,并且 OPT1 与 LAN 桥接(bridge0)。
我使用分接和桥接的原因是我有很多 Apple 设备,并且希望 Bonjour 和其他基于多播/广播的东西能够通过 VPN 正常工作。
以上所有操作对于我的 LAN 网络上的任何地址都有效,但 172.16.104.1(防火墙)除外。所有客户端都无法 ping 或连接到 172.16.104.1,而 172.16.104.1 也无法 ping 或连接到任何客户端。
使用 tcpdump 发现了一些其他奇怪之处:
如果我从另一个会话中运行 tcpdump 的客户端 ping 服务器,似乎我收到了回复,但 ping 并没有报告这些回复?
ping -c2 172.16.104.1
PING 172.16.104.1 (172.16.104.1) 56(84) bytes of data.
--- 172.16.104.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1009ms
但在同一台机器上的 tcpdump 会话中:
IP 172.16.105.3 > 172.16.104.1: ICMP echo request, id 17069, seq 1, length 64
IP 172.16.104.1 > 172.16.105.3: ICMP echo reply, id 17069, seq 1, length 64
IP 172.16.105.3 > 172.16.104.1: ICMP echo request, id 17069, seq 2, length 64
IP 172.16.104.1 > 172.16.105.3: ICMP echo reply, id 17069, seq 2, length 64
从 pfSense 服务器:
tcpdump -n -i ovpns1 -t icmp
tcpdump: WARNING: ovpns1: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ovpns1, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 172.16.105.3 > 172.16.104.1: ICMP echo request, id 17084, seq 1, length 64
IP 172.16.104.1 > 172.16.105.3: ICMP echo reply, id 17084, seq 1, length 64
IP 172.16.105.3 > 172.16.104.1: ICMP echo request, id 17084, seq 2, length 64
IP 172.16.104.1 > 172.16.105.3: ICMP echo reply, id 17084, seq 2, length 64
这是一台没有防火墙的 Ubuntu Linux 机器。
因此,pfSense 机器认为它正在发送回复,Linux 机器认为它正在接收回复,但 ping 仍然报告 100% 数据包丢失?
如果我 ping 一个不同的非服务器地址,我会得到响应:
ping -c2 172.16.104.2
PING 172.16.104.2 (172.16.104.2) 56(84) bytes of data.
64 bytes from 172.16.104.2: icmp_seq=1 ttl=64 time=34.6 ms
64 bytes from 172.16.104.2: icmp_seq=2 ttl=64 time=34.1 ms
--- 172.16.104.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 34.165/34.401/34.638/0.300 ms
在 tcpdump shell 中:
IP 172.16.105.3 > 172.16.104.2: ICMP echo request, id 17068, seq 1, length 64
IP 172.16.104.2 > 172.16.105.3: ICMP echo reply, id 17068, seq 1, length 64
IP 172.16.105.3 > 172.16.104.2: ICMP echo request, id 17068, seq 2, length 64
IP 172.16.104.2 > 172.16.105.3: ICMP echo reply, id 17068, seq 2, length 64
这是我从 pfSense 转储的 OpenVPN 服务器配置:
dev ovpns1
verb 1
dev-type tap
dev-node /dev/tap1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local <omitted>
tls-server
server-bridge 172.16.104.1 255.255.248.0 172.16.105.10 172.16.105.50
client-config-dir /var/etc/openvpn-csc/server1
tls-verify "/usr/local/sbin/ovpn_auth_verify tls '<omitted>' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route 172.16.104.0 255.255.248.0"
client-to-client
duplicate-cn
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
persist-remote-ip
float
mode server
来自客户:
dev tap
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote <omitted> 1194 udp
lport 0
verify-x509-name "<omitted>" name
pkcs12 udp-1194.p12
tls-auth udp-1194-tls.key 1
ns-cert-type server
这到底发生了什么事?