我有以下 server.conf:
# listen on? (optional)
local 192.168.1.102
# port
port 443
# TCP
proto tcp
#tunnel
dev tun
# Certs
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
# Diffie hellman parameters.
dh /etc/openvpn/keys/dh2048.pem
# Configure server mode
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
# Maintain a record of client <-> virtual IP address
ifconfig-pool-persist ipp.txt
# Push routes to the client
push "route 10.8.0.1 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.1.102 255.255.255.0"
# Redirect
push "redirect-gateway def1 bypass-dhcp"
# DNS
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Use same key mult clients
duplicate-cn
# The keepalive
keepalive 10 120
# Compression
comp-lzo
# presistence options
persist-key
persist-tun
# log
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
服务器的网卡是eno1。服务器在192.168.1.102我的路由器网络中(客户端最初也在该网络中)。我的路由器有端口转发规则:
Source net:
source port: 443
Dest ip: 192.168.1.102
Dest port: 443
我制定的iptables规则(在openvpn服务器上):
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE
我有以下 openvpn 客户端配置:
client
dev tun
proto tcp
#Server IP and Port
remote 192.168.1.102 443
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
我可以连接到 VPN 并且它正确地给我一个 IP 10.8.0.6。
但当我尝试访问互联网上的任意内容时,它就会超时。如何让 openvpn 通过请求?
注意:当我查看 openvpn 日志时,我从客户端看到的最后一件事是“SENT CONTROL”。没有关于尝试访问我试图访问的网址的任何信息。
(我还关闭了防火墙并禁用了selinux)
答案1
更改iptables规则为:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j MASQUERADE
并确保已启用 IPv4,
echo 1 > /proc/sys/net/ipv4/ip_forward
而且你没有iptables规则阻止向前链的筛选桌子。