I have a server with 2 OpenVPN instances. One instance is for my friends, the other is only for me and my family.
The first instance, for my friends, is tun0 with the subnet 192.168.243.0/24.
The second instance, for me and my family, is tun1 with the subnet 192.168.244.0/24.
I want the following:
Users on .243 must not be able to reach users on .244, and users on .243 must not be able to reach each other either.
Users on .244 are allowed to reach all users on both .243 and .244.
What I have now:
Users on .243 cannot reach users on .243 (denied. Fine!), but they can reach users on .244 (not OK). This is the problem I cannot solve myself.
Users on .244 can reach users on both .244 and .243. Both work! That is exactly what I want for the .244 users!
This is my configuration:
iptables-save
# Generated by iptables-save v1.4.14 on Tue Feb 14 06:12:35 2017
*nat
:PREROUTING ACCEPT [35:2407]
:INPUT ACCEPT [1:52]
:OUTPUT ACCEPT [9:569]
:POSTROUTING ACCEPT [9:569]
-A POSTROUTING -s 192.168.244.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Feb 14 06:12:35 2017
# Generated by iptables-save v1.4.14 on Tue Feb 14 06:12:35 2017
*filter
:INPUT DROP [1:52]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [94170:8476388]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12333:12339 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 13289:13290 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22111:22124 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# Note: this rule matches before any interface check, so ICMP is forwarded between all subnets
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i eth0 -o tun1 -j ACCEPT
-A FORWARD -i tun1 -o eth0 -j ACCEPT
-A FORWARD -d 192.168.243.0/24 -i tun1 -j ACCEPT
-A FORWARD -d 192.168.244.0/24 -i tun1 -j ACCEPT
# Note: this rule accepts any traffic entering on tun0 (.243) that is addressed to .244
-A FORWARD -d 192.168.244.0/24 -i tun0 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A FORWARD -j REJECT
COMMIT
# Completed on Tue Feb 14 06:12:35 2017
ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 26:c9:76:7c:d9:d7 brd ff:ff:ff:ff:ff:ff
    inet xxx.xx.xx.xxx/20 brd xxx.xx.xx.xxx scope global eth0
    inet 10.16.0.7/16 scope global eth0
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 56:b6:af:4b:b4:0f brd ff:ff:ff:ff:ff:ff
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 192.168.243.1/24 brd 192.168.243.255 scope global tun0
5: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 192.168.244.1/24 brd 192.168.244.255 scope global tun1
ip route show
default via xxx.xx.xxx.x dev eth0
10.16.0.0/16 dev eth0 proto kernel scope link src 10.16.0.7
xxx.xx.xxx.x/20 dev eth0 proto kernel scope link src xxx.xx.xxx.xxx
192.168.243.0/24 dev tun0 proto kernel scope link src 192.168.243.1
192.168.244.0/24 dev tun1 proto kernel scope link src 192.168.244.1
OpenVPN tun0 server config
port 12338
proto tcp-server
dev tun0
tls-auth ta.key 0
topology subnet
server 192.168.243.0 255.255.255.0
push "route 192.168.244.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-config-dir /home/gabberhead/ccd
group openvpn
keepalive 10 60
cipher AES-256-CBC
auth SHA512
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
persist-key
persist-tun
status clients-status.log
log clients.log
verb 3
mute 15
OpenVPN tun1 server config
port 12339
proto tcp-server
dev tun1
tls-auth ta.key 0
topology subnet
server 192.168.244.0 255.255.255.0
push "route 192.168.243.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-config-dir /home/gabberhead/ccd
group openvpn
keepalive 10 60
cipher AES-256-CBC
auth SHA512
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
remote-cert-tls client
persist-key
persist-tun
status openvpn-status1.log
log openvpn1.log
verb 3
mute 15
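As an added example (not part of the original post or its configuration), the following script emits a complete iptables-restore ruleset that implements the policy the question asks for: tun1 (.244) may reach everything, tun0 (.243) may reach neither .244 nor other .243 clients. The interface names, subnets, open ports and MASQUERADE rule are taken from the post; the rest is an assumption. Two things in the posted FORWARD chain let .243 through: the blanket "-p icmp -j ACCEPT" (matches before any interface check, so pings cross subnets) and "-d 192.168.244.0/24 -i tun0 -j ACCEPT" (accepts new connections from .243 into .244). Simply deleting the second rule would also break the .244 to .243 direction, because that rule is what currently carries the reply packets back through tun0; the ruleset below replaces it with a RELATED,ESTABLISHED conntrack rule so only traffic belonging to a connection that .244 started can flow from tun0 to tun1. The same conntrack rule also replaces "-i eth0 -o tun1 -j ACCEPT", which would otherwise admit unsolicited traffic from eth0 toward family clients. This only works because neither OpenVPN instance uses client-to-client: with that option OpenVPN switches traffic between its own clients internally and the kernel FORWARD chain never sees it.

```shell
#!/bin/sh
# Added example (not from the original post): iptables-restore ruleset for the
# two-instance OpenVPN server. Interfaces, subnets, ports and the MASQUERADE rule
# come from the post; the FORWARD policy is rewritten, everything else is assumed.
set -eu

WAN_IF=eth0
FRIENDS_IF=tun0;  FRIENDS_NET=192.168.243.0/24   # friends' instance
FAMILY_IF=tun1;   FAMILY_NET=192.168.244.0/24    # family instance

# Print the full ruleset. Relative to the posted dump, only FORWARD changes:
#  - no blanket "-p icmp -j ACCEPT" (it let .243 ping .244 and other .243 clients),
#  - no "-d 192.168.244.0/24 -i tun0 -j ACCEPT" (it let .243 open connections to .244),
#  - a conntrack rule carries replies for connections that .244 (or eth0-bound
#    traffic from .244) started, which the removed rules were silently doing.
ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $FAMILY_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12333:12339 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 13289:13290 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22111:22124 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $FAMILY_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $FAMILY_IF -d $FRIENDS_NET -j ACCEPT
-A FORWARD -i $FAMILY_IF -d $FAMILY_NET -j ACCEPT
-A FORWARD -i $FRIENDS_IF -d $FAMILY_NET -j REJECT
-A FORWARD -i $FRIENDS_IF -d $FRIENDS_NET -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
}

# "sh vpn-fw.sh apply" (as root) loads the ruleset and verifies the rule that
# fixes the reported problem is present; with no argument it only prints it.
if [ "${1:-}" = apply ]; then
    ruleset | iptables-restore
    iptables -C FORWARD -i "$FRIENDS_IF" -d "$FAMILY_NET" -j REJECT
else
    ruleset
fi
```

The explicit REJECT rules for tun0 are redundant with the final "-A FORWARD -j REJECT", but they make the intent visible in the dump and keep the policy intact if someone later appends an ACCEPT below them. To verify from a client on .243, try a TCP connect and a ping to an address on .244: both must fail (connection refused or unreachable rather than timeout, since REJECT is used), while the same tests from a .244 client toward .243 must still succeed.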