FreeBSD 11,OpenVPN 2.4.0 桥接连接问题

FreeBSD 11,OpenVPN 2.4.0 桥接连接问题

我能够通过身份验证，从 OpenVPN 服务器获得 192.168.1.90 这个 IP 地址，并且在客户端的 tap0 接口上用 tcpdump 能看到来自 192.168.1.0/24 网络的广播流量。

但每当我尝试从客户端 ping 或访问 192.168.1.0/24 网络时都不通，反过来从服务器也无法访问客户端。

服务器日志（包含客户端发出的 ping 请求；每条 TUN WRITE [98] 应该就是一个 98 字节的 ICMP echo 帧——14 字节以太网头 + 84 字节 IP 报文——被写入服务器的 tap0）

Thu Mar  2 20:06:25 2017 us=919632 neldridge/10.10.10.2:10681 UDPv4 READ [123] from [AF_INET]10.10.10.2:10681: P_DATA_V2 kid=2 DATA len=122
Thu Mar  2 20:06:25 2017 us=919692 neldridge/10.10.10.2:10681 TUN WRITE [98]

Thu Mar  2 20:06:26 2017 us=983190 neldridge/10.10.10.2:10681 UDPv4 READ [123] from [AF_INET]10.10.10.2:10681: P_DATA_V2 kid=2 DATA len=122
Thu Mar  2 20:06:26 2017 us=983245 neldridge/10.10.10.2:10681 TUN WRITE [98]

Thu Mar  2 20:06:28 2017 us=13120 neldridge/10.10.10.2:10681 UDPv4 READ [123] from [AF_INET]10.10.10.2:10681: P_DATA_V2 kid=2 DATA len=122
Thu Mar  2 20:06:28 2017 us=13188 neldridge/10.10.10.2:10681 TUN WRITE [98]

服务器上 em1 接口的 tcpdump

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 262144 bytes
20:06:25.919500 IP 10.10.10.2.10681 > 10.10.10.1.1194: UDP, length 123
20:06:26.983094 IP 10.10.10.2.10681 > 10.10.10.1.1194: UDP, length 123
20:06:28.012980 IP 10.10.10.2.10681 > 10.10.10.1.1194: UDP, length 123

客户端 ping 结果（FreeBSD 上 sendto 返回 "Host is down" 通常表示 ARP 解析失败，即 192.168.1.1 的 ARP 应答没有回到客户端）

# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
ping: sendto: Host is down
ping: sendto: Host is down
^C
--- 192.168.1.1 ping statistics ---
15 packets transmitted, 0 packets received, 100.0% packet loss

客户端 ifconfig/路由表

# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
    ether 00:0c:29:ab:1d:ab
    inet 10.10.10.2 netmask 0xffffff00 broadcast 10.10.10.255
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
    ether 00:0c:29:ab:1d:b5
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    groups: lo
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    ether 00:bd:2c:f3:e5:00
    inet6 fe80::2bd:2cff:fef3:e500%tap0 prefixlen 64 scopeid 0x4
    inet 192.168.1.90 netmask 0xffffff00 broadcast 192.168.1.255
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    media: Ethernet autoselect
    status: active
    groups: tap
    Opened by PID 1417

# netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
10.10.10.0/24      link#1             U           em0
10.10.10.2         link#1             UHS         lo0
127.0.0.1          link#3             UH          lo0
192.168.1.0/24     link#4             U          tap0
192.168.1.90       link#4             UHS         lo0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               link#3                        UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%lo0/64                     link#3                        U           lo0
fe80::1%lo0                       link#3                        UHS         lo0
fe80::%tap0/64                    link#4                        U          tap0
fe80::2bd:2cff:fef3:e500%tap0     link#4                        UHS         lo0
ff02::/16                         ::1                           UGRS        lo0

客户端 tcpdump tap0

# tcpdump -ni tap0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap0, link-type EN10MB (Ethernet), capture size 262144 bytes
20:09:32.958696 IP 192.168.1.171.54915 > 192.168.1.255.54915: UDP, length 263
20:09:33.335203 ARP, Request who-has 192.168.1.254 tell 192.168.1.250, length 46
20:09:33.959851 IP 192.168.1.171.54915 > 192.168.1.255.54915: UDP, length 263
20:09:34.962810 IP 192.168.1.171.54915 > 192.168.1.255.54915: UDP, length 263
20:09:35.346785 IP 192.168.1.77.50312 > 192.168.1.255.32412: UDP, length 21
20:09:35.346812 IP 192.168.1.77.20051 > 192.168.1.255.32414: UDP, length 21
20:09:35.346825 IP 192.168.1.77.52908 > 239.255.255.250.1900: UDP, length 94
20:09:35.783245 IP6 fe80::f6f5:e8ff:fe6e:df1c > ff02::1:ff6e:df1c: ICMP6, neighbor solicitation, who has fe80::f6f5:e8ff:fe6e:df1c, length 32
20:09:35.853649 IP 192.168.1.90.46569 > 192.168.1.1.53: 11879+ AAAA? 1.freebsd.pool.ntp.org. (40)
20:09:35.961804 IP 192.168.1.171.54915 > 192.168.1.255.54915: UDP, length 263
20:09:36.345039 ARP, Request who-has 192.168.1.254 tell 192.168.1.250, length 46
20:09:36.863036 IP6 fe80::f6f5:e8ff:fe6e:df1c > ff02::1:ff6e:df1c: ICMP6, neighbor solicitation, who has fe80::f6f5:e8ff:fe6e:df1c, length 32
20:09:36.962493 IP 192.168.1.171.54915 > 192.168.1.255.54915: UDP, length 263
20:09:37.343471 ARP, Request who-has 192.168.1.254 tell 192.168.1.250, length 46
20:09:37.963454 IP 192.168.1.171.54915 > 192.168.1.255.54915: UDP, length 263

服务器 openvpn.log

Thu Mar  2 20:09:32 2017 us=23710 neldridge/10.10.10.2:63179 UDPv4 WRITE [233] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=232
Thu Mar  2 20:09:32 2017 us=56268 neldridge/10.10.10.2:63179 UDPv4 WRITE [139] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=138
Thu Mar  2 20:09:32 2017 us=400398 neldridge/10.10.10.2:63179 UDPv4 WRITE [82] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=81
Thu Mar  2 20:09:33 2017 us=23870 neldridge/10.10.10.2:63179 UDPv4 WRITE [233] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=232
Thu Mar  2 20:09:33 2017 us=400395 neldridge/10.10.10.2:63179 UDPv4 WRITE [82] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=81
Thu Mar  2 20:09:34 2017 us=24994 neldridge/10.10.10.2:63179 UDPv4 WRITE [233] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=232
Thu Mar  2 20:09:35 2017 us=28020 neldridge/10.10.10.2:63179 UDPv4 WRITE [233] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=232
Thu Mar  2 20:09:35 2017 us=411921 neldridge/10.10.10.2:63179 UDPv4 WRITE [85] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=84
Thu Mar  2 20:09:35 2017 us=412148 neldridge/10.10.10.2:63179 UDPv4 WRITE [85] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=84
Thu Mar  2 20:09:35 2017 us=412226 neldridge/10.10.10.2:63179 UDPv4 WRITE [158] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=157
Thu Mar  2 20:09:35 2017 us=412503 neldridge/10.10.10.2:63179 UDPv4 READ [41] from [AF_INET]10.10.10.2:63179: P_DATA_V2 kid=0 DATA len=40
Thu Mar  2 20:09:35 2017 us=848265 neldridge/10.10.10.2:63179 UDPv4 WRITE [108] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=107
Thu Mar  2 20:09:35 2017 us=919512 neldridge/10.10.10.2:63179 UDPv4 READ [107] from [AF_INET]10.10.10.2:63179: P_DATA_V2 kid=0 DATA len=106
Thu Mar  2 20:09:35 2017 us=919560 neldridge/10.10.10.2:63179 TUN WRITE [82]
Thu Mar  2 20:09:36 2017 us=27066 neldridge/10.10.10.2:63179 UDPv4 WRITE [233] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=232
Thu Mar  2 20:09:36 2017 us=410232 neldridge/10.10.10.2:63179 UDPv4 WRITE [82] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=81
Thu Mar  2 20:09:36 2017 us=928176 neldridge/10.10.10.2:63179 UDPv4 WRITE [108] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=107
Thu Mar  2 20:09:37 2017 us=27646 neldridge/10.10.10.2:63179 UDPv4 WRITE [233] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=232

服务器接口/路由表（注意：下面 tap0 的 flags=8942 只有 RUNNING/PROMISC，没有 UP）

em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
    ether 00:0c:29:d1:38:e7
    inet6 fe80::20c:29ff:fed1:38e7%em0 prefixlen 64 scopeid 0x1
    inet6 2605:a601:8064:7300:20c:29ff:fed1:38e7 prefixlen 64 autoconf
    inet 192.168.1.82 netmask 0xffffff00 broadcast 192.168.1.255
    nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
    ether 00:0c:29:d1:38:f1
    inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    groups: lo
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:e0:6c:c4:bb:00
    nd6 options=9<PERFORMNUD,IFDISABLED>
    groups: bridge
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 5 priority 128 path cost 2000000
    member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 1 priority 128 path cost 20000
tap0: flags=8942<BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    ether 00:bd:af:ed:f6:00
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    media: Ethernet autoselect
    status: active
    groups: tap
    Opened by PID 1103

# netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         em0
10.10.10.0/24      link#2             U           em1
10.10.10.1         link#2             UHS         lo0
127.0.0.1          link#3             UH          lo0
192.168.1.0/24     link#1             U           em0
192.168.1.82       link#1             UHS         lo0

实验室详细信息

ESXi 6.5

虚拟交换机
vSwitch0-允许 promisc-vlan:0
vSwitch1-允许 promisc-vlan:10

OpenVPN 服务器
FreeBSD:11.0
OpenVPN:2.4.0
OpenSSL:1.0.2j-freebsd

bridge0 em0 和 tap0
em0 192.168.1.82
tap0

em1 10.10.10.1

服务器 /etc/sysctl.conf

# Enable IPv4 forwarding so the host routes between em1 (10.10.10.0/24) and
# the LAN side. gateway_enable="YES" in rc.conf turns on the same sysctl at
# boot, so this line duplicates it. The shown rc.conf enables no packet
# filter (firewall_enable="NO"), so forwarded traffic is unfiltered.
net.inet.ip.forwarding=1

服务器 /etc/rc.conf

hostname="openvpn.neldridge.io"
# em0 keeps its own DHCP address even though it is also a bridge member
# (the ifconfig output shows 192.168.1.82 on em0, nothing on bridge0).
ifconfig_em0="DHCP"
#ifconfig_em0_ipv6="inet6 accept_rtadv"

# em1 faces the VPN clients (10.10.10.0/24); OpenVPN listens here on udp/1194.
ifconfig_em1="inet 10.10.10.1 netmask 255.255.255.0"

sshd_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
# gateway_enable turns on IPv4 forwarding. Combined with firewall_enable="NO"
# the host routes between 10.10.10.0/24 and the LAN with no packet filter,
# and bridged VPN clients sit directly on the 192.168.1.0/24 L2 segment.
gateway_enable="YES"
firewall_enable="NO"

# NOTE(review): bridge0 is created with em0 and tap0 as members, but nothing
# here brings tap0 up and OpenVPN does not do it either in bridge mode — the
# server's ifconfig output shows tap0 with flags=8942 (RUNNING, no UP). The
# accepted answer instead builds the bridge from OpenVPN's --up script and
# runs "ifconfig $dev up" explicitly.
cloned_interfaces="bridge0 tap0"
ifconfig_bridge0="addm em0 addm tap0"

openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"

服务器配置

# Drop root once the tunnel and keys are set up. persist-key/persist-tun
# below let the daemon survive SIGUSR1 restarts without re-reading the key
# file or reopening tap0, which it could no longer do as nobody.
user nobody
group nobody

# Bridged (tap) mode: clients get LAN addresses 192.168.1.90-100 on
# 192.168.1.0/24 with 192.168.1.1 as gateway. The server's own tap0 gets no
# address from this directive; it is only a member of bridge0 next to em0.
server-bridge 192.168.1.1 255.255.255.0 192.168.1.90 192.168.1.100
# NOTE(review): in bridged mode the client already has 192.168.1.0/24
# directly on tap0 (see the client's netstat -nr), so pushing the same
# route is redundant.
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
# Remember which client got which pool address across restarts.
ifconfig-pool-persist ipp.txt
# Let VPN clients reach each other through the server.
client-to-client

port 1194

proto udp4
dev tap0

ca keys/ca.crt
cert keys/neldridge.io.crt
key keys/neldridge.io.key  # This file should be kept secret
dh keys/dh.pem

# HMAC "firewall": packets without a valid HMAC under ta.key are dropped
# before any TLS processing. Server uses key direction 0, the client 1.
tls-auth keys/ta.key 0 # This file is secret

keepalive 10 120

# Both ends run 2.4.0, so cipher negotiation (NCP) will likely pick
# AES-256-GCM regardless of this line; this is the fallback cipher.
cipher AES-256-CBC

# NOTE(review): compressing traffic before encryption exposes it to
# compression side channels (VORACLE-class attacks against VPN traffic);
# disable unless bandwidth really requires it.
comp-lzo

persist-key
persist-tun

status openvpn-status.log
log openvpn.log
# verb 6 logs every packet (the per-packet READ/WRITE lines above); useful
# for this debugging session, lower it (e.g. 3) in production.
verb 6 

OpenVPN 客户端
FreeBSD:11.0
OpenVPN:2.4.0
OpenSSL:1.0.2j-freebsd

em0 10.10.10.2
tap0 的地址（192.168.1.90）由 OpenVPN 服务器的 server-bridge 地址池分配，并非真正的 DHCP

客户端配置

# "client" already implies tls-client and pull, so the explicit lines below
# are redundant but harmless.
client
proto udp
dev tap0
port 1194
remote 10.10.10.1
nobind
resolv-retry infinite
tls-client

ca keys/ca.crt
cert keys/neldridge.crt
key keys/neldridge.key
# NOTE(review): nothing here pins the server's identity beyond "signed by
# ca.crt"; add "remote-cert-tls server" (and/or verify-x509-name) so that
# another client certificate issued by the same CA cannot impersonate the
# server.
tls-auth keys/ta.key 1

cipher AES-256-CBC
comp-lzo
pull

persist-key
persist-tun
# verb 1 hides most client-side detail; raise it (4-6) while debugging the
# bridge so the pushed options and tap setup are visible.
verb 1

答案1

我删除了 /etc/rc.conf 中关于 bridge 的配置，并插入：

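# Profile variables for an "ovpns" instance of the FreeBSD openvpn rc script
# (presumably the rc script copied/symlinked under that name, which then
# reads ovpns_* and defaults to /usr/local/etc/openvpn/ovpns.conf).
ovpns_enable="YES"
# Have the rc script load the tap kernel module before starting OpenVPN.
ovpns_if="tap"
# up/down hook scripts only need level 2 (allow user-defined scripts).
# Level 3 additionally passes passwords to scripts via the environment,
# which nothing here requires — keep the privilege to the minimum.
ovpns_flags="--script-security 2"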

在 /usr/local/etc/openvpn/ovpns.conf 中插入2行:

# Hook scripts: OpenVPN runs "up" after opening the tap device (as root,
# before any --user/--group privilege drop) and "down" after closing it.
# Both receive the device name in $dev and require --script-security 2 or
# higher.
up /usr/local/etc/openvpn/up.sh
# NOTE(review): if this profile also drops privileges with user/group (as the
# question's openvpn.conf does), the down script runs unprivileged and its
# ifconfig calls will fail; either keep root for this profile or run the
# teardown through a privileged helper (doas/sudo).
down /usr/local/etc/openvpn/down.sh

和文件:

up.sh：

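#!/bin/sh
# OpenVPN --up hook: attach the tap device OpenVPN just opened to bridge0
# together with the physical LAN interface, so VPN clients sit on the LAN
# segment. Runs as root before any --user/--group privilege drop.
#
# Environment: OpenVPN exports the tap name as $dev. The LAN interface may
# be supplied with `setenv LAN_IF em0` in the OpenVPN config; it defaults
# to vr0 (the answer's host) when unset.
set -eu

lan_if="${LAN_IF:-vr0}"
# Abort loudly when not started by OpenVPN (no $dev) instead of running
# "ifconfig bridge0 addm vr0 addm up".
: "${dev:?OpenVPN did not export \$dev; run this only as an --up script}"

# Add $1 to bridge0 unless it is already a member: addm on an existing
# member fails with "File exists", which would abort the script under
# set -e after a restart that skipped the down hook.
bridge_addm() {
  /sbin/ifconfig bridge0 | grep -Fq "member: $1 " \
    || /sbin/ifconfig bridge0 addm "$1"
}

# Reuse an existing bridge0 rather than failing on "create".
/sbin/ifconfig bridge0 >/dev/null 2>&1 || /sbin/ifconfig bridge0 create
bridge_addm "$lan_if"
bridge_addm "$dev"
/sbin/ifconfig bridge0 up
# OpenVPN does not bring the tap up itself in bridge mode (no --ifconfig);
# keep this line — the question's server showed tap0 RUNNING but not UP and
# no client traffic reached the LAN.
/sbin/ifconfig "$dev" up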

down.sh：

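#!/bin/sh
# OpenVPN --down hook: undo up.sh — detach the tap device from bridge0,
# destroy the bridge, then destroy the tap device. Runs after the tunnel
# closes; OpenVPN exports the device name as $dev.
#
# Caveat: if OpenVPN dropped privileges with --user/--group, this script
# runs with those reduced privileges and every ifconfig call below fails.
set -u

: "${dev:?OpenVPN did not export \$dev; run this only as a --down script}"

# Best-effort teardown, deliberately without set -e: each step is attempted
# even if an earlier one failed (e.g. bridge0 already gone), matching the
# original three-command sequence.
/sbin/ifconfig bridge0 deletem "$dev"
/sbin/ifconfig bridge0 destroy
/sbin/ifconfig "$dev" destroy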

记得对 up.sh 和 down.sh 执行 chmod 755（脚本必须可执行，OpenVPN 才能调用它们）；另外 up.sh 中的 vr0 是回答者机器的 LAN 网卡，按题中的环境应改为 em0。
