I am able to authenticate, obtain the IP address 192.168.1.90 from the OpenVPN server, and see broadcast traffic from the 192.168.1.0/24 network with tcpdump on the client's tap0 interface.
Whenever I try to ping or access the 192.168.1.0 network from the client, I am unable to reach the client from the server.
Server log covering the ping requests
Thu Mar 2 20:06:25 2017 us=919632 neldridge/10.10.10.2:10681 UDPv4 READ [123] from [AF_INET]10.10.10.2:10681: P_DATA_V2 kid=2 DATA len=122
Thu Mar 2 20:06:25 2017 us=919692 neldridge/10.10.10.2:10681 TUN WRITE [98]
Thu Mar 2 20:06:26 2017 us=983190 neldridge/10.10.10.2:10681 UDPv4 READ [123] from [AF_INET]10.10.10.2:10681: P_DATA_V2 kid=2 DATA len=122
Thu Mar 2 20:06:26 2017 us=983245 neldridge/10.10.10.2:10681 TUN WRITE [98]
Thu Mar 2 20:06:28 2017 us=13120 neldridge/10.10.10.2:10681 UDPv4 READ [123] from [AF_INET]10.10.10.2:10681: P_DATA_V2 kid=2 DATA len=122
Thu Mar 2 20:06:28 2017 us=13188 neldridge/10.10.10.2:10681 TUN WRITE [98]
Server tcpdump on em1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 262144 bytes
20:06:25.919500 IP 10.10.10.2.10681 > 10.10.10.1.1194: UDP, length 123
20:06:26.983094 IP 10.10.10.2.10681 > 10.10.10.1.1194: UDP, length 123
20:06:28.012980 IP 10.10.10.2.10681 > 10.10.10.1.1194: UDP, length 123
Client ping result
# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
ping: sendto: Host is down
ping: sendto: Host is down
^C
--- 192.168.1.1 ping statistics ---
15 packets transmitted, 0 packets received, 100.0% packet loss
Client ifconfig / routing table
# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:0c:29:ab:1d:ab
inet 10.10.10.2 netmask 0xffffff00 broadcast 10.10.10.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:0c:29:ab:1d:b5
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: lo
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
ether 00:bd:2c:f3:e5:00
inet6 fe80::2bd:2cff:fef3:e500%tap0 prefixlen 64 scopeid 0x4
inet 192.168.1.90 netmask 0xffffff00 broadcast 192.168.1.255
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect
status: active
groups: tap
Opened by PID 1417
# netstat -nr
Routing tables
Internet:
Destination Gateway Flags Netif Expire
10.10.10.0/24 link#1 U em0
10.10.10.2 link#1 UHS lo0
127.0.0.1 link#3 UH lo0
192.168.1.0/24 link#4 U tap0
192.168.1.90 link#4 UHS lo0
Internet6:
Destination Gateway Flags Netif Expire
::/96 ::1 UGRS lo0
::1 link#3 UH lo0
::ffff:0.0.0.0/96 ::1 UGRS lo0
fe80::/10 ::1 UGRS lo0
fe80::%lo0/64 link#3 U lo0
fe80::1%lo0 link#3 UHS lo0
fe80::%tap0/64 link#4 U tap0
fe80::2bd:2cff:fef3:e500%tap0 link#4 UHS lo0
ff02::/16 ::1 UGRS lo0
Client tcpdump on tap0
# tcpdump -ni tap0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap0, link-type EN10MB (Ethernet), capture size 262144 bytes
20:09:32.958696 IP 192.168.1.171.54915 > 192.168.1.255.54915: UDP, length 263
20:09:33.335203 ARP, Request who-has 192.168.1.254 tell 192.168.1.250, length 46
20:09:33.959851 IP 192.168.1.171.54915 > 192.168.1.255.54915: UDP, length 263
20:09:34.962810 IP 192.168.1.171.54915 > 192.168.1.255.54915: UDP, length 263
20:09:35.346785 IP 192.168.1.77.50312 > 192.168.1.255.32412: UDP, length 21
20:09:35.346812 IP 192.168.1.77.20051 > 192.168.1.255.32414: UDP, length 21
20:09:35.346825 IP 192.168.1.77.52908 > 239.255.255.250.1900: UDP, length 94
20:09:35.783245 IP6 fe80::f6f5:e8ff:fe6e:df1c > ff02::1:ff6e:df1c: ICMP6, neighbor solicitation, who has fe80::f6f5:e8ff:fe6e:df1c, length 32
20:09:35.853649 IP 192.168.1.90.46569 > 192.168.1.1.53: 11879+ AAAA? 1.freebsd.pool.ntp.org. (40)
20:09:35.961804 IP 192.168.1.171.54915 > 192.168.1.255.54915: UDP, length 263
20:09:36.345039 ARP, Request who-has 192.168.1.254 tell 192.168.1.250, length 46
20:09:36.863036 IP6 fe80::f6f5:e8ff:fe6e:df1c > ff02::1:ff6e:df1c: ICMP6, neighbor solicitation, who has fe80::f6f5:e8ff:fe6e:df1c, length 32
20:09:36.962493 IP 192.168.1.171.54915 > 192.168.1.255.54915: UDP, length 263
20:09:37.343471 ARP, Request who-has 192.168.1.254 tell 192.168.1.250, length 46
20:09:37.963454 IP 192.168.1.171.54915 > 192.168.1.255.54915: UDP, length 263
Server openvpn.log
Thu Mar 2 20:09:32 2017 us=23710 neldridge/10.10.10.2:63179 UDPv4 WRITE [233] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=232
Thu Mar 2 20:09:32 2017 us=56268 neldridge/10.10.10.2:63179 UDPv4 WRITE [139] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=138
Thu Mar 2 20:09:32 2017 us=400398 neldridge/10.10.10.2:63179 UDPv4 WRITE [82] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=81
Thu Mar 2 20:09:33 2017 us=23870 neldridge/10.10.10.2:63179 UDPv4 WRITE [233] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=232
Thu Mar 2 20:09:33 2017 us=400395 neldridge/10.10.10.2:63179 UDPv4 WRITE [82] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=81
Thu Mar 2 20:09:34 2017 us=24994 neldridge/10.10.10.2:63179 UDPv4 WRITE [233] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=232
Thu Mar 2 20:09:35 2017 us=28020 neldridge/10.10.10.2:63179 UDPv4 WRITE [233] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=232
Thu Mar 2 20:09:35 2017 us=411921 neldridge/10.10.10.2:63179 UDPv4 WRITE [85] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=84
Thu Mar 2 20:09:35 2017 us=412148 neldridge/10.10.10.2:63179 UDPv4 WRITE [85] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=84
Thu Mar 2 20:09:35 2017 us=412226 neldridge/10.10.10.2:63179 UDPv4 WRITE [158] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=157
Thu Mar 2 20:09:35 2017 us=412503 neldridge/10.10.10.2:63179 UDPv4 READ [41] from [AF_INET]10.10.10.2:63179: P_DATA_V2 kid=0 DATA len=40
Thu Mar 2 20:09:35 2017 us=848265 neldridge/10.10.10.2:63179 UDPv4 WRITE [108] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=107
Thu Mar 2 20:09:35 2017 us=919512 neldridge/10.10.10.2:63179 UDPv4 READ [107] from [AF_INET]10.10.10.2:63179: P_DATA_V2 kid=0 DATA len=106
Thu Mar 2 20:09:35 2017 us=919560 neldridge/10.10.10.2:63179 TUN WRITE [82]
Thu Mar 2 20:09:36 2017 us=27066 neldridge/10.10.10.2:63179 UDPv4 WRITE [233] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=232
Thu Mar 2 20:09:36 2017 us=410232 neldridge/10.10.10.2:63179 UDPv4 WRITE [82] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=81
Thu Mar 2 20:09:36 2017 us=928176 neldridge/10.10.10.2:63179 UDPv4 WRITE [108] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=107
Thu Mar 2 20:09:37 2017 us=27646 neldridge/10.10.10.2:63179 UDPv4 WRITE [233] to [AF_INET]10.10.10.2:63179: P_DATA_V1 kid=0 DATA len=232
Server interfaces / routing table
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:0c:29:d1:38:e7
inet6 fe80::20c:29ff:fed1:38e7%em0 prefixlen 64 scopeid 0x1
inet6 2605:a601:8064:7300:20c:29ff:fed1:38e7 prefixlen 64 autoconf
inet 192.168.1.82 netmask 0xffffff00 broadcast 192.168.1.255
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:0c:29:d1:38:f1
inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: lo
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 02:e0:6c:c4:bb:00
nd6 options=9<PERFORMNUD,IFDISABLED>
groups: bridge
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 5 priority 128 path cost 2000000
member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 1 priority 128 path cost 20000
tap0: flags=8942<BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
ether 00:bd:af:ed:f6:00
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect
status: active
groups: tap
Opened by PID 1103
# netstat -nr
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 192.168.1.1 UGS em0
10.10.10.0/24 link#2 U em1
10.10.10.1 link#2 UHS lo0
127.0.0.1 link#3 UH lo0
192.168.1.0/24 link#1 U em0
192.168.1.82 link#1 UHS lo0
Lab details
ESXi 6.5
Virtual switches
vSwitch0 - promiscuous mode allowed - VLAN: 0
vSwitch1 - promiscuous mode allowed - VLAN: 10
OpenVPN server
FreeBSD: 11.0
OpenVPN: 2.4.0
OpenSSL: 1.0.2j-freebsd
bridge0: em0 and tap0
em0 192.168.1.82
tap0
em1 10.10.10.1
Server /etc/sysctl.conf
net.inet.ip.forwarding=1
Server /etc/rc.conf
hostname="openvpn.neldridge.io"
ifconfig_em0="DHCP"
#ifconfig_em0_ipv6="inet6 accept_rtadv"
ifconfig_em1="inet 10.10.10.1 netmask 255.255.255.0"
sshd_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
gateway_enable="YES"
firewall_enable="NO"
cloned_interfaces="bridge0 tap0"
ifconfig_bridge0="addm em0 addm tap0"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
Server config
user nobody
group nobody
server-bridge 192.168.1.1 255.255.255.0 192.168.1.90 192.168.1.100
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
ifconfig-pool-persist ipp.txt
client-to-client
port 1194
proto udp4
dev tap0
ca keys/ca.crt
cert keys/neldridge.io.crt
key keys/neldridge.io.key # This file should be kept secret
dh keys/dh.pem
tls-auth keys/ta.key 0 # This file is secret
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 6
OpenVPN client
FreeBSD: 11.0
OpenVPN: 2.4.0
OpenSSL: 1.0.2j-freebsd
em0 10.10.10.2
tap0: DHCP from the OpenVPN server
Client config
client
proto udp
dev tap0
port 1194
remote 10.10.10.1
nobind
resolv-retry infinite
tls-client
ca keys/ca.crt
cert keys/neldridge.crt
key keys/neldridge.key
tls-auth keys/ta.key 1
cipher AES-256-CBC
comp-lzo
pull
persist-key
persist-tun
verb 1
Answer 1
I removed the bridge configuration from /etc/rc.conf and inserted:
ovpns_enable="YES"
ovpns_if="tap"
ovpns_flags="--script-security 3"
Inserted 2 lines into /usr/local/etc/openvpn/ovpns.conf:
up /usr/local/etc/openvpn/up.sh
down /usr/local/etc/openvpn/down.sh
and the files:
up.sh
#!/bin/sh
# $dev is exported by OpenVPN to up/down scripts (the tap interface name);
# vr0 is the physical LAN interface on this host.
/sbin/ifconfig bridge0 create
/sbin/ifconfig bridge0 addm vr0 addm $dev up
/sbin/ifconfig $dev up
down.sh
#!/bin/sh
# Tear down in reverse order: remove the tap from the bridge, then destroy both.
/sbin/ifconfig bridge0 deletem $dev
/sbin/ifconfig bridge0 destroy
/sbin/ifconfig $dev destroy
Remember to chmod 755 up.sh and down.sh
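An added sanity check, not part of the question or the answer above: in the server ifconfig output in the question, tap0's flags line lacks UP even though it is a bridge member, and the answer's up.sh explicitly runs ifconfig $dev up. The script below parses ifconfig output (a constructed subset of the question's server output) and reports any bridge member that is down or missing; the function names and the SAMPLE_IFCONFIG text are mine.

```shell
#!/bin/sh
# Added example, not from the original question or answer: check that a
# FreeBSD tap bridge is wired up, by parsing `ifconfig` output. The sample
# below is a constructed subset of the server's ifconfig shown in the question.
SAMPLE_IFCONFIG='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
tap0: flags=8942<BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500'

# iface_flags TEXT IFNAME: print the flag names of IFNAME, e.g. UP,BROADCAST,...
iface_flags() {
    printf '%s\n' "$1" | sed -n "s/^$2: flags=[0-9a-f]*<\([^>]*\)>.*/\1/p"
}

# iface_has_flag TEXT IFNAME FLAG: succeed if IFNAME carries FLAG
iface_has_flag() {
    case ",$(iface_flags "$1" "$2")," in
        *",$3,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# bridge_has_member TEXT BRIDGE MEMBER: succeed if MEMBER is listed under BRIDGE
bridge_has_member() {
    printf '%s\n' "$1" | awk -v br="$2:" -v m="$3" '
        $1 == br { inbr = 1; next }          # entered the bridge stanza
        /^[a-z]/ { inbr = 0 }                # a new interface stanza starts
        inbr && $1 == "member:" && $2 == m { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_tap_bridge TEXT BRIDGE TAP PHYS: print each problem found, return their count
check_tap_bridge() {
    problems=0
    for ifn in "$2" "$3" "$4"; do
        iface_has_flag "$1" "$ifn" UP || { echo "$ifn is not UP"; problems=$((problems + 1)); }
    done
    for m in "$3" "$4"; do
        bridge_has_member "$1" "$2" "$m" || { echo "$m is not a member of $2"; problems=$((problems + 1)); }
    done
    return "$problems"
}

# On the question's server output this reports "tap0 is not UP".
if check_tap_bridge "$SAMPLE_IFCONFIG" bridge0 tap0 em0; then
    echo "bridge looks sane"
fi
```

On a live host, replace SAMPLE_IFCONFIG with "$(ifconfig)" to run the same check against the real bridge.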