No routing through OpenVPN connection

I cannot get OpenVPN (on a Raspberry Pi B running Raspbian 4.9.24-v7+) to work. I can establish the connection and I can ping the IP of the device in the local subnet (192.168.201.246), but I cannot ping anything else in that subnet, nor reach any other host on the internet, not even DNS. I am using OpenVPN 2.3.4.

My server config file looks like this (sensitive data replaced with '%'):

port %%%%%
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-128-CBC   # AES
auth SHA256
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append  /var/log/openvpn.log
verb 3

net.ipv4.ip_forward=1 is set in /etc/sysctl.conf

client1-test.ovpn

client
dev tun
proto udp
remote 84.%%.%%%.%% %%%%%
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
cipher AES-128-CBC
auth SHA256
key-direction 1
comp-lzo
verb 3
...

With a connected client (the following, for example, is from a Lubuntu VM) I get this routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.2.0        0.0.0.0         255.255.255.0   U     100    0        0 enp0s3
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
84.%%.%%%.%%    10.0.2.2        255.255.255.255 UGH   0      0        0 enp0s3

and this ifconfig:

enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 %%%%::%%%%:%%%%:%%%%:%%%%  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:bc:92:fa  txqueuelen 1000  (Ethernet)
        RX packets 144  bytes 23728 (23.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 272  bytes 33595 (33.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 379  bytes 29199 (29.1 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 379  bytes 29199 (29.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.6  netmask 255.255.255.255  destination 10.8.0.5
        inet6 %%%%::%%%%:%%%%:%%%:%%%%  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The OpenVPN client's log file shows this:

Wed Jun 21 22:32:54 2017 OpenVPN 2.3.11 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2016
Wed Jun 21 22:32:54 2017 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Wed Jun 21 22:32:54 2017 Control Channel Authentication: tls-auth using INLINE static key file
Wed Jun 21 22:32:54 2017 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jun 21 22:32:54 2017 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jun 21 22:32:54 2017 Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Jun 21 22:32:54 2017 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Wed Jun 21 22:32:54 2017 UDPv4 link local: [undef]
Wed Jun 21 22:32:54 2017 UDPv4 link remote: [AF_INET]84.%%.%%%.%%:%%%%%
Wed Jun 21 22:32:55 2017 TLS: Initial packet from [AF_INET]84.%%.%%%.%%:%%%%%, sid=6e1bbb5e 017448e9
Wed Jun 21 22:32:55 2017 VERIFY OK: depth=1, C=%%, ST=%%, L=%%%%, O=%%%%%%%%%%, OU=%%%%%, CN=%%%%%%%%%%%%, name=server
Wed Jun 21 22:32:55 2017 Validating certificate key usage
Wed Jun 21 22:32:55 2017 ++ Certificate has key usage  00a0, expects 00a0
Wed Jun 21 22:32:55 2017 VERIFY KU OK
Wed Jun 21 22:32:55 2017 Validating certificate extended key usage
Wed Jun 21 22:32:55 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Jun 21 22:32:55 2017 VERIFY EKU OK
Wed Jun 21 22:32:55 2017 VERIFY OK: depth=0, C=%%, ST=%%, L=%%%%, O=%%%%%%%%%, OU=%%%%%, CN=server, name=server
Wed Jun 21 22:32:55 2017 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jun 21 22:32:55 2017 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jun 21 22:32:55 2017 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jun 21 22:32:55 2017 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jun 21 22:32:55 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Jun 21 22:32:55 2017 [server] Peer Connection Initiated with [AF_INET]84.%%.%%%.%%:%%%%%
Wed Jun 21 22:32:57 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Jun 21 22:32:57 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway autolocal,dhcp-option DNS 8.8.8.8,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Wed Jun 21 22:32:57 2017 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jun 21 22:32:57 2017 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jun 21 22:32:57 2017 OPTIONS IMPORT: route options modified
Wed Jun 21 22:32:57 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jun 21 22:32:57 2017 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=enp0s3 HWADDR=%%:%%:%%:%%:%%:%%
Wed Jun 21 22:32:57 2017 TUN/TAP device tun0 opened
Wed Jun 21 22:32:57 2017 TUN/TAP TX queue length set to 100
Wed Jun 21 22:32:57 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Jun 21 22:32:57 2017 /sbin/ip link set dev tun0 up mtu 1500
Wed Jun 21 22:32:57 2017 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Wed Jun 21 22:32:57 2017 ROUTE remote_host is NOT LOCAL
Wed Jun 21 22:32:57 2017 /sbin/ip route add 84.%%.%%%.%%/32 via 10.0.2.2
Wed Jun 21 22:32:57 2017 /sbin/ip route del 0.0.0.0/0
Wed Jun 21 22:32:57 2017 /sbin/ip route add 0.0.0.0/0 via 10.8.0.5
Wed Jun 21 22:32:57 2017 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Wed Jun 21 22:32:57 2017 GID set to nogroup
Wed Jun 21 22:32:57 2017 UID set to nobody
Wed Jun 21 22:32:57 2017 Initialization Sequence Completed

The following line is what I added to /etc/firewall-openvpn-rules.sh (on the server):

iptables -v -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.201.246

And this is what my /etc/network/interfaces looks like:

source-directory /etc/network/interfaces.d

auto lo
    iface lo inet loopback

iface eth0 inet manual
    pre-up /etc/firewall-openvpn-rules.sh

allow-hotplug wlan0
iface wlan0 inet manual
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

allow-hotplug wlan1
iface wlan1 inet manual
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

Does anyone know why routing through the VPN is not working? I am not sure whether my traffic is being blocked by the Raspbian firewall (the VPN UDP port is open) or whether the routing is wrong. I do not know how to investigate the problem further. I want all traffic to go through the VPN and use my home internet connection.

I mainly followed these two guides:
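
The routing table pasted in the question shows the host route to the server via 10.0.2.2 but no 0.0.0.0 (default) line at all, even though the client log records `ip route add 0.0.0.0/0 via 10.8.0.5`. The script below is an added example; it is not part of the question nor one of the guides it refers to. It checks a `route -n` table for the two routes a redirect-gateway client needs: a default route (or, for the `def1` variant, both /1 halves) via the tunnel peer, and a /32 host route to the VPN server via the original gateway so the tunnel's own encrypted packets are not routed back into the tunnel. The peer 10.8.0.5 and the gateway 10.0.2.2 come from the question; the address 203.0.113.10 in the constructed sample stands in for the masked server address, and the `VPN_ROUTE_CHECK_LIVE` and `VPN_SERVER` variables are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original question. Checks a client's IPv4
# routing table (the text of `route -n`) for the routes a redirect-gateway
# client needs. From the question: tunnel peer 10.8.0.5, original gateway
# 10.0.2.2. Assumed: the 203.0.113.10 placeholder for the masked server
# address and the VPN_ROUTE_CHECK_LIVE / VPN_SERVER variables.

VPN_PEER="10.8.0.5"
ORIG_GW="10.0.2.2"

# Prints the gateway that carries all traffic: the common gateway of the two
# /1 halves (redirect-gateway def1, which outrank a remaining 0.0.0.0/0), or
# otherwise the gateway of the 0.0.0.0/0 route (autolocal, as pushed in the
# question). Prints nothing when neither exists.
tunnel_default_gateway() {
    printf '%s\n' "$1" | awk '
        $1=="0.0.0.0"   && $3=="0.0.0.0"   { full=$2 }
        $1=="0.0.0.0"   && $3=="128.0.0.0" { lo=$2 }
        $1=="128.0.0.0" && $3=="128.0.0.0" { hi=$2 }
        END { if (lo!="" && lo==hi) print lo; else if (full!="") print full }'
}

# Prints the gateway of the /32 host route to $2, nothing when it is absent.
host_route_gateway() {
    printf '%s\n' "$1" | awk -v d="$2" '$1==d && $3=="255.255.255.255" { print $2; exit }'
}

# Returns 0 when both routes are as a connected redirect-gateway client needs
# them, 1 otherwise, printing one line per finding. $1 = table, $2 = server IP.
check_vpn_routes() {
    rc=0
    gw=$(tunnel_default_gateway "$1")
    if [ "$gw" = "$VPN_PEER" ]; then
        echo "default route: via $gw (tunnel)"
    elif [ -z "$gw" ]; then
        echo "default route: MISSING, no off-link traffic is routed at all"
        rc=1
    else
        echo "default route: via $gw, bypasses the tunnel"
        rc=1
    fi
    sgw=$(host_route_gateway "$1" "$2")
    if [ "$sgw" = "$ORIG_GW" ]; then
        echo "server bypass route: $2 via $sgw"
    else
        echo "server bypass route: MISSING, tunnel packets would be routed into the tunnel"
        rc=1
    fi
    return $rc
}

# Constructed sample: the table from the question, with the masked server
# address replaced by the documentation address 203.0.113.10. No default route.
SAMPLE_BROKEN='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.2.0        0.0.0.0         255.255.255.0   U     100    0        0 enp0s3
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
203.0.113.10    10.0.2.2        255.255.255.255 UGH   0      0        0 enp0s3'

# Constructed sample: the same table after the "ip route add 0.0.0.0/0 via
# 10.8.0.5" from the client log has taken effect.
SAMPLE_GOOD="$SAMPLE_BROKEN
0.0.0.0         10.8.0.5        0.0.0.0         UG    0      0        0 tun0"

# Live mode: run on the client while connected. `route -n` is from net-tools.
if [ "${VPN_ROUTE_CHECK_LIVE:-0}" = 1 ]; then
    check_vpn_routes "$(route -n)" "${VPN_SERVER:?set VPN_SERVER to the server address}"
fi
```

Run it on the connected client with `VPN_ROUTE_CHECK_LIVE=1 VPN_SERVER=<server address> sh check-routes.sh`. An empty result from `tunnel_default_gateway` means nothing leaves the host through the tunnel regardless of what the server does, and the client log around the `/sbin/ip route` lines is the place to look next; a correct table with traffic still failing points at the server side (forwarding and NAT).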

Answer 1

I was able to solve this. The first problem was that the iptables configuration in my /etc/firewall-openvpn-rules.sh was not being triggered; I had to execute it manually.

This article helped me understand iptables and NAT. Then I had to enable the following lines in the *.ovpn client file to get DNS working:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Routing and DNS are now working correctly. I do not think this question is a duplicate of the one mentioned by @liam-dennehy.
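
The answer's first fix, the NAT rule in /etc/firewall-openvpn-rules.sh never being applied, is worth re-checking mechanically and making robust. The script below is an added example, not the answer's own script: it parses `iptables -t nat -S POSTROUTING` and the ip_forward sysctl so the two server-side preconditions can be verified, installs the question's SNAT rule with `iptables -C` so repeated runs cannot stack duplicate copies, and doubles as an OpenVPN up/down hook so the rule is applied when the tunnel itself comes up rather than only at eth0 pre-up. Subnet, interface and LAN address are the question's; the hook path /etc/openvpn/nat-hook.sh, the `OPENVPN_NAT_LIVE` switch and the sample dump are assumptions.

```shell
#!/bin/sh
# Added example, not the answer's script. Server-side check and idempotent
# install of the question's NAT rule. From the question: 10.8.0.0/24, eth0,
# 192.168.201.246. Assumed: the hook path, OPENVPN_NAT_LIVE, the sample dump.

VPN_NET="10.8.0.0/24"
LAN_IF="eth0"
LAN_IP="192.168.201.246"

# Returns 0 when the text of `sysctl net.ipv4.ip_forward` ("net.ipv4.ip_forward
# = 1") or of /proc/sys/net/ipv4/ip_forward ("1") says forwarding is on.
forwarding_enabled() {
    case "$(printf '%s' "$1" | tr -d ' \n' | sed 's/.*=//')" in
        1) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when a dump from `iptables -t nat -S POSTROUTING` already contains
# a SNAT-to-LAN_IP or MASQUERADE rule for VPN_NET leaving LAN_IF.
nat_rule_present() {
    printf '%s\n' "$1" | grep -E -- \
        "^-A POSTROUTING -s ${VPN_NET} -o ${LAN_IF} -j (SNAT --to-source ${LAN_IP}|MASQUERADE)$" >/dev/null
}

# Appends the rule only if the kernel does not already have it (-C = check),
# so calling this from pre-up, from an OpenVPN up hook and by hand is safe.
ensure_nat_rule() {
    iptables -t nat -C POSTROUTING -s "$VPN_NET" -o "$LAN_IF" -j SNAT --to-source "$LAN_IP" 2>/dev/null ||
        iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$LAN_IF" -j SNAT --to-source "$LAN_IP"
}

# Best effort: the down hook runs unprivileged under `user nobody`, so failure
# here is expected and ignored; a leftover SNAT rule does no harm.
remove_nat_rule() {
    iptables -t nat -D POSTROUTING -s "$VPN_NET" -o "$LAN_IF" -j SNAT --to-source "$LAN_IP" 2>/dev/null || true
}

# Hook entry point: OpenVPN exports script_type ("up" or "down") to the script
# named by the server config's `up` / `down` directives.
case "${script_type:-}" in
    up)   sysctl -w net.ipv4.ip_forward=1 >/dev/null; ensure_nat_rule ;;
    down) remove_nat_rule ;;
esac

# Constructed sample of `iptables -t nat -S POSTROUTING` after the question's
# rule has been applied once.
SAMPLE_NAT_DUMP='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.201.246'

# Report mode for the diagnosis asked for in the question; runs only on demand.
report() {
    if forwarding_enabled "$(cat /proc/sys/net/ipv4/ip_forward)"; then
        echo "ip_forward: on"
    else
        echo "ip_forward: OFF (sysctl -w net.ipv4.ip_forward=1, and check /etc/sysctl.conf is loaded)"
    fi
    if nat_rule_present "$(iptables -t nat -S POSTROUTING 2>/dev/null)"; then
        echo "NAT rule: present"
    else
        echo "NAT rule: MISSING (run ensure_nat_rule as root)"
    fi
}
if [ "${OPENVPN_NAT_LIVE:-0}" = 1 ]; then report; fi
```

To use it as a hook, install it executable as /etc/openvpn/nat-hook.sh and add `script-security 2`, `up /etc/openvpn/nat-hook.sh` and `down /etc/openvpn/nat-hook.sh` to the server config. The up hook runs as root before OpenVPN drops to `user nobody` / `group nogroup`; the down hook runs after the drop, which is why the removal is best effort. `OPENVPN_NAT_LIVE=1 sh /etc/openvpn/nat-hook.sh` gives the two-line status report. One caveat: with ip_forward on and no FORWARD rules, the Pi forwards anything that arrives on tun0, so a FORWARD chain that accepts only `-i tun0 -s 10.8.0.0/24` and established return traffic belongs next to this rule.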
