我处于一个相当封闭的网络中,但我可以通过 SSH 访问外面的服务器。
使用 SSH 跳转,我可以在家里的 Pi 上进行 SSH,它也托管 VPN(PiVPN 设置,TCP)
从技术上讲,使用 SSH LocalForward 或 DynamicForward 连接到我的 VPN 是否可行?
这是我的.ssh/config
:
Host home
Hostname xx.xx.xx.xx
Port 22
User myuser
ForwardAgent yes
ProxyJump jumpserver
#tried this
#LocalForward 1194 127.0.0.1:1194
#and this
DynamicForward 2280
当我尝试连接到我的 VPN 时,我的 ssh 终端中会出现以下消息
channel 3: open failed: connect failed: Connection refused
我是否遗漏了什么或者这不可能?
谢谢
编辑:
OpenVPN 未启动(无法使用 1024 位密钥启动)。
现在它已连接,但似乎没有流量。我发现了这一点:通过 SSH 隧道连接 OpenVPN
我很确定路线有问题,但我不明白该如何处理这条线路
route REMOTE-IP 255.255.255.255 net_gateway default
在 ovpn 文件中添加此行会导致加载失败
编辑2:
.ssh/config
Host jumpserver
HostName IP_JUMP_SERVER
User USER_JUMP
ForwardAgent yes
ProxyCommand nc -x WORKPLACE_PROXY:1080 -X 5 %h %p
Host vpnssh
Hostname IP_HOME_SERVER
Port 2222
User USER_SSH_HOME_SERVER
ForwardAgent yes
ProxyJump jumpserver
DynamicForward 2280
> ssh vpnssh
这部分工作完美,我将这个 ssh 连接留在它的终端内。
我可以使用 ssh 隧道作为 Firefox 代理localhost:2280
:工作正常,就像在家里一样浏览。
ovpn 文件:
client
dev tun
proto tcp
remote IP_HOME_SERVER 2294
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_RMxyuSg5Snuj0qfa name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
#set socks proxy (use ssh tunnel dynamic fwd)
socks-proxy localhost 2280
socks-proxy-retry
#set a route to my server public ip
route IP_HOME_SERVER 255.255.255.255 net_gateway default
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
<tls-auth>
...
</tls-auth>
> sudo openvpn --config home_vpn.ovpn
openvpn 连接日志(为清楚起见,没有日期/时间):
DEPRECATED OPTION: http-proxy-retry and socks-proxy-retry: In OpenVPN 2.4 proxy connection retries are handled like regular connections. Use connect-retry-max 1 to get a similar behavior as before.
OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.08
Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:2280
Socket Buffers: R=[87380->87380] S=[16384->16384]
Attempting to establish TCP connection with [AF_INET]127.0.0.1:2280 [nonblock]
TCP connection established with [AF_INET]127.0.0.1:2280
TCP_CLIENT link local: (not bound)
TCP_CLIENT link remote: [AF_INET]127.0.0.1:2280
TLS: Initial packet from [AF_INET]127.0.0.1:2280, sid=19fd4888 c3beb792
VERIFY OK: depth=1, CN=ChangeMe
VERIFY KU OK
Validating certificate extended key usage
++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
VERIFY EKU OK
VERIFY X509NAME OK: CN=server_RMxyuSg5Snuj0qfa
VERIFY OK: depth=0, CN=server_RMxyuSg5Snuj0qfa
Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
[server_RMxyuSg5Snuj0qfa] Peer Connection Initiated with [AF_INET]127.0.0.1:2280
SENT CONTROL [server_RMxyuSg5Snuj0qfa]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,block-outside-dns,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 1800,ping-restart 3600,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.4.4)
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: route-related options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
OPTIONS IMPORT: peer-id set
OPTIONS IMPORT: adjusting link_mtu to 1626
OPTIONS IMPORT: data channel crypto options modified
Data Channel: using negotiated cipher 'AES-256-GCM'
Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
ROUTE_GATEWAY IP_WORKPLACE_GW/255.255.255.128 IFACE=eth0 HWADDR=00:xx:xx:xx:xx:xx
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
do_ifconfig, tt->did_ifconfig_ipv6_setup=0
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
/sbin/ip route add 127.0.0.1/32 via IP_WORKPLACE_GW
/sbin/ip route add 0.0.0.0/1 via 10.8.0.1
/sbin/ip route add 128.0.0.0/1 via 10.8.0.1
/sbin/ip route add IP_HOME_SERVER/32 via IP_WORKPLACE_GW
Initialization Sequence Completed
这样一来,我就无法 ping 任何东西,也无法浏览。VPN 似乎已连接,但任何请求都不起作用。
我也测试过使用我的手机作为调制解调器,使用跳转服务器而不使用ProxyCommand nc -x WORKPLACE_PROXY:1080 -X 5 %h %p
:结果相同。
感谢您阅读本文!
编辑3:
测试了该网络外的各种配置,我才发现原因是使用 ssh 跳转。如果没有,它就可以正常工作。
编辑4:
我认为问题实际上是这样的:
ProxyCommand nc -x WORKPLACE_PROXY:1080 -X 5 %h %p
答案1
我看到你已经提到另一个问题,并尝试将此行添加到您的配置文件中:
route REMOTE-IP 255.255.255.255 net_gateway default
您是否逐字逐句地添加了该内容?如果是,请将其替换REMOTE-IP
为远程服务器的 IP(或 DNS 名称)。