Machine loses its internet connection after Ethernet bridging

I am basically facing the same problem as described here, except that I did assign an IP to the new bridge interface br0.

(This is a related question.)

I am trying to build a "data link VPN".

So I followed the steps described in the official OpenVPN article.

I modified the script slightly (added a few lines at the very bottom) to set up the required firewall rules and bring the interfaces up.

The script is as follows:

#!/bin/bash

####################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
####################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.178.20"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.178.255"

for t in $tap; do
  openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
  brctl addif $br $t
done

for t in $tap; do
  ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

for t in $tap; do
  iptables -A INPUT -i $t -j ACCEPT
done
iptables -A INPUT -i $br -j ACCEPT
iptables -A FORWARD -i $br -j ACCEPT

ifconfig $br up
for t in $tap; do
  ifconfig $t up
done
route add default gw 192.168.178.1

ip addr
ip route

Also, see below the output of ip addr and ip route (before and after the script):

Before:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b8:27:eb:b9:a0:0f brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.20/24 brd 192.168.178.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fd00::6523:63a5:7749:c7a/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 7131sec preferred_lft 3531sec
    inet6 fe80::e750:eb6e:6c80:f71c/64 scope link 
       valid_lft forever preferred_lft forever
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether b8:27:eb:ec:f5:5a brd ff:ff:ff:ff:ff:ff

default via 192.168.178.1 dev eth0 src 192.168.178.20 metric 202 
192.168.178.0/24 dev eth0 proto dhcp scope link src 192.168.178.20 metric 202 

After:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether b8:27:eb:b9:a0:0f brd ff:ff:ff:ff:ff:ff
    inet6 fd00::6523:63a5:7749:c7a/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 6718sec preferred_lft 3118sec
    inet6 fe80::e750:eb6e:6c80:f71c/64 scope link 
       valid_lft forever preferred_lft forever
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether b8:27:eb:ec:f5:5a brd ff:ff:ff:ff:ff:ff
4: tap0: <NO-CARRIER,BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast master br0 state DOWN group default qlen 100
    link/ether be:71:41:11:89:cd brd ff:ff:ff:ff:ff:ff
5: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether b8:27:eb:b9:a0:0f brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.20/24 brd 192.168.178.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::ba27:ebff:feb9:a00f/64 scope link tentative 
       valid_lft forever preferred_lft forever


default via 192.168.178.1 dev br0 
192.168.178.0/24 dev br0 proto kernel scope link src 192.168.178.20 

As you can see, eth0 is the physical interface (LAN).

After running the script, the machine is unreachable from anywhere (it should be reachable over SSH on the local LAN, but I cannot even ping the machine).

I use dhcpcd, configured as follows:

interface eth0
static ip_address=192.168.178.20/24
static routers=192.168.178.1
static domain_name_servers=192.168.178.1 8.8.8.8

So eth0 has a static IP assigned.

After following the steps @TomYan mentioned below, I do not start dhcpcd for the new bridge interface. Instead, I assign the IP from the physical interface and specify the default gateway:

ip l set eth0 down
ip a flush eth0

ip l add name bridge0 type bridge

# Swap Ethernet addresses at this point
read eth_mac </sys/class/net/eth0/address
read br_mac </sys/class/net/bridge0/address

ip l set eth0 address $br_mac
ip l set bridge0 address $eth_mac
ip l set eth0 master bridge0

ip l set eth0 promisc on
ip l set bridge0 promisc on

# Set IP address of bridge interface
#ip addr add 192.168.178.20 dev bridge0
ifconfig bridge0 192.168.178.20 netmask 255.255.255.0 broadcast 192.168.178.255
route add default gw 192.168.178.1 bridge0

ip l set dev bridge0 up

# Configure the bridge
ip l set dev eth0 up

Here is the output of ip a show dev eth0/bridge0 and ip r show after executing these commands:

2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master bridge0 state UP group default qlen 1000
    link/ether a2:f1:00:1c:aa:c2 brd ff:ff:ff:ff:ff:ff
4: bridge0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether b8:27:eb:b9:a0:0f brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.20/24 brd 192.168.178.255 scope global bridge0
       valid_lft forever preferred_lft forever
    inet6 fe80::ba27:ebff:feb9:a00f/64 scope link tentative 
       valid_lft forever preferred_lft forever

default via 192.168.178.1 dev bridge0 
192.168.178.0/24 dev bridge0 proto kernel scope link src 192.168.178.20 

What is missing? I am really lost and would be very glad for any hint.

Answer 1

Maybe you should stop using the script and first do it step by step. Honestly, I do not even understand why you would use a script to set up the bridge instead of a network manager like systemd-networkd. But if you insist, you can set everything up with iproute2.

Assuming the NIC is configured (e.g., by dhcpcd started via systemd), you want to stop whatever that is and "reset" the NIC first (bring it down and flush its IP addresses):

[tom@archlinux ~]$ ip a show dev enp3s0
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether ac:22:0b:29:e6:0c brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.111/24 brd 192.168.1.255 scope global dynamic noprefixroute enp3s0
       valid_lft 86381sec preferred_lft 75581sec
    inet6 fe80::736a:adc3:745b:b48d/64 scope link 
       valid_lft forever preferred_lft forever
[tom@archlinux ~]$ sudo systemctl stop dhcpcd@enp3s0
[tom@archlinux ~]$ sudo ip l set enp3s0 down
[tom@archlinux ~]$ sudo ip a flush enp3s0
[tom@archlinux ~]$ ip a show dev enp3s0
2: enp3s0: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether ac:22:0b:29:e6:0c brd ff:ff:ff:ff:ff:ff

Then you can go ahead and create the bridge and make the NIC its slave:

[tom@archlinux ~]$ sudo ip l add name bridge0 type bridge
[tom@archlinux ~]$ ip a show dev bridge0
3: bridge0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether ba:f0:20:42:64:5f brd ff:ff:ff:ff:ff:ff
[tom@archlinux ~]$ sudo ip l set enp3s0 address ba:f0:20:42:64:5f
[tom@archlinux ~]$ sudo ip l set bridge0 address ac:22:0b:29:e6:0c
[tom@archlinux ~]$ sudo ip l set enp3s0 master bridge0

As you can see, I simply "swapped" their MAC addresses.

After bringing the NIC up, you can configure the bridge the same way the NIC was configured before:

[tom@archlinux ~]$ sudo ip l set enp3s0 up
[tom@archlinux ~]$ sudo systemctl start dhcpcd@bridge0
[tom@archlinux ~]$ ip a show dev enp3s0
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master bridge0 state UP group default qlen 1000
    link/ether ba:f0:20:42:64:5f brd ff:ff:ff:ff:ff:ff
[tom@archlinux ~]$ ip a show dev bridge0
3: bridge0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ac:22:0b:29:e6:0c brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.111/24 brd 192.168.1.255 scope global dynamic noprefixroute bridge0
       valid_lft 86392sec preferred_lft 75592sec
    inet6 fe80::736a:adc3:745b:b48d/64 scope link 
       valid_lft forever preferred_lft forever

You only need to change firewall rules if you actually have a firewall enabled. Even then, whether any change is really needed depends on how the firewall is configured. Just adding random rules from the internet whose purpose you do not even know is silly. Besides, you might be using nftables rather than iptables.

You also do not necessarily need to create the tap manually, since OpenVPN can create it on demand. You can have a tap with a specific name created by using the following in the client and server configs:

dev whatever
dev-type tap

You may also want to add persist-tun. See the manual for details.

I am not sure you really need to turn promiscuous mode on for the bridge and/or the NIC. If you want to check whether it helps, you can run:

# ip l set $name promisc on|off

I do not think you need it for bridging the taps anyway, though.

Answer 2

I eventually managed to keep the connection working.

I used a script because I was connected remotely via eth0; bringing it down would have closed the connection.

Compared to the script in the question, the changes I made are, first, making sure the DHCP service is not running, to prevent it from (re)assigning the IP address, and second, flushing eth0 to remove its address.

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.178.20"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.178.255"
eth_gateway="192.168.178.1"

for t in $tap; do
  openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

# Stop dhcpcd if running
systemctl stop dhcpcd

for t in $tap; do
  brctl addif $br $t
done

for t in $tap; do
  ifconfig $t 0.0.0.0 promisc up
done

#ip addr del $eth_ip dev $eth
ip addr flush dev $eth

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
route add default gw $eth_gateway $br
for t in $tap; do
  ifconfig $t up
done
ifconfig $br up
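The failure both the question and this answer circle around is a physical port that keeps (or regains) its own IPv4 address and default route after being enslaved to the bridge. The following is an added example, not code from the original post: a POSIX sh check that parses `ip addr` and `ip route` text and reports exactly those conditions. The function names `has_inet` and `check_bridge` and the sample outputs are constructed for this example; the interface names eth0 and br0 are the ones used in the question.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a bridge has fully taken over
# the physical NIC. Works on captured text or live: check_bridge "$(ip addr)" "$(ip route)" eth0 br0

# has_inet ADDR_TEXT IFACE: true if IFACE's block in `ip addr` output holds an IPv4 address.
has_inet() {
    printf '%s\n' "$1" | awk -v n="$2:" \
        '/^[0-9]+: / {cur=$2} /^ *inet / {if (cur==n) f=1} END {exit !f}'
}

# check_bridge ADDR_TEXT ROUTE_TEXT NIC BRIDGE: prints each failing check, returns 0 only if all pass.
check_bridge() {
    addr=$1 route=$2 nic=$3 br=$4 rc=0
    # The NIC must be a port of the bridge ("master <bridge>" on its flags line).
    printf '%s\n' "$addr" | grep -Eq "^[0-9]+: $nic: .* master $br " \
        || { echo "FAIL: $nic is not enslaved to $br"; rc=1; }
    # The NIC must hold no IPv4 address: a DHCP client re-adding one to the
    # enslaved port is what silently breaks reachability after bridging.
    has_inet "$addr" "$nic" && { echo "FAIL: $nic still has an IPv4 address, flush it"; rc=1; }
    # The bridge must hold the address instead.
    has_inet "$addr" "$br" || { echo "FAIL: $br has no IPv4 address"; rc=1; }
    # The default route must leave via the bridge and never via the enslaved NIC.
    printf '%s\n' "$route" | grep -Eq "^default via [0-9.]+ dev $br( |$)" \
        || { echo "FAIL: no default route via $br"; rc=1; }
    printf '%s\n' "$route" | grep -Eq "^default .* dev $nic( |$)" \
        && { echo "FAIL: a default route still points at $nic"; rc=1; }
    return $rc
}
# Constructed sample: healthy state, as after the corrected script (address and route on br0).
GOOD_ADDR='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether b8:27:eb:b9:a0:0f brd ff:ff:ff:ff:ff:ff
5: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether b8:27:eb:b9:a0:0f brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.20/24 brd 192.168.178.255 scope global br0'
GOOD_ROUTE='default via 192.168.178.1 dev br0
192.168.178.0/24 dev br0 proto kernel scope link src 192.168.178.20'
# Constructed sample: dhcpcd was left running and re-added an address and a default route on eth0.
BAD_ADDR='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether b8:27:eb:b9:a0:0f brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.20/24 brd 192.168.178.255 scope global eth0
5: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether b8:27:eb:b9:a0:0f brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.20/24 brd 192.168.178.255 scope global br0'
BAD_ROUTE='default via 192.168.178.1 dev eth0 src 192.168.178.20 metric 202
default via 192.168.178.1 dev br0
192.168.178.0/24 dev br0 proto kernel scope link src 192.168.178.20'
check_bridge "$GOOD_ADDR" "$GOOD_ROUTE" eth0 br0 && echo "healthy sample: OK"
check_bridge "$BAD_ADDR" "$BAD_ROUTE" eth0 br0 || echo "broken sample: bridge misconfigured"
```

Run it again a minute after the bridge script finishes: the address reappearing on eth0 is the sign that a DHCP client is still managing the port.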
