Hairpin NAT 规则不适用于 USG 上的 OpenVPN 服务器

Hairpin NAT 规则不适用于 USG 上的 OpenVPN 服务器

我正在尝试访问部署到 USG 的 OpenVPN 服务器。

USG 有一个 WAN 接口,IP 地址为 192.168.1.110,在路由器上名为 eth2。

运行

sudo tcpdump -ni eth2 dst host 192.168.1.110 and dst port 1194 -vv

我可以看到数据包到达:

tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
20:15:06.395294 IP (tos 0x0, ttl 57, id 12658, offset 0, flags [none], proto UDP (17), length 70)
    <Public-IP>.18525 > 192.168.1.110.1194: [udp sum ok] UDP, length 42

问题是这些数据包应该进入 vtun1 接口(即部署 OpenVPN 服务器的接口,子网为 172.16.10.0/24),但它们并没有进入。运行以下命令时我看不到任何流量:

sudo tcpdump -ni vtun1

这是我的配置

{
  "firewall": {
    "name": {
      "WAN_IN": {
        "rule": {
          "20": {
            "action": "accept",
            "description": "allow OpenVPN",
            "destination": {
              "address": "172.16.10.1",
              "port": "1194"
            },
            "log": "enable",
            "protocol": "udp"
          }
        }
      },
      "WAN_LOCAL": {
        "rule": {
          "20": {
            "action": "accept",
            "description": "allow OpenVPN",
            "destination": {
              "port": "1194"
            },
            "log": "enable",
            "protocol": "udp"
          }
        }
      }
    },
    "group": {
      "network-group": {
        "openvpn_network": {
          "description": "OpenVPN subnets",
          "network": ["192.168.100.0/28"]
        }
      }
    },
    "modify": {
      "SOURCE_ROUTE": {
        "rule": {
          "5": {
            "action": "modify",
            "description": "route traffic from LAN to openvpn_network",
            "modify": {
              "table": "main"
            },
            "destination": {
              "address": "192.168.10.1/24"
            }
          },
          "10": {
            "action": "modify",
            "description": "route traffic from openvpn_network to vtun0",
            "modify": {
              "table": "2"
            },
            "source": {
              "group": {
                "network-group": "openvpn_network"
              }
            }
          }
        }
      }
    },
    "source-validation": "disable"
  },
  "load-balance": {
    "group": {
      "wan_failover": {
        "interface": {
          "eth0": {
            "route-test": {
              "count": {
                "failure": "6",
                "success": "1"
              },
              "initial-delay": "20",
              "interval": "15",
              "type": {
                "ping": {
                  "target": "8.8.8.8"
                }
              }
            }
          },
          "eth2": {
            "route-test": {
              "count": {
                "failure": "6",
                "success": "1"
              },
              "initial-delay": "20",
              "interval": "15",
              "type": {
                "ping": {
                  "target": "8.8.8.8"
                }
              }
            }
          }
        }
      }
    }
  },
  "interfaces": {
    "ethernet": {
      "eth1": {
        "vif": {
          "10": {
            "address": [
              "192.168.100.1/28"
            ],
            "firewall": {
              "in": {
                "modify": "SOURCE_ROUTE",
                "name": "LAN_IN"
              }
            }
          }
        }
      }
    },
    "openvpn": {
      "vtun0": {
        "config-file": "/config/user-data/client.ovpn",
        "description": "OpenVPN Client"
      },
      "vtun1": {
        "description": "OpenVPN Server",
        "encryption": "aes256",
        "mode": "server",
        "openvpn-option": [
          "--keepalive 10 120",
          "--comp-lzo",
          "--duplicate-cn",
          "--user nobody --group nogroup",
          "--verb 3",
          "--proto udp",
          "--port 1194",
          "--tls-auth /config/auth/keys/ta.key 0",
          "--push route 10.10.0.0 255.255.252.0",
          "--push route 192.168.200.0 255.255.255.224",
          "--push route 192.168.10.0 255.255.255.0"
        ],
        "server": {
          "subnet": "172.16.10.0/24",
          "name-server": "192.168.10.1"
        },
        "tls": {
          "ca-cert-file": "/config/auth/keys/ca.crt",
          "cert-file": "/config/auth/keys/server.crt",
          "dh-file": "/config/auth/keys/dh2048.pem",
          "key-file": "/config/auth/keys/server.key"
        }
      }
    }
  },
  "protocols": {
    "static": {
      "table": {
        "2": {
          "interface-route": {
            "0.0.0.0/0": {
              "next-hop-interface": {
                "vtun0": "''"
              }
            }
          }
        }
      }
    }
  },
  "service": {
    "gui": {
      "listen-address": "192.168.10.1",
      "older-ciphers": "disable"
    },
    "nat": {
      "rule": {
        "1001": {
          "description": "OpenVPN server traffic to WAN2 [eth2] - DNAT",
          "log": "enable",
          "inbound-interface": "eth2",
          "inside-address": {
            "address": "172.16.10.1",
            "port": "1194"
          },
          "destination": {
            "address": "192.168.1.110",
            "port": "1194"
          },
          "protocol": "udp",
          "type": "destination"
        },
        "1002": {
          "description": "OpenVPN server traffic to WAN1 [vtun1] - Hairpin NAT",
          "log": "enable",
          "inbound-interface": "vtun1",
          "inside-address": {
            "address": "172.16.10.1",
            "port": "1194"
          },
          "destination": {
            "address": "192.168.1.110",
            "port": "1194"
          },
          "protocol": "udp",
          "type": "destination"
        },
        "5001": {
          "description": "MASQ openvpn_network to VPN",
          "log": "disable",
          "outbound-interface": "vtun0",
          "source": {
            "group": {
              "network-group": "openvpn_network"
            }
          },
          "type": "masquerade"
        },
        "5002": {
          "destination": {
            "address": ["192.168.1.1"]
          },
          "description": "Access to Huawei B2368 antenna (O2 LTE)",
          "outbound-interface": ["eth2"],
          "type": "masquerade"
        },
        "5003": {
          "destination": {
            "address": ["192.168.8.1"]
          },
          "description": "Access to Huawei B535-232 (T-Mobile LTE)",
          "outbound-interface": ["eth0"],
          "type": "masquerade"
        },
        "5004": {
          "description": "MASQ OpenVPN server traffic to WAN1 [vtun1] - Hairpin NAT",
          "log": "enable",
          "outbound-interface": "vtun1",
          "source": {
            "address": "172.16.10.0/24"
          },
          "destination": {
            "address": "172.16.10.1",
            "port": "1194"
          },
          "protocol": "udp",
          "type": "masquerade"
        }
      }
    },
    "ssh": {
      "listen-address": "192.168.10.1",
      "protocol-version": "v2"
    }
  }
}

我遗漏了什么?

答案1

我已经解决了这个问题。实际上 NAT 规则 1001、1002 和 5004 根本不需要:OpenVPN 服务器运行在 USG 本身上,到达 eth2 的 1194/udp 流量由 WAN_LOCAL 规则放行后直接交给本地 OpenVPN 进程,无需 DNAT 到 172.16.10.1;只有解密后的隧道内流量才会出现在 vtun1 上。
