我正在尝试访问部署到 USG 的 OpenVPN 服务器。
USG 有一个 WAN，IP 地址为 192.168.1.110，该接口在路由器上名为 eth2。
运行
sudo tcpdump -ni eth2 dst host 192.168.1.110 and dst port 1194 -vv
我可以接收到数据包
tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
20:15:06.395294 IP (tos 0x0, ttl 57, id 12658, offset 0, flags [none], proto UDP (17), length 70)
<Public-IP>.18525 > 192.168.1.110.1194: [udp sum ok] UDP, length 42
问题是这些数据包应该进入接口 vtun1（即部署 OpenVPN 服务器的接口，子网为 172.16.10.0/24），但它们没有进入。运行以下命令时我看不到任何东西：
sudo tcpdump -ni vtun1
这是我的配置
{
"firewall": {
"name": {
"WAN_IN": {
"rule": {
"20": {
"action": "accept",
"description": "allow OpenVPN",
"destination": {
"address": "172.16.10.1",
"port": "1194"
},
"log": "enable",
"protocol": "udp"
}
}
},
"WAN_LOCAL": {
"rule": {
"20": {
"action": "accept",
"description": "allow OpenVPN",
"destination": {
"port": "1194"
},
"log": "enable",
"protocol": "udp"
}
}
}
},
"group": {
"network-group": {
"openvpn_network": {
"description": "OpenVPN subnets",
"network": ["192.168.100.0/28"]
}
}
},
"modify": {
"SOURCE_ROUTE": {
"rule": {
"5": {
"action": "modify",
"description": "route traffic from LAN to openvpn_network",
"modify": {
"table": "main"
},
"destination": {
"address": "192.168.10.1/24"
}
},
"10": {
"action": "modify",
"description": "route traffic from openvpn_network to vtun0",
"modify": {
"table": "2"
},
"source": {
"group": {
"network-group": "openvpn_network"
}
}
}
}
}
},
"source-validation": "disable"
},
"load-balance": {
"group": {
"wan_failover": {
"interface": {
"eth0": {
"route-test": {
"count": {
"failure": "6",
"success": "1"
},
"initial-delay": "20",
"interval": "15",
"type": {
"ping": {
"target": "8.8.8.8"
}
}
}
},
"eth2": {
"route-test": {
"count": {
"failure": "6",
"success": "1"
},
"initial-delay": "20",
"interval": "15",
"type": {
"ping": {
"target": "8.8.8.8"
}
}
}
}
}
}
}
},
"interfaces": {
"ethernet": {
"eth1": {
"vif": {
"10": {
"address": [
"192.168.100.1/28"
],
"firewall": {
"in": {
"modify": "SOURCE_ROUTE",
"name": "LAN_IN"
}
}
}
}
}
},
"openvpn": {
"vtun0": {
"config-file": "/config/user-data/client.ovpn",
"description": "OpenVPN Client"
},
"vtun1": {
"description": "OpenVPN Server",
"encryption": "aes256",
"mode": "server",
"openvpn-option": [
"--keepalive 10 120",
"--comp-lzo",
"--duplicate-cn",
"--user nobody --group nogroup",
"--verb 3",
"--proto udp",
"--port 1194",
"--tls-auth /config/auth/keys/ta.key 0",
"--push route 10.10.0.0 255.255.252.0",
"--push route 192.168.200.0 255.255.255.224",
"--push route 192.168.10.0 255.255.255.0"
],
"server": {
"subnet": "172.16.10.0/24",
"name-server": "192.168.10.1"
},
"tls": {
"ca-cert-file": "/config/auth/keys/ca.crt",
"cert-file": "/config/auth/keys/server.crt",
"dh-file": "/config/auth/keys/dh2048.pem",
"key-file": "/config/auth/keys/server.key"
}
}
}
},
"protocols": {
"static": {
"table": {
"2": {
"interface-route": {
"0.0.0.0/0": {
"next-hop-interface": {
"vtun0": "''"
}
}
}
}
}
}
},
"service": {
"gui": {
"listen-address": "192.168.10.1",
"older-ciphers": "disable"
},
"nat": {
"rule": {
"1001": {
"description": "OpenVPN server traffic to WAN2 [eth2] - DNAT",
"log": "enable",
"inbound-interface": "eth2",
"inside-address": {
"address": "172.16.10.1",
"port": "1194"
},
"destination": {
"address": "192.168.1.110",
"port": "1194"
},
"protocol": "udp",
"type": "destination"
},
"1002": {
"description": "OpenVPN server traffic to WAN1 [vtun1] - Hairpin NAT",
"log": "enable",
"inbound-interface": "vtun1",
"inside-address": {
"address": "172.16.10.1",
"port": "1194"
},
"destination": {
"address": "192.168.1.110",
"port": "1194"
},
"protocol": "udp",
"type": "destination"
},
"5001": {
"description": "MASQ openvpn_network to VPN",
"log": "disable",
"outbound-interface": "vtun0",
"source": {
"group": {
"network-group": "openvpn_network"
}
},
"type": "masquerade"
},
"5002": {
"destination": {
"address": ["192.168.1.1"]
},
"description": "Access to Huawei B2368 antenna (O2 LTE)",
"outbound-interface": ["eth2"],
"type": "masquerade"
},
"5003": {
"destination": {
"address": ["192.168.8.1"]
},
"description": "Access to Huawei B535-232 (T-Mobile LTE)",
"outbound-interface": ["eth0"],
"type": "masquerade"
},
"5004": {
"description": "MASQ OpenVPN server traffic to WAN1 [vtun1] - Hairpin NAT",
"log": "enable",
"outbound-interface": "vtun1",
"source": {
"address": "172.16.10.0/24"
},
"destination": {
"address": "172.16.10.1",
"port": "1194"
},
"protocol": "udp",
"type": "masquerade"
}
}
},
"ssh": {
"listen-address": "192.168.10.1",
"protocol-version": "v2"
}
}
}
我遗漏了什么？
答案1
我已经解决了这个问题。实际上 NAT 规则 1001、1002 和 5004 根本不需要。OpenVPN 服务进程本身就在路由器本地监听 UDP 1194（由 WAN_LOCAL 规则放行），加密的 UDP 传输数据包在 eth2 上被该进程直接接收，不会出现在 vtun1 上；vtun1 上只能看到解封装之后的隧道内流量，因此在 vtun1 上抓不到 1194 端口的数据包是正常现象，而把这些数据包 DNAT 到 172.16.10.1 反而会使它们绕过本地监听的服务进程。