Remote LAN behind the VPN server does not work

I have a remote LAN that is exported through a VPN server which also acts as the router, as shown in the diagram. The server has two interfaces, one facing the public internet and one facing the internal hosts.

This is my server.conf:

# OpenVPN Port, Protocol, and the Tun
port 1194
proto udp
dev tap

# OpenVPN Server Certificate - CA, server key and certificate
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/lab.crt
key /etc/openvpn/server/lab.key

key-direction 0
#DH and CRL key
dh /etc/openvpn/server/dh.pem

# Redirect all Connection through OpenVPN Server
server 10.15.128.0 255.255.255.0
push "route 10.14.128.0 255.255.255.0 10.15.128.1"
push "route-gateway 10.15.128.1"


# Using the DNS from https://dns.watch
push "dhcp-option DNS 84.200.69.80"
push "dhcp-option DNS 84.200.70.40"

#Enable multiple clients to connect with the same certificate key
duplicate-cn
client-to-client
#client-cert-not-required
#username-as-common-name
# TLS Security
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache

# Other Configuration
keepalive 20 60
persist-key
persist-tun
compress lz4
daemon

The client configuration is:

client
float
dev tap
proto udp

remote xxx.xxx.xxx.xxx 1194 udp

ca ca.crt
cert client01.crt
key client01.key

cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
pull
verb 3

The routing table on the client is:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 enp2s0
0.0.0.0         192.168.1.1     0.0.0.0         UG    600    0        0 wlp3s0
10.14.128.0     10.15.128.1     255.255.255.0   UG    0      0        0 tap0
10.15.128.0     0.0.0.0         255.255.255.0   U     0      0        0 tap0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 enp2s0

From the client I can ping the server, 10.14.128.29, but not the hosts behind the server. I ran tcpdump on host2 and I actually see the pings from the client, both the request and the reply. Do I have to manually add a route on 10.14.128.12?
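The symptom described above (host2 sees both the echo request and its reply, yet the client gets no answer) is the usual sign of a missing return route: LAN hosts send replies for 10.15.128.0/24 to their own default gateway, which does not know that subnet sits behind 10.14.128.29. The script below is an added example, not part of the original question or of OpenVPN itself; it checks a gateway routing table for that return route and prints the two usual fixes. It assumes the LAN gateway is 10.14.128.12, that the server's LAN interface is eth1 and its OpenVPN device is tap0, and the routing tables are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original question. Subnets/addresses come from
# the question (VPN 10.15.128.0/24, LAN 10.14.128.0/24, server LAN address
# 10.14.128.29, LAN gateway 10.14.128.12); eth1, tap0 and the routes are assumed.
VPN_NET="10.15.128.0/24"; LAN_NET="10.14.128.0/24"
SERVER_LAN_IP="10.14.128.29"; LAN_IF="eth1"

# Does an `ip route` listing (passed as a string) send the VPN subnet back to
# the VPN server? Without that route, LAN hosts hand their replies to their
# default gateway, which has no idea where 10.15.128.0/24 lives.
has_return_route() {
    printf '%s\n' "$1" | grep -q "^${VPN_NET} via ${SERVER_LAN_IP} "
}

# Fix A, on the LAN gateway (10.14.128.12): add the return route. This keeps
# the real VPN client addresses visible to LAN firewalls and logs.
route_fix_cmd() {
    echo "ip route add ${VPN_NET} via ${SERVER_LAN_IP}"
}

# Fix B, on the VPN server, if the gateway cannot be changed: SNAT VPN clients
# to the server's LAN address so replies return to 10.14.128.29 by themselves.
# Forwarding is restricted to the two subnets and to established flows.
nat_fix_cmds() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -A FORWARD -i tap0 -o ${LAN_IF} -s ${VPN_NET} -d ${LAN_NET} -j ACCEPT"
    echo "iptables -A FORWARD -i ${LAN_IF} -o tap0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s ${VPN_NET} -o ${LAN_IF} -j MASQUERADE"
}

# Constructed `ip route` output of the LAN gateway, before and after fix A.
ROUTES_BEFORE="default via 198.51.100.1 dev eth0
10.14.128.0/24 dev eth1 proto kernel scope link src 10.14.128.12"
ROUTES_AFTER="${ROUTES_BEFORE}
10.15.128.0/24 via 10.14.128.29 dev eth1"

# Print which fix a given gateway routing table calls for.
diagnose() {
    if has_return_route "$1"; then
        echo "return route present: LAN replies can reach VPN clients"
    else
        echo "no return route for ${VPN_NET}; on the gateway run:"; route_fix_cmd
        echo "or, on the VPN server, run:"; nat_fix_cmds
    fi
}
diagnose "$ROUTES_BEFORE"
```

On a real gateway, feed it the live table with `diagnose "$(ip route)"`; the printed commands are meant to be reviewed before being run as root.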