I have the following setup:
Production network (10.88.88.0/24)
Office network (192.168.2.0/24)
On PROD I have an openvpn server (vpnprod), so that OFFICE can connect.
On OFFICE I have an openvpn machine (vpnoffice) which runs an openvpn server to allow external users and clients to connect to PROD.
Both vpnprod and vpnoffice run Linux.
Everything works, i.e. from OFFICE (any machine) I can connect to PROD (any) - with some restrictions.
I have set up all the routes correctly.
Also, I can connect clients to OFFICE and they can reach OFFICE machines - no problem.
If a client (remote, connected to OFFICE) tries to reach some PROD machine, it fails. It times out.
I ran tcpdump on both tun interfaces of vpnoffice and it shows the packets sent by the connected client. I guess that means routing is fine there.
But on tun0 on vpnprod I don't see those packets at all - they never arrive there.
To summarize:
officemachine -> vpnoffice -> vpnprod -> prodmachine - WORKS
remote -> vpnoffice -> officemachine - WORKS
remote -> vpnoffice -> vpnprod -> prodmachine - FAILS!!!
My knowledge of tcpdump and similar tools is not very good. Does anyone know how to fix this and how to investigate it?
What else do I need to check?
I checked the firewall rules (IPTABLES), and every rule that drops something writes a log entry. But I did not see any entry for this particular request from the remote client through vpnoffice to vpnprod.
As requested by @Andrew McGregor (I added some explanations in parentheses):
IP addresses (vpnprod):
> ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2(DMZ): eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:60:cf:20:bb:54 brd ff:ff:ff:ff:ff:ff
inet 10.88.8.1/24 brd 10.88.8.255 scope global eth2
inet6 fe80::260:cfff:fe20:bb54/64 scope link
valid_lft forever preferred_lft forever
3(internal): eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:10:18:02:30:c4 brd ff:ff:ff:ff:ff:ff
inet 10.88.88.1/24 brd 10.88.88.255 scope global eth1
inet6 fe80::210:18ff:fe02:30c4/64 scope link
valid_lft forever preferred_lft forever
4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:02:b3:25:94:7d brd ff:ff:ff:ff:ff:ff
inet MY_EXT_NET/28 brd EXT_IP_BCAST scope global eth0
inet EXT_IP_1/28 brd EXT_IP_BCAST scope global secondary eth0:FWB1
inet EXT_IP_2/28 brd EXT_IP_BCAST scope global secondary eth0:FWB2
inet EXT_IP_3/28 brd EXT_IP_BCAST scope global secondary eth0:FWB3
inet EXT_IP_4/28 brd EXT_IP_BCAST scope global secondary eth0:FWB4
inet6 MY::PROD:EXT:NET:XXXX/64 scope link
valid_lft forever preferred_lft forever
5(OTHER_INT_NET): eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:b0:d0:b0:bd:94 brd ff:ff:ff:ff:ff:ff
inet 172.19.2.193/27 brd 172.19.2.223 scope global eth3
inet 172.19.2.194/27 brd 172.19.2.223 scope global secondary eth3:FWB5
inet 172.19.2.195/27 brd 172.19.2.223 scope global secondary eth3:FWB6
inet6 fe80::2b0:d0ff:feb0:bd94/64 scope link
valid_lft forever preferred_lft forever
6: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
7(PRODVPN server): tun0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/[65534]
inet 10.136.136.1 peer 10.136.136.2/32 scope global tun0
So tun0 is the vpn server on prod, bound to the EXT_IP_1 IP address.
ip route prodvpn:
10.136.136.2 dev tun0 proto kernel scope link src 10.136.136.1
EXT_NET/28 dev eth0 proto kernel scope link src EXT_NET_IP0
172.19.2.192/27 dev eth3 proto kernel scope link src 172.19.2.193
10.136.135.0/24 via 10.136.136.2 dev tun0
192.168.2.0/24 (office_int) via 10.136.136.2 dev tun0
192.168.1.0/24 (office_DMZ) via 10.136.136.2 dev tun0
10.39.3.0/24 via 172.19.2.222 dev eth3
10.88.88.0/24 dev eth1 proto kernel scope link src 10.88.88.1
10.39.12.0/24 via 172.19.2.222 dev eth3
10.88.8.0/24 dev eth2 proto kernel scope link src 10.88.8.1
10.136.136.0/24 via 10.136.136.2 dev tun0
10.176.0.0/16 (OTHER_INT_NET) via 172.19.2.222 dev eth3
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via EXT_IP_ISP_GATEWAY dev eth0
ip addr officevpn:
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0(officeDMZ): <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:d0:b7:84:ab:a2 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
3: eth1(office external IPs): <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:06:5b:39:c4:21 brd ff:ff:ff:ff:ff:ff
inet OFF_EXT_IP1/29 brd 216.17.90.95 scope global eth1
inet OFF_EXT_IP2/29 brd 216.17.90.95 scope global secondary eth1:FWB1
inet OFF_EXT_IP3/29 brd 216.17.90.95 scope global secondary eth1:FWB2
inet OFF_EXT_IP4/29 brd 216.17.90.95 scope global secondary eth1:FWB3
4: eth2(office_internal): <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:da:d7:14:77 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.254/24 brd 192.168.2.255 scope global eth2
11: tun1(officevpn_server): <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
link/[65534]
inet 10.136.135.1 peer 10.136.135.2/32 scope global tun1
12: tun0(officevpn-client-to-prod): <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
link/[65534]
inet 10.136.136.6 peer 10.136.136.5/32 scope global tun0
tun1 is bound to OFF_EXT_IP1 to serve connecting clients.
ip route officevpn:
10.136.135.2 dev tun1 proto kernel scope link src 10.136.135.1
10.136.136.5 dev tun0 proto kernel scope link src 10.136.136.6
10.136.136.1 via 10.136.136.5 dev tun0
EXT_IP_NET/29 dev eth1 proto kernel scope link src EXT_IP1
172.19.2.192/27 via 10.136.136.5 dev tun0
10.135.137.0/24 via 10.136.135.2 dev tun1
10.136.135.0/24 via 10.136.135.2 dev tun1
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254
10.39.3.0/24 via 10.136.136.5 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
10.88.88.0/24 via 10.136.136.5 dev tun0
10.39.12.0/24 via 10.136.136.5 dev tun0
10.88.8.0/24 via 10.136.136.5 dev tun0
10.176.0.0/16 via 10.136.136.5 dev tun0
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via EXT_IP0(ISP GW) dev eth1
To summarize: on production I have 4 external IP addresses bound to one interface. I have 1 internal network (bound to 2 interfaces) and one DMZ (the fourth interface):
- PROD_INT_ZONE1 - 10.88.88.x
- PROD_INT_ZONE2 - 172.x.x.x (and 10.176.x.x behind it - it has its own router)
- PROD_DMZ - 10.88.8.x
- EXTERNAL_IPs - EXT_IPxx
- openvpnserver (bound to EXT_IP) - tun0
Office:
- OFFICE_INT_ZONE - 192.168.2.x
- OFFICE_DMZ - 192.168.1.x
- OFFICE_EXT_IPs - OFF_EXT_IPx
- openvpn server - tun1
- openvpn client (connected to prod) - tun0
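The hop-by-hop check the question asks for, as an added example that is not part of the original post. The remote client address 10.136.135.6, the target 10.88.88.10 and the log path are assumptions; the interface names are the ones in the ip addr output above. The point it makes: tcpdump on a tun device only sees what the kernel routes into it or what the OpenVPN process writes to it, so a packet that vpnoffice sends into its tun0 but that never shows up on vpnprod's tun0 was either lost on the UDP path between the two hosts or dropped inside the vpnprod server process before it was written to tun0. The second case is invisible to tcpdump and to iptables; it only shows in that daemon's log (at verb 3 or higher) as "MULTI: bad source address from client [...], packet dropped", which the script extracts from a constructed sample log.

```shell
#!/bin/sh
# Added example, not from the original post. REMOTE, TARGET and LOG are
# assumptions; interface names are those shown in the question.
REMOTE=10.136.135.6      # one client of the OFFICE server (tun1 pool)
TARGET=10.88.88.10       # a PROD host on eth1 of vpnprod
LOG=/var/log/openvpn.log # vpnprod server log (assumed location)

# Capture plan: run each line on the named host while the remote client
# pings $TARGET. The first hop where the echo request is missing is the
# hop to investigate; a request that gets through but no reply points at
# the return path (routes on prodmachine / vpnprod back to 10.136.135.0/24).
capture_plan() {
  cat <<EOF
vpnoffice: tcpdump -ni tun1 host $REMOTE and host $TARGET   # in from client
vpnoffice: tcpdump -ni tun0 host $REMOTE and host $TARGET   # out towards PROD
vpnprod:   tcpdump -ni tun0 host $REMOTE and host $TARGET   # written by server
vpnprod:   tcpdump -ni eth1 host $REMOTE and host $TARGET   # forwarded to LAN
EOF
}

# Same check as a yes/no probe for one interface: exit 0 if at least one
# matching packet is seen within 10 seconds, 1 otherwise. Needs root and
# is deliberately not run from the top-level code below.
seen_on() {
  timeout 10 tcpdump -ni "$1" -l -c 5 "host $REMOTE and host $TARGET" 2>/dev/null | grep -q .
}

# If vpnoffice's tun0 shows the packet and vpnprod's tun0 does not, the
# vpnprod daemon may have refused it: in tun mode the server only accepts
# packets from a client whose source address is that client's tunnel
# address or lies inside an iroute for that client, and logs the rest.
# Print the offending source addresses found in a log, one per line.
dropped_sources() {
  sed -n 's/.*MULTI: bad source address from client \[\([0-9.]*\)\], packet dropped.*/\1/p' | sort -u
}

# Constructed sample log (not real output from the poster's systems).
SAMPLE_LOG='Tue Mar  1 10:00:01 2011 vpnoffice/203.0.113.5:1194 MULTI: bad source address from client [10.136.135.6], packet dropped
Tue Mar  1 10:00:01 2011 vpnoffice/203.0.113.5:1194 MULTI: bad source address from client [10.136.135.6], packet dropped
Tue Mar  1 10:00:05 2011 vpnoffice/203.0.113.5:1194 MULTI: bad source address from client [10.136.135.10], packet dropped
Tue Mar  1 10:00:07 2011 vpnoffice/203.0.113.5:1194 TLS: soft reset sec=0 bytes=1234/0 pkts=0/0'

capture_plan
printf '%s\n' "$SAMPLE_LOG" | dropped_sources
# on vpnprod itself: dropped_sources < "$LOG"
```

If dropped_sources prints the remote clients' addresses on vpnprod, the missing piece is on the PROD server side (the daemon's own client routing table), not on the office machines, and no amount of tcpdump on the tun devices will show it.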
Answer 1
I guess the remote client doesn't know about the PROD network. Push the routes via the OFFICE server. Something like
push "route 10.88.88.0 255.255.255.0"
should do it.
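The answer covers what the remote client needs. As an added example that is not part of the answer or the question, here is the complete set of config lines for this cascaded pair of servers, written as a shell script so the file names and the idempotent append are explicit. The config paths, the client-config directory and the common name vpnoffice (the name on the certificate vpnoffice presents to vpnprod) are assumptions; the prefixes are taken from the question. The second half is the piece a practitioner would check as well: the ip route output shows that vpnprod's kernel already sends 10.136.135.0/24 to tun0, but the OpenVPN daemon keeps its own per-client table, and in tun mode it drops any packet from a client whose source address is neither that client's tunnel address nor covered by an iroute for that client, before the packet is written to tun0. Without an iroute for the office client pool, remote clients' packets would therefore vanish exactly as described (nothing on vpnprod's tun0, nothing in the iptables log).

```shell
#!/bin/sh
# Added example, not the poster's or the answerer's configuration. Paths
# and the common name are assumptions; the prefixes come from the question.
OFFICE_CONF=/etc/openvpn/server-tun1.conf   # OFFICE server, serves remote clients
PROD_CONF=/etc/openvpn/server-tun0.conf     # PROD server, vpnoffice connects here
PROD_CCD=/etc/openvpn/ccd                   # client-config-dir on vpnprod
OFFICE_CN=vpnoffice                         # CN on the cert vpnoffice shows vpnprod

# 1. OFFICE server: what the answer says. Connecting clients get the PROD
#    prefixes so they send that traffic into tun1 instead of to their own
#    default gateway. Add the other PROD prefixes (172.19.2.192/27,
#    10.176.0.0/16) the same way if the clients need them.
office_push_lines() {
  cat <<'EOF'
push "route 10.88.88.0 255.255.255.0"
push "route 10.88.8.0 255.255.255.0"
EOF
}

# 2. PROD server: tell the daemon that the 10.136.135.0/24 client pool of
#    the OFFICE server lives behind the vpnoffice client. 'route' installs
#    the kernel route (the question already shows it); 'iroute' in the
#    client's ccd file is what makes the daemon accept packets with a
#    10.136.135.x source from that client and send replies back to it.
prod_server_lines() {
  cat <<EOF
client-config-dir $PROD_CCD
route 10.136.135.0 255.255.255.0
EOF
}

prod_ccd_lines() {
  cat <<'EOF'
# keep any iroute lines already present for the office LANs
iroute 10.136.135.0 255.255.255.0
EOF
}

# Append only lines that are not already in the file (comments and blank
# lines skipped), so the script can be re-run. Prints the number added.
append_missing() {  # append_missing FILE  < lines
  file=$1; added=0
  while IFS= read -r line; do
    case $line in ''|'#'*) continue ;; esac
    if ! grep -qxF -- "$line" "$file" 2>/dev/null; then
      printf '%s\n' "$line" >> "$file"; added=$((added + 1))
    fi
  done
  echo "$added"
}

# Sanity check before restarting: every client-side prefix the kernel
# routes to tun0 on vpnprod must be an iroute for some client, otherwise
# the daemon drops packets with that source.
has_iroute() {  # has_iroute CCD_DIR PREFIX MASK
  grep -rqxF -- "iroute $2 $3" "$1" 2>/dev/null
}

apply_all() {
  mkdir -p "$PROD_CCD"
  office_push_lines | append_missing "$OFFICE_CONF"
  prod_server_lines | append_missing "$PROD_CONF"
  prod_ccd_lines    | append_missing "$PROD_CCD/$OFFICE_CN"
}
# apply_all   # then restart the openvpn daemons on vpnoffice and vpnprod
```

The ccd file name must match the common name vpnoffice authenticates with; a mismatch silently leaves the iroute unused, which is why has_iroute greps the whole directory rather than one file.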