Openvpn、FreeBSD、Linux 和路由

tag-icon tag-icon linux routing freebsd openvpn
Openvpn、FreeBSD、Linux 和路由

办公室里有一个网络,网络里有一个运行FreeBSD的路由器,外面有一个运行CentOS的服务器。

任务:提供从任何地方访问办公室网络的权限。

数据:网络 — 192.168.0.0,位于 FreeBSD 后面,bge0(192.168.0.111)和 re0(192.168.1.2 — 位于调制解调器的子网中)。外部服务器 — xx.xx.xx.xx。OpenVPN 网络中的 FreeBSD 为 192.168.255.6,CentOS 服务器地址为 192.168.255.1

问题:外部服务器无法访问内部网络(我可以访问 FreeBSD 路由器),但我可以从我的网络访问外部服务器。我需要从外部服务器访问内部网络。

CentOS 服务器的 OpenVPN 配置之外:

dev tun 
port 1194 
proto udp 
mode server 
tls-server 
server 192.168.255.0 255.255.255.0 
push "route 192.168.255.0 255.255.255.0" 
route 192.168.0.0 255.255.255.0 192.168.255.2 
push "dhcp-option DNS 192.168.255.1" 
client-config-dir /etc/openvpn/ccd 
client-to-client 
ifconfig-pool-persist addr_list 
comp-lzo 
tun-mtu 1500 
keepalive 10 60 
persist-key 
persist-tun 
cipher DES-EDE3-CBC 
ca /etc/openvpn/ca.crt 
cert /etc/openvpn/server.crt 
key /etc/openvpn/server.key 
dh /etc/openvpn/dh1024.pem 
tls-auth /etc/openvpn/ta.key 0 
status openvpn-status.log 
log /var/log/openvpn/openvpn.log 
verb 4

FreeBSD 的配置:

client 
proto udp 
dev tun 
remote xx.xx.xx.xx 1194 
comp-lzo 
resolv-retry infinite 
persist-tun 
persist-key 
ca /usr/local/etc/openvpn/ca.crt 
cert /usr/local/etc/openvpn/freebsd-client.crt 
key /usr/local/etc/openvpn/freebsd-client.key 
dh /usr/local/etc/openvpn/dh1024.pem 
tls-auth /usr/local/etc/openvpn/ta.key 1 
tls-client 
cipher DES-EDE3-CBC # Triple-DES 
verb 4 
route-method exe 
route-delay 2 
ping 100 
ping-restart 200

/etc/openvpn/ccd/freebsd-client内容:

push "route 192.168.255.0 255.255.255.0" 
iroute 192.168.0.0 255.255.255.0

在 FreeBSD 上:

# ps aux | grep natd
/sbin/natd -n re0 
/sbin/natd -n tun0 -p 8669

# ipfw show 
00039   12203     876046 fwd 192.168.0.111,80 tcp from 192.168.0.0/24 to 192.168.0.111 dst-port 80 
00040  322269   40046856 fwd 192.168.0.111,3128 tcp from 192.168.0.0/24 to any dst-port 80,433,8080 
00050 2885463 1611968772 divert 8668 ip4 from any to any via re0 
00060    5675    1094008 divert 8669 ip from any to any via tun0 
00100   28440    2126360 allow ip from any to any via lo0 
00200       0          0 deny ip from any to 127.0.0.0/8 
00300       0          0 deny ip from 127.0.0.0/8 to any 
65000 4241769 2426143908 allow ip from any to any 
65535       1         78 deny ip from any to any

# netstat -nr -finet 
Routing tables 

Internet: 
Destination        Gateway            Flags    Refs      Use  Netif Expire 
default            192.168.1.1        UGS        22  3312575    re0 
127.0.0.1          link#4             UH          0    56564    lo0 
192.168.0.0/24     link#1             U           3 166750211   bge0 
192.168.0.111      link#1             UHS         0       12    lo0 
192.168.1.0/24     link#2             U           1   235840    re0 
192.168.1.2        link#2             UHS         0       36    lo0 
192.168.255.0/24   192.168.255.5      UGS         0       20   tun0 
192.168.255.5      link#5             UH          0        0   tun0 
192.168.255.6      link#5             UHS         0        0    lo0

在 CentOS 上:

$ route 
Kernel IP routing table 
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface 
192.168.255.2   *               255.255.255.255 UH    0      0        0 tun0 
xx.xx.xx.0    *               255.255.255.0   U     0      0        0 eth0 
xx.xx.yy.0    *               255.255.255.0   U     0      0        0 eth0 
192.168.0.0     192.168.255.2   255.255.255.0   UG    0      0        0 tun0 
192.168.122.0   *               255.255.255.0   U     0      0        0 virbr0 
192.168.255.0   192.168.255.2   255.255.255.0   UG    0      0        0 tun0 
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0 
default         xx.xx.xx.1    0.0.0.0         UG    0      0        0 eth0



$ ip route get 192.168.0.111 
192.168.0.111 via 192.168.255.2 dev tun0  src 192.168.255.1 
    cache  mtu 1500 advmss 1460 hoplimit 64

我从 CentOS ping 192.168.0.111 并得到以下结果:

在 CentOS 上:

$ tcpdump -i tun0 
tcpdump: WARNING: arptype 65534 not supported by libpcap - falling back to cooked socket 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode 
listening on tun0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes 
11:34:48.963629 IP 192.168.255.1 > 192.168.0.111: ICMP echo request, id 40524, seq 1, length 64 
11:34:49.973944 IP 192.168.255.1 > 192.168.0.111: ICMP echo request, id 40524, seq 2, length 64 
11:34:50.974007 IP 192.168.255.1 > 192.168.0.111: ICMP echo request, id 40524, seq 3, length 64 
11:34:51.974075 IP 192.168.255.1 > 192.168.0.111: ICMP echo request, id 40524, seq 4, length 64

关于 FreeBSD 的沉默:

tcpdump -i tun0 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode 
listening on tun0, link-type NULL (BSD loopback), capture size 96 bytes

有谁能够帮助我?

答案1

您确定接口之间的路由已激活吗?/proc/sys/net/ipv4/ip_forward

尝试离开 VPN 之前,请先尝试 ping VPN。

答案2

如果我是你,我会看看 ClearOS。它是一个基于 CentOS 的系统,具有出色的基于 Web 的 GUI,它可以在大约 15 分钟内完成您想要它做的事情。它不必是您的网关,并且根据您的问题判断,我相信您可以将其配置为您网络上的设备。它可以提供 PPTP 和 OpenVPN,以防您的 Windows 用户也需要访问。

相关内容