I have a few Amazon EC2 instances running Ubuntu that need to talk to each other (a web server and a MySQL server). I want to use OpenVPN to secure their communication and reduce the number of open ports. I have been following this article, but I have run into a problem. Note: I am using port 1194 rather than port 80 as shown in the article.
I installed and configured the OpenVPN server on the MySQL server and set up the web server as a client connecting to it. Running ifconfig shows that the tunnel has been created on both sides, but data does not seem to go through the tunnel.
How do I change the default route so that it uses the VPN tunnel? I assume that is the problem, but I am not sure.
Below are my server.conf and client.conf files. I am using tun rather than tap, which from what I have read seems to be the best choice. I currently have compression turned off just to rule that out.
Server config file
port 1194
proto udp
# Hand out tunnel addresses from 10.4.0.0/24; the server itself takes 10.4.0.1
server 10.4.0.0 255.255.255.0
dev tun
# 1024-bit DH parameters; current guidance is 2048 bits or more
dh dh1024.pem
ca ca.crt
cert mysqlserver.crt
key mysqlserver.key
Client config file
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
;remote my-server-1 1194
;remote my-server-2 1194
remote myopenvpnserver.com 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert webclient.crt
key webclient.key
# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
# (Newer OpenVPN releases replace this directive
# with "remote-cert-tls server".)
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
;comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
Answer 1
With your current configuration, a host that connects joins the 10.4.0.0/24 network. If you use addresses in the 10.4.0.0/24 range to talk between the hosts, the traffic should go through the tunnel. Your server most likely has the address 10.4.0.1. From the client you should be able to ping 10.4.0.1 while running a capture on the tun interface and see the ICMP cross the tunnel.
If you want all communication between the hosts to cross the tunnel, you will need to use the private addresses from the VPN subnet when the hosts talk to each other.
To make this easier, you may want to adjust your VPN configuration to assign static addresses.
To push static addresses you can modify the server configuration like this.
OpenVPN server config.
#server 10.4.0.0 255.255.255.0
mode server
tls-server
push "topology net30"
ifconfig 10.4.0.1 10.4.0.2
ifconfig-pool 10.4.0.192 10.4.0.251
route 10.4.0.0 255.255.255.0
push "route 10.4.0.1"
# setup a per client config. Clients are defined by the CN value in the cert.
client-config-dir /etc/openvpn/ccd
/etc/openvpn/ccd/client1.example.org
ifconfig-push 10.4.0.5 10.4.0.6
push "route 10.4.0.0 255.255.255.0"
/etc/openvpn/ccd/client2.example.org
ifconfig-push 10.4.0.9 10.4.0.10
push "route 10.4.0.0 255.255.255.0"
/etc/openvpn/ccd/client3.example.org
ifconfig-push 10.4.0.13 10.4.0.14
push "route 10.4.0.0 255.255.255.0"
I am not very familiar with EC2. How are the instances addressed? Specifically, is each host on a different subnet, or are they all on the same one? If they are on different subnets, like this:
Web server 192.168.25.5/30
Mysql server 192.168.25.17/30
then you can easily push routes from the OpenVPN server so that all traffic destined for one of those networks uses the VPN.
push "route 192.168.25.4/30"
push "route 192.168.25.16/30"
However, if the non-VPN interfaces of your hosts are all on the same subnet, this approach will not work, because they are directly connected.
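The two things the answer asks for, checking that traffic really uses the tunnel and pinning each client to a fixed /30, written up as a shell script for the web server side. This is an added example and not code from the question or the answer. It assumes the addressing in the answer's server config (server pair 10.4.0.1/10.4.0.2, dynamic pool 10.4.0.192 to 10.4.0.251, subnet 10.4.0.0/24), a tun interface called tun0 and MySQL on port 3306; the client names and the PUBLIC_IP variable are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Assumed layout (taken from the answer's server config): server tunnel pair
# 10.4.0.1/10.4.0.2, dynamic pool 10.4.0.192-10.4.0.251, VPN subnet
# 10.4.0.0/24, tun interface tun0, MySQL on 3306. Client names are made up.

VPN_NET="${VPN_NET:-10.4.0.0}"
VPN_MASK="${VPN_MASK:-255.255.255.0}"
SERVER_IP="${SERVER_IP:-10.4.0.1}"
POOL_LO="${POOL_LO:-192}"     # last octet of the first pool address
POOL_HI="${POOL_HI:-251}"     # last octet of the last pool address
TUN_DEV="${TUN_DEV:-tun0}"
MYSQL_PORT="${MYSQL_PORT:-3306}"

# With "topology net30" each client owns a /30, so the usable pairs are
# [1,2] [5,6] [9,10] [13,14] ...: the local address must be 4n+1 and the
# peer must be local+1. The server's own pair and the dynamic pool are
# rejected as well, otherwise two peers end up with the same address and
# traffic quietly goes to the wrong host.
net30_pair_ok() {
    local_ip=$1
    peer_ip=$2
    [ "${local_ip%.*}" = "${peer_ip%.*}" ] || return 1    # same /24 prefix
    lo=${local_ip##*.}
    pe=${peer_ip##*.}
    [ "$((lo % 4))" -eq 1 ] || return 1
    [ "$pe" -eq "$((lo + 1))" ] || return 1
    [ "$lo" -ne "${SERVER_IP##*.}" ] || return 1           # the server's pair
    [ "$lo" -lt "$POOL_LO" ] || [ "$lo" -gt "$POOL_HI" ] || return 1
    return 0
}

# Write one client-config-dir file. The file name must equal the CN in the
# client's certificate, otherwise OpenVPN silently hands out a pool address.
write_ccd() {
    dir=$1
    cn=$2
    net30_pair_ok "$3" "$4" || { echo "$cn: $3 $4 is not a valid net30 pair" >&2; return 1; }
    printf 'ifconfig-push %s %s\npush "route %s %s"\n' "$3" "$4" "$VPN_NET" "$VPN_MASK" >"$dir/$cn"
}

# Pull the outgoing device out of one line of `ip route get` output, e.g.
#   10.4.0.1 dev tun0 src 10.4.0.6 uid 1000
route_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Live checks for the web server; only run when invoked as
# "sh vpncheck.sh check" so the functions above can be sourced safely.
live_check() {
    dev=$(route_dev "$(ip route get "$SERVER_IP" 2>/dev/null | head -n 1)")
    if [ "$dev" != "$TUN_DEV" ]; then
        echo "FAIL: $SERVER_IP routes via '${dev:-nothing}', not $TUN_DEV" >&2
        return 1
    fi
    echo "ok: $SERVER_IP is routed via $TUN_DEV"

    # The ping-while-capturing test from the answer: count the echo replies
    # that arrive on the tun interface while we ping the server.
    cap=$(mktemp)
    timeout 10 tcpdump -ni "$TUN_DEV" -c 3 'icmp[icmptype] == icmp-echoreply' >"$cap" 2>/dev/null &
    sleep 1
    ping -c 3 -W 2 "$SERVER_IP" >/dev/null 2>&1 || true
    wait
    replies=$(wc -l <"$cap")
    rm -f "$cap"
    if [ "$replies" -lt 1 ]; then
        echo "FAIL: no ICMP echo replies seen on $TUN_DEV" >&2
        return 1
    fi
    echo "ok: $replies echo replies seen on $TUN_DEV"

    # What the tunnel is for: MySQL reachable on the tunnel address and,
    # if PUBLIC_IP is set, not on the server's public address.
    if nc -z -w 3 "$SERVER_IP" "$MYSQL_PORT"; then
        echo "ok: port $MYSQL_PORT open on $SERVER_IP"
    else
        echo "FAIL: port $MYSQL_PORT closed on $SERVER_IP (check bind-address in my.cnf)" >&2
        return 1
    fi
    if [ -n "${PUBLIC_IP:-}" ] && nc -z -w 3 "$PUBLIC_IP" "$MYSQL_PORT"; then
        echo "WARN: port $MYSQL_PORT still reachable on $PUBLIC_IP; close it in the security group" >&2
    fi
}

case "${1:-}" in
    check) live_check ;;
esac
```

Run it as `sh vpncheck.sh check` on the web server once the tunnel is up; with PUBLIC_IP set to the MySQL server's public address it also tells you whether 3306 is still exposed outside the tunnel. Getting the tunnel working only reduces the open ports if MySQL is bound to the tunnel address (bind-address in my.cnf) and 3306 is removed from the security group for the public interface. The ccd files written by write_ccd must be named exactly after the CN in each client certificate, which is how OpenVPN matches them.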