I have 3 Amazon VPCs (Dev - 10.100.0.0/16, QA - 10.101.0.0/16, Prod - 10.104.0.0/16). Each VPC has an OpenVPN server. The client IPs they assign are as follows:
Dev - 10.100.0.0/16 - Tunnel 10.7.0.0/24
QA - 10.101.0.0/16 - Tunnel 10.8.0.0/24
Prod - 10.104.0.0/16 - Tunnel 10.9.0.0/24
I have an Ubuntu 12.04 LTS server running on site with 3 client connections established (one per VPC). I can ssh into this Ubuntu box and reach all three subnets (10.100, 10.101, 10.104) without any problem.
Here is my client config [DEV / 10.100.x / tun 10.7.0.x]:
client
dev tun
proto udp
remote dev.ip.addr 1193
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
auth-user-pass /tmp/password.txt
comp-lzo
verb 3
reneg-sec 0
tls-client
remote-cert-tls server
Here is my client config [QA / 10.101.x / tun 10.8.0.x]:
client
dev tun
proto udp
remote qa.ip.addr 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
auth-user-pass /tmp/password.txt
comp-lzo
verb 3
reneg-sec 0
tls-client
remote-cert-tls server
Here is my client config [PROD / 10.104.x / tun 10.9.0.x]:
client
dev tun
proto udp
remote prod.ip.addr 1195
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
auth-user-pass /tmp/password.txt
comp-lzo
verb 3
reneg-sec 0
tls-client
remote-cert-tls server
Now, I want my employees (inside the office) to connect over VPN to this server (192.168.1.19), which has the 3 connections to my VPCs, and I want them to be able to reach the 10.100, 10.101 and 10.104 networks (via SQL clients, telnet to the memcache servers, etc.). I want all traffic except ports 80, 443 and 3389 routed through this VPN interface.
OpenVPN server config on the office server (192.168.1.19 / tun 10.10.0.x):
port 1196
proto udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/hqs-openvpn.mycompany.co.crt
key /etc/openvpn/easy-rsa/keys/hqs-openvpn.mycompany.co.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
plugin /usr/lib/openvpn/openvpn-auth-pam.so /etc/pam.d/login
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
client-cert-not-required
username-as-common-name
server 10.10.0.0 255.255.255.0
push "route 10.7.0.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
push "route 10.9.0.0 255.255.255.0"
push "route 10.10.0.0 255.255.255.0"
push "route 10.104.0.0 255.255.0.0"
push "route 10.101.0.0 255.255.0.0"
push "route 10.100.0.0 255.255.0.0"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
verb 3
user nobody
group nogroup
log-append /var/log/openvpn
status /tmp/vpn.status 10
Here is the config I hand out to employees (192.168.1.x / tun 10.10.0.x):
client
dev tun
proto udp
remote 192.168.1.19 1196
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
auth-user-pass /tmp/password.txt
comp-lzo
verb 3
reneg-sec 0
tls-client
remote-cert-tls server
From the server (via ssh to 192.168.1.19):
- I can reach 10.104
- I can reach 10.100
- I can reach 10.101
root@vpn-hqs:~# traceroute 10.104.10.104
traceroute to 10.104.10.104 (10.104.10.104), 30 hops max, 60 byte packets
 1  10.9.0.1 (10.9.0.1)  86.094 ms  86.079 ms  86.079 ms
 2  10.104.10.104 (10.104.10.104)  86.084 ms  86.086 ms  86.087 ms
root@vpn-hqs:~# traceroute 10.100.10.168
traceroute to 10.100.10.168 (10.100.10.168), 30 hops max, 60 byte packets
 1  10.7.0.1 (10.7.0.1)  87.130 ms  87.121 ms  87.121 ms
 2  10.100.10.168 (10.100.10.168)  87.126 ms  87.238 ms  87.243 ms
root@vpn-hqs:~# traceroute 10.101.10.168
traceroute to 10.101.10.168 (10.101.10.168), 30 hops max, 60 byte packets
 1  10.8.0.1 (10.8.0.1)  87.954 ms  87.939 ms  87.937 ms
 2  10.101.10.168 (10.101.10.168)  87.943 ms  87.944 ms  88.031 ms
root@vpn-hqs:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 br0
10.7.0.0        10.7.0.17       255.255.0.0     UG    0      0        0 tun0
10.7.0.17       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.33       255.255.0.0     UG    0      0        0 tun1
10.8.0.33       0.0.0.0         255.255.255.255 UH    0      0        0 tun1
10.9.0.0        10.9.0.13       255.255.0.0     UG    0      0        0 tun2
10.9.0.13       0.0.0.0         255.255.255.255 UH    0      0        0 tun2
10.10.0.0       10.10.0.2       255.255.255.0   UG    0      0        0 tun3
10.10.0.2       0.0.0.0         255.255.255.255 UH    0      0        0 tun3
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
Here is the ifconfig output of my server (192.168.1.19):
root@vpn-hqs:~# ifconfig -a
br0 Link encap:Ethernet HWaddr 00:1d:09:26:43:3d
inet addr:192.168.1.19 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::21d:9ff:fe26:433d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:17149 errors:0 dropped:0 overruns:0 frame:0
TX packets:2770 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2213528 (2.2 MB) TX bytes:286915 (286.9 KB)
eth0 Link encap:Ethernet HWaddr 00:1d:09:26:43:3d
inet6 addr: fe80::21d:9ff:fe26:433d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:18666 errors:0 dropped:0 overruns:0 frame:0
TX packets:2773 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2719828 (2.7 MB) TX bytes:300485 (300.4 KB)
Interrupt:16
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.7.0.18 P-t-P:10.7.0.17 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:10 errors:0 dropped:0 overruns:0 frame:0
TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:876 (876.0 B) TX bytes:1104 (1.1 KB)
tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.34 P-t-P:10.8.0.33 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:18 errors:0 dropped:0 overruns:0 frame:0
TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1584 (1.5 KB) TX bytes:2040 (2.0 KB)
tun2 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.9.0.14 P-t-P:10.9.0.13 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:18 errors:0 dropped:0 overruns:0 frame:0
TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1584 (1.5 KB) TX bytes:2040 (2.0 KB)
tun3 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.10.0.1 P-t-P:10.10.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:13 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:740 (740.0 B) TX bytes:0 (0.0 B)
Now, I can connect to 192.168.1.19 from my Windows PC without trouble, and the IP address I get is 10.10.0.6. Perfect.
But I cannot connect / ping / telnet to anything on 10.104.0.0/16, 10.101.0.0/16 or 10.100.0.0/16 the way I can when ssh'd into 192.168.1.19. Here is the route table of my Windows machine:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.220 10
0.0.0.0 128.0.0.0 10.10.0.5 10.10.0.6 30
10.7.0.0 255.255.255.0 10.10.0.5 10.10.0.6 30
10.8.0.0 255.255.255.0 10.10.0.5 10.10.0.6 30
10.9.0.0 255.255.255.0 10.10.0.5 10.10.0.6 30
10.10.0.0 255.255.255.0 10.10.0.5 10.10.0.6 30
10.10.0.1 255.255.255.255 10.10.0.5 10.10.0.6 30
10.10.0.4 255.255.255.252 On-link 10.10.0.6 286
10.10.0.6 255.255.255.255 On-link 10.10.0.6 286
10.10.0.7 255.255.255.255 On-link 10.10.0.6 286
10.100.0.0 255.255.0.0 10.10.0.5 10.10.0.6 30
10.101.0.0 255.255.0.0 10.10.0.5 10.10.0.6 30
10.104.0.0 255.255.0.0 10.10.0.5 10.10.0.6 30
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
128.0.0.0 128.0.0.0 10.10.0.5 10.10.0.6 30
192.168.1.0 255.255.255.0 On-link 192.168.1.220 266
192.168.1.19 255.255.255.255 192.168.1.1 192.168.1.220 10
192.168.1.220 255.255.255.255 On-link 192.168.1.220 266
192.168.1.255 255.255.255.255 On-link 192.168.1.220 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.220 266
224.0.0.0 240.0.0.0 On-link 10.10.0.6 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.220 266
255.255.255.255 255.255.255.255 On-link 10.10.0.6 286
===========================================================================
Persistent Routes:
None
Any help getting my 10.10.0.0/24 VPN clients talking to 10.100.0.0/16, 10.101.0.0/16 and 10.104.0.0/16 would be greatly appreciated!
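The routes pushed from the office server get packets from a 10.10.0.x client as far as 192.168.1.19, but nothing on that box forwards them into the AWS tunnels, and the VPC-side OpenVPN servers have no route back to 10.10.0.0/24, so replies cannot return. The script below is an added example (not from the question or its answer) of the Linux-side fix: enable forwarding, allow only client-to-VPC connections and their return traffic, and source-NAT client traffic to each tunnel's own address (10.7.0.18, 10.8.0.34, 10.9.0.14 via MASQUERADE) so the VPC side sees an address it already routes. It assumes the tun0/tun1/tun2 to VPC mapping from the traceroutes above and that 10.10.0.0/24 is the office client range; with `push "redirect-gateway def1"` still in place, Internet-bound client traffic is not forwarded by these rules and needs its own egress rule or that push removed.

```shell
#!/bin/sh
# Assumed: this runs on the office OpenVPN server (192.168.1.19).
VPN_CLIENTS="10.10.0.0/24"
# VPC prefix -> tunnel carrying it (first hop 10.7.0.1, 10.8.0.1, 10.9.0.1 in the traceroutes).
TUNNELS="10.100.0.0/16:tun0 10.101.0.0/16:tun1 10.104.0.0/16:tun2"

# Emit the commands instead of running them so they can be reviewed first.
gen_rules() {
  echo "sysctl -w net.ipv4.ip_forward=1"
  for pair in $TUNNELS; do
    net=${pair%%:*}
    dev=${pair##*:}
    # Only new connections from VPN clients toward this VPC, plus related replies.
    echo "iptables -A FORWARD -s $VPN_CLIENTS -d $net -o $dev -j ACCEPT"
    echo "iptables -A FORWARD -i $dev -d $VPN_CLIENTS -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Rewrite the source to the tunnel's address so the VPC side can route the reply.
    echo "iptables -t nat -A POSTROUTING -s $VPN_CLIENTS -d $net -o $dev -j MASQUERADE"
  done
  # Anything else from the client range is not forwarded (least privilege).
  echo "iptables -A FORWARD -s $VPN_CLIENTS -j DROP"
}

# Apply the generated rules; requires root on the office server.
apply_rules() {
  gen_rules | while IFS= read -r cmd; do $cmd; done
}

case "${1:-}" in
  --apply) apply_rules ;;
  *) gen_rules ;;
esac
```

Run it with no arguments to review the rules, then with `--apply` as root; the rules are not persistent, so add them to your firewall script or iptables-persistent to survive a reboot.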
Answer 1
Fixed. See here for the explanation: