OpenVPN split tunneling

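I have been trying to set up a VPN for one specific IP address. What I want is for all traffic sent to a single IP (currently 1.2.3.4) to go through the openvpn client.

My current network setup is as follows:

  1. My computer (connected to 192.168.1.1)
  2. My server has 2 network devices:
    2.1. eth0 - connected to the internet
    2.2. eth1 - LAN connection: 192.168.1.1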

OpenVPN client configuration:

setenv FORWARD_COMPATIBLE 1
client
server-poll-timeout 4
nobind
remote uk-ln-001.privatetunnel.com 1194 udp
remote uk-ln-001.privatetunnel.com 1194 udp
remote uk-ln-001.privatetunnel.com 443 tcp
remote uk-ln-001.privatetunnel.com 1194 udp
remote uk-ln-001.privatetunnel.com 1194 udp
remote uk-ln-001.privatetunnel.com 1194 udp
remote uk-ln-001.privatetunnel.com 1194 udp
remote uk-ln-001.privatetunnel.com 1194 udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
comp-lzo no
verb 3
setenv PUSH_PEER_INFO

<ca>**********</ca>
<cert>**********</cert>
<key>**********</key>

key-direction 1
<tls-auth>***********</tls-auth>

OpenVPN client startup:

Wed Dec  4 15:39:24 2013 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Nov 28 2013
Wed Dec  4 15:39:24 2013 Control Channel Authentication: tls-auth using INLINE static key file
Wed Dec  4 15:39:24 2013 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec  4 15:39:24 2013 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec  4 15:39:24 2013 Socket Buffers: R=[8388608->200000] S=[212992->200000]
Wed Dec  4 15:39:24 2013 UDPv4 link local: [undef]
Wed Dec  4 15:39:24 2013 UDPv4 link remote: [AF_INET]5.152.200.199:1194
Wed Dec  4 15:39:24 2013 TLS: Initial packet from [AF_INET]5.152.200.199:1194, sid=13b5c2ca 7e02a311
Wed Dec  4 15:39:24 2013 VERIFY OK: depth=1, CN=OpenVPN CA
Wed Dec  4 15:39:24 2013 VERIFY OK: nsCertType=SERVER
Wed Dec  4 15:39:24 2013 VERIFY OK: depth=0, CN=OpenVPN Server
Wed Dec  4 15:39:24 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec  4 15:39:24 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec  4 15:39:24 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec  4 15:39:24 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec  4 15:39:24 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Dec  4 15:39:24 2013 [OpenVPN Server] Peer Connection Initiated with [AF_INET]5.152.200.199:1194
Wed Dec  4 15:39:27 2013 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Wed Dec  4 15:39:27 2013 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 5.5.0.1,dhcp-option DNS 10.9.0.1,dhcp-option DNS 8.8.4.4,register-dns,comp-lzo yes,ifconfig 5.5.158.58 255.255.0.0'
Wed Dec  4 15:39:27 2013 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.3.2)
Wed Dec  4 15:39:27 2013 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.3.2)
Wed Dec  4 15:39:27 2013 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.3.2)
Wed Dec  4 15:39:27 2013 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:16: register-dns (2.3.2)
Wed Dec  4 15:39:27 2013 OPTIONS IMPORT: timers and/or timeouts modified
Wed Dec  4 15:39:27 2013 OPTIONS IMPORT: explicit notify parm(s) modified
Wed Dec  4 15:39:27 2013 OPTIONS IMPORT: LZO parms modified
Wed Dec  4 15:39:27 2013 OPTIONS IMPORT: --ifconfig/up options modified
Wed Dec  4 15:39:27 2013 OPTIONS IMPORT: route options modified
Wed Dec  4 15:39:27 2013 OPTIONS IMPORT: route-related options modified
Wed Dec  4 15:39:27 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Dec  4 15:39:27 2013 ROUTE_GATEWAY 78.62.63.254/255.255.192.0 IFACE=eth0 HWADDR=90:2b:34:dc:f3:a8
Wed Dec  4 15:39:27 2013 TUN/TAP device tun0 opened
Wed Dec  4 15:39:27 2013 TUN/TAP TX queue length set to 100
Wed Dec  4 15:39:27 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Dec  4 15:39:27 2013 /sbin/ip link set dev tun0 up mtu 1500
Wed Dec  4 15:39:27 2013 /sbin/ip addr add dev tun0 5.5.158.58/16 broadcast 5.5.255.255
Wed Dec  4 15:39:32 2013 ROUTE remote_host is NOT LOCAL
Wed Dec  4 15:39:32 2013 /sbin/ip route add 5.152.200.199/32 via 78.62.63.254
Wed Dec  4 15:39:32 2013 /sbin/ip route add 0.0.0.0/1 via 5.5.0.1
Wed Dec  4 15:39:32 2013 /sbin/ip route add 128.0.0.0/1 via 5.5.0.1
Wed Dec  4 15:39:32 2013 /sbin/ip route add 10.10.10.0/24 via 5.5.0.1 metric 101
Wed Dec  4 15:39:32 2013 Initialization Sequence Completed

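The problems I am running into:
1. If I run openvpn client.ovpn, it routes all traffic through the VPN, and My computer has no internet connection at all.
2. I cannot figure out how to route only the traffic that comes from My computer and has the destination address 1.2.3.4 through the VPN connection.

Answer 1

You can start by adding the route-nopull option to the client configuration. Doing so will not change any routes on the client computer.

After that, you can add route statements to the OpenVPN configuration to set up whatever static routes are needed for specific hosts or networks. You can add something like route 1.2.3.0 255.255.255.0 to the configuration so that the network is routed through the VPN.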
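
The effect of the answer on the routes from the log above, as an added example that is not part of the original question or answer: it models the routing table with and without route-nopull and picks the egress interface by longest-prefix match. The function names, the `SPLIT_CONFIG` text and the /32 netmask for 1.2.3.4 are assumptions made for illustration.

```python
import ipaddress

# Routes before OpenVPN starts: default gateway on eth0 (ROUTE_GATEWAY log
# line) and the connected tun0 subnet (ifconfig 5.5.158.58 255.255.0.0).
BASE = [("0.0.0.0/0", "eth0"), ("5.5.0.0/16", "tun0")]

# Routes the log shows being installed after the pushed redirect-gateway def1.
PUSHED = [
    ("5.152.200.199/32", "eth0"),  # VPN server itself stays on the ISP link
    ("0.0.0.0/1", "tun0"),         # these two /1 routes together cover all of
    ("128.0.0.0/1", "tun0"),       # IPv4 and beat the /0 default route
    ("10.10.10.0/24", "tun0"),
]

# Constructed client.ovpn additions; the /32 mask is an assumption.
SPLIT_CONFIG = """\
route-nopull
route 1.2.3.4 255.255.255.255
"""

def build_table(config_text, pushed):
    """Model the table: pushed routes are dropped when route-nopull is set,
    local `route <network> <netmask>` directives go via the tunnel."""
    directives = [l.split() for l in config_text.splitlines() if l.strip()]
    table = list(BASE)
    if not any(d[0] == "route-nopull" for d in directives):
        table += pushed
    for d in directives:
        if d[0] == "route" and len(d) >= 3:
            net = ipaddress.ip_network(f"{d[1]}/{d[2]}", strict=False)
            table.append((str(net), "tun0"))
    return table

def egress(table, dest):
    """Longest-prefix match, as the kernel does within one routing table."""
    addr = ipaddress.ip_address(dest)
    nets = [(ipaddress.ip_network(c), dev) for c, dev in table]
    matches = [(n, dev) for n, dev in nets if addr in n]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

FULL_TUNNEL = build_table("", PUSHED)
SPLIT_TUNNEL = build_table(SPLIT_CONFIG, PUSHED)

if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        for dest in ("1.2.3.4", "8.8.8.8", "5.152.200.199"):
            print(f"{name:5} {dest:15} -> {egress(table, dest)}")
```

On the real host, `ip route get 1.2.3.4` and `ip route get 8.8.8.8` report the kernel's own choice for the same two destinations.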
