I am trying to set up OpenVPN on TCP port 443 with static key authentication (rather than TLS), but after the client connects to the server it cannot reach the Internet through the VPN.

Here is my current setup:

Server

This is a Debian VPS running on OpenVZ with TUN/TAP enabled.
Here is the configuration file:

dev tun
proto tcp-server
port 443
ifconfig 10.8.0.1 10.8.0.2
secret /etc/openvpn/static.key
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

Here is the iptables script I applied:

#!/bin/bash

# A Sample OpenVPN-aware firewall.

# vetnet0 is connected to the internet.
# eth1 is connected to a private subnet.

# Change this subnet to correspond to your private
# ethernet subnet.  Home will use HOME_NET/24 and
# Office will use OFFICE_NET/24.
PRIVATE=10.0.0.0/24

# Loopback address
LOOP=127.0.0.1

# Delete old iptables rules
# and temporarily block all traffic.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F

# Set default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Prevent external packets from using loopback addr
iptables -A INPUT -i vetnet0 -s $LOOP -j DROP
iptables -A FORWARD -i vetnet0 -s $LOOP -j DROP
iptables -A INPUT -i vetnet0 -d $LOOP -j DROP
iptables -A FORWARD -i vetnet0 -d $LOOP -j DROP

# Anything coming from the Internet should have a real Internet address
iptables -A FORWARD -i vetnet0 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i vetnet0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i vetnet0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i vetnet0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i vetnet0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i vetnet0 -s 10.0.0.0/8 -j DROP

# Block outgoing NetBios (if you have windows machines running
# on the private subnet).  This will not affect any NetBios
# traffic that flows over the VPN tunnel, but it will stop
# local windows machines from broadcasting themselves to
# the internet.
iptables -A FORWARD -p tcp --sport 137:139 -o vetnet0 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o vetnet0 -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o vetnet0 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o vetnet0 -j DROP

# Check source address validity on packets going out to internet
iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP

# Allow local loopback
iptables -A INPUT -s $LOOP -j ACCEPT
iptables -A INPUT -d $LOOP -j ACCEPT

# Allow incoming pings (can be disabled)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Allow services such as www and ssh (can be disabled)
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT

# Allow incoming OpenVPN packets
# Duplicate the line below for each
# OpenVPN tunnel, changing --dport n
# to match the OpenVPN UDP port.
#
# In OpenVPN, the port number is
# controlled by the --port n option.
# If you put this option in the config
# file, you can remove the leading '--'
#
# If you taking the stateful firewall
# approach (see the OpenVPN HOWTO),
# then comment out the line below.

iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow packets from TUN/TAP devices.
# When OpenVPN is run in a secure mode,
# it will authenticate packets prior
# to their arriving on a tun or tap
# interface.  Therefore, it is not
# necessary to add any filters here,
# unless you want to restrict the
# type of packets which can flow over
# the tunnel.

iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT

# Allow packets from private subnets
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT

# Keep state of connections from local machine and private subnets
iptables -A OUTPUT -m state --state NEW -o vetnet0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o vetnet0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#SNAT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o vetnet0 -j SNAT --to-source <ip>
# Masquerade local subnet
#iptables -t nat -A POSTROUTING -s $PRIVATE -o vetnet0 -j MASQUERADE

Output of iptables -L -v -n:

Chain INPUT (policy DROP 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  vetnet0 *       127.0.0.1            0.0.0.0/0
    0     0 DROP       all  --  vetnet0 *       0.0.0.0/0            127.0.0.1
    0     0 DROP       all  --  vetnet0 *       192.168.0.0/16       0.0.0.0/0
    0     0 DROP       all  --  vetnet0 *       172.16.0.0/12        0.0.0.0/0
    0     0 DROP       all  --  vetnet0 *       10.0.0.0/8           0.0.0.0/0
  486 1016K ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            127.0.0.1
    4   240 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
  691 78432 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
 1705  152K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
  102  8054 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    9   756 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tap+   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
   40  5988 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  vetnet0 *       127.0.0.1            0.0.0.0/0
    0     0 DROP       all  --  vetnet0 *       0.0.0.0/0            127.0.0.1
    0     0 DROP       all  --  vetnet0 *       192.168.0.0/16       0.0.0.0/0
    0     0 DROP       all  --  vetnet0 *       172.16.0.0/12        0.0.0.0/0
    0     0 DROP       all  --  vetnet0 *       10.0.0.0/8           0.0.0.0/0
    0     0 DROP       tcp  --  *      vetnet0  0.0.0.0/0            0.0.0.0/0            tcp spts:137:139
    0     0 DROP       udp  --  *      vetnet0  0.0.0.0/0            0.0.0.0/0            udp spts:137:139
    0     0 DROP       all  --  eth1   *      !10.0.0.0/24          0.0.0.0/0
    0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tap+   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      vetnet0  0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 3046 packets, 2269K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      vetnet0  0.0.0.0/0            0.0.0.0/0            tcp spts:137:139
    0     0 DROP       udp  --  *      vetnet0  0.0.0.0/0            0.0.0.0/0            udp spts:137:139
    0     0 ACCEPT     all  --  *      vetnet0  0.0.0.0/0            0.0.0.0/0            state NEW

Output of ifconfig:

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:12007 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12007 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:21446320 (20.4 MiB)  TX bytes:21446320 (20.4 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:127.0.0.2  P-t-P:127.0.0.2  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:25189 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27831 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2689401 (2.5 MiB)  TX bytes:18616342 (17.7 MiB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:<ip>  P-t-P:<ip> Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

Output of netstat -rn:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 venet0

Client

The client is a Windows 8.1 machine running OpenVPN 2.3;
here is the configuration file:

remote <server_ip> 443
dev tun
proto tcp-client
ifconfig 10.8.0.2 10.8.0.1
secret "C:\\Program Files\\OpenVPN\\config\\static.key"
verb 6

After connecting the client, a connection for OpenVPN is created on Windows, but it cannot access the Internet (I also made sure it is at the top of the connection list).
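A worked diagnostic, added here as an example and not part of the original question or the asker's scripts. Three things decide whether a connected client can reach the Internet through this kind of setup: the kernel must forward (net.ipv4.ip_forward, which the firewall script above never sets), the interface names in the FORWARD and SNAT rules must name a device that exists, and there must be a NAT rule for the tunnel subnet. The outputs quoted above already hint at the second point: the firewall script uses `vetnet0` and `eth1`, `ifconfig` lists `lo`, `tun0` and `venet0`, and every `vetnet0` rule shows 0 packets in the `iptables -L -v -n` listing. The script below (POSIX sh) runs those checks over constructed copies of the rule set: one as posted, one with the interface corrected. The rule text, interface list and the sample `ip_forward` value of `0` are constructed inputs for this page, and `<ip>` is kept as the placeholder the question uses.

```shell
#!/bin/sh
# Added example: sanity checks for a NAT-ing OpenVPN gateway. All inputs below
# are constructed copies of what the question quotes; nothing here runs iptables.

# Interfaces present on the host (from the ifconfig output in the question).
HOST_IFACES="lo tun0 venet0"

# Rule set as posted (constructed excerpt; <ip> is the question's placeholder).
BROKEN_RULES='iptables -A INPUT -i vetnet0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state NEW -o vetnet0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o vetnet0 -j SNAT --to-source <ip>'

# Same rule set with the uplink named after the real device and the
# non-existent eth1 rule dropped (constructed corrected version).
FIXED_RULES='iptables -A INPUT -i venet0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -m state --state NEW -o venet0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source <ip>'

# Print every interface name the rule text references with -i or -o, one per line.
iface_refs() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "-i" || $i == "-o") print $(i + 1)
    }' | sort -u
}

# Print referenced names that no host interface matches; "tun+" matches "tun0".
missing_ifaces() {
    rules=$1; have=$2
    for ref in $(iface_refs "$rules"); do
        found=0
        case $ref in
            *+) prefix=${ref%+}
                for dev in $have; do
                    case $dev in "$prefix"*) found=1 ;; esac
                done ;;
            *)  for dev in $have; do
                    [ "$dev" = "$ref" ] && found=1
                done ;;
        esac
        [ $found -eq 0 ] && echo "$ref"
    done
    return 0
}

# Print the out-interface of the POSTROUTING SNAT/MASQUERADE rule covering
# the given subnet (empty output means there is no such rule). Works on the
# script's own command lines and on iptables-save output alike.
nat_out_iface() {
    printf '%s\n' "$2" | awk -v net="$1" '
        /-A POSTROUTING/ && index($0, "-s " net) > 0 && (/-j SNAT/ || /-j MASQUERADE/) {
            for (i = 1; i < NF; i++) if ($i == "-o") print $(i + 1)
        }'
}

# Run all checks: one line per finding, exit status 0 only when the tunnel
# subnet can actually be forwarded and translated.
# usage: diagnose RULES HOST_IFACES VPN_SUBNET IP_FORWARD_VALUE
diagnose() {
    rules=$1; have=$2; vpn_net=$3; ip_forward=$4
    status=0
    if [ "$ip_forward" != "1" ]; then
        echo "net.ipv4.ip_forward is $ip_forward: packets from tun0 are never routed to the uplink"
        status=1
    fi
    for ref in $(missing_ifaces "$rules" "$have"); do
        echo "rules reference interface $ref, which does not exist (have: $have)"
        status=1
    done
    out=$(nat_out_iface "$vpn_net" "$rules")
    if [ -z "$out" ]; then
        echo "no SNAT/MASQUERADE rule for $vpn_net: replies cannot find their way back to the client"
        status=1
    elif ! printf '%s\n' $have | grep -qx "$out"; then
        echo "NAT rule for $vpn_net leaves via $out, which does not exist: nothing is translated"
        status=1
    fi
    return $status
}

# Stand-alone run: the posted rule set with forwarding off, then the corrected one.
echo "== rule set as posted =="
if diagnose "$BROKEN_RULES" "$HOST_IFACES" 10.8.0.0/24 0; then echo "OK"; else echo "BROKEN"; fi
echo "== corrected rule set =="
if diagnose "$FIXED_RULES" "$HOST_IFACES" 10.8.0.0/24 1; then echo "OK"; else echo "BROKEN"; fi
```

On the real server the same function can be fed live state instead of the constructed strings: `diagnose "$(iptables-save)" "$(ls /sys/class/net)" 10.8.0.0/24 "$(cat /proc/sys/net/ipv4/ip_forward)"`. A clean result from this check only shows the gateway is able to forward and translate; it says nothing about whether the OpenVPN tunnel itself is passing packets, which the `RX`/`TX` counters on `tun0` answer separately.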
