我想在 LAN 192.168.1.0/24 和 192.168.2.0/24 之间创建一个 OpenVPN 隧道。但是不知何故,从隧道一侧进入的数据包却无法从另一侧出来...
涉及以下主机:
R1=192.168.1.1 Router in LAN 1
R2=192.168.2.1 Router in LAN 2
S1=192.168.1.10 OpenVPN Server in LAN 1, no ip tables, net.ipv4.ip_forward=1
C2=192.168.2.10 OpenVPN Client in LAN 2, no ip tables, net.ipv4.ip_forward=1
H1=192.168.1.20 Some host in LAN 1 with default gateway R1
H2=192.168.2.20 Some host in LAN 2 with default gateway R2
我设置了 OpenVPN 并在路由器中安装了路由,配置见下文。连接正常,让我们来 ping 一下。
C2> ping 10.8.0.1 # OK
C2> ping S1=192.168.1.10 # OK
C2> ping R1=192.168.1.1 # OK
S1> ping 10.8.0.6 # OK
S1> ping C2=192.168.2.10 # NO
H1> ping C2=192.168.2.10 # NO
H2> ping S1=192.168.1.10 # NO
我使用 tcpdump 检查了 S1 和 C2,发现所有 ICMP 请求都到达隧道的一端,但没有从另一端出来,例如,首先从 H2 ping S1,但没有成功,然后从 S1 ping C2
C2> tcpdump -s0 -i tun0
17:05:53.070047 IP C2 > 10.8.0.1: ICMP echo request, id 10190, seq 1, length 64
17:05:53.099990 IP 10.8.0.1 > C2: ICMP echo reply, id 10190, seq 1, length 64
17:06:04.115396 IP C2 > S1: ICMP echo request, id 10194, seq 1, length 64
17:06:04.148898 IP S1 > C2: ICMP echo reply, id 10194, seq 1, length 64
17:06:16.160644 IP 10.8.0.1 > C2: ICMP echo request, id 4479, seq 1, length 64
17:06:16.160720 IP C2 > 10.8.0.1: ICMP echo reply, id 4479, seq 1, length 64
17:06:11.532787 IP C2 > R1: ICMP echo request, id 10221, seq 1, length 64
17:06:11.563275 IP R1 > C2: ICMP echo reply, id 10221, seq 1, length 64
17:07:05.149219 IP H2 > S1: ICMP echo request, id 57470, seq 0, length 64
S1> tcpdump -s0 -i tun0
17:05:53.083547 IP 10.8.0.6 > S1: ICMP echo request, id 10190, seq 1, length 64
17:05:53.083624 IP S1 > 10.8.0.6: ICMP echo reply, id 10190, seq 1, length 64
17:06:04.130861 IP 10.8.0.6 > S1: ICMP echo request, id 10194, seq 1, length 64
17:06:04.130941 IP S1 > 10.8.0.6: ICMP echo reply, id 10194, seq 1, length 64
17:06:11.546125 IP 10.8.0.6 > R1: ICMP echo request, id 10221, seq 1, length 64
17:06:11.546766 IP R1 > 10.8.0.6: ICMP echo reply, id 10221, seq 1, length 64
17:06:16.144123 IP S1 > 10.8.0.6: ICMP echo request, id 4479, seq 1, length 64
17:06:16.172989 IP 10.8.0.6 > S1: ICMP echo reply, id 4479, seq 1, length 64
17:06:43.928054 IP S1 > C2: ICMP echo request, id 4484, seq 1, length 64
17:06:54.095618 IP H1 > C2: ICMP echo request, id 1091, seq 1, length 64
因此,这似乎不是路由问题,也不是任何与防火墙相关的问题,因为 S1 和 C2 上的 iptables 都是空的。知道可能是什么问题吗?为什么数据包没有到达隧道末端?OpenVPN 中似乎启用了一些数据包过滤。
R1 路线:
192.168.2.0/24 via 192.168.1.10 dev lan
10.8.0.0/24 via 192.168.1.10 dev lan
R2 路线:
192.168.1.0/24 via 192.168.2.10 dev lan
10.8.0.0/24 via 192.168.2.10 dev lan
S1 路线:
default via 192.168.1.1 dev eth0 proto static metric 1024
10.8.0.0/24 via 10.8.0.2 dev tun0 proto static metric 20
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
192.168.1.1 dev eth0 proto dhcp scope link src 192.168.1.10 metric 1024
192.168.2.0/24 via 10.8.0.2 dev tun0 proto static metric 20
C2路线:
default via 192.168.2.1 dev wlp2s0 proto static metric 1024
10.8.0.1 via 10.8.0.5 dev tun0 proto static metric 20
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 via 10.8.0.5 dev tun0 proto static metric 20
192.168.2.0/24 dev wlp2s0 proto kernel scope link src 192.168.2.10
服务器配置文件
dev tun
port 1195
proto tcp
server 10.8.0.0 255.255.255.0
route 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
comp-lzo
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
客户端配置文件
client
dev tun
port 1195
proto tcp-client
tls-client
remote mylan.de 1195
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
verify-x509-name server name
comp-lzo
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
答案1
尝试H1
添加这样的路由"route add -net 192.168.2.0/24 gw 192.168.1.10"
,然后再次尝试 ping 一下,现在如果你想要互相 ping 一下,请H1
执行相同的操作,H2
H2
"rout add -net 192.168.1.0/24 gw 192.168.2.10"
In this the two pc in the two lans, they will use the vpn client and vpn server to reach the remote lan
答案2
我自己找到了解决方案,有两个问题:在阅读完 openvpn 手册后,这个词iroute
引起了我的注意,这是解决方案的第一部分,也是主要部分。有关详细信息,我建议阅读本教程https://community.openvpn.net/openvpn/wiki/RoutedLans。
此后,除了连接到 openvpn 服务器和客户端主机 S1 和 C2 之外,几乎所有事情都正常了。第二个问题是我不知道的内核功能:多个路由表和 RPDB。有第二个路由表,其中设置了另一个默认网关:
S1> ip route list table 1
default via 192.168.1.1 dev eth0
192.168.1.0/24 via 192.168.1.10 dev eth0
S1> ip rule
0: from all lookup local
500: from 192.168.1.10 lookup 1
32766: from all lookup main
32767: from all lookup default
解决方案是使用自定义路由脚本将正确的路由注入到该路由表中。
服务器配置文件
dev tun
port 1195
server 10.8.0.0 255.255.255.0
# allow script execution
script-security 2
# routing information
route 192.168.2.0 255.255.255.0
route-up /etc/openvpn/vpn-route-up.sh
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
client-to-client
# setup client specific iroutes
client-config-dir /etc/openvpn/ccd/
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
comp-lzo
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
S1 上的 ccd/client1(client1 是客户端的 CN)
iroute 192.168.2.0 255.255.255.0
客户端配置文件
dev tun
port 1195
client
remote mylan.de 1195
# allow script execution
script-security 2
# routing information
redirect-private bypass-dhcp bypass-dns
route-up vpn-route-up.sh
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
verify-x509-name server name
comp-lzo
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
S1 上的 vpn-route-up.sh
#!/bin/sh
ip route add 10.8.0.0/24 dev tun1 proto kernel scope link src 10.8.0.1 table 1
ip route add 192.168.2.0/24 via 10.8.0.2 dev tun1 table 1
C2 上的 vpn-route-up.sh
#!/bin/sh
ip route add 10.8.0.0/24 dev tun1 proto kernel scope link src 10.8.0.2 table 1
ip route add 192.168.1.0/24 via 10.8.0.1 dev tun1 table 1