OpenVPN tunnel between two LANs, traffic lost along the way?

I want to create an OpenVPN tunnel between the LANs 192.168.1.0/24 and 192.168.2.0/24. But somehow packets that enter the tunnel on one side never come out on the other side...

The following hosts are involved:

R1=192.168.1.1  Router in LAN 1
R2=192.168.2.1  Router in LAN 2
S1=192.168.1.10 OpenVPN Server in LAN 1, no ip tables, net.ipv4.ip_forward=1
C2=192.168.2.10 OpenVPN Client in LAN 2, no ip tables, net.ipv4.ip_forward=1
H1=192.168.1.20 Some host in LAN 1 with default gateway R1
H2=192.168.2.20 Some host in LAN 2 with default gateway R2

I set up OpenVPN and installed the routes in the routers; the configs are below. The connection comes up fine, so let's ping.

C2> ping 10.8.0.1        # OK
C2> ping S1=192.168.1.10 # OK
C2> ping R1=192.168.1.1  # OK
S1> ping 10.8.0.6        # OK
S1> ping C2=192.168.2.10 # NO
H1> ping C2=192.168.2.10 # NO
H2> ping S1=192.168.1.10 # NO

I checked S1 and C2 with tcpdump and found that every ICMP request arrives at one end of the tunnel but never comes out of the other end. For example, first a ping from H2 to S1 that fails, then a ping from S1 to C2:

C2> tcpdump -s0 -i tun0
17:05:53.070047 IP C2 > 10.8.0.1: ICMP echo request, id 10190, seq 1, length 64
17:05:53.099990 IP 10.8.0.1 > C2: ICMP echo reply, id 10190, seq 1, length 64
17:06:04.115396 IP C2 > S1: ICMP echo request, id 10194, seq 1, length 64
17:06:04.148898 IP S1 > C2: ICMP echo reply, id 10194, seq 1, length 64
17:06:16.160644 IP 10.8.0.1 > C2: ICMP echo request, id 4479, seq 1, length 64
17:06:16.160720 IP C2 > 10.8.0.1: ICMP echo reply, id 4479, seq 1, length 64
17:06:11.532787 IP C2 > R1: ICMP echo request, id 10221, seq 1, length 64
17:06:11.563275 IP R1 > C2: ICMP echo reply, id 10221, seq 1, length 64
17:07:05.149219 IP H2 > S1: ICMP echo request, id 57470, seq 0, length 64

S1> tcpdump -s0 -i tun0
17:05:53.083547 IP 10.8.0.6 > S1: ICMP echo request, id 10190, seq 1, length 64
17:05:53.083624 IP S1 > 10.8.0.6: ICMP echo reply, id 10190, seq 1, length 64
17:06:04.130861 IP 10.8.0.6 > S1: ICMP echo request, id 10194, seq 1, length 64    
17:06:04.130941 IP S1 > 10.8.0.6: ICMP echo reply, id 10194, seq 1, length 64
17:06:11.546125 IP 10.8.0.6 > R1: ICMP echo request, id 10221, seq 1, length 64
17:06:11.546766 IP R1 > 10.8.0.6: ICMP echo reply, id 10221, seq 1, length 64
17:06:16.144123 IP S1 > 10.8.0.6: ICMP echo request, id 4479, seq 1, length 64
17:06:16.172989 IP 10.8.0.6 > S1: ICMP echo reply, id 4479, seq 1, length 64
17:06:43.928054 IP S1 > C2: ICMP echo request, id 4484, seq 1, length 64
17:06:54.095618 IP H1 > C2: ICMP echo request, id 1091, seq 1, length 64

So it does not look like a routing problem, and it is not anything firewall-related either, since iptables is empty on both S1 and C2. Any idea what the problem could be? Why do the packets not reach the end of the tunnel? It seems as if some packet filtering is enabled in OpenVPN.


R1 routes:

192.168.2.0/24 via 192.168.1.10 dev lan
10.8.0.0/24 via 192.168.1.10 dev lan

R2 routes:

192.168.1.0/24 via 192.168.2.10 dev lan
10.8.0.0/24 via 192.168.2.10 dev lan

S1 routes:

default via 192.168.1.1 dev eth0  proto static  metric 1024 
10.8.0.0/24 via 10.8.0.2 dev tun0  proto static  metric 20 
10.8.0.2 dev tun0  proto kernel  scope link  src 10.8.0.1 
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.10 
192.168.1.1 dev eth0  proto dhcp  scope link  src 192.168.1.10  metric 1024 
192.168.2.0/24 via 10.8.0.2 dev tun0  proto static  metric 20 

C2 routes:

default via 192.168.2.1 dev wlp2s0  proto static  metric 1024 
10.8.0.1 via 10.8.0.5 dev tun0  proto static  metric 20 
10.8.0.5 dev tun0  proto kernel  scope link  src 10.8.0.6 
192.168.1.0/24 via 10.8.0.5 dev tun0  proto static  metric 20 
192.168.2.0/24 dev wlp2s0  proto kernel  scope link  src 192.168.2.10

Server config file

dev tun
port 1195
proto tcp
server 10.8.0.0 255.255.255.0
route 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"

ca       ca.crt
cert     server.crt
key      server.key
dh       dh2048.pem
tls-auth ta.key 0

comp-lzo
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody

Client config file

client
dev tun
port 1195
proto tcp-client
tls-client
remote mylan.de 1195

ca       ca.crt
cert     client.crt
key      client.key
tls-auth ta.key 1
verify-x509-name server name

comp-lzo
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody

Answer 1

Try adding a route like "route add -net 192.168.2.0/24 gw 192.168.1.10" on H1, then try the ping again. Now, if you want them to ping each other, do the same on H2: "route add -net 192.168.1.0/24 gw 192.168.2.10".

In this way the two PCs in the two LANs will use the VPN client and VPN server to reach the remote LAN.

Answer 2

I found the solution myself; there were two problems. After reading the openvpn manual, the word iroute caught my attention, and this is the first and main part of the solution. For details I recommend reading this tutorial: https://community.openvpn.net/openvpn/wiki/RoutedLans

After that almost everything worked, except for the hosts S1 and C2 themselves, which run the openvpn server and client. The second problem was a kernel feature I did not know about: multiple routing tables and the RPDB. There was a second routing table with another default gateway set in it:

S1> ip route list table 1
default via 192.168.1.1 dev eth0
192.168.1.0/24 via 192.168.1.10 dev eth0

S1> ip rule
0:      from all lookup local
500:    from 192.168.1.10 lookup 1
32766:  from all lookup main
32767:  from all lookup default

The solution was to inject the correct routes into that routing table with a custom route script.

Server config file

dev tun
port 1195
server 10.8.0.0 255.255.255.0

# allow script execution
script-security 2

# routing information
route 192.168.2.0 255.255.255.0
route-up /etc/openvpn/vpn-route-up.sh
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
client-to-client

# setup client specific iroutes
client-config-dir /etc/openvpn/ccd/

ca       ca.crt
cert     server.crt
key      server.key
dh       dh2048.pem
tls-auth ta.key 0

comp-lzo
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody

ccd/client1 on S1 (client1 is the client's CN)

iroute 192.168.2.0 255.255.255.0

Client config file

dev tun
port 1195
client
remote mylan.de 1195

# allow script execution
script-security 2

# routing information
redirect-private bypass-dhcp bypass-dns
route-up vpn-route-up.sh

ca       ca.crt
cert     client1.crt
key      client1.key
tls-auth ta.key 1
verify-x509-name server name

comp-lzo
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody

vpn-route-up.sh on S1

#!/bin/sh
# add the tunnel and remote-LAN routes to routing table 1 as well
# (the table selected by the "from 192.168.1.10 lookup 1" rule),
# since OpenVPN only installs them in the main table
ip route add 10.8.0.0/24 dev tun1  proto kernel  scope link  src 10.8.0.1 table 1
ip route add 192.168.2.0/24 via 10.8.0.2 dev tun1 table 1

vpn-route-up.sh on C2

#!/bin/sh
# same on the client side: routing table 1 needs the tunnel and the remote LAN
ip route add 10.8.0.0/24 dev tun1  proto kernel  scope link  src 10.8.0.2 table 1
ip route add 192.168.1.0/24 via 10.8.0.1 dev tun1 table 1
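As an added example (not the answer's own script), one route-up script that serves both S1 and C2: it takes the tunnel interface and endpoint addresses from the variables OpenVPN exports to route-up scripts (dev, ifconfig_local, ifconfig_remote) instead of hard-coding tun1 and 10.8.0.x, and uses "ip route replace" so a reconnect does not fail because the route already exists. The argument order and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example route-up script, not the one from the answer above.
# Assumed invocation from the OpenVPN config (adapt the path):
#   route-up "/etc/openvpn/vpn-route-up.sh 192.168.2.0/24 10.8.0.0/24 1"
# Arguments: $1 remote LAN, $2 tunnel network, $3 policy routing table id.
# OpenVPN exports dev, ifconfig_local and ifconfig_remote to this script.

set -e

# Print the two "ip route" commands for the given LAN / tunnel net / table.
# Fails early if the OpenVPN tunnel variables are not in the environment.
build_route_cmds() {
    lan="$1"; tun_net="$2"; table="$3"
    : "${dev:?dev not set, run this from an OpenVPN route-up hook}"
    : "${ifconfig_local:?}" "${ifconfig_remote:?}"
    # Tunnel subnet itself, so the table can reach the other tun endpoints.
    printf 'ip route replace %s dev %s src %s table %s\n' \
        "$tun_net" "$dev" "$ifconfig_local" "$table"
    # Remote LAN, reached through the peer end of the point-to-point tunnel.
    printf 'ip route replace %s via %s dev %s table %s\n' \
        "$lan" "$ifconfig_remote" "$dev" "$table"
}

# Execute the commands, or only echo them when DRY_RUN is set (assumed
# switch for this example, useful to check the result before deploying).
apply_routes() {
    build_route_cmds "$@" | while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then
            echo "$cmd"
        else
            $cmd   # intentional word splitting: cmd holds a plain argv
        fi
    done
}

# Only act when OpenVPN calls the script with its three arguments;
# loading the file without arguments changes nothing.
if [ "$#" -eq 3 ]; then
    apply_routes "$@"
fi
```

On C2 the same script is invoked with 192.168.1.0/24 as the first argument; OpenVPN fills in the client's own tun endpoints, so no addresses need to be edited per host.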