Network behind OpenVPN client

Hi all, I have an OpenVPN networking problem. The main idea is shown in the figure: a remote OpenVPN server and 2 clients, MyPC and an OpenWRT client, which has its own network containing Client_1 and Client_2. I need to be able to reach Client_1 from MyPC and vice versa. It looks like a routing or forwarding problem.


|-----------------------|           |-----------------------------------|
|Ubuntu 14.04           |           |OpenWRT router                     |
|OpenVPN Server         |  <----->  |Acts as OpenVPN client             |
|WAN 192.168.1.197      |           |LAN: 192.168.0.1, WAN:192.168.1.1  |
|OpenVPN IP: 172.20.2.1 |           |OpenVPN IP:172.20.1.100            |
|-----------------------|           |-----------------------------------|
            ^                               ^                   ^
            |                               |                   |
            |                               |                   |
            v                               v                   v
|-----------------------|           |-------------------| |------------------|
|MyPC, OpenVPN client   |   (1)     |Network client_1   | |Network client_2  |
|LAN: 192.168.1.205     | <-------> |LAN: 192.168.0.213 | |LAN: 192.168.1.101|
|OpenVPN IP:172.20.2.101|           |-------------------| |------------------|
|-----------------------|

ping results

Ping MyPC -> OpenVPN server OK
Ping MyPC -> OpenWRT OK
Ping MyPC -> client_1 Reply from 192.168.1.205: Destination host unreachable.

Ping OpenVPN server -> MyPC OK
Ping OpenVPN server -> OpenWRT OK
Ping OpenVPN server -> client_1 From 192.168.1.197 icmp_seq=1 Destination Host Unreachable

Ping OpenWRT -> OpenVPN server OK
Ping OpenWRT -> MyPC OK
Ping OpenWRT -> client_1 OK

Ping client_1 -> OpenVPN server From 192.168.0.1 icmp_seq=1 Destination Port Unreachable
Ping client_1 -> MyPC From 192.168.0.1 icmp_seq=1 Destination Port Unreachable
Ping client_1 -> OpenWRT OK

OpenVPN configuration, server and clients

======OpenVPN configuration ===================================================================
port 1198
proto udp
dev tap2
ca keys/remote_management/ca.crt
cert keys/remote_management/remote_man.crt
key keys/remote_management/remote_man.key
dh keys/remote_management/dh4096.pem
server-bridge 172.20.2.1 255.255.255.0 172.20.2.100 172.20.2.253 #@@ br1 eth2
crl-verify keys/remote_management/crl.pem
ifconfig-pool-persist servers/remote_man/logs/ipp.txt
tls-auth servers/remote_man/ta.key 0
cipher AES-128-CBC
user nobody
group nogroup
status servers/remote_man/logs/openvpn-status.log
log-append servers/remote_man/logs/openvpn.log
verb 2
mute 20
max-clients 10
management 127.0.0.1 7507
keepalive 10 120
client-config-dir /etc/openvpn/servers/remote_man/ccd
tls-server
client-to-client
comp-lzo
persist-key
persist-tun
ccd-exclusive
push "route 172.20.2.0 255.255.255.0"
route 192.168.0.0 255.255.255.0

======OpenVPN client MyPC configuration ======================================================
client
proto udp
dev tap
ca ca.crt
dh dh4096.pem
cert ***.crt
key ***.key
remote *** 1198
tls-auth ta.key 1
cipher AES-128-CBC
verb 2
mute 20
keepalive 10 120
comp-lzo
persist-key
persist-tun
float
resolv-retry infinite
nobind

======OpenVPN client OpenWRT configuration ===================================================
client
proto udp
dev tap
ca /etc/openvpn/sol102/ca.crt
dh /etc/openvpn/sol102/dh4096.pem
cert /etc/openvpn/sol102/sol102.crt
key /etc/openvpn/sol102/sol102.key
remote *** 1198
tls-auth /etc/openvpn/sol102/ta.key 1
cipher AES-128-CBC
verb 2
mute 20
keepalive 10 120
comp-lzo
persist-key
persist-tun
float
resolv-retry infinite
nobind

OpenWRT configuration

======OpenWRT network configuration================================================================
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf2:d4ae:ecd5::/48'

config interface 'lan'
        option ifname 'eth0.1'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 5t'

config interface 'OVPN'
        option proto 'none'
        option delegate '0'
        option ifname 'tap0'

======OpenWRT firewall configuration=================================================================
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option network 'wan wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option output 'ACCEPT'
        option name 'OVPN_FW'
        option masq '1'
        option input 'ACCEPT'
        option forward 'REJECT'
        option network 'OVPN'
        option mtu_fix '1'

config forwarding
        option dest 'OVPN_FW'
        option src 'lan'

config forwarding
        option dest 'wan'
        option src 'lan'

config forwarding
        option dest 'lan'
        option src 'OVPN_FW'

I have some tcpdump output

======OpenVPN server tcpdump icmp filtered ====================================================  
12:46:11.654580 IP 172.20.2.101 > 192.168.0.213: ICMP echo request, id 1, seq 83, length 40
12:46:11.654580 IP 172.20.2.101 > 192.168.0.213: ICMP echo request, id 1, seq 83, length 40
12:46:14.652217 IP 172.20.2.1 > 172.20.2.101: ICMP host 192.168.0.213 unreachable, length 68
12:46:14.652244 IP 172.20.2.1 > 172.20.2.101: ICMP host 192.168.0.213 unreachable, length 68
12:46:14.657835 IP 172.20.2.101 > 192.168.0.213: ICMP echo request, id 1, seq 84, length 40
12:46:14.657835 IP 172.20.2.101 > 192.168.0.213: ICMP echo request, id 1, seq 84, length 40
12:46:17.656214 IP 172.20.2.1 > 172.20.2.101: ICMP host 192.168.0.213 unreachable, length 68
12:46:17.656241 IP 172.20.2.1 > 172.20.2.101: ICMP host 192.168.0.213 unreachable, length 68
12:46:17.661768 IP 172.20.2.101 > 192.168.0.213: ICMP echo request, id 1, seq 85, length 40
12:46:17.661768 IP 172.20.2.101 > 192.168.0.213: ICMP echo request, id 1, seq 85, length 40
12:46:20.660206 IP 172.20.2.1 > 172.20.2.101: ICMP host 192.168.0.213 unreachable, length 68
12:46:20.660233 IP 172.20.2.1 > 172.20.2.101: ICMP host 192.168.0.213 unreachable, length 68
12:46:20.665362 IP 172.20.2.101 > 192.168.0.213: ICMP echo request, id 1, seq 86, length 40
12:46:20.665362 IP 172.20.2.101 > 192.168.0.213: ICMP echo request, id 1, seq 86, length 40
12:46:23.666797 IP 172.20.2.1 > 172.20.2.101: ICMP host 192.168.0.213 unreachable, length 68
12:46:23.666824 IP 172.20.2.1 > 172.20.2.101: ICMP host 192.168.0.213 unreachable, length 68


======OpenWRT client tcpdump icmp filtered ==================================================== 
12:44:17.299404 IP 172.20.2.1 > 172.20.2.100: ICMP redirect 172.20.2.101 to host 172.20.2.101, length 48
12:44:18.461809 IP 172.20.2.1 > 172.20.2.100: ICMP redirect 172.20.2.101 to host 172.20.2.101, length 196
12:44:19.464258 IP 172.20.2.1 > 172.20.2.100: ICMP redirect 172.20.2.101 to host 172.20.2.101, length 196
12:44:20.466652 IP 172.20.2.1 > 172.20.2.100: ICMP redirect 172.20.2.101 to host 172.20.2.101, length 196
12:44:20.944332 IP 172.20.2.1 > 172.20.2.100: ICMP redirect 172.20.2.101 to host 172.20.2.101, length 48
12:44:32.311732 IP 172.20.2.1 > 172.20.2.100: ICMP redirect 172.20.2.101 to host 172.20.2.101, length 308

Edit: I can't put that much code here, so http://pastebin.com/ThgqBUgM (link no longer valid)

Answer 1

Your problem is probably a routing problem: the Ubuntu server must know where to find 192.168.0.0/24 (route add -net 192.168.0.0/24 gw 172.20.1.100), otherwise this destination will match the default gateway and the packets will be routed out of the wrong interface. Every device that forwards packets (OpenWRT and Ubuntu) must know about the 3 networks: 192.168.0.0/24, 192.168.1.0/24, 172.20.1.0/24.
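To make the answer's point concrete, here is an added example (not part of the question or the answer) that models the routing tables of the four hosts from the diagram and walks a packet hop by hop with longest-prefix matching, the same rule the kernel applies. With the 192.168.0.0/24 route absent on the server, the walk shows the packet from MyPC matching the server's default route and leaving via eth0 to the upstream gateway, which is exactly the "wrong interface" failure; with the route added it reaches client_1 via OpenWRT. It also implements the check the answer recommends: for each forwarding device, which of the three networks is covered only by the default route. Assumptions: the VPN network is taken as 172.20.2.0/24 and the OpenWRT client's VPN address as 172.20.2.100 (the address seen in the OpenWRT tcpdump; the diagram and the answer write 172.20.1.x), the upstream gateway 192.168.1.254 is constructed, and the kernel routing tables are reconstructed from the posted configs rather than captured. Firewall zones are not modelled.

```python
"""Hop-by-hop route-table walk of the OpenVPN tap/bridge setup from the question."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# The three networks the answer says every forwarding device must know.
# Assumption: the VPN network is 172.20.2.0/24 (the server-bridge range).
NETWORKS = ["192.168.0.0/24", "192.168.1.0/24", "172.20.2.0/24"]


@dataclass(frozen=True)
class Route:
    prefix: Net
    iface: str
    gateway: Optional[IPv4] = None  # None: destination is directly connected


@dataclass
class Device:
    name: str
    addrs: dict            # interface name -> address on that interface
    routes: list           # Route objects, any order
    forwards: bool = True  # ip_forward=1; end hosts do not forward


def R(prefix, iface, gateway=None):
    return Route(Net(prefix), iface, IPv4(gateway) if gateway else None)


def lookup(dev, dst):
    """Longest-prefix match, the rule the kernel applies to every packet."""
    best = None
    for r in dev.routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def missing_routes(dev, networks):
    """Networks dev can only reach through its default route (the answer's check)."""
    return [n for n in networks
            if not any(r.prefix.prefixlen > 0 and Net(n).subnet_of(r.prefix)
                       for r in dev.routes)]


def trace(devices, links, src_name, dst, max_hops=8):
    """Forward a packet hop by hop; returns (delivered, list of hop descriptions)."""
    dst = IPv4(dst)
    by_addr = {a: d for d in devices.values() for a in d.addrs.values()}
    cur, hops = devices[src_name], []
    for _ in range(max_hops):
        if dst in cur.addrs.values():
            hops.append(f"{cur.name}: delivered")
            return True, hops
        if hops and not cur.forwards:
            hops.append(f"{cur.name}: not a router, dropped")
            return False, hops
        r = lookup(cur, dst)
        if r is None:
            hops.append(f"{cur.name}: no route to {dst}")
            return False, hops
        nh = r.gateway if r.gateway is not None else dst
        hops.append(f"{cur.name}: {dst} matches {r.prefix}"
                    + (f" via {r.gateway}" if r.gateway else "") + f" dev {r.iface}")
        nxt = by_addr.get(nh)
        if nxt is not None:
            nxt_iface = next(i for i, a in nxt.addrs.items() if a == nh)
        # The next hop must own the address and share the L2 segment with r.iface.
        if nxt is None or links[(nxt.name, nxt_iface)] != links[(cur.name, r.iface)]:
            hops.append(f"{cur.name}: next hop {nh} is not reachable on {r.iface}, dead end")
            return False, hops
        cur = nxt
    hops.append("hop limit exceeded")
    return False, hops


def build(server_knows_lan0):
    """Topology from the diagram: 'lan1' is the 192.168.1.0/24 segment shared by the
    server, MyPC and the OpenWRT WAN port; 'vpn' is the tap bridge; 'lan0' is the
    192.168.0.0/24 LAN behind OpenWRT. 192.168.1.254 is a constructed upstream gateway."""
    server = Device("server", {"eth0": IPv4("192.168.1.197"), "br1": IPv4("172.20.2.1")},
                    [R("192.168.1.0/24", "eth0"), R("172.20.2.0/24", "br1"),
                     R("0.0.0.0/0", "eth0", "192.168.1.254")])
    if server_knows_lan0:  # the answer's fix, with the OpenWRT VPN address as gateway
        server.routes.append(R("192.168.0.0/24", "br1", "172.20.2.100"))
    mypc = Device("MyPC", {"eth0": IPv4("192.168.1.205"), "tap": IPv4("172.20.2.101")},
                  [R("192.168.1.0/24", "eth0"), R("172.20.2.0/24", "tap"),
                   R("192.168.0.0/24", "tap", "172.20.2.1"),  # tunnel traffic for client_1's LAN
                   R("0.0.0.0/0", "eth0", "192.168.1.254")], forwards=False)
    openwrt = Device("OpenWRT", {"wan": IPv4("192.168.1.1"), "lan": IPv4("192.168.0.1"),
                                 "tap0": IPv4("172.20.2.100")},
                     [R("192.168.1.0/24", "wan"), R("192.168.0.0/24", "lan"),
                      R("172.20.2.0/24", "tap0"), R("0.0.0.0/0", "wan", "192.168.1.254")])
    client1 = Device("client_1", {"eth0": IPv4("192.168.0.213")},
                     [R("192.168.0.0/24", "eth0"), R("0.0.0.0/0", "eth0", "192.168.0.1")],
                     forwards=False)
    devices = {d.name: d for d in (server, mypc, openwrt, client1)}
    links = {("server", "eth0"): "lan1", ("MyPC", "eth0"): "lan1", ("OpenWRT", "wan"): "lan1",
             ("server", "br1"): "vpn", ("MyPC", "tap"): "vpn", ("OpenWRT", "tap0"): "vpn",
             ("OpenWRT", "lan"): "lan0", ("client_1", "eth0"): "lan0"}
    return devices, links


if __name__ == "__main__":
    for fixed in (False, True):
        devs, links = build(fixed)
        print(f"server has 192.168.0.0/24 route: {fixed}; "
              f"server missing: {missing_routes(devs['server'], NETWORKS)}")
        for src, dst in (("MyPC", "192.168.0.213"), ("client_1", "172.20.2.101")):
            ok, hops = trace(devs, links, src, dst)
            print(f"  {src} -> {dst}: {'OK' if ok else 'FAIL'}")
            for h in hops:
                print("    " + h)
```

Running it prints the two walks before and after the fix; the useful habit it encodes is to run `missing_routes` against every device that forwards, not just the one that logged the unreachable, since a route that is present on the server but absent on OpenWRT would fail in the same way one hop later.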
