I have OpenVPN installed and running on my server. I want all traffic from the clients to be routed through the VPN server.
The client connects fine but cannot reach the internet.
Server config:
port 443
proto udp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/brimstone.crt
key /etc/openvpn/certs/brimstone.key # This file should be kept secret
dh /etc/openvpn/certs/dh4096.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push redirect-gateway def1
keepalive 10 120
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
cipher AES-256-CBC
auth SHA384
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
iptables-save:
# Generated by iptables-save v1.4.14 on Fri Jul 24 07:44:57 2015
*raw
:PREROUTING ACCEPT [69770:12550856]
:OUTPUT ACCEPT [52469:5225827]
COMMIT
# Completed on Fri Jul 24 07:44:57 2015
# Generated by iptables-save v1.4.14 on Fri Jul 24 07:44:57 2015
*nat
:PREROUTING ACCEPT [171:11702]
:POSTROUTING ACCEPT [136:8184]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
COMMIT
# Completed on Fri Jul 24 07:44:57 2015
# Generated by iptables-save v1.4.14 on Fri Jul 24 07:44:57 2015
*mangle
:PREROUTING ACCEPT [69770:12550856]
:INPUT ACCEPT [69068:12508784]
:FORWARD ACCEPT [684:41112]
:OUTPUT ACCEPT [52469:5225827]
:POSTROUTING ACCEPT [53153:5266939]
COMMIT
# Completed on Fri Jul 24 07:44:57 2015
# Generated by iptables-save v1.4.14 on Fri Jul 24 07:44:57 2015
*filter
:INPUT DROP [25:2952]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [320:45993]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state NEW -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 443 -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
COMMIT
# Completed on Fri Jul 24 07:44:57 2015
Am I missing something in the forwarding/routing configuration?
Edit:
It turns out I made a very stupid mistake... I wrote down the iptables rules I needed and then forgot one when actually applying them.
I forgot to allow established or related sessions to be forwarded.
Answer 1
A few things I can think of:
1) Make sure your server is a router, i.e. that it will forward packets from your clients on to other networks. You do that like this:
echo 1 > /proc/sys/net/ipv4/ip_forward
Or, to make it more permanent:
pico /etc/sysctl.conf
and uncomment or add the following:
net.ipv4.ip_forward=1
Also, is the client getting an IP address and DNS settings? Pushing DHCP options over the VPN might be a good idea.
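Putting the question's own fix (the FORWARD rule for RELATED,ESTABLISHED that was left out) and this answer's ip_forward step together, the following is an added example and not code from the original question or answer. It is a POSIX shell helper that audits an iptables-save dump for the four pieces an OpenVPN gateway needs, emits a corrected nat/filter ruleset in iptables-restore format, and optionally applies it. The subnet 10.8.0.0/24, the interface venet0 and udp/443 are taken from the question; the sample dump below is constructed from the question's iptables-save output with the counters dropped; the function names and the file name gateway-rules.sh are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit an iptables-save dump for
# the rules an OpenVPN gateway needs, and emit a corrected ruleset.
# Defaults come from the question (10.8.0.0/24, venet0, udp/443); override
# them with environment variables. Function names are this example's own.

VPN_NET="${VPN_NET:-10.8.0.0/24}"
WAN_IF="${WAN_IF:-venet0}"
VPN_PORT="${VPN_PORT:-443}"

# Escape the dots in the subnet so it can be used inside a grep -E pattern.
net_re=$(printf '%s' "$VPN_NET" | sed 's/\./\\./g')

# audit_rules: read an iptables-save dump on stdin, print one "missing:" line
# per absent piece, and return 0 only when nothing is missing.
audit_rules() {
    dump=$(cat)
    missing=0
    # Return traffic for forwarded flows: the rule the question had left out.
    # Without it the replies from the internet arrive on venet0 and are
    # dropped by the FORWARD DROP policy before they reach the tunnel.
    if ! printf '%s\n' "$dump" | grep -Eq '^-A FORWARD .*--state (RELATED,ESTABLISHED|ESTABLISHED,RELATED)'; then
        echo "missing: FORWARD rule accepting RELATED,ESTABLISHED (replies to $VPN_NET are dropped)"
        missing=$((missing + 1))
    fi
    if ! printf '%s\n' "$dump" | grep -Eq "^-A FORWARD -s $net_re .*-j ACCEPT"; then
        echo "missing: FORWARD rule accepting new flows from $VPN_NET"
        missing=$((missing + 1))
    fi
    if ! printf '%s\n' "$dump" | grep -Eq "^-A POSTROUTING -s $net_re -o $WAN_IF -j MASQUERADE"; then
        echo "missing: nat POSTROUTING MASQUERADE for $VPN_NET out of $WAN_IF"
        missing=$((missing + 1))
    fi
    if ! printf '%s\n' "$dump" | grep -Eq "^-A INPUT .*-p udp .*--dport $VPN_PORT -j ACCEPT"; then
        echo "missing: INPUT rule accepting udp/$VPN_PORT for OpenVPN itself"
        missing=$((missing + 1))
    fi
    [ "$missing" -eq 0 ]
}

# gen_rules: print a nat + filter ruleset in iptables-restore format with all
# four pieces present. The raw and mangle tables are not touched.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state NEW -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport $VPN_PORT -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s $VPN_NET -o $WAN_IF -j ACCEPT
COMMIT
EOF
}

# apply_rules: enable forwarding and load the ruleset (needs root). Assumes
# sysctl and iptables-restore are present; run "iptables-save | audit_rules"
# afterwards to confirm what is actually loaded, which is exactly the check
# the question's author skipped.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_rules | iptables-restore
}

# Constructed sample input: the nat and filter tables from the question's
# iptables-save output, counters dropped.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state NEW -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 443 -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
COMMIT'

# Usage:  iptables-save | sh gateway-rules.sh audit    (audit the live rules)
#         sh gateway-rules.sh sample                   (audit the question's dump)
#         sh gateway-rules.sh apply                    (as root)
case "${1:-}" in
    audit)  audit_rules ;;
    sample) printf '%s\n' "$SAMPLE_DUMP" | audit_rules ;;
    apply)  apply_rules ;;
esac
```

Run with `sample` the audit reports a single missing piece, the FORWARD rule for RELATED,ESTABLISHED, which is the mistake described in the question's edit; the ruleset from `gen_rules` passes the same audit. The FORWARD accept rule it emits is scoped to `-o venet0` so that tunnel clients are only forwarded towards the internet-facing interface, not to anything else the server can reach. For the DNS part of this answer, the OpenVPN directive is `push "dhcp-option DNS <address>"` in the server config, which the client's OpenVPN (or its up script) applies.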