OpenVPN tunnel stops working for subnets after some time

OK, this will sound strange: I have an OpenVPN server with 2 clients, 1 client works fine, but the second client drops out after about 1 day.

The server is 10.7.2.1, client 1 is 10.7.2.2 (not working), client 2 is 10.7.2.3.

The internal networks behind each of them are as follows:

Server (10.7.2.1):
10.0.96.0/24

Client 1 (10.7.2.2):
10.21.0.0/24
192.168.0.0/24

Client 2 (10.7.2.3):
10.22.0.0/24

So, as of today, it is not possible to ping 10.0.96.253 from 192.168.0.3:

ping 10.0.96.253
PING 10.0.96.253 (10.0.96.253) 56(84) bytes of data.
^C
--- 10.0.96.253 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7590ms

I am sure the packets are being routed correctly:

10.0.96.0/24 via 10.7.2.1 dev tun1 
10.7.2.0/24 dev tun1  proto kernel  scope link  src 10.7.2.2 
10.22.0.0/24 via 10.7.2.1 dev tun1 

This can also be verified with tcpdump:

[Interface:eth0:]    10:41:37.446320 IP 192.168.0.3 > 10.0.96.253: ICMP echo request, id 20316, seq 4, length 64
[Interface:tun1:]    10:41:37.446332 IP 192.168.0.3 > 10.0.96.253: ICMP echo request, id 20316, seq 4, length 64
[Interface:eth0:]    10:41:38.446967 IP 192.168.0.3 > 10.0.96.253: ICMP echo request, id 20316, seq 5, length 64
[Interface:tun1:]    10:41:38.446983 IP 192.168.0.3 > 10.0.96.253: ICMP echo request, id 20316, seq 5, length 64

tun1 is the network interface on client 1.

32: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none 
    inet 10.7.2.2/24 brd 10.7.2.255 scope global tun1
       valid_lft forever preferred_lft forever

When running tcpdump on the server side, nothing shows up at all!

If I ping directly from the client, it does work:

ping 10.0.96.253
PING 10.0.96.253 (10.0.96.253) 56(84) bytes of data.
64 bytes from 10.0.96.253: icmp_seq=1 ttl=63 time=31.8 ms
64 bytes from 10.0.96.253: icmp_seq=2 ttl=63 time=31.3 ms
64 bytes from 10.0.96.253: icmp_seq=3 ttl=63 time=32.9 ms
64 bytes from 10.0.96.253: icmp_seq=4 ttl=63 time=31.7 ms
64 bytes from 10.0.96.253: icmp_seq=5 ttl=63 time=32.2 ms
64 bytes from 10.0.96.253: icmp_seq=6 ttl=63 time=38.4 ms
64 bytes from 10.0.96.253: icmp_seq=7 ttl=63 time=32.8 ms
^C
--- 10.0.96.253 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6008ms
rtt min/avg/max/mdev = 31.331/33.060/38.428/2.264 ms

Also visible in tcpdump:

[Interface:tun1:]    10:44:41.828197 IP 10.7.2.2 > 10.0.96.253: ICMP echo request, id 51791, seq 5, length 64
[Interface:tun1:]    10:44:41.860386 IP 10.0.96.253 > 10.7.2.2: ICMP echo reply, id 51791, seq 5, length 64

After reconnecting openvpn via systemctl restart openvpn@samba, it works again!

Again from 192.168.0.3 to 10.0.96.253:

ping 10.0.96.253
PING 10.0.96.253 (10.0.96.253) 56(84) bytes of data.
64 bytes from 10.0.96.253: icmp_seq=1 ttl=62 time=33.9 ms
64 bytes from 10.0.96.253: icmp_seq=2 ttl=62 time=31.4 ms
64 bytes from 10.0.96.253: icmp_seq=3 ttl=62 time=32.0 ms
64 bytes from 10.0.96.253: icmp_seq=4 ttl=62 time=32.9 ms
^C
--- 10.0.96.253 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3275ms
rtt min/avg/max/mdev = 31.496/32.589/33.915/0.947 ms

And the corresponding tcpdump:

[Interface:eth0:]    10:47:25.230275 IP 192.168.0.3 > 10.0.96.253: ICMP echo request, id 31580, seq 4, length 64
[Interface:tun1:]    10:47:25.230301 IP 192.168.0.3 > 10.0.96.253: ICMP echo request, id 31580, seq 4, length 64
[Interface:tun1:]    10:47:25.262723 IP 10.0.96.253 > 192.168.0.3: ICMP echo reply, id 31580, seq 4, length 64
[Interface:eth0:]    10:47:25.262739 IP 10.0.96.253 > 192.168.0.3: ICMP echo reply, id 31580, seq 4, length 64

The second client does not show this behaviour. So I'm confused and don't know where to look; does anyone know what I should do?

Server configuration:

port                  1194
proto                 udp
dev                   tun
ca                    samba.ca.crt
cert                  samba.crt
key                   samba.key
dh                    samba.dh.pem
server                10.7.2.0 255.255.255.0
ifconfig-pool-persist samba.ipp.txt
route                 10.0.96.0 255.255.255.0
route                 192.168.0.0 255.255.255.0 10.7.2.2
route                 10.21.0.0 255.255.255.0 10.7.2.2
route                 10.22.0.0 255.255.255.0 10.7.2.3
topology              subnet
mode                  server

client-to-client

client-config-dir     samba.ccd
ccd-exclusive         samba.ccd
comp-lzo
persist-key
persist-tun
status                samba.openvpn-status.log
log-append            /var/log/samba.openvpn.log
verb                  4
keepalive             10 120

Server OpenVPN version:

OpenVPN 2.3.8 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Aug  4 2015

Client configuration:

client
dev              tun
proto            udp
remote           xx.xx.xx.xx 1194
resolv-retry     infinite
nobind
persist-key
persist-tun
ca               samba.ca.crt
cert             samba.crt
key              samba.key
comp-lzo
verb             4
status           samba.openvpn-status.log
log-append       /var/log/samba.openvpn.log

Client CCD:

client-to-client
iroute 10.21.0.0 255.255.255.0
iroute 192.168.0.0 255.255.255.0
push "route 10.0.96.0 255.255.255.0"
push "route 10.22.0.0 255.255.255.0"

Client OpenVPN version:

OpenVPN 2.3.8 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Aug  4 2015
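As an added diagnostic (not part of the original question and not OpenVPN's own tooling): when a client's own tunnel address still answers but the networks it announces with iroute do not, the first thing to compare is the server's internal routing table for the tunnel, which OpenVPN writes to the file named by the `status` directive (samba.openvpn-status.log in the configuration above). The script below parses that file in the default status-version-1 layout and reports which iroute networks from each client's CCD are absent from the ROUTING TABLE section. The status text, client common names and real addresses embedded in it are constructed for this example; the EXPECTED_IROUTES table mirrors the CCD shown in the question for client 1 and an assumed CCD with a single iroute for client 2.

```python
import ipaddress
import sys
from typing import Dict, List, Set

# Constructed sample of an OpenVPN 2.3 status file (status-version 1, the
# default layout for the "status" directive). Content is made up for this
# example: client1's iroute networks are missing from ROUTING TABLE while its
# tunnel address 10.7.2.2 is still present, i.e. the server would deliver
# packets to 10.7.2.2 but has nowhere to send packets for 192.168.0.0/24.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Tue Nov  3 10:41:00 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,198.51.100.10:40001,123456,654321,Mon Nov  2 10:30:00 2015
client2,198.51.100.20:40002,23456,54321,Mon Nov  2 10:31:00 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.7.2.2,client1,198.51.100.10:40001,Tue Nov  3 10:40:58 2015
10.7.2.3,client2,198.51.100.20:40002,Tue Nov  3 10:40:59 2015
10.22.0.0/24,client2,198.51.100.20:40002,Tue Nov  3 10:40:59 2015
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

# Networks each client is expected to announce via iroute in its CCD file.
# client1 follows the CCD in the question; client2 is an assumption.
EXPECTED_IROUTES: Dict[str, List[str]] = {
    "client1": ["10.21.0.0/24", "192.168.0.0/24"],
    "client2": ["10.22.0.0/24"],
}


def parse_routing_table(status_text: str) -> Dict[str, Set[str]]:
    """Map common name -> set of 'Virtual Address' entries from the ROUTING TABLE section.

    Entries without a prefix length are the client's own tunnel address;
    entries with one (e.g. 192.168.0.0/24) are networks learned via iroute.
    """
    routes: Dict[str, Set[str]] = {}
    in_table = False
    for line in status_text.splitlines():
        if line == "ROUTING TABLE":
            in_table = True
            continue
        if line == "GLOBAL STATS":
            break
        if not in_table or line.startswith("Virtual Address,"):
            continue
        fields = line.split(",")
        if len(fields) < 4:
            continue  # tolerate a truncated line in a file being rewritten
        virtual_address, common_name = fields[0], fields[1]
        routes.setdefault(common_name, set()).add(virtual_address)
    return routes


def missing_iroutes(status_text: str, expected: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """For each client, list expected iroute networks the server's routing table lacks."""
    table = parse_routing_table(status_text)
    missing: Dict[str, List[str]] = {}
    for common_name, networks in expected.items():
        present = {
            ipaddress.ip_network(entry, strict=False)
            for entry in table.get(common_name, set())
            if "/" in entry  # only iroute networks, not the tunnel address
        }
        gaps = [n for n in networks if ipaddress.ip_network(n) not in present]
        if gaps:
            missing[common_name] = gaps
    return missing


if __name__ == "__main__":
    # Usage: python check_iroutes.py /path/to/samba.openvpn-status.log
    # With no argument the constructed sample is checked instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATUS
    for cn, gaps in missing_iroutes(text, EXPECTED_IROUTES).items():
        print(f"{cn}: iroute networks missing from server routing table: {', '.join(gaps)}")
```

Run it against the real status file while the fault is present and again right after the restart that restores connectivity. The status file is rewritten periodically (every 60 seconds by default), so a fresh copy is cheap to take. If the client's networks are missing from the server's table while the tunnel address is still listed, the problem is in the server's internal routing state for that session rather than in the kernel routes on either host, which matches the symptom that packets reach tun1 on the client but never appear in tcpdump on the server; if the entries are present, look at the kernel routes and NAT on the server side instead.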
