Possible routing problem with OpenVPN


I am trying to use OpenVPN on my Arch box so that I can route some, but not all, traffic through the OpenVPN connection. However, I run into problems when I try to use the OpenVPN tunnel, for example with curl --interface tun0 --ipv4 ifconfig.co

Curl just sits there and hangs. I tried watching with tcpdump, and this is the result

sudo tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
21:26:47.157506 IP higgins.48585 > 188.113.88.193.http: Flags [S], seq 3838273657, win 29200, options [mss 1460,sackOK,TS val 86206754 ecr 0,nop,wscale 7], length 0
21:26:47.175936 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89410613 ecr 86206754,nop,wscale 7], length 0
21:26:48.159089 IP higgins.48585 > 188.113.88.193.http: Flags [S], seq 3838273657, win 29200, options [mss 1460,sackOK,TS val 86207055 ecr 0,nop,wscale 7], length 0
21:26:48.177388 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89410863 ecr 86206754,nop,wscale 7], length 0
21:26:49.350452 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89411157 ecr 86206754,nop,wscale 7], length 0
21:26:50.162463 IP higgins.48585 > 188.113.88.193.http: Flags [S], seq 3838273657, win 29200, options [mss 1460,sackOK,TS val 86207656 ecr 0,nop,wscale 7], length 0
21:26:50.180780 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89411364 ecr 86206754,nop,wscale 7], length 0
21:26:54.175887 IP higgins.48585 > 188.113.88.193.http: Flags [S], seq 3838273657, win 29200, options [mss 1460,sackOK,TS val 86208860 ecr 0,nop,wscale 7], length 0
21:26:54.194130 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89412367 ecr 86206754,nop,wscale 7], length 0
21:26:58.350110 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89413407 ecr 86206754,nop,wscale 7], length 0
21:27:02.189071 IP higgins.48585 > 188.113.88.193.http: Flags [S], seq 3838273657, win 29200, options [mss 1460,sackOK,TS val 86211264 ecr 0,nop,wscale 7], length 0
21:27:02.207028 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89414371 ecr 86206754,nop,wscale 7], length 0

My OpenVPN configuration is as follows

client
user nobody
group nobody
auth-retry nointeract
dev tun
proto udp
remote pool.prd.se.ovpn.se 1194
remote pool.prd.se.ovpn.se 1195
dhcp-option DNS 46.227.67.134
dhcp-option DNS 46.227.67.135
remote-random
remote-cert-tls server
cipher AES-256-CBC
pull
nobind
auth-user-pass /etc/openvpn/ovpn.se.cred
reneg-sec 432000
resolv-retry infinite
comp-lzo
verb 4
mute-replay-warnings
replay-window 256
persist-key
persist-tun
ca /etc/openvpn/ovpn-ca.crt
tls-auth /etc/openvpn/ovpn-tls.key 1
script-security 2
route-nopull

My iptables rules look like this

# Generated by iptables-save v1.6.0 on Mon Apr 25 00:27:51 2016
*nat
:PREROUTING ACCEPT [3262:437462]
:INPUT ACCEPT [171:18235]
:OUTPUT ACCEPT [1901:151707]
:POSTROUTING ACCEPT [1734:132967]
-A POSTROUTING -s 10.128.0.0/16 -o enp3s0 -j MASQUERADE
-A POSTROUTING -s 10.128.0.0/24 -o enp3s0 -j MASQUERADE
-A POSTROUTING -o enp3s0 -j MASQUERADE
COMMIT
# Completed on Mon Apr 25 00:27:51 2016
# Generated by iptables-save v1.6.0 on Mon Apr 25 00:27:51 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [38410:467842615]
-A INPUT -i tun0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i tun+ -o enp3s0 -j ACCEPT
-A FORWARD -i enp3s0 -o tun+ -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Mon Apr 25 00:27:51 2016

ip addr gives

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether d0:50:99:52:b3:6d brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.10/24 brd 10.0.0.255 scope global enp3s0
       valid_lft forever preferred_lft forever
    inet6 fe80::febb:c610:7e4c:e134/64 scope link
       valid_lft forever preferred_lft forever
32: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 100
    link/none
    inet 10.128.0.37/16 brd 10.128.255.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 2a03:8600:1003:101:96c0:ee8d:9162:4fd0/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::48f2:b482:4ab6:fb52/64 scope link flags 800
       valid_lft forever preferred_lft forever

ip route gives

default via 10.0.0.1 dev enp3s0  src 10.0.0.10  metric 202
10.0.0.0/24 dev enp3s0  proto kernel  scope link  src 10.0.0.10  metric 202
10.128.0.0/16 dev tun0  proto kernel  scope link  src 10.128.0.37

sysctl -a | grep forward gives

~ $ sysctl -a | grep forward
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.enp3s0.forwarding = 1
net.ipv4.conf.enp3s0.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.default.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.enp3s0.stable_secret"
net.ipv6.conf.enp3s0.forwarding = 1
net.ipv6.conf.enp3s0.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.tun0.forwarding = 1
net.ipv6.conf.tun0.mc_forwarding = 0

I am not a networking expert, so it is quite possible that I have missed something stupid.
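The tcpdump trace above already contains the diagnosis: the peer answers every SYN with a SYN+ACK, the SYN+ACK is seen on tun0, and yet the client keeps retransmitting its SYN, so the reply is discarded somewhere between the capture point and the socket. The following script is an added example (not part of the question or of any answer) that parses tcpdump TCP lines and classifies each attempted handshake by that pattern. The sample capture is a constructed excerpt of the lines shown in the question; the flow-key and verdict strings are this example's own conventions.

```python
import re

# Constructed sample input: a few lines copied from the tcpdump capture in the
# question above (same packets, same ordering).
SAMPLE_CAPTURE = """\
21:26:47.157506 IP higgins.48585 > 188.113.88.193.http: Flags [S], seq 3838273657, win 29200, options [mss 1460,sackOK,TS val 86206754 ecr 0,nop,wscale 7], length 0
21:26:47.175936 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89410613 ecr 86206754,nop,wscale 7], length 0
21:26:48.159089 IP higgins.48585 > 188.113.88.193.http: Flags [S], seq 3838273657, win 29200, options [mss 1460,sackOK,TS val 86207055 ecr 0,nop,wscale 7], length 0
21:26:48.177388 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89410863 ecr 86206754,nop,wscale 7], length 0
21:26:50.162463 IP higgins.48585 > 188.113.88.193.http: Flags [S], seq 3838273657, win 29200, options [mss 1460,sackOK,TS val 86207656 ecr 0,nop,wscale 7], length 0
"""

# One tcpdump TCP line: timestamp, "IP", src, ">", dst, flags, seq, optional ack.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:]+): "
    r"Flags \[(?P<flags>[^\]]*)\], seq (?P<seq>\d+)(?::\d+)?(?:, ack (?P<ack>\d+))?"
)


def parse_line(line):
    """Return the fields of one TCP line of tcpdump output, or None for other lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse_handshakes(capture_text):
    """Group packets by (client, server) and count SYN, SYN+ACK and final ACK.

    A flow is keyed by the endpoint that sent the first SYN (client) and the
    endpoint it sent it to (server); the key format is this example's own."""
    flows = {}
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        flags = pkt["flags"]
        if flags == "S":                               # client SYN
            key = (pkt["src"], pkt["dst"])
            f = flows.setdefault(key, {"syn": 0, "synack": 0, "ack": 0,
                                       "client_seq": int(pkt["seq"]),
                                       "synack_seq": None})
            f["syn"] += 1
        elif flags == "S." and pkt["ack"] is not None:  # server SYN+ACK
            key = (pkt["dst"], pkt["src"])
            f = flows.get(key)
            # Only count it if it acknowledges the client's SYN (client_seq + 1).
            if f is None or int(pkt["ack"]) != f["client_seq"] + 1:
                continue
            f["synack"] += 1
            f["synack_seq"] = int(pkt["seq"])
        elif flags == "." and pkt["ack"] is not None:   # possible final ACK
            key = (pkt["src"], pkt["dst"])
            f = flows.get(key)
            if f is None or f["synack_seq"] is None:
                continue
            if int(pkt["ack"]) == f["synack_seq"] + 1:
                f["ack"] += 1
    return flows


def diagnose(flow):
    """Turn the packet counts of one flow into a one-line verdict."""
    if flow["ack"] > 0:
        return "handshake completed"
    if flow["synack"] > 0 and flow["syn"] > 1:
        # The peer answers and its reply reaches the capture point (tcpdump sees
        # packets before the IP input path), yet the client keeps retransmitting
        # its SYN: the kernel discarded the SYN+ACK after capture. Reverse-path
        # filtering (rp_filter), an asymmetric route or an INPUT firewall rule
        # are the usual causes.
        return "SYN+ACK received but dropped before the socket"
    if flow["synack"] == 0 and flow["syn"] > 1:
        return "no reply: SYN not reaching the peer or reply lost on the way back"
    return "inconclusive"


if __name__ == "__main__":
    for (client, server), flow in analyse_handshakes(SAMPLE_CAPTURE).items():
        print(f"{client} -> {server}: syn={flow['syn']} synack={flow['synack']} "
              f"ack={flow['ack']}: {diagnose(flow)}")
```

Run it against a saved `tcpdump -i tun0` capture by passing the file contents to analyse_handshakes; a flow that reports "SYN+ACK received but dropped before the socket" is the case to check against rp_filter and the routing table, as the answers below discuss.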

Answer 1

You are receiving SYN+ACK responses from ifconfig.co, but they are being ignored. The firewall should accept them, but rp_filter may be dropping them. Does adding a route to ifconfig.co

ip route add ifconfig.co dev tun0

fix the problem?

If so, you can try disabling reverse path filtering (the rp_filter sysctl setting).
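To make the rp_filter reasoning in this answer concrete, here is an added example (not written by the answerer) that models the Linux reverse-path check against the routing table shown in the question: the SYN+ACK from 188.113.88.193 arrives on tun0, but the best route back to that address is the default route through enp3s0, so strict mode (rp_filter=1) drops it. The two fixes the answer mentions, a host route through tun0 and relaxing rp_filter, are shown as what they change in the model. The route list is transcribed from the `ip route` output above; the function names are this example's own.

```python
import ipaddress

# Constructed routing table, transcribed from the "ip route" output in the
# question: (prefix, device). Gateways are irrelevant here, because rp_filter
# only asks which interface the kernel would use to reach the source address.
ROUTES = [
    ("0.0.0.0/0", "enp3s0"),      # default via 10.0.0.1 dev enp3s0
    ("10.0.0.0/24", "enp3s0"),
    ("10.128.0.0/16", "tun0"),
]

PEER = "188.113.88.193"   # ifconfig.co's address as it appears in the capture


def lookup(routes, address):
    """Longest-prefix match; returns the outgoing device or None if unroutable."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def rp_filter_verdict(routes, mode, ingress_dev, source):
    """Model Linux reverse-path filtering (net.ipv4.conf.<if>.rp_filter).

    mode 0: no check. mode 1 (strict): the best route back to `source` must
    leave through `ingress_dev`. mode 2 (loose): `source` only has to be
    reachable through some interface. The kernel applies the larger of
    conf.all.rp_filter and conf.<ingress_dev>.rp_filter; pass that value as
    `mode`. Returns "ACCEPT" or "DROP"."""
    if mode == 0:
        return "ACCEPT"
    reverse_dev = lookup(routes, source)
    if mode == 1:
        return "ACCEPT" if reverse_dev == ingress_dev else "DROP"
    if mode == 2:
        return "ACCEPT" if reverse_dev is not None else "DROP"
    raise ValueError("rp_filter mode must be 0, 1 or 2")


def strict_without_host_route():
    # The situation in the question: reply enters on tun0, reverse path is enp3s0.
    return rp_filter_verdict(ROUTES, 1, "tun0", PEER)


def strict_with_host_route():
    # Effect of "ip route add ifconfig.co dev tun0": a /32 through tun0 now wins
    # the longest-prefix match, so the reverse path agrees with the ingress device.
    return rp_filter_verdict(ROUTES + [(PEER + "/32", "tun0")], 1, "tun0", PEER)


def loose_mode():
    # Effect of relaxing the check (rp_filter=2 on tun0 and on "all"): any route
    # to the source is enough, so the default route satisfies it.
    return rp_filter_verdict(ROUTES, 2, "tun0", PEER)


if __name__ == "__main__":
    print("strict, no host route :", strict_without_host_route())
    print("strict, host route    :", strict_with_host_route())
    print("loose (rp_filter=2)   :", loose_mode())
```

On the real host the same question is answered by `ip route get 188.113.88.193` (which device the reverse path uses) together with `sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.tun0.rp_filter`. The host route is the narrower fix: it keeps strict filtering for everything else, whereas loose mode weakens source-address validation on that interface for all traffic.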

Answer 2

I haven't tried anything close enough to this approach to be sure (I always insert entries into the routing table, or use network namespaces such as LXC, rather than that --interface <...> stuff)... but I think it may simply be that there is no gateway available for that interface. ifconfig.co is not on the local link, and your gateway is via enp3s0, not tun0. (If that is the case, though, their coding is pretty poor, since it should be easy to return an error [no route to host] rather than just hanging.)
