简洁版本:
我希望我的 aws ubuntu openvpn 服务器将所有客户端的互联网流量转发到另一台服务器,而不是直接将其发送出去。
长版本:
我正在 aws 中设置一个环境,出于审计原因,所有互联网流量都必须通过特定网关路由。一些用户将通过 openvpn 连接到网络。我已设置 openvpn 服务器,用户可以连接,但他们的所有流量都流出 openvpn 的网关/ip。
即当我的客户访问 ipcow.com 时,他们看到的是 AAAA,而我希望他们看到的是 BBBB
子网配置
--------------------------------------------------
| A.A.A.A - VPN - 10.0.200.10 | |
-------------------------------------| Private |
| B.B.B.B - Gateway/NAT - 10.0.0.200 | |
--------------------------------------------------
服务器配置文件
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push route "0.0.0.0 0.0.0.0 10.0.0.200"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
客户端.ovpn
client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote P.P.P.P 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
comp-lzo
setenv opt block-outside-dns
key-direction 1
verb 3
连接日志
Unrecognized option or missing parameter(s) in vpn.ovpn:14: block-outside-dns (2.3.10)
OpenVPN 2.3.10 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 14 2016
library versions: OpenSSL 1.0.2h 3 May 2016, LZO 2.09
Control Channel Authentication: tls-auth using INLINE static key file
Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDPv4 link local: [undef]
UDPv4 link remote: [AF_INET]P.P.P.P:1194
TLS: Initial packet from [AF_INET]P.P.P.P:1194, sid=5678375f 5c54cccd
VERIFY OK: depth=1, CN=ChangeMe
Validating certificate key usage
++ Certificate has key usage 00a0, expects 00a0
VERIFY KU OK
Validating certificate extended key usage
++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
VERIFY EKU OK
VERIFY OK: depth=0, CN=server
Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
[server] Peer Connection Initiated with [AF_INET]P.P.P.P:1194
SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route 10.0.0.0 255.255.0.0,route 0.0.0.0 0.0.0.0 10.0.0.200 0,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: route-related options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
ROUTE_GATEWAY 192.168.42.129/255.255.255.0 IFACE=enp0s20f0u1 HWADDR=
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
/usr/bin/ip link set dev tun0 up mtu 1500
/usr/bin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
/usr/bin/ip route add P.P.P.P/32 via 192.168.42.129
/usr/bin/ip route add 0.0.0.0/1 via 10.8.0.1
/usr/bin/ip route add 128.0.0.0/1 via 10.8.0.1
/usr/bin/ip route add 10.0.0.0/16 via 10.8.0.1
/usr/bin/ip route add 0.0.0.0/0 metric 0 via 10.0.0.200
RTNETLINK answers: Network is unreachable
ERROR: Linux route add command failed: external program exited with error status: 2
Initialization Sequence Completed
我尝试添加 0.0.0.0/0 路线,显然没有成功。