I am trying to set up a site-to-site VPN with OpenVPN. The initial setup is done, and my OpenVPN client-side nodes (201.100.0.x) can communicate with the OpenVPN server-side nodes (192.0.0.x). However, if I ping any client-side node (201.100.0.18) from a server-side node (192.0.0.32), I get no reply (I have added the correct routes on the endpoints). Analysing a TCP dump, I can see the ping reply arriving at my OpenVPN server.
Server-side node: 192.0.0.32 (eth0)
Server: 192.0.0.39 (eth0); 10.8.0.1 (tun0)
Client-side node: 201.100.0.18 (eth0)
OpenVPN client: 201.100.0.11 (eth0); 10.8.0.6 (tun0)
server node> ping 201.100.0.18 -c 1
PING 201.100.0.18 (201.100.0.18) 56(84) bytes of data.
--- 201.100.0.18 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 10000ms
Below is the TCP dump on the OpenVPN server's eth0:
vpnserver> tcpdump -nni eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
09:41:00.796021 IP 192.0.0.32 > 201.100.0.18: ICMP echo request, id 47432, seq 1, length 64
09:41:00.836637 IP 201.100.0.18 > 192.0.0.32: ICMP echo reply, id 47432, seq 1, length 64
The ping reply comes back to 192.0.0.32 but is not forwarded to 192.0.0.39; I need to know why.
IP forwarding is enabled, and the existing firewall rules are shown below:
*filter
:INPUT ACCEPT [397:39519]
:FORWARD ACCEPT [6:504]
:OUTPUT ACCEPT [362:40521]
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
COMMIT
# Completed on Thu Nov 3 09:45:05 2016
# Generated by iptables-save v1.4.7 on Thu Nov 3 09:45:05 2016
*nat
:PREROUTING ACCEPT [31:3889]
:POSTROUTING ACCEPT [22:1848]
:OUTPUT ACCEPT [6:504]
-A POSTROUTING -o eth0 -j MASQUERADE << before adding this rule, client-side nodes were not able to access server-side nodes
COMMIT
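As an added illustration (not part of the question or of any answer to it), here is a small Python walk of the FORWARD chain above, showing which rule, or only the chain policy, accepts each direction of tunnel traffic; the rule text is a constructed copy of the filter table from the question, and the interface/conntrack-state fields of the test packets are assumed.

```python
# Constructed copy of the filter table from the question (FORWARD policy is ACCEPT).
RULES_DUMP = """\
*filter
:INPUT ACCEPT [397:39519]
:FORWARD ACCEPT [6:504]
:OUTPUT ACCEPT [362:40521]
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
COMMIT
"""


def parse_chain(dump, chain="FORWARD"):
    """Return (policy, rules) for one chain of an iptables-save dump. Each rule is a
    dict of the matches it uses (in/out interface, conntrack states) and its target.
    Assumes every option takes one argument, true for -i, -o, -m, --state and -j."""
    policy, rules = None, []
    for line in dump.splitlines():
        if line.startswith(":%s " % chain):
            policy = line.split()[1]
        elif line.startswith("-A %s " % chain):
            rule, toks = {}, line.split()[2:]
            for opt, arg in zip(toks[::2], toks[1::2]):
                if opt == "-i":
                    rule["in"] = arg
                elif opt == "-o":
                    rule["out"] = arg
                elif opt == "--state":
                    rule["state"] = set(arg.split(","))
                elif opt == "-j":
                    rule["target"] = arg
            rules.append(rule)
    return policy, rules


def verdict(dump, in_if, out_if, state="NEW", chain="FORWARD"):
    """Walk the chain top to bottom as netfilter does: the first rule whose matches
    all fit the packet decides; if none fits, the chain policy does. Returns
    (target, reason) so the caller can see which line produced the decision."""
    policy, rules = parse_chain(dump, chain)
    for n, r in enumerate(rules, 1):
        if "in" in r and r["in"] != in_if:
            continue
        if "out" in r and r["out"] != out_if:
            continue
        if "state" in r and state not in r["state"]:
            continue
        return r["target"], "rule %d" % n
    return policy, "policy"
```

Run against this dump, the LAN-to-tunnel direction (eth0 -> tun0, NEW) is accepted by the chain policy alone, so a later hardening step that sets the FORWARD policy to DROP would silently break exactly that direction unless an explicit eth0 -> tun0 rule is added.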