我有一个 Ubuntu 路由器,我最近将它连接到 VPN 服务以绕过互联网过滤。这个想法是使用 VPN 来做所有事情,机器还托管一些东西,所以正常的 IP 仍然需要工作。当 VPN 连接时,我无法从网络外部 ping 外部接口,它还托管一个只有在 VPN 未连接时才能访问的 Web 服务器。
路由器看到了传入的数据包,但似乎没有发送回复。
传入的数据包没有到达 INPUT iptables 链,我看到了这一点
Capturing on 'p5p1'
1 0.000000000 91.121.133.139 → 86.13.39.252 TCP 74 46830→443 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=43316855 TSecr=0 WS=128
2 0.998501403 91.121.133.139 → 86.13.39.252 TCP 74 [TCP Retransmission] 46830→443 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=43317105 TSecr=0 WS=128
3 3.002695195 91.121.133.139 → 86.13.39.252 TCP 74 [TCP Retransmission] 46830→443 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=43317606 TSecr=0 WS=128
但这个数字并没有上升
1 44 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
环顾四周,这听起来像是与路由或连接跟踪有关的事情,但我没有发现任何人遇到同样的问题。
其他一些可能有意义的信息
路由表
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.34.10.5 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 86.13.39.1 0.0.0.0 UG 0 0 0 p5p1
10.34.10.1 10.34.10.5 255.255.255.255 UGH 0 0 0 tun0
10.34.10.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
81.187.30.110 86.13.39.1 255.255.255.255 UGH 0 0 0 p5p1
81.187.30.111 86.13.39.1 255.255.255.255 UGH 0 0 0 p5p1
81.187.30.112 86.13.39.1 255.255.255.255 UGH 0 0 0 p5p1
81.187.30.113 86.13.39.1 255.255.255.255 UGH 0 0 0 p5p1
81.187.30.114 86.13.39.1 255.255.255.255 UGH 0 0 0 p5p1
81.187.30.115 86.13.39.1 255.255.255.255 UGH 0 0 0 p5p1
81.187.30.116 86.13.39.1 255.255.255.255 UGH 0 0 0 p5p1
81.187.30.117 86.13.39.1 255.255.255.255 UGH 0 0 0 p5p1
81.187.30.118 86.13.39.1 255.255.255.255 UGH 0 0 0 p5p1
81.187.30.119 86.13.39.1 255.255.255.255 UGH 0 0 0 p5p1
86.13.39.0 0.0.0.0 255.255.255.0 U 0 0 0 p5p1
90.155.3.0 86.13.39.1 255.255.255.0 UG 0 0 0 p5p1
90.155.103.0 86.13.39.1 255.255.255.0 UG 0 0 0 p5p1
104.238.169.126 86.13.39.1 255.255.255.255 UGH 0 0 0 p5p1
128.0.0.0 10.34.10.5 128.0.0.0 UG 0 0 0 tun0
185.150.144.0 86.13.39.1 255.255.252.0 UG 0 0 0 p5p1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 p4p1
路由规则
jacek@saturn: ~ $ ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
是否配置
jacek@saturn: ~ $ ifconfig
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 163286 bytes 151310144 (151.3 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 163286 bytes 151310144 (151.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
p4p1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::96de:80ff:feac:6b53 prefixlen 64 scopeid 0x20<link>
ether 94:de:80:ac:6b:53 txqueuelen 1000 (Ethernet)
RX packets 64227222 bytes 90185530723 (90.1 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4077370 bytes 5387966885 (5.3 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
p5p1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 86.13.39.252 netmask 255.255.255.0 broadcast 255.255.255.255
inet6 fe80::96de:80ff:feac:6b51 prefixlen 64 scopeid 0x20<link>
ether 94:de:80:ac:6b:51 txqueuelen 1000 (Ethernet)
RX packets 15457848 bytes 5153012970 (5.1 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1002737 bytes 205402684 (205.4 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.34.10.6 netmask 255.255.255.255 destination 10.34.10.5
inet6 fe80::35ba:653d:44a:1dc3 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 54434 bytes 63968785 (63.9 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 17087 bytes 1622925 (1.6 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
如有任何建议我将非常感激:)
答案1
您的默认路由是通过 VPN 的。因此,ping 会从正常接口进入,但会通过 VPN 出去(随后会丢失)。
如果您的路由器本身不需要连接任何东西,我就不会通过 vpn 设置默认路由,而是使用源 nat 规则将客户端流量映射到 10.34.10.6 作为源地址,从而使该流量通过 vpn 传出。