I'm new to OpenVPN and could not find any similar answer. I have 3 Linux machines (Ubuntu 16.04):
A and S are on the same network. B is on a different network and is heavily restricted.
Machine S runs an OpenVPN server with the "client-to-client" directive enabled.
A and B can see (ping, connect to) each other and the server through the VPN, because they are clients.
The question is: how do I make the server able to see (ping, connect to) the clients through the VPN? Routing seems fine, but I get connection timeouts.
I need every machine (including the server) to see (ping, connect to) every other one without restrictions inside my VPN. All three machines have their own Internet access; they must see (ping, connect to) each other only through the VPN, with no LAN forwarding.
I used the script from https://github.com/Nyr/openvpn-install to install it, and appended the "client-to-client" flag to server.conf.
UPDATE: tcpdump shows the server reaching the VPN IP over the "real network" via the default route. Could there be some routing problem on the server?
My current configuration (half-working, as described above) is derived from kal3v's post:
Server:
tls-server
tls-auth ta.key 0 # This has to be added, or it does not connect
proto tcp
port 443
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 4
mute 20
Client:
client
tls-client # This has to be added, or it does not connect
dev tun
proto tcp-client
remote [SERVER IP REDACTED] 443
resolv-retry infinite
ca ca.crt
cert client1.crt
key client1.key
nobind
persist-key
persist-tun
comp-lzo
tls-auth ta.key 1 # This has to be added, or it does not connect
#status openvpn-status.log
#log-append /var/log/openvpn.log
verb 4
mute 20
<ca>
[REDACTED]
</ca>
<cert>
[REDACTED]
</cert>
<key>
[REDACTED]
</key>
<tls-auth>
[REDACTED]
</tls-auth>
Server ifconfig -a:
em1 Link encap:Ethernet HWaddr [REDACTED]
inet addr:[REDACTED] Bcast:[REDACTED] Mask:[REDACTED]
inet6 addr: [REDACTED] Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2399844 errors:0 dropped:0 overruns:0 frame:0
TX packets:530948 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:719766790 (719.7 MB) TX bytes:435347738 (435.3 MB)
Interrupt:20 Memory:f7200000-f7220000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:98881 errors:0 dropped:0 overruns:0 frame:0
TX packets:98881 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:9737053 (9.7 MB) TX bytes:9737053 (9.7 MB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:84 errors:0 dropped:0 overruns:0 frame:0
TX packets:67 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:9634 (9.6 KB) TX bytes:13102 (13.1 KB)
Server iptables -n -L:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 10.8.0.0/24 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Server netstat -nr:
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 [REDACTED] 0.0.0.0 UG 0 0 0 em1
[REDACTED] 0.0.0.0 [REDACTED] U 0 0 0 em1
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
Client ifconfig -a:
eno1 Link encap:Ethernet HWaddr [REDACTED]
inet addr:[REDACTED] Bcast:[REDACTED] Mask:[REDACTED]
inet6 addr: [REDACTED] Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:241633 errors:0 dropped:0 overruns:0 frame:0
TX packets:78722 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:224498248 (224.4 MB) TX bytes:10952745 (10.9 MB)
Interrupt:20 Memory:fe400000-fe420000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:779 errors:0 dropped:0 overruns:0 frame:0
TX packets:779 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:73331 (73.3 KB) TX bytes:73331 (73.3 KB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:64 errors:0 dropped:0 overruns:0 frame:0
TX packets:84 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:12922 (12.9 KB) TX bytes:9634 (9.6 KB)
Client iptables -n -L:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Client netstat -nr:
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 [REDACTED] 0.0.0.0 UG 0 0 0 eno1
[REDACTED] 0.0.0.0 [REDACTED] U 0 0 0 eno1
10.8.0.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
Answer 1
The solution was:
Somehow there was the following firewall rule, which sent the server's traffic for the VPN clients out to the real LAN instead of the VPN. It had to be deleted:
Server iptables -t nat -L -n -v --line-numbers:
Chain PREROUTING (policy ACCEPT 249K packets, 44M bytes)
num pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 247K packets, 44M bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3954 packets, 273K bytes)
num pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 3890 packets, 269K bytes)
num pkts bytes target prot opt in out source destination
1 208 15001 SNAT all -- * * 10.8.0.0/24 0.0.0.0/0 to:[REDACTED SERVER_REAL_IP]
On the server: iptables -t nat -D POSTROUTING 1
Voilà! Everything works...
To make it permanent, delete/comment out the corresponding line in /etc/rc.local.
Thanks everyone for the help!
Answer 2
Here is an example of a minimal client-to-client SSL/TLS configuration that works for the following network setup:
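The rule in Answer 1 has no outgoing-interface match, so it also rewrites the source address of packets the server itself sends out tun0 (source 10.8.0.1) to its clients, and the replies then leave the client via its default route instead of the tunnel. The following script is an added example, not part of the question or either answer: it audits `iptables -t nat -S POSTROUTING` output for SNAT/MASQUERADE rules on the VPN subnet that lack an `-o` match and prints a version scoped to the WAN interface (em1 is taken from the question; the sample rules and the 203.0.113.10 address are constructed).

```shell
#!/bin/sh
# Added example: detect nat POSTROUTING rules that rewrite VPN-subnet traffic
# on every interface (including tun0) and show them scoped to the WAN side.

VPN_NET="10.8.0.0/24"   # OpenVPN "server" subnet from the configs above
WAN_IF="em1"            # server's real-network interface from the question

# Print every POSTROUTING rule (iptables-save syntax, one per line on stdin)
# that SNATs or masquerades $VPN_NET without an "-o <iface>" restriction.
find_unscoped_snat() {
    grep -E '^-A POSTROUTING ' |
    grep -E -- "-s $VPN_NET " |
    grep -E -- '-j (SNAT|MASQUERADE)' |
    grep -v -E -- ' -o [^ ]+'
}

# Rewrite such a rule so it only matches packets leaving on $WAN_IF; the
# output is the "-A" form you would feed back to iptables after deleting
# the original (as Answer 1 does with "iptables -t nat -D POSTROUTING 1").
scope_rule_to_wan() {
    sed -E "s/^-A POSTROUTING -s ([^ ]+) /-A POSTROUTING -s \1 -o $WAN_IF /"
}

# Report findings; returns 1 when an unscoped rule exists, 0 otherwise.
audit_rules() {
    bad=$(find_unscoped_snat)
    if [ -z "$bad" ]; then
        echo "OK: no unscoped SNAT/MASQUERADE rule on $VPN_NET"
        return 0
    fi
    echo "Unscoped NAT rule(s) found; these also rewrite server->client traffic on tun0:"
    echo "$bad"
    echo "Suggested replacement(s), limited to the WAN interface:"
    echo "$bad" | scope_rule_to_wan
    return 1
}

# Constructed sample: the first rule mirrors Answer 1 with a placeholder IP,
# the second is already limited to em1 and must not be flagged.
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -s 10.8.0.0/24 -o em1 -j MASQUERADE'

# On a live server you would run:  iptables -t nat -S POSTROUTING | audit_rules
if printf '%s\n' "$SAMPLE_RULES" | audit_rules; then
    echo "Nothing to change."
fi
```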
+------------------+
|                  | 10.132.0.2
|     Client 1     |--------------+
|                  |              |                      +------------------+
+------------------+              |                      |                  |
                                  | 104.199.78.27        | 130.211.80.223   |
+------------------+              |---- The Internet ----|     Client 2     |
|                  |              |                      |                  |
|  OpenVPN server  |--------------+                      +------------------+
|                  | 10.132.0.3
+------------------+
104.199.78.27 is NATed to 10.132.0.3, the OpenVPN server's internal address. The 10.8.0.0/24 network will be used for all VPN clients.
Here is the OpenVPN server configuration:
tls-server
proto tcp
port 443
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 4
mute 20
Here is the configuration of client 1:
client
dev tun
proto tcp-client
remote 10.132.0.3 443
resolv-retry infinite
ca ca.crt
cert client1.crt
key client1.key
nobind
persist-key
persist-tun
comp-lzo
status openvpn-status.log
log-append /var/log/openvpn.log
verb 4
mute 20
Here is the configuration of client 2:
client
dev tun
proto tcp-client
remote 104.199.78.27 443
resolv-retry infinite
ca ca.crt
cert client2.crt
key client2.key
nobind
persist-key
persist-tun
comp-lzo
status openvpn-status.log
log-append /var/log/openvpn.log
verb 4
mute 20
When everything is up and running, we get the following IP and routing configuration:
server% ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:27 errors:0 dropped:0 overruns:0 frame:0
TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:3971 (3.8 KiB) TX bytes:3051 (2.9 KiB)
server% ip route show to match 10.8.0.0/24
default via 10.132.0.1 dev eth0
10.8.0.0/24 via 10.8.0.2 dev tun0
client1% ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:3 errors:0 dropped:0 overruns:0 frame:0
TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:252 (252.0 B) TX bytes:252 (252.0 B)
client1% ip route show to match 10.8.0.1
default via 10.132.0.1 dev eth0
10.8.0.0/24 via 10.8.0.5 dev tun0
client2% ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.10 P-t-P:10.8.0.9 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:5 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:420 (420.0 B) TX bytes:420 (420.0 B)
client2% ip route show to match 10.8.0.1
default via 10.132.0.1 dev eth0
10.8.0.0/24 via 10.8.0.9 dev tun0
And so we have client-to-client connectivity:
server% ping -c 1 10.8.0.6
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
64 bytes from 10.8.0.6: icmp_seq=1 ttl=64 time=1.45 ms
--- 10.8.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.456/1.456/1.456/0.000 ms
root@server:/etc/openvpn# ping -c 1 10.8.0.10
PING 10.8.0.10 (10.8.0.10) 56(84) bytes of data.
64 bytes from 10.8.0.10: icmp_seq=1 ttl=64 time=0.779 ms
--- 10.8.0.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.779/0.779/0.779/0.000 ms
client1% ping -c 1 10.8.0.10
PING 10.8.0.10 (10.8.0.10) 56(84) bytes of data.
64 bytes from 10.8.0.10: icmp_seq=1 ttl=64 time=1.39 ms
--- 10.8.0.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.392/1.392/1.392/0.000 ms
root@client1:/etc/openvpn# ping -c 1 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=1.54 ms
--- 10.8.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.540/1.540/1.540/0.000 ms
client2% ping -c 1 10.8.0.6
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
64 bytes from 10.8.0.6: icmp_seq=1 ttl=64 time=1.12 ms
--- 10.8.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.124/1.124/1.124/0.000 ms
root@client2:/etc/openvpn# ping -c 1 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.584 ms
--- 10.8.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.584/0.584/0.584/0.000 ms