OpenVPN server as client: connecting from the server IP to the clients

I am new to OpenVPN and could not find any similar answer. I have 3 Linux machines (Ubuntu 16.04):

A and S are on the same network. B is on a different network, and a heavily restricted one.

Machine S runs an OpenVPN server with the "client-to-client" directive enabled.

A and B can see (ping, connect to) each other and the server through the VPN, because they are clients.

The question is: how can the server see (ping, connect to) the clients through the VPN? Routing seems fine, but I get connection timeouts.

I need every machine (including the server) to see (ping, connect to) every other one without restriction inside my VPN. All three machines have their own internet access; they must see (ping, connect to) each other only through the VPN, with no LAN forwarding.

I used the script at https://github.com/Nyr/openvpn-install to install it, and appended the "client-to-client" flag in server.conf.

Update: tcpdump shows the server reaching the VPN IP via the default route over the "real network". Maybe there is some routing problem on the server?

My current configuration (semi-working, as described above) is derived from kal3v's post:

Server:

tls-server
tls-auth ta.key 0  # This has to be added, or it does not connect
proto tcp
port 443
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

client-to-client

keepalive 10 120

comp-lzo

persist-key
persist-tun

status openvpn-status.log
log-append  /var/log/openvpn.log
verb 4
mute 20

Client:

client
tls-client  # This has to be added, or it does not connect
dev tun
proto tcp-client
remote [SERVER IP REDACTED] 443
resolv-retry infinite

ca ca.crt
cert client1.crt
key client1.key

nobind
persist-key
persist-tun
comp-lzo
tls-auth ta.key 1  # This has to be added, or it does not connect

#status openvpn-status.log
#log-append  /var/log/openvpn.log
verb 4
mute 20
<ca>
[REDACTED]
</ca>
<cert>
[REDACTED]
</cert>
<key>
[REDACTED]
</key>
<tls-auth>
[REDACTED]
</tls-auth>

Server ifconfig -a:

em1       Link encap:Ethernet  HWaddr [REDACTED]  
          inet addr:[REDACTED]  Bcast:[REDACTED]  Mask:[REDACTED]
          inet6 addr: [REDACTED] Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2399844 errors:0 dropped:0 overruns:0 frame:0
          TX packets:530948 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:719766790 (719.7 MB)  TX bytes:435347738 (435.3 MB)
          Interrupt:20 Memory:f7200000-f7220000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:98881 errors:0 dropped:0 overruns:0 frame:0
          TX packets:98881 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:9737053 (9.7 MB)  TX bytes:9737053 (9.7 MB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:84 errors:0 dropped:0 overruns:0 frame:0
          TX packets:67 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:9634 (9.6 KB)  TX bytes:13102 (13.1 KB)

Server iptables -n -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  10.8.0.0/24          0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Server netstat -nr:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         [REDACTED]      0.0.0.0         UG        0 0          0 em1
[REDACTED]      0.0.0.0         [REDACTED]      U         0 0          0 em1
10.8.0.0        10.8.0.2        255.255.255.0   UG        0 0          0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH        0 0          0 tun0

Client ifconfig -a:

eno1      Link encap:Ethernet  HWaddr [REDACTED]
          inet addr:[REDACTED]  Bcast:[REDACTED]  Mask:[REDACTED]
          inet6 addr: [REDACTED] Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:241633 errors:0 dropped:0 overruns:0 frame:0
          TX packets:78722 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:224498248 (224.4 MB)  TX bytes:10952745 (10.9 MB)
          Interrupt:20 Memory:fe400000-fe420000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:779 errors:0 dropped:0 overruns:0 frame:0
          TX packets:779 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:73331 (73.3 KB)  TX bytes:73331 (73.3 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:64 errors:0 dropped:0 overruns:0 frame:0
          TX packets:84 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:12922 (12.9 KB)  TX bytes:9634 (9.6 KB)

Client iptables -n -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Client netstat -nr:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         [REDACTED]      0.0.0.0         UG        0 0          0 eno1
[REDACTED]      0.0.0.0         [REDACTED]      U         0 0          0 eno1
10.8.0.0        10.8.0.5        255.255.255.0   UG        0 0          0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH        0 0          0 tun0

Answer 1

The solution was:

Somehow there was the following firewall rule, which directed the server over the real LAN instead of the VPN to reach the VPN clients, and it had to be deleted:

Server iptables -t nat -L -n -v --line-numbers:

Chain PREROUTING (policy ACCEPT 249K packets, 44M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 247K packets, 44M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3954 packets, 273K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 3890 packets, 269K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      208 15001 SNAT       all  --  *      *       10.8.0.0/24          0.0.0.0/0            to:[REDACTED SERVER_REAL_IP]

On the server: iptables -t nat -D POSTROUTING 1

Voilà! Everything works...

To make it permanent, delete or comment out the corresponding line in /etc/rc.local

Thanks everyone for the help!
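The rule deleted above matches every packet whose source is in 10.8.0.0/24 and has no outgoing-interface restriction, so it also rewrites the server's own packets leaving tun0 (source 10.8.0.1) to the server's real address; the client then replies to that real address over its own default route rather than through the tunnel, which is exactly what the tcpdump in the question showed. The following script is an added example, not code from the answer or from the Nyr installer: it audits a `iptables -t nat -S POSTROUTING` listing for source-NAT rules of this shape and prints a version restricted with `! -o tun0`, so the LAN NAT keeps working for clients reaching the internet while tunnel traffic keeps its 10.8.0.x source. The subnet 10.8.0.0/24, the device name tun0, the interface em1 and the address 192.0.2.10 (standing in for the redacted server IP) are assumptions, and the rule listing is constructed.

```shell
#!/bin/sh
# Added example, not part of the original answer: audit the nat POSTROUTING
# chain for SNAT/MASQUERADE rules that match the VPN subnet but do not limit
# the outgoing interface. Such a rule also rewrites the server's own packets
# leaving tun0 (source 10.8.0.1), so a client replies to the server's real
# address instead of through the tunnel.
#
# Assumptions (not taken from the page): the VPN subnet is 10.8.0.0/24, the
# tunnel device is tun0, and the rules are in `iptables -t nat -S POSTROUTING`
# format. 192.0.2.10 stands in for the redacted server address.

VPN_NET="10.8.0.0/24"
TUN_DEV="tun0"

# Constructed sample of `iptables -t nat -S POSTROUTING` on the server.
# The first -A rule is the kind that broke server-to-client traffic; the other
# two are restricted to the LAN side and leave the tunnel alone.
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 192.0.2.10
-A POSTROUTING -s 10.8.0.0/24 -o em1 -j SNAT --to-source 192.0.2.10
-A POSTROUTING -s 10.8.0.0/24 ! -o tun0 -j MASQUERADE'

# find_unrestricted_snat RULES
# Prints each SNAT/MASQUERADE rule for VPN_NET that carries no "-o" interface
# match (and therefore also applies to packets leaving the tunnel).
find_unrestricted_snat() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            *"-s $VPN_NET "*) ;;                # only rules for the VPN subnet
            *) continue ;;
        esac
        case "$line" in
            *"-j SNAT"*|*"-j MASQUERADE"*) ;;   # only source-NAT targets
            *) continue ;;
        esac
        case "$line" in
            *" -o "*) continue ;;               # interface restriction present
        esac
        printf '%s\n' "$line"
    done
}

# count_unrestricted_snat RULES
# Prints the number of offending rules (0 means the chain is clean).
count_unrestricted_snat() {
    find_unrestricted_snat "$1" | wc -l | tr -d ' '
}

# suggest_fix RULE
# Rewrites an offending rule so that it excludes the tunnel device.
suggest_fix() {
    printf '%s\n' "$1" | sed "s/ -j / ! -o $TUN_DEV -j /"
}

# Stand-alone run: report what would need changing on the server.
echo "offending rules: $(count_unrestricted_snat "$SAMPLE_RULES")"
find_unrestricted_snat "$SAMPLE_RULES" | while IFS= read -r rule; do
    echo "found:     $rule"
    echo "suggested: $(suggest_fix "$rule")"
done
```

On a live server, feed it the real listing with `find_unrestricted_snat "$(iptables -t nat -S POSTROUTING)"`; a clean chain prints nothing. Simply deleting the rule, as the answer did, is the right fix when the NAT was never needed; the rewritten form is for setups that still need clients NATed out to the internet.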

Answer 2

Here is an example of a minimal client-to-client SSL/TLS configuration that works for the following network setup:

+------------------+            |                                                                 
|                  |            |                                                                 
|                  | 10.132.0.2 |                                                                 
|    Client 1      -------------|                                                                 
|                  |            |                                             +------------------+
|                  |            |                                             |                  |
+------------------+            |104.199.78.27                 130.211.80.223 |                  |
                             /- --------------  The Internet   ---------------|    Client 2      |
                           /-   |                                             |                  |
+------------------+     /-     |                                             |                  |
|                  |   /-       |                                             +------------------+
|                  | /-         |                                                                 
|  OpenVPN server  --------------                                                                 
|                  | 10.132.0.3 |                                                                 
|                  |            |                                                                 
+------------------+            |     

104.199.78.27 is NATed to 10.132.0.3, the OpenVPN server's internal address. The 10.8.0.0/24 network will be used for all VPN clients.

Here is the OpenVPN server configuration:

tls-server
proto tcp
port 443
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh2048.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

client-to-client

keepalive 10 120

comp-lzo

persist-key
persist-tun

status openvpn-status.log
log-append  /var/log/openvpn.log
verb 4
mute 20 

This is the configuration of client 1:

client
dev tun
proto tcp-client
remote 10.132.0.3 443
resolv-retry infinite

ca ca.crt
cert client1.crt
key client1.key

nobind
persist-key
persist-tun
comp-lzo

status openvpn-status.log
log-append  /var/log/openvpn.log
verb 4
mute 20      

This is the configuration of client 2:

client
dev tun
proto tcp-client
remote 104.199.78.27 443
resolv-retry infinite

ca ca.crt
cert client2.crt
key client2.key

nobind
persist-key
persist-tun
comp-lzo

status openvpn-status.log
log-append  /var/log/openvpn.log
verb 4
mute 20

When everything is up and running, we get the following IP and routing configuration:

server% ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:27 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:3971 (3.8 KiB)  TX bytes:3051 (2.9 KiB)

server% ip route show to match 10.8.0.0/24
default via 10.132.0.1 dev eth0 
10.8.0.0/24 via 10.8.0.2 dev tun0     

client1% ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:252 (252.0 B)  TX bytes:252 (252.0 B)

client1% ip route show to match 10.8.0.1
default via 10.132.0.1 dev eth0 
10.8.0.0/24 via 10.8.0.5 dev tun0 

client2% ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.10  P-t-P:10.8.0.9  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:420 (420.0 B)  TX bytes:420 (420.0 B)

client2% ip route show to match 10.8.0.1
default via 10.132.0.1 dev eth0 
10.8.0.0/24 via 10.8.0.9 dev tun0

So we have client-to-client connectivity:

server% ping -c 1 10.8.0.6
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
64 bytes from 10.8.0.6: icmp_seq=1 ttl=64 time=1.45 ms

--- 10.8.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.456/1.456/1.456/0.000 ms
root@server:/etc/openvpn# ping -c 1 10.8.0.10
PING 10.8.0.10 (10.8.0.10) 56(84) bytes of data.
64 bytes from 10.8.0.10: icmp_seq=1 ttl=64 time=0.779 ms

--- 10.8.0.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.779/0.779/0.779/0.000 ms

client1% ping -c 1 10.8.0.10
PING 10.8.0.10 (10.8.0.10) 56(84) bytes of data.
64 bytes from 10.8.0.10: icmp_seq=1 ttl=64 time=1.39 ms

--- 10.8.0.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.392/1.392/1.392/0.000 ms
root@client1:/etc/openvpn# ping -c 1 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=1.54 ms

--- 10.8.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.540/1.540/1.540/0.000 ms

client2% ping -c 1 10.8.0.6
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
64 bytes from 10.8.0.6: icmp_seq=1 ttl=64 time=1.12 ms

--- 10.8.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.124/1.124/1.124/0.000 ms
root@client2:/etc/openvpn# ping -c 1 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.584 ms

--- 10.8.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.584/0.584/0.584/0.000 ms
