I am trying to set up an OpenVPN server on AWS using Pritunl, but I am having trouble getting my AWS nodes to reach nodes outside the VPC through the VPN.
Basically my setup is
[ AWS Instance ] -- [ AWS OpenVpn Instance ] -- [ Local OS X Machine ]
Currently, traffic from the OS X machine works fine. I can ping any instance behind the VPC. However, when I try to ping the local OS X machine (or, more precisely, reach a server running on that machine), the connection hangs.
The AWS nodes are in the 172.31.0.0/16 subnet and the OS X machine is in the 192.168.241.0/24 subnet. On the OpenVPN instance itself, ping works:
ubuntu@ip-172-31-11-153:~$ ping 192.168.241.2
PING 192.168.241.2 (192.168.241.2) 56(84) bytes of data.
64 bytes from 192.168.241.2: icmp_seq=1 ttl=64 time=186 ms
64 bytes from 192.168.241.2: icmp_seq=2 ttl=64 time=170 ms
On the AWS instance, ping hangs:
ubuntu@ip-172-31-32-5:~$ ping 192.168.241.2
PING 192.168.241.2 (192.168.241.2) 56(84) bytes of data.
^C
--- 192.168.241.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2015ms
On the OpenVPN machine, using tcpdump, I can see the packets arrive at the machine, but no reply is ever sent:
ubuntu@ip-172-31-11-153:~$ sudo tcpdump -i any -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
02:04:32.706204 IP 172.31.32.5 > 192.168.241.2: ICMP echo request, id 31959, seq 1, length 64
02:04:33.705490 IP 172.31.32.5 > 192.168.241.2: ICMP echo request, id 31959, seq 2, length 64
02:04:34.705519 IP 172.31.32.5 > 192.168.241.2: ICMP echo request, id 31959, seq 3, length 64
02:04:35.705436 IP 172.31.32.5 > 192.168.241.2: ICMP echo request, id 31959, seq 4, length 64
For comparison, here is what happens when the OpenVPN machine pings the local OS X machine:
ubuntu@ip-172-31-11-153:~$ sudo tcpdump -i any -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
02:06:13.214559 IP 192.168.241.1 > 192.168.241.2: ICMP echo request, id 4169, seq 1, length 64
02:06:13.791529 IP 192.168.241.2 > 192.168.241.1: ICMP echo reply, id 4169, seq 1, length 64
02:06:14.215124 IP 192.168.241.1 > 192.168.241.2: ICMP echo request, id 4169, seq 2, length 64
02:06:14.370423 IP 192.168.241.2 > 192.168.241.1: ICMP echo reply, id 4169, seq 2, length 64
The route table in the AWS console is configured (192.168.241.0/24 -> OpenVpn Instance).
IP forwarding is enabled on the OpenVPN instance (echo 1 > /proc/sys/net/ipv4/ip_forward).
Source/destination check is disabled on the OpenVPN instance.
I have also tried ip route add (11.153 is the OpenVPN instance), which just returns an error:
ubuntu@ip-172-31-32-5:~$ sudo ip route add 192.168.241.0/24 via 172.31.11.153
RTNETLINK answers: Network is unreachable
My iptables rules are defined as follows:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere ip-172-31-0-0.us-east-2.compute.internal/16 /* pritunl-5a1f3acaf55623048c5ccaf0 */
ACCEPT all -- anywhere ip-192-168-241-0.us-east-2.compute.internal/24 /* pritunl-5a1f3acaf55623048c5ccaf0 */
DROP all -- anywhere anywhere /* pritunl-5a1f3acaf55623048c5ccaf0 */
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- ip-172-31-0-0.us-east-2.compute.internal/16 anywhere ctstate RELATED,ESTABLISHED /* pritunl-5a1f3acaf55623048c5ccaf0 */
ACCEPT all -- anywhere ip-172-31-0-0.us-east-2.compute.internal/16 /* pritunl-5a1f3acaf55623048c5ccaf0 */
ACCEPT all -- ip-192-168-241-0.us-east-2.compute.internal/24 anywhere /* pritunl-5a1f3acaf55623048c5ccaf0 */
ACCEPT all -- anywhere ip-192-168-241-0.us-east-2.compute.internal/24 /* pritunl-5a1f3acaf55623048c5ccaf0 */
DROP all -- anywhere anywhere /* pritunl-5a1f3acaf55623048c5ccaf0 */
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- ip-172-31-0-0.us-east-2.compute.internal/16 anywhere /* pritunl-5a1f3acaf55623048c5ccaf0 */
ACCEPT all -- ip-192-168-241-0.us-east-2.compute.internal/24 anywhere /* pritunl-5a1f3acaf55623048c5ccaf0 */
DROP all -- anywhere anywhere /* pritunl-5a1f3acaf55623048c5ccaf0 */
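The two tcpdump captures in the question already contain the key evidence: requests from 172.31.32.5 reach the gateway but never get a reply, while requests sourced by the gateway itself do. The following script is an added example (not part of the original post or of Pritunl) that parses exactly that "tcpdump -n icmp" line format, pairs echo requests with replies on (src, dst, id, seq), and flags unanswered flows. It also counts how many times each request line appears, because under "tcpdump -i any" a packet the box forwards is captured once per interface it crosses, so a request seen only once on a gateway was never sent out the tunnel. The sample input is the capture text from the question above; the local_addrs set is an assumption listing the gateway's own addresses.

```python
import re
from collections import defaultdict

# Matches the ICMP echo lines tcpdump prints with "-n icmp" (same format as the captures above).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)

# Sample input: the two captures from the question, concatenated (banner lines included once).
SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
02:04:32.706204 IP 172.31.32.5 > 192.168.241.2: ICMP echo request, id 31959, seq 1, length 64
02:04:33.705490 IP 172.31.32.5 > 192.168.241.2: ICMP echo request, id 31959, seq 2, length 64
02:04:34.705519 IP 172.31.32.5 > 192.168.241.2: ICMP echo request, id 31959, seq 3, length 64
02:04:35.705436 IP 172.31.32.5 > 192.168.241.2: ICMP echo request, id 31959, seq 4, length 64
02:06:13.214559 IP 192.168.241.1 > 192.168.241.2: ICMP echo request, id 4169, seq 1, length 64
02:06:13.791529 IP 192.168.241.2 > 192.168.241.1: ICMP echo reply, id 4169, seq 1, length 64
02:06:14.215124 IP 192.168.241.1 > 192.168.241.2: ICMP echo request, id 4169, seq 2, length 64
02:06:14.370423 IP 192.168.241.2 > 192.168.241.1: ICMP echo reply, id 4169, seq 2, length 64
""".splitlines()


def parse_icmp_lines(lines):
    """Yield one dict per echo request/reply line; tcpdump banner lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt["id"] = int(pkt["id"])
            pkt["seq"] = int(pkt["seq"])
            yield pkt


def analyse_echoes(lines):
    """Pair echo requests with replies on (src, dst, id, seq).

    Returns {(src, dst): {"sent": distinct requests, "copies": total request lines seen,
                          "answered": replies matched, "lost": [unanswered seq numbers]}}.
    With "tcpdump -i any", a forwarded packet is captured once per interface it crosses,
    so "copies" > "sent" is the sign that the host actually forwarded the request.
    """
    pending = defaultdict(int)  # request key -> number of times seen, 0 once answered
    flows = defaultdict(lambda: {"sent": 0, "copies": 0, "answered": 0, "lost": []})
    for pkt in parse_icmp_lines(lines):
        key = (pkt["src"], pkt["dst"], pkt["id"], pkt["seq"])
        if pkt["kind"] == "request":
            flow = flows[(pkt["src"], pkt["dst"])]
            if pending[key] == 0:
                flow["sent"] += 1
            pending[key] += 1
            flow["copies"] += 1
        else:
            # A reply carries the request's addresses reversed.
            rkey = (pkt["dst"], pkt["src"], pkt["id"], pkt["seq"])
            if pending.get(rkey, 0) > 0:
                flows[(pkt["dst"], pkt["src"])]["answered"] += 1
                pending[rkey] = 0  # mark answered; a second copy of the reply is ignored
    for (src, dst, _id, seq), n in sorted(pending.items()):
        if n > 0:
            flows[(src, dst)]["lost"].append(seq)
    return dict(flows)


def diagnose(flows, local_addrs=frozenset()):
    """Turn the flow table into readable findings.

    local_addrs (assumed, supplied by the caller): addresses owned by the capturing host.
    Traffic sourced from them is not forwarded, so the copy count says nothing about it.
    """
    findings = []
    for (src, dst), f in sorted(flows.items()):
        if f["answered"] == f["sent"]:
            findings.append(f"{src} -> {dst}: ok, {f['answered']}/{f['sent']} answered")
            continue
        msg = f"{src} -> {dst}: {len(f['lost'])}/{f['sent']} unanswered (seq {f['lost']})"
        if src not in local_addrs and f["copies"] == f["sent"]:
            msg += "; each request captured once, so this host did not forward it"
        findings.append(msg)
    return findings


if __name__ == "__main__":
    # 192.168.241.1 and 172.31.11.153 are the gateway's own addresses in the question.
    for line in diagnose(analyse_echoes(SAMPLE), local_addrs={"192.168.241.1", "172.31.11.153"}):
        print(line)
```

Run it as-is to see the two findings for the captures above, or pipe a live capture into it (for example, reading sys.stdin instead of SAMPLE). The "captured once" hint is the useful part for this kind of problem: it separates "the gateway dropped or never routed the packet" (fix routing, forwarding or the VPN server's route restrictions) from "the packet went out the tunnel and the far side never answered" (fix the client or its firewall).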
Answer 1
Following https://docs.pritunl.com/v1/docs/routing-issues,
I unchecked the "Restrict routes" option.