I'm trying to set up an OpenVPN daemon on my network, but I'm having some trouble with iptables + routing.
Here is my setup:
- The current LAN is 192.168.2.0/24; the OpenVPN daemon runs on 192.168.2.251
The daemon starts fine, but whenever I initiate a connection from a client I see the following messages:
Mon Feb 5 17:41:59 2018 /sbin/ip link set dev tun0 up mtu 1500
Mon Feb 5 17:41:59 2018 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Mon Feb 5 17:41:59 2018 /sbin/ip route add 192.168.2.251/32 dev br0
RTNETLINK answers: File exists
Mon Feb 5 17:41:59 2018 ERROR: Linux route add command failed: external program exited with error status: 2
Mon Feb 5 17:41:59 2018 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Mon Feb 5 17:41:59 2018 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Mon Feb 5 17:41:59 2018 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
First, why the error status 2; and second, why do I still see routes being added after commenting out the pushed routes in the daemon's server.conf?
That is one part of the problem; the other part is that I don't know how to "merge" the new iptables rules into my current iptables rules. I currently have these rules, in this order (the main NIC is eth0, openvpn is tun0):
$IPT -F INPUT
$IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
<some other rules>
# VPNd rules
$IPT -A INPUT -i eth0 -p udp --dport 1199 -j ACCEPT #openVPNd runs on udp/1199
$IPT -A INPUT -i tun0 -j ACCEPT
$IPT -A FORWARD -i eth0 -j ACCEPT
$IPT -A OUTPUT -o tun0 -j ACCEPT
<some other rules>
net.ipv4.forwarding = 1 is set in /etc/sysctl.conf
Now, one consequence of my faulty rules is that clients connected to the VPN server cannot reach servers outside my LAN (192.168.2.0/24). I want my clients to be able to connect from my VPN link to anywhere they choose.
I just noticed that the error message above only seems to appear on client hosts that use bridged networking (some of my clients are also KVM hypervisors). On OSX and on my VMs, for example, it doesn't show up. Is there a connection?
What am I missing?
Output of iptables -vL:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3975 963K ACCEPT all -- eth0 any anywhere anywhere state RELATED,ESTABLISHED
5 308 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:http
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:https
6 492 ACCEPT udp -- eth0 any anywhere anywhere udp dpt:dmidi
0 0 ACCEPT all -- tun0 any anywhere anywhere
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:grcp
0 0 ACCEPT udp -- eth0 any anywhere anywhere udp dpt:25826
2198 432K REJECT all -- eth0 any anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0 any anywhere anywhere
Chain OUTPUT (policy ACCEPT 1552 packets, 225K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any tun0 anywhere anywhere
Output of iptables -t nat -vL:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
(empty?)
ip addr output on the VPN daemon:
[19:28:50|jfgratton@vpntst:~]: ip addr
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:5f:f8:44 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.251/24 brd 192.168.2.255 scope global eth0
valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/none
inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever
All clients are on the same /24 (192.168.2.0). Two clients, although on the same subnet, use a bridged interface (br0 rather than a physical interface such as eth0); I don't think it matters, but I want to cover every angle.
New output:
[20:00:45|root@vpntst:~]: iptables -vL;iptables -t nat -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
212 17577 ACCEPT all -- eth0 any anywhere anywhere state RELATED,ESTABLISHED
1 60 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:http
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:https
0 0 ACCEPT udp -- eth0 any anywhere anywhere udp dpt:dmidi
0 0 ACCEPT all -- tun0 any anywhere anywhere
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:grcp
0 0 ACCEPT udp -- eth0 any anywhere anywhere udp dpt:25826
13 2621 REJECT all -- eth0 any anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0 any anywhere anywhere
Chain OUTPUT (policy ACCEPT 144 packets, 16717 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any tun0 anywhere anywhere
Chain PREROUTING (policy ACCEPT 20 packets, 3509 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 1 packets, 60 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 12 packets, 912 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 12 packets, 912 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- any eth0 10.8.0.0/24 anywhere
My firewall script:
#!/bin/bash
IPT=/sbin/iptables

case "$1" in
    start)
        # Flush every chain this script populates, so a restart
        # does not append duplicate rules behind the existing ones
        $IPT -F INPUT
        $IPT -F FORWARD
        $IPT -F OUTPUT
        $IPT -t nat -F POSTROUTING
        $IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
        # VPNd rules
        $IPT -A INPUT -i eth0 -p udp --dport 1199 -j ACCEPT
        $IPT -A INPUT -i tun0 -j ACCEPT
        $IPT -A FORWARD -i eth0 -j ACCEPT
        $IPT -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
        $IPT -A OUTPUT -o tun0 -j ACCEPT
        # Other rules
        $IPT -A INPUT -i eth0 -p tcp --dport 9123 -j ACCEPT
        $IPT -A INPUT -i eth0 -p udp --dport 25826 -j ACCEPT
        $IPT -A INPUT -i eth0 -j REJECT
        exit 0
        ;;
    stop)
        $IPT -F INPUT
        $IPT -F FORWARD
        $IPT -F OUTPUT
        $IPT -t nat -F POSTROUTING
        exit 0
        ;;
    *)
        echo "Usage: /etc/init.d/firewall {start|stop}"
        exit 1
        ;;
esac
Now, I set up vpnd following the instructions at https://chichivica.github.io/2017/08/02/Install-OpenVPN-on-Fedora-26/. I now realise that nothing there mentions routing or anything of the kind. One thing I did, which I'm sure is necessary, was to enable ipv4 forwarding in /etc/sysctl.conf. Other than that I followed the instructions at that link to the letter and did nothing else.
Server configuration file
Here is the routing configuration in my server.conf. A few minutes ago I even tried commenting out the last push, but unfortunately the result is the same:
[9:03:07|root@vpntst:openvpn]: egrep "route|redirect" server.conf|egrep -v ^\#
;push "route 192.168.2.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;route 192.168.40.128 255.255.255.248
;route 10.9.0.0 255.255.255.252
push "redirect-gateway def1 bypass-dhcp"
This is driving me nuts :-)
Answer 1
This answer is not really an answer. I can't go any further with this question, because I would need to add static routes on the outgoing router, and my ISP won't let me do that.
Unless I change ISP, the case is closed.