After connecting to OpenVPN I cannot even ping the VPN address (172.16.0.1). This is my VPN configuration:
```
##protocol port
port 1194
proto tcp
dev tun
##ip server client
server 172.16.0.0 255.255.0.0
##key
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
##option
persist-key
persist-tun
keepalive 5 60
reneg-sec 432000
##option authen.
comp-lzo
user nobody
#group nogroup
client-to-client
username-as-common-name
client-cert-not-required
auth-user-pass-verify /etc/openvpn/scripts/login.sh via-env
##push to client
max-clients 50
push "persist-key"
push "persist-tun"
push "redirect-gateway local def1"
push "explicit-exit-notify 1"
#push "route 172.16.1.0 255.255.255.0 172.16.1.1"
#push "route-gateway 172.16.1.1"
#push "route add 10.123.0.0 255.255.0.0 172.16.1.1"
##DNS-Server
push "dhcp-option DNS 10.96.0.10"
##script connect-disconnect
script-security 2
##client-connect /etc/openvpn/scripts/connect.sh
client-disconnect /etc/openvpn/scripts/disconnect.sh
##log-status
##status /etc/openvpn/log/tcp_443.log
##log-append /etc/openvpn/log/openvpn.log
verb 3
```
After connecting, I noticed that some strange routes had been created:
```
default via 172.16.0.5 dev tun0 proto static metric 50
default via 192.168.10.1 dev enp5s0 proto dhcp metric 100
172.16.0.0/16 via 172.16.0.5 dev tun0 proto static metric 50
172.16.0.5 dev tun0 proto kernel scope link src 172.16.0.6 metric 50
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.10.0/24 dev enp5s0 proto kernel scope link src 192.168.10.181 metric 100
192.168.10.1 dev enp5s0 proto static scope link metric 100
194.177.28.83 via 192.168.10.1 dev enp5s0 proto static metric 100
```
Why is 172.16.0.5 being added instead of 172.16.0.1? No such address exists at all.
Edit:
As mentioned in the comments, yes, it is the peer IP. After I removed `push "redirect-gateway local def1"` it started to ping the VPN IP, but I still cannot connect to the services behind the VPN. My firewall rules are:
```
iptables -A FORWARD -i tun0 -o eth0 -s 172.16.0.0/24 -d 10.0.0.0/8 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 172.16.0.0/24 -j MASQUERADE
```
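The 172.16.0.5/172.16.0.6 pair in the route table is what OpenVPN's default `topology net30` hands out: the server keeps the first /30 of the `server` subnet (tun address .1, peer .2) and every client receives the next /30, using its second usable host as the client address and the first as the server-side peer. The following is an added illustration, not code from the question or from OpenVPN; it reproduces that allocation for `server 172.16.0.0 255.255.0.0` and checks whether a firewall source prefix such as the `-s 172.16.0.0/24` above covers every client the pool can issue (assumes sequential pool assignment with no persisted reuse).

```python
import ipaddress


def net30_client_addresses(server_net: str, client_index: int):
    """Return (client_ip, server_peer_ip) for the N-th client (0-based)
    under OpenVPN 'topology net30'.

    The pool starts at the second /30 of the server subnet (the first /30
    belongs to the server's own tun interface), so client 0 gets
    172.16.0.4/30 in a 172.16.0.0/16 server subnet: client .6, peer .5.
    Assumption: clients are allocated consecutive /30 blocks in order.
    """
    net = ipaddress.ip_network(server_net, strict=True)
    block_start = net.network_address + 4 * (client_index + 1)
    block = ipaddress.ip_network(f"{block_start}/30")
    if not block.subnet_of(net):
        raise ValueError(f"client {client_index} does not fit in {server_net}")
    first, second = list(block.hosts())  # a /30 has exactly two usable hosts
    return str(second), str(first)


def uncovered_clients(rule_prefix: str, server_net: str, max_clients: int):
    """List client addresses that a firewall '-s <rule_prefix>' match would
    NOT cover, for a pool of max_clients clients. Useful when the iptables
    source prefix (/24 here) is narrower than the server subnet (/16)."""
    rule = ipaddress.ip_network(rule_prefix, strict=True)
    missing = []
    for idx in range(max_clients):
        client_ip, _peer = net30_client_addresses(server_net, idx)
        if ipaddress.ip_address(client_ip) not in rule:
            missing.append(client_ip)
    return missing


if __name__ == "__main__":
    # Matches the route line "172.16.0.5 dev tun0 ... src 172.16.0.6".
    print(net30_client_addresses("172.16.0.0/16", 0))
    # With max-clients 50 the /24 in the FORWARD/MASQUERADE rules still
    # covers every pool address; it stops covering clients beyond index 62.
    print(uncovered_clients("172.16.0.0/24", "172.16.0.0/16", 50))
    print(uncovered_clients("172.16.0.0/24", "172.16.0.0/16", 64))
```

With `max-clients 50` the /24 happens to cover the whole pool, so the prefix mismatch alone does not explain the blocked traffic; it would start dropping clients only once more than 63 are connected.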