VPN client cannot reach the LAN

I have a server with a public IP on the office LAN running OpenVPN. External VPN clients can connect to the VPN through the public IP.

But once connected, they cannot reach the other servers on the office LAN, although they can reach any site on the WAN.

My openvpn.conf looks like this:

local xx.xx.xx.xx
port 8443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
;ifconfig-pool-persist ipp.txt
push "route 10.84.172.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.84.172.117"
push "dhcp-option DNS 9.9.9.9"
duplicate-cn
keepalive 10 120
tls-auth ta.key 0
key-direction 0
cipher AES-128-CBC
auth SHA256
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
log-append  openvpn.log
verb 9

The client config is as follows:

client
dev tun
proto tcp
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-128-CBC
auth SHA256
key-direction 1
comp-lzo
verb 3
mute 20

The output of ip route show is:

default via xx.xx.xx.xx dev ens19 onlink 
10.8.0.0/24 via 10.8.0.2 dev tun0 
10.8.0.2 dev tun0  proto kernel  scope link  src 10.8.0.1 
10.84.172.0/24 dev ens18  proto kernel  scope link  src 10.84.172.76 
xx.xx.xx.xx/27 dev ens19  proto kernel  scope link  src  xx.xx.xx.xx

ifconfig output:

ens18     Link encap:Ethernet  HWaddr e2:d0:37:41:fe:62  
          inet addr:10.84.172.76  Bcast:10.84.172.255  Mask:255.255.255.0
          inet6 addr: fe80::e0d0:37ff:fe41:fe62/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:300099 errors:0 dropped:7 overruns:0 frame:0
          TX packets:813 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:45852701 (45.8 MB)  TX bytes:108772 (108.7 KB)

ens19     Link encap:Ethernet  HWaddr a2:c9:4f:0f:b3:a8  
          inet addr:xx.xx.xx.xx  Bcast:xx.xx.xx.xx  Mask:255.255.255.224
          inet6 addr: fe80::a0c9:4fff:fe0f:b3a8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:121480 errors:0 dropped:31009 overruns:0 frame:0
          TX packets:37745 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:14195083 (14.1 MB)  TX bytes:6904167 (6.9 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:176 errors:0 dropped:0 overruns:0 frame:0
          TX packets:176 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:13296 (13.2 KB)  TX bytes:13296 (13.2 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

netstat -r output: https://pastebin.com/30ZRNRri

IPv4 forwarding is enabled.

I believe I am missing some static routes between the OpenVPN tun subnet and my actual local subnet, but none of the routes I have tried adding between them have worked.

Answer 1

I think you should uncomment the push route line in the openvpn.conf file and see if it works.

Answer 2

Assuming this is what you want:

[OVPN Clients(10.8.0.0/24)]<-tunnel->[OVPN Svr(10.84.172.76)]<-LAN->[GW(10.84.172.1)]<-LAN->[SUBNET (10.84.172.0/24)]

and that you cannot simply add 10.8.0.0/24 --> 10.84.172.76 to the GW's routing table, you must manually add a persistent route to each LAN system.

Debian-based: edit /etc/network/interfaces and add

up route add -net 10.8.0.0/24 gw 10.84.172.76 dev [your_lan_nic (not tun!)]

RHEL-based: edit /etc/sysconfig/network-scripts/route-eth[your lan nic #] and add

10.8.0.0/24 via 10.84.172.76

I strongly recommend you contact the gateway administrator to have your route added there, rather than having to deal with every box individually.

I would also recommend a few changes to your OpenVPN configuration.

Server config (with the reasoning for each change):

local xx.xx.xx.xx
#port 8443 isn't officially registered with iana, but it is a default for apache tomcat ssl.
#you may be better served by using a less commonly-used port.
port 8443
#proto udp generally has significantly better performance than tcp.
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
#topology subnet is recommended over the default net30.
#you should only have to use net30 if an old Windows ovpn client needs to connect.
topology subnet
server 10.8.0.0 255.255.255.0
push "route 10.84.172.0 255.255.255.0"
;push "redirect-gateway def1 bypass-dhcp"   #leave this out for now to help diagnose routing issues.
push "dhcp-option DNS 10.84.172.117"
push "dhcp-option DNS 9.9.9.9"
duplicate-cn
keepalive 10 120
tls-auth ta.key 0
#key-direction is unnecessary.
#the tls-auth setting already includes the direction (0)
;key-direction 0
cipher AES-128-CBC
auth SHA256
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
#Use either log or log-append, not both.
#log overwrites the log every time the service starts.
#log-append continues to write to the file when the service starts.
log openvpn.log
;log-append openvpn.log
#you'll probably want to lower the verbosity so your logs are readable.
#verb 3 is usually plenty of information.
verb 9
#mute helps keep your logs readable by suppressing floods of the same error.
mute 20
#explicit-exit-notify helps clients reconnect should the server need to restart.
explicit-exit-notify 1

Client config:

client
dev tun
#as above, proto udp has much better performance than tcp
proto udp
#remote host [port] [proto] it's useful to identify the remote server.
#host can be either the IP or FQDN if you have a DNS record.
#I continue to recommend a different port.
remote xx.xx.xx.xx 8443 udp
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-128-CBC
auth SHA256
key-direction 1
comp-lzo
verb 3
mute 20
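A small diagnostic script for the return-route problem Answer 2 describes, added here as an example and not part of the question or either answer. It parses the text of `ip route show` as captured on a LAN host (the sample tables below are constructed; the subnet and server address are the ones from the question) and reports whether the route back to 10.8.0.0/24 exists and points at the OpenVPN server's LAN address rather than at some other gateway, then prints the one-off command that would add it.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the original question or answers.
# It reads `ip route show` output taken on a LAN host and checks whether
# the return route for the OpenVPN client subnet exists and points at the
# OpenVPN server's LAN address. Defaults are the values from the question.
VPN_NET="10.8.0.0/24"
OVPN_LAN_IP="10.84.172.76"
LAN_NET="10.84.172.0/24"

# has_return_route ROUTE_TABLE [VPN_NET] [OVPN_LAN_IP]
# Prints ok, wrong-gateway or missing; returns 0 only for ok.
has_return_route() {
    _net="${2:-$VPN_NET}"; _gw="${3:-$OVPN_LAN_IP}"
    _line=$(printf '%s\n' "$1" | awk -v n="$_net" '$1 == n { print; exit }')
    [ -n "$_line" ] || { echo missing; return 1; }
    # Trailing space so the pattern also matches a "via GW" at end of line.
    case "$_line " in
        *"via $_gw "*) echo ok; return 0 ;;
        *) echo wrong-gateway; return 1 ;;
    esac
}

# lan_nic ROUTE_TABLE [LAN_NET]
# Prints the interface carrying the LAN subnet: the "dev" the return route
# must be bound to (never the tun interface, as Answer 2 stresses).
lan_nic() {
    printf '%s\n' "$1" | awk -v n="${2:-$LAN_NET}" \
        '$1 == n { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# suggest_fix ROUTE_TABLE
# Prints the one-off command that adds the missing return route on this host.
suggest_fix() {
    echo "ip route add $VPN_NET via $OVPN_LAN_IP dev $(lan_nic "$1")"
}

# Constructed sample route tables for a LAN host at 10.84.172.50.
LAN_HOST_BEFORE='default via 10.84.172.1 dev eth0
10.84.172.0/24 dev eth0 proto kernel scope link src 10.84.172.50'
LAN_HOST_AFTER="10.8.0.0/24 via 10.84.172.76 dev eth0
$LAN_HOST_BEFORE"
LAN_HOST_WRONG="10.8.0.0/24 via 10.84.172.1 dev eth0
$LAN_HOST_BEFORE"

# Walk the samples: a failing check is followed by the suggested command.
for t in "$LAN_HOST_BEFORE" "$LAN_HOST_AFTER" "$LAN_HOST_WRONG"; do
    has_return_route "$t" || suggest_fix "$t"
done
```

On a real host, feed it the live table with `has_return_route "$(ip route show)"`; the persistent form of the fix is the interfaces or route-ethN entry from Answer 2.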