我在办公室局域网上有一台运行开放 VPN 的公网 IP 服务器。外部 VPN 客户端可以通过公网 IP 连接到 VPN。
但一旦连接,他们就无法连接到办公室局域网上的其他服务器,但他们可以通过广域网访问任何站点。
我的 openvpn.conf 就像
local xx.xx.xx.xx
port 8443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
;ifconfig-pool-persist ipp.txt
push "route 10.84.172.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.84.172.117"
push "dhcp-option DNS 9.9.9.9"
duplicate-cn
keepalive 10 120
tls-auth ta.key 0
key-direction 0
cipher AES-128-CBC
auth SHA256
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 9
客户端配置如下
client
dev tun
proto tcp
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-128-CBC
auth SHA256
key-direction 1
comp-lzo
verb 3
mute 20
ip route show 输出是
default via xx.xx.xx.xx dev ens19 onlink
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
10.84.172.0/24 dev ens18 proto kernel scope link src 10.84.172.76
xx.xx.xx.xx/27 dev ens19 proto kernel scope link src xx.xx.xx.xx
ifconfig 输出
ens18 Link encap:Ethernet HWaddr e2:d0:37:41:fe:62
inet addr:10.84.172.76 Bcast:10.84.172.255 Mask:255.255.255.0
inet6 addr: fe80::e0d0:37ff:fe41:fe62/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:300099 errors:0 dropped:7 overruns:0 frame:0
TX packets:813 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:45852701 (45.8 MB) TX bytes:108772 (108.7 KB)
ens19 Link encap:Ethernet HWaddr a2:c9:4f:0f:b3:a8
inet addr:xx.xx.xx.xx Bcast:xx.xx.xx.xx Mask:255.255.255.224
inet6 addr: fe80::a0c9:4fff:fe0f:b3a8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:121480 errors:0 dropped:31009 overruns:0 frame:0
TX packets:37745 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:14195083 (14.1 MB) TX bytes:6904167 (6.9 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:176 errors:0 dropped:0 overruns:0 frame:0
TX packets:176 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:13296 (13.2 KB) TX bytes:13296 (13.2 KB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
netsat -r 输出 https://pastebin.com/30ZRNRri
已启用 ipv4 转发
我相信我缺少 openvpn tun 子网和我的实际本地子网之间的一些静态路由,但我尝试在它们之间进行路由的路由都不起作用。
答案1
答案2
假设这是你想要的:
[OVPN Clients(10.8.0.0/24)]<-tunnel->[OVPN Svr(10.84.172.76)]<-LAN->[GW(10.84.172.1)]<-LAN->[SUBNET (10.84.172.0/24)]
并且您不能简单地将 10.8.0.0/24 --> 10.84.172.76 添加到 GW 的路由表中,您必须手动向每个 LAN 系统添加持久路由。
基于 Debian:编辑/etc/network/interfaces
和添加
up route add -net 10.8.0.0/24 gw 10.84.172.76 dev [your_lan_nic (not tun!)]
基于 RHEL:编辑/etc/sysconfig/network-scripts/route-eth[your lan nic #]
10.8.0.0/24 via 10.84.172.76
我强烈建议您与网关管理员联系,以便在那里添加您的路线,而不必单独处理每个框。
我还建议您对 OpenVPN 配置做一些更改。
服务器配置(包含更改的理由):
local xx.xx.xx.xx
#port 8443 isn't officially registered with iana, but it is a default for apache tomcat ssl.
#you may be better served by using a less commonly-used port.
port 8443
#proto udp generally has significantly better performance than tcp.
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
#topology subnet is recommended over the default net30.
#you should only have to use net30 if an old Windows ovpn client needs to connect.
topology subnet
server 10.8.0.0 255.255.255.0
push "route 10.84.172.0 255.255.255.0"
;push "redirect-gateway def1 bypass-dhcp" #leave this out for now to help diagnose routing issues.
push "dhcp-option DNS 10.84.172.117"
push "dhcp-option DNS 9.9.9.9"
duplicate-cn
keepalive 10 120
tls-auth ta.key 0
#key-direction is unneccessary.
#the tls-auth setting already includes the direction (0)
;key-direction 0
cipher AES-128-CBC
auth SHA256
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
#Use either log or log-append, not both.
#log overwrites the log every time the service starts.
#log-append continues to write to the file when the service starts.
log openvpn.log
;log-append openvpn.log
#you'll probably want to lower the verbosity so your logs are readable.
#verb 3 is usually plenty of information.
verb 9
#mute helps keep your logs readable by suppressing floods of the same error.
mute 20
#explicit-exit-notify helps clients reconnect should the server need to restart.
explicit-exit-notify 1
客户端配置:
client
dev tun
#as above, proto udp has much better performance than tcp
proto udp
#remote host [port] [proto] it's useful to identify the remote server.
#host can be either the IP or FQDN if you have a DNS record.
#I continue to recommend a different port.
remote xx.xx.xx.xx 8443 udp
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-128-CBC
auth SHA256
key-direction 1
comp-lzo
verb 3
mute 20