OpenVPN not forwarding internal subnet traffic

I'm using openvpn (with webmin and ubuntu 18.10), and traffic isn't being forwarded between the subnets =[ OpenVPN is creating a routing table entry with the wrong (I think) gateway.

I need 2 (or more) subnets with forwarded traffic, but only one of them (the admin server subnet) can initiate requests.

Clients on the client server subnet can't see other devices in the same subnet... they can only connect to devices on the admin server.

The clients can connect (I tested with tcpdump and ping)... iptables isn't blocking any forwarded traffic.

Is the VPN server configured correctly? Do I need to add a "route" command in each config?

Admin server config file

port 1195
proto udp
dev tun0
ca keys/admin/ca.crt
cert keys/admin/admin-server.crt
key keys/admin/admin-server.key
dh keys/admin/dh2048.pem
topology subnet
server 172.20.0.0 255.255.255.0
crl-verify keys/admin/crl.pem
cipher AES-256-CFB
user nobody
group nogroup
status servers/admin-server/logs/openvpn-status.log
log-append servers/admin-server/logs/openvpn.log
verb 2
mute 20
max-clients 100
management 127.0.0.1 7506
keepalive 10 120
client-config-dir /etc/openvpn/servers/admin-server/ccd
comp-lzo
persist-key
persist-tun
ccd-exclusive
route 172.21.0.0 255.255.255.0
push "route 172.21.0.0 255.255.255.0"

Client server config file

port 1194
proto udp
dev tun1
ca keys/clientes/ca.crt
cert keys/clientes/clientes-server.crt
key keys/clientes/clientes-server.key
dh keys/clientes/dh2048.pem
topology subnet
server 172.21.0.0 255.255.255.0
crl-verify keys/clientes/crl.pem
cipher AES-256-CBC
user nobody
group nogroup
status servers/clientes-server/logs/openvpn-status.log
log-append servers/clientes-server/logs/openvpn.log
verb 2
mute 20
max-clients 100
management 127.0.0.1 7505
keepalive 10 120
client-config-dir /etc/openvpn/servers/clientes-network/ccd
comp-lzo
persist-key
persist-tun
ccd-exclusive
topology subnet
route 172.20.0.0 255.255.255.0
push "route 172.20.0.0 255.255.255.0"

clientes-joao.ovpn (client config for the clientes server)

client
proto udp
dev tun
ca ca.crt
dh dh2048.pem
cert clientes-joao.crt
key clientes-joao.key
remote xx.xx.xx 1194
cipher AES-256-CBC
verb 2
mute 20
keepalive 10 120
comp-lzo
persist-key
persist-tun
resolv-retry infinite
nobind

Routes

$ route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    100    0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.0.1        0.0.0.0         255.255.255.255 UH    100    0        0 eth0
172.20.0.0      172.21.0.2      255.255.255.0   UG    0      0        0 tun1
172.20.0.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0
172.21.0.0      0.0.0.0         255.255.255.0   U     0      0        0 tun1

iptables

$ iptables -S

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p udp -m udp --dport 1195 -j ACCEPT
-A FORWARD -i tun0 -o tun+ -j ACCEPT
-A FORWARD -i tun+ -o tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 10000 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 1195 -j LOG

ifconfig

$ ifconfig

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 172.20.0.1  netmask 255.255.255.0  destination 172.20.0.1
        inet6 fe80::2b43:ffe6:df7f:33f  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10  bytes 480 (480.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 172.21.0.1  netmask 255.255.255.0  destination 172.21.0.1
        inet6 fe80::326:a44b:6bf3:f10b  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 46  bytes 5861 (5.8 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 98  bytes 8117 (8.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Admin server log

$ cat servers/admin-server/logs/openvpn.log

Wed Jan 30 19:37:34 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep  5 2018
Wed Jan 30 19:37:34 2019 library versions: OpenSSL 1.1.0g  2 Nov 2017, LZO 2.08
Wed Jan 30 19:37:34 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:7506
Wed Jan 30 19:37:34 2019 Diffie-Hellman initialized with 2048 bit key
Wed Jan 30 19:37:34 2019 TUN/TAP device tun0 opened
Wed Jan 30 19:37:34 2019 TUN/TAP TX queue length set to 100
Wed Jan 30 19:37:34 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jan 30 19:37:34 2019 /sbin/ip link set dev tun0 up mtu 1500
Wed Jan 30 19:37:34 2019 /sbin/ip addr add dev tun0 172.20.0.1/24 broadcast 172.20.0.255
Wed Jan 30 19:37:34 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Jan 30 19:37:34 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jan 30 19:37:34 2019 UDPv4 link local (bound): [AF_INET][undef]:1195
Wed Jan 30 19:37:34 2019 UDPv4 link remote: [AF_UNSPEC]
Wed Jan 30 19:37:34 2019 GID set to nogroup
Wed Jan 30 19:37:34 2019 UID set to nobody
Wed Jan 30 19:37:34 2019 MULTI: multi_init called, r=256 v=256
Wed Jan 30 19:37:34 2019 IFCONFIG POOL: base=172.20.0.2 size=252, ipv6=0
Wed Jan 30 19:37:34 2019 Initialization Sequence Completed

Client server log

$ cat servers/clientes-server/logs/openvpn.log

Wed Jan 30 19:37:40 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep  5 2018
Wed Jan 30 19:37:40 2019 library versions: OpenSSL 1.1.0g  2 Nov 2017, LZO 2.08
Wed Jan 30 19:37:40 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:7505
Wed Jan 30 19:37:40 2019 Diffie-Hellman initialized with 2048 bit key
Wed Jan 30 19:37:40 2019 ROUTE_GATEWAY 10.0.0.1/255.255.255.0 IFACE=eth0 HWADDR=0a:91:77:ec:fd:8c
Wed Jan 30 19:37:40 2019 TUN/TAP device tun1 opened
Wed Jan 30 19:37:40 2019 TUN/TAP TX queue length set to 100
Wed Jan 30 19:37:40 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jan 30 19:37:40 2019 /sbin/ip link set dev tun1 up mtu 1500
Wed Jan 30 19:37:40 2019 /sbin/ip addr add dev tun1 172.21.0.1/24 broadcast 172.21.0.255
Wed Jan 30 19:37:40 2019 /sbin/ip route add 172.20.0.0/24 via 172.21.0.2
RTNETLINK answers: File exists
Wed Jan 30 19:37:40 2019 ERROR: Linux route add command failed: external program exited with error status: 2
Wed Jan 30 19:37:40 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Jan 30 19:37:40 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jan 30 19:37:40 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Wed Jan 30 19:37:40 2019 UDPv4 link remote: [AF_UNSPEC]
Wed Jan 30 19:37:40 2019 GID set to nogroup
Wed Jan 30 19:37:40 2019 UID set to nobody
Wed Jan 30 19:37:40 2019 MULTI: multi_init called, r=256 v=256
Wed Jan 30 19:37:40 2019 IFCONFIG POOL: base=172.21.0.2 size=252, ipv6=0
Wed Jan 30 19:37:40 2019 Initialization Sequence Completed

Thanks!
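Added example, not part of the original post: a small Python check that reads the `route -n` and `iptables -S` output quoted above and reports (a) any prefix that is directly connected on one interface yet also carries a gateway route via another, which is what the RTNETLINK "File exists" error in the client server log is about, and (b) whether the FORWARD chain accepts new connections in each direction between tun0 and tun1. Traffic between two clients of the same OpenVPN instance also passes through FORWARD (as tun1 in, tun1 out) unless `client-to-client` is set, so that direction is checked too; the sample input is the posted output, embedded here as constructed test data.

```python
# Added diagnostic (not from the original post): flag a prefix that is directly
# connected on one interface but also has a gateway route via another, and test
# the FORWARD chain per direction. Sample input is the output quoted in the post.
ROUTE_N = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    100    0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.20.0.0      172.21.0.2      255.255.255.0   UG    0      0        0 tun1
172.20.0.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0
172.21.0.0      0.0.0.0         255.255.255.0   U     0      0        0 tun1
"""
IPTABLES_S = """\
-P FORWARD DROP
-A FORWARD -i tun0 -o tun+ -j ACCEPT
-A FORWARD -i tun+ -o tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
"""

def gateway_routes_for_connected_prefixes(route_text):
    """Return (dest, mask, gateway, iface) for every gateway route whose prefix
    is already directly connected (gateway 0.0.0.0) on a different interface."""
    rows = [l.split() for l in route_text.splitlines() if l and l[0].isdigit()]
    connected = {(d, m): i for d, g, m, *_, i in rows if g == "0.0.0.0"}
    return [(d, m, g, i) for d, g, m, *_, i in rows
            if g != "0.0.0.0" and connected.get((d, m), i) != i]

def forward_allows_new(rules_text, in_if, out_if):
    """True if the FORWARD chain accepts a NEW packet entering in_if and leaving
    out_if. Models -i/-o (with the 'tun+' prefix wildcard), --ctstate and the
    chain policy, which is all the posted ruleset uses."""
    def iface_match(pattern, iface):
        return iface.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == iface
    policy = "DROP"
    for line in rules_text.splitlines():
        tok = line.split()
        if tok[:2] == ["-P", "FORWARD"]:
            policy = tok[2]
        if tok[:2] != ["-A", "FORWARD"]:
            continue
        opts = dict(zip(tok[2::2], tok[3::2]))  # every option in this ruleset takes one argument
        if not iface_match(opts.get("-i", "+"), in_if) or not iface_match(opts.get("-o", "+"), out_if):
            continue
        if "NEW" not in opts.get("--ctstate", "NEW").split(","):
            continue
        if opts.get("-j") in ("ACCEPT", "DROP", "REJECT"):  # first terminating match decides
            return opts["-j"] == "ACCEPT"
    return policy == "ACCEPT"
```

On the posted data the route check reports the 172.20.0.0/24 entry via 172.21.0.2 on tun1, and the chain check shows new connections are accepted only for tun0 to tun1, not tun1 to tun0 and not tun1 to tun1.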