我正在使用 openvpn(带有 webmin 和 ubuntu 18.10),并且流量没有在子网之间转发 =[Openvpn 正在创建一个带有错误(我认为)网关的路由表
我需要 2 个(或更多)具有转发流量的子网,但只有一个(管理服务器子网)可以创建请求。
客户端-服务器子网无法看到同一子网中的其他设备...但只能连接管理服务器上的设备
客户端可以连接(我使用 tcpdump 和 ping 测试过)... iptables 不会阻止任何转发流量
VPN 服务器配置好了吗?我需要在每个配置中添加“route”命令吗?
管理服务器配置文件
port 1195
proto udp
dev tun0
ca keys/admin/ca.crt
cert keys/admin/admin-server.crt
key keys/admin/admin-server.key
dh keys/admin/dh2048.pem
topology subnet
server 172.20.0.0 255.255.255.0
crl-verify keys/admin/crl.pem
cipher AES-256-CFB
user nobody
group nogroup
status servers/admin-server/logs/openvpn-status.log
log-append servers/admin-server/logs/openvpn.log
verb 2
mute 20
max-clients 100
management 127.0.0.1 7506
keepalive 10 120
client-config-dir /etc/openvpn/servers/admin-server/ccd
comp-lzo
persist-key
persist-tun
ccd-exclusive
route 172.21.0.0 255.255.255.0
push "route 172.21.0.0 255.255.255.0"
客户端服务器配置文件
port 1194
proto udp
dev tun1
ca keys/clientes/ca.crt
cert keys/clientes/clientes-server.crt
key keys/clientes/clientes-server.key
dh keys/clientes/dh2048.pem
topology subnet
server 172.21.0.0 255.255.255.0
crl-verify keys/clientes/crl.pem
cipher AES-256-CBC
user nobody
group nogroup
status servers/clientes-server/logs/openvpn-status.log
log-append servers/clientes-server/logs/openvpn.log
verb 2
mute 20
max-clients 100
management 127.0.0.1 7505
keepalive 10 120
client-config-dir /etc/openvpn/servers/clientes-network/ccd
comp-lzo
persist-key
persist-tun
ccd-exclusive
topology subnet
route 172.20.0.0 255.255.255.0
push "route 172.20.0.0 255.255.255.0"
clientes-joao.ovpn(客户端配置到clientes.server)
client
proto udp
dev tun
ca ca.crt
dh dh2048.pem
cert clientes-joao.crt
key clientes-joao.key
remote xx.xx.xx 1194
cipher AES-256-CBC
verb 2
mute 20
keepalive 10 120
comp-lzo
persist-key
persist-tun
resolv-retry infinite
nobind
路线
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.0.1 0.0.0.0 UG 100 0 0 eth0
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.0.0.1 0.0.0.0 255.255.255.255 UH 100 0 0 eth0
172.20.0.0 172.21.0.2 255.255.255.0 UG 0 0 0 tun1
172.20.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
172.21.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun1
iptables
$ iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p udp -m udp --dport 1195 -j ACCEPT
-A FORWARD -i tun0 -o tun+ -j ACCEPT
-A FORWARD -i tun+ -o tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 10000 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 1195 -j LOG
是否配置
$ ifconfig
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 172.20.0.1 netmask 255.255.255.0 destination 172.20.0.1
inet6 fe80::2b43:ffe6:df7f:33f prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10 bytes 480 (480.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 172.21.0.1 netmask 255.255.255.0 destination 172.21.0.1
inet6 fe80::326:a44b:6bf3:f10b prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 46 bytes 5861 (5.8 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 98 bytes 8117 (8.1 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
管理服务器日志
$ cat servers/admin-server/logs/openvpn.log
Wed Jan 30 19:37:34 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 5 2018
Wed Jan 30 19:37:34 2019 library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.08
Wed Jan 30 19:37:34 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:7506
Wed Jan 30 19:37:34 2019 Diffie-Hellman initialized with 2048 bit key
Wed Jan 30 19:37:34 2019 TUN/TAP device tun0 opened
Wed Jan 30 19:37:34 2019 TUN/TAP TX queue length set to 100
Wed Jan 30 19:37:34 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jan 30 19:37:34 2019 /sbin/ip link set dev tun0 up mtu 1500
Wed Jan 30 19:37:34 2019 /sbin/ip addr add dev tun0 172.20.0.1/24 broadcast 172.20.0.255
Wed Jan 30 19:37:34 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Jan 30 19:37:34 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jan 30 19:37:34 2019 UDPv4 link local (bound): [AF_INET][undef]:1195
Wed Jan 30 19:37:34 2019 UDPv4 link remote: [AF_UNSPEC]
Wed Jan 30 19:37:34 2019 GID set to nogroup
Wed Jan 30 19:37:34 2019 UID set to nobody
Wed Jan 30 19:37:34 2019 MULTI: multi_init called, r=256 v=256
Wed Jan 30 19:37:34 2019 IFCONFIG POOL: base=172.20.0.2 size=252, ipv6=0
Wed Jan 30 19:37:34 2019 Initialization Sequence Completed
客户端-服务器日志
$ cat servers/clientes-server/logs/openvpn.log
Wed Jan 30 19:37:40 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 5 2018
Wed Jan 30 19:37:40 2019 library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.08
Wed Jan 30 19:37:40 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:7505
Wed Jan 30 19:37:40 2019 Diffie-Hellman initialized with 2048 bit key
Wed Jan 30 19:37:40 2019 ROUTE_GATEWAY 10.0.0.1/255.255.255.0 IFACE=eth0 HWADDR=0a:91:77:ec:fd:8c
Wed Jan 30 19:37:40 2019 TUN/TAP device tun1 opened
Wed Jan 30 19:37:40 2019 TUN/TAP TX queue length set to 100
Wed Jan 30 19:37:40 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jan 30 19:37:40 2019 /sbin/ip link set dev tun1 up mtu 1500
Wed Jan 30 19:37:40 2019 /sbin/ip addr add dev tun1 172.21.0.1/24 broadcast 172.21.0.255
Wed Jan 30 19:37:40 2019 /sbin/ip route add 172.20.0.0/24 via 172.21.0.2
RTNETLINK answers: File exists
Wed Jan 30 19:37:40 2019 ERROR: Linux route add command failed: external program exited with error status: 2
Wed Jan 30 19:37:40 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Jan 30 19:37:40 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jan 30 19:37:40 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Wed Jan 30 19:37:40 2019 UDPv4 link remote: [AF_UNSPEC]
Wed Jan 30 19:37:40 2019 GID set to nogroup
Wed Jan 30 19:37:40 2019 UID set to nobody
Wed Jan 30 19:37:40 2019 MULTI: multi_init called, r=256 v=256
Wed Jan 30 19:37:40 2019 IFCONFIG POOL: base=172.21.0.2 size=252, ipv6=0
Wed Jan 30 19:37:40 2019 Initialization Sequence Completed
谢谢!