Route bridged traffic to a VPN tunnel (AWS Client VPN endpoint)

I created a bridge between eth0 & wlan0. Below is the ifconfig output:

root@ubuntu:~ $ ifconfig
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.24.11.15  netmask 255.255.255.0  broadcast 10.24.11.255
        inet6 fe80::1fd4:f47a:59d2:1de8  prefixlen 64  scopeid 0x20<link>
        ether b8:27:eb:8e:38:ee  txqueuelen 1000  (Ethernet)
        RX packets 2571  bytes 308138 (300.9 KiB)
        RX errors 0  dropped 230  overruns 0  frame 0
        TX packets 2511  bytes 289807 (283.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether b8:27:eb:db:6d:bb  txqueuelen 1000  (Ethernet)
        RX packets 6268  bytes 1641477 (1.5 MiB)
        RX errors 0  dropped 39  overruns 0  frame 0
        TX packets 7141  bytes 1630895 (1.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 454  bytes 30843 (30.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 454  bytes 30843 (30.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.20.1.226  netmask 255.255.255.224  destination 10.20.1.226
        inet6 fe80::ea4d:bb87:d649:5308  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1407  bytes 94382 (92.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether b8:27:eb:8e:38:ee  txqueuelen 1000  (Ethernet)
        RX packets 5095  bytes 1401614 (1.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5124  bytes 1660553 (1.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Routing table:

root@ubuntu:~ $ sudo ip route
0.0.0.0/1 via 10.20.1.225 dev tun0
default via 10.24.11.1 dev br0 src 10.24.11.15 metric 204
10.20.1.224/27 dev tun0 proto kernel scope link src 10.20.1.226
10.24.11.0/24 dev br0 proto kernel scope link src 10.24.11.15 metric 204
52.36.18.24 via 10.24.11.1 dev br0
128.0.0.0/1 via 10.20.1.225 dev tun0

root@ubuntu:~ $ sudo route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.20.1.225     128.0.0.0       UG    0      0        0 tun0
0.0.0.0         10.24.11.1      0.0.0.0         UG    204    0        0 br0
10.20.1.224     0.0.0.0         255.255.255.224 U     0      0        0 tun0
10.24.11.0      0.0.0.0         255.255.255.0   U     204    0        0 br0
52.36.18.24     10.24.11.1      255.255.255.255 UGH   0      0        0 br0
128.0.0.0       10.20.1.225     128.0.0.0       UG    0      0        0 tun0

The subnet 10.2.0.0/16 is reachable through the tunnel tun0; I can ping the IP 10.2.1.145 from this box. But I cannot ping 10.2.1.145 from a device connected to this box's wlan0. I can, however, ping 10.24.11.15 from a device connected to this box's wlan0.

If I run traceroute 10.2.1.145 from a device connected to this box's wlan0, the connection goes out through eth0 via the public IP.

eth0 had 10.24.11.15, but after creating the bridge it moved to br0.

Which route am I missing here to direct the 10.2.0.0/16 traffic to tun0?

Here is some more output:

root@ubuntu:~ $ ip route get 10.2.1.145 from 10.24.11.23 iif br0
10.2.1.145 from 10.24.11.23 via 10.20.0.225 dev tun0
    cache  iif br0

root@ubuntu:~ $ sudo ip netconf show dev tun0
ipv4 dev tun0 forwarding on rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
root@ubuntu:~ $

root@ubuntu:~ $ sudo ip netconf show dev br0
ipv4 dev br0 forwarding on rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off

Ping from the WiFi client and tcpdump on ubuntu:

root@client:~# ping 10.2.1.145

root@ubuntu:~ $ sudo tcpdump -ni br0 'icmp and ip host 10.2.1.145'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:30:56.903893 IP 10.24.11.23 > 10.2.1.145: ICMP echo request, id 34567, seq 8, length 64
15:30:57.904278 IP 10.24.11.23 > 10.2.1.145: ICMP echo request, id 34567, seq 9, length 64
15:30:58.904826 IP 10.24.11.23 > 10.2.1.145: ICMP echo request, id 34567, seq 10, length 64


root@client:~# ping 10.2.1.145

root@ubuntu:~ $ sudo tcpdump -nei eth0 'icmp and ip host 10.2.1.145'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:26:55.356091 ac:bc:32:bf:ad:57 > 18:b1:69:75:7a:f4, ethertype IPv4 (0x0800), length 98: 10.24.11.147 > 10.2.1.145: ICMP echo request, id 5646, seq 169, length 64

iptables-save:

root@ubuntu:~ $ sudo iptables-save
# Generated by iptables-save v1.6.0 on Mon May  6 15:37:25 2019
*nat
:PREROUTING ACCEPT [1299:221082]
:INPUT ACCEPT [290:32450]
:OUTPUT ACCEPT [4762:319088]
:POSTROUTING ACCEPT [680:45560]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on Mon May  6 15:37:25 2019
root@ubuntu:~ $ uname -a
Linux raspberrypi 4.14.98-v7+ #1200 SMP Tue Feb 12 20:27:48 GMT 2019 armv7l GNU/Linux

root@ubuntu:~ $ sudo ip rule ls
0:  from all lookup local
32766:  from all lookup main
32767:  from all lookup default

root@ubuntu:~ $ sudo ip route ls table all
0.0.0.0/1 via 10.20.2.129 dev tun0
default via 10.24.11.1 dev br0 src 10.24.11.15 metric 204
10.20.2.128/27 dev tun0 proto kernel scope link src 10.20.2.130
10.24.11.0/24 dev br0 proto kernel scope link src 10.24.11.15 metric 204
52.37.118.218 via 10.24.11.1 dev br0
128.0.0.0/1 via 10.20.2.129 dev tun0
broadcast 10.20.2.128 dev tun0 table local proto kernel scope link src 10.20.2.130
local 10.20.2.130 dev tun0 table local proto kernel scope host src 10.20.2.130
broadcast 10.20.2.159 dev tun0 table local proto kernel scope link src 10.20.2.130
broadcast 10.24.11.0 dev br0 table local proto kernel scope link src 10.24.11.15
local 10.24.11.15 dev br0 table local proto kernel scope host src 10.24.11.15
broadcast 10.24.11.255 dev br0 table local proto kernel scope link src 10.24.11.15
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
fe80::/64 dev br0 proto kernel metric 256  pref medium
fe80::/64 dev tun0 proto kernel metric 256  pref medium
local ::1 dev lo table local proto kernel metric 0  pref medium
local fe80::1fd4:f47a:59d2:1de8 dev br0 table local proto kernel metric 0  pref medium
local fe80::54bf:cf69:4385:4b1c dev tun0 table local proto kernel metric 0  pref medium
ff00::/8 dev br0 table local metric 256  pref medium
ff00::/8 dev tun0 table local metric 256  pref medium

root@ubuntu:~ $ sudo ip -4 a ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.24.11.15/24 brd 10.24.11.255 scope global br0
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    inet 10.20.2.130/27 brd 10.20.2.159 scope global tun0
       valid_lft forever preferred_lft forever
root@ubuntu:~ $

The other side of the VPN is not an openvpn server, because I am trying an AWS Client VPN endpoint here. I did run sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE on the ubuntu host. I have no access to the VPN server.

Update:

On the wifi client

root@client:~ $ ifconfig
eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether b8:27:eb:d2:02:8c  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.24.11.201  netmask 255.255.255.0  broadcast 10.24.11.255
        inet6 fe80::f9e2:e7af:ab5f:7865  prefixlen 64  scopeid 0x20<link>
        ether b8:27:eb:87:57:d9  txqueuelen 1000  (Ethernet)
        RX packets 86  bytes 7978 (7.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 97  bytes 16637 (16.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@client:~ $ ip -4 route list
default via 10.24.11.1 dev wlan0 src 10.24.11.201 metric 303
10.24.11.0/24 dev wlan0 proto kernel scope link src 10.24.11.201 metric 303

On the wifi client I removed the default route with sudo route del default gw 10.24.11.1 wlan0 and added sudo route add default gw 10.24.11.15 wlan0

root@client:~ $ ip -4 route list
default via 10.24.11.15 dev wlan0
10.24.11.0/24 dev wlan0 proto kernel scope link src 10.24.11.201 metric 303

Then tried

root@client:~# ping 10.2.1.145
PING 10.2.1.145 (10.2.1.145): 56 data bytes

root@ubuntu:~ $ sudo tcpdump -ni br0 'icmp'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:40:03.832209 IP 10.24.11.201 > 10.2.1.145: ICMP echo request, id 614, seq 121, length 64
13:40:04.879329 IP 10.24.11.201 > 10.2.1.145: ICMP echo request, id 614, seq 122, length 64
13:40:05.911833 IP 10.24.11.201 > 10.2.1.145: ICMP echo request, id 614, seq 123, length 64

root@ubuntu:~ $ sudo tcpdump -ni tun0 'icmp'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
13:40:49.539044 IP 10.24.11.201 > 10.2.1.145: ICMP echo request, id 618, seq 1, length 64
13:40:50.553286 IP 10.24.11.201 > 10.2.1.145: ICMP echo request, id 618, seq 2, length 64
13:40:51.597073 IP 10.24.11.201 > 10.2.1.145: ICMP echo request, id 618, seq 3, length 64

Ran on Ubuntu:

1. iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

2. sudo iptables -A FORWARD -i br0 -o tun0 -j ACCEPT

3. sudo iptables -A FORWARD -i tun0 -o br0 -j ACCEPT

root@ubuntu:~ $ sudo iptables-save -c
# Generated by iptables-save v1.6.0 on Mon May 13 20:30:31 2019
*filter
:INPUT ACCEPT [32:2202]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [49:4174]
[0:0] -A FORWARD -i br0 -o tun0 -j ACCEPT
[0:0] -A FORWARD -i tun0 -o br0 -j ACCEPT
COMMIT
# Completed on Mon May 13 20:30:31 2019
# Generated by iptables-save v1.6.0 on Mon May 13 20:30:31 2019
*nat
:PREROUTING ACCEPT [7:1109]
:INPUT ACCEPT [2:144]
:OUTPUT ACCEPT [20:1340]
:POSTROUTING ACCEPT [4:268]
[0:0] -A POSTROUTING -o eth0 -j MASQUERADE
[16:1072] -A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on Mon May 13 20:30:31 2019

root@client:~ $ ping 10.2.1.145
PING 10.2.1.145 (10.2.1.145) 56(84) bytes of data.

root@ubuntu:~ $ sudo iptables-save -c
# Generated by iptables-save v1.6.0 on Mon May 13 20:31:24 2019
*filter
:INPUT ACCEPT [119:7998]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [218:19046]
[0:0] -A FORWARD -i br0 -o tun0 -j ACCEPT
[0:0] -A FORWARD -i tun0 -o br0 -j ACCEPT
COMMIT
# Completed on Mon May 13 20:31:24 2019
# Generated by iptables-save v1.6.0 on Mon May 13 20:31:24 2019
*nat
:PREROUTING ACCEPT [10:1331]
:INPUT ACCEPT [5:366]
:OUTPUT ACCEPT [45:3015]
:POSTROUTING ACCEPT [9:603]
[0:0] -A POSTROUTING -o eth0 -j MASQUERADE
[36:2412] -A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on Mon May 13 20:31:24 2019

Then:

root@client:~ $ ping 10.20.1.225

root@ubuntu:~ $ sudo tcpdump -ni br0 'icmp'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:42:07.498023 IP 10.24.11.201 > 10.20.1.225: ICMP echo request, id 15212, seq 208, length 64
09:42:08.537648 IP 10.24.11.201 > 10.20.1.225: ICMP echo request, id 15212, seq 209, length 64
09:42:09.577700 IP 10.24.11.201 > 10.20.1.225: ICMP echo request, id 15212, seq 210, length 64

root@ubuntu:~ $ sudo tcpdump -ni tun0 'icmp'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

root@client:~ $ ping 10.2.1.145

root@ubuntu:~ $ sudo tcpdump -ni br0 'icmp'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:43:32.055291 IP 10.24.11.201 > 10.2.1.145: ICMP echo request, id 15215, seq 12, length 64
09:43:33.099422 IP 10.24.11.201 > 10.2.1.145: ICMP echo request, id 15215, seq 13, length 64
09:43:34.135264 IP 10.24.11.201 > 10.2.1.145: ICMP echo request, id 15215, seq 14, length 64

root@ubuntu:~ $ sudo tcpdump -ni tun0 'icmp'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

It looks like the ICMP echo request packets are not being forwarded to tun0.

Answer 1

So, let's try to solve your problem. For a better understanding I drew the network topology. To clarify what is happening, I split the l2 and l3 processing inside the ubuntu host graphically; this will help with further reasoning.

(figure: network topology)

Check the following steps:

  • Check the routes on the wifi client (here and below, replace 10.24.11.X with the actual IP address of this device). Your scheme requires one of two possibilities: default route via 10.24.11.15 or, better (in my opinion), 10.2.0.0/16 via 10.24.11.15

  • Check the forwarding on the ubuntu host with the commands ip route get 10.2.1.145 from 10.24.11.X iif br0 and ip route get 10.24.11.X from 10.2.1.145 iif tun0. It should return something like 10.2.1.145 from 10.24.11.X via 10.20.1.225 dev tun0 (a valid route). If it returns something like RTNETLINK answers: No route to host, it means you have not enabled ip forwarding (globally or per interface). Enable it with the sysctl command. Also check the forwarding on the tun0 and br0 interfaces with the ip netconf show dev ... command (the output should contain the string forwarding on).

  • Run the command ping 10.2.1.145 on the wifi client, and run tcpdump -ni br0 'icmp and ip host 10.24.11.X' and tcpdump -ni tun0 'icmp' on the ubuntu host. You should see some icmp echo request packets from the wifi client to the host 10.2.1.145. If you do not see them, check the firewall with the iptables-save command (and paste the output into the question to get help with your case). If you see the icmp echo request but do not see the icmp echo reply in tcpdump, then you need to check the remote site.

  • Your scheme also requires some routing setup on the remote side (on the openvpn server). The openvpn server itself should have the route 10.24.11.0/24 via 10.20.1.226, and some remote host should have a route to the same subnet via the openvpn server. Another way to establish the connection is to use NAT on the ubuntu host (but more on that later).

  • Run the commands ip route get 10.2.1.145 from 10.24.11.X iif tunX and ip route get 10.24.11.X from 10.2.1.145 iif ethZ on the openvpn server (where tunX and ethZ are the corresponding interfaces of the openvpn server). Both commands should show valid routes; otherwise check whether forwarding is enabled with the ip netconf show command (and enable it with sysctl).

  • Run the command tcpdump -ni tunX 'icmp and ip host 10.2.1.145' on the openvpn server. You should see incoming icmp echo requests from the remote wifi client and outgoing icmp echo reply from the host 10.2.1.145. If you do not see the icmp echo reply, run tcpdump (or wireshark) on some remote host and check the firewall settings on it.

  • If you do not have administrative rights on the other side and cannot set up routes on it, you should use NAT on the ubuntu host. You should add the next rule into the firewall ruleset (for safety, it is better to use iptables-save and the iptables-apply command):

iptables -t nat -A POSTROUTING \
         -o tun0 \
         -j MASQUERADE

  • The last step is to check the firewall. Your setup needs to allow forwarding of packets through the ubuntu host. Simplified rules:

iptables -A FORWARD -i br0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o br0 -j ACCEPT

  • Then check the firewall rule counters in the output of the iptables-save -c command. The numbers in square brackets are the match counters of the rules in the format [packets:bytes]. Restart the ping and check them. At least the NAT rule should be hit. The order of the rules is very important!

  • If the steps above do not help you solve the problem, add the additional information to the question and I will provide some other steps to solve it.
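As an added example that is not part of the original question or answer, the following POSIX shell helper automates the counter check from the last steps: it parses iptables-save -c output and reports the packet counter of a given rule and every rule in a table that has never matched. The SAMPLE text is constructed here, modelled on the question's second capture.

```shell
#!/bin/sh
# Added example: parse `iptables-save -c` output and report rule hit counters.
# SAMPLE is a constructed excerpt modelled on the question's second capture.
SAMPLE='# Generated by iptables-save v1.6.0
*filter
:INPUT ACCEPT [119:7998]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [218:19046]
[0:0] -A FORWARD -i br0 -o tun0 -j ACCEPT
[0:0] -A FORWARD -i tun0 -o br0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [10:1331]
:POSTROUTING ACCEPT [9:603]
[0:0] -A POSTROUTING -o eth0 -j MASQUERADE
[36:2412] -A POSTROUTING -o tun0 -j MASQUERADE
COMMIT'

# rule_packets TEXT RULE
# Print the packet counter of the rule whose text (after the [pkts:bytes]
# prefix) equals RULE exactly; print nothing if the rule is absent.
rule_packets() {
    printf '%s\n' "$1" | awk -v rule="$2" '
        /^\[[0-9]+:[0-9]+\] / {
            counters = $1                      # e.g. [36:2412]
            sub(/^\[[0-9]+:[0-9]+\] /, "")     # $0 is now the bare rule
            if ($0 == rule) {
                gsub(/\[|\]/, "", counters)    # 36:2412
                split(counters, c, ":")
                print c[1]                     # packets only
            }
        }'
}

# unhit_rules TEXT TABLE
# List every rule in TABLE (filter, nat, ...) whose packet counter is still 0.
unhit_rules() {
    printf '%s\n' "$1" | awk -v table="$2" '
        /^\*/ { cur = substr($0, 2); next }   # "*nat" -> current table
        cur == table && /^\[0:0\] / { sub(/^\[0:0\] /, ""); print }'
}

# Live use: replace SAMPLE with "$(sudo iptables-save -c)" before and after
# restarting the ping, then compare the counters of the rules you care about.
echo "MASQUERADE on tun0 hit: $(rule_packets "$SAMPLE" '-A POSTROUTING -o tun0 -j MASQUERADE') packets"
echo "filter rules never hit:"
unhit_rules "$SAMPLE" filter
```

A FORWARD rule that stays at [0:0] while the ping runs means forwarded packets are not reaching it, which is the situation the answer says to look for before anything else.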
