OpenWRT + OpenVPN - VPN connects successfully, but cannot ping LAN or external hosts

I am setting up a VPN connection with the OpenVPN client on OpenWrt. The client connects to the server, but I cannot ping any network host through the tun0 interface.

Ping example:

ping -I tun0 192.168.1.252
PING 192.168.1.252 (192.168.1.252): 56 data bytes
ping: sendto: No such device

ping -I tun0 google.it
ping: bad address 'google.it'

Details:

Local network: 192.168.1.0/24
Local network gateway: 192.168.1.252

ifconfig output:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
      inet addr:10.86.0.42  P-t-P:10.86.0.41  Mask:255.255.255.255
      inet6 addr: fe80::54b9:1a92:10b8:9975/64 Scope:Link
      UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
      RX packets:0 errors:0 dropped:0 overruns:0 frame:0
      TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:100 
      RX bytes:0 (0.0 B)  TX bytes:304 (304.0 B)

OpenWrt log:

Mon Sep 23 19:46:29 2019 daemon.notice openvpn(expressvpn)[1366]: [Server-2720-0a] Inactivity timeout (--ping-restart), restarting
Mon Sep 23 19:46:29 2019 daemon.notice openvpn(expressvpn)[1366]: SIGUSR1[soft,ping-restart] received, process restarting
Mon Sep 23 19:46:29 2019 daemon.notice openvpn(expressvpn)[1366]: Restart pause, 5 second(s)
Mon Sep 23 19:46:34 2019 daemon.notice openvpn(expressvpn)[1366]: TCP/UDP: Preserving recently used remote address: [AF_INET]185.183.105.195:1195
Mon Sep 23 19:46:34 2019 daemon.notice openvpn(expressvpn)[1366]: Socket Buffers: R=[163840->327680] S=[163840->327680]
Mon Sep 23 19:46:34 2019 daemon.notice openvpn(expressvpn)[1366]: UDP link local: (not bound)
Mon Sep 23 19:46:34 2019 daemon.notice openvpn(expressvpn)[1366]: UDP link remote: [AF_INET]185.183.105.195:1195
Mon Sep 23 19:46:34 2019 daemon.notice openvpn(expressvpn)[1366]: TLS: Initial packet from [AF_INET]185.183.105.195:1195, sid=34c1a1c3 38782ada
Mon Sep 23 19:46:34 2019 daemon.notice openvpn(expressvpn)[1366]: VERIFY OK: .....censored.....
Mon Sep 23 19:46:34 2019 daemon.notice openvpn(expressvpn)[1366]: VERIFY KU OK
Mon Sep 23 19:46:34 2019 daemon.notice openvpn(expressvpn)[1366]: Validating certificate extended key usage
Mon Sep 23 19:46:34 2019 daemon.notice openvpn(expressvpn)[1366]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Sep 23 19:46:34 2019 daemon.notice openvpn(expressvpn)[1366]: VERIFY EKU OK
Mon Sep 23 19:46:34 2019 daemon.notice openvpn(expressvpn)[1366]: VERIFY OK: .....censored.....
Mon Sep 23 19:46:35 2019 daemon.warn openvpn(expressvpn)[1366]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1602', remote='link-mtu 1606'
Mon Sep 23 19:46:35 2019 daemon.warn openvpn(expressvpn)[1366]: WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic'
Mon Sep 23 19:46:35 2019 daemon.notice openvpn(expressvpn)[1366]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Sep 23 19:46:35 2019 daemon.notice openvpn(expressvpn)[1366]: [Server-2720-0a] Peer Connection Initiated with [AF_INET]185.183.105.195:1195
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: SENT CONTROL [Server-2720-0a]: 'PUSH_REQUEST' (status=1)
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.86.0.1,comp-lzo no,route 10.86.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.86.0.46 10.86.0.45,peer-id 10,cipher AES-256-GCM'
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: OPTIONS IMPORT: timers and/or timeouts modified
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: OPTIONS IMPORT: compression parms modified
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: OPTIONS IMPORT: --ifconfig/up options modified
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: OPTIONS IMPORT: route options modified
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: OPTIONS IMPORT: peer-id set
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: OPTIONS IMPORT: adjusting link_mtu to 1625
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: OPTIONS IMPORT: data channel crypto options modified
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: NCP: overriding user-set keysize with default
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: Preserving previous TUN/TAP instance: tun0
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: /sbin/route del -net 10.86.0.1 netmask 255.255.255.255
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: /sbin/route del -net 185.183.105.195 netmask 255.255.255.255
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: Closing TUN/TAP interface
Mon Sep 23 19:46:36 2019 daemon.notice openvpn(expressvpn)[1366]: /sbin/ifconfig tun0 0.0.0.0
Mon Sep 23 19:46:36 2019 daemon.notice netifd: Network device 'tun0' link is down
Mon Sep 23 19:46:36 2019 daemon.notice netifd: Interface 'expressevpn' has link connectivity loss
Mon Sep 23 19:46:36 2019 daemon.notice netifd: Interface 'expressevpn' is now down
Mon Sep 23 19:46:36 2019 daemon.notice netifd: Interface 'expressevpn' is disabled
Mon Sep 23 19:46:37 2019 daemon.notice openvpn(expressvpn)[1366]: TUN/TAP device tun0 opened
Mon Sep 23 19:46:37 2019 daemon.notice openvpn(expressvpn)[1366]: TUN/TAP TX queue length set to 100
Mon Sep 23 19:46:37 2019 daemon.notice openvpn(expressvpn)[1366]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Sep 23 19:46:37 2019 daemon.notice openvpn(expressvpn)[1366]: /sbin/ifconfig tun0 10.86.0.46 pointopoint 10.86.0.45 mtu 1500
Mon Sep 23 19:46:37 2019 daemon.notice netifd: Interface 'expressevpn' is enabled
Mon Sep 23 19:46:37 2019 daemon.notice netifd: Interface 'expressevpn' is setting up now
Mon Sep 23 19:46:37 2019 daemon.notice netifd: Interface 'expressevpn' is now up
Mon Sep 23 19:46:37 2019 daemon.notice netifd: Network device 'tun0' link is up
Mon Sep 23 19:46:37 2019 daemon.notice netifd: Interface 'expressevpn' has link connectivity
Mon Sep 23 19:46:37 2019 user.notice firewall: Reloading firewall due to ifup of expressevpn (tun0)
Mon Sep 23 19:46:37 2019 daemon.err openvpn(expressvpn)[1366]: write UDP: Operation not permitted (code=1)
Mon Sep 23 19:46:37 2019 daemon.err openvpn(expressvpn)[1366]: write UDP: Operation not permitted (code=1)
Mon Sep 23 19:46:39 2019 daemon.notice openvpn(expressvpn)[1366]: /sbin/route add -net 185.183.105.195 netmask 255.255.255.255 gw 192.168.1.252
Mon Sep 23 19:46:39 2019 daemon.notice openvpn(expressvpn)[1366]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.86.0.45
Mon Sep 23 19:46:39 2019 daemon.notice openvpn(expressvpn)[1366]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.86.0.45
Mon Sep 23 19:46:39 2019 daemon.notice openvpn(expressvpn)[1366]: /sbin/route add -net 10.86.0.1 netmask 255.255.255.255 gw 10.86.0.45
Mon Sep 23 19:46:39 2019 daemon.notice openvpn(expressvpn)[1366]: Initialization Sequence Completed

/etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config rule
        option name 'Allow-DHCP-Renew'
        ....

config rule
        option name 'Allow-Ping'
        ....

config rule
        option name 'Allow-IGMP'
        ...

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        .....

config rule
        option name 'Allow-MLD'
        ...

config rule
        option name 'Allow-ICMPv6-Input'
        .....

config rule
        option name 'Allow-ICMPv6-Forward'
        ....

config rule
        option name 'Allow-IPSec-ESP'
        ....

config rule
        option name 'Allow-ISAKMP'
        ....

config include
        option path '/etc/firewall.user'

config forwarding
        option dest 'wan'
        option src 'lan'

config zone
        option name 'vpn'
        option output 'ACCEPT'
        option device 'tun0'
        option masq '1'
        option mtu_fix '1'
        option network 'expressevpn'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option dest 'vpn'
        option src 'lan'

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdbb:c451:1704::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.252'
        option dns '8.8.8.8'
        option stp '1'
        option ifname 'eth0.1 eth0.2'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '50:64:2b:b4:6f:18'

config interface 'wan'
        option proto 'dhcp'
        option type 'bridge'
        option clientid 'root'
        option ifname 'eth0.2'

config interface 'wan6'
        option proto 'dhcpv6'
        option ifname 'eth0'
        option reqaddress 'try'
        option reqprefix 'auto'
        option clientid 'root'
        option auto '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

config interface 'expressevpn'
        option proto 'static'
        option delegate '0'
        option ifname 'tun0'

OpenVPN configuration:

config openvpn 'expressvpn'
    option dev 'tun'
    option reneg_sec '0'
    option verb '3'
    option persist_key '1'
    option nobind '1'
    option persist_tun '1'
    option client '1'
    option remote_cert_tls 'server'
    option fast_io '1'
    option route_delay '2'
    option tun_mtu '1500'
    option sndbuf '524288'
    option rcvbuf '524288'
    option pull '1'
    list remote '......'
    option remote_random '1'
    option auth_user_pass '/etc/openvpn/userpass.txt'
    option tls_client '1'
    option cipher 'AES-256-CBC'
    option keysize '256'
    option auth 'SHA512'
    option key_direction '1'
    option tls_auth '/etc/openvpn/tlsauth.key'
    option port '1195'
    option enabled '1'
    option ca '/etc/luci-uploads/cbid.openvpn.expressvpn.ca'
    option cert '/etc/luci-uploads/cbid.openvpn.expressvpn.cert'
    option key '/etc/luci-uploads/cbid.openvpn.expressvpn.key'
    option redirect_gateway 'def1'

ip route:

0.0.0.0/1 via 10.86.0.41 dev tun0 
default via 192.168.1.252 dev br-lan 
10.86.0.1 via 10.86.0.41 dev tun0 
10.86.0.41 dev tun0 scope link  src 10.86.0.42 
128.0.0.0/1 via 10.86.0.41 dev tun0 
185.183.105.195 via 192.168.1.252 dev br-lan 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 

I apologise, but I am not very experienced in this area, so there may be a completely wrong setting somewhere.

Answer 1

The VPN server is redirecting your default gateway to the VPN. Therefore you cannot reach anything inside your local network, only what the VPN server allows you to reach.

You can ignore the gateway redirection, as described in the OpenVPN community wiki.

Either by filtering the pushed option in the openvpn configuration file:

pull-filter ignore redirect-gateway

The second option is to ignore all routes pushed from the server, in the openvpn configuration file:

route-noexec 

or

route-nopull 

The last option is to override the default route with higher-priority (more specific) routes:

route 0.0.0.0 192.0.0.0 192.168.1.252
route 64.0.0.0 192.0.0.0 192.168.1.252
route 128.0.0.0 192.0.0.0 192.168.1.252
route 192.0.0.0 192.0.0.0 192.168.1.252

You can follow the UCI network cheatsheet.
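To see why the pushed "redirect-gateway def1" routes beat the LAN default route, and why the answer's four /2 routes beat them in turn, here is an added example (not part of the question or the answer): a POSIX shell longest-prefix-match lookup run over the ip route table posted in the question, embedded as a constructed sample, plus a second copy of that table with the answer's override routes appended. It assumes those override routes are installed on br-lan via 192.168.1.252, the LAN gateway named in the question.

```shell
#!/bin/sh
# Longest-prefix-match lookup over the "ip route" table from the question.
# Shows why "redirect-gateway def1" (0.0.0.0/1 + 128.0.0.0/1) wins over the
# LAN default route, and how the answer's /2 routes win back again.
# Runs on a plain POSIX shell (ash on OpenWrt, dash, bash); ip(8) not needed.

# Constructed sample: the routing table posted in the question.
ROUTES_QUESTION='0.0.0.0/1 via 10.86.0.41 dev tun0
default via 192.168.1.252 dev br-lan
10.86.0.1 via 10.86.0.41 dev tun0
10.86.0.41 dev tun0 scope link src 10.86.0.42
128.0.0.0/1 via 10.86.0.41 dev tun0
185.183.105.195 via 192.168.1.252 dev br-lan
192.168.1.0/24 dev br-lan scope link src 192.168.1.1'

# Same table after the answer's four "route x.0.0.0 192.0.0.0 192.168.1.252"
# lines: netmask 192.0.0.0 is /2, one bit longer than the pushed /1 routes.
# Assumption: they are installed on br-lan, the interface of the LAN gateway.
ROUTES_OVERRIDDEN="$ROUTES_QUESTION
0.0.0.0/2 via 192.168.1.252 dev br-lan
64.0.0.0/2 via 192.168.1.252 dev br-lan
128.0.0.0/2 via 192.168.1.252 dev br-lan
192.0.0.0/2 via 192.168.1.252 dev br-lan"

# Dotted quad -> 32-bit integer (subshell so the IFS change does not leak).
ip2int() { ( IFS=.; set -- $1; echo $(( ($1<<24) | ($2<<16) | ($3<<8) | $4 )) ); }

# route_lookup "<table>" <dest-ip>  -> prints "<next-hop or -> <device>"
# Picks the entry with the longest matching prefix, as the kernel does;
# ties fall to table order, which is all this example needs.
route_lookup() {
    table=$1; dst=$(ip2int "$2"); best=-1; best_via=-; best_dev=-
    while read -r prefix rest; do
        [ -z "$prefix" ] && continue
        [ "$prefix" = default ] && prefix=0.0.0.0/0
        case $prefix in
            */*) net=${prefix%/*}; len=${prefix#*/} ;;
            *)   net=$prefix;      len=32 ;;
        esac
        mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
        [ $(( dst & mask )) -eq $(( $(ip2int "$net") & mask )) ] || continue
        [ "$len" -gt "$best" ] || continue
        via=-; dev=-
        set -- $rest
        while [ $# -gt 0 ]; do
            case $1 in via) via=$2; shift ;; dev) dev=$2; shift ;; esac
            shift
        done
        best=$len; best_via=$via; best_dev=$dev
    done <<EOF
$table
EOF
    echo "$best_via $best_dev"
}

for d in 192.168.1.252 185.183.105.195 8.8.8.8; do
    echo "$d: pushed table -> $(route_lookup "$ROUTES_QUESTION" "$d");" \
         "with /2 overrides -> $(route_lookup "$ROUTES_OVERRIDDEN" "$d")"
done
```

The LAN (192.168.1.0/24) and the VPN server's host route are reachable via br-lan in both tables; only traffic to everything else moves from tun0 back to br-lan once the /2 routes are present.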