I created an OpenVPN server on AWS using the Marketplace AMI and changed the "VPN Settings" network address and group default IP to 10.0.0.0/20.
Then I downloaded the client file and added it to my Ubuntu 18.04 VPN settings via the import option.
After that I tried to SSH to another server at 10.0.10.220, which failed even though port 22 is open (0.0.0.0/0).
When checking ifconfig for details about the connection, I see the following VPN-related interface:
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.0.8.2 netmask 255.255.252.0 destination 10.0.8.2
inet6 fe80::eac9:76b7:5e88:68e4 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 141 bytes 7544 (7.5 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Note that my local home network is 192.168.X.X, so there should be no conflict.
EDIT: output of ip route
default via 10.0.8.1 dev tun0 proto static metric 50
default via 192.168.0.1 dev wlp2s0 proto static metric 600
10.0.0.0/16 via 10.0.8.1 dev tun0 proto static metric 50
10.0.8.0/22 dev tun0 proto kernel scope link src 10.0.8.2 metric 50
18.204.38.141 via 192.168.0.1 dev wlp2s0 proto static metric 600
169.254.0.0/16 dev wlp2s0 scope link metric 1000
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.0.0/24 dev wlp2s0 proto kernel scope link src 192.168.0.200 metric 600
192.168.0.1 dev wlp2s0 proto static scope link metric 600
EDIT 2: my Terraform code
resource "aws_instance" "vpn" {
  ami                         = "ami-0ca1c6f31c3fb1708"
  instance_type               = "t3.micro"
  availability_zone           = "us-east-1a"
  key_name                    = "josh"
  monitoring                  = true
  vpc_security_group_ids      = [aws_security_group.vpn.id]
  disable_api_termination     = true
  associate_public_ip_address = true
  subnet_id                   = aws_subnet.public["us-east-1a"].id
  source_dest_check           = false
  tags = {
    Name = "VPN"
  }
}
resource "aws_eip" "vpn_eip" {
  instance = aws_instance.vpn.id
  vpc      = true
}
resource "aws_security_group" "vpn" {
  name        = "vpn"
  description = "Allow vpn traffic"
  vpc_id      = aws_vpc.Main_VPC.id
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 943
    to_port     = 943
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 1194
    to_port     = 1194
    protocol    = "udp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
EDIT 3: adding the Jenkins server Terraform
resource "aws_instance" "jenkins" {
  ami                         = var.ubuntuAMI
  instance_type               = "t3.small"
  availability_zone           = "us-east-1a"
  key_name                    = "josh"
  monitoring                  = true
  vpc_security_group_ids      = [aws_security_group.ssh_access.id, aws_security_group.jenkins.id]
  disable_api_termination     = true
  associate_public_ip_address = true
  subnet_id                   = aws_subnet.public["us-east-1a"].id
  tags = {
    Name = "Jenkins"
  }
}
resource "aws_eip" "jenkins_eip" {
  instance = aws_instance.jenkins.id
  vpc      = true
}
resource "aws_eip_association" "jenkins_eip_assoc" {
  instance_id   = aws_instance.jenkins.id
  allocation_id = aws_eip.jenkins_eip.id
}
resource "aws_security_group" "jenkins" {
  name        = "jenkns"
  description = "Allow jenkins traffic"
  vpc_id      = aws_vpc.Main_VPC.id
  ingress {
    from_port   = 80
    to_port     = 8080
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
Answer 1
Two issues:
1) You have not NATed the traffic on the VPN server, so the other systems need a return route; either add this route in AWS or make all traffic appear to come from the VPN server.
2) You cannot reach the internet because your source IP range (the VPN subnet) is not NATed on the VPN router.
Both cases can be fixed by adding this policy on the server running OpenVPN:
iptables -t nat -A POSTROUTING -s 10.0.8.0/22 -o eth0 -j MASQUERADE
# persist the rule; how it is saved is distro-specific (e.g. "service iptables save",
# or redirecting iptables-save into the distro's rules file)
iptables-save
or
firewall-cmd --zone=external --add-masquerade --permanent
firewall-cmd --reload
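As an added illustration (not from the question or the answer), this Python model traces where the VPC delivers the target's reply to a VPN client under each option the answer describes: no fix, the MASQUERADE rule, or a VPC return route for the client pool. The VPN server's VPC address and the ENI identifier are assumed placeholders; the CIDRs and hosts come from the question.

```python
import ipaddress

# Values taken from the question; VPN_SERVER_VPC_IP is an assumed private
# address for the OpenVPN instance inside the VPC (not given on the page).
VPC_CIDR = "10.0.0.0/16"
CLIENT_POOL = "10.0.8.0/22"      # tun0: inet 10.0.8.2 netmask 255.255.252.0
CLIENT_IP = "10.0.8.2"
TARGET_IP = "10.0.10.220"
VPN_SERVER_VPC_IP = "10.0.1.10"  # assumption
VPN_SERVER_ENI = "eni-vpn"       # placeholder, not a real ENI id

# VPC route table as AWS creates it: the local route plus an internet gateway.
VPC_ROUTES = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw")]
# Addresses that actually belong to an ENI inside the VPC (constructed).
VPC_ENI_ADDRESSES = {VPN_SERVER_VPC_IP, TARGET_IP}

def longest_prefix_match(routes, dst):
    """Next hop for dst by longest-prefix match over (cidr, hop) pairs."""
    dst = ipaddress.ip_address(dst)
    best = None
    for cidr, hop in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def reply_outcome(masquerade=False, return_route=False):
    """Where the VPC sends the target's reply to the VPN client.

    masquerade:   the POSTROUTING MASQUERADE rule from the answer is active,
                  so the target sees the VPN server's VPC address as source.
    return_route: a VPC route for the client pool points at the VPN ENI.
    """
    routes = list(VPC_ROUTES)
    if return_route:
        routes.append((CLIENT_POOL, VPN_SERVER_ENI))
    reply_dst = VPN_SERVER_VPC_IP if masquerade else CLIENT_IP
    hop = longest_prefix_match(routes, reply_dst)
    if hop == "local":
        # The local route only delivers to addresses that exist on a VPC ENI.
        # 10.0.8.2 falls inside 10.0.0.0/16 but has no ENI, so it is dropped.
        return "delivered" if reply_dst in VPC_ENI_ADDRESSES else "dropped"
    return "forwarded via " + hop

if __name__ == "__main__":
    print("no fix:", reply_outcome())
    print("masquerade:", reply_outcome(masquerade=True))
    print("return route:", reply_outcome(return_route=True))
```

The "dropped" case is why the SSH session in the question never gets a reply: the client pool 10.0.8.0/22 sits inside the VPC CIDR, so the VPC's local route claims the reply but finds no interface for it.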