Cannot connect to a server on the local network through the new openvpn

I created an openvpn server on AWS using the marketplace AMI, and I changed the "VPN settings" network address and group default IP to 10.0.0.0/20

Then I downloaded the client file and added it to my Ubuntu 18.04 VPN settings via the import option.

After that I tried to ssh to another server located at 10.0.10.220, which failed even though port 22 is open (0.0.0.0/0)

When checking ifconfig for details about the connection, I see the following VPN-related entry.

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.0.8.2  netmask 255.255.252.0  destination 10.0.8.2
        inet6 fe80::eac9:76b7:5e88:68e4  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 141  bytes 7544 (7.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Note that my local home network is 192.168.X.X, so there should be no conflict

Edit

ip route

default via 10.0.8.1 dev tun0 proto static metric 50 
default via 192.168.0.1 dev wlp2s0 proto static metric 600 
10.0.0.0/16 via 10.0.8.1 dev tun0 proto static metric 50 
10.0.8.0/22 dev tun0 proto kernel scope link src 10.0.8.2 metric 50 
18.204.38.141 via 192.168.0.1 dev wlp2s0 proto static metric 600 
169.254.0.0/16 dev wlp2s0 scope link metric 1000 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
192.168.0.0/24 dev wlp2s0 proto kernel scope link src 192.168.0.200 metric 600 
192.168.0.1 dev wlp2s0 proto static scope link metric 600

Edit 2: my Terraform code

resource "aws_instance" "vpn" {
  ami           = "ami-0ca1c6f31c3fb1708"
  instance_type = "t3.micro"
  availability_zone = "us-east-1a"
  key_name = "josh"
  monitoring = true
  vpc_security_group_ids = [aws_security_group.vpn.id]
  disable_api_termination = true
  associate_public_ip_address = true
  subnet_id = aws_subnet.public["us-east-1a"].id
  source_dest_check = false

  tags = {
    Name = "VPN"
  }
}

resource "aws_eip" "vpn_eip" {
    instance = aws_instance.vpn.id
    vpc      = true
}

resource "aws_security_group" "vpn" {
  name        = "vpn"
  description = "Allow vpn traffic"
  vpc_id      = aws_vpc.Main_VPC.id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 943
    to_port     = 943
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 1194
    to_port     = 1194
    protocol    = "udp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port       = 0
    to_port         = 0
    protocol        = "-1"
    cidr_blocks     = ["0.0.0.0/0"]
  }
}

Edit 3

Adding the Jenkins server TF

resource "aws_instance" "jenkins" {
  ami           = var.ubuntuAMI
  instance_type = "t3.small"
  availability_zone = "us-east-1a"
  key_name = "josh"
  monitoring = true
  vpc_security_group_ids = [aws_security_group.ssh_access.id, aws_security_group.jenkins.id]
  disable_api_termination = true
  associate_public_ip_address = true
  subnet_id = aws_subnet.public["us-east-1a"].id

  tags = {
    Name = "Jenkins"
  }
}

resource "aws_eip" "jenkins_eip" {
    instance = aws_instance.jenkins.id
    vpc = true
}


resource "aws_eip_association" "jenkins_eip_assoc" {
  instance_id   = aws_instance.jenkins.id
  allocation_id = aws_eip.jenkins_eip.id
}

resource "aws_security_group" "jenkins" {
  name        = "jenkns"
  description = "Allow jenkins traffic"
  vpc_id      = aws_vpc.Main_VPC.id

  ingress {
    from_port   = 80
    to_port     = 8080
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

Answer 1

Two problems

1) You are not NATing the traffic on the VPN server, so the other systems need a return route. Either add that route in AWS, or make all traffic appear to come from the VPN server.

2) You cannot reach the internet because your source IP range (the vpn subnet) is not NATed on the vpn router.

Both cases can be solved by adding this policy to the server running openvpn

iptables -t nat -A POSTROUTING -s 10.0.8.0/22 -o eth0 -j MASQUERADE
iptables-save    # prints the active rules; redirect the output to your distro's rules file to persist them

or

firewall-cmd --zone=external --add-masquerade --permanent
firewall-cmd --reload
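The two paths the answer describes, the client's forward route to 10.0.10.220 and the target's return route back to the VPN client, as an added worked example that is not part of the question or the answer. The client routing table is the `ip route` output posted in the question; the VPC route table and the target name eni-vpn are constructed assumptions.

```python
import ipaddress

# Client routing table exactly as posted in the question (`ip route` output).
CLIENT_ROUTES = """\
default via 10.0.8.1 dev tun0 proto static metric 50
default via 192.168.0.1 dev wlp2s0 proto static metric 600
10.0.0.0/16 via 10.0.8.1 dev tun0 proto static metric 50
10.0.8.0/22 dev tun0 proto kernel scope link src 10.0.8.2 metric 50
18.204.38.141 via 192.168.0.1 dev wlp2s0 proto static metric 600
169.254.0.0/16 dev wlp2s0 scope link metric 1000
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.0.0/24 dev wlp2s0 proto kernel scope link src 192.168.0.200 metric 600
192.168.0.1 dev wlp2s0 proto static scope link metric 600
"""

def parse_ip_route(text):
    """Parse `ip route` lines into (network, device, metric) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        prefix = "0.0.0.0/0" if f[0] == "default" else f[0]
        metric = int(f[f.index("metric") + 1]) if "metric" in f else 0
        routes.append((ipaddress.ip_network(prefix, strict=False), f[f.index("dev") + 1], metric))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; ties broken by the lowest metric, as the kernel does."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]), key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]

# Constructed VPC route table for the target's subnet (assumption, not from the page):
# (prefix, target) pairs; "local" is the VPC CIDR, "igw" the internet gateway.
VPC_TABLE = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw")]

def reply_reaches_vpn(table, client_addr, vpn_target="eni-vpn"):
    """True if the target's reply to the VPN client is routed to the VPN instance.
    False means the reply is lost unless the VPN server masquerades its clients."""
    routes = [(ipaddress.ip_network(p), t, 0) for p, t in table]
    return lookup(routes, client_addr) == vpn_target

if __name__ == "__main__":
    client = parse_ip_route(CLIENT_ROUTES)
    print("forward path to 10.0.10.220 leaves via", lookup(client, "10.0.10.220"))
    print("return route without fix:", reply_reaches_vpn(VPC_TABLE, "10.0.8.2"))
    fixed = VPC_TABLE + [("10.0.8.0/22", "eni-vpn")]
    print("return route with VPC route added:", reply_reaches_vpn(fixed, "10.0.8.2"))
```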
