I have been struggling to reach the VPN client's subnet from the VPN server. Both the server and the client run on Linux machines with OpenVPN installed. The tunnel is established correctly. The firewall is disabled on both the server and the client.

--------------------    --------     ----------------------        -------------
| vpn server       |----| INET |-----| vpn client          |--------|             |
| tun0: 10.8.0.1   |    --------     | tun0: 10.8.0.2      |        |  SUBNET   |
|                  |                 | eth0: 192.168.1.45  |        |             |
|                  |                 | wlan: 10.10.0.1     |        | 10.10.0.0 |
--------------------                 ----------------------        -------------
ip_forward=1 is enabled on both Linux machines.

server.conf:
local 45.138.196.247
port 1194
proto udp
dev tun
......
topology subnet
client-to-client
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 5
explicit-exit-notify
client-config-dir /etc/openvpn/ccd
ccd-exclusive
Client configuration file:
client
dev tun
proto udp
remote 45.138.196.247 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
.....
ignore-unknown-option block-outside-dns
block-outside-dns
verb 5
auth-nocache
topology subnet
The client's ccd:
ifconfig-push 10.8.0.2 255.255.255.0
iroute 10.10.0.0 255.255.255.0
I also added a static route on the server:
route add -net 10.10.0.0 netmask 255.255.255.0 gw 10.8.0.1
Pinging 10.10.0.1 and/or 10.10.0.2 (a PC) from the server fails. I think there is still a routing problem.

Answer 1

I found the problem by accident.

I ran the following command:
root@vpnServer:/etc/openvpn# iptables -t nat -L -n -v --line-numbers
Chain PREROUTING (policy ACCEPT 81998 packets, 22M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 9509 packets, 694K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 99 packets, 7563 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 183 packets, 13588 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       57  4281 SNAT       all  --  *      *       10.8.0.0/24         !10.8.0.0/24          to:45.138.196.247
I deleted rule number 1 from chain POSTROUTING:

Now I can ping the subnet behind the VPN client!

root@vpnServer:/etc/openvpn# iptables -t nat -D POSTROUTING 1
root@vpnServer:/etc/openvpn# iptables -t nat -L -n -v --line-numbers
Chain PREROUTING (policy ACCEPT 1 packets, 165 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
root@vpnServer:/etc/openvpn# ping 10.8.0.2
PING 10.8.0.2 (10.8.0.2) 56(84) bytes of data.
64 bytes from 10.8.0.2: icmp_seq=1 ttl=64 time=26.4 ms
64 bytes from 10.8.0.2: icmp_seq=2 ttl=64 time=26.6 ms
I used openvpn-install.sh to install OpenVPN and create the configuration files. That script apparently messed up iptables by adding that entry to chain POSTROUTING! I think it is better to do the whole configuration by hand, step by step. Don't rely on that script. It configures other things without any control or warning!

Answer 2

Client routing table before the VPN client is started:
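An added diagnostic (not part of either answer): it parses the `iptables -t nat -L -n -v --line-numbers` listing quoted above, re-laid out here as a constructed sample, flags POSTROUTING SNAT/MASQUERADE rules whose out-interface is `*` or tun0 and therefore also rewrite the server's own traffic into the tunnel, and builds a replacement rule pinned to a WAN interface instead of deleting the rule outright. The interface name `eth0` is an assumption; keeping a WAN-bound SNAT matters because the server pushes `redirect-gateway def1`, so the clients' internet traffic still needs NAT on the public side.

```python
import ipaddress

# Constructed sample: the nat table from Answer 1, laid out the way
# `iptables -t nat -L -n -v --line-numbers` prints it (one rule per line).
SAMPLE_NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT 81998 packets, 22M bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 183 packets, 13588 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       57  4281 SNAT       all  --  *      *       10.8.0.0/24         !10.8.0.0/24          to:45.138.196.247
"""

def parse_nat_listing(text):
    """Yield (chain, rule) for every rule line; fields follow the -L -n -v layout."""
    chain = None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
        elif line and not line.startswith("num") and chain:
            f = line.split()  # num pkts bytes target prot opt in out source destination extra...
            yield chain, {"num": int(f[0]), "target": f[3], "in": f[6], "out": f[7],
                          "source": f[8], "destination": f[9], "extra": " ".join(f[10:])}

def _matches(selector, net):
    """Does a (possibly '!'-negated) address selector match some address in net?"""
    sel = ipaddress.ip_network(selector.lstrip("!"), strict=False)
    return not sel.supernet_of(net) if selector.startswith("!") else net.overlaps(sel)

def find_tunnel_snat(text, vpn="10.8.0.0/24", lan="10.10.0.0/24", tun_if="tun0"):
    """POSTROUTING rule numbers that rewrite server->client-LAN traffic: source in the
    VPN subnet, destination covering the iroute'd LAN, and no WAN-only out-interface."""
    vpn, lan = ipaddress.ip_network(vpn), ipaddress.ip_network(lan)
    return [r["num"] for chain, r in parse_nat_listing(text)
            if chain == "POSTROUTING" and r["target"] in ("SNAT", "MASQUERADE")
            and r["out"] in ("*", tun_if)
            and _matches(r["source"], vpn) and _matches(r["destination"], lan)]

def narrowed_rule(text, num, wan_if):
    """Command that replaces SNAT rule `num` with one bound to the WAN interface, so
    traffic entering the tunnel keeps its 10.8.0.x source. wan_if is an assumed name."""
    for chain, r in parse_nat_listing(text):
        if chain == "POSTROUTING" and r["num"] == num and r["target"] == "SNAT":
            to = r["extra"].split("to:", 1)[1].split()[0]
            return (f"iptables -t nat -R POSTROUTING {num} -s {r['source']} "
                    f"-o {wan_if} -j SNAT --to-source {to}")
    raise ValueError(f"no SNAT rule {num} in POSTROUTING")
```

Run `find_tunnel_snat` on the live listing to confirm which rule is in the way, then apply the command from `narrowed_rule` rather than `iptables -t nat -D POSTROUTING 1`.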
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eth0
10.10.0.0       0.0.0.0         255.255.255.0   U     0      0        0 wlan0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0

Routing table after the VPN client is started:
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.8.0.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.1.1 0.0.0.0 UG 100 0 0 eth0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
10.10.0.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
45.138.196.247 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0
128.0.0.0 10.8.0.1 128.0.0.0 UG 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 wlan0
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0