OpenVPN 连接到具有 2 个网关的服务器


我在 Debian 服务器上遇到了一个问题(我认为是路由问题)。我有 2 个路由器作为网关(其中一个可从公网访问)。VPN 客户端连接到 Router1,但 OpenVPN 的出站流量经由 Router2 返回给客户端,因此 TLS 握手出错(图中的蓝色箭头)。从下面的路由表可以看到,服务器只有一条经 192.168.40.1(Router2)的默认路由,ens34 上配置的 gateway 192.168.40.40 并没有出现在路由表中。

Router1 已将 1194 端口转发到 Debian 服务器的第 2 个接口(192.168.40.39)。

当我为客户端的 IP 添加一条经 Router1 的路由(例如 ip route add client_ip via 192.168.40.40)时,客户端就可以连接到 OpenVPN。

但客户端使用的是动态 IP,所以这不是一个可行的解决方案。

配置

Router1 (internal ip) 192.168.40.40
Router2 (internal ip) 192.168.40.1
Server 1st eth (internal ip) 192.168.40.2
Server 2nd eth (internal ip) 192.168.40.39

路由

root@XXX:/etc/openvpn# ip route
default via 192.168.40.1 dev ens32 onlink
10.9.8.0/24 via 10.9.8.2 dev tun0
10.9.8.2 dev tun0 proto kernel scope link src 10.9.8.1
192.168.40.0/26 dev ens32 proto kernel scope link src 192.168.40.2
192.168.40.0/26 dev ens34 proto kernel scope link src 192.168.40.39

iptables

root@XXX:/etc/openvpn# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:openvpn

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain DOCKER (1 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

iptables nat 表

root@XXX:/etc/openvpn# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !loopback/8           ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

iptables mangle 表

root@XXX:/etc/openvpn# iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

/etc/network/interfaces

cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

#source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#allow-hotplug ens32
auto ens32
iface ens32 inet static
address 192.168.40.2
netmask 255.255.255.192
gateway 192.168.40.1

auto ens34
iface ens34 inet static
address 192.168.40.39
netmask 255.255.255.192
gateway 192.168.40.40

openvpn 服务器配置

root@XXX:/etc/openvpn# cat server.conf
port 1194
proto udp
dev tun

local 192.168.40.39

tls-server



ca      /etc/openvpn/easy-rsa/keys/ca.crt    # generated keys
cert    /etc/openvpn/easy-rsa/keys/server.crt
key     /etc/openvpn/easy-rsa/keys/server.key  # keep secret
dh      /etc/openvpn/easy-rsa/keys/dh2048.pem

server 10.9.8.0 255.255.255.0  # internal tun0 connection IP
ifconfig-pool-persist ipp.txt

keepalive 10 120

comp-lzo         # Compression - must be turned on at both ends
persist-key
persist-tun

status log/openvpn-status.log

verb 6  # verbose mode
client-to-client

#add
#username-as-common-name
#duplicate-cn
#client-cert-not-required

样品视图
