I'm running into a routing problem (I think it's routing) on a Debian server. I have 2 routers acting as gateways (one of them is public). VPN clients connect to Router1, but because the OpenVpn outbound traffic goes back to them via Router2, all they get is a TLS handshake (blue arrow on the image).
Router1 has port 1194 forwarded to the Debian server's 2nd interface (192.168.40.39).
When I create a route for the client's IP, the client can connect to OVPN, e.g. ip route add client_ip via 192.168.40.40
Clients have dynamic IPs, so this is not a solution.
Configuration
Router1 (internal ip) 192.168.40.40
Router2 (internal ip) 192.168.40.1
Server 1st eth (internal ip) 192.168.40.2
Server 2nd eth (internal ip) 192.168.40.39
Routes
root@XXX:/etc/openvpn# ip route
default via 192.168.40.1 dev ens32 onlink
10.9.8.0/24 via 10.9.8.2 dev tun0
10.9.8.2 dev tun0 proto kernel scope link src 10.9.8.1
192.168.40.0/26 dev ens32 proto kernel scope link src 192.168.40.2
192.168.40.0/26 dev ens34 proto kernel scope link src 192.168.40.39
iptables
root@XXX:/etc/openvpn# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere state NEW udp dpt:openvpn
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
iptables nat
root@XXX:/etc/openvpn# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !loopback/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 anywhere
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
iptables mangle
root@XXX:/etc/openvpn# iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
/etc/network/interfaces
cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
#source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
#allow-hotplug ens32
auto ens32
iface ens32 inet static
address 192.168.40.2
netmask 255.255.255.192
gateway 192.168.40.1
auto ens34
iface ens34 inet static
address 192.168.40.39
netmask 255.255.255.192
gateway 192.168.40.40
openvpn server config
root@XXX:/etc/openvpn# cat server.conf
port 1194
proto udp
dev tun
local 192.168.40.39
tls-server
ca /etc/openvpn/easy-rsa/keys/ca.crt # generated keys
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # keep secret
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.9.8.0 255.255.255.0 # internal tun0 connection IP
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo # Compression - must be turned on at both end
persist-key
persist-tun
status log/openvpn-status.log
verb 6 # verbose mode
client-to-client
#add
#username-as-common-name
#duplicate-cn
#client-cert-not-required
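The post shows why the per-client `ip route add` works: replies sent from 192.168.40.39 follow the main table's default route (Router2, 192.168.40.1), so they leave through the wrong public address. The script below is an added example, not from the post or any answer: it sets up source-based policy routing so that everything sourced from the address Router1 forwards to (192.168.40.39 on ens34) leaves via Router1 (192.168.40.40), whatever the client's IP. Addresses and interface names come from the post; the routing table id 40, rule priority 100, the plan/apply/check split and the probe destination are my assumptions.

```shell
#!/bin/sh
# Added example: policy routing for the OpenVPN address (values from the post;
# TABLE, PRIO and the probe destination are assumptions, any unused table works).
set -eu

VPN_ADDR=192.168.40.39      # server 2nd eth, "local" in server.conf
VPN_IF=ens34
VPN_GW=192.168.40.40        # Router1 (forwards UDP/1194 to VPN_ADDR)
LAN_NET=192.168.40.0/26
TABLE=40                    # assumption: dedicated routing table id
PRIO=100                    # assumption: rule priority (before the main table)
PROBE_DST=1.1.1.1           # any public address, only used by "check"

# Emit the commands as text so they can be reviewed first, or pasted as
# post-up lines under "iface ens34" in /etc/network/interfaces.
plan_policy_routing() {
    cat <<EOF
ip route replace $LAN_NET dev $VPN_IF src $VPN_ADDR table $TABLE
ip route replace default via $VPN_GW dev $VPN_IF table $TABLE
ip rule add from $VPN_ADDR/32 lookup $TABLE priority $PRIO
EOF
}

# Apply the plan. "route replace" is idempotent; the rule is only added when
# an identical one is not already present, so re-running (post-up) is safe.
apply_policy_routing() {
    if ip rule show | grep -q "from $VPN_ADDR lookup $TABLE"; then
        plan_policy_routing | grep '^ip route' | sh -e
    else
        plan_policy_routing | sh -e
    fi
}

# Verify the reply path: a lookup sourced from VPN_ADDR must now pick
# Router1 on ens34 instead of the main-table default via Router2.
check_reply_path() {
    ip route get "$PROBE_DST" from "$VPN_ADDR" 2>/dev/null \
        | grep -q "via $VPN_GW dev $VPN_IF"
}

case "${1:-plan}" in
    plan)  plan_policy_routing ;;                          # default: print only
    apply) apply_policy_routing ;;                         # needs root
    check) check_reply_path && echo "replies from $VPN_ADDR leave via $VPN_GW" ;;
esac
```

Run it with no argument to review the commands, `apply` as root to install them, and `check` to confirm the reverse path; with the rule in place the kernel's reverse-path filter also accepts the forwarded packets arriving on ens34.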