How to migrate an OpenVPN setup from TAP to TUN

I built a tunnel setup with OpenVPN so that remote clients can reach private resources as if they were clients on the private network. It uses a client on the private network as the gateway.

DistantClient <-> OpenVPN server <-> PrivateNetworkClient

It works with a TAP tunnel, but TAP is not available on Android. Is there a way to get the same thing with TUN?

Current configuration:

Remote client

OpenVPN client configuration file

client
dev tap
proto udp
remote XX.XX.XX.XX 1234

cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
<ca>[...]</ca>
<key>[...]</key>
<cert>[...]</cert>

# private networks resolutions, 10.11.0.3 is the gateway-client IP on OpenVPN server
route 20.42.0.0 255.255.255.0 10.11.0.3
route 21.16.10.0 255.255.255.0 10.11.0.3

Gateway client

net.ipv4.ip_forward=1 is enabled

iptables rules

-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.11.0.0/24 -d 21.16.10.0/24 -i tap0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 10.11.0.0/24 -d 20.42.0.0/24 -i tap0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth0 -j MASQUERADE

OpenVPN client configuration file

client
dev tap
proto udp
remote XX.XX.XX.XX 1234

cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
<ca>[...]</ca>
<key>[...]</key>
<cert>[...]</cert>

# Private forward
route 21.16.10.0 255.255.255.0 20.42.0.1

Server

net.ipv4.ip_forward=1 is enabled

iptables rules

*filter
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-track-forward -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 1234 -j ACCEPT
*nat
-A POSTROUTING -s 10.0.0.0/8 -o enp1s0 -j MASQUERADE

OpenVPN server configuration file

port 1234
proto udp
dev tap

ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/work-server.crt
key /etc/openvpn/server/work-server.key
dh /etc/openvpn/server/dh.pem
crl-verify /etc/openvpn/server/crl.pem

server 10.11.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"

cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
compress lz4
daemon
user nobody
group nogroup
explicit-exit-notify 1
push "explicit-exit-notify 1"
log-append /var/log/openvpn.log
verb 3

ifconfig-pool-persist /etc/openvpn/ipp.txt
client-to-client
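The configs above show the three places a TAP-to-TUN migration touches: the `dev` directive on both sides, the `route ... 10.11.0.3` lines that send private subnets to the gateway client, and the iptables rules that name `tap0`. The checker below is an added example, not code from the question or from OpenVPN: it parses the directives as posted, flags every `dev tap`, every firewall rule bound to a TAP interface, and every client route whose gateway is another VPN client's address. That last case is the one that silently breaks in TUN mode: without a link layer the server cannot learn by ARP which client owns 20.42.0.0/24, so it needs an `iroute` for that subnet in the gateway client's client-config-dir file. The sample configs are constructed from the post, and the parser treats `iroute` lines appended to the server text as standing in for that CCD file.

```python
"""Lint OpenVPN client/server configs for a TAP -> TUN migration.

Added example: reports what must change when 'dev tap' becomes 'dev tun'.
Assumptions: plain-text configs as in the post; 'iroute' lines in the server
text stand in for the client-config-dir (CCD) file of the gateway client.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network


@dataclass
class OvpnConfig:
    dev: str | None = None
    server: Net | None = None                  # 'server <net> <mask>' pool
    routes: list[tuple[Net, str]] = field(default_factory=list)  # (subnet, gateway)
    iroutes: list[Net] = field(default_factory=list)
    client_to_client: bool = False


def parse_ovpn(text: str) -> OvpnConfig:
    """Extract only the directives relevant to routing; ignore inline <ca>/<key> blobs."""
    cfg = OvpnConfig()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        key, *args = line.split()
        if key == "dev" and args:
            cfg.dev = args[0]
        elif key == "server" and len(args) >= 2:
            cfg.server = Net(f"{args[0]}/{args[1]}", strict=False)
        elif key == "route" and len(args) >= 3:
            cfg.routes.append((Net(f"{args[0]}/{args[1]}", strict=False), args[2]))
        elif key == "iroute" and len(args) >= 2:
            cfg.iroutes.append(Net(f"{args[0]}/{args[1]}", strict=False))
        elif key == "client-to-client":
            cfg.client_to_client = True
    return cfg


def tun_migration_findings(client_text: str, server_text: str,
                           firewall_text: str) -> list[tuple[str, str]]:
    """Return (code, detail) pairs describing what blocks a working TUN setup."""
    client, server = parse_ovpn(client_text), parse_ovpn(server_text)
    findings: list[tuple[str, str]] = []
    for name, cfg in (("client", client), ("server", server)):
        if cfg.dev and cfg.dev.startswith("tap"):
            findings.append(("DEV_TAP", f"{name}: 'dev {cfg.dev}' must become 'dev tun'"))
    if client.dev and server.dev and client.dev[:3] != server.dev[:3]:
        findings.append(("DEV_MISMATCH", f"client {client.dev} vs server {server.dev}"))
    if server.server:
        for net, gw in client.routes:
            # A route whose next hop is inside the VPN pool points at another client.
            # In TUN mode the server process must own that mapping via 'iroute'.
            if ipaddress.IPv4Address(gw) in server.server and net not in server.iroutes:
                findings.append(("MISSING_IROUTE",
                                 f"route {net} via {gw}: add 'iroute {net.network_address} "
                                 f"{net.netmask}' to the CCD file of the client holding {gw}"))
    for raw in firewall_text.splitlines():
        m = re.search(r"-[io]\s+(tap\d+)", raw)
        if m:
            findings.append(("FW_IFACE", f"{m.group(1)} must become tun0 in: {raw.strip()}"))
    return findings


# Constructed from the post: remote-client config, server config, gateway firewall.
SAMPLE_CLIENT = """client
dev tap
remote XX.XX.XX.XX 1234
<ca>[...]</ca>
# private networks resolutions, 10.11.0.3 is the gateway-client IP on OpenVPN server
route 20.42.0.0 255.255.255.0 10.11.0.3
route 21.16.10.0 255.255.255.0 10.11.0.3
"""
SAMPLE_SERVER = """port 1234
dev tap
server 10.11.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
client-to-client
"""
SAMPLE_FW = """-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.11.0.0/24 -d 21.16.10.0/24 -i tap0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 10.11.0.0/24 -d 20.42.0.0/24 -i tap0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
"""


def run_sample() -> list[tuple[str, str]]:
    return tun_migration_findings(SAMPLE_CLIENT, SAMPLE_SERVER, SAMPLE_FW)


if __name__ == "__main__":
    for code, detail in run_sample():
        print(f"{code:15} {detail}")
```

Running it against the posted configs yields two `DEV_TAP` findings, two `MISSING_IROUTE` findings (one per private subnet routed via 10.11.0.3) and two `FW_IFACE` findings; feeding it the same configs with `dev tun`, `tun0` and the two `iroute` lines added returns nothing. The `client-to-client` directive already present in the server config is what lets the server hand packets from the remote client straight to the gateway client once it knows, via `iroute`, that the gateway client owns those subnets.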
