I have set up a tunnel with OpenVPN so that remote clients can reach private resources as if they were clients on the private network. It uses a client on the private network as a gateway:

DistantClient <-> OpenVPN server <-> PrivateNetworkClient

This works with a TAP tunnel, but TAP is not available on Android. Is there a way to get the same result with TUN?

Actual configuration:

Remote client

OpenVPN client configuration file:
```
client
dev tap
proto udp
remote XX.XX.XX.XX 1234
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
<ca>[...]</ca>
<key>[...]</key>
<cert>[...]</cert>
# private networks resolutions, 10.11.0.3 is the gateway-client IP on OpenVPN server
route 20.42.0.0 255.255.255.0 10.11.0.3
route 21.16.10.0 255.255.255.0 10.11.0.3
```
Gateway client

`net.ipv4.ip_forward=1` is enabled.

iptables rules (iptables-restore format; table headers and COMMIT lines added so the file loads as a whole):

```
*filter
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.11.0.0/24 -d 21.16.10.0/24 -i tap0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 10.11.0.0/24 -d 20.42.0.0/24 -i tap0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
```

OpenVPN client configuration file:
```
client
dev tap
proto udp
remote XX.XX.XX.XX 1234
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
<ca>[...]</ca>
<key>[...]</key>
<cert>[...]</cert>
# Private forward
route 21.16.10.0 255.255.255.0 20.42.0.1
```
Server

`net.ipv4.ip_forward=1` is enabled.

iptables rules (iptables-restore format; COMMIT lines added so the file loads as a whole):

```
*filter
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-track-forward -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 1234 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -s 10.0.0.0/8 -o enp1s0 -j MASQUERADE
COMMIT
```

OpenVPN server configuration file:
```
port 1234
proto udp
dev tap
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/work-server.crt
key /etc/openvpn/server/work-server.key
dh /etc/openvpn/server/dh.pem
crl-verify /etc/openvpn/server/crl.pem
server 10.11.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
compress lz4
daemon
user nobody
group nogroup
explicit-exit-notify 1
push "explicit-exit-notify 1"
log-append /var/log/openvpn.log
verb 3
ifconfig-pool-persist /etc/openvpn/ipp.txt
client-to-client
```
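For the TUN case the question asks about, the following is one way to express the same topology in routed (TUN) mode. This is an added example and not configuration from the original question: in TUN mode the server cannot learn from Ethernet frames which client sits in front of 20.42.0.0/24 and 21.16.10.0/24, so it is told explicitly with `iroute` in a client-config-dir entry and pushes kernel routes to the other clients. The addresses are the ones from the question; the gateway client's certificate common name (`gateway-client`), the `/etc/openvpn/ccd` directory, `topology subnet` and the fixed `ifconfig-push` address are assumptions.

```conf
# /etc/openvpn/server/server.conf  (TUN variant; directives unchanged from the
# server config above, such as ca/cert/key, ciphers and logging, are omitted)
port 1234
proto udp
dev tun
topology subnet                      # every client gets an address in 10.11.0.0/24, like TAP
server 10.11.0.0 255.255.255.0
client-to-client

# Kernel routes on the server host for the subnets behind the gateway client.
# Without these, packets from the server for 20.42.0.0/24 never enter the tunnel.
route 20.42.0.0 255.255.255.0
route 21.16.10.0 255.255.255.0

# Per-client directory; the file name must equal the client certificate CN (assumed)
client-config-dir /etc/openvpn/ccd

# Push routes to the clients, replacing the static "route ... 10.11.0.3"
# lines in the remote client's config (the VPN gateway is filled in by OpenVPN)
push "route 20.42.0.0 255.255.255.0"
push "route 21.16.10.0 255.255.255.0"

# /etc/openvpn/ccd/gateway-client  (assumed CN of the gateway client's certificate)
# iroute maps the private subnets to this client inside the OpenVPN process
iroute 20.42.0.0 255.255.255.0
iroute 21.16.10.0 255.255.255.0
# Keep the gateway on a fixed tunnel address (optional; matches the TAP setup)
ifconfig-push 10.11.0.3 255.255.255.0
# Do not push the private-subnet routes back to the client that owns them
# (push-remove needs OpenVPN 2.4 or newer; it matches on the start of the option)
push-remove "route 20.42.0.0"
push-remove "route 21.16.10.0"

# Remote client: change "dev tap" to "dev tun" and delete the two static
# "route ... 10.11.0.3" lines (routes now arrive from the server).
# Gateway client: change "dev tap" to "dev tun"; keep its own
# "route 21.16.10.0 255.255.255.0 20.42.0.1" line, and change "-i tap0" to
# "-i tun0" in its FORWARD rules.
```

Two checks worth making after the switch: `ip route` on the server must show both private subnets pointing at `tun0` (the `route` directives), and the server log must not report "MULTI: bad source address from client" for traffic returning from the gateway, which is the symptom of a missing `iroute`. Note also that with `client-to-client` the server forwards packets between clients inside the OpenVPN process, so they never traverse the server's iptables FORWARD chain; the gateway client's own `FORWARD` rules remain the place where traffic from the 10.11.0.0/24 clients into the private subnets is filtered.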