OpenVPN connected but cannot access intranet sites

I have configured an OpenVPN server and can log in. But after the connection is established, I cannot access intranet websites.

The server's ifconfig is shown below

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:03:90:0b brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.253/24 brd 192.168.0.255 scope global noprefixroute enp1s0
       valid_lft forever preferred_lft forever
    inet6 fd01::5054:ff:fe03:900b/64 scope global dynamic noprefixroute 
       valid_lft 259sec preferred_lft 259sec
    inet6 fe80::5054:ff:fe03:900b/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none 
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::aa36:56c8:3a99:2a98/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

and the iptables output

Chain INPUT (policy ACCEPT 149 packets, 9788 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  322 37460 ACCEPT     udp  --  enp1s0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 346 packets, 28928 bytes)
 pkts bytes target     prot opt in     out     source               destination    

The server is hosted on a virtual machine running on KVM and is connected to the local network via a bridge. I think iptables has some problem with forwarding and accepting traffic from the tunnel to Ethernet. I really know nothing about iptables. Any help would be greatly appreciated.

Inside the office network

traceroute officework.net
traceroute to officework.net (192.168.0.2), 30 hops max, 60 byte packets
 1  192.168.0.2 (192.168.0.2)  2.994 ms !X  2.885 ms !X  2.841 ms !X

Outside the office network

traceroute officework.net
officework.net: Name or service not known
Cannot handle "host" cmdline arg `officework.net' on position 1 (argc 1)

Traceroute with IP

traceroute 192.168.0.2
traceroute to 192.168.0.2 (192.168.0.2), 30 hops max, 60 byte packets
 1  _gateway (192.168.43.1)  1.549 ms  1.416 ms  43.679 ms
 2  * * *
 3  10.71.135.19 (10.71.135.19)  31.621 ms  40.307 ms  31.470 ms
 4  192.168.31.239 (192.168.31.239)  31.274 ms 192.168.31.243 (192.168.31.243)  36.119 ms  40.036 ms
 5  192.168.37.9 (192.168.37.9)  39.465 ms  39.675 ms  39.683 ms
 6  172.25.11.164 (172.25.11.164)  35.374 ms  24.760 ms  35.150 ms
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

ifconfig, outside the office network

ifconfig
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 96  bytes 7644 (7.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 96  bytes 7644 (7.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.6  netmask 255.255.255.255  destination 10.8.0.5
        inet6 fe80::3374:cf7a:d81:cc05  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 39  bytes 3394 (3.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:87:ae:c6  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.43.187  netmask 255.255.255.0  broadcast 192.168.43.255
        inet6 2409:4060:9f:2013:387c:6e1c:5399:a2c7  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::31a:f142:92dd:f67a  prefixlen 64  scopeid 0x20<link>
        ether a8:a7:95:67:0f:23  txqueuelen 1000  (Ethernet)
        RX packets 6976  bytes 5783306 (5.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7029  bytes 1291358 (1.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Answer 1

You need to use the DNS server that hosts the intranet site's records, not a public DNS server. It is probably your internal server. Try entering the intranet site's IP address in the browser and see whether you can connect.

Answer 2

In the end Google did help solve this. As explained at https://openvpn.net/community-resources/how-to/#scope I added

push "route 192.168.0.0 255.255.255.0"

to the server configuration file, and added the iptables rules

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source  192.168.0.253

Now everything works. If you want DNS to work as well, just add the DNS server entry to your Wi-Fi or LAN connection, and you are in the office.
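The following is an added example, not code from the post above or from the OpenVPN project. It derives the two server-side pieces that Answer 2 adds (the pushed route and the NAT rule) from the addresses shown in the question, and adds the checks a practitioner would want alongside them: IP forwarding enabled explicitly, a FORWARD chain limited to the VPN-to-LAN direction plus return traffic rather than a blanket ACCEPT policy, and a single MASQUERADE rule. It assumes the VPN subnet is 10.8.0.0/24 (only tun0's 10.8.0.1 is visible in the question) and that enp1s0's primary address 192.168.0.253 is what MASQUERADE will use, which makes the separate SNAT rule in the answer redundant for traffic leaving on enp1s0. The functions only print what they would apply, so the output can be reviewed before it is run as root. The missing client route is also what the question's `traceroute 192.168.0.2` shows: the packets leave via the Wi-Fi gateway 192.168.43.1 instead of tun0.

```shell
#!/bin/sh
# Added example (not from the original post or OpenVPN). Prints the server-side
# routing and NAT setup for a routed OpenVPN server in front of a LAN.
# Assumptions: VPN subnet 10.8.0.0/24 (inferred from tun0 10.8.0.1), LAN
# 192.168.0.0/24 on enp1s0 (from the question's address listing).

VPN_NET="${VPN_NET:-10.8.0.0/24}"      # assumed; only 10.8.0.1 is shown
LAN_NET="${LAN_NET:-192.168.0.0/24}"   # from enp1s0 192.168.0.253/24
LAN_IF="${LAN_IF:-enp1s0}"
VPN_IF="${VPN_IF:-tun0}"

# Convert a prefix length (0-32) to the dotted-quad mask that OpenVPN's
# "route" directive expects, e.g. 24 -> 255.255.255.0.
cidr_to_netmask() {
    bits=$1
    mask=""
    i=0
    while [ "$i" -lt 4 ]; do
        if [ "$bits" -ge 8 ]; then
            octet=255
            bits=$((bits - 8))
        else
            octet=$(( (255 << (8 - bits)) & 255 ))
            bits=0
        fi
        mask="${mask}${mask:+.}${octet}"
        i=$((i + 1))
    done
    printf '%s\n' "$mask"
}

# Build the server.conf line that tells clients to send LAN traffic over the
# tunnel. Without it the client routes 192.168.0.0/24 via its local default
# gateway, which is what the question's traceroute shows.
# Argument: LAN network in CIDR form, e.g. 192.168.0.0/24.
push_route_line() {
    net=${1%/*}
    plen=${1#*/}
    printf 'push "route %s %s"\n' "$net" "$(cidr_to_netmask "$plen")"
}

# Print the kernel and iptables settings needed on the server. FORWARD only
# permits VPN -> LAN plus established/related replies, so the LAN cannot reach
# into the VPN range on its own, and one MASQUERADE rule rewrites the source to
# the LAN interface's address (192.168.0.253 here), which is what the answer's
# extra SNAT rule would also do.
forwarding_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -s $VPN_NET -d $LAN_NET -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE
EOF
}

# Read-only check for use on the running server: succeeds when forwarding is on.
ip_forward_enabled() {
    [ -r /proc/sys/net/ipv4/ip_forward ] &&
        [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

# Usage: sh vpn-forwarding.sh --show
# Review the printed lines, add the push line to server.conf and run the rest
# as root (they are not applied by this script).
if [ "${1:-}" = "--show" ]; then
    echo "# add to server.conf:"
    push_route_line "$LAN_NET"
    echo "# run on the server as root:"
    forwarding_rules
    ip_forward_enabled || echo "# note: net.ipv4.ip_forward is currently 0 on this host"
fi
```

The FORWARD rules matter even though the question's FORWARD policy is ACCEPT: relying on the default policy means every interface on the bridge can be forwarded to every other, while the explicit pair restricts forwarding to the tunnel and the LAN. Override `VPN_NET`, `LAN_NET`, `LAN_IF` or `VPN_IF` in the environment if the server uses different values.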
