OpenVPN:客户端连接后无法 ping 4.2.2.2

OpenVPN:客户端连接后无法 ping 4.2.2.2

我的客户端在连接到 VPN 时无法上网。我有

push "redirect-gateway def1"

root@vortex:/home# cat /proc/sys/net/ipv4/ip_forward
1

均已配置并开启。

服务器和客户端连接正常且没有错误，并且可以通过 VPN 互相 ping 通，但仅此而已。

root@vortex:/home# cat /etc/openvpn/server.conf

# OpenVPN server configuration as posted in the question. Review annotations
# were added as comments only; every directive is unchanged.
# NOTE(review): with "redirect-gateway" pushed below, the server must also NAT
# (MASQUERADE) 10.9.8.0/24 out of eth0. The nat table in the posted
# /etc/iptables/rules.v4 is empty, which matches the symptom (clients reach the
# server but nothing beyond it).
mode server
tls-server
# The "server" directive further down already implies "mode server" and
# "tls-server"; the two lines above are redundant but harmless.
port 1194
proto udp
dev tun

#ca      /usr/share/easy-rsa/keys/ca.crt    # generated keys
#cert    /usr/share/easy-rsa/keys/server.crt
#key     /usr/share/easy-rsa/keys/server.key  # keep secret
#dh      /usr/share/easy-rsa/keys/dh2048.pem

# PKI material. It is read at startup, before privileges are dropped to
# nobody/nogroup below; "persist-key" keeps it available after a restart.
ca      /pki/ca.crt
cert    /pki/issued/vortex.trade.com.crt
key     /pki/private/vortex.trade.com.key
dh      /pki/dh.pem
# NOTE(review): no "tls-auth"/"tls-crypt" key is configured, so the control
# channel accepts TLS handshakes from anyone who can reach UDP/1194. Adding
# tls-crypt (or tls-auth) on both ends is the usual hardening.

# VPN subnet: clients get addresses from 10.9.8.0/24, the server takes 10.9.8.1.
server 10.9.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Ping every 10 s, declare the peer dead after 120 s; in server mode the
# matching ping/ping-restart settings are also pushed to clients.
keepalive 10 120
comp-lzo         # Compression - must be turned on at both end
# NOTE(review): compression inside the tunnel is deprecated for security
# reasons (VORACLE-style plaintext recovery); consider removing it from both
# ends rather than keeping it enabled.
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 1  # verbose mode
# NOTE(review): verb 1 hides most diagnostics; use verb 3-4 while debugging.
# Drop privileges after startup; this relies on persist-key/persist-tun above.
user nobody
group nogroup
client-config-dir /etc/openvpn/ccd
# Lets VPN clients talk to each other directly; disable if that is not intended.
client-to-client
# Two separate redirect-gateway pushes. OpenVPN is expected to combine the
# flags, but the conventional, unambiguous form is a single line:
#   push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway def1"
push "redirect-gateway bypass-dhcp"
# presumably a LAN behind the server; the server must forward/NAT for it too -- verify
push "route 192.168.0.0 255.255.255.0"
#push "dhcp-option DNS 188.120.247.2"
#push "dhcp-option DNS 188.120.247.8"
#push "dhcp-option DNS 82.146.59.250"
# NOTE(review): on Linux clients a pushed DNS option is only applied by an
# up/down script (e.g. update-resolv-conf). The posted client.conf has none,
# so client DNS keeps using the local resolver (a DNS leak) until one is added.
push "dhcp-option DNS 4.2.2.2"

log /var/log/openvpn/openvpn.log

root@vortex:/home# cat /etc/iptables/rules.v4

# Generated by iptables-save v1.6.0 on Mon Jul 20 07:13:41 2020
# Review annotations were added as comment lines only; every rule is unchanged.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# --- INPUT: traffic addressed to the server itself ---
-A INPUT -i lo -j ACCEPT
# anti-spoofing: loopback source addresses arriving on a non-loopback interface
-A INPUT -s 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
# All return traffic is accepted here, so the ESTABLISHED-only "--sport" rules
# further down (53/80/443/695/3128/6667/9001/9030) can never match.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
# SSH on 2222 is dropped unless knockd has inserted (-I) a per-source ACCEPT
# ahead of this rule; knockd removes it again after cmd_timeout, and sessions
# already open then survive via the RELATED,ESTABLISHED rule above.
-A INPUT -p tcp -m tcp --dport 2222 -j DROP
# OpenVPN control/data channel
-A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 443 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED -m udp --sport 695 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 3128 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 6667 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 9001 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 9030 -j ACCEPT
# NOTE(review): everything a VPN client sends to the server itself is accepted
# on any port; restrict this to the services clients actually need.
-A INPUT -i tun0 -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied: "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# --- FORWARD: traffic routed through the server (VPN clients <-> Internet) ---
# Accepts every packet arriving on tun0, so the more specific
# "-s 10.9.8.0/24 -i tun0 -o eth0" rule right below it is shadowed.
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -s 10.9.8.0/24 -i tun0 -o eth0 -j ACCEPT
# return traffic from eth0 back to the VPN clients
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# presumably meant to expose a web service on VPN client 10.9.8.14 to other
# interfaces; there is no DNAT rule in the nat table for it -- verify intent
-A FORWARD -d 10.9.8.14/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied: "
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
# --- OUTPUT: egress allow-list for the server's OWN traffic. Forwarded VPN
# client traffic traverses FORWARD, not OUTPUT, so this chain does not
# explain why clients cannot reach 4.2.2.2. ---
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
# Replies from sshd (2222) and openvpn (1194). There is no general
# RELATED,ESTABLISHED rule in OUTPUT, so these two are required.
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 2222 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED -m udp --sport 1194 -j ACCEPT
# outbound services the server itself may open
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 443 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 695 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3128 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 6667 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 9001 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 9030 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_OUTPUT_denied: "
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Mon Jul 20 07:13:41 2020
# Generated by iptables-save v1.6.0 on Mon Jul 20 07:13:41 2020
*nat
# NOTE(review): the nat table is EMPTY. With "redirect-gateway" pushed by the
# server, packets from 10.9.8.0/24 leave eth0 with a private source address
# that is not routable on the Internet, so replies never return. The missing
# rule is:
#   -A POSTROUTING -s 10.9.8.0/24 -o eth0 -j MASQUERADE
# Put it in this file (or re-run iptables-save after adding it); a rule added
# only with the iptables command is lost the next time this file is restored.
:PREROUTING ACCEPT [58:7571]
:INPUT ACCEPT [8:2109]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [2:120]
COMMIT
# Completed on Mon Jul 20 07:13:41 2020
# Generated by iptables-save v1.6.0 on Mon Jul 20 07:13:41 2020
*mangle
# defaults only; nothing here affects the VPN
:PREROUTING ACCEPT [254:43256]
:INPUT ACCEPT [216:40502]
:FORWARD ACCEPT [7:420]
:OUTPUT ACCEPT [93:16424]
:POSTROUTING ACCEPT [100:16844]
COMMIT
# Completed on Mon Jul 20 07:13:41 2020

该问题似乎是在安装 knockd 之后出现的，但不确定。（从下面的 knockd.conf 看，它只会在 INPUT 链中增删 2222 端口的规则，不涉及 FORWARD 链和 nat 表，因此 knockd 本身不太可能是直接原因；更可能是在那前后重新保存 rules.v4 时丢掉了 NAT 规则。）

root@vortex:/home# cat /etc/knockd.conf

# knockd port-knocking configuration as posted (annotations are comments only).
# NOTE(review): only the INPUT chain (tcp/2222) is touched here; nothing below
# affects FORWARD or the nat table, so knockd itself is unlikely to be what
# broke VPN forwarding.
[options]
        UseSyslog
# NOTE(review): "IFACE" looks like an unfilled placeholder. knockd captures on
# exactly one interface and needs its real name here (e.g. eth0) -- verify.
    Interface = IFACE
[SSH]
# Three SYNs to the same port within 15 s open the door. A single repeated
# port is a weak knock sequence; distinct ports in a fixed order are usual.
        sequence = 90,90,90
        seq_timeout = 15
        tcpflags = syn
# Inserted at the top of INPUT, so it precedes the "--dport 2222 -j DROP" rule
# in the posted rules.v4; %IP% is the knocking source address.
        start_command = /sbin/iptables -I INPUT -i eth0 -s %IP% -p tcp --dport 2222 -j ACCEPT
# Removed again cmd_timeout seconds later; a session opened in that window is
# kept alive by the RELATED,ESTABLISHED rule in the posted INPUT chain.
        stop_command = /sbin/iptables -D INPUT -i eth0 -s %IP% -p tcp --dport 2222 -j ACCEPT
        cmd_timeout = 20

客户端：

root@Inspiron-laptop:/home/# cat /etc/openvpn/client.conf 
# OpenVPN client configuration as posted (annotations are comments only).
client
# "client" already implies tls-client and pull; the explicit tls-client below
# is redundant.
remote 188.120.224.182
# port/proto are left at the defaults (1194/udp), matching the server.
dev tun
#ifconfig 10.9.8.2 10.9.8.1
# (addresses are assigned from the server's 10.9.8.0/24 pool instead)
nobind
#persist-key
#persist-tun
tls-client
ca /etc/openvpn/ca.crt
cert /etc/openvpn/dell.trade.com.crt
key /etc/openvpn/dell.trade.com.key
# NOTE(review): no "remote-cert-tls server". Without it any certificate issued
# by this CA -- including another client's -- is accepted as the server, so a
# rogue client could impersonate it. Add the directive (the server certificate
# must then carry the server EKU, which easy-rsa's server type provides).
# NOTE(review): no tls-crypt/tls-auth here either, matching the server.
comp-lzo
# Must match the server. Tunnel compression is deprecated for security
# reasons (VORACLE); remove it from both ends if possible.
verb 3
# Also pushed by the server. Per OpenVPN's documented behaviour this installs a
# host route to 188.120.224.182 via the pre-VPN gateway, so pinging the
# server's WAN address does not exercise the tunnel at all.
redirect-gateway def1
# the server's "keepalive 10 120" presumably pushes ping-restart 120, overriding this -- verify
ping-restart 60
# NOTE(review): no up/down script (script-security + update-resolv-conf), so
# the pushed "dhcp-option DNS" is ignored on Linux and DNS keeps going to the
# local resolver -- a DNS leak once the tunnel carries traffic.
log /var/log/openvpn/openvpn.log

隧道接口正常

root@Inspiron-laptop:/home/# ifconfig

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1044649  bytes 565199288 (565.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1044649  bytes 565199288 (565.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.9.8.10  netmask 255.255.255.255  destination 10.9.8.9
        inet6 fe80::82a9:e454:8136:6d9f  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 29  bytes 4077 (4.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.43.160  netmask 255.255.255.0  broadcast 192.168.43.255
        inet6 fe80::3fdf:a130:31c3:32eb  prefixlen 64  scopeid 0x20<link>
        inet6 2600:100a:b128:d429:ef84:249c:a98d:f078  prefixlen 64  scopeid 0x0<global>
        inet6 2600:100a:b128:d429:9cdb:5dbf:2415:6022  prefixlen 64  scopeid 0x0<global>
        ether dc:53:60:6d:f3:62  txqueuelen 1000  (Ethernet)
        RX packets 7446346  bytes 5129002739 (5.1 GB)
        RX errors 0  dropped 212149  overruns 0  frame 0
        TX packets 4900063  bytes 859603059 (859.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlx1cbfcebf5fba: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.43.25  netmask 255.255.255.0  broadcast 192.168.43.255
        inet6 2600:100a:b128:d429:fc6e:cdca:d721:6d6c  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::fde3:a1d3:3dc5:56ec  prefixlen 64  scopeid 0x20<link>
        inet6 2600:100a:b128:d429:c93:106a:f84a:4f78  prefixlen 64  scopeid 0x0<global>
        ether 1c:bf:ce:bf:5f:ba  txqueuelen 1000  (Ethernet)
        RX packets 526561  bytes 480490738 (480.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 456675  bytes 94595265 (94.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

连接后，我可以从客户端 ping 通 VPN 服务器的 WAN 地址。（注意：这并不能证明隧道转发正常——redirect-gateway 会为 VPN 服务器地址添加一条经原网关的主机路由，下面这个 ping 根本不经过 tun0；TTL 为 46 也与走公网路径相符。要验证隧道，应 ping 服务器的隧道地址 10.9.8.1。）

root@Inspiron-laptop:/home/# ping 188.120.224.182
PING 188.120.224.182 (188.120.224.182) 56(84) bytes of data.
64 bytes from 188.120.224.182: icmp_seq=1 ttl=46 time=212 ms
64 bytes from 188.120.224.182: icmp_seq=2 ttl=46 time=310 ms
64 bytes from 188.120.224.182: icmp_seq=3 ttl=46 time=329 ms
64 bytes from 188.120.224.182: icmp_seq=4 ttl=46 time=180 ms
^C
--- 188.120.224.182 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 180.428/257.780/328.903/63.126 ms

但仅此而已

root@Inspiron-laptop:/home/# ping 4.2.2.2
PING 4.2.2.2 (4.2.2.2) 56(84) bytes of data.
^C
--- 4.2.2.2 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5098ms

我怀疑是防火墙的问题,但找不到问题所在。

答案1

您的 VPN 服务器上缺少对 IPv4 流量做源地址转换（NAT）的规则——您贴出的 /etc/iptables/rules.v4 中 nat 表是空的。也许它曾被删除，也许从未存在过，这无从判断。无论如何，只要在 nat 表中加入这样一条规则，客户端就应当能通过 VPN 访问 IPv4 网络了。类似：

iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

这应该能让您先跑起来。更稳妥的写法是只对 VPN 网段做 NAT，而不是对所有经 eth0 转发的流量：`iptables -t nat -A POSTROUTING -s 10.9.8.0/24 -o eth0 -j MASQUERADE`。加好后请用 `iptables-save > /etc/iptables/rules.v4` 持久化，否则重启时会重新载入 rules.v4 中空的 nat 表，规则随之丢失。另外，客户端能 ping 通 188.120.224.182 并不说明隧道正常——redirect-gateway 会为 VPN 服务器地址添加一条经原网关的主机路由，该 ping 不走隧道；请改用 `ping 10.9.8.1` 和 `traceroute 4.2.2.2` 来验证，并在服务器上查看 `iptables -t nat -L -v` 的计数是否增长。


警告：您的 VPN 服务器没有提供 IPv6 连接。这意味着您的 IPv6 流量不会经过 VPN，而会继续走本地链路。这称为泄漏（leak），通常是一个严重的问题——从您客户端的 ifconfig 输出看，wlp1s0 和 wlx1cbfcebf5fba 上都有 2600:100a::/64 的全局 IPv6 地址，所以这个泄漏在本例中是真实存在的。您需要重新配置 VPN 服务器以向客户端提供 IPv6 连接；在此之前，可以先在客户端禁用 IPv6 作为临时措施（较新的 OpenVPN 版本还提供 `block-ipv6` 选项，可由服务器推送以阻断 IPv6 泄漏）。
