OpenVPN: ICMP replies do not make it all the way back

I have:

  • Server: 192.168.5.77
  • openServerVPN: 192.168.5.202
  • Client 1: 10.8.1.2
  • Client 2: 10.8.0.3

When I ping the server from client 2:

server: tcpdump  icmp -n -q
14:41:32.689212 IP 192.168.5.202 > 192.168.5.77: ICMP echo request, id 12, seq 1, length 64
14:41:32.689257 IP 192.168.5.77 > 192.168.5.202: ICMP echo reply, id 12, seq 1, length 64
14:41:33.704333 IP 192.168.5.202 > 192.168.5.77: ICMP echo request, id 12, seq 2, length 64
14:41:33.704378 IP 192.168.5.77 > 192.168.5.202: ICMP echo reply, id 12, seq 2, length 64
openServerVPN tcpdump  icmp -n -q
16:41:32.691194 IP 10.8.0.3 > 192.168.5.77: ICMP echo request, id 12, seq 1, length 64
16:41:32.691573 IP 192.168.5.77 > 10.8.0.3: ICMP echo reply, id 12, seq 1, length 64
16:41:32.960443 IP 192.168.5.202 > 10.8.0.3: ICMP 192.168.5.202 udp port 53 unreachable, length 67
16:41:32.996227 IP 192.168.5.202 > 10.8.0.3: ICMP 192.168.5.202 udp port 53 unreachable, length 67
16:41:33.706305 IP 10.8.0.3 > 192.168.5.77: ICMP echo request, id 12, seq 2, length 64
16:41:33.706710 IP 192.168.5.77 > 10.8.0.3: ICMP echo reply, id 12, seq 2, length 64

The ping reply makes it back to client 2.

But when I ping from client 1, the server does not seem to know where openServerVPN is:

server: tcpdump  icmp -n -q
14:39:04.889226 IP 192.168.5.202 > 192.168.5.77: ICMP echo request, id 11, seq 48, length 64
14:39:04.889252 IP 192.168.5.77 > 192.168.5.202: ICMP echo reply, id 11, seq 48, length 64
14:39:05.912198 IP 192.168.5.202 > 192.168.5.77: ICMP echo request, id 11, seq 49, length 64
14:39:05.912238 IP 192.168.5.77 > 192.168.5.202: ICMP echo reply, id 11, seq 49, length 64
14:39:06.911324 IP 192.168.5.202 > 192.168.5.77: ICMP echo request, id 11, seq 50, length 64
14:39:06.911370 IP 192.168.5.77 > 192.168.5.202: ICMP echo reply, id 11, seq 50, length 64
14:39:07.496717 IP 192.168.5.202 > 192.168.5.77: ICMP host 192.168.5.202 unreachable, length 92
14:39:07.496739 IP 192.168.5.202 > 192.168.5.77: ICMP host 192.168.5.202 unreachable, length 92
14:39:07.496744 IP 192.168.5.202 > 192.168.5.77: ICMP host 192.168.5.202 unreachable, length 92
14:39:07.889982 IP 192.168.5.202 > 192.168.5.77: ICMP echo request, id 11, seq 51, length 64

openServerVPN tcpdump  icmp -n -q
16:38:59.879419 IP 10.8.1.2 > 192.168.5.77: ICMP echo request, id 11, seq 43, length 64
16:39:00.902542 IP 10.8.1.2 > 192.168.5.77: ICMP echo request, id 11, seq 44, length 64
16:39:01.879307 IP 10.8.1.2 > 192.168.5.77: ICMP echo request, id 11, seq 45, length 64
16:39:02.888641 IP 10.8.1.2 > 192.168.5.77: ICMP echo request, id 11, seq 46, length 64
16:39:03.880365 IP 10.8.1.2 > 192.168.5.77: ICMP echo request, id 11, seq 47, length 64
16:39:04.890346 IP 10.8.1.2 > 192.168.5.77: ICMP echo request, id 11, seq 48, length 64
16:39:05.913296 IP 10.8.1.2 > 192.168.5.77: ICMP echo request, id 11, seq 49, length 64
16:39:06.912412 IP 10.8.1.2 > 192.168.5.77: ICMP echo request, id 11, seq 50, length 64
16:39:07.891099 IP 10.8.1.2 > 192.168.5.77: ICMP echo request, id 11, seq 51, length 64

It gets the right IP to reply to, but the ping reply never reaches openServerVPN.

IPTABLE openServerVPN:

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  10.8.0.0/24          anywhere             ctstate NEW
    ACCEPT     all  --  10.8.1.0/24          anywhere             ctstate NEW

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    SNAT       all  --  10.8.1.0/24         !10.8.1.0/24          to:192.168.5.202
    SNAT       all  --  10.8.0.0/24         !10.8.0.0/24          to:192.168.5.202
    MASQUERADE  all  --  10.8.0.0/24          anywhere
    MASQUERADE  all  --  10.8.1.0/24          anywhere

[EDIT]

Also, when I ping openServerVPN from client 2, it works:

17:13:58.857825 IP 10.8.0.1 > 10.8.0.3: ICMP echo reply, id 16, seq 8, length 64
17:13:59.654237 IP 192.168.5.202 > 10.8.0.3: ICMP 192.168.5.202 udp port 53 unreachable, length 73
17:13:59.654300 IP 192.168.5.202 > 10.8.0.3: ICMP 192.168.5.202 udp port 53 unreachable, length 73
17:13:59.837156 IP 10.8.0.3 > 10.8.0.1: ICMP echo request, id 16, seq 9, length 64
17:13:59.837206 IP 10.8.0.1 > 10.8.0.3: ICMP echo reply, id 16, seq 9, length 64

But pinging openServerVPN from client 1 fails:

17:07:43.889960 IP 10.8.1.2 > 192.168.5.202: ICMP echo request, id 14, seq 17, length 64
17:07:44.897419 IP 10.8.1.2 > 192.168.5.202: ICMP echo request, id 14, seq 18, length 64
17:07:45.898396 IP 10.8.1.2 > 192.168.5.202: ICMP echo request, id 14, seq 19, length 64
17:07:46.900194 IP 10.8.1.2 > 192.168.5.202: ICMP echo request, id 14, seq 20, length 64
17:07:47.910821 IP 10.8.1.2 > 192.168.5.202: ICMP echo request, id 14, seq 21, length 64

[/EDIT]

Do you know what I should look at, or where I should try?
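
An added example, not part of the original post: a small Python helper that pairs ICMP echo requests with their replies in `tcpdump icmp -n -q` text output and lists the (id, seq) pairs that were never answered in that capture, which makes it easy to compare captures taken at different hops. The name `unanswered` and the two sample lists are assumptions of this example; the sample lines are copied from the openServerVPN captures in the post.

```python
import re

# One ICMP echo line as printed by `tcpdump icmp -n -q` in the captures above.
ECHO = re.compile(
    r"^\S+ IP (?P<src>\S+) > (?P<dst>[^:\s]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def unanswered(lines):
    """Return sorted (id, seq) pairs of echo requests with no reply in this capture."""
    pending = {}
    for line in lines:
        m = ECHO.match(line.strip())
        if not m:
            continue  # e.g. "udp port 53 unreachable" / "host unreachable" lines
        key = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "request":
            pending[key] = (m["src"], m["dst"])
        elif pending.get(key) == (m["dst"], m["src"]):
            # A reply counts only if its source and destination are the
            # request's destination and source (same addresses, swapped).
            del pending[key]
    return sorted(pending)

# Sample lines copied from the openServerVPN captures in the post.
VPN_FROM_CLIENT2 = [
    "16:41:32.691194 IP 10.8.0.3 > 192.168.5.77: ICMP echo request, id 12, seq 1, length 64",
    "16:41:32.691573 IP 192.168.5.77 > 10.8.0.3: ICMP echo reply, id 12, seq 1, length 64",
    "16:41:32.960443 IP 192.168.5.202 > 10.8.0.3: ICMP 192.168.5.202 udp port 53 unreachable, length 67",
    "16:41:33.706305 IP 10.8.0.3 > 192.168.5.77: ICMP echo request, id 12, seq 2, length 64",
    "16:41:33.706710 IP 192.168.5.77 > 10.8.0.3: ICMP echo reply, id 12, seq 2, length 64",
]
VPN_FROM_CLIENT1 = [
    "16:39:04.890346 IP 10.8.1.2 > 192.168.5.77: ICMP echo request, id 11, seq 48, length 64",
    "16:39:05.913296 IP 10.8.1.2 > 192.168.5.77: ICMP echo request, id 11, seq 49, length 64",
    "16:39:06.912412 IP 10.8.1.2 > 192.168.5.77: ICMP echo request, id 11, seq 50, length 64",
]

if __name__ == "__main__":
    for name, capture in (("client 2", VPN_FROM_CLIENT2), ("client 1", VPN_FROM_CLIENT1)):
        print(name, "unanswered on openServerVPN:", unanswered(capture))
```

Running the same function over the capture taken on the server (192.168.5.77) shows whether a reply left that host for a given sequence number even though it never appears on openServerVPN.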
