Routing some OpenVPN traffic into an IPSec tunnel on the server

I am trying to configure OpenVPN Access Server to route certain traffic through an IPSec tunnel that is established on the OpenVPN server itself. Here are the addressing details:

  • OpenVPN client IP range: 10.0.1.0/24
  • OpenVPN server IP (where clients connect): x.x.x.x
  • IPSec tunnel peer: y.y.y.y
  • IPSec tunnel subnets: (x.x.x.x) 10.0.1.0/24 <--> 172.30.239.0/25 (y.y.y.y)

From the OpenVPN client's point of view, the expected behaviour is this:

  • curl 172.30.239.75 -> traffic goes from the client to the OpenVPN server, is routed through the IPSec tunnel and ends up in the 172.30.239.0/25 network
  • curl google.com -> traffic goes from the client to the OpenVPN server and out through its default gateway to the public internet (not using the IPSec tunnel at all)

I assumed this setup would "just work", because the OpenVPN clients get their IP addresses from the same subnet as the IPSec tunnel, but unfortunately that is not the case.

I can reach the far IPSec subnet directly from the OpenVPN server, e.g. curl 172.30.239.75, so the tunnel and some of the routing work. But the same request run from an OpenVPN client times out (tcpdump shows the request arriving at the OpenVPN server and ending right there).

I have no idea what to do next. Can you help me? I'm quite new to this, so a detailed answer would be much appreciated! This question is related to one I asked earlier, but that one lacks enough detail to support an actual implementation.

Below I have tried to collect the relevant configuration, but let me know if any other information is important.

I have not added any custom interfaces, routes or iptables rules. Everything I tried either had no effect at all or broke things, so the output below is what the OpenVPN and IPSec setup produced on their own.

Interfaces

$ ifconfig (truncated)
as0t0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.0.1.1  netmask 255.255.255.128  destination 10.0.1.1

as0t1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.0.1.129  netmask 255.255.255.128  destination 10.0.1.129

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet x.x.x.x  netmask 255.255.252.0  broadcast x.x.x.x

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.1.7.177  netmask 255.255.252.0  broadcast 10.1.7.255

Routes

Below, [gw.gw.gw.gw] is the IP address of the default gateway of the eth0 interface

$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    0      0        0 eth0
10.0.0.0        10.1.4.1        255.0.0.0       UG    0      0        0 eth1
10.0.1.0        0.0.0.0         255.255.255.128 U     0      0        0 as0t0
10.0.1.128      0.0.0.0         255.255.255.128 U     0      0        0 as0t1
10.1.4.0        0.0.0.0         255.255.252.0   U     0      0        0 eth1
169.254.169.254 10.1.4.1        255.255.255.255 UGH   0      0        0 eth1
x.x.x.0         0.0.0.0         255.255.252.0   U     0      0        0 eth0



$ ip route list table all
172.30.239.0/25 via [gw.gw.gw.gw] dev eth0 table 220 proto static src 10.0.1.1
default via [gw.gw.gw.gw] dev eth0
10.0.1.0/25 dev as0t0 proto kernel scope link src 10.0.1.1
10.0.1.128/25 dev as0t1 proto kernel scope link src 10.0.1.129
x.x.x.0/22 dev eth0 proto kernel scope link src x.x.x.x
broadcast 10.0.1.0 dev as0t0 table local proto kernel scope link src 10.0.1.1
local 10.0.1.1 dev as0t0 table local proto kernel scope host src 10.0.1.1
broadcast 10.0.1.127 dev as0t0 table local proto kernel scope link src 10.0.1.1
broadcast 10.0.1.128 dev as0t1 table local proto kernel scope link src 10.0.1.129
local 10.0.1.129 dev as0t1 table local proto kernel scope host src 10.0.1.129
broadcast 10.0.1.255 dev as0t1 table local proto kernel scope link src 10.0.1.129
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast x.x.x.0 dev eth0 table local proto kernel scope link src x.x.x.x
local x.x.x.x dev eth0 table local proto kernel scope host src x.x.x.x
broadcast 185.26.51.255 dev eth0 table local proto kernel scope link src x.x.x.x

iptables

$ iptables-save
# Generated by iptables-save v1.8.4 on Thu May 27 23:20:08 2021
*nat
:PREROUTING ACCEPT [655:63952]
:INPUT ACCEPT [82:5300]
:OUTPUT ACCEPT [72:5613]
:POSTROUTING ACCEPT [72:5613]
:AS0_NAT - [0:0]
:AS0_NAT_POST_REL_EST - [0:0]
:AS0_NAT_PRE - [0:0]
:AS0_NAT_PRE_REL_EST - [0:0]
:AS0_NAT_TEST - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_PRE_REL_EST
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_POST_REL_EST
-A POSTROUTING -m mark --mark 0x2000000/0x2000000 -j AS0_NAT_PRE
-A AS0_NAT -o eth0 -j SNAT --to-source x.x.x.x
-A AS0_NAT -o eth1 -j SNAT --to-source 10.1.7.177
-A AS0_NAT -j ACCEPT
-A AS0_NAT_POST_REL_EST -j ACCEPT
-A AS0_NAT_PRE -m mark --mark 0x8000000/0x8000000 -j AS0_NAT
-A AS0_NAT_PRE -d 169.254.0.0/16 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 192.168.0.0/16 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 172.16.0.0/12 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 10.0.0.0/8 -j AS0_NAT_TEST
-A AS0_NAT_PRE -j AS0_NAT
-A AS0_NAT_PRE_REL_EST -j ACCEPT
-A AS0_NAT_TEST -o as0t+ -j ACCEPT
-A AS0_NAT_TEST -m mark --mark 0x4000000/0x4000000 -j ACCEPT
-A AS0_NAT_TEST -d 10.0.1.0/24 -j ACCEPT
-A AS0_NAT_TEST -j AS0_NAT
COMMIT
# Completed on Thu May 27 23:20:08 2021
# Generated by iptables-save v1.8.4 on Thu May 27 23:20:08 2021
*mangle
:PREROUTING ACCEPT [48:3312]
:INPUT ACCEPT [19672:4609821]
:FORWARD ACCEPT [32480:9628950]
:OUTPUT ACCEPT [18602:11259270]
:POSTROUTING ACCEPT [51071:20887532]
:AS0_MANGLE_PRE_REL_EST - [0:0]
:AS0_MANGLE_TUN - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_MANGLE_PRE_REL_EST
-A PREROUTING -i as0t+ -j AS0_MANGLE_TUN
-A AS0_MANGLE_PRE_REL_EST -j ACCEPT
-A AS0_MANGLE_TUN -j MARK --set-xmark 0x2000000/0xffffffff
-A AS0_MANGLE_TUN -j ACCEPT
COMMIT
# Completed on Thu May 27 23:20:08 2021
# Generated by iptables-save v1.8.4 on Thu May 27 23:20:08 2021
*filter
:INPUT ACCEPT [12:660]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18526:11256230]
:AS0_ACCEPT - [0:0]
:AS0_IN - [0:0]
:AS0_IN_NAT - [0:0]
:AS0_IN_POST - [0:0]
:AS0_IN_PRE - [0:0]
:AS0_IN_ROUTE - [0:0]
:AS0_OUT - [0:0]
:AS0_OUT_LOCAL - [0:0]
:AS0_OUT_POST - [0:0]
:AS0_OUT_S2C - [0:0]
:AS0_WEBACCEPT - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A INPUT -i lo -j AS0_ACCEPT
-A INPUT -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j AS0_ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j AS0_ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_WEBACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 943 -j AS0_WEBACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A FORWARD -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A FORWARD -o as0t+ -j AS0_OUT_S2C
-A OUTPUT -o as0t+ -j AS0_OUT_LOCAL
-A AS0_ACCEPT -j ACCEPT
-A AS0_IN -d 10.0.1.1/32 -j ACCEPT
-A AS0_IN -j AS0_IN_POST
-A AS0_IN_NAT -j MARK --set-xmark 0x8000000/0x8000000
-A AS0_IN_NAT -j ACCEPT
-A AS0_IN_POST -d 10.0.1.0/24 -j ACCEPT
-A AS0_IN_POST -o as0t+ -j AS0_OUT
-A AS0_IN_POST -j DROP
-A AS0_IN_PRE -d 169.254.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 192.168.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 172.16.0.0/12 -j AS0_IN
-A AS0_IN_PRE -d 10.0.0.0/8 -j AS0_IN
-A AS0_IN_PRE -j ACCEPT
-A AS0_IN_ROUTE -j MARK --set-xmark 0x4000000/0x4000000
-A AS0_IN_ROUTE -j ACCEPT
-A AS0_OUT -j AS0_OUT_POST
-A AS0_OUT_LOCAL -p icmp -m icmp --icmp-type 5 -j DROP
-A AS0_OUT_LOCAL -j ACCEPT
-A AS0_OUT_POST -j DROP
-A AS0_OUT_S2C -s 10.0.1.0/24 -j ACCEPT
-A AS0_OUT_S2C -j AS0_OUT
-A AS0_WEBACCEPT -j ACCEPT
COMMIT
# Completed on Thu May 27 23:20:08 2021

I also tried making the OpenVPN client subnet and the IPSec tunnel subnet not overlap, but in that case I couldn't find a way to set up the routing either. That setup is definitely an option if it is the better way, though.

Answer 1

The final solution turned out to be very simple and could be done entirely through the OpenVPN AS web UI.

All I had to do was:

  • VPN Settings > Routing
  • Set Should VPN clients have access to private subnets (non-public networks on the server side)? to Yes, using routing
  • Fill in the remote IPSec tunnel subnet (172.30.239.0/25). This is important. I had previously been entering the tunnel's local subnet (10.0.1.0/24), which is wrong.

After that, OpenVPN AS generated the following iptables rules (only the ones relevant to the subnet are shown):

*nat
-A AS0_NAT_TEST -d 172.30.239.0/25 -j ACCEPT

*filter
-A AS0_IN_POST -d 172.30.239.0/25 -j ACCEPT
-A AS0_OUT_S2C -s 172.30.239.0/25 -j ACCEPT

Everything works.
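As an added example (not part of the question or the answer), the following Python models the AS0_* chains from the iptables-save output above and traces a single client packet through filter FORWARD, nat POSTROUTING and the IPsec policy selector, once with nothing entered under VPN Settings > Routing, once with the local subnet the asker entered first, and once with the remote subnet from the answer. It assumes 203.0.113.10 as a stand-in for the masked server address x.x.x.x and 198.51.100.7 as a stand-in for a public destination, and it models only the rules shown on the page (the RELATED,ESTABLISHED shortcut that conntrack gives to reply packets is left out).

```python
# Added example, not from the question or answer: a model of the OpenVPN AS
# iptables chains shown above, used to trace why a client packet to the remote
# IPSec subnet is dropped before the fix and forwarded unchanged after it.
import ipaddress

# Values from the page. The server's public address is masked as x.x.x.x there;
# 203.0.113.10 is a constructed stand-in for it.
VPN_CLIENT_SUBNET = ipaddress.ip_network("10.0.1.0/24")
VPN_SERVER_TUN_IP = ipaddress.ip_address("10.0.1.1")
ETH0_PUBLIC_IP = "203.0.113.10"
ETH1_IP = "10.1.7.177"
# Destinations that AS0_IN_PRE / AS0_NAT_PRE divert for closer inspection.
PRIVATE_TEST_RANGES = [ipaddress.ip_network(n) for n in
                       ("169.254.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]
# The IPsec policy selector: local 10.0.1.0/24 <--> remote 172.30.239.0/25.
IPSEC_LOCAL = ipaddress.ip_network("10.0.1.0/24")
IPSEC_REMOTE = ipaddress.ip_network("172.30.239.0/25")


def _in_any(addr, networks):
    return any(addr in n for n in networks)


def forward_verdict(dst, private_subnets):
    """filter FORWARD for a NEW packet that entered on as0t+ (so it carries mark 0x2000000).

    private_subnets: networks entered under "VPN Settings > Routing", which AS turns
    into '-A AS0_IN_POST -d <net> -j ACCEPT' rules.
    """
    dst = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(n) for n in private_subnets]
    # AS0_IN_PRE: non-private destinations are accepted outright (internet-bound).
    if not _in_any(dst, PRIVATE_TEST_RANGES):
        return "ACCEPT"
    # AS0_IN: the server's own tunnel address is always reachable.
    if dst == VPN_SERVER_TUN_IP:
        return "ACCEPT"
    # AS0_IN_POST: the client subnet and every configured private subnet pass...
    if dst in VPN_CLIENT_SUBNET or _in_any(dst, nets):
        return "ACCEPT"
    # ...any other private destination is dropped, via AS0_OUT -> AS0_OUT_POST -> DROP
    # when it would leave on as0t+, or via the final DROP otherwise.
    return "DROP"


def postrouting_source(src, dst, out_iface, private_subnets):
    """nat POSTROUTING for the same packet: returns the source address after NAT.

    AS0_NAT_PRE sends private destinations through AS0_NAT_TEST, which exempts the
    client subnet and the configured private subnets from SNAT; everything else
    reaches AS0_NAT and is SNATed to the address of the egress interface.
    """
    dst_ip = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(n) for n in private_subnets]
    if _in_any(dst_ip, PRIVATE_TEST_RANGES):
        if out_iface.startswith("as0t") or dst_ip in VPN_CLIENT_SUBNET or _in_any(dst_ip, nets):
            return src  # AS0_NAT_TEST ACCEPT: no SNAT
    # AS0_NAT: SNAT by egress interface
    if out_iface == "eth0":
        return ETH0_PUBLIC_IP
    if out_iface == "eth1":
        return ETH1_IP
    return src


def trace(src, dst, out_iface, private_subnets):
    """Trace one client packet through filter FORWARD, nat POSTROUTING and the IPsec selector."""
    verdict = forward_verdict(dst, private_subnets)
    if verdict == "DROP":
        return {"forward": "DROP", "src_after_nat": None, "ipsec_match": False}
    new_src = postrouting_source(src, dst, out_iface, private_subnets)
    # The xfrm policy lookup sees the post-NAT packet: both selector halves must match.
    match = (ipaddress.ip_address(new_src) in IPSEC_LOCAL and
             ipaddress.ip_address(dst) in IPSEC_REMOTE)
    return {"forward": "ACCEPT", "src_after_nat": new_src, "ipsec_match": match}


if __name__ == "__main__":
    before = []                    # nothing entered under VPN Settings > Routing
    wrong = ["10.0.1.0/24"]        # the local tunnel subnet the asker entered at first
    after = ["172.30.239.0/25"]    # the remote IPsec subnet, as in the answer
    for label, cfg in (("before", before), ("wrong", wrong), ("after", after)):
        print(label, "client -> 172.30.239.75:", trace("10.0.1.5", "172.30.239.75", "eth0", cfg))
    # 198.51.100.7 is a constructed stand-in for a public address such as google.com.
    print("after client -> public:", trace("10.0.1.5", "198.51.100.7", "eth0", after))
```

The model reproduces what the asker saw: with nothing (or only 10.0.1.0/24, which AS already accepts) configured, a packet from 10.0.1.5 to 172.30.239.75 falls into the 172.16.0.0/12 test range and dies in AS0_IN_POST, so tcpdump sees it arrive and nothing leave. With 172.30.239.0/25 configured, FORWARD accepts it and the matching AS0_NAT_TEST exemption keeps the source at 10.0.1.5, which is what lets the packet match the 10.0.1.0/24 <--> 172.30.239.0/25 policy; the SNAT that AS0_NAT would otherwise apply for eth0 would rewrite the source to the public address and push the packet to the default gateway instead. Internet-bound traffic is untouched by the change: it bypasses AS0_IN_PRE, is SNATed to the eth0 address and does not match the selector.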
