How are DNS requests handled when using multiple OpenVPN connections and policy-based routing?


I have 2 subnets on my local network (192.168.4.0/24, 192.168.5.0/24) but only 1 gateway server (192.168.4.223), which has 2 OpenVPN connections (10.100.2.6/24, 10.100.3.6/24). The topology is as follows: [topology diagram]

I want the computers in 192.168.4.0/24 (e.g. computer B) to reach the Internet through OpenVPN server 2, and the computers in 192.168.5.0/24 (e.g. computer A) to reach the Internet through OpenVPN server 1.

On the OpenWrt router:

## What I did:
vi /etc/iproute2/rt_tables 
...
110    myovp   # Add a table for 192.168.5.0/24
...
# Then add rules for iproute2 and iptables:
ip rule add fwmark 110 table 110
ip rule add to 192.168.4.0/24 table main
ip route add default via 192.168.4.223 dev br-lan_1 table 110
iptables -t mangle -A PREROUTING -i br-lan_2 -j MARK --set-mark 110

## Some outputs:
# Output of `ip rule`:
0:      from all lookup local
32764:  from all to 192.168.4.0/24 lookup main
32765:  from all fwmark 0x6e lookup myovp
32766:  from all lookup main
32767:  from all lookup default
# Output of `ip route show`:
192.168.4.0/24 dev br-lan_1 proto kernel scope link src 192.168.4.1
192.168.5.0/24 dev br-lan_2 proto kernel scope link src 192.168.5.1
# Output of `ip route show table 110`:
default via 192.168.4.223 dev br-lan_1
# Output of `iptables -t mangle -L PREROUTING -v`
Chain PREROUTING (policy ACCEPT 871K packets, 177M bytes)
 pkts bytes target     prot opt in     out     source               destination
28030 1954K MARK       all  --  br-lan_2 any     anywhere             anywhere             MARK set 0x6e

On the Debian gateway server:

## What I did:
vi /etc/iproute2/rt_tables 
...
110    myovp   # Add a table for 192.168.5.0/24
...
# Then add rules for iproute2 and iptables:
ip rule add fwmark 110 table 110
ip rule add to 192.168.4.0/24 table main
ip rule add to 192.168.5.0/24 table main
ip route add default via 10.100.2.1 dev tun0 table 110
ip route add 192.168.5.0/24 via 192.168.4.1 dev enp4s0
iptables -t mangle -A PREROUTING -i enp4s0 -s 192.168.5.0/24 -j MARK --set-mark 110
# Then add rules for NAT and FORWARD:
iptables -A FORWARD -i enp4s0 -j ACCEPT
iptables -A FORWARD -i tun1 -o enp4s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp4s0 -o tun1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o enp4s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp4s0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o tun1 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.4.0/24 -o tun1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.5.0/24 -o tun0 -j MASQUERADE

## Some outputs:
# Output of `ip addr`:
...
4: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 10.100.3.6/24 scope global tun1
       valid_lft forever preferred_lft forever
    inet6 fe80::fd55:444a:552a:a454/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 10.100.2.6/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::af61:acf1:4e9c:b1a8/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
...
# Output of `ip route show`:
0.0.0.0/1 via 10.100.3.1 dev tun1
default via 192.168.4.1 dev enp4s0 proto static metric 100
10.100.2.0/24 dev tun0 proto kernel scope link src 10.100.2.5
10.100.3.0/24 dev tun1 proto kernel scope link src 10.100.3.5
128.0.0.0/1 via 10.100.3.1 dev tun1
192.168.4.0/24 dev enp4s0 proto kernel scope link src 192.168.4.223 metric 100
192.168.5.0/24 via 192.168.4.1 dev enp4s0
# Output of `ip route show table 110`:
default via 10.100.2.1 dev tun0
# Output of `ip rule`:
0:      from all lookup local
32763:  from all to 192.168.5.0/24 lookup main
32764:  from all to 192.168.4.0/24 lookup main
32765:  from all fwmark 0x6e lookup 110
32766:  from all lookup main
32767:  from all lookup default
# Output of `iptables -t filter -L -v`:
Chain INPUT (policy ACCEPT 30661 packets, 3126K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
2117K  194M ACCEPT     all  --  enp4s0 any     anywhere             anywhere
3394K 4191M ACCEPT     all  --  tun1   enp4s0  anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  enp4s0 tun1    anywhere             anywhere             state RELATED,ESTABLISHED
 1541  133K ACCEPT     all  --  tun0   enp4s0  anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  enp4s0 tun0    anywhere             anywhere             state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 35596 packets, 22M bytes)
 pkts bytes target     prot opt in     out     source               destination
 1044  108K ACCEPT     all  --  any    tun1    anywhere             anywhere
    0     0 ACCEPT     all  --  any    tun0    anywhere             anywhere
# Output of `iptables -t nat -L -v`:
Chain PREROUTING (policy ACCEPT 208K packets, 34M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 266 packets, 46150 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 98 packets, 5876 bytes)
 pkts bytes target     prot opt in     out     source               destination
27638 2036K MASQUERADE  all  --  any    tun1    192.168.4.0/24       anywhere
  347 19186 MASQUERADE  all  --  any    tun0    192.168.5.0/24       anywhere
Chain OUTPUT (policy ACCEPT 95 packets, 5636 bytes)
 pkts bytes target     prot opt in     out     source               destination
# Output of `iptables -t mangle -L PREROUTING -v`:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2829  215K MARK       all  --  enp4s0 any     192.168.5.0/24       anywhere             MARK set 0x6e

On both OpenVPN servers (apart from the subnet IP addresses and the Internet addresses, they are almost identical):

## What I did:
# First set up the OpenVPN server
# Then add rules for NAT and FORWARD:
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.100.2.0/24 -o eth0 -j MASQUERADE

## Some outputs
# Output of `ip addr`:
...
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 10.100.2.1/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::c31e:ba42:4cb5:d887/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
...
# Output of `iptables -t filter -L -v`:
Chain INPUT (policy ACCEPT 16M packets, 1026M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 1522K packets, 114M bytes)
 pkts bytes target     prot opt in     out     source               destination
 247M  192G ACCEPT     all  --  tun0   any     anywhere             anywhere
    0     0 ACCEPT     all  --  tun0   eth0    anywhere             anywhere             state RELATED,ESTABLISHED
 178M  106G ACCEPT     all  --  eth0   tun0    anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  tun0   any     10.100.2.0/24        anywhere
Chain OUTPUT (policy ACCEPT 16M packets, 1047M bytes)
 pkts bytes target     prot opt in     out     source               destination
55959 7717K ACCEPT     all  --  any    tun0    anywhere             anywhere
# Output of `iptables -t nat -L -v`:
Chain PREROUTING (policy ACCEPT 27M packets, 1809M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 11M packets, 605M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 5047 packets, 386K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 996K packets, 83M bytes)
 pkts bytes target     prot opt in     out     source               destination
  16M 1063M MASQUERADE  all  --  any    eth0    10.100.2.0/24        anywhere

At this point, computers in 192.168.4.0/24 (e.g. computer B) can connect to the Internet through OpenVPN server 2 perfectly.

But computers in 192.168.5.0/24 cannot resolve any hostnames. On computer A, `ping 8.8.8.8` works fine, and `tracert 8.8.8.8` shows that it reaches 8.8.8.8 through OpenVPN server 1, but `nslookup google.com 8.8.8.8` returns `Query refused`.

I'm really sorry for such a long post, but I honestly don't know what to do or what I'm missing. I'm not a networking expert, so any specific advice and help would be appreciated. Thanks!

Answer 1

Problem solved.

For some hard-to-explain reason, OpenWrt had added two rules to iptables by default:

iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53

I really don't know why the person who sold me the router added them. :(
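A quick way to spot this kind of transparent DNS interception on a router, added here as an example (it is not part of the original question or answer): the script scans `iptables-save` output for nat-table PREROUTING rules that REDIRECT or DNAT port 53, and is run against a constructed sample modelled on the two rules above. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: find nat PREROUTING rules that hijack DNS (port 53).
# Such a rule sends a client's query to 8.8.8.8 to the router's own
# resolver instead, which is why clients saw "Query refused" above.

# Print matching rules, one per line. Reads iptables-save text on stdin.
find_dns_intercepts() {
    awk '
        /^\*/ { table = substr($0, 2) }   # table header: "*nat", "*filter", ...
        table == "nat" && /^-A PREROUTING/ && /--dport 53 / &&
            /-j (REDIRECT|DNAT)/ { print }
    '
}

# Count matching rules in the text passed as $1; 0 means none found.
count_dns_intercepts() {
    printf '%s\n' "$1" | find_dns_intercepts | wc -l | tr -d ' '
}

# Constructed sample: the two rules from the answer, plus a port-5353
# redirect and a filter-table port-53 rule, neither of which must match.
SAMPLE='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -m tcp --dport 5353 -j REDIRECT --to-ports 5353
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
COMMIT'

# On a live router: iptables-save | find_dns_intercepts
# With the constructed sample this prints 2.
count_dns_intercepts "$SAMPLE"
```

Run it on the router after every firmware update or factory reset, since the rules came back "by default" here without the owner adding them.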
