I want to route all traffic to another VPN node while:
- keeping the connection to the VPN server alive (already working)
- still accepting WAN connections on that client.
My client node configuration:
# 35.1.1.1: WAN IP of the VPN server
# 192.168.8.1: WAN gateway of the client
# 10.25.0.1: internal VPN server IP (not used below)
# 10.25.0.3: VPN gateway for the client (the gateway itself is also a client)
ip route add 35.1.1.1/32 via 192.168.8.1 # protect the route to the VPN server
ip route del default via 192.168.8.1 # remove the original default route
ip route add default via 10.25.0.3 # redirect everything to the other VPN node
When I run these commands, the gateway works: all traffic from the client node is routed through the VPN gateway (10.25.0.3) while the connection to the server (35.1.1.1/10.25.0.1) stays intact.
The only problem is that the client no longer accepts connections. I have read a bit about fwmark and source-based policy rules, but I don't understand what I actually need and which commands I have to enter.
Answer 1
To achieve this, this approach needs neither fwmark nor any additional firewall rules.
Here is my working configuration script. I tried to comment it as much as possible.
#!/bin/sh
INTERFACE=tun0 # the VPN interface
#REMOTEADDRESS=35.1.1.1 # real IP of the VPN server
REMOTEADDRESS=$(dig +short <VPN-Server> | tail -n1) # hostname of the VPN server, or replace the expression with the IP (see above); tail keeps the A record if dig prints a CNAME first
VPN_GATEWAY=10.25.0.3
#ORIGINAL_GATEWAY="via 192.168.8.1 dev eth0"
ORIGINAL_GATEWAY=$(ip route show | grep ^default | cut -d ' ' -f 2-5) # yields "via <gateway> dev <interface>"
ORIGINAL_NAMESERVER=$(grep ^nameserver /etc/resolv.conf | head -n1 | cut -d ' ' -f 2) # first nameserver only; one address per route
# Disable reverse path filtering (0). Loose mode (2) would also accept these asymmetric paths and drops less anti-spoofing protection.
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter # ETH device
echo 0 > /proc/sys/net/ipv4/conf/tun0/rp_filter # VPN device
ip route add $REMOTEADDRESS $ORIGINAL_GATEWAY # protect the route to the VPN server
ip route add $ORIGINAL_NAMESERVER $ORIGINAL_GATEWAY # OPTIONAL: protect the route to DNS. Required for Google Cloud.
ip route add $VPN_GATEWAY dev $INTERFACE
# Two /1 routes are more specific than a default route, so they win without touching the real default
ip route add 0.0.0.0/1 via $VPN_GATEWAY dev $INTERFACE
ip route add 128.0.0.0/1 via $VPN_GATEWAY dev $INTERFACE
# Add custom routing table (only once, not on every run)
grep -q '^200 custom$' /etc/iproute2/rt_tables || echo 200 custom >> /etc/iproute2/rt_tables
# Replies to WAN connections are sourced from the real client IP, so they are looked up in the custom table
ip rule add from 192.168.8.100 table custom prio 1 # real client IP
ip route del default via 192.168.8.1 # real gateway
ip route add default via 192.168.8.1 dev eth0 table custom
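As an added example (not the answer's own script), the same recipe written as a small generator so the commands can be reviewed before they are run as root: the default route is parsed by keyword instead of by cutting fixed fields, the policy table is referred to by number so /etc/iproute2/rt_tables never needs editing, and a point-to-point uplink without a "via" hop is handled. The function names (route_field, policy_routing_cmds, apply_policy_routing), the DRY_RUN variable and the sample route lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original answer. Function names, DRY_RUN
# and the sample route lines below are assumptions made for this example.

# Print the word that follows keyword $1 ("via", "dev", "src", ...) in the
# `ip route` line $2, wherever that keyword sits in the line.
route_field() {
    printf '%s\n' "$2" | awk -v k="$1" '
        { for (i = 1; i < NF; i++) if ($i == k) { print $(i + 1); exit } }'
}

# Emit the commands that keep the box reachable on its WAN address while
# everything it originates goes through the VPN gateway.
#   $1 default route line as printed by `ip route show default`
#   $2 public IP of the VPN server      $3 VPN-side gateway (another client)
#   $4 VPN interface                    $5 real client IP (empty: use the
#   route's "src" hint)                 $6 policy table number
policy_routing_cmds() {
    route="$1"; server="$2"; vpn_gw="$3"; vpn_if="$4"; table="$6"
    gw=$(route_field via "$route")
    dev=$(route_field dev "$route")
    client="${5:-$(route_field src "$route")}"
    if [ -z "$dev" ] || [ -z "$client" ]; then
        echo "cannot determine WAN device or client IP from: $route" >&2
        return 1
    fi
    # Point-to-point uplinks (e.g. ppp0) have no "via"; a bare "dev" is a valid next hop.
    if [ -n "$gw" ]; then wan_hop="via $gw dev $dev"; else wan_hop="dev $dev"; fi
    cat <<EOF
ip route add $server/32 $wan_hop
ip route add $vpn_gw/32 dev $vpn_if
ip route add 0.0.0.0/1 via $vpn_gw dev $vpn_if
ip route add 128.0.0.0/1 via $vpn_gw dev $vpn_if
ip route add default $wan_hop table $table
ip rule add from $client/32 lookup $table priority 1
ip route del default $wan_hop
EOF
}

# Run the generated commands, or only print them when DRY_RUN is set.
apply_policy_routing() {
    cmds=$(policy_routing_cmds "$@") || return 1
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$cmds"
    else
        printf '%s\n' "$cmds" | sh -e
    fi
}

# Usage with a constructed route line (dry run, so nothing on the host changes):
DRY_RUN=1 apply_policy_routing \
    'default via 192.168.8.1 dev eth0 proto dhcp src 192.168.8.100 metric 100' \
    35.1.1.1 10.25.0.3 tun0 '' 200
```

After applying it for real, confirm both paths with the kernel's own lookup: `ip route get 1.1.1.1` should name the VPN gateway, and `ip route get 1.1.1.1 from 192.168.8.100` should name the WAN gateway, because a reply to a WAN connection is sourced from the real client address and therefore hits the rule. Anything the box originates without binding to that address still follows the main table into the VPN, which is the intended split. Note that a DHCP client may re-install the main default route on lease renewal, so check `ip route show default` after a renewal if the redirect stops working.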