I can't figure out which configuration is wrong, so that manual routing with OpenVPN does not work.
Here is the general idea for hiding the client's public IP behind the server:
[Application -> tun0(10.0.0.2) -> OpenVPN client] ----> [OpenVPN server(10.0.0.1) -> eth0 -> public IP] ----> [any site on the www]
What is absolutely certain is that everything works up to the OpenVPN server (10.0.0.1).
I can trace the traffic inside the OpenVPN tunnel on either the client or the server with tcpdump, or with the logs above at verb 7.
For the test I used curl as the client APP; a simple curl --interface tun0 google.com starts the chain.
Server config
dev tun0
lport 1100
proto udp
ifconfig 10.0.0.1 10.0.0.2
secret static 0
tun-mtu 1400
txqueuelen 1000
fragment 0
mssfix 0
log-append /var/some.log
verb 7
Also, ip_forward and masquerade (SNAT) are set to on:
# cd /proc/sys/net/ipv4
# cat ip_forward
1
# firewall-cmd --info-zone=public
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports: 1100/udp 1200/udp 1200/tcp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Client config
daemon
dev tun
remote [openvpn server's IP]
rport 1100
lport 1100
proto udp
ifconfig 10.0.0.2 10.0.0.1
secret static 1
writepid /run/tunpid
log-append /var/some.log
tun-mtu 1400
txqueuelen 1000
fragment 0
mssfix 0
verb 7
Also, any traffic through tun0 is manually routed to the peer OpenVPN server:
# ip route add default via 10.0.0.1 table vpn
# ip route list table vpn
default via 10.0.0.1 dev tun0
Other than the "def1" route (which would mean that traffic to any other host is routed through the VPN peer 10.0.0.1), this config means any traffic from tun0 is routed through the VPN peer.
Server log when the client runs curl --interface tun0 google.com
Sun Jun 5 06:52:37 2022 us=280095 UDPv4 READ [100] from [AF_INET][Client VPN Port]: DATA len=100
Sun Jun 5 06:52:37 2022 us=280157 PID_TEST [0] [STATIC-0] [EEEEEEEEEEEEEEEEEEEEEEEE] 1654411282:24 1654411282:25 t=1654411957[0] r=[0,64,15,0,1] sl=[40,24,64,528]
Sun Jun 5 06:52:37 2022 us=280176 TUN WRITE [60]
Sun Jun 5 06:52:37 2022 us=280782 TUN READ [60]
Sun Jun 5 06:52:37 2022 us=280803 UDPv4 WRITE [100] to [AF_INET][Client VPN Port]: DATA len=100
Sun Jun 5 06:52:37 2022 us=584143 TUN READ [60]
Sun Jun 5 06:52:37 2022 us=584220 UDPv4 WRITE [100] to [AF_INET][Client VPN Port]: DATA len=100
Sun Jun 5 06:52:38 2022 us=281407 UDPv4 READ [100] from [AF_INET][Client VPN Port]: DATA len=100
Sun Jun 5 06:52:38 2022 us=281460 PID_TEST [0] [STATIC-0] [1EEEEEEEEEEEEEEEEEEEEEEEE] 1654411282:25 1654411282:26 t=1654411958[0] r=[-1,64,15,0,1] sl=[39,25,64,528]
Sun Jun 5 06:52:38 2022 us=281471 TUN WRITE [60]
Sun Jun 5 06:52:38 2022 us=281984 TUN READ [60]
Sun Jun 5 06:52:38 2022 us=282006 UDPv4 WRITE [100] to [AF_INET][Client VPN Port]: DATA len=100
Sun Jun 5 06:52:40 2022 us=287353 UDPv4 READ [100] from [AF_INET][Client VPN Port]: DATA len=100
Sun Jun 5 06:52:40 2022 us=287413 PID_TEST [0] [STATIC-0] [23EEEEEEEEEEEEEEEEEEEEEEEE] 1654411282:26 1654411282:27 t=1654411960[0] r=[-3,64,15,0,1] sl=[38,26,64,528]
Sun Jun 5 06:52:40 2022 us=287425 TUN WRITE [60]
Sun Jun 5 06:52:40 2022 us=287924 TUN READ [60]
Sun Jun 5 06:52:40 2022 us=287948 UDPv4 WRITE [100] to [AF_INET][Client VPN Port]: DATA len=100
Sun Jun 5 06:52:42 2022 us=304171 TUN READ [60]
Sun Jun 5 06:52:42 2022 us=304246 UDPv4 WRITE [100] to [AF_INET][Client VPN Port]: DATA len=100
Sun Jun 5 06:52:46 2022 us=336203 TUN READ [60]
Sun Jun 5 06:52:46 2022 us=336289 UDPv4 WRITE [100] to [AF_INET][Client VPN Port]: DATA len=100
Sun Jun 5 06:52:54 2022 us=400251 TUN READ [60]
Sun Jun 5 06:52:54 2022 us=400332 UDPv4 WRITE [100] to [AF_INET][Client VPN Port]: DATA len=100
Any suggestion for solving the problem is appreciated. But I don't need suggestions to use the def1 default route, because that setup cannot meet the requirement that the client's traffic is not routed through OpenVPN unless tun0 is explicitly specified.
Tracing with conntrack -E shows that the client did ask the server, and the server tried to connect to google.com 142.250.74.174:80, but it did not change the source IP; it only wrote 10.0.0.2, so google.com cannot reply. In short, there is no masquerade on the server.
[NEW] udp 17 30 src=[Client's IP] dst=[Server's IP] sport=1100 dport=1100 [UNREPLIED] src=[Server's IP] dst=[Client's IP] sport=1100 dport=1100
[NEW] tcp 6 120 SYN_SENT src=10.0.0.2 dst=142.250.74.174 sport=60418 dport=80 [UNREPLIED] src=142.250.74.174 dst=[Server's IP] sport=80 dport=60418
[UPDATE] tcp 6 60 SYN_RECV src=10.0.0.2 dst=142.250.74.174 sport=60418 dport=80 src=142.250.74.174 dst=[Server's IP] sport=80 dport=60418
[UPDATE] udp 17 30 src=[Client's IP] dst=[Server's IP] sport=1100 dport=1100 src=[Server's IP] dst=[Client's IP] sport=1100 dport=1100
[UPDATE] udp 17 180 src=[Client's IP] dst=[Server's IP] sport=1100 dport=1100 src=[Server's IP] dst=[Client's IP] sport=1100 dport=1100 [ASSURED]
[UPDATE] tcp 6 59 SYN_RECV src=10.0.0.2 dst=142.250.74.174 sport=60418 dport=80 src=142.250.74.174 dst=[Server's IP] sport=80 dport=60418
[UPDATE] tcp 6 60 SYN_RECV src=10.0.0.2 dst=142.250.74.174 sport=60418 dport=80 src=142.250.74.174 dst=[Server's IP] sport=80 dport=60418
[UPDATE] tcp 6 60 SYN_RECV src=10.0.0.2 dst=142.250.74.174 sport=60418 dport=80 src=142.250.74.174 dst=[Server's IP] sport=80 dport=60418
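A way to read conntrack -E output like the lines above mechanically, as an added example that is not part of the original post: for each event conntrack prints the original-direction tuple (the packet as it entered the host) followed by the reply-direction tuple (the packet the kernel expects back). SNAT/MASQUERADE rewrites the reply tuple's dst, DNAT rewrites the reply tuple's src, so comparing the two tuples tells you what the nat table decided for that flow. The POSIX sh script below does that comparison; its sample lines are constructed in the layout of the post's output, with RFC 5737 documentation addresses (198.51.100.7 for [Client's IP], 203.0.113.5 for [Server's IP], 192.0.2.10 for a remote web host) standing in for the bracketed placeholders, and the 1200/tcp port-forward line is a hypothetical flow added to show the DNAT case. The check to key on for the post's own [NEW] tcp line is whether its reply tuple's dst reads as the server's public address or as 10.0.0.2.

```shell
#!/bin/sh
# Added example (not from the original post): classify the NAT state of
# conntrack(8) event lines such as the ones printed by `conntrack -E`.
#
# Each event carries two tuples: first the original direction, then the
# reply direction. SNAT/MASQUERADE rewrites the reply tuple's dst, DNAT
# rewrites the reply tuple's src. So:
#   orig src != reply dst  -> SNAT applied to this flow
#   orig dst != reply src  -> DNAT applied to this flow
#   both equal             -> no NAT; a private orig src gets no answer
#                             from the Internet

# nat_state LINE -> prints SNAT, DNAT, SNAT+DNAT, NO-NAT or UNPARSED
nat_state() {
    printf '%s\n' "$1" | awk '
    {
        n = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) { n++; src[n] = substr($i, 5) }
            else if ($i ~ /^dst=/) { dst[n] = substr($i, 5) }
        }
        if (n < 2) { print "UNPARSED"; exit }
        s = ""
        if (src[1] != dst[2]) s = "SNAT"
        if (dst[1] != src[2]) { if (s == "") s = "DNAT"; else s = s "+DNAT" }
        if (s == "") s = "NO-NAT"
        print s
    }'
}

# count_unnatted < LINES -> number of flows whose original source is in
# 10.0.0.0/8 and left unrewritten (the symptom of a missing masquerade rule)
count_unnatted() {
    c=0
    while IFS= read -r line; do
        osrc=$(printf '%s\n' "$line" | awk '
            { for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { print substr($i, 5); exit } }')
        case "$osrc" in
            10.*) if [ "$(nat_state "$line")" = NO-NAT ]; then c=$((c + 1)); fi ;;
        esac
    done
    echo "$c"
}

# Constructed sample events in the layout of the post's output.
# 198.51.100.7 = [Client's IP], 203.0.113.5 = [Server's IP], 192.0.2.10 = remote web host.
SAMPLE_TUNNEL='[NEW] udp 17 30 src=198.51.100.7 dst=203.0.113.5 sport=1100 dport=1100 [UNREPLIED] src=203.0.113.5 dst=198.51.100.7 sport=1100 dport=1100'
SAMPLE_MASQ='[NEW] tcp 6 120 SYN_SENT src=10.0.0.2 dst=192.0.2.10 sport=60418 dport=80 [UNREPLIED] src=192.0.2.10 dst=203.0.113.5 sport=80 dport=60418'
SAMPLE_NONAT='[NEW] tcp 6 120 SYN_SENT src=10.0.0.2 dst=192.0.2.10 sport=60418 dport=80 [UNREPLIED] src=192.0.2.10 dst=10.0.0.2 sport=80 dport=60418'
# hypothetical port-forward of 1200/tcp on the server to the client's tunnel address
SAMPLE_DNAT='[NEW] tcp 6 120 SYN_SENT src=198.51.100.7 dst=203.0.113.5 sport=40000 dport=1200 [UNREPLIED] src=10.0.0.2 dst=198.51.100.7 sport=1200 dport=40000'

# Live usage on the server: conntrack -E | while IFS= read -r l; do echo "$(nat_state "$l") $l"; done
for l in "$SAMPLE_TUNNEL" "$SAMPLE_MASQ" "$SAMPLE_NONAT" "$SAMPLE_DNAT"; do
    printf '%-9s %s\n' "$(nat_state "$l")" "$l"
done
printf 'unnatted private flows: %s\n' \
    "$(printf '%s\n' "$SAMPLE_TUNNEL" "$SAMPLE_MASQ" "$SAMPLE_NONAT" "$SAMPLE_DNAT" | count_unnatted)"
```

A flow reported as SNAT means the nat table chose a translation and the packet leaves eth0 with the public source; if such a flow still sits in SYN_SENT/SYN_RECV, the next things to look at are the forward policy of the firewall and a tcpdump on eth0 for the outgoing SYN and the returning SYN-ACK, rather than the masquerade rule itself. A NO-NAT flow with a 10.x source is the case where the masquerade rule genuinely did not match.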