OpenVPN client cannot communicate with the LAN

I am running FreshTomato 2023.5 and trying to set up an OpenVPN server. I can generate a client configuration and connect from an iPhone using the OpenVPN client. I can then ping the FreshTomato router, but I cannot ping or otherwise reach any machine on the internal LAN.

Having followed the instructions, I cannot see where I have misconfigured it - I understand that ticking "Push LAN0 (br0) to clients" should allow clients to see the machines on the LAN. Am I missing some rule?

My FreshTomato router's address is 192.168.10.1 - the internal LAN is 192.168.10.0/24 and the VPN subnet is 10.6.0.0/24.

The router is also the default gateway for my LAN.

Basic configuration:

[screenshot of the basic configuration page]

Advanced configuration:

I have also tried ticking the "Direct clients to redirect Internet traffic" option, but it made no difference - I assume that instructs the client to send all Internet traffic through the VPN. I would rather send only LAN-bound traffic. I believe this is called split tunnelling.

[screenshot of the advanced configuration page]

Client log (public IP and DNS name redacted)

[Feb 07, 2024, 19:53:13] START CONNECTION
[Feb 07, 2024, 19:53:13] ----- OpenVPN Start -----
OpenVPN core 3.8.3connect1 ios arm64 64-bit
[Feb 07, 2024, 19:53:13] OpenVPN core 3.8.3connect1 ios arm64 64-bit
[Feb 07, 2024, 19:53:13] Frame=512/2112/512 mssfix-ctrl=1250
[Feb 07, 2024, 19:53:13] NOTE: This configuration contains options that were not used:
[Feb 07, 2024, 19:53:13] Unsupported option (ignored)
[Feb 07, 2024, 19:53:13] 3 [ncp-ciphers] [CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CB...]
[Feb 07, 2024, 19:53:13] 11 [resolv-retry] [infinite]
[Feb 07, 2024, 19:53:13] UNKNOWN/UNSUPPORTED OPTIONS
[Feb 07, 2024, 19:53:13] 15 [status] [status]
[Feb 07, 2024, 19:53:13] EVENT: RESOLVE
[Feb 07, 2024, 19:53:13] Contacting xxx.xxx.xxx.xxx:1194 via UDP
[Feb 07, 2024, 19:53:13] EVENT: WAIT
[Feb 07, 2024, 19:53:13] Connecting to [x.x.co.uk]:1194 (86.31.66.136) via UDP
[Feb 07, 2024, 19:53:13] EVENT: CONNECTING
[Feb 07, 2024, 19:53:13] Tunnel Options:V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
[Feb 07, 2024, 19:53:13] Creds: Username/Password
[Feb 07, 2024, 19:53:13] Sending Peer Info:
IV_VER=3.8.3connect1
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=990
IV_MTU=1600
IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_AUTO_SESS=1
IV_GUI_VER=net.openvpn.connect.ios_3.4.1-5463
IV_SSO=webauth,openurl,crtext
IV_BS64DL=1

[Feb 07, 2024, 19:53:13] VERIFY OK: depth=1, /C=GB/ST=Yorks/L=York/O=FreshTomato/OU=IT/CN=server, signature: RSA-SHA256
[Feb 07, 2024, 19:53:13] VERIFY OK: depth=0, /C=GB/ST=Yorks/L=York/O=FreshTomato/OU=IT/CN=server, signature: RSA-SHA256
[Feb 07, 2024, 19:53:13] SSL Handshake: peer certificate: CN=server, 2048 bit RSA, cipher: TLS_CHACHA20_POLY1305_SHA256   TLSv1.3 Kx=any      Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD

[Feb 07, 2024, 19:53:13] Session is ACTIVE
[Feb 07, 2024, 19:53:13] EVENT: GET_CONFIG
[Feb 07, 2024, 19:53:13] Sending PUSH_REQUEST to server...
[Feb 07, 2024, 19:53:13] OPTIONS:
0 [route] [192.168.10.0] [255.255.255.0]
1 [dhcp-option] [DNS] [192.168.10.1]
2 [route-gateway] [10.6.0.1]
3 [topology] [subnet]
4 [ping] [15]
5 [ping-restart] [60]
6 [ifconfig] [10.6.0.2] [255.255.255.0]
7 [peer-id] [0]
8 [cipher] [CHACHA20-POLY1305]

[Feb 07, 2024, 19:53:13] PROTOCOL OPTIONS:
 cipher: CHACHA20-POLY1305
 digest: NONE
 key-derivation: OpenVPN PRF
 compress: NONE
 peer ID: 0
[Feb 07, 2024, 19:53:13] EVENT: ASSIGN_IP
[Feb 07, 2024, 19:53:13] NIP: preparing TUN network settings
[Feb 07, 2024, 19:53:13] NIP: init TUN network settings with endpoint: xxx.xxx.xxx.xxx
[Feb 07, 2024, 19:53:13] NIP: adding IPv4 address to network settings 10.6.0.2/255.255.255.0
[Feb 07, 2024, 19:53:13] NIP: adding (included) IPv4 route 10.6.0.0/24
[Feb 07, 2024, 19:53:13] NIP: adding (included) IPv4 route 192.168.10.0/24
[Feb 07, 2024, 19:53:13] NIP: adding DNS 192.168.10.1
[Feb 07, 2024, 19:53:13] NIP: allowFamily(AF_INET, 1)
[Feb 07, 2024, 19:53:13] NIP: allowFamily(AF_INET6, 1)
[Feb 07, 2024, 19:53:13] NIP: adding match domain ALL
[Feb 07, 2024, 19:53:13] NIP: adding DNS specific routes:
[Feb 07, 2024, 19:53:13] NIP: adding (included) IPv4 route 192.168.10.1/32
[Feb 07, 2024, 19:53:13] Connected via NetworkExtensionTUN
[Feb 07, 2024, 19:53:13] EVENT: CONNECTED [email protected]:1194 (xxx.xxx.xxx.xxx) via /UDP on NetworkExtensionTUN/10.6.0.2/ gw=[/] mtu=(default)

Client configuration (auto-generated by Tomato 2023.5)

remote x.x.x.x 1194
proto udp
dev tun
ncp-ciphers CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
client
remote-cert-tls server
; ca ca.pem
<ca>
... certs go here

Answer 1

"I can then ping the FreshTomato router, but I cannot ping or otherwise reach any machine on the internal LAN."

I am not sure how you installed the OpenVPN server, but it looks like you are missing IP forwarding (server side), so this command should fix it:

echo 1 > /proc/sys/net/ipv4/ip_forward

Some background: What is IP forwarding? How to enable IP forwarding on Linux?
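The client log above already shows the 192.168.10.0/24 route being pushed and installed on the iPhone, so the client side has what it needs and the remaining checks are on the router. The following POSIX shell script is an added example (my own, not the answerer's code and not part of FreshTomato) that tests the three server-side conditions tun traffic needs to reach the LAN: the IP forwarding sysctl the answer names, a FORWARD rule accepting packets from the tun interface, and a kernel route for the VPN subnet via that interface so replies from LAN hosts (which use this router as their default gateway) can get back. The tun interface name tun21 is an assumption, and the iptables-save and ip route lines used as sample input are constructed.

```shell
#!/bin/sh
# Added example: server-side checks for "VPN client can ping the router
# but nothing else on the LAN". Values from the question: LAN bridge br0,
# VPN subnet 10.6.0.0/24. Assumed: the OpenVPN server interface is tun21
# (FreshTomato's usual name for VPN server 1); adjust TUN_IF if yours differs.

VPN_NET="10.6.0.0/24"
LAN_IF="br0"
TUN_IF="tun21"

# check_ip_forward VALUE -> true when forwarding is on (the answer's fix)
check_ip_forward() {
    [ "$1" = "1" ]
}

# check_forward_rule IPTABLES_SAVE_OUTPUT -> true when the FORWARD chain
# accepts packets entering on the tun interface. Scoping the rule with
# "-o br0" keeps VPN clients from being forwarded anywhere but the LAN.
check_forward_rule() {
    printf '%s\n' "$1" | grep -Eq -e "^-A FORWARD .*-i ${TUN_IF} .*-j ACCEPT"
}

# check_return_route IP_ROUTE_OUTPUT -> true when the VPN subnet is routed
# out of the tun interface, so LAN replies find their way back
check_return_route() {
    printf '%s\n' "$1" | grep -Eq -e "^${VPN_NET} .*dev ${TUN_IF}"
}

# diagnose IP_FORWARD_VALUE IPTABLES_SAVE_OUTPUT IP_ROUTE_OUTPUT
# Prints one line per check; the exit status is the number of failed checks.
diagnose() {
    failures=0
    if check_ip_forward "$1"; then
        echo "OK   ip_forward=1"
    else
        echo "FAIL ip_forward is '$1'; run: echo 1 > /proc/sys/net/ipv4/ip_forward"
        failures=$((failures + 1))
    fi
    if check_forward_rule "$2"; then
        echo "OK   FORWARD accepts traffic arriving on ${TUN_IF}"
    else
        echo "FAIL no FORWARD ACCEPT rule for -i ${TUN_IF} (e.g. -i ${TUN_IF} -o ${LAN_IF} -j ACCEPT)"
        failures=$((failures + 1))
    fi
    if check_return_route "$3"; then
        echo "OK   ${VPN_NET} is routed via ${TUN_IF}"
    else
        echo "FAIL no route for ${VPN_NET} via ${TUN_IF}; is the OpenVPN server up?"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# live_check: gather the real values on the router (run as root; iptables-save
# and ip are assumed to be present, as they are on FreshTomato's BusyBox userland)
live_check() {
    diagnose "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables-save)" "$(ip route)"
}

# Constructed sample data mirroring the question's symptom: forwarding off,
# firewall rule and route present. Without arguments the script runs on this
# sample; with --live it reads the real system instead.
SAMPLE_RULES="-A FORWARD -i ${TUN_IF} -o ${LAN_IF} -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${TUN_IF} -j ACCEPT"
SAMPLE_ROUTES="${VPN_NET} dev ${TUN_IF} proto kernel scope link src 10.6.0.1
192.168.10.0/24 dev ${LAN_IF} proto kernel scope link src 192.168.10.1"

if [ "${1:-}" = "--live" ]; then
    live_check || echo "-> $? check(s) failed"
else
    diagnose "0" "$SAMPLE_RULES" "$SAMPLE_ROUTES" || echo "-> $? check(s) failed"
fi
```

On the sample data only the ip_forward check fails, which matches the answer's diagnosis; on a real router `sh check-vpn-lan.sh --live` reports whichever of the three is missing. Note that enabling forwarding with `echo 1 > /proc/sys/net/ipv4/ip_forward` does not survive a reboot, so once it is confirmed as the fix it belongs in the router's persistent firewall or init script.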
