Similar to this question: unable to connect to MariaDB through an OpenVPN tunnel
I cannot connect to the MariaDB server through OpenVPN. The setup is as follows:
- Ubuntu 20.04
- mariadb Ver 15.1 Distrib 10.3.39-MariaDB
- OpenVPN 2.4.7
- UFW firewall
Findings and things I tried:
- Binding the interface to the public IP works; I can connect directly, but not through OpenVPN
- With the UFW firewall listening on the main interface, I tried port forwarding on the firewall, but got no connection through the tunnel
- I tried binding the interface to 0.0.0.0, but got no connection through the tunnel
- I tried disabling UFW completely, but still could not connect through the tunnel
- I tried removing the bind interface entirely, but got no connection through the tunnel
- For testing purposes I started a dummy listener on port 5000 (nc -l 5000) and telnetted to that port from my OpenVPN client; it connected to that port
- skip-networking is disabled
Conclusion: this is not a firewall problem, because I can connect to SAMBA through OpenVPN, and I also disabled the firewall completely and still could not establish a connection
Here is the interface setup
root@machine:/home/myuser# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether fa:16:3e:ce:de:9a brd ff:ff:ff:ff:ff:ff
inet *PUBLIC IP* brd *PUBLIC IP BROADCAST* scope global dynamic ens3
valid_lft 64288sec preferred_lft 64288sec
inet6 *PUBLIC IPV6* scope link
valid_lft forever preferred_lft forever
102: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.1.1/24 brd 10.8.1.255 scope global tun1
valid_lft forever preferred_lft forever
inet6 fe80::c446:2ce1:c480:a740/64 scope link stable-privacy
valid_lft forever preferred_lft forever
tcpdump check - my client has IP 10.8.1.2
tcpdump -i tun1 -n port 3306
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun1, link-type RAW (Raw IP), capture size 262144 bytes
09:26:53.954949 IP 10.8.1.2.59977 > 10.8.1.1.3306: Flags [S], seq 771542358, win 64240, options [mss 1286,nop,wscale 8,nop,nop,sackOK], length 0
09:26:54.969398 IP 10.8.1.2.59977 > 10.8.1.1.3306: Flags [S], seq 771542358, win 64240, options [mss 1286,nop,wscale 8,nop,nop,sackOK], length 0
09:26:56.979356 IP 10.8.1.2.59977 > 10.8.1.1.3306: Flags [S], seq 771542358, win 64240, options [mss 1286,nop,wscale 8,nop,nop,sackOK], length 0
09:27:00.989474 IP 10.8.1.2.59977 > 10.8.1.1.3306: Flags [S], seq 771542358, win 64240, options [mss 1286,nop,wscale 8,nop,nop,sackOK], length 0
Network status
netstat -naplut | grep 3306
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 158452/mysqld
MariaDB 50-server configuration
[server]
# this is only for the mysqld standalone daemon
[mysqld]
#
# * Basic Settings
#
user = mysql
pid-file = /run/mysqld/mysqld.pid
socket = /run/mysqld/mysqld.sock
#port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
#skip-external-locking
bind-address = 0.0.0.0
UFW status
ufw status
Status: active
To Action From
-- ------ ----
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
20/tcp ALLOW Anywhere
21/tcp ALLOW Anywhere
1194/udp ALLOW Anywhere
Samba ALLOW 10.8.1.0/24
16/tcp ALLOW Anywhere
Apache Full ALLOW Anywhere
1195 ALLOW Anywhere
1195/udp ALLOW Anywhere
3306/tcp ALLOW 10.8.1.0/24
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
20/tcp (v6) ALLOW Anywhere (v6)
21/tcp (v6) ALLOW Anywhere (v6)
1194/udp (v6) ALLOW Anywhere (v6)
16/tcp (v6) ALLOW Anywhere (v6)
Apache Full (v6) ALLOW Anywhere (v6)
1195 (v6) ALLOW Anywhere (v6)
1195/udp (v6) ALLOW Anywhere (v6)
Answer 1
There are three factors at play:
- You have a strict source restriction on 3306, scoped to 10.8.1.0/24
- You have a VPN, and VPNs sometimes automatically insert masquerade rules into iptables. This changes the client's source IP to the host's IP, which is then blocked by the strict source IP restriction.
- UFW is just a wrapper around iptables and does not show the whole picture. It simplifies adding simple rules, but is of no help when debugging a firewall configuration.
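The answer's point is that `ufw status` is a summary of a few chains, while the real packet path is the full iptables rule set: NAT rules that rewrite addresses, plus an INPUT chain that jumps through several `ufw-*` user chains before the policy applies. The script below is an added example, not part of the question or the answer: it reads an `iptables-save` dump and reports (a) which `nat` POSTROUTING rules rewrite the source of the VPN subnet and (b) the verdict the `filter` INPUT chain actually gives a fresh TCP SYN from a given source to a given port, following `-j` jumps into user chains. The embedded dump is constructed for illustration (the addresses mirror the question; the rules are invented), and the matcher is deliberately minimal: it understands `-s`, `-p`, `-i`, `--dport`, `--ctstate` and `-j`, and ignores `!` negation and other match extensions.

```python
"""Audit an iptables-save dump the way ufw's summary cannot.

Added example for this page; the sample dump is constructed, and the
rule matcher is a simplified model of iptables (no '!' negation, no
multiport, no address-range matches)."""
import sys
import shlex
import ipaddress

# Constructed iptables-save excerpt resembling a ufw + OpenVPN host.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.1.0/24 -o ens3 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:ufw-before-input - [0:0]
:ufw-user-input - [0:0]
-A INPUT -j ufw-before-input
-A INPUT -j ufw-user-input
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 1194 -j ACCEPT
-A ufw-user-input -s 10.8.1.0/24 -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_dump(text):
    """Return ({table: {chain: [rule_tokens]}}, {table: {chain: policy}})."""
    tables, policies, table = {}, {}, None
    for line in text.splitlines():
        if line.startswith("*"):                 # table header, e.g. *filter
            table = line[1:]
            tables[table], policies[table] = {}, {}
        elif line.startswith(":"):               # chain declaration with policy
            name, policy = line[1:].split()[:2]
            tables[table][name] = []
            policies[table][name] = None if policy == "-" else policy
        elif line.startswith("-A "):             # append rule to a chain
            tokens = shlex.split(line)[1:]
            tables[table][tokens[0]].append(tokens[1:])
    return tables, policies


def rule_options(tokens):
    """Flatten rule tokens into {option: value}; value-less flags map to True."""
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-") and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            opts[tok] = tokens[i + 1]
            i += 2
        else:
            opts[tok] = True
            i += 1
    return opts


def masquerade_rules(tables, subnet):
    """nat POSTROUTING rules that rewrite the source address of `subnet`.

    POSTROUTING only sees packets leaving the host (forwarded or locally
    generated); it never alters the source a local listener sees."""
    net = ipaddress.ip_network(subnet)
    hits = []
    for tokens in tables.get("nat", {}).get("POSTROUTING", []):
        opts = rule_options(tokens)
        if opts.get("-j") not in ("MASQUERADE", "SNAT"):
            continue
        src = opts.get("-s")
        if src is None or ipaddress.ip_network(src, strict=False).overlaps(net):
            hits.append(" ".join(tokens))
    return hits


def rule_matches(opts, src, proto, dport, iface):
    """Does a rule match a fresh (conntrack NEW) packet with these fields?"""
    if "-s" in opts and src not in ipaddress.ip_network(opts["-s"], strict=False):
        return False
    if "-p" in opts and opts["-p"] != proto:
        return False
    if "--dport" in opts and int(opts["--dport"]) != dport:
        return False
    if "-i" in opts and opts["-i"] != iface:
        return False
    if "--ctstate" in opts:                      # a new SYN is never ESTABLISHED
        return "NEW" in opts["--ctstate"].split(",")
    return True


def input_verdict(tables, policies, src_ip, proto, dport, iface, chain="INPUT"):
    """Walk the filter table from `chain`, following jumps into user chains.

    Returns (verdict, matching_rule_or_reason) for a new connection attempt."""
    filt = tables["filter"]
    src = ipaddress.ip_address(src_ip)
    for tokens in filt.get(chain, []):
        opts = rule_options(tokens)
        if not rule_matches(opts, src, proto, dport, iface):
            continue
        target = opts.get("-j")
        if target in TERMINAL:
            return target, " ".join(tokens)
        if target == "RETURN":
            break
        if target in filt:                       # user-defined chain: recurse
            verdict = input_verdict(tables, policies, src_ip, proto, dport, iface, target)
            if verdict[0] != "RETURN":
                return verdict
    if chain == "INPUT":                         # fell off the built-in chain
        return policies["filter"]["INPUT"], "chain policy"
    return "RETURN", chain                       # fell off a user chain


if __name__ == "__main__":
    # Real use: sudo iptables-save | python3 audit_rules.py
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    tables, policies = parse_dump(dump)
    print("source-rewriting NAT rules:", masquerade_rules(tables, "10.8.1.0/24"))
    print("INPUT verdict for 10.8.1.2 -> tcp/3306 on tun1:",
          input_verdict(tables, policies, "10.8.1.2", "tcp", 3306, "tun1"))
```

Run against a live host with `sudo iptables-save | python3 audit_rules.py` (the filename is arbitrary). On the constructed dump, the SYN from 10.8.1.2 to 3306 arriving on tun1 is accepted by the ufw-user-input rule, and the MASQUERADE rule is shown as present but, because it lives in POSTROUTING, it cannot be what rewrites the source of traffic aimed at the host's own listener; comparing that verdict with the unanswered SYNs in the tcpdump above tells you whether to keep looking in the firewall or elsewhere.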