OpenVPN LAN 设备无法访问客户端

OpenVPN LAN 设备无法访问客户端

我在 Ubuntu 22.04 Proxmox VM 中运行一个 OpenVPN 服务器,我可以从该服务器访问客户端,而这些客户端可以访问我内部 LAN 中的设备。我的问题是内部网络上的设备无法与 OpenVPN 客户端通信。

OpenVPN 服务器配置

# OpenVPN server profile for the 10.8.0.0/24 VPN described in this post
# (PiVPN-generated, see the trailer comment). Routed tunnel over UDP/31194;
# clients are pushed the whole 192.168.0.0/16 LAN.
dev tun
proto udp
port 31194
# Server identity: CA plus the server cert/key issued by the local easy-rsa PKI.
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/BigBlue_ddcfb602-831e-4315-8f53-b474de165743.crt
key /etc/openvpn/easy-rsa/pki/private/BigBlue_ddcfb602-831e-4315-8f53-b474de165743.key
#dh /etc/openvpn/easy-rsa/pki/dh2048.pem
dh /etc/openvpn/easy-rsa/pki/dh4096.pem
# One /24 for all clients; the server itself is 10.8.0.1 (the gateway the
# client route table further down shows for the pushed LAN route).
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 9.9.9.9"
push "dhcp-option DNS 149.112.112.112"
# Prevent DNS leaks on Windows
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
# NOTE(review): the client profile in this post discards this push with
# "pull-filter ignore redirect-gateway", so only the explicit routes apply there.
push "redirect-gateway def1"
# Lets VPN clients reach each other directly (forwarded inside OpenVPN, so the
# host FORWARD chain does not see that traffic). Remove it if clients only
# need the LAN.
client-to-client
client-config-dir /etc/openvpn/ccd
####################
# Exposes the entire LAN /16 to every client. For LAN hosts to answer, their
# traffic must (a) be routed back to this server -- the LAN hosts below use
# 192.168.9.10, presumably this VM's ens18 address (confirm) -- and (b) be
# accepted by the host FORWARD chain for NEW ens18->tun0 connections; the
# iptables listing below only accepts RELATED,ESTABLISHED in that direction.
push "route 192.168.0.0 255.255.0.0"
#push "block-outside-dns"
#data-ciphers  AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC
###########
# Active here, although the trailer comments describe it as opt-in (the
# trailing "#duplicate-cn" is redundant). Once several devices share one
# certificate, a CRL entry revokes all of them at once, so crl-verify can no
# longer revoke a single device.
duplicate-cn
#####################
keepalive 15 120
# Require the client EKU on the peer certificate, so a server certificate
# cannot be presented to connect as a client.
remote-cert-tls client
# Not enforced on the server; only the client profile below sets it. Consider
# enabling it here as well so older TLS versions are refused regardless of
# what a client asks for.
#tls-version-min 1.2
# HMAC-authenticated control channel (key direction 0; clients use 1).
# tls-crypt (commented out) would additionally encrypt the control channel.
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
#tls-crypt /etc/openvpn/easy-rsa/pki/ta.key 0
# Data channel: fixed CBC cipher, with data-ciphers negotiation left commented
# out above. NOTE(review): on OpenVPN 2.5+ "cipher" alone is deprecated in
# favour of "data-ciphers" -- confirm the server version before relying on it.
cipher AES-256-CBC
auth SHA256
# Drop root after start-up; persist-key/persist-tun keep the key material and
# the tun device across restarts, which the unprivileged user could not reopen.
user openvpn
group openvpn
persist-key
persist-tun
# Reject revoked client certificates.
crl-verify /etc/openvpn/crl.pem
# Connection status dump every 20 s, version-3 format.
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io

OpenVPN 服务器路由

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    100    0        0 ens18
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 ens18
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-82ab37e0a70e
172.19.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-fb0c0a1415c0
192.168.0.0     0.0.0.0         255.255.0.0     U     100    0        0 ens18

OpenVPN 服务器 iptables

iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-fb0c0a1415c0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-fb0c0a1415c0 -j DOCKER
-A FORWARD -i br-fb0c0a1415c0 ! -o br-fb0c0a1415c0 -j ACCEPT
-A FORWARD -i br-fb0c0a1415c0 -o br-fb0c0a1415c0 -j ACCEPT
-A FORWARD -o br-82ab37e0a70e -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-82ab37e0a70e -j DOCKER
-A FORWARD -i br-82ab37e0a70e ! -o br-82ab37e0a70e -j ACCEPT
-A FORWARD -i br-82ab37e0a70e -o br-82ab37e0a70e -j ACCEPT
-A FORWARD -d 10.8.0.0/24 -i ens18 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -i tun0 -o ens18 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 51821 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p udp -m udp --dport 51820 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-fb0c0a1415c0 -o br-fb0c0a1415c0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-fb0c0a1415c0 -o br-fb0c0a1415c0 -p tcp -m tcp --dport 3000 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-fb0c0a1415c0 -o br-fb0c0a1415c0 -p udp -m udp --dport 69 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3001 -j ACCEPT
-A DOCKER -d 172.18.0.5/32 ! -i br-82ab37e0a70e -o br-82ab37e0a70e -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-fb0c0a1415c0 ! -o br-fb0c0a1415c0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-82ab37e0a70e ! -o br-82ab37e0a70e -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-fb0c0a1415c0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-82ab37e0a70e -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

OpenVPN 客户端配置

# Client profile for the server above: routed UDP tunnel to the dynamic-DNS
# name on port 31194, with the server certificate pinned by name.
client
dev tun
proto udp
remote xibanga.duckdns.org 31194
resolv-retry infinite
nobind
# tls-auth key direction 1, the counterpart of the server's "tls-auth ... 0".
key-direction 1
# Require the server EKU on the peer certificate and pin its CN to the server
# certificate issued above; together these stop a client certificate from
# being presented as the server.
remote-cert-tls server
tls-version-min 1.2
verify-x509-name BigBlue_ddcfb602-831e-4315-8f53-b474de165743 name
# Must match the server's cipher/auth settings.
cipher AES-256-CBC
auth SHA256
# Only affects cached username/password prompts; this profile has no
# auth-user-pass, so it is harmless here.
auth-nocache
verb 3
#########################
# Discard the pushed "redirect-gateway def1": only 10.8.0.0/24 and the pushed
# 192.168.0.0/16 route use tun0 (see the client route table below). The pushed
# DNS options are still accepted.
pull-filter ignore redirect-gateway
# NOTE(review): /tmp is usually readable by every local user, so connection
# details in this log are visible to them -- consider a private path.
log /tmp/vpn.log
#############################
# Inline PKI material; the bodies are left empty in this post.
<ca>

</ca>
<cert>

</cert>
<key>

</key>
<tls-auth>

</tls-auth>

OpenVPN 客户端路由

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.0.0     10.8.0.1        255.255.0.0     UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

Lan windows 设备路由

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.9.59     25
         10.8.0.0    255.255.255.0     192.168.9.10     192.168.9.59     26
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      192.168.0.0      255.255.0.0         On-link      192.168.9.59    281
     192.168.9.59  255.255.255.255         On-link      192.168.9.59    281
     192.168.56.0    255.255.255.0         On-link      192.168.56.1    281
     192.168.56.1  255.255.255.255         On-link      192.168.56.1    281
   192.168.56.255  255.255.255.255         On-link      192.168.56.1    281
  192.168.255.255  255.255.255.255         On-link      192.168.9.59    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link      192.168.56.1    281
        224.0.0.0        240.0.0.0         On-link      192.168.9.59    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link      192.168.56.1    281
  255.255.255.255  255.255.255.255         On-link      192.168.9.59    281
===========================================================================

Lan Linux 设备路由

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    103    0        0 enp2s0
10.8.0.0        192.168.9.10    255.255.255.0   UG    0      0        0 enp2s0
10.10.20.0      0.0.0.0         255.255.255.0   U     102    0        0 enp3s0
10.145.79.0     0.0.0.0         255.255.255.0   U     0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 enp2s0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.30.32.0     0.0.0.0         255.255.254.0   U     0      0        0 hassio
192.168.0.0     0.0.0.0         255.255.0.0     U     103    0        0 enp2s0

答案1

我认为您需要在客户端上为 10.8 网络设置适当的网关

答案2

好的,使用服务器 IPTables 编辑原始帖子后发现了问题。

-P FORWARD DROP

解决问题

iptables -P FORWARD ACCEPT

说明:原有规则 `-A FORWARD -d 10.8.0.0/24 -i ens18 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` 只放行由 VPN 客户端发起的连接的回包,而 FORWARD 链的默认策略是 DROP,因此由 LAN 设备发起、经 ens18 进入并转发到 tun0 的新连接被丢弃。把默认策略改为 ACCEPT 虽然能解决问题,但也会放行该主机上所有未被显式规则命中的转发(例如从 ens18 进入 docker0 及各 br-* 网桥的流量);更收敛的做法是保留 `-P FORWARD DROP`,只增加一条 `iptables -A FORWARD -s 192.168.0.0/16 -i ens18 -o tun0 -d 10.8.0.0/24 -j ACCEPT`。另外,直接用 iptables 命令做的修改重启后不会保留,需要通过相应的持久化机制保存。
