I am running an OpenVPN server in an Ubuntu 22.04 Proxmox VM. From the server I can reach the clients, and the clients can reach devices on my internal LAN. My problem is that devices on the internal network cannot communicate with the OpenVPN clients.
OpenVPN server config
dev tun
proto udp
port 31194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/BigBlue_ddcfb602-831e-4315-8f53-b474de165743.crt
key /etc/openvpn/easy-rsa/pki/private/BigBlue_ddcfb602-831e-4315-8f53-b474de165743.key
#dh /etc/openvpn/easy-rsa/pki/dh2048.pem
dh /etc/openvpn/easy-rsa/pki/dh4096.pem
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 9.9.9.9"
push "dhcp-option DNS 149.112.112.112"
# Prevent DNS leaks on Windows
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
####################
push "route 192.168.0.0 255.255.0.0"
#push "block-outside-dns"
#data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC
###########
duplicate-cn
#####################
keepalive 15 120
remote-cert-tls client
#tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
#tls-crypt /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io
OpenVPN server routes
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.254 0.0.0.0 UG 100 0 0 ens18
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 ens18
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
172.18.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-82ab37e0a70e
172.19.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-fb0c0a1415c0
192.168.0.0 0.0.0.0 255.255.0.0 U 100 0 0 ens18
OpenVPN server iptables
iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-fb0c0a1415c0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-fb0c0a1415c0 -j DOCKER
-A FORWARD -i br-fb0c0a1415c0 ! -o br-fb0c0a1415c0 -j ACCEPT
-A FORWARD -i br-fb0c0a1415c0 -o br-fb0c0a1415c0 -j ACCEPT
-A FORWARD -o br-82ab37e0a70e -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-82ab37e0a70e -j DOCKER
-A FORWARD -i br-82ab37e0a70e ! -o br-82ab37e0a70e -j ACCEPT
-A FORWARD -i br-82ab37e0a70e -o br-82ab37e0a70e -j ACCEPT
-A FORWARD -d 10.8.0.0/24 -i ens18 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -i tun0 -o ens18 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 51821 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p udp -m udp --dport 51820 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-fb0c0a1415c0 -o br-fb0c0a1415c0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-fb0c0a1415c0 -o br-fb0c0a1415c0 -p tcp -m tcp --dport 3000 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-fb0c0a1415c0 -o br-fb0c0a1415c0 -p udp -m udp --dport 69 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3001 -j ACCEPT
-A DOCKER -d 172.18.0.5/32 ! -i br-82ab37e0a70e -o br-82ab37e0a70e -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-fb0c0a1415c0 ! -o br-fb0c0a1415c0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-82ab37e0a70e ! -o br-82ab37e0a70e -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-fb0c0a1415c0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-82ab37e0a70e -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
OpenVPN client config
client
dev tun
proto udp
remote xibanga.duckdns.org 31194
resolv-retry infinite
nobind
key-direction 1
remote-cert-tls server
tls-version-min 1.2
verify-x509-name BigBlue_ddcfb602-831e-4315-8f53-b474de165743 name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
#########################
pull-filter ignore redirect-gateway
log /tmp/vpn.log
#############################
<ca>
</ca>
<cert>
</cert>
<key>
</key>
<tls-auth>
</tls-auth>
OpenVPN client routes
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.0.0 10.8.0.1 255.255.0.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
LAN Windows device routes
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.9.59 25
10.8.0.0 255.255.255.0 192.168.9.10 192.168.9.59 26
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.0.0 255.255.0.0 On-link 192.168.9.59 281
192.168.9.59 255.255.255.255 On-link 192.168.9.59 281
192.168.56.0 255.255.255.0 On-link 192.168.56.1 281
192.168.56.1 255.255.255.255 On-link 192.168.56.1 281
192.168.56.255 255.255.255.255 On-link 192.168.56.1 281
192.168.255.255 255.255.255.255 On-link 192.168.9.59 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.56.1 281
224.0.0.0 240.0.0.0 On-link 192.168.9.59 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.56.1 281
255.255.255.255 255.255.255.255 On-link 192.168.9.59 281
===========================================================================
LAN Linux device routes
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.254 0.0.0.0 UG 103 0 0 enp2s0
10.8.0.0 192.168.9.10 255.255.255.0 UG 0 0 0 enp2s0
10.10.20.0 0.0.0.0 255.255.255.0 U 102 0 0 enp3s0
10.145.79.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 enp2s0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
172.30.32.0 0.0.0.0 255.255.254.0 U 0 0 0 hassio
192.168.0.0 0.0.0.0 255.255.0.0 U 103 0 0 enp2s0
Answer 1
I think you need to set a proper gateway for the 10.8 network on the clients.
Answer 2
OK, after editing the original post with the server iptables, the problem was found.
-P FORWARD DROP
Fix:
iptables -P FORWARD ACCEPT
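Added example, not part of the question or of either answer: a small POSIX shell script that opens LAN-to-VPN forwarding with one explicit rule while leaving the `-P FORWARD DROP` policy in place. The server's existing `-i ens18 -o tun0` rule only matches `RELATED,ESTABLISHED`, so a connection initiated from the LAN arrives as `NEW`, matches nothing, and hits the DROP policy; that is the whole reason LAN hosts could not reach clients. Flipping the policy to ACCEPT does fix that, but it is the host-wide setting Docker deliberately turns off (dockerd sets the policy back to DROP when it restarts), and with ACCEPT any packet for a container that the DOCKER chain's published-port rules do not match falls through to the policy and is forwarded, so every container port becomes reachable from any host that can route to the bridge subnets. The interface names (ens18, tun0), subnets (192.168.0.0/16, 10.8.0.0/24) and the DOCKER-USER chain are taken from the post; DOCKER-USER is Docker's documented hook for user rules, evaluated first in FORWARD and not rewritten by Docker. The `iptables -S` lines fed to the check are constructed from the post's output.

```shell
#!/bin/sh
# Added example (not from the post): admit LAN-initiated connections to
# OpenVPN clients with one scoped rule instead of "iptables -P FORWARD ACCEPT".
# Values below come from the post; override them through the environment.
LAN_IF="${LAN_IF:-ens18}"
TUN_IF="${TUN_IF:-tun0}"
LAN_NET="${LAN_NET:-192.168.0.0/16}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
# DOCKER-USER is evaluated first in FORWARD and Docker leaves it alone when it
# rewrites its own rules. On a host without Docker set CHAIN=FORWARD.
CHAIN="${CHAIN:-DOCKER-USER}"

# Print the iptables command that opens LAN -> VPN. The post's existing rule
# matches only RELATED,ESTABLISHED, so LAN-initiated (NEW) packets reach the
# DROP policy; this rule also admits NEW, but only for LAN_NET -> VPN_NET.
# The reverse direction (tun0 -> ens18 from 10.8.0.0/24) is already accepted
# by the rule the post shows, so replies need nothing extra.
vpn_forward_rules() {
    cat <<EOF
iptables -I $CHAIN 1 -i $LAN_IF -o $TUN_IF -s $LAN_NET -d $VPN_NET -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Read "iptables -S" output on stdin and succeed only if some ACCEPT rule in
# FORWARD or DOCKER-USER forwards LAN_IF -> TUN_IF without being limited to
# RELATED,ESTABLISHED (such a rule can never admit a LAN-initiated flow).
has_lan_to_vpn_rule() {
    grep -E -- "^-A (FORWARD|DOCKER-USER) .*-i $LAN_IF -o $TUN_IF .*-j ACCEPT" |
        grep -v -E -- "--ctstate (RELATED,ESTABLISHED|ESTABLISHED,RELATED)( |\$)" |
        grep -q .
}

# Usage:  sh lan2vpn.sh show              print the rule
#         sudo sh lan2vpn.sh apply        install it
#         sudo iptables -S | sh lan2vpn.sh check   audit a live ruleset
case "${1:-}" in
    show)  vpn_forward_rules ;;
    apply) vpn_forward_rules | sh -e ;;
    check) if has_lan_to_vpn_rule; then
               echo "ok: LAN -> VPN forward rule present"
           else
               echo "missing: no rule admits NEW LAN -> VPN traffic (policy DROP wins)"
               exit 1
           fi ;;
esac
```

After `apply`, ping a client's 10.8.0.x address from a LAN host and watch the packet counter climb with `iptables -L DOCKER-USER -v -n`; if `check` still reports the rule missing after a reboot, the rule was not persisted (on Ubuntu, `apt install iptables-persistent` and `netfilter-persistent save`). Two things the post's route tables already settle are worth confirming on a new LAN host before blaming the server: the host needs a route for 10.8.0.0/24 via the server (both LAN tables show 192.168.9.10), and a client that sits on 192.168.1.0/24 itself, as the posted client table does, reaches 192.168.1.x peers over eth0 rather than through the tunnel, so only the other 192.168.0.0/16 subnets exercise this rule.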