使用 tun 时允许欺骗

使用 tun 时允许欺骗

我有一个可用的 openvpn 设置,其中包含一个服务器和多个客户端。我该如何允许通过 openvpn 服务器进行 IP 欺骗?(演示安全概念)?

从客户端到服务器的正常 ping 操作一切顺利:

root@client: hping3 10.8.0.1
HPING 10.8.0.1 (tun0 10.8.0.1): NO FLAGS are set, 40 headers + 0 data bytes
len=40 ip=10.8.0.1 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=124.7 ms

root@server:/etc/openvpn# tcpdump -n -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
10:17:51.734167 IP 10.8.0.6.2146 > 10.8.0.1.0: Flags [], win 512, length 0

但是当欺骗数据包时,它不会到达 openvpn 服务器:

root@client: hping3 -a 10.0.8.120 10.8.0.1
HPING 10.8.0.1 (tun0 10.8.0.1): NO FLAGS are set, 40 headers + 0 data bytes

root@server:/etc/openvpn# tcpdump -n -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes

我当前的配置文件

服务器配置文件

local X.Y.Z.P
port 80
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
comp-lzo
persist-key
persist-tun
persist-local-ip
status openvpn-status.log
verb 3

客户端配置文件

client
dev tun
proto tcp
remote MYHOST..amazonaws.com 80
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3

相关内容