OpenVPN connection problem with an internal subnet

I have set up a VPN server inside a VLAN that has an internal subnet. On that VPN server there is an IPsec-based VPN configured, and it can reach the internal subnet.

In addition, I installed an OpenVPN server, but its clients cannot reach the internal subnet. The server configuration is as follows:

port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "route 10.16.0.0 255.255.0.0"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem

The internal subnet is 10.16.0.0/16.

A traceroute from a connected client to an IP address in the internal subnet shows the following output:

traceroute to 10.16.15.13 (10.16.15.13), 30 hops max, 60 byte packets
 1  10.8.0.1 (10.8.0.1)  1.867 ms  1.757 ms  1.677 ms
 2  * * *
 3  * * *

External connectivity from the connected client is working.

Output of ip route list:

0.0.0.0/1 via 10.8.0.1 dev tun0 
default via VM-GATEWAY dev ens3 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.4 
10.16.0.0/16 via 10.8.0.1 dev tun0 
VM-GATEWAY dev ens3 scope link 
128.0.0.0/1 via 10.8.0.1 dev tun0 
VM-IP via VM-GATEWAY dev ens3 

Output of ifconfig on the OpenVPN server:

ens19: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
    inet OPENVPN-HOST-IP  netmask 255.255.255.248  broadcast OPENVPN-HOST-GATEWAY
    inet6 fe80::9883:beff:fe99:305e  prefixlen 64  scopeid 0x20<link>
    ether 9a:83:be:99:30:5e  txqueuelen 1000  (Ethernet)
    RX packets 6500104  bytes 3982668113 (3.7 GiB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 7271114  bytes 4037705401 (3.7 GiB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
    inet 127.0.0.1  netmask 255.0.0.0
    inet6 ::1  prefixlen 128  scopeid 0x10<host>
    loop  txqueuelen 1  (Lokale Schleife)
    RX packets 0  bytes 0 (0.0 B)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 0  bytes 0 (0.0 B)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1280
    inet 192.168.42.1  netmask 255.255.255.255  destination 192.168.42.10
    ppp  txqueuelen 3  (Punkt-zu-Punkt-Verbindung)
    RX packets 208705  bytes 28271807 (26.9 MiB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 189459  bytes 120966692 (115.3 MiB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
    inet 10.16.0.1  netmask 255.255.0.0  destination 10.16.0.1
    inet6 fe80::f8ab:a6e:149f:eec4  prefixlen 64  scopeid 0x20<link>
    unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
    RX packets 269  bytes 19394 (18.9 KiB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 7  bytes 336 (336.0 B)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Output of iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
ACCEPT     all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Output of ip addr list:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 6e:3e:98:f6:26:2f brd ff:ff:ff:ff:ff:ff
3: ens19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 9a:83:be:99:30:5e brd ff:ff:ff:ff:ff:ff
    inet OPENVPN-HOST-IP/29 brd OPENVPN-BROADCAST-IP scope global ens19
       valid_lft forever preferred_lft forever
    inet 10.16.0.2/16 scope global ens19
       valid_lft forever preferred_lft forever
    inet6 fe80::9883:beff:fe99:305e/64 scope link 
       valid_lft forever preferred_lft forever
5: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0
10: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc pfifo_fast state UNKNOWN group default qlen 3
    link/ppp 
    inet 192.168.42.1 peer 192.168.42.10/32 scope global ppp0
       valid_lft forever preferred_lft forever
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 10.16.0.1/16 brd 10.16.255.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::4ef6:f672:4240:6eef/64 scope link flags 800 
       valid_lft forever preferred_lft forever

Contents of /etc/openvpn/openvpn-status.log:

OpenVPN CLIENT LIST
Updated,Tue Nov 27 19:38:12 2018
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
vm-monitoring,CLIENT-IP:53718,4883,3650,Tue Nov 27 19:38:05 2018
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.16.0.2,vm-monitoring,CLIENT-IP:53718,Tue Nov 27 19:38:07 2018
GLOBAL STATS
Max bcast/mcast queue length,1
END

Do you know how to solve this problem?

Answer 1

Your openvpn server is on a different subnet than 10.16.0.0. Change the line in your openvpn server configuration from

server 10.8.0.0 255.255.255.0

to

server 10.16.0.0 255.255.0.0

and restart the openvpn service.

Install iptables and enable port 1194 on the wan input chain:

iptables -t nat -A PREROUTING -p udp --dport 1194 -j ACCEPT

Enable forwarding of packets from 10.16.0.0 into the lan zone:

iptables -I INPUT -i tun0 -j ACCEPT 
iptables -I FORWARD -i tun0 -j ACCEPT 
iptables -I OUTPUT -o tun0 -j ACCEPT 
iptables -I FORWARD -o tun0 -j ACCEPT

Enable Internet access for the connected VPN clients:

iptables -t nat -A POSTROUTING -s 10.16.0.0/16 -o ens3 -j MASQUERADE
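
As an added diagnostic example (not part of the question or the answer above), the following Python script parses the kinds of artefacts quoted in this thread (the OpenVPN server configuration, the client's `ip route list`, and a server-side `iptables -t nat -S` dump) and reports the usual reasons client-to-LAN traffic dies after the first hop, as it does in the traceroute above: the client has no route to the LAN through the tunnel, the tunnel pool overlaps the internal subnet, or the LAN has no return path (NAT or a route) for the tunnel pool. All sample inputs are constructed; the gateway address 203.0.113.1, the LAN interface name `ens19` and the NAT rule are assumptions, not values taken from the poster's system.

```python
"""Diagnose why OpenVPN clients cannot reach an internal subnet (added example)."""
import ipaddress
import re

# --- constructed sample inputs, modelled on the outputs quoted in the question ---
SERVER_CONF = """\
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "route 10.16.0.0 255.255.0.0"
"""

# Client-side `ip route list`; VM-GATEWAY replaced by a documentation address (assumption).
CLIENT_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 203.0.113.1 dev ens3
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.4
10.16.0.0/16 via 10.8.0.1 dev tun0
203.0.113.1 dev ens3 scope link
128.0.0.0/1 via 10.8.0.1 dev tun0
"""

# Server-side `iptables -t nat -S` dump (constructed; ens19 is the assumed LAN interface).
SERVER_NAT_RULES = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o ens19 -j MASQUERADE
"""


def parse_server_conf(text):
    """Return (tunnel_pool, pushed_routes) from an OpenVPN server config."""
    pool, pushed = None, []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "server":
            pool = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        m = re.match(r'push\s+"route\s+(\S+)\s+(\S+)"', line)
        if m:
            pushed.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return pool, pushed


def parse_routes(text):
    """Parse `ip route list` lines into (network, via, dev) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        via = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((ipaddress.ip_network(dst, strict=False), via, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the way the kernel selects a route."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def nat_covers(nat_rules, pool, lan_iface):
    """True if a POSTROUTING MASQUERADE/SNAT rule rewrites the tunnel pool out lan_iface."""
    for line in nat_rules.splitlines():
        parts = line.split()
        if "-A" not in parts or "POSTROUTING" not in parts or "-j" not in parts:
            continue
        if parts[parts.index("-j") + 1] not in ("MASQUERADE", "SNAT"):
            continue
        src = ipaddress.ip_network(parts[parts.index("-s") + 1]) if "-s" in parts else ipaddress.ip_network("0.0.0.0/0")
        out = parts[parts.index("-o") + 1] if "-o" in parts else None
        if pool.subnet_of(src) and out in (None, lan_iface):
            return True
    return False


def diagnose(server_conf, client_routes, nat_rules, lan, lan_iface, target):
    """Return a list of findings explaining why `target` inside `lan` may be unreachable."""
    lan = ipaddress.ip_network(lan)
    pool, pushed = parse_server_conf(server_conf)
    findings = []
    if pool is None:
        return ["no 'server' line: tunnel pool unknown"]
    # Two interfaces carrying the same prefix make the kernel's egress choice ambiguous.
    if pool.overlaps(lan):
        findings.append(f"tunnel pool {pool} overlaps LAN {lan}: same prefix on tun0 and {lan_iface}")
    if not any(lan.subnet_of(p) or p.subnet_of(lan) for p in pushed):
        findings.append(f"no 'push route' covering {lan}")
    route = lookup(parse_routes(client_routes), target)
    if route is None or route[2] != "tun0":
        findings.append(f"client routes {target} via {route[2] if route else 'nothing'}, not tun0")
    # Without NAT, every LAN host needs a route back to the pool via the VPN server.
    if not nat_covers(nat_rules, pool, lan_iface):
        findings.append(f"no NAT for {pool} out {lan_iface}: LAN hosts need a return route to {pool}")
    return findings


if __name__ == "__main__":
    for f in diagnose(SERVER_CONF, CLIENT_ROUTES, SERVER_NAT_RULES, "10.16.0.0/16", "ens19", "10.16.15.13") or ["no problem found"]:
        print(f)
```

The client side of the question already passes the route check (10.16.0.0/16 is pushed and installed via tun0), so on real data the interesting outputs are the last two checks: whether the tunnel pool shares a prefix with the LAN, and whether LAN hosts have any path back to the pool. Feed the script the actual `ip route list`, server config and `iptables -t nat -S` text instead of the constructed samples to use it on a live setup.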
