I'm a bit lost on this, and I'd be very grateful for any help!
Setup
The network consists of HP V1910-24G switches. The whole company runs on VLAN-ID 100 in 192.168.2.0. The server running the OpenVPN server on Ubuntu Server is connected to VLAN-ID 30 in 192.168.22.0.
The server is running: Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-70-generic x86_64)
In the future I want to create several VLANs and connect them via VPN, so please treat this as an evaluation setup.
Server interface
Connected to port 14 of the switch, which is configured as follows:
untagged membership: 30
tagged membership: 100
Link Type: Hybrid
PVID: 30
The server's interfaces:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 4c:cc:6a:44:e0:db brd ff:ff:ff:ff:ff:ff
inet 192.168.22.100/24 brd 192.168.22.255 scope global enp2s0
valid_lft forever preferred_lft forever
inet6 fe80::4ecc:6aff:fe44:e0db/64 scope link
valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::877c:3d1b:90fa:736a/64 scope link stable-privacy
valid_lft forever preferred_lft forever
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:0c:12:89:73 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
7: VLAN_100@enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 4c:cc:6a:44:e0:db brd ff:ff:ff:ff:ff:ff
inet 192.168.2.100/24 brd 192.168.2.255 scope global VLAN_100
valid_lft forever preferred_lft forever
inet6 fe80::4ecc:6aff:fe44:e0db/64 scope link
valid_lft forever preferred_lft forever
OpenVPN configuration
port 1194
proto udp
dev tun
ca ......
cert ......
key ......
dh ......
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 192.168.22.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
Problem
I cannot ping any device in the 192.168.2.0 network other than the gateway/router (192.168.2.1) over the VPN connection. 99% of the packets are lost. Here is a tcpdump showing one ping packet that successfully made it back to the pinging device.
13:52:33.558835 In ethertype IPv4 (0x0800), length 100: 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 51, length 64
13:52:33.558862 Out 4c:cc:6a:44:e0:db ethertype IPv4 (0x0800), length 100: 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 51, length 64
13:52:33.558866 Out 4c:cc:6a:44:e0:db ethertype 802.1Q (0x8100), length 104: vlan 100, p 0, ethertype IPv4, 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 51, length 64
13:52:33.559398 In 00:1d:aa:b5:ee:e8 ethertype 802.1Q (0x8100), length 104: vlan 100, p 0, ethertype IPv4, 192.168.2.20 > 10.8.0.6: ICMP echo reply, id 5501, seq 51, length 64
13:52:33.559398 In 00:1d:aa:b5:ee:e8 ethertype IPv4 (0x0800), length 100: 192.168.2.20 > 10.8.0.6: ICMP echo reply, id 5501, seq 51, length 64
13:52:33.559427 Out ethertype IPv4 (0x0800), length 100: 192.168.2.20 > 10.8.0.6: ICMP echo reply, id 5501, seq 51, length 64
This is a packet that did not return to the VPN client.
13:52:34.571763 In ethertype IPv4 (0x0800), length 100: 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 52, length 64
13:52:34.571790 Out 4c:cc:6a:44:e0:db ethertype IPv4 (0x0800), length 100: 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 52, length 64
13:52:34.571794 Out 4c:cc:6a:44:e0:db ethertype 802.1Q (0x8100), length 104: vlan 100, p 0, ethertype IPv4, 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 52, length 64
13:52:34.572286 In 00:1d:aa:b5:ee:e8 ethertype IPv4 (0x0800), length 100: 192.168.2.20 > 10.8.0.6: ICMP echo reply, id 5501, seq 52, length 64
Something seems to be wrong with the vlan_tag on the packets. Pinging locally from/to the server works fine (192.168.2.100 -> 192.168.2.20 and vice versa).
How can I fix this? Thanks all!
ip route show
default via 192.168.22.1 dev enp2s0 proto static
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.2.0/24 dev VLAN_100 proto kernel scope link src 192.168.2.100
192.168.22.0/24 dev enp2s0 proto kernel scope link src 192.168.22.100
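As an added illustration, not part of the original question or answer, the following Python script correlates the ICMP echo request/reply pairs in the two `tcpdump -i any -e` excerpts above by (id, seq) and reports, per ping, whether the request left tagged on VLAN 100, whether the reply came back with that tag, and whether the reply was ever written back towards the tunnel. The sample capture is a constructed copy of the lines from the question; the rule that an `Out` record without a source MAC is the copy written to the point-to-point tun0 link is an assumption about how `tcpdump -i any` renders tun interfaces.

```python
"""Correlate ICMP echo request/reply pairs in `tcpdump -i any -e` output and
report, per ping, on which VLAN the request left and the reply came back, and
whether the reply was actually handed back to the tunnel interface."""
import re
from collections import defaultdict

# Constructed sample: the two exchanges from the question, copied into a string.
# seq 51 made it back to the VPN client, seq 52 did not.
SAMPLE = """\
13:52:33.558835 In ethertype IPv4 (0x0800), length 100: 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 51, length 64
13:52:33.558862 Out 4c:cc:6a:44:e0:db ethertype IPv4 (0x0800), length 100: 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 51, length 64
13:52:33.558866 Out 4c:cc:6a:44:e0:db ethertype 802.1Q (0x8100), length 104: vlan 100, p 0, ethertype IPv4, 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 51, length 64
13:52:33.559398 In 00:1d:aa:b5:ee:e8 ethertype 802.1Q (0x8100), length 104: vlan 100, p 0, ethertype IPv4, 192.168.2.20 > 10.8.0.6: ICMP echo reply, id 5501, seq 51, length 64
13:52:33.559398 In 00:1d:aa:b5:ee:e8 ethertype IPv4 (0x0800), length 100: 192.168.2.20 > 10.8.0.6: ICMP echo reply, id 5501, seq 51, length 64
13:52:33.559427 Out ethertype IPv4 (0x0800), length 100: 192.168.2.20 > 10.8.0.6: ICMP echo reply, id 5501, seq 51, length 64
13:52:34.571763 In ethertype IPv4 (0x0800), length 100: 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 52, length 64
13:52:34.571790 Out 4c:cc:6a:44:e0:db ethertype IPv4 (0x0800), length 100: 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 52, length 64
13:52:34.571794 Out 4c:cc:6a:44:e0:db ethertype 802.1Q (0x8100), length 104: vlan 100, p 0, ethertype IPv4, 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 52, length 64
13:52:34.572286 In 00:1d:aa:b5:ee:e8 ethertype IPv4 (0x0800), length 100: 192.168.2.20 > 10.8.0.6: ICMP echo reply, id 5501, seq 52, length 64
"""

# One tcpdump line: timestamp, direction, optional source MAC, plain or 802.1Q
# ethertype (with the VLAN id when tagged), then the ICMP echo summary.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>In|Out) "
    r"(?:(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5}) )?"
    r"ethertype (?P<eth>IPv4|802\.1Q) \([^)]*\), length \d+:"
    r"(?: vlan (?P<vlan>\d+), p \d+, ethertype IPv4,)?"
    r" (?P<src>\S+) > (?P<dst>\S+): ICMP echo (?P<kind>request|reply),"
    r" id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Verdict strings returned per (id, seq) pair.
OK = "ok"
NO_REPLY = "no reply seen"
UNTAGGED_REPLY = "reply came back without the VLAN tag the request left with"
NOT_FORWARDED = "reply seen but never written to the tunnel"


def parse(text):
    """Turn capture lines into dicts; lines that are not ICMP echo are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["vlan"] = int(d["vlan"]) if d["vlan"] else None  # None = no 802.1Q tag
        d["id"], d["seq"] = int(d["id"]), int(d["seq"])
        records.append(d)
    return records


def analyse(records):
    """Group records by ICMP (id, seq) and judge each exchange."""
    flows = defaultdict(list)
    for r in records:
        flows[(r["id"], r["seq"])].append(r)

    report = {}
    for key, recs in sorted(flows.items()):
        req_out = [r for r in recs if r["kind"] == "request" and r["dir"] == "Out"]
        rep_in = [r for r in recs if r["kind"] == "reply" and r["dir"] == "In"]
        request_vlans = sorted({r["vlan"] for r in req_out if r["vlan"] is not None})
        reply_vlans = sorted({r["vlan"] for r in rep_in if r["vlan"] is not None})
        # Assumption: an Out record with no source MAC is the copy written to the
        # point-to-point tun0 link, i.e. the reply handed back to the VPN client.
        returned = any(r["kind"] == "reply" and r["dir"] == "Out" and r["mac"] is None
                       for r in recs)
        tag_matches = bool(set(request_vlans) & set(reply_vlans))

        if not rep_in:
            verdict = NO_REPLY
        elif not tag_matches:
            verdict = UNTAGGED_REPLY
        elif not returned:
            verdict = NOT_FORWARDED
        else:
            verdict = OK
        report[key] = {
            "request_vlans": request_vlans,
            "reply_vlans": reply_vlans,
            "returned": returned,
            "verdict": verdict,
        }
    return report


def summarise(text):
    return analyse(parse(text))


if __name__ == "__main__":
    for (icmp_id, seq), info in summarise(SAMPLE).items():
        print(f"id {icmp_id} seq {seq}: request on VLAN {info['request_vlans']}, "
              f"reply on VLAN {info['reply_vlans']}, returned={info['returned']} "
              f"-> {info['verdict']}")
```

With `tcpdump -i any` a frame decoded on the VLAN_100 sub-interface and a genuinely untagged frame on enp2s0 both print without a tag, so the script does not trust a single untagged `In` line; it looks for the accompanying 802.1Q copy. For seq 51 that copy is present and the reply is written back out, so the verdict is `ok`; for seq 52 the reply only ever appears untagged and no tunnel-bound `Out` line follows, which is exactly the asymmetric return path the question's capture shows.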
Answer 1
It seems the whole idea was wrong.
This way the ping packets go directly from the OpenVPN server over VLAN 100 to 192.168.2.20. 192.168.2.20 answers 10.8.0.6, but it has to send its answer to the gateway (192.168.2.1) because it does not know 10.8.0.6. There it probably gets dropped because it comes from a different MAC address than the one that sent it.
Since there is a gateway between the VLANs anyway, I added a static route from 192.168.22.100 to 192.168.2.0 and, vice versa, from 192.168.2.0 to 10.8.0.0. So now there is a gateway between the server and all VLANs.