Problem with OpenVPN acting as both client and server
I have 3 Amazon VPCs (Dev - 10.100.0.0/16, QA - 10.101.0.0/16, Prod - 10.104.0.0/16). Each of these VPCs has an OpenVPN server. They assign client IPs as follows:

    Dev  - 10.100.0.0/16 - Tunnel 10.7.0.0/24
    QA   - 10.101.0.0/16 - Tunnel 10.8.0.0/24
    Prod - 10.104.0.0/16 - Tunnel 10.9.0.0/24

I have an on-premises Ubuntu 12.04 LTS server, and I have set up 3 client connections (one per VPC). I can ssh into this Ubuntu box and reach all three subnets (10.100, 10.101, 10.104) without any problem.
Here is my client config [DEV / 10.100.x / tun 10.7.0.x]:

    client
    dev tun
    proto udp
    remote dev.ip.addr 1193
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca /etc/openvpn/ca.crt
    auth-user-pass /tmp/password.txt
    comp-lzo
    verb 3
    reneg-sec 0
    tls-client
    remote-cert-tls server

Here is my client config [QA / 10.101.x / tun 10.8.0.x]:

    client
    dev tun
    proto udp
    remote qa.ip.addr 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca /etc/openvpn/ca.crt
    auth-user-pass /tmp/password.txt
    comp-lzo
    verb 3
    reneg-sec 0
    tls-client
    remote-cert-tls server

Here is my client config [PROD / 10.104.x / tun 10.9.0.x]:

    client
    dev tun
    proto udp
    remote prod.ip.addr 1195
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca /etc/openvpn/ca.crt
    auth-user-pass /tmp/password.txt
    comp-lzo
    verb 3
    reneg-sec 0
    tls-client
    remote-cert-tls server
Now, I want my employees (internally, in the office) to connect over VPN to this server (192.168.1.19), which has the 3 connections to my VPCs. And I want them to be able to reach the 10.100, 10.101 and 10.104 networks (via SQL client, telnet to the memcache servers, etc.). I want to route all traffic except ports 80, 443 and 3389 through this VPN interface.
OpenVPN server config on the office server (192.168.1.19 / tun 10.10.0.x):

    port 1196
    proto udp
    dev tun
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/hqs-openvpn.mycompany.co.crt
    key /etc/openvpn/easy-rsa/keys/hqs-openvpn.mycompany.co.key
    dh /etc/openvpn/easy-rsa/keys/dh1024.pem
    plugin /usr/lib/openvpn/openvpn-auth-pam.so /etc/pam.d/login
    #plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
    client-cert-not-required
    username-as-common-name
    server 10.10.0.0 255.255.255.0
    push "route 10.7.0.0 255.255.255.0"
    push "route 10.8.0.0 255.255.255.0"
    push "route 10.9.0.0 255.255.255.0"
    push "route 10.10.0.0 255.255.255.0"
    push "route 10.104.0.0 255.255.0.0"
    push "route 10.101.0.0 255.255.0.0"
    push "route 10.100.0.0 255.255.0.0"
    push "redirect-gateway def1"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    keepalive 5 30
    comp-lzo
    persist-key
    persist-tun
    verb 3
    user nobody
    group nogroup
    log-append /var/log/openvpn
    status /tmp/vpn.status 10
Here is the config I hand out to employees (192.168.1.x / tun 10.10.0.x):

    client
    dev tun
    proto udp
    remote 192.168.1.19 1196
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca /etc/openvpn/ca.crt
    auth-user-pass /tmp/password.txt
    comp-lzo
    verb 3
    reneg-sec 0
    tls-client
    remote-cert-tls server
From the server (via ssh to 192.168.1.19):

- I can reach 10.104
- I can reach 10.100
- I can reach 10.101

    root@vpn-hqs:~# traceroute 10.104.10.104
    traceroute to 10.104.10.104 (10.104.10.104), 30 hops max, 60 byte packets
     1  10.9.0.1 (10.9.0.1)  86.094 ms  86.079 ms  86.079 ms
     2  10.104.10.104 (10.104.10.104)  86.084 ms  86.086 ms  86.087 ms

    root@vpn-hqs:~# traceroute 10.100.10.168
    traceroute to 10.100.10.168 (10.100.10.168), 30 hops max, 60 byte packets
     1  10.7.0.1 (10.7.0.1)  87.130 ms  87.121 ms  87.121 ms
     2  10.100.10.168 (10.100.10.168)  87.126 ms  87.238 ms  87.243 ms

    root@vpn-hqs:~# traceroute 10.101.10.168
    traceroute to 10.101.10.168 (10.101.10.168), 30 hops max, 60 byte packets
     1  10.8.0.1 (10.8.0.1)  87.954 ms  87.939 ms  87.937 ms
     2  10.101.10.168 (10.101.10.168)  87.943 ms  87.944 ms  88.031 ms

    root@vpn-hqs:~# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 br0
    10.7.0.0        10.7.0.17       255.255.0.0     UG    0      0        0 tun0
    10.7.0.17       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
    10.8.0.0        10.8.0.33       255.255.0.0     UG    0      0        0 tun1
    10.8.0.33       0.0.0.0         255.255.255.255 UH    0      0        0 tun1
    10.9.0.0        10.9.0.13       255.255.0.0     UG    0      0        0 tun2
    10.9.0.13       0.0.0.0         255.255.255.255 UH    0      0        0 tun2
    10.10.0.0       10.10.0.2       255.255.255.0   UG    0      0        0 tun3
    10.10.0.2       0.0.0.0         255.255.255.255 UH    0      0        0 tun3
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
Here is the ifconfig of my server (192.168.1.19):

    root@vpn-hqs:~# ifconfig -a
    br0       Link encap:Ethernet  HWaddr 00:1d:09:26:43:3d
              inet addr:192.168.1.19  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: fe80::21d:9ff:fe26:433d/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:17149 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2770 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:2213528 (2.2 MB)  TX bytes:286915 (286.9 KB)

    eth0      Link encap:Ethernet  HWaddr 00:1d:09:26:43:3d
              inet6 addr: fe80::21d:9ff:fe26:433d/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:18666 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2773 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:2719828 (2.7 MB)  TX bytes:300485 (300.4 KB)
              Interrupt:16

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.7.0.18  P-t-P:10.7.0.17  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:10 errors:0 dropped:0 overruns:0 frame:0
              TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:876 (876.0 B)  TX bytes:1104 (1.1 KB)

    tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.8.0.34  P-t-P:10.8.0.33  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:18 errors:0 dropped:0 overruns:0 frame:0
              TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:1584 (1.5 KB)  TX bytes:2040 (2.0 KB)

    tun2      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.9.0.14  P-t-P:10.9.0.13  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:18 errors:0 dropped:0 overruns:0 frame:0
              TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:1584 (1.5 KB)  TX bytes:2040 (2.0 KB)

    tun3      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.10.0.1  P-t-P:10.10.0.2  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:13 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:740 (740.0 B)  TX bytes:0 (0.0 B)
Now, I can connect to 192.168.1.19 from my Windows machine just fine. And I get the IP address 10.10.0.6. Perfect.

But when I connect to 192.168.1.19 via ssh, I cannot connect/ping/telnet to anything on 10.104.0.0/16, 10.101.0.0/16 or 10.100.0.0/16. Here is the routing table of my Windows box:

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.220     10
              0.0.0.0        128.0.0.0        10.10.0.5        10.10.0.6     30
             10.7.0.0    255.255.255.0        10.10.0.5        10.10.0.6     30
             10.8.0.0    255.255.255.0        10.10.0.5        10.10.0.6     30
             10.9.0.0    255.255.255.0        10.10.0.5        10.10.0.6     30
            10.10.0.0    255.255.255.0        10.10.0.5        10.10.0.6     30
            10.10.0.1  255.255.255.255        10.10.0.5        10.10.0.6     30
            10.10.0.4  255.255.255.252         On-link         10.10.0.6    286
            10.10.0.6  255.255.255.255         On-link         10.10.0.6    286
            10.10.0.7  255.255.255.255         On-link         10.10.0.6    286
           10.100.0.0      255.255.0.0        10.10.0.5        10.10.0.6     30
           10.101.0.0      255.255.0.0        10.10.0.5        10.10.0.6     30
           10.104.0.0      255.255.0.0        10.10.0.5        10.10.0.6     30
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
            128.0.0.0        128.0.0.0        10.10.0.5        10.10.0.6     30
          192.168.1.0    255.255.255.0         On-link     192.168.1.220    266
         192.168.1.19  255.255.255.255      192.168.1.1    192.168.1.220     10
        192.168.1.220  255.255.255.255         On-link     192.168.1.220    266
        192.168.1.255  255.255.255.255         On-link     192.168.1.220    266
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link     192.168.1.220    266
            224.0.0.0        240.0.0.0         On-link         10.10.0.6    286
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link     192.168.1.220    266
      255.255.255.255  255.255.255.255         On-link         10.10.0.6    286
    ===========================================================================
    Persistent Routes:
      None
Any help getting my 10.10.0.0/24 VPN clients talking to the 10.100.0.0/16, 10.101.0.0/16 and 10.104.0.0/16 clients would be greatly appreciated!

Fixed. See here for instructions:
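The link to the fix is missing from the post, so as an added illustration (not the poster's own solution or code) the following Python walks one packet through the three routing tables involved and shows where it dies. The Windows and office-server tables are transcribed (as subsets) from the `route print` and `route -n` output above; the 10.104.0.0/16 route on the office server is an assumption, because the poster's traceroute reaches 10.104 via 10.9.0.1 while the pasted `route -n` does not list that route. The Prod VPC server's table is not in the post at all and is assumed to be a stock OpenVPN server in net30 topology. Two standard remedies are modelled: MASQUERADE on the office server's tun interfaces so that the VPC side only ever sees the office server's own tunnel address, or an `iroute` plus `route` for 10.10.0.0/24 on the VPC servers. In both cases `net.ipv4.ip_forward` has to be on at the office server.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str, str]  # (prefix, gateway, interface)


def lookup(table: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match; returns (gateway, interface) or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gw, iface)
    return None if best is None else (best[1], best[2])


# Constructed tables. WINDOWS_CLIENT and OFFICE_SERVER are subsets of the tables
# in the post; the office 10.104.0.0/16 entry is assumed (traceroute shows the
# hop, the pasted "route -n" omits the route). Interface names are labels only.
WINDOWS_CLIENT: List[Route] = [
    ("0.0.0.0/0", "192.168.1.1", "lan"),
    ("0.0.0.0/1", "10.10.0.5", "tap"),       # from pushed redirect-gateway def1
    ("128.0.0.0/1", "10.10.0.5", "tap"),
    ("10.104.0.0/16", "10.10.0.5", "tap"),   # pushed route
    ("192.168.1.0/24", "on-link", "lan"),
    ("192.168.1.19/32", "192.168.1.1", "lan"),
]
OFFICE_SERVER: List[Route] = [
    ("0.0.0.0/0", "192.168.1.1", "br0"),
    ("10.9.0.0/16", "10.9.0.13", "tun2"),
    ("10.104.0.0/16", "10.9.0.13", "tun2"),  # assumed, see above
    ("10.10.0.0/24", "10.10.0.2", "tun3"),
    ("192.168.1.0/24", "on-link", "br0"),
]
OFFICE_TUN_ADDR = {"tun2": "10.9.0.14"}      # office server's tun2 address (ifconfig)

# Prod VPC OpenVPN server: assumed minimal table, not shown in the post
# (server mode, net30 topology: 10.9.0.0/24 routed via the p-t-p peer 10.9.0.2).
VPC_SERVER: List[Route] = [
    ("0.0.0.0/0", "10.104.0.1", "eth0"),
    ("10.104.0.0/16", "on-link", "eth0"),
    ("10.9.0.0/24", "10.9.0.2", "tun0"),
]
VPC_CLIENT_POOL = ipaddress.ip_network("10.9.0.0/24")


def round_trip(src: str, dst: str, *, ip_forward: bool, masquerade: bool,
               iroutes: Tuple[str, ...] = ()) -> str:
    """Walk one packet from the office VPN client to a VPC host and its reply back.
    Returns 'ok' or a message naming the hop where the packet is lost."""
    hop = lookup(WINDOWS_CLIENT, dst)
    if hop is None or hop[0] != "10.10.0.5":
        return "client: destination is not routed into the VPN"
    if not ip_forward:
        return "office: net.ipv4.ip_forward=0, packet dropped"
    hop = lookup(OFFICE_SERVER, dst)
    if hop is None or hop[1] not in OFFICE_TUN_ADDR:
        return "office: no route towards a VPC tunnel"
    # MASQUERADE on the outgoing tun rewrites the source to the office server's
    # own tunnel address, which the VPC server already knows how to reach.
    wire_src = OFFICE_TUN_ADDR[hop[1]] if masquerade else src
    # An OpenVPN server only accepts client packets whose source is the client's
    # assigned address or covered by an iroute for that client; anything else is
    # logged as "bad source address from client" and dropped.
    src_addr = ipaddress.ip_address(wire_src)
    if not (src_addr in VPC_CLIENT_POOL or
            any(src_addr in ipaddress.ip_network(n) for n in iroutes)):
        return f"vpc: bad source address {wire_src} from client, packet dropped"
    # iroute also needs a matching kernel route on the VPC server ("route" directive).
    vpc_table = VPC_SERVER + [(n, "10.9.0.2", "tun0") for n in iroutes]
    fwd = lookup(vpc_table, dst)
    if fwd is None or fwd[1] != "eth0":
        return "vpc: destination is not in this VPC"
    back = lookup(vpc_table, wire_src)
    if back is None or back[1] != "tun0":
        return f"vpc: reply to {wire_src} takes the default route, never reaches the tunnel"
    final = lookup(OFFICE_SERVER, src)  # after de-NAT (conntrack) or plain routing
    if final is None or final[1] != "tun3":
        return "office: no route back to the VPN client"
    return "ok"


def office_server_nat_commands(tun_ifaces=("tun0", "tun1", "tun2"),
                               client_net="10.10.0.0/24") -> List[str]:
    """Shell commands the masquerade=True model stands for (assumed fix, not the poster's)."""
    cmds = ["sysctl -w net.ipv4.ip_forward=1"]
    for t in tun_ifaces:
        cmds.append(f"iptables -t nat -A POSTROUTING -s {client_net} -o {t} -j MASQUERADE")
    return cmds


if __name__ == "__main__":
    for kw in ({"ip_forward": False, "masquerade": False},
               {"ip_forward": True, "masquerade": False},
               {"ip_forward": True, "masquerade": True},
               {"ip_forward": True, "masquerade": False, "iroutes": ("10.10.0.0/24",)}):
        print(kw, "->", round_trip("10.10.0.6", "10.104.10.104", **kw))
    print("\n".join(office_server_nat_commands()))
```

The model makes the asymmetry visible: the Windows client and the office server both have a forward route, but the VPC-side OpenVPN server has never been told about 10.10.0.0/24, so it either rejects the packet on ingress or sends the reply out its default route. NAT on the office server is the smaller change (one box, no VPC-side edits); iroute keeps the real client addresses visible in VPC logs and security groups, which matters if you want per-user attribution. Separately, two things in the posted configs a practitioner would tighten regardless of the routing question: `auth-user-pass /tmp/password.txt` keeps credentials in a world-writable directory, and `client-cert-not-required` with `dh1024.pem` on the office server means password-only authentication over a 1024-bit DH group.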