Linux

Problem with OpenVPN acting as client + server

  • January 29, 2013

I have 3 Amazon VPCs (Dev - 10.100.0.0/16, QA - 10.101.0.0/16, Prod - 10.104.0.0/16). Each of these VPCs has an OpenVPN server. They assign client IPs as follows:

Dev - 10.100.0.0/16 - Tunnel 10.7.0.0/24
QA - 10.101.0.0/16 - Tunnel 10.8.0.0/24
Prod - 10.104.0.0/16 - Tunnel 10.9.0.0/24

I have an on-premises Ubuntu LTS 12.04 server, and I have set up 3 client connections (one per VPC). I can ssh into this Ubuntu box and get to all three subnets (10.100, 10.101, 10.104) without any problem.

Here is my client config for DEV / 10.100.x / tun 10.7.0.x:

client
dev tun
proto udp
remote dev.ip.addr 1193 
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
auth-user-pass /tmp/password.txt
comp-lzo
verb 3
reneg-sec 0
tls-client
remote-cert-tls server

Here is my client config for QA / 10.101.x / tun 10.8.0.x:

client
dev tun
proto udp
remote qa.ip.addr 1194 
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
auth-user-pass /tmp/password.txt
comp-lzo
verb 3
reneg-sec 0
tls-client
remote-cert-tls server

Here is my client config for PROD / 10.104.x / tun 10.9.0.x:

client
dev tun
proto udp
remote prod.ip.addr 1195 
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
auth-user-pass /tmp/password.txt
comp-lzo
verb 3
reneg-sec 0
tls-client
remote-cert-tls server

Now, I want my employees (internally, in the office) to connect via VPN to this server (192.168.1.19), which has the 3 connections to my VPCs. And I want them to be able to reach the 10.100, 10.101 and 10.104 networks (via sql clients, telnet to memcache servers, etc.). I want to route all traffic except ports 80, 443 and 3389 through this vpn interface.

OpenVPN server config for the office server (192.168.1.19 / tun 10.10.0.x):

port 1196
proto udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/hqs-openvpn.mycompany.co.crt
key /etc/openvpn/easy-rsa/keys/hqs-openvpn.mycompany.co.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
plugin /usr/lib/openvpn/openvpn-auth-pam.so /etc/pam.d/login
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
client-cert-not-required
username-as-common-name

server 10.10.0.0 255.255.255.0
push "route 10.7.0.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
push "route 10.9.0.0 255.255.255.0"
push "route 10.10.0.0 255.255.255.0"
push "route 10.104.0.0 255.255.0.0"
push "route 10.101.0.0 255.255.0.0"
push "route 10.100.0.0 255.255.0.0"

push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
verb 3

user nobody
group nogroup

log-append /var/log/openvpn
status /tmp/vpn.status 10

Here is the config I hand out to employees (192.168.1.x / tun 10.10.0.x):

client
dev tun
proto udp
remote 192.168.1.19 1196 
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
auth-user-pass /tmp/password.txt
comp-lzo
verb 3
reneg-sec 0
tls-client
remote-cert-tls server

From the server (via ssh to 192.168.1.19):

  • I can get to 10.104
  • I can get to 10.100
  • I can get to 10.101

root@vpn-hqs:~# traceroute 10.104.10.104
traceroute to 10.104.10.104 (10.104.10.104), 30 hops max, 60 byte packets
1  10.9.0.1 (10.9.0.1)  86.094 ms  86.079 ms  86.079 ms
2  10.104.10.104 (10.104.10.104)  86.084 ms  86.086 ms  86.087 ms
root@vpn-hqs:~# traceroute 10.100.10.168
traceroute to 10.100.10.168 (10.100.10.168), 30 hops max, 60 byte packets
1  10.7.0.1 (10.7.0.1)  87.130 ms  87.121 ms  87.121 ms
2  10.100.10.168 (10.100.10.168)  87.126 ms  87.238 ms  87.243 ms
root@vpn-hqs:~# traceroute 10.101.10.168
traceroute to 10.101.10.168 (10.101.10.168), 30 hops max, 60 byte packets
1  10.8.0.1 (10.8.0.1)  87.954 ms  87.939 ms  87.937 ms
2  10.101.10.168 (10.101.10.168)  87.943 ms  87.944 ms  88.031 ms
root@vpn-hqs:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 br0
10.7.0.0        10.7.0.17       255.255.0.0     UG    0      0        0 tun0
10.7.0.17       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.33       255.255.0.0     UG    0      0        0 tun1
10.8.0.33       0.0.0.0         255.255.255.255 UH    0      0        0 tun1
10.9.0.0        10.9.0.13       255.255.0.0     UG    0      0        0 tun2
10.9.0.13       0.0.0.0         255.255.255.255 UH    0      0        0 tun2
10.10.0.0       10.10.0.2       255.255.255.0   UG    0      0        0 tun3
10.10.0.2       0.0.0.0         255.255.255.255 UH    0      0        0 tun3
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0

Here is the ifconfig of my server (192.168.1.19):

root@vpn-hqs:~# ifconfig -a
br0       Link encap:Ethernet  HWaddr 00:1d:09:26:43:3d  
         inet addr:192.168.1.19  Bcast:192.168.1.255  Mask:255.255.255.0
         inet6 addr: fe80::21d:9ff:fe26:433d/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:17149 errors:0 dropped:0 overruns:0 frame:0
         TX packets:2770 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0 
         RX bytes:2213528 (2.2 MB)  TX bytes:286915 (286.9 KB)

eth0      Link encap:Ethernet  HWaddr 00:1d:09:26:43:3d  
         inet6 addr: fe80::21d:9ff:fe26:433d/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:18666 errors:0 dropped:0 overruns:0 frame:0
         TX packets:2773 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000 
         RX bytes:2719828 (2.7 MB)  TX bytes:300485 (300.4 KB)
         Interrupt:16 

lo        Link encap:Local Loopback  
         inet addr:127.0.0.1  Mask:255.0.0.0
         inet6 addr: ::1/128 Scope:Host
         UP LOOPBACK RUNNING  MTU:16436  Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0 
         RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
         inet addr:10.7.0.18  P-t-P:10.7.0.17  Mask:255.255.255.255
         UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
         RX packets:10 errors:0 dropped:0 overruns:0 frame:0
         TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:100 
         RX bytes:876 (876.0 B)  TX bytes:1104 (1.1 KB)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
         inet addr:10.8.0.34  P-t-P:10.8.0.33  Mask:255.255.255.255
         UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
         RX packets:18 errors:0 dropped:0 overruns:0 frame:0
         TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:100 
         RX bytes:1584 (1.5 KB)  TX bytes:2040 (2.0 KB)

tun2      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
         inet addr:10.9.0.14  P-t-P:10.9.0.13  Mask:255.255.255.255
         UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
         RX packets:18 errors:0 dropped:0 overruns:0 frame:0
         TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:100 
         RX bytes:1584 (1.5 KB)  TX bytes:2040 (2.0 KB)

tun3      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
         inet addr:10.10.0.1  P-t-P:10.10.0.2  Mask:255.255.255.255
         UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
         RX packets:13 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:100 
         RX bytes:740 (740.0 B)  TX bytes:0 (0.0 B)

Now, I can connect from my Windows PC to 192.168.1.19 just fine. And I get an IP address of 10.10.0.6. Perfect.

But, when I am connected via ssh to 192.168.1.19, I cannot connect/ping/telnet to anything on 10.104.0.0/16, 10.101.0.0/16 or 10.100.0.0/16. Here is the route table of my Windows box:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
         0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.220     10
         0.0.0.0        128.0.0.0        10.10.0.5        10.10.0.6     30
        10.7.0.0    255.255.255.0        10.10.0.5        10.10.0.6     30
        10.8.0.0    255.255.255.0        10.10.0.5        10.10.0.6     30
        10.9.0.0    255.255.255.0        10.10.0.5        10.10.0.6     30
       10.10.0.0    255.255.255.0        10.10.0.5        10.10.0.6     30
       10.10.0.1  255.255.255.255        10.10.0.5        10.10.0.6     30
       10.10.0.4  255.255.255.252         On-link         10.10.0.6    286
       10.10.0.6  255.255.255.255         On-link         10.10.0.6    286
       10.10.0.7  255.255.255.255         On-link         10.10.0.6    286
      10.100.0.0      255.255.0.0        10.10.0.5        10.10.0.6     30
      10.101.0.0      255.255.0.0        10.10.0.5        10.10.0.6     30
      10.104.0.0      255.255.0.0        10.10.0.5        10.10.0.6     30
       127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
       127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
 127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
       128.0.0.0        128.0.0.0        10.10.0.5        10.10.0.6     30
     192.168.1.0    255.255.255.0         On-link     192.168.1.220    266
    192.168.1.19  255.255.255.255      192.168.1.1    192.168.1.220     10
   192.168.1.220  255.255.255.255         On-link     192.168.1.220    266
   192.168.1.255  255.255.255.255         On-link     192.168.1.220    266
       224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
       224.0.0.0        240.0.0.0         On-link     192.168.1.220    266
       224.0.0.0        240.0.0.0         On-link         10.10.0.6    286
 255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
 255.255.255.255  255.255.255.255         On-link     192.168.1.220    266
 255.255.255.255  255.255.255.255         On-link         10.10.0.6    286
===========================================================================
Persistent Routes:
 None

Any help getting my 10.10.0.0/24 VPN clients to talk to the 10.100.0.0/16, 10.101.0.0/16 and 10.104.0.0/16 clients would be greatly appreciated!
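A longest-prefix-match lookup over the two route tables posted above, added here as a diagnostic and not part of the original post or the linked fix: it parses excerpts of the hub's `route -n` and the Windows `route print` output and reports the next hop each box picks for a destination. Note that the hub's `route -n` listing as posted carries only the tunnel prefixes (10.7/10.8/10.9.0.0 with a 255.255.0.0 mask) and no 10.100, 10.101 or 10.104 entries, so by that table a forwarded packet for 10.104.x leaves via the default gateway on br0; reconciling that with the traceroute output is the first thing to check.

```python
import ipaddress

# Excerpts of the `route -n` (hub, 192.168.1.19) and Windows `route print`
# output posted in the question, embedded so the script runs offline.
HUB_ROUTES = """\
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 br0
10.7.0.0        10.7.0.17       255.255.0.0     UG    0      0        0 tun0
10.8.0.0        10.8.0.33       255.255.0.0     UG    0      0        0 tun1
10.9.0.0        10.9.0.13       255.255.0.0     UG    0      0        0 tun2
10.10.0.0       10.10.0.2       255.255.255.0   UG    0      0        0 tun3
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
"""
CLIENT_ROUTES = """\
         0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.220     10
         0.0.0.0        128.0.0.0        10.10.0.5        10.10.0.6     30
       10.104.0.0      255.255.0.0        10.10.0.5        10.10.0.6     30
        128.0.0.0        128.0.0.0        10.10.0.5        10.10.0.6     30
     192.168.1.0    255.255.255.0         On-link     192.168.1.220    266
     192.168.1.19  255.255.255.255      192.168.1.1    192.168.1.220     10
"""


def parse_hub(text):
    """Linux `route -n`: Destination Gateway Genmask Flags Metric Ref Use Iface."""
    routes = []
    for line in text.splitlines():
        dst, gw, mask, _flags, metric, _ref, _use, iface = line.split()
        net = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes


def parse_client(text):
    """Windows `route print`: Destination Netmask Gateway Interface Metric."""
    routes = []
    for line in text.splitlines():
        dst, mask, gw, iface, metric = line.split()
        net = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes


def lookup(routes, dst):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]),
               key=lambda r: (r[0].prefixlen, -r[3]))
    return best[1], best[2]  # (gateway, interface)


def trace_path(dst):
    """Next hop chosen on the Windows client, then on the office hub."""
    return lookup(parse_client(CLIENT_ROUTES), dst), lookup(parse_hub(HUB_ROUTES), dst)


if __name__ == "__main__":
    for target in ("10.9.0.1", "10.104.10.104"):
        print(target, "->", trace_path(target))
```

Feeding the full tables from the question into the two parsers is a drop-in change; the `redirect-gateway def1` split (0.0.0.0/1 and 128.0.0.0/1 via 10.10.0.5) and the host route to 192.168.1.19 via the LAN gateway are visible in the client lookups.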

Fixed. See here for instructions:

https://forums.openvpn.net/post27110.html#p27110

Quoted from: https://serverfault.com/questions/471599