Linux
OpenVPN:連接時客戶端無法 ping 4.2.2.2
我的客戶端連接到 vpn 時無法上網。我有
push "redirect-gateway def1"
和
root@vortex:/home# cat /proc/sys/net/ipv4/ip_forward
1
已設定。
伺服器和客戶端連線正常且沒有錯誤，並且可以透過 VPN 互相 ping，但僅止於此。
root@vortex:/home# cat /etc/openvpn/server.conf
mode server
tls-server
port 1194
proto udp
dev tun
#ca /usr/share/easy-rsa/keys/ca.crt # generated keys
#cert /usr/share/easy-rsa/keys/server.crt
#key /usr/share/easy-rsa/keys/server.key # keep secret
#dh /usr/share/easy-rsa/keys/dh2048.pem
ca /pki/ca.crt
cert /pki/issued/vortex.trade.com.crt
key /pki/private/vortex.trade.com.key
dh /pki/dh.pem
server 10.9.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo # Compression - must be turned on at both end
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 1 # verbose mode
user nobody
group nogroup
client-config-dir /etc/openvpn/ccd
client-to-client
push "redirect-gateway def1"
push "redirect-gateway bypass-dhcp"
push "route 192.168.0.0 255.255.255.0"
#push "dhcp-option DNS 188.120.247.2"
#push "dhcp-option DNS 188.120.247.8"
#push "dhcp-option DNS 82.146.59.250"
push "dhcp-option DNS 4.2.2.2"
log /var/log/openvpn/openvpn.log
root@vortex:/home# cat /etc/iptables/rules.v4
# Generated by iptables-save v1.6.0 on Mon Jul 20 07:13:41 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j DROP
-A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 443 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED -m udp --sport 695 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 3128 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 6667 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 9001 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 9030 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied: "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -s 10.9.8.0/24 -i tun0 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.9.8.14/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied: "
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 2222 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED -m udp --sport 1194 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 443 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 695 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3128 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 6667 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 9001 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 9030 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_OUTPUT_denied: "
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Mon Jul 20 07:13:41 2020
# Generated by iptables-save v1.6.0 on Mon Jul 20 07:13:41 2020
*nat
:PREROUTING ACCEPT [58:7571]
:INPUT ACCEPT [8:2109]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [2:120]
COMMIT
# Completed on Mon Jul 20 07:13:41 2020
# Generated by iptables-save v1.6.0 on Mon Jul 20 07:13:41 2020
*mangle
:PREROUTING ACCEPT [254:43256]
:INPUT ACCEPT [216:40502]
:FORWARD ACCEPT [7:420]
:OUTPUT ACCEPT [93:16424]
:POSTROUTING ACCEPT [100:16844]
COMMIT
# Completed on Mon Jul 20 07:13:41 2020
這個問題似乎是在安裝 knockd 之後才出現的，但我不確定。
root@vortex:/home# cat /etc/knockd.conf
[options]
UseSyslog
Interface = IFACE
[SSH]
sequence = 90,90,90
seq_timeout = 15
tcpflags = syn
start_command = /sbin/iptables -I INPUT -i eth0 -s %IP% -p tcp --dport 2222 -j ACCEPT
stop_command = /sbin/iptables -D INPUT -i eth0 -s %IP% -p tcp --dport 2222 -j ACCEPT
cmd_timeout = 20
客戶端：
root@Inspiron-laptop:/home/# cat /etc/openvpn/client.conf
client
remote 188.120.224.182
dev tun
#ifconfig 10.9.8.2 10.9.8.1
nobind
#persist-key
#persist-tun
tls-client
ca /etc/openvpn/ca.crt
cert /etc/openvpn/dell.trade.com.crt
key /etc/openvpn/dell.trade.com.key
comp-lzo
verb 3
redirect-gateway def1
ping-restart 60
log /var/log/openvpn/openvpn.log
隧道介面看起來正常：
root@Inspiron-laptop:/home/# ifconfig
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
        inet 127.0.0.1 netmask 255.0.0.0
        inet6 ::1 prefixlen 128 scopeid 0x10<host>
        loop txqueuelen 1000 (Local Loopback)
        RX packets 1044649 bytes 565199288 (565.1 MB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 1044649 bytes 565199288 (565.1 MB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
        inet 10.9.8.10 netmask 255.255.255.255 destination 10.9.8.9
        inet6 fe80::82a9:e454:8136:6d9f prefixlen 64 scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
        RX packets 0 bytes 0 (0.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 29 bytes 4077 (4.0 KB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wlp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.43.160 netmask 255.255.255.0 broadcast 192.168.43.255
        inet6 fe80::3fdf:a130:31c3:32eb prefixlen 64 scopeid 0x20<link>
        inet6 2600:100a:b128:d429:ef84:249c:a98d:f078 prefixlen 64 scopeid 0x0<global>
        inet6 2600:100a:b128:d429:9cdb:5dbf:2415:6022 prefixlen 64 scopeid 0x0<global>
        ether dc:53:60:6d:f3:62 txqueuelen 1000 (Ethernet)
        RX packets 7446346 bytes 5129002739 (5.1 GB)
        RX errors 0 dropped 212149 overruns 0 frame 0
        TX packets 4900063 bytes 859603059 (859.6 MB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wlx1cbfcebf5fba: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.43.25 netmask 255.255.255.0 broadcast 192.168.43.255
        inet6 2600:100a:b128:d429:fc6e:cdca:d721:6d6c prefixlen 64 scopeid 0x0<global>
        inet6 fe80::fde3:a1d3:3dc5:56ec prefixlen 64 scopeid 0x20<link>
        inet6 2600:100a:b128:d429:c93:106a:f84a:4f78 prefixlen 64 scopeid 0x0<global>
        ether 1c:bf:ce:bf:5f:ba txqueuelen 1000 (Ethernet)
        RX packets 526561 bytes 480490738 (480.4 MB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 456675 bytes 94595265 (94.5 MB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
連線後，我可以從客戶端 ping 到 VPN 伺服器的 WAN 介面：
root@Inspiron-laptop:/home/# ping 188.120.224.182
PING 188.120.224.182 (188.120.224.182) 56(84) bytes of data.
64 bytes from 188.120.224.182: icmp_seq=1 ttl=46 time=212 ms
64 bytes from 188.120.224.182: icmp_seq=2 ttl=46 time=310 ms
64 bytes from 188.120.224.182: icmp_seq=3 ttl=46 time=329 ms
64 bytes from 188.120.224.182: icmp_seq=4 ttl=46 time=180 ms
^C
--- 188.120.224.182 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 180.428/257.780/328.903/63.126 ms
但無法到達更遠的地方：
root@Inspiron-laptop:/home/# ping 4.2.2.2
PING 4.2.2.2 (4.2.2.2) 56(84) bytes of data.
^C
--- 4.2.2.2 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5098ms
我懷疑是防火牆的問題，但找不到原因。
您的 VPN 伺服器上缺少用來轉換（NAT）IPv4 流量的規則。你貼出的 rules.v4 裡 `*nat` 表的 POSTROUTING 鏈是空的：FORWARD 鏈確實放行了 `10.9.8.0/24` 從 tun0 到 eth0 的流量，但這些封包會帶著私有來源位址 10.9.8.x 離開 eth0，網際網路上沒有人知道怎麼把回應送回來——這正好解釋了為什麼客戶端之間能互 ping、卻 ping 不到 4.2.2.2。（順帶一提，ping 188.120.224.182 成功並不能證明隧道通到外網：`redirect-gateway` 會為伺服器位址加一條走原本閘道的主機路由，而 ttl=46 與 tun0 的 RX packets 0 都顯示那些 ping 並沒有經過隧道。）也許規則被刪掉了，也許你從來沒有加過，我無法判斷；但只要在 nat 表加上像下面這樣的規則，IPv4 流量就應該能通了：
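# Masquerade only packets that originate inside the VPN subnet
# (server.conf: `server 10.9.8.0 255.255.255.0`) as they leave eth0.
# An unscoped `-o eth0 -j MASQUERADE` would also NAT anything else this
# host ever forwards; the -s match keeps the NAT surface to VPN clients.
iptables -t nat -I POSTROUTING -s 10.9.8.0/24 -o eth0 -j MASQUERADE

# The rules.v4 in the question has an empty *nat table, so the rule above
# disappears on the next reboot / rules restore unless it is saved.
# Save while no knockd-opened port-2222 rule is active, otherwise that
# temporary `-s %IP% --dport 2222` ACCEPT gets persisted as well.
iptables-save > /etc/iptables/rules.v4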
這應該就能讓你上網了。建議把規則限定在 VPN 子網（加上 `-s 10.9.8.0/24`），避免這台主機順便替任何其他轉發流量做 NAT；確認可用之後用 `iptables-save > /etc/iptables/rules.v4` 持久化，否則下次載入 rules.v4 時規則就會消失。另外兩點與本問題無關但值得一併處理：client.conf 沒有 `remote-cert-tls server`，缺少它時任何由同一 CA 簽發的客戶端憑證都能冒充伺服器；兩端啟用的 `comp-lzo` 壓縮在較新的 OpenVPN 中已不建議使用。
警告：您的 VPN 伺服器不提供 IPv6 連線。這表示您的 IPv6 流量不會經過 VPN，而是繼續走原本的本地連線——從 ifconfig 可以看到 wlp1s0 和 wlx1cbfcebf5fba 都有 2600:100a:… 的全域 IPv6 位址，而 tun0 只有 link-local 位址。這就是所謂的洩漏（leak），通常是嚴重的問題，因為支援 IPv6 的網站和 DNS 查詢會繞過隧道。您需要重新設定 VPN 伺服器向客戶端提供 IPv6 連線，或者在連線期間讓客戶端停用／封鎖 IPv6。