Networking

Trying to bond two Internet uplinks to improve VPN speed, with no luck

  • August 1, 2020

I am trying to bond two Internet uplinks to improve VPN speed by following this guide: How to bond two (multiple) Internet connections for increased speed and failover

But I have some questions:

I have been working on this for several days, but it has never worked.

First, my network topology: https://i.imgur.com/yEj6JGM.png

For my scenario, please see my configuration:

Client side:

vim /etc/network/interfaces

auto ens160
iface ens160 inet static
 address 192.168.50.254
 netmask 255.255.255.0
 gateway 192.168.50.1
 post-up /usr/local/bin/vpn-start
 pre-down /usr/local/bin/vpn-stop

Is my routing set up correctly in vpn-start?

# vim /usr/local/bin/vpn-start
#!/bin/bash
openvpn --config /etc/openvpn/tap0.conf
openvpn --config /etc/openvpn/tap1.conf
ip link add bond0 type bond
ip addr add 10.80.0.2/30 dev bond0

ip link set tap0 master bond0
ip link set tap1 master bond0
ip link set bond0 up mtu 1440
ip route add 192.168.50.0/24 via 10.80.0.1  <--Is this right?

What about the firewall configuration?

version 6

lan="ens160"
vpn="bond+"

interface "${lan}" lan
 policy accept

interface "${vpn}" vpn
 policy accept

router vpn2lan inface "${vpn}" outface "${lan}"
 policy accept

Server side:

tap0.conf:

# disable encryption, traffic continues unencrypted anyways
auth none
cipher none
dev tap0
mode p2p
port 1194
local 192.168.0.250   <-- Local ip or public ip?
proto udp
log /var/log/tap0.log
verb 3
ping 2
ping-restart 10
persist-tun
compress lz4-v2
daemon

Firewall configuration:

version 6
server_vpn_ports="udp/1194-1195"
client_vpn_ports="default"
snat4 to 192.168.0.250 outface ens33 dst not 192.168.0.250  <-- What does this mean? local ip or public ip?
interface ens33 web
 protection strong
 server ssh accept
 server vpn accept
 # more servers here as per your needs
 client all accept
interface bond0 vpn
 policy accept
router4 web2vpn inface ens33 outface bond0 dst 192.168.50.0/24,10.80.0.2  <--Is this right?
 client all accept

After all the setup is done, the link appears to be established:

Client side:

root@ubcloud:~# cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: load balancing (round-robin)
MII Status: down
MII Polling Interval (ms): 0
Up Delay (ms): 0
Down Delay (ms): 0

Client tap1.log:

Sat Aug  1 06:44:39 2020 ******* WARNING *******: All encryption and authentication features disabled -- All data will be tunnelled as clear text and will not be protected against man-in-the-middle changes. PLEASE DO RECONSIDER THIS CONFIGURATION!
Sat Aug  1 06:44:39 2020 Preserving previous TUN/TAP instance: tap1
Sat Aug  1 06:44:39 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]118.152.247.193:1195
Sat Aug  1 06:44:39 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Aug  1 06:44:39 2020 UDP link local (bound): [AF_INET]192.168.50.254:1195
Sat Aug  1 06:44:39 2020 UDP link remote: [AF_INET]118.152.247.193:1195
Sat Aug  1 06:44:39 2020 Peer Connection Initiated with [AF_INET]118.152.247.193:1195
Sat Aug  1 06:44:41 2020 Initialization Sequence Completed

Pinging the tunnel IPs from the client:

root@ubcloud:~# ping 10.80.0.2
PING 10.80.0.2 (10.80.0.2) 56(84) bytes of data.
64 bytes from 10.80.0.2: icmp_seq=1 ttl=64 time=0.019 ms
64 bytes from 10.80.0.2: icmp_seq=2 ttl=64 time=0.025 ms
64 bytes from 10.80.0.2: icmp_seq=3 ttl=64 time=0.026 ms
^C
--- 10.80.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2050ms
rtt min/avg/max/mdev = 0.019/0.023/0.026/0.005 ms
root@ubcloud:~# ping 10.80.0.1
PING 10.80.0.1 (10.80.0.1) 56(84) bytes of data.
From 10.80.0.2 icmp_seq=1 Destination Host Unreachable
From 10.80.0.2 icmp_seq=2 Destination Host Unreachable
From 10.80.0.2 icmp_seq=3 Destination Host Unreachable

Server side:

root@ubcloud:~# cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 0
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: tap0
MII Status: up
Speed: 10 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: a6:fa:e9:55:79:2c
Slave queue ID: 0

Slave Interface: tap1
MII Status: up
Speed: 10 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: ae:b9:4a:50:b0:dc
Slave queue ID: 0

Server tap0.log:

root@ubcloud:~# cat /var/log/tap0.log
Sat Aug  1 06:43:27 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Sat Aug  1 06:43:27 2020 OpenVPN 2.4.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 30 2019
Sat Aug  1 06:43:27 2020 library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.08
Sat Aug  1 06:43:27 2020 ******* WARNING *******: All encryption and authentication features disabled -- All data will be tunnelled as clear text and will not be protected against man-in-the-middle changes. PLEASE DO RECONSIDER THIS CONFIGURATION!
Sat Aug  1 06:43:27 2020 TUN/TAP device tap0 opened
Sat Aug  1 06:43:27 2020 TUN/TAP TX queue length set to 100
Sat Aug  1 06:43:27 2020 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Aug  1 06:43:27 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Aug  1 06:43:27 2020 UDPv4 link local (bound): [AF_INET]192.168.0.250:1194
Sat Aug  1 06:43:27 2020 UDPv4 link remote: [AF_UNSPEC]
Sat Aug  1 06:43:30 2020 Peer Connection Initiated with [AF_INET]172.227.224.139:1194
Sat Aug  1 06:43:30 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Aug  1 06:43:30 2020 Initialization Sequence Completed

Pinging the tunnel IPs from the server:

root@ubcloud:~# ping 10.80.0.1
PING 10.80.0.1 (10.80.0.1) 56(84) bytes of data.
64 bytes from 10.80.0.1: icmp_seq=1 ttl=64 time=0.048 ms
64 bytes from 10.80.0.1: icmp_seq=2 ttl=64 time=0.059 ms
^C
--- 10.80.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1030ms
rtt min/avg/max/mdev = 0.048/0.053/0.059/0.009 ms
root@ubcloud:~# ping 10.80.0.2
PING 10.80.0.2 (10.80.0.2) 56(84) bytes of data.
From 10.80.0.1 icmp_seq=1 Destination Host Unreachable
From 10.80.0.1 icmp_seq=2 Destination Host Unreachable
From 10.80.0.1 icmp_seq=3 Destination Host Unreachable

Any idea what I am doing wrong? How do I set up routing on the client so that all traffic inside the LAN goes out through the tunnel via the server?

Thanks again!
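An added diagnostic, not part of the question above or of the guide it follows: a POSIX shell script that parses the /proc/net/bonding/bond0 text the question shows and lints an OpenVPN config for the two options behind the "All data will be tunnelled as clear text" warning in the logs. The client output above lists no "Slave Interface:" sections and reports "MII Status: down", which the script reports as the taps never having been enslaved; both hosts also show "MII Polling Interval (ms): 0", which means the bonding driver performs no link monitoring at all. The sample texts are constructed inline to mirror the shapes posted above; the third bond sample (with miimon set to 100) is an assumption about what a working setup looks like and does not come from the question.

```shell
#!/bin/sh
# Added example: post-setup checks for a bonded OpenVPN tap setup.
# Not from the question or from the guide it follows.

# Constructed sample 1: shape of the client's /proc/net/bonding/bond0 above
# (bond down, no "Slave Interface:" sections, so the taps were never enslaved).
SAMPLE_CLIENT='Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: load balancing (round-robin)
MII Status: down
MII Polling Interval (ms): 0
Up Delay (ms): 0
Down Delay (ms): 0'

# Constructed sample 2: shape of the server's output above, two slaves but miimon=0.
SAMPLE_SERVER='Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 0

Slave Interface: tap0
MII Status: up

Slave Interface: tap1
MII Status: up'

# Constructed sample 3 (assumed, not from the question): a bond created with
# "miimon 100", so a dead tap link is noticed and taken out of the rotation.
SAMPLE_HEALTHY='Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: tap0
MII Status: up

Slave Interface: tap1
MII Status: up'

# Constructed sample 4: the crypto-related lines of the server tap0.conf above.
SAMPLE_CONF='auth none
cipher none
dev tap0
mode p2p
port 1194'

# bond_slave_count TEXT: number of enslaved interfaces in a bond status text.
bond_slave_count() {
    printf '%s\n' "$1" | grep -c '^Slave Interface:' || true
}

# bond_field TEXT LABEL: value of the first line that starts with "LABEL:".
# The first "MII Status" line belongs to the bond itself, not to a slave.
bond_field() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p" | head -n 1
}

# bond_diagnose NAME TEXT: print findings; return 0 only if the bond is usable.
bond_diagnose() {
    name=$1; text=$2; rc=0
    slaves=$(bond_slave_count "$text")
    status=$(bond_field "$text" 'MII Status')
    miimon=$(bond_field "$text" 'MII Polling Interval (ms)')
    miimon=${miimon:-0}
    if [ "$slaves" -eq 0 ]; then
        echo "$name: no slave interfaces; 'ip link set tapN master bond0' did not take effect (the tap devices may not have existed yet when it ran)"
        rc=1
    fi
    if [ "$status" != up ]; then
        echo "$name: bond MII status is '${status:-unknown}', so it forwards nothing"
        rc=1
    fi
    if [ "$miimon" -eq 0 ]; then
        echo "$name: link monitoring is off (miimon=0); a dead tap link is never removed, so round-robin keeps sending half the packets into it"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$name: bond up with $slaves slaves, miimon=${miimon}ms"
    return "$rc"
}

# openvpn_cleartext_options CONF: print the options that switch off
# confidentiality and integrity; OpenVPN's clear-text warning comes from these.
openvpn_cleartext_options() {
    printf '%s\n' "$1" | grep -E '^(auth|cipher)[[:space:]]+none' || true
}

# Stand-alone run over the constructed samples.
bond_diagnose client "$SAMPLE_CLIENT" || true
bond_diagnose server "$SAMPLE_SERVER" || true
bond_diagnose healthy "$SAMPLE_HEALTHY"
openvpn_cleartext_options "$SAMPLE_CONF"
```

On a live host the same functions take the real files, for example `bond_diagnose bond0 "$(cat /proc/net/bonding/bond0)"` and `openvpn_cleartext_options "$(cat /etc/openvpn/tap0.conf)"`. Running the bond check after vpn-start would have shown that the client bond had no members, which is consistent with the "Destination Host Unreachable" replies above.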

I think you should consider upgrading the VPN infrastructure rather than using bonding as a workaround.

Two bonded VPN links will never be as good as a dedicated VPN connection that has the required bandwidth on a single link.

From a similar question asked on our sister site, Network Engineering:

"Gluing" these links together sounds like a good idea on paper, but it does not work well in practice. If you try to split a single connection across two links, you will get out-of-order packets, especially across two different networks, which will significantly reduce your throughput. You are better off just using one link.

The remote user's VPN software is not sophisticated enough to establish two VPN connections and then make routing decisions to use the best path. I am not aware of any such product. You would probably have to build something custom, but I doubt it would be worth the effort.

Quoted from: https://serverfault.com/questions/1028514