Networking

Openvpn 已連接但無法訪問內網站點

  • July 26, 2020

我已經配置了 openvpn 伺服器並且也能夠登錄。但是,在連接建立後,我無法訪問 Intranet 網站。

伺服器 ifconfig 如下所示

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 scope host lo
      valid_lft forever preferred_lft forever
   inet6 ::1/128 scope host 
      valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
   link/ether 52:54:00:03:90:0b brd ff:ff:ff:ff:ff:ff
   inet 192.168.0.253/24 brd 192.168.0.255 scope global noprefixroute enp1s0
      valid_lft forever preferred_lft forever
   inet6 fd01::5054:ff:fe03:900b/64 scope global dynamic noprefixroute 
      valid_lft 259sec preferred_lft 259sec
   inet6 fe80::5054:ff:fe03:900b/64 scope link noprefixroute 
      valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
   link/none 
   inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
      valid_lft forever preferred_lft forever
   inet6 fe80::aa36:56c8:3a99:2a98/64 scope link stable-privacy 
      valid_lft forever preferred_lft forever

和 iptables 輸出

Chain INPUT (policy ACCEPT 149 packets, 9788 bytes)
pkts bytes target     prot opt in     out     source               destination         
 322 37460 ACCEPT     udp  --  enp1s0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 346 packets, 28928 bytes)
pkts bytes target     prot opt in     out     source               destination    

伺服器託管在安裝在 KVM 上的虛擬機上,並通過橋接連接到本地網路。我認為 iptables 轉發和接受從隧道到乙太網的流量存在一些問題。我真的對iptables一無所知。一點幫助將不勝感激。

內部辦公網路

traceroute officework.net
traceroute to officework.net (192.168.0.2), 30 hops max, 60 byte packets
1  192.168.0.2 (192.168.0.2)  2.994 ms !X  2.885 ms !X  2.841 ms !X

外部辦公網路 外部辦公網路

traceroute officework.net
officework.net: Name or service not known
Cannot handle "host" cmdline arg `officework.net' on position 1 (argc 1)

帶 IP 的 Trceroute

traceroute 192.168.0.2
traceroute to 192.168.0.2 (192.168.0.2), 30 hops max, 60 byte packets
1  _gateway (192.168.43.1)  1.549 ms  1.416 ms  43.679 ms
2  * * *
3  10.71.135.19 (10.71.135.19)  31.621 ms  40.307 ms  31.470 ms
4  192.168.31.239 (192.168.31.239)  31.274 ms 192.168.31.243 (192.168.31.243)  36.119 ms  40.036 ms
5  192.168.37.9 (192.168.37.9)  39.465 ms  39.675 ms  39.683 ms
6  172.25.11.164 (172.25.11.164)  35.374 ms  24.760 ms  35.150 ms
7  * * *
8  * * *
9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

辦公網路外的 ifconfig

ifconfig
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
       inet 127.0.0.1  netmask 255.0.0.0
       inet6 ::1  prefixlen 128  scopeid 0x10<host>
       loop  txqueuelen 1000  (Local Loopback)
       RX packets 96  bytes 7644 (7.4 KiB)
       RX errors 0  dropped 0  overruns 0  frame 0
       TX packets 96  bytes 7644 (7.4 KiB)
       TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
       inet 10.8.0.6  netmask 255.255.255.255  destination 10.8.0.5
       inet6 fe80::3374:cf7a:d81:cc05  prefixlen 64  scopeid 0x20<link>
       unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
       RX packets 0  bytes 0 (0.0 B)
       RX errors 0  dropped 0  overruns 0  frame 0
       TX packets 39  bytes 3394 (3.3 KiB)
       TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
       inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
       ether 52:54:00:87:ae:c6  txqueuelen 1000  (Ethernet)
       RX packets 0  bytes 0 (0.0 B)
       RX errors 0  dropped 0  overruns 0  frame 0
       TX packets 0  bytes 0 (0.0 B)
       TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
       inet 192.168.43.187  netmask 255.255.255.0  broadcast 192.168.43.255
       inet6 2409:4060:9f:2013:387c:6e1c:5399:a2c7  prefixlen 64  scopeid 0x0<global>
       inet6 fe80::31a:f142:92dd:f67a  prefixlen 64  scopeid 0x20<link>
       ether a8:a7:95:67:0f:23  txqueuelen 1000  (Ethernet)
       RX packets 6976  bytes 5783306 (5.5 MiB)
       RX errors 0  dropped 0  overruns 0  frame 0
       TX packets 7029  bytes 1291358 (1.2 MiB)
       TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

最後Google確實幫助解決了這個問題。正如我在https://openvpn.net/community-resources/how-to/#scope中解釋的那樣

push "route 192.168.0.0 255.255.255.0"

在伺服器配置文件中並添加了 iptables

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source  192.168.0.253

現在一切都像一個魅力。如果您希望 DNS 正常工作,只需在 Wifi 或 Lan 連接中添加 DNS 伺服器條目,您就在辦公室。

您需要使用託管 Intranet 站點記錄的 DNS 伺服器,而不是公共 DNS 伺服器。可能是您的內部伺服器。嘗試在瀏覽器中輸入 Intranet 站點的 IP 地址,看看是否可以連接。

引用自:https://serverfault.com/questions/1026622