Networking

openvpn: addressing nodes in the LAN behind the server

  • May 31, 2011

I have set up an openvpn server that I can access remotely. Once connected, it creates a tun0 device on both the server and the client, with virtual IPs in 10.15.119.x. The openvpn server itself is 10.15.119.1.

**Question:** how do I address the other nodes in the LAN behind the openvpn server? I can reach services on the openvpn server itself at 10.15.119.1:(port), but I don't know how to address the other nodes that sit in the same LAN as the openvpn server and do not take part in the openvpn connection. I would like to be able to address such nodes from the client using other virtual IPs in the 10.15.119.x range; if that is how it works, I just need a way to find out what those IPs are.

I could well put together some iptables and routing commands to forward ports to specific nodes, but I am sure there must be a better way to do this by addressing the nodes directly.

Server config file:

dev tun
server 10.15.119.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
up ./office.up 
tls-server
dh /home/lurscher/keys/dh1024.pem
ca /home/lurscher/keys/ca.crt
cert /home/lurscher/keys/vpnCh8TestServer.crt
key /home/lurscher/keys/vpnCh8TestServer.key
status openvpn-status.log
log         openvpn.log
comp-lzo
verb 3

The office.up script has:

#!/bin/sh
#route 10.15.119.0 255.255.255.0
route add -net 10.15.119.0 netmask 255.255.255.0 gw $5 #fixed the wrong 10.15.0.0 address

client.conf, in turn, has:

dev tun
remote my.server.com
tls-client
pull 
ca /home/chuckq/keys/ca.crt
cert /home/chuckq/keys/vpnCh8TestClient.crt
key /home/chuckq/keys/vpnCh8TestClient.key
ns-cert-type server
; port 1194
; user nobody
; group nogroup
status openvpn-status.log
log         openvpn.log
comp-lzo
verb 3

New relevant log from the server:

Thu May 26 16:59:59 2011 vpnCh8TestClient/Y.Y.Y.Y:1194 PUSH: Received control message: 'PUSH_REQUEST'
Thu May 26 16:59:59 2011 vpnCh8TestClient/Y.Y.Y.Y:1194 SENT CONTROL [vpnCh8TestClient]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 10.15.119.1,topology net30,ifconfig 10.15.119.6 10.15.119.5' (status=1)
Thu May 26 17:02:17 2011 vpnCh8TestClient/Y.Y.Y.Y:1194 Replay-window backtrack occurred [1]

Relevant log from the client:

Thu May 26 16:53:30 2011 [vpnCh8TestServer] Peer Connection Initiated with [AF_INET]X.X.X.X:1194
Thu May 26 16:53:32 2011 SENT CONTROL [vpnCh8TestServer]: 'PUSH_REQUEST' (status=1)
Thu May 26 16:53:32 2011 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 10.15.119.1,topology net30,ifconfig 10.15.119.6 10.15.119.5'
Thu May 26 16:53:32 2011 OPTIONS IMPORT: --ifconfig/up options modified
Thu May 26 16:53:32 2011 OPTIONS IMPORT: route options modified
Thu May 26 16:53:32 2011 ROUTE default_gateway=10.21.2.254
Thu May 26 16:53:32 2011 TUN/TAP device tun0 opened
Thu May 26 16:53:32 2011 TUN/TAP TX queue length set to 100
Thu May 26 16:53:32 2011 /sbin/ifconfig tun0 10.15.119.6 pointopoint 10.15.119.5 mtu 1500
Thu May 26 16:53:32 2011 /sbin/route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.15.119.5
Thu May 26 16:53:32 2011 /sbin/route add -net 10.15.119.1 netmask 255.255.255.255 gw 10.15.119.5
Thu May 26 16:53:32 2011 Initialization Sequence Completed

Edit: thanks to wolfgangsz for noticing a typo in office.up; I tried tracepath again, but with no improvement:

$ tracepath 192.168.0.100
1:  10.15.119.6                                              0.261ms pmtu 1500
1:  10.15.119.1                                             88.989ms 
1:  10.15.119.1                                             58.752ms 
2:  no reply

Note how the result differs when the IP is the openvpn server's own:

$ tracepath 192.168.0.101
1:  10.15.119.6                                              0.308ms pmtu 1500
1:  192.168.0.101                                       115.713ms reached
1:  192.168.0.101                                        65.064ms reached
    Resume: pmtu 1500 hops 1 back 64 

Routing entries on the client:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.15.119.5     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.15.119.1     10.15.119.5     255.255.255.255 UGH   0      0        0 tun0
192.168.0.0     10.15.119.5     255.255.255.0   UG    0      0        0 tun0
10.21.2.0       0.0.0.0         255.255.255.0   U     1      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
0.0.0.0         10.21.2.254     0.0.0.0         UG    0      0        0 eth0

and routing entries on the (openvpn) server:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.15.119.2     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.15.119.0     10.15.119.2     255.255.255.0   UG    0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 vboxnet0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
0.0.0.0         0.0.0.0         0.0.0.0         U     1002   0        0 eth0
0.0.0.0         0.0.0.0         0.0.0.0         U     1004   0        0 vboxnet0

**Edit 2:** I checked that IP forwarding is enabled

$ cat /proc/sys/net/ipv4/ip_forward
1

This is the iptables output on the server:

$ sudo iptables -nv -L
Chain INPUT (policy DROP 1 packets, 52 bytes)
pkts bytes target     prot opt in     out     source               destination         
   0     0 DROP       all  --  eth0   *       127.0.0.1            0.0.0.0/0           
   0     0 DROP       all  --  eth0   *       0.0.0.0/0            127.0.0.1           
   0     0 DROP       all  --  eth0   *       192.168.0.0/16       0.0.0.0/0           
   0     0 DROP       all  --  eth0   *       172.16.0.0/12        0.0.0.0/0           
   0     0 DROP       all  --  eth0   *       10.0.0.0/8           0.0.0.0/0           
   8   416 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0           
   0     0 ACCEPT     all  --  *      *       0.0.0.0/0            127.0.0.1           
   0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
   0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
  91  8915 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
 293 28499 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194 
   1  1500 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  tap+   *       0.0.0.0/0            0.0.0.0/0           
  18  2010 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
   0     0 DROP       all  --  eth0   *       127.0.0.1            0.0.0.0/0           
   0     0 DROP       all  --  eth0   *       0.0.0.0/0            127.0.0.1           
   0     0 DROP       all  --  eth0   *       192.168.0.0/16       0.0.0.0/0           
   0     0 DROP       all  --  eth0   *       172.16.0.0/12        0.0.0.0/0           
   0     0 DROP       all  --  eth0   *       10.0.0.0/8           0.0.0.0/0           
   0     0 DROP       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spts:137:139 
   0     0 DROP       udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           udp spts:137:139 
   0     0 DROP       all  --  eth1   *      !10.0.0.0/24          0.0.0.0/0           
  38 57000 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  tap+   *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           state NEW 
   0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 

Chain OUTPUT (policy ACCEPT 306 packets, 34543 bytes)
pkts bytes target     prot opt in     out     source               destination         
   0     0 DROP       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spts:137:139 
   0     0 DROP       udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           udp spts:137:139 
   0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           state NEW 

Edit 3

I think I left out an important piece of information. I assumed it was irrelevant, but a recent answer makes me think it may matter: the openvpn server is connected directly to the router, and in the router configuration (at 192.168.0.1) I have enabled port forwarding of the openvpn port 1194 to the openvpn server; that is how I currently connect remotely.


Edit 4

I tried running the following command on the 192.168.0.100 machine (the secondary server), to see whether giving it a route to the 10.15.119.x range would solve the problem:

sudo route add -net 10.15.119.0 netmask 255.255.255.0 gw 192.168.0.101

(192.168.0.101 is the openvpn server's address; 192.168.0.100 is the secondary server I want to reach from outside.)

With this in place, ping 10.15.119.1 reaches the openvpn server, but ping 10.15.119.6 (my client's IP) fails.


Edit 5

Adding the tcpdump output on the openvpn server while pinging 192.168.0.100 from the client:

$ sudo tcpdump -v -i any host 192.168.0.100
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
11:10:43.675915 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
   10.15.119.6 > services-host-1.local: ICMP echo request, id 2494, seq 1, length 64
11:10:43.675932 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
   10.15.119.6 > services-host-1.local: ICMP echo request, id 2494, seq 1, length 64
11:10:43.676149 IP (tos 0x0, ttl 64, id 40127, offset 0, flags [none], proto ICMP (1), length 84)
   services-host-1.local > 10.15.119.6: ICMP echo reply, id 2494, seq 1, length 64
11:10:43.778583 IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], proto UDP (17), length 103)
   services-host-1.local.mdns > 224.0.0.251.mdns: 0*- [0q] 1/0/0 100.0.168.192.in-addr.arpa. (Cache flush) PTR services-host-1.local. (75)
11:10:43.778588 IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], proto UDP (17), length 103)
   services-host-1.local.mdns > 224.0.0.251.mdns: 0*- [0q] 1/0/0 100.0.168.192.in-addr.arpa. (Cache flush) PTR services-host-1.local. (75)
11:10:44.681801 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
   10.15.119.6 > services-host-1.local: ICMP echo request, id 2494, seq 2, length 64
11:10:44.681809 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
   10.15.119.6 > services-host-1.local: ICMP echo request, id 2494, seq 2, length 64
11:10:44.682007 IP (tos 0x0, ttl 64, id 40128, offset 0, flags [none], proto ICMP (1), length 84)
   services-host-1.local > 10.15.119.6: ICMP echo reply, id 2494, seq 2, length 64
11:10:45.689926 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
   10.15.119.6 > services-host-1.local: ICMP echo request, id 2494, seq 3, length 64
11:10:45.689933 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
   10.15.119.6 > services-host-1.local: ICMP echo request, id 2494, seq 3, length 64
11:10:45.690121 IP (tos 0x0, ttl 64, id 40129, offset 0, flags [none], proto ICMP (1), length 84)
   services-host-1.local > 10.15.119.6: ICMP echo reply, id 2494, seq 3, length 64
11:10:46.698990 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
   10.15.119.6 > services-host-1.local: ICMP echo request, id 2494, seq 4, length 64
11:10:46.698997 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
   10.15.119.6 > services-host-1.local: ICMP echo request, id 2494, seq 4, length 64
11:10:46.699190 IP (tos 0x0, ttl 64, id 40130, offset 0, flags [none], proto ICMP (1), length 84)
   services-host-1.local > 10.15.119.6: ICMP echo reply, id 2494, seq 4, length 64
11:10:47.706870 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
   10.15.119.6 > services-host-1.local: ICMP echo request, id 2494, seq 5, length 64
11:10:47.706878 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
   10.15.119.6 > services-host-1.local: ICMP echo request, id 2494, seq 5, length 64
11:10:47.707067 IP (tos 0x0, ttl 64, id 40131, offset 0, flags [none], proto ICMP (1), length 84)
   services-host-1.local > 10.15.119.6: ICMP echo reply, id 2494, seq 5, length 64
11:10:48.680540 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has services-host-1.local tell openvpnServer, length 28
11:10:48.680737 ARP, Ethernet (len 6), IPv4 (len 4), Reply services-host-1.local is-at 08:00:27:a4:e2:01 (oui Unknown), length 28
11:10:48.684812 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has dfdlinkrouter tell services-host-1.local, length 28
11:10:48.685338 ARP, Ethernet (len 6), IPv4 (len 4), Reply dfdlinkrouter is-at 00:26:5a:ae:90:88 (oui Unknown), length 46
11:10:48.716100 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
   10.15.119.6 > services-host-1.local: ICMP echo request, id 2494, seq 6, length 64
11:10:48.716107 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
   10.15.119.6 > services-host-1.local: ICMP echo request, id 2494, seq 6, length 64
11:10:48.716347 IP (tos 0x0, ttl 64, id 40132, offset 0, flags [none], proto ICMP (1), length 84)
   services-host-1.local > 10.15.119.6: ICMP echo reply, id 2494, seq 6, length 64

So it looks like the ping reaches the server and it replies, but the packets get dropped before entering the vpn. I therefore added a line to iptables to log all dropped or rejected INPUT and FORWARD packets; this is what is being filtered, from /var/log/syslog:

May 30 10:59:24 openvpnServer kernel: [40433.898392] iptables INPUT denied: IN=eth1 OUT= MAC= SRC=192.168.0.101 DST=224.0.0.251 LEN=98 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=78 
May 30 10:59:24 openvpnServer kernel: [40434.001003] iptables INPUT denied: IN=eth1 OUT= MAC=01:00:5e:00:00:fb:08:00:27:a4:e2:01:08:00 SRC=192.168.0.100 DST=224.0.0.251 LEN=62 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=42 
May 30 10:59:24 openvpnServer kernel: [40434.001102] iptables INPUT denied: IN=eth1 OUT= MAC= SRC=192.168.0.101 DST=224.0.0.251 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=52 
May 30 11:03:28 openvpnServer kernel: [40677.329586] iptables INPUT denied: IN=eth1 OUT= MAC= SRC=192.168.0.101 DST=224.0.0.251 LEN=67 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=47 
May 30 11:03:29 openvpnServer kernel: [40678.330065] iptables INPUT denied: IN=eth1 OUT= MAC= SRC=192.168.0.101 DST=224.0.0.251 LEN=67 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=47 

I have commented out most of the DROP and REJECT commands in iptables to see whether that helps, but I still have the same problem. This is iptables after removing all the drops:

$ sudo iptables -L -nv
Chain INPUT (policy ACCEPT 88 packets, 15209 bytes)
pkts bytes target     prot opt in     out     source               destination         
3404 3162K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
   0     0 REJECT     all  --  !lo    *       0.0.0.0/0            127.0.0.0/8         reject-with icmp-port-unreachable 
2950  249K ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
12881 6906K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
 162  9696 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
   1    42 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194 
   0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
  60 10407 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `iptables INPUT denied: ' 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
  30  2448 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
   0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194 
   0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `iptables FORWARD denied: ' 

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
2826  857K ACCEPT     all  --  *      tun+    0.0.0.0/0            0.0.0.0/0           
17443 5842K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0      

Edit 6

As Steven suggested, I ran 3 tcpdumps, 2 on the server and 1 on the client, while running the following from the client:

$ ping 192.168.0.100
PING 192.168.0.100 (192.168.0.100) 56(84) bytes of data.
^C
--- 192.168.0.100 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4024ms

but first I flushed all iptables rules on the openvpn server:

$ sudo iptables -L -nv
Chain INPUT (policy ACCEPT 206 packets, 26537 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 50 packets, 7781 bytes)
pkts bytes target     prot opt in     out     source               destination         

This is the output of the first tcpdump on the openvpn server:

$ sudo tcpdump -vn -i tun0 '(host 192.168.0.100 or host 10.15.119.6)' and icmp
tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
13:54:30.871403 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
   10.15.119.6 > 192.168.0.100: ICMP echo request, id 3145, seq 1, length 64
13:54:31.870534 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
   10.15.119.6 > 192.168.0.100: ICMP echo request, id 3145, seq 2, length 64
13:54:32.879562 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
   10.15.119.6 > 192.168.0.100: ICMP echo request, id 3145, seq 3, length 64

The second tcpdump on the server:

$ sudo tcpdump -vn -i eth1 '(host 192.168.0.100 or host 10.15.119.6)' and icmp
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
13:54:30.871429 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
   10.15.119.6 > 192.168.0.100: ICMP echo request, id 3145, seq 1, length 64
13:54:30.875508 IP (tos 0x0, ttl 64, id 28969, offset 0, flags [none], proto ICMP (1), length 84)
   192.168.0.100 > 10.15.119.6: ICMP echo reply, id 3145, seq 1, length 64
13:54:31.870544 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
   10.15.119.6 > 192.168.0.100: ICMP echo request, id 3145, seq 2, length 64
13:54:31.870760 IP (tos 0x0, ttl 64, id 28970, offset 0, flags [none], proto ICMP (1), length 84)
   192.168.0.100 > 10.15.119.6: ICMP echo reply, id 3145, seq 2, length 64

and the third tcpdump, this time on the client:

$ sudo tcpdump -vn -i eth0 host 192.168.0.100 and icmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

Something else that may help: on the client I ran ip route show

$ sudo ip route show
10.15.119.5 dev tun0  proto kernel  scope link  src 10.15.119.6 
10.15.119.1 via 10.15.119.5 dev tun0 
192.168.0.0/24 via 10.15.119.5 dev tun0 
10.21.2.0/24 dev eth0  proto kernel  scope link  src 10.21.2.118  metric 1 
169.254.0.0/16 dev eth0  scope link  metric 1000 
default via 10.21.2.254 dev eth0  proto static 

The same command on the openvpn server:

$ sudo ip route show
10.15.119.2 dev tun0  proto kernel  scope link  src 10.15.119.1 
10.15.119.0/24 via 10.15.119.2 dev tun0 
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.101  metric 1 
169.254.0.0/16 dev eth1  scope link  metric 1000 
default via 192.168.0.1 dev eth1  proto static 

OpenVPN version:

$ openvpn --version
OpenVPN 2.1.0 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 12 2010
Originally developed by James Yonan
Copyright (C) 2002-2009 OpenVPN Technologies, Inc.

The OS is Ubuntu 10.10 x86_64.


Why do I get this in the client log:

Tue May 31 14:45:41 2011 /sbin/ifconfig tun0 10.15.119.6 pointopoint 10.15.119.5 mtu 1500
Tue May 31 14:45:41 2011 /sbin/route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.15.119.5
Tue May 31 14:45:41 2011 /sbin/route add -net 10.15.119.1 netmask 255.255.255.255 gw 10.15.119.5

What is the 255.255.255.255 netmask on the virtual network for?


@skrewler, these are the netstat results:

First, from the client while openvpn is running:

$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.15.119.5     0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.15.119.1     10.15.119.5     255.255.255.255 UGH       0 0          0 tun0
192.168.0.0     10.15.119.5     255.255.255.0   UG        0 0          0 tun0
10.21.2.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         10.21.2.254     0.0.0.0         UG        0 0          0 eth0


$ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 08:00:27:0c:86:1c  
         inet addr:10.21.2.118  Bcast:10.21.2.255  Mask:255.255.255.0
         inet6 addr: fe80::a00:27ff:fe0c:861c/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:22701 errors:0 dropped:0 overruns:0 frame:0
         TX packets:12806 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000 
         RX bytes:2855655 (2.8 MB)  TX bytes:1224261 (1.2 MB)

lo        Link encap:Local Loopback  
         inet addr:127.0.0.1  Mask:255.0.0.0
         inet6 addr: ::1/128 Scope:Host
         UP LOOPBACK RUNNING  MTU:16436  Metric:1
         RX packets:8 errors:0 dropped:0 overruns:0 frame:0
         TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0 
         RX bytes:480 (480.0 B)  TX bytes:480 (480.0 B)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
         inet addr:10.15.119.6  P-t-P:10.15.119.5  Mask:255.255.255.255
         UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:100 
         RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

and client.conf:

dev tun0
remote my.server.com
tls-client
pull
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
ns-cert-type server
status logs/openvpn-status.log
log         logs/openvpn.log
comp-lzo
verb 4

Second, from the openvpn server:

$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.15.119.2     0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.15.119.0     10.15.119.2     255.255.255.0   UG        0 0          0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 eth1

Server config file:

dev tun
server 10.15.119.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
tls-server
dh keys/dh1024.pem
ca keys/ca.crt
cert keys/openvpn-server-key.crt
key keys/openvpn-server-key.key
user nobody
group nogroup
status openvpn-status.log
log         logs/openvpn.log
comp-lzo
verb 4

With the setup above I am able to:

1) ping 192.168.0.101 (the openvpn server) from the client
2) ping 10.15.119.6 (the client) from the openvpn server

What I cannot do is ping 192.168.0.100 (the secondary LAN server) from the client.

192.168.0.100 actually does reply to the client, as the tcpdump on the openvpn server shows, but somehow those packets never make it back to the client.

I have skimmed the replies and I think I have a clear picture of where you are with all this.

Let's do a few simple checks to narrow the problem down.

From one of the OpenVPN clients that cannot ping the 192.168.0.x hosts:

netstat -rn
ifconfig -a (*nix) or ipconfig /all (also give us this)
ping <openvpn server external 10.21.x address>
ping <openvpn 10.15.x address>

From the openvpn server:

netstat -rn
ping <a 192.168.0.x host>
ping <a 10.15.x host>
ping <a 10.21.x host>

Also, your current openvpn server config and client config, probably in /etc/openvpn/server.conf on the server and, on the client machines, /etc/openvpn/<hostname>.conf or c:\program files\openvpn\config\<hostname.conf> or .ovpn


I have a similar setup. On my OpenVPN server I have the equivalent of this iptables rule (change the host mask/interface to whatever your values should be):

# Generated by iptables-save v1.4.4 
*nat
:PREROUTING ACCEPT [5:332]
:POSTROUTING ACCEPT [5:740]
:OUTPUT ACCEPT [5:740]
-A POSTROUTING -s 10.15.119.0/24 -o eth1 -j MASQUERADE
COMMIT

It looks like your problem is most likely that you are missing iptable_nat.

# lsmod | grep nat
iptable_nat             5011  1 
nf_nat                 19101  2 ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4      12548  3 iptable_nat,nf_nat
nf_conntrack           72270  4 ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4
ip_tables              17942  2 iptable_nat,iptable_filter
x_tables               21613  3 ipt_MASQUERADE,iptable_nat,ip_tables

modprobe iptable_nat, or try with the -a parameter.
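Added example (not code from the question or from any of the answers): a small model of the routing decisions this page turns on, written with Python's standard ipaddress module. It loads the client and server tables posted in the question, an assumed table for the secondary LAN host 192.168.0.100 (never posted, so taken as a connected /24 plus a default route to the router at 192.168.0.1), the route from Edit 4, and the MASQUERADE rule from the answer above read as /24. The functions lookup, masquerade, reply_next_hop and scenario are names invented here. It shows why a /32 route (netmask 255.255.255.255) reaches exactly one address, why other 10.15.119.x addresses are not sent into the tunnel from the client at all, and where the LAN host sends its echo reply with no extra route, with the Edit 4 route, and with masquerading on the server.

```python
import ipaddress

# Routing tables constructed from the "ip route show" / "netstat -rn" output
# posted in the question.  Each route is (prefix, gateway-or-None, interface).
ROUTES = {
    "openvpn-server": [
        ("10.15.119.2/32", None, "tun0"),
        ("10.15.119.0/24", "10.15.119.2", "tun0"),
        ("192.168.0.0/24", None, "eth1"),
        ("169.254.0.0/16", None, "eth1"),
        ("0.0.0.0/0", "192.168.0.1", "eth1"),
    ],
    "client": [
        ("10.15.119.5/32", None, "tun0"),
        ("10.15.119.1/32", "10.15.119.5", "tun0"),   # the pushed /32 route
        ("192.168.0.0/24", "10.15.119.5", "tun0"),   # the pushed LAN route
        ("10.21.2.0/24", None, "eth0"),
        ("0.0.0.0/0", "10.21.2.254", "eth0"),
    ],
    # ASSUMED: the secondary LAN host's table was not posted; a plain host
    # has only its connected /24 and a default route towards the router.
    "lan-host": [
        ("192.168.0.0/24", None, "eth0"),
        ("0.0.0.0/0", "192.168.0.1", "eth0"),
    ],
}

# The route from Edit 4, as it would appear on 192.168.0.100.
EDIT4_ROUTE = ("10.15.119.0/24", "192.168.0.101", "eth0")

# The answer's "-A POSTROUTING -s 10.15.119.0/24 -o eth1 -j MASQUERADE",
# modelled as (source subnet, out interface, address of that interface).
SERVER_NAT = [("10.15.119.0/24", "eth1", "192.168.0.101")]


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does it: the most specific prefix
    wins, so a /32 (netmask 255.255.255.255) matches exactly one address and
    the /0 default route only wins when nothing else matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    if best is None:
        return None
    net, gw, dev = best
    # Gateway routes hand the packet to the gateway; connected routes deliver
    # it straight to the destination on that interface.
    return {"prefix": str(net), "next_hop": gw or str(addr), "dev": dev}


def masquerade(src, out_dev, nat_rules):
    """POSTROUTING MASQUERADE: a packet from a matching source subnet leaving
    through the named interface gets that interface's address as its source."""
    for subnet, dev, new_src in nat_rules:
        if dev == out_dev and ipaddress.ip_address(src) in ipaddress.ip_network(subnet):
            return new_src
    return src


def reply_next_hop(lan_routes, nat_rules):
    """Follow the echo request 10.15.119.6 -> 192.168.0.100 through the OpenVPN
    server; return (source the LAN host sees, route it uses for the reply)."""
    out = lookup(ROUTES["openvpn-server"], "192.168.0.100")   # forwarded via eth1
    seen_src = masquerade("10.15.119.6", out["dev"], nat_rules)
    return seen_src, lookup(lan_routes, seen_src)


def scenario(name):
    """The three situations discussed on the page."""
    if name == "no-route-no-nat":      # reply goes to the router, which has no VPN route
        return reply_next_hop(ROUTES["lan-host"], [])
    if name == "edit4-static-route":   # reply goes straight to the OpenVPN server
        return reply_next_hop(ROUTES["lan-host"] + [EDIT4_ROUTE], [])
    if name == "masquerade":           # reply is addressed to the server's own LAN IP
        return reply_next_hop(ROUTES["lan-host"], SERVER_NAT)
    raise ValueError(name)


if __name__ == "__main__":
    print("client -> 10.15.119.1 :", lookup(ROUTES["client"], "10.15.119.1"))
    print("client -> 10.15.119.9 :", lookup(ROUTES["client"], "10.15.119.9"))
    print("server -> 10.15.119.6 :", lookup(ROUTES["openvpn-server"], "10.15.119.6"))
    for name in ("no-route-no-nat", "edit4-static-route", "masquerade"):
        print(name, ":", scenario(name))
```

The model stops at the routing table on purpose: it ignores conntrack, rp_filter and the filter chains, all of which the question shows can still drop a packet the table would forward. A scenario that resolves cleanly here therefore only says the routing is consistent; the per-interface tcpdump captures in Edit 6 remain the authoritative check on the server, and the masquerade case additionally requires the NAT modules the last answer lists.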

Quoted from: https://serverfault.com/questions/272259