Networking

Server does not respond to pings routed through the VPN

  • July 28, 2021

I have a server and a virtual machine. I host OpenVPN on this server. The VM has two interfaces: ens18 for the public IP, ens19 for the internal network. I am trying to ping 10.2.0.3 (the VM's IP on ens19) through the VPN, but there is no response. When I run tcpdump -i ens19 icmp on the VM, it returns:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens19, link-type EN10MB (Ethernet), capture size 262144 bytes
16:50:25.931910 IP 10.8.0.2 > 10.2.0.3: ICMP echo request, id 1, seq 80, length 40
16:50:29.381784 IP 10.8.0.2 > 10.2.0.3: ICMP echo request, id 1, seq 81, length 40

Ping output:

Pinging 10.2.0.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Server tcpdump output:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
15:58:15.007090 IP 10.8.0.2 > 10.2.0.3: ICMP echo request, id 1, seq 45, length 40

My iptables rules:

Chain INPUT (policy ACCEPT 2806K packets, 1097M bytes)
pkts bytes target     prot opt in     out     source               destination         
   0     0 ACCEPT     all  --  eth0   any     anywhere             anywhere             state RELATED,ESTABLISHED
198K   27M ACCEPT     udp  --  vmbr0  any     anywhere             anywhere             udp dpt:[my openvn port]
  40  2429 ACCEPT     all  --  tun0   any     anywhere             anywhere            
   0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere            
   0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere            

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
197K   16M ACCEPT     all  --  tun0   vmbr0   anywhere             anywhere            
177K  336M ACCEPT     all  --  vmbr0  tun0    anywhere             anywhere            
  45  2540 ACCEPT     all  --  tun0   any     10.8.0.0/24          10.2.0.3            
   2   104 ACCEPT     all  --  tun0   any     10.8.0.0/24          10.2.0.0/24         
   0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 3102K packets, 1303M bytes)
pkts bytes target     prot opt in     out     source               destination         
   0     0 ACCEPT     all  --  any    tun0    anywhere             anywhere       

My routing table:

default via [my public ip] dev vmbr0 proto kernel onlink 
10.2.0.0/24 dev vmbr1 proto kernel scope link src 10.2.0.1 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1 
[my public ip] dev vmbr0 proto kernel scope link src [my gateway] 

ip rule list:

0:      from all lookup local 
32766:  from all lookup main 
32767:  from all lookup default 

If you need any additional information, please add a comment. Sorry for my bad English.

By @TomYan

On the VM, run ip r add 10.8.0.0/24 via 10.2.0.1. For the VPN part, add route 10.2.0.0 255.255.255.0 to the client conf, or add push "route 10.2.0.0 255.255.255.0" to the server conf, assuming you use client / pull in the client conf. Note that these routes are not needed if both the VM and the VPN client use the server as their default gateway.
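As an added example (not part of the question or the answer above): a small POSIX shell script that checks a VM routing table for the return route the answer describes, i.e. either an explicit route for 10.8.0.0/24 or a default route via the OpenVPN server's LAN address 10.2.0.1, and prints the two fixes when it is missing. The VM routing table is constructed for the example; the gateway 10.2.0.254 and the 203.0.113.0/24 public range are assumed placeholder values.

```shell
#!/bin/sh
# Values taken from the question: VPN subnet, server's internal address, VM LAN.
VPN_NET="10.8.0.0/24"
SERVER_LAN_IP="10.2.0.1"
VM_LAN="10.2.0.0/24"

# Constructed sample of the VM's routing table before the fix: the default
# gateway (assumed 10.2.0.254) is not the OpenVPN server, so the echo reply
# to 10.8.0.2 never goes back into the tunnel.
VM_ROUTES_BEFORE='default via 10.2.0.254 dev ens19
10.2.0.0/24 dev ens19 proto kernel scope link src 10.2.0.3
203.0.113.0/24 dev ens18 proto kernel scope link src 203.0.113.10'

# Convert a prefix length to a dotted netmask; OpenVPN's "route" directive
# takes "network netmask", not CIDR notation.
prefix_to_mask() {
    bits=$1; mask=""
    for _ in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then octet=255; bits=$((bits - 8))
        else octet=$(( (255 << (8 - bits)) & 255 )); bits=0; fi
        mask="${mask}${mask:+.}${octet}"
    done
    printf '%s' "$mask"
}

# Exit 0 if the given routing table (text of `ip route`) can carry replies
# back to the VPN subnet: an explicit route, or a default route via the server.
has_return_route() {
    printf '%s\n' "$1" | awk -v net="$VPN_NET" -v gw="$SERVER_LAN_IP" '
        $1 == net                                  { found = 1 }
        $1 == "default" && $2 == "via" && $3 == gw { found = 1 }
        END { exit !found }'
}

# Print the two fixes from the answer: the return route on the VM and the
# route the server pushes so clients know the VM LAN is behind the tunnel.
fix_commands() {
    lan=${VM_LAN%/*}; lanmask=$(prefix_to_mask "${VM_LAN#*/}")
    echo "# on the VM (10.2.0.3):"
    echo "ip route add ${VPN_NET} via ${SERVER_LAN_IP}"
    echo "# in the OpenVPN server config (clients using client / pull):"
    echo "push \"route ${lan} ${lanmask}\""
}

if has_return_route "$VM_ROUTES_BEFORE"; then
    echo "return route present; replies to ${VPN_NET} reach the tunnel"
else
    echo "no route back to ${VPN_NET}: echo replies leave via the default gateway"
    fix_commands
fi
```

The asymmetry this catches is exactly what the question's captures show: requests arrive on ens19, but the reply has no path back to 10.8.0.0/24.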

Source: https://serverfault.com/questions/1070515