Why does OpenVPN route traffic for one specific IP incorrectly?
I have the following topology, where x is different for each site:
[OpenVPN client] <-> [OpenVPN Access Server] <-> [pfSense router] <-> [IPSec connected sites]
 172.27.244.21          10.128.20.5                10.128.20.1            10.130.x.1
I can ping devices in the IPSec sites from an OpenVPN client or directly from the OpenVPN Access Server. There is one site (10.130.7.1) that I cannot ping from an OpenVPN client, but I can ping that site directly from the OpenVPN Access Server.
Ping results from the OpenVPN (Windows) client:
Pinging 10.130.2.1 with 32 bytes of data:
Reply from 10.130.2.1: bytes=32 time=160ms TTL=62
Reply from 10.130.2.1: bytes=32 time=142ms TTL=62
Reply from 10.130.2.1: bytes=32 time=126ms TTL=62
Reply from 10.130.2.1: bytes=32 time=103ms TTL=62

Pinging 10.130.17.1 with 32 bytes of data:
Reply from 10.130.17.1: bytes=32 time=46ms TTL=62
Reply from 10.130.17.1: bytes=32 time=51ms TTL=62
Reply from 10.130.17.1: bytes=32 time=55ms TTL=62
Reply from 10.130.17.1: bytes=32 time=29ms TTL=62

Pinging 10.130.7.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping results from the OpenVPN Access Server (over SSH):
PING 10.130.2.1 (10.130.2.1) 56(84) bytes of data.
64 bytes from 10.130.2.1: icmp_seq=1 ttl=63 time=136 ms
64 bytes from 10.130.2.1: icmp_seq=2 ttl=63 time=111 ms
64 bytes from 10.130.2.1: icmp_seq=3 ttl=63 time=122 ms
64 bytes from 10.130.2.1: icmp_seq=4 ttl=63 time=166 ms

PING 10.130.17.1 (10.130.17.1) 56(84) bytes of data.
64 bytes from 10.130.17.1: icmp_seq=1 ttl=63 time=29.1 ms
64 bytes from 10.130.17.1: icmp_seq=2 ttl=63 time=29.1 ms
64 bytes from 10.130.17.1: icmp_seq=3 ttl=63 time=29.5 ms
64 bytes from 10.130.17.1: icmp_seq=4 ttl=63 time=29.5 ms

PING 10.130.7.1 (10.130.7.1) 56(84) bytes of data.
64 bytes from 10.130.7.1: icmp_seq=1 ttl=63 time=29.5 ms
64 bytes from 10.130.7.1: icmp_seq=2 ttl=63 time=28.8 ms
64 bytes from 10.130.7.1: icmp_seq=3 ttl=63 time=28.5 ms
64 bytes from 10.130.7.1: icmp_seq=4 ttl=63 time=28.5 ms
To me, the requests to 10.130.7.1 . To debug this, I ran a traceroute from my OpenVPN client:

Tracing route to 10.130.2.1 over a maximum of 30 hops
  1     1 ms     1 ms     1 ms  172.27.232.1
  2     2 ms     2 ms     1 ms  10.128.20.1
  3   115 ms   115 ms   116 ms  10.130.2.1

Tracing route to 10.130.17.1 over a maximum of 30 hops
  1     1 ms     1 ms     2 ms  172.27.232.1
  2     1 ms     1 ms     1 ms  10.128.20.1
  3    76 ms    38 ms    42 ms  10.130.17.1

Tracing route to 10.130.7.1 over a maximum of 30 hops
  1     1 ms     2 ms     2 ms  172.27.232.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
Since the requests seem to reach the OpenVPN Access Server (172.27.253.1), I ran a tcpdump there while pinging from the Windows client:

10:27:53.900720  In ethertype IPv4 (0x0800), length 76: 172.27.244.21 > 10.130.2.1: ICMP echo request, id 1, seq 1036, length 40
10:27:53.900756 Out 6a:fd:3e:82:c5:b8 ethertype IPv4 (0x0800), length 76: 10.128.20.5 > 10.130.2.1: ICMP echo request, id 1, seq 1036, length 40
10:27:54.001502  In 00:25:90:bd:8a:4a ethertype IPv4 (0x0800), length 76: 10.130.2.1 > 10.128.20.5: ICMP echo reply, id 1, seq 1036, length 40
10:27:54.001531 Out ethertype IPv4 (0x0800), length 76: 10.130.2.1 > 172.27.244.21: ICMP echo reply, id 1, seq 1036, length 40
10:27:57.048858  In ethertype IPv4 (0x0800), length 76: 172.27.244.21 > 10.130.17.1: ICMP echo request, id 1, seq 1037, length 40
10:27:57.048909 Out 6a:fd:3e:82:c5:b8 ethertype IPv4 (0x0800), length 76: 10.128.20.5 > 10.130.17.1: ICMP echo request, id 1, seq 1037, length 40
10:27:57.077173  In 00:25:90:bd:8a:4a ethertype IPv4 (0x0800), length 76: 10.130.17.1 > 10.128.20.5: ICMP echo reply, id 1, seq 1037, length 40
10:27:57.077204 Out ethertype IPv4 (0x0800), length 76: 10.130.17.1 > 172.27.244.21: ICMP echo reply, id 1, seq 1037, length 40
10:27:59.502909  In ethertype IPv4 (0x0800), length 76: 172.27.244.21 > 10.130.7.1: ICMP echo request, id 1, seq 1038, length 40
10:27:59.502966 Out 6a:fd:3e:82:c5:b8 ethertype IPv4 (0x0800), length 76: 172.27.244.21 > 10.130.7.1: ICMP echo request, id 1, seq 1038, length 40
Ha! The request to 10.130.7.1 "goes out" of the server with source 172.27.244.21 (the address of the OpenVPN client the ping came from). Why is that? Why does it not go out with 10.128.20.5 (the OpenVPN Access Server IP), as the requests to 10.130.2.1 and 10.130.17.1 do?
I don't know whether it is needed, but just to be sure, here is the routing table of the Access Server:

root@axx-ovpn-as01:/home/axxmin# routel
target                     gateway       source         proto    scope   dev     tbl
default                    10.128.20.1                  static           ens18
10.128.20.0/24                           10.128.20.5    kernel   link    ens18
172.27.224.0/21                          172.27.224.1   kernel   link    as0t0
172.27.232.0/21                          172.27.232.1   kernel   link    as0t1
172.27.244.21                                           static           as0t1
10.128.20.0                broadcast     10.128.20.5    kernel   link    ens18   local
10.128.20.5                local         10.128.20.5    kernel   host    ens18   local
10.128.20.255              broadcast     10.128.20.5    kernel   link    ens18   local
127.0.0.0                  broadcast     127.0.0.1      kernel   link    lo      local
127.0.0.0/8                local         127.0.0.1      kernel   host    lo      local
127.0.0.1                  local         127.0.0.1      kernel   host    lo      local
127.255.255.255            broadcast     127.0.0.1      kernel   link    lo      local
172.27.224.0               broadcast     172.27.224.1   kernel   link    as0t0   local
172.27.224.1               local         172.27.224.1   kernel   host    as0t0   local
172.27.231.255             broadcast     172.27.224.1   kernel   link    as0t0   local
172.27.232.0               broadcast     172.27.232.1   kernel   link    as0t1   local
172.27.232.1               local         172.27.232.1   kernel   host    as0t1   local
172.27.239.255             broadcast     172.27.232.1   kernel   link    as0t1   local
::1                        local                        kernel           lo
fe80::/64                                               kernel           ens18
fe80::/64                                               kernel           as0t0
fe80::/64                                               kernel           as0t1
::1                        local                        kernel           lo      local
fe80::1cea:a857:88ab:b687  local                        kernel           as0t1   local
fe80::68fd:3eff:fe82:c5b8  local                        kernel           ens18   local
fe80::a3cb:f651:4066:8cb   local                        kernel           as0t0   local
ff00::/8                                                                 ens18   local
ff00::/8                                                                 as0t0   local
ff00::/8                                                                 as0t1   local
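The check made by eye in the question above (does the Access Server rewrite the client's source address before the packet leaves ens18, and does a reply come back?) can be automated. The script below is an added example, not code from the question or from OpenVPN. It assumes the `tcpdump -i any -e -n` line format shown above (In/Out with an optional MAC), takes the VPN address space from the routel output (172.27.224.0/21 and 172.27.232.0/21 on as0t0/as0t1, plus the static host route for 172.27.244.21) and embeds the question's own capture lines as SAMPLE_CAPTURE; the function names are the example's own.

```python
"""Spot OpenVPN client traffic that leaves the Access Server's LAN side un-NATed.

Added example, not part of the original post. Pairs each ICMP echo request's
tunnel-side ("In") copy with its LAN-side ("Out") copy, records whether the
server rewrote the source to its own address, and whether any reply came back.
"""
import ipaddress
import re
from collections import defaultdict

# Line format of `tcpdump -i any -e -n` as it appears in the question
# (assumption: other tcpdump output styles will simply be skipped).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<dir>In|Out)\s+"
    r"(?:(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+)?"
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# VPN-side address space, read off the routel output in the question:
# the two client pools on as0t0/as0t1 and the static host route on as0t1.
VPN_SPACE = [ipaddress.ip_network(n) for n in
             ("172.27.224.0/21", "172.27.232.0/21", "172.27.244.21/32")]

# Capture lines copied from the question (one ping to each of the three sites).
SAMPLE_CAPTURE = """\
10:27:53.900720 In ethertype IPv4 (0x0800), length 76: 172.27.244.21 > 10.130.2.1: ICMP echo request, id 1, seq 1036, length 40
10:27:53.900756 Out 6a:fd:3e:82:c5:b8 ethertype IPv4 (0x0800), length 76: 10.128.20.5 > 10.130.2.1: ICMP echo request, id 1, seq 1036, length 40
10:27:54.001502 In 00:25:90:bd:8a:4a ethertype IPv4 (0x0800), length 76: 10.130.2.1 > 10.128.20.5: ICMP echo reply, id 1, seq 1036, length 40
10:27:54.001531 Out ethertype IPv4 (0x0800), length 76: 10.130.2.1 > 172.27.244.21: ICMP echo reply, id 1, seq 1036, length 40
10:27:57.048858 In ethertype IPv4 (0x0800), length 76: 172.27.244.21 > 10.130.17.1: ICMP echo request, id 1, seq 1037, length 40
10:27:57.048909 Out 6a:fd:3e:82:c5:b8 ethertype IPv4 (0x0800), length 76: 10.128.20.5 > 10.130.17.1: ICMP echo request, id 1, seq 1037, length 40
10:27:57.077173 In 00:25:90:bd:8a:4a ethertype IPv4 (0x0800), length 76: 10.130.17.1 > 10.128.20.5: ICMP echo reply, id 1, seq 1037, length 40
10:27:57.077204 Out ethertype IPv4 (0x0800), length 76: 10.130.17.1 > 172.27.244.21: ICMP echo reply, id 1, seq 1037, length 40
10:27:59.502909 In ethertype IPv4 (0x0800), length 76: 172.27.244.21 > 10.130.7.1: ICMP echo request, id 1, seq 1038, length 40
10:27:59.502966 Out 6a:fd:3e:82:c5:b8 ethertype IPv4 (0x0800), length 76: 172.27.244.21 > 10.130.7.1: ICMP echo request, id 1, seq 1038, length 40
"""


def parse(capture):
    """Yield a dict per parseable ICMP echo line; anything else is ignored."""
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def analyze(capture, vpn_space=VPN_SPACE):
    """Per destination: the In/Out source pair, NAT status and whether a reply was seen."""
    flows = defaultdict(lambda: {"dst": None, "in_src": None, "out_src": None, "reply": False})
    for p in parse(capture):
        key = (p["id"], p["seq"])          # ICMP id/seq ties the In and Out copies together
        if p["kind"] == "request":
            f = flows[key]
            f["dst"] = p["dst"]
            f["in_src" if p["dir"] == "In" else "out_src"] = p["src"]
        else:                              # any reply with the same id/seq means the far end answered
            flows[key]["reply"] = True
    result = {}
    for f in flows.values():
        if f["dst"] is None:               # reply without a matching request; nothing to judge
            continue
        out = f["out_src"]
        result[f["dst"]] = {
            "client_src": f["in_src"],
            "egress_src": out,
            # True when the server replaced the client address with its own (10.128.20.5 above)
            "source_translated": out is not None and out != f["in_src"],
            # True when the packet left the LAN side still carrying a VPN-pool address,
            # i.e. the remote site needs a return route for that pool or replies never come back
            "leaks_vpn_source": out is not None and any(ipaddress.ip_address(out) in n for n in vpn_space),
            "reply_seen": f["reply"],
        }
    return result


def suspect_destinations(capture, vpn_space=VPN_SPACE):
    """Destinations whose egress packet kept a VPN-pool source and never got a reply."""
    return sorted(dst for dst, r in analyze(capture, vpn_space).items()
                  if r["leaks_vpn_source"] and not r["reply_seen"])


if __name__ == "__main__":
    for dst, r in sorted(analyze(SAMPLE_CAPTURE).items()):
        print(f"{dst:<14} egress src {r['egress_src']:<14} "
              f"NAT={r['source_translated']!s:<5} reply={r['reply_seen']}")
    print("suspect:", suspect_destinations(SAMPLE_CAPTURE))
```

Feed it a longer capture (for example `tcpdump -i any -e -n icmp` piped to a file) and `suspect_destinations` lists exactly the destinations whose traffic is routed with the raw client address instead of being translated to the server's address; on the question's capture that is only 10.130.7.1.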
The problem was that I had configured the 10.130.7.0/24 network in the wrong field of an OpenVPN Access Server user group. I had put it in the "Subnets assigned to this group (optional):" field instead of the "Allow Access To networks and services" field, as I had done for the other networks. I did not notice it right away because the different networks are configured in different groups. "Allow Access To networks and services" is also only available when "Access control" is enabled.