Openvpn
Bridging on Linux using a TAP device (VirtualBox)
Bridging on Linux using a TAP device
Hello, I have the following setup:
To be able to ping a remote host, in my case separatehost1, I brought up a bridge device br0 on the server that combines tap0 + eth2 and bridges the local network (192.168.111.0/24) with the remote OpenVPN client (vpn2), but still no luck. Please advise me on what I am doing wrong.
I can ping: vpn1 -> vpn2, vpn2 -> vpn1, vpn1 -> separatehost1. I cannot ping separatehost1 from vpn2 (the client), or vice versa (Destination Host Unreachable).
Server config file
#Server config
proto udp
port 1194
persist-key
persist-tun
keepalive 10 60
tls-auth /etc/openvpn/movpn/ta.key 0
remote-cert-tls client
dh /etc/openvpn/movpn/dh2048.pem
ca /etc/openvpn/movpn/ca.crt
cert /etc/openvpn/movpn/server.crt
key /etc/openvpn/movpn/server.key
user nobody
group nogroup # use 'group nogroup' on Debian/Ubuntu
verb 3
daemon
log-append /var/log/openvpn.log
#client-to-client
dev tap0
server-bridge 192.168.111.101 255.255.255.0 192.168.111.128 192.168.111.200
All machines were created with a Vagrantfile + net.ipv4.ip_forward = 1.
Script that brings up the br0 interface:
#!/bin/bash
br="br0"
tap="tap0"
eth="eth2"
br_ip="192.168.111.101"
br_netmask="255.255.255.0"
br_broadcast="192.168.111.255"

# Create the tap adapter
openvpn --mktun --dev $tap

# Create the bridge and add interfaces
brctl addbr $br
brctl addif $br $eth
brctl addif $br $tap

# Configure the bridge
ifconfig $tap 0.0.0.0 promisc up
ifconfig $eth 0.0.0.0 promisc up
ifconfig $br $br_ip netmask $br_netmask broadcast $br_broadcast
From my troubleshooting, the server is not forwarding the ICMP packets to separatehost1, and I don't know why...
root@vpn1:/etc/openvpn/movpn# ip -d link show br0
12: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 08:00:27:6c:77:40 brd ff:ff:ff:ff:ff:ff promiscuity 0
    bridge forward_delay 1500 hello_time 200 max_age 2000 ageing_time 30000 stp_state 0 priority 32768 vlan_filtering 0 vlan_protocol 802.1Q bridge_id 8000.8:0:27:6c:77:40 designated_root 8000.8:0:27:6c:77:40 root_port 0 root_path_cost 0 topology_change 0 topology_change_detected 0 hello_timer 0.00 tcn_timer 0.00 topology_change_timer 0.00 gc_timer 150.00 vlan_default_pvid 1 vlan_stats_enabled 0 group_fwd_mask 0 group_address 01:80:c2:00:00:00 mcast_snooping 1 mcast_router 1 mcast_query_use_ifaddr 0 mcast_querier 0 mcast_hash_elasticity 4 mcast_hash_max 512 mcast_last_member_count 2 mcast_startup_query_count 2 mcast_last_member_interval 100 mcast_membership_interval 26000 mcast_querier_interval 25500 mcast_query_interval 12500 mcast_query_response_interval 1000 mcast_startup_query_interval 3124 mcast_stats_enabled 0 mcast_igmp_version 2 mcast_mld_version 1 nf_call_iptables 0 nf_call_ip6tables 0 nf_call_arptables 0 addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535

root@vpn1:/etc/openvpn/movpn# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 08:00:27:b4:26:99 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 08:00:27:db:97:af brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP mode DEFAULT group default qlen 1000
    link/ether 08:00:27:6c:77:40 brd ff:ff:ff:ff:ff:ff
11: tap0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP mode DEFAULT group default qlen 100
    link/ether d6:df:32:8a:b0:5e brd ff:ff:ff:ff:ff:ff
12: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 08:00:27:6c:77:40 brd ff:ff:ff:ff:ff:ff

root@separatehosts1:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:b4:26:99 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic eth0
       valid_lft 76182sec preferred_lft 76182sec
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:a5:4b:55 brd ff:ff:ff:ff:ff:ff
    inet 192.168.111.102/24 brd 192.168.111.255 scope global eth1
       valid_lft forever preferred_lft forever

root@vpn1:/etc/openvpn/movpn# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:b4:26:99 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic eth0
       valid_lft 75325sec preferred_lft 75325sec
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:db:97:af brd ff:ff:ff:ff:ff:ff
    inet 192.168.33.101/24 brd 192.168.33.255 scope global eth1
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP group default qlen 1000
    link/ether 08:00:27:6c:77:40 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::a00:27ff:fe6c:7740/64 scope link
       valid_lft forever preferred_lft forever
11: tap0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP group default qlen 100
    link/ether d6:df:32:8a:b0:5e brd ff:ff:ff:ff:ff:ff
12: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 08:00:27:6c:77:40 brd ff:ff:ff:ff:ff:ff
    inet 192.168.111.101/24 brd 192.168.111.255 scope global br0
       valid_lft forever preferred_lft forever

root@vpn2:/etc/openvpn/movpn# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:b4:26:99 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic eth0
       valid_lft 75777sec preferred_lft 75777sec
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:d8:ad:47 brd ff:ff:ff:ff:ff:ff
    inet 192.168.33.102/24 brd 192.168.33.255 scope global eth1
       valid_lft forever preferred_lft forever
9: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/ether 2a:2f:98:b3:34:81 brd ff:ff:ff:ff:ff:ff
    inet 192.168.111.128/24 brd 192.168.111.255 scope global tap0
       valid_lft forever preferred_lft forever
By default VirtualBox applies MAC-based filtering directly in its virtual switch code. It knows the VM's MAC address and does not pass any other packets (apart from multicast and broadcast). The reason is of course security: otherwise a VM could try to redirect traffic, etc.
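An added diagnostic, not code from the question or the answer: it parses the guest-side `ip link` output and the OpenVPN `server-bridge` directive (both condensed from the question into a constructed sample) and reports what the guest can verify on its own, namely that both ports are enslaved to br0 and promiscuous, and that the server-bridge gateway, netmask and client pool match br0's address. It cannot see VirtualBox's own MAC filtering, which lives on the host side.

```python
import ipaddress
import re

# Constructed sample: condensed excerpt of the question's `ip link` output and server config.
IP_LINK = """\
4: eth2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP mode DEFAULT group default qlen 1000
11: tap0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP mode DEFAULT group default qlen 100
12: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
"""
BR0_CIDR = "192.168.111.101/24"  # br0 address as shown by `ip a` on vpn1
SERVER_BRIDGE = "server-bridge 192.168.111.101 255.255.255.0 192.168.111.128 192.168.111.200"

def parse_links(text):
    """Map interface name -> {flags, master} from `ip link` output; continuation lines are skipped."""
    links = {}
    for line in text.splitlines():
        m = re.match(r"\d+: (\S+): <([^>]*)>(.*)", line)
        if m:
            name, flags, rest = m.groups()
            toks = rest.split()
            links[name] = {"flags": set(flags.split(",")),
                           "master": toks[toks.index("master") + 1] if "master" in toks else None}
    return links

def check_bridge(links, bridge, ports):
    """Guest-side checks: bridge exists, each port is enslaved to it and promiscuous."""
    problems = [] if bridge in links else [f"{bridge}: bridge interface missing"]
    for port in ports:
        info = links.get(port, {"flags": set(), "master": None})
        if info["master"] != bridge:
            problems.append(f"{port}: not enslaved to {bridge} (master={info['master']})")
        if "PROMISC" not in info["flags"]:
            problems.append(f"{port}: not promiscuous, frames for other MACs are dropped")
    return problems

def check_server_bridge(directive, bridge_cidr):
    """Check the OpenVPN server-bridge line against the bridge's own address and subnet."""
    _, gw, mask, pool_start, pool_end = directive.split()
    br = ipaddress.ip_interface(bridge_cidr)
    net = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
    problems = []
    if ipaddress.ip_address(gw) != br.ip:
        problems.append(f"gateway {gw} is not the bridge address {br.ip}")
    if net != br.network:
        problems.append(f"netmask gives {net}, bridge is on {br.network}")
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    if lo > hi or lo not in net or hi not in net:
        problems.append(f"client pool {lo}-{hi} is not a valid range inside {net}")
    return problems
```

When every guest-side check passes and frames for other MACs still vanish, the filter is the VM adapter's promiscuous-mode setting in VirtualBox (Deny by default), set with `VBoxManage modifyvm <vm> --nicpromisc<N> allow-all`.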
After a few hours I rebooted all the hosts and traffic started flowing through the tunnel. It seems to me that VirtualBox's virtual switch had noticed that I had created additional interfaces and was blocking them until the reboot; after the reboot the ARP requests went through again and all traffic started working normally :)
Hope this answer saves you some time.
separatehost1 -> vpn2
root@separatehosts1:~# ping 192.168.111.128
PING 192.168.111.128 (192.168.111.128) 56(84) bytes of data.
64 bytes from 192.168.111.128: icmp_seq=1 ttl=64 time=2.62 ms
64 bytes from 192.168.111.128: icmp_seq=2 ttl=64 time=2.50 ms
64 bytes from 192.168.111.128: icmp_seq=3 ttl=64 time=2.42 ms
64 bytes from 192.168.111.128: icmp_seq=4 ttl=64 time=1.57 ms
64 bytes from 192.168.111.128: icmp_seq=5 ttl=64 time=2.53 ms
^C
--- 192.168.111.128 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4258ms
rtt min/avg/max/mdev = 1.571/2.333/2.624/0.386 ms
vpn2 -> separatehost1
root@vpn2:~# ping 192.168.111.102
PING 192.168.111.102 (192.168.111.102) 56(84) bytes of data.
64 bytes from 192.168.111.102: icmp_seq=1 ttl=64 time=1.21 ms
64 bytes from 192.168.111.102: icmp_seq=2 ttl=64 time=2.02 ms
64 bytes from 192.168.111.102: icmp_seq=3 ttl=64 time=2.15 ms
64 bytes from 192.168.111.102: icmp_seq=4 ttl=64 time=1.71 ms
64 bytes from 192.168.111.102: icmp_seq=5 ttl=64 time=2.63 ms
^C
--- 192.168.111.102 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4009ms
rtt min/avg/max/mdev = 1.214/1.946/2.634/0.474 ms