Routing

Routing part of the OpenVPN traffic into an IPSec tunnel on the server

  • May 28, 2021

I am trying to configure OpenVPN Access Server to route some traffic through an IPSec tunnel that is established on the OpenVPN server. These are the addressing details:

  • OpenVPN client IP range: 10.0.1.0/24
  • OpenVPN server IP (where the clients connect to): x.x.x.x
  • IPSec tunnel peer: y.y.y.y
  • IPSec tunnel subnets: (x.x.x.x) 10.0.1.0/24 <--> 172.30.239.0/25 (y.y.y.y)

From an OpenVPN client, the expected behaviour is this:

  • curl 172.30.239.75 -> traffic goes from the client to the OpenVPN server, is routed through the IPSec tunnel and ends up in the 172.30.239.0/25 network
  • curl google.com -> traffic goes from the client to the OpenVPN server and on to the public internet via its default gateway (not using the IPSec tunnel at all)

I thought this configuration would "just work", because the OpenVPN clients get their IP addresses from the same subnet that the IPSec tunnel uses, but unfortunately that is not the case.

I can reach the remote IPSec subnet directly from the OpenVPN server, e.g. curl 172.30.239.75, so the tunnel and some routing are working. But the same request from an OpenVPN client just times out (tcpdump shows that the request reaches the OpenVPN server, but it ends there).

I have no idea what to try next. Could you help me? I am very new to this, so a detailed answer would be greatly appreciated! This question is related to this earlier question of mine, but that one did not have enough detail to actually implement anything.

Below I have tried to collect the relevant configuration, but please tell me if something else is important.

I have not added any custom interfaces, routes or iptables rules. Everything I tried either had no effect at all or broke things, so the output below is that of the OpenVPN and IPSec configuration.

Interfaces

$ ifconfig (truncated)
as0t0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
       inet 10.0.1.1  netmask 255.255.255.128  destination 10.0.1.1

as0t1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
       inet 10.0.1.129  netmask 255.255.255.128  destination 10.0.1.129

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
       inet x.x.x.x  netmask 255.255.252.0  broadcast x.x.x.x

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
       inet 10.1.7.177  netmask 255.255.252.0  broadcast 10.1.7.255

Routes

Below, [gw.gw.gw.gw] is the IP address of the default gateway of the eth0 interface.

$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    0      0        0 eth0
10.0.0.0        10.1.4.1        255.0.0.0       UG    0      0        0 eth1
10.0.1.0        0.0.0.0         255.255.255.128 U     0      0        0 as0t0
10.0.1.128      0.0.0.0         255.255.255.128 U     0      0        0 as0t1
10.1.4.0        0.0.0.0         255.255.252.0   U     0      0        0 eth1
169.254.169.254 10.1.4.1        255.255.255.255 UGH   0      0        0 eth1
x.x.x.0         0.0.0.0         255.255.252.0   U     0      0        0 eth0



$ ip route list table all
172.30.239.0/25 via [gw.gw.gw.gw] dev eth0 table 220 proto static src 10.0.1.1
default via [gw.gw.gw.gw] dev eth0
10.0.1.0/25 dev as0t0 proto kernel scope link src 10.0.1.1
10.0.1.128/25 dev as0t1 proto kernel scope link src 10.0.1.129
x.x.x.0/22 dev eth0 proto kernel scope link src x.x.x.x
broadcast 10.0.1.0 dev as0t0 table local proto kernel scope link src 10.0.1.1
local 10.0.1.1 dev as0t0 table local proto kernel scope host src 10.0.1.1
broadcast 10.0.1.127 dev as0t0 table local proto kernel scope link src 10.0.1.1
broadcast 10.0.1.128 dev as0t1 table local proto kernel scope link src 10.0.1.129
local 10.0.1.129 dev as0t1 table local proto kernel scope host src 10.0.1.129
broadcast 10.0.1.255 dev as0t1 table local proto kernel scope link src 10.0.1.129
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast x.x.x.0 dev eth0 table local proto kernel scope link src x.x.x.x
local x.x.x.x dev eth0 table local proto kernel scope host src x.x.x.x
broadcast 185.26.51.255 dev eth0 table local proto kernel scope link src x.x.x.x

iptables

$ iptables-save
# Generated by iptables-save v1.8.4 on Thu May 27 23:20:08 2021
*nat
:PREROUTING ACCEPT [655:63952]
:INPUT ACCEPT [82:5300]
:OUTPUT ACCEPT [72:5613]
:POSTROUTING ACCEPT [72:5613]
:AS0_NAT - [0:0]
:AS0_NAT_POST_REL_EST - [0:0]
:AS0_NAT_PRE - [0:0]
:AS0_NAT_PRE_REL_EST - [0:0]
:AS0_NAT_TEST - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_PRE_REL_EST
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_POST_REL_EST
-A POSTROUTING -m mark --mark 0x2000000/0x2000000 -j AS0_NAT_PRE
-A AS0_NAT -o eth0 -j SNAT --to-source x.x.x.x
-A AS0_NAT -o eth1 -j SNAT --to-source 10.1.7.177
-A AS0_NAT -j ACCEPT
-A AS0_NAT_POST_REL_EST -j ACCEPT
-A AS0_NAT_PRE -m mark --mark 0x8000000/0x8000000 -j AS0_NAT
-A AS0_NAT_PRE -d 169.254.0.0/16 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 192.168.0.0/16 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 172.16.0.0/12 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 10.0.0.0/8 -j AS0_NAT_TEST
-A AS0_NAT_PRE -j AS0_NAT
-A AS0_NAT_PRE_REL_EST -j ACCEPT
-A AS0_NAT_TEST -o as0t+ -j ACCEPT
-A AS0_NAT_TEST -m mark --mark 0x4000000/0x4000000 -j ACCEPT
-A AS0_NAT_TEST -d 10.0.1.0/24 -j ACCEPT
-A AS0_NAT_TEST -j AS0_NAT
COMMIT
# Completed on Thu May 27 23:20:08 2021
# Generated by iptables-save v1.8.4 on Thu May 27 23:20:08 2021
*mangle
:PREROUTING ACCEPT [48:3312]
:INPUT ACCEPT [19672:4609821]
:FORWARD ACCEPT [32480:9628950]
:OUTPUT ACCEPT [18602:11259270]
:POSTROUTING ACCEPT [51071:20887532]
:AS0_MANGLE_PRE_REL_EST - [0:0]
:AS0_MANGLE_TUN - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_MANGLE_PRE_REL_EST
-A PREROUTING -i as0t+ -j AS0_MANGLE_TUN
-A AS0_MANGLE_PRE_REL_EST -j ACCEPT
-A AS0_MANGLE_TUN -j MARK --set-xmark 0x2000000/0xffffffff
-A AS0_MANGLE_TUN -j ACCEPT
COMMIT
# Completed on Thu May 27 23:20:08 2021
# Generated by iptables-save v1.8.4 on Thu May 27 23:20:08 2021
*filter
:INPUT ACCEPT [12:660]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18526:11256230]
:AS0_ACCEPT - [0:0]
:AS0_IN - [0:0]
:AS0_IN_NAT - [0:0]
:AS0_IN_POST - [0:0]
:AS0_IN_PRE - [0:0]
:AS0_IN_ROUTE - [0:0]
:AS0_OUT - [0:0]
:AS0_OUT_LOCAL - [0:0]
:AS0_OUT_POST - [0:0]
:AS0_OUT_S2C - [0:0]
:AS0_WEBACCEPT - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A INPUT -i lo -j AS0_ACCEPT
-A INPUT -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j AS0_ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j AS0_ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_WEBACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 943 -j AS0_WEBACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A FORWARD -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A FORWARD -o as0t+ -j AS0_OUT_S2C
-A OUTPUT -o as0t+ -j AS0_OUT_LOCAL
-A AS0_ACCEPT -j ACCEPT
-A AS0_IN -d 10.0.1.1/32 -j ACCEPT
-A AS0_IN -j AS0_IN_POST
-A AS0_IN_NAT -j MARK --set-xmark 0x8000000/0x8000000
-A AS0_IN_NAT -j ACCEPT
-A AS0_IN_POST -d 10.0.1.0/24 -j ACCEPT
-A AS0_IN_POST -o as0t+ -j AS0_OUT
-A AS0_IN_POST -j DROP
-A AS0_IN_PRE -d 169.254.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 192.168.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 172.16.0.0/12 -j AS0_IN
-A AS0_IN_PRE -d 10.0.0.0/8 -j AS0_IN
-A AS0_IN_PRE -j ACCEPT
-A AS0_IN_ROUTE -j MARK --set-xmark 0x4000000/0x4000000
-A AS0_IN_ROUTE -j ACCEPT
-A AS0_OUT -j AS0_OUT_POST
-A AS0_OUT_LOCAL -p icmp -m icmp --icmp-type 5 -j DROP
-A AS0_OUT_LOCAL -j ACCEPT
-A AS0_OUT_POST -j DROP
-A AS0_OUT_S2C -s 10.0.1.0/24 -j ACCEPT
-A AS0_OUT_S2C -j AS0_OUT
-A AS0_WEBACCEPT -j ACCEPT
COMMIT
# Completed on Thu May 27 23:20:08 2021

I also tried not letting the OpenVPN client IP subnet and the IPSec tunnel subnet overlap, but in that case I could not find a way to set up the routing either. That setup is definitely an option, though, and it would be even better that way.

The final solution was very simple and can be done entirely through the OpenVPN AS web UI.

All I had to do was:

  • VPN Settings > Routing
  • Set "Should VPN clients have access to private subnets (non-public networks on the server side)?" to "Yes, using routing"
  • Fill in the remote IPSec tunnel subnet (172.30.239.0/25). This is important. I had previously been filling in the tunnel's local subnet (10.0.1.0/24), which is incorrect.

After this, OpenVPN AS generates the following iptables rules (only the rules relevant to the subnet are shown):

*nat
-A AS0_NAT_TEST -d 172.30.239.0/25 -j ACCEPT

*filter
-A AS0_IN_POST -d 172.30.239.0/25 -j ACCEPT
-A AS0_OUT_S2C -s 172.30.239.0/25 -j ACCEPT

Everything works.
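As an added illustration (not part of the question or the answer above), the script below parses iptables-save text and checks whether a given remote subnet is covered by the three OpenVPN AS chains the answer names. Reading the dumps on this page: without the `AS0_NAT_TEST -d <subnet> -j ACCEPT` rule, client traffic for 172.30.239.0/25 falls through to `AS0_NAT` and is SNATed to x.x.x.x, so it no longer carries a 10.0.1.x source when the IPSec policy (10.0.1.0/24 <-> 172.30.239.0/25) is consulted; without the `AS0_IN_POST` rule, forwarded client packets hit the chain's final DROP; and without the `AS0_OUT_S2C` rule, return traffic towards `as0t+` is dropped in `AS0_OUT_POST`. The rule excerpts are constructed from the page's before/after dumps; the chain names and the subnet are taken from the page, everything else is the example's own.

```python
import ipaddress
import re

# Excerpt of the question's iptables-save output before the fix (constructed sample;
# only the three chains that matter are kept, in their original order).
BEFORE = """\
*nat
-A AS0_NAT_TEST -o as0t+ -j ACCEPT
-A AS0_NAT_TEST -m mark --mark 0x4000000/0x4000000 -j ACCEPT
-A AS0_NAT_TEST -d 10.0.1.0/24 -j ACCEPT
-A AS0_NAT_TEST -j AS0_NAT
COMMIT
*filter
-A AS0_IN_POST -d 10.0.1.0/24 -j ACCEPT
-A AS0_IN_POST -o as0t+ -j AS0_OUT
-A AS0_IN_POST -j DROP
-A AS0_OUT_S2C -s 10.0.1.0/24 -j ACCEPT
-A AS0_OUT_S2C -j AS0_OUT
COMMIT
"""

# Same excerpt with the three rules the answer reports after adding the remote subnet.
AFTER = """\
*nat
-A AS0_NAT_TEST -o as0t+ -j ACCEPT
-A AS0_NAT_TEST -m mark --mark 0x4000000/0x4000000 -j ACCEPT
-A AS0_NAT_TEST -d 172.30.239.0/25 -j ACCEPT
-A AS0_NAT_TEST -d 10.0.1.0/24 -j ACCEPT
-A AS0_NAT_TEST -j AS0_NAT
COMMIT
*filter
-A AS0_IN_POST -d 172.30.239.0/25 -j ACCEPT
-A AS0_IN_POST -d 10.0.1.0/24 -j ACCEPT
-A AS0_IN_POST -o as0t+ -j AS0_OUT
-A AS0_IN_POST -j DROP
-A AS0_OUT_S2C -s 172.30.239.0/25 -j ACCEPT
-A AS0_OUT_S2C -s 10.0.1.0/24 -j ACCEPT
-A AS0_OUT_S2C -j AS0_OUT
COMMIT
"""

RULE_RE = re.compile(r"^-A (?P<chain>\S+)\s*(?P<body>.*?)\s*-j (?P<target>\S+)$")
ADDR_RE = re.compile(r"-(?P<flag>[ds]) (?P<net>\S+)")


def parse_rules(dump):
    """Turn iptables-save text into ordered (table, chain, match_body, target) tuples."""
    table, rules = None, []
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            m = RULE_RE.match(line)
            if m:
                rules.append((table, m["chain"], m["body"], m["target"]))
    return rules


def chain_covers(rules, table, chain, flag, subnet):
    """True if table/chain ACCEPTs the subnet on a pure -d/-s match (flag 'd' or 's')
    before an unconditional rule ends the walk through the chain."""
    want = ipaddress.ip_network(subnet)
    for t, c, body, target in rules:
        if t != table or c != chain:
            continue
        addrs = {a["flag"]: ipaddress.ip_network(a["net"]) for a in ADDR_RE.finditer(body)}
        only_addr = ADDR_RE.sub("", body).strip() == ""
        if flag in addrs and only_addr:
            if addrs[flag].supernet_of(want):
                return target == "ACCEPT"
        elif body == "":
            # no match criteria at all: this rule catches everything that got here
            return target == "ACCEPT"
        # rules with other criteria (-o, -m mark, ...) are ignored for this check
    return False


def check_remote_subnet(dump, remote_subnet):
    """Report which of the three OpenVPN AS rules for a server-side subnet are in place."""
    rules = parse_rules(dump)
    return {
        # no SNAT: the client keeps its 10.0.1.x source, which the IPSec policy requires
        "nat_exempt": chain_covers(rules, "nat", "AS0_NAT_TEST", "d", remote_subnet),
        # forwarded client->subnet packets are accepted instead of hitting the DROP
        "client_to_remote": chain_covers(rules, "filter", "AS0_IN_POST", "d", remote_subnet),
        # replies from the subnet towards the as0t+ interfaces are accepted
        "remote_to_client": chain_covers(rules, "filter", "AS0_OUT_S2C", "s", remote_subnet),
    }


if __name__ == "__main__":
    for label, dump in (("before", BEFORE), ("after", AFTER)):
        print(label, check_remote_subnet(dump, "172.30.239.0/25"))
```

Run against a live box with `iptables-save | python3 check.py`-style piping if you adapt the `__main__` block to read stdin; the check deliberately treats rules with extra criteria (`-o as0t+`, `-m mark`) as neutral, since whether they match depends on packet state, not on the subnet.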

Source: https://serverfault.com/questions/1064913