Routing part of the OpenVPN traffic through an IPSec tunnel on the server
I am trying to configure OpenVPN Access Server to route certain traffic through an IPSec tunnel that is established on the OpenVPN server itself. These are the addressing details:
- OpenVPN client IP range: 10.0.1.0/24
- OpenVPN server IP (where the clients connect to): x.x.x.x
- IPSec tunnel peer: y.y.y.y
- IPSec tunnel subnets: (x.x.x.x) 10.0.1.0/24 <--> 172.30.239.0/25 (y.y.y.y)
From an OpenVPN client, the expected behaviour is this:
curl 172.30.239.75
-> traffic goes from the client to the OpenVPN server, is routed through the IPSec tunnel and ends up in the 172.30.239.0/25 network
curl google.com
-> traffic goes from the client to the OpenVPN server and on to the public internet via its default gateway (not using the IPSec tunnel at all)
I thought this configuration would "just work" because the OpenVPN clients' IP addresses are assigned from the same subnet as the IPSec tunnel's local side, but sadly that is not the case.
I can reach the remote IPSec subnet directly from the OpenVPN server, e.g.
curl 172.30.239.75
, so the tunnel and some of the routing are working. But the same request from an OpenVPN client just times out (tcpdump shows the request arriving at the OpenVPN server, but it ends there). I have no idea what to try next. Can you help me? I am very new to this, so a detailed answer would be greatly appreciated! This question is related to this question I asked earlier, but that one did not have enough detail to actually implement it.
Below I have tried to collect the relevant configuration, but let me know if anything else important is missing.
I have not added any custom interfaces, routes or iptables rules. Everything I tried either had no effect or broke things, so the output below is from the OpenVPN and IPSec configuration alone.
Interfaces
$ ifconfig (truncated)
as0t0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
        inet 10.0.1.1 netmask 255.255.255.128 destination 10.0.1.1
as0t1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
        inet 10.0.1.129 netmask 255.255.255.128 destination 10.0.1.129
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet x.x.x.x netmask 255.255.252.0 broadcast x.x.x.x
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 10.1.7.177 netmask 255.255.252.0 broadcast 10.1.7.255
Routes
Below, [gw.gw.gw.gw] is the IP address of the default gateway of the eth0 iface.
$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    0      0        0 eth0
10.0.0.0        10.1.4.1        255.0.0.0       UG    0      0        0 eth1
10.0.1.0        0.0.0.0         255.255.255.128 U     0      0        0 as0t0
10.0.1.128      0.0.0.0         255.255.255.128 U     0      0        0 as0t1
10.1.4.0        0.0.0.0         255.255.252.0   U     0      0        0 eth1
169.254.169.254 10.1.4.1        255.255.255.255 UGH   0      0        0 eth1
x.x.x.0         0.0.0.0         255.255.252.0   U     0      0        0 eth0

$ ip route list table all
172.30.239.0/25 via [gw.gw.gw.gw] dev eth0 table 220 proto static src 10.0.1.1
default via [gw.gw.gw.gw] dev eth0
10.0.1.0/25 dev as0t0 proto kernel scope link src 10.0.1.1
10.0.1.128/25 dev as0t1 proto kernel scope link src 10.0.1.129
x.x.x.0/22 dev eth0 proto kernel scope link src x.x.x.x
broadcast 10.0.1.0 dev as0t0 table local proto kernel scope link src 10.0.1.1
local 10.0.1.1 dev as0t0 table local proto kernel scope host src 10.0.1.1
broadcast 10.0.1.127 dev as0t0 table local proto kernel scope link src 10.0.1.1
broadcast 10.0.1.128 dev as0t1 table local proto kernel scope link src 10.0.1.129
local 10.0.1.129 dev as0t1 table local proto kernel scope host src 10.0.1.129
broadcast 10.0.1.255 dev as0t1 table local proto kernel scope link src 10.0.1.129
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast x.x.x.0 dev eth0 table local proto kernel scope link src x.x.x.x
local x.x.x.x dev eth0 table local proto kernel scope host src x.x.x.x
broadcast 185.26.51.255 dev eth0 table local proto kernel scope link src x.x.x.x
iptables
$ iptables-save
# Generated by iptables-save v1.8.4 on Thu May 27 23:20:08 2021
*nat
:PREROUTING ACCEPT [655:63952]
:INPUT ACCEPT [82:5300]
:OUTPUT ACCEPT [72:5613]
:POSTROUTING ACCEPT [72:5613]
:AS0_NAT - [0:0]
:AS0_NAT_POST_REL_EST - [0:0]
:AS0_NAT_PRE - [0:0]
:AS0_NAT_PRE_REL_EST - [0:0]
:AS0_NAT_TEST - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_PRE_REL_EST
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_POST_REL_EST
-A POSTROUTING -m mark --mark 0x2000000/0x2000000 -j AS0_NAT_PRE
-A AS0_NAT -o eth0 -j SNAT --to-source x.x.x.x
-A AS0_NAT -o eth1 -j SNAT --to-source 10.1.7.177
-A AS0_NAT -j ACCEPT
-A AS0_NAT_POST_REL_EST -j ACCEPT
-A AS0_NAT_PRE -m mark --mark 0x8000000/0x8000000 -j AS0_NAT
-A AS0_NAT_PRE -d 169.254.0.0/16 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 192.168.0.0/16 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 172.16.0.0/12 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 10.0.0.0/8 -j AS0_NAT_TEST
-A AS0_NAT_PRE -j AS0_NAT
-A AS0_NAT_PRE_REL_EST -j ACCEPT
-A AS0_NAT_TEST -o as0t+ -j ACCEPT
-A AS0_NAT_TEST -m mark --mark 0x4000000/0x4000000 -j ACCEPT
-A AS0_NAT_TEST -d 10.0.1.0/24 -j ACCEPT
-A AS0_NAT_TEST -j AS0_NAT
COMMIT
# Completed on Thu May 27 23:20:08 2021
# Generated by iptables-save v1.8.4 on Thu May 27 23:20:08 2021
*mangle
:PREROUTING ACCEPT [48:3312]
:INPUT ACCEPT [19672:4609821]
:FORWARD ACCEPT [32480:9628950]
:OUTPUT ACCEPT [18602:11259270]
:POSTROUTING ACCEPT [51071:20887532]
:AS0_MANGLE_PRE_REL_EST - [0:0]
:AS0_MANGLE_TUN - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_MANGLE_PRE_REL_EST
-A PREROUTING -i as0t+ -j AS0_MANGLE_TUN
-A AS0_MANGLE_PRE_REL_EST -j ACCEPT
-A AS0_MANGLE_TUN -j MARK --set-xmark 0x2000000/0xffffffff
-A AS0_MANGLE_TUN -j ACCEPT
COMMIT
# Completed on Thu May 27 23:20:08 2021
# Generated by iptables-save v1.8.4 on Thu May 27 23:20:08 2021
*filter
:INPUT ACCEPT [12:660]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18526:11256230]
:AS0_ACCEPT - [0:0]
:AS0_IN - [0:0]
:AS0_IN_NAT - [0:0]
:AS0_IN_POST - [0:0]
:AS0_IN_PRE - [0:0]
:AS0_IN_ROUTE - [0:0]
:AS0_OUT - [0:0]
:AS0_OUT_LOCAL - [0:0]
:AS0_OUT_POST - [0:0]
:AS0_OUT_S2C - [0:0]
:AS0_WEBACCEPT - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A INPUT -i lo -j AS0_ACCEPT
-A INPUT -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j AS0_ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j AS0_ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_WEBACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 943 -j AS0_WEBACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A FORWARD -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A FORWARD -o as0t+ -j AS0_OUT_S2C
-A OUTPUT -o as0t+ -j AS0_OUT_LOCAL
-A AS0_ACCEPT -j ACCEPT
-A AS0_IN -d 10.0.1.1/32 -j ACCEPT
-A AS0_IN -j AS0_IN_POST
-A AS0_IN_NAT -j MARK --set-xmark 0x8000000/0x8000000
-A AS0_IN_NAT -j ACCEPT
-A AS0_IN_POST -d 10.0.1.0/24 -j ACCEPT
-A AS0_IN_POST -o as0t+ -j AS0_OUT
-A AS0_IN_POST -j DROP
-A AS0_IN_PRE -d 169.254.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 192.168.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 172.16.0.0/12 -j AS0_IN
-A AS0_IN_PRE -d 10.0.0.0/8 -j AS0_IN
-A AS0_IN_PRE -j ACCEPT
-A AS0_IN_ROUTE -j MARK --set-xmark 0x4000000/0x4000000
-A AS0_IN_ROUTE -j ACCEPT
-A AS0_OUT -j AS0_OUT_POST
-A AS0_OUT_LOCAL -p icmp -m icmp --icmp-type 5 -j DROP
-A AS0_OUT_LOCAL -j ACCEPT
-A AS0_OUT_POST -j DROP
-A AS0_OUT_S2C -s 10.0.1.0/24 -j ACCEPT
-A AS0_OUT_S2C -j AS0_OUT
-A AS0_WEBACCEPT -j ACCEPT
COMMIT
# Completed on Thu May 27 23:20:08 2021
I also tried not letting the OpenVPN client subnet and the IPSec tunnel subnet overlap, but in that case I could not find a way to set up the routing either. That setup is definitely an option though, and it would be even better if it worked that way.
The final solution was very simple and could be done entirely through the OpenVPN AS Web UI.
All I had to do was:
- Go to VPN Settings > Routing
- Set "Should VPN clients have access to private subnets (non-public networks on the server side)?" to "Yes, using routing"
- Fill in the remote IPSec tunnel subnet (172.30.239.0/25). This is important. I had previously been filling in the tunnel's local subnet (10.0.1.0/24), which is incorrect.
After that, OpenVPN AS generated the following iptables rules (only the ones relevant to the subnet are shown):
*nat
-A AS0_NAT_TEST -d 172.30.239.0/25 -j ACCEPT
*filter
-A AS0_IN_POST -d 172.30.239.0/25 -j ACCEPT
-A AS0_OUT_S2C -s 172.30.239.0/25 -j ACCEPT
and everything works.
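As an added example (not code from the question, the answer or OpenVPN AS itself), the script below checks an iptables-save dump for the three AS0 rules the answer lists for a given remote subnet, and flags the mistake described in the answer, entering the VPN client range instead of the remote IPSec subnet. In the dump from the question, forwarded client traffic to a 172.16.0.0/12 destination enters AS0_IN_POST, which accepts only 10.0.1.0/24 and then drops, so the AS0_IN_POST check is the one that matters for the timeout. It assumes OpenVPN AS emits the rules exactly in the form shown on this page; the dump embedded below is constructed sample data.

```shell
#!/bin/sh
# Constructed iptables-save excerpt (sample data, not captured from a live server),
# modelled on the AS0_* chains shown on this page after the fix was applied.
SAMPLE_DUMP='*nat
-A AS0_NAT_TEST -o as0t+ -j ACCEPT
-A AS0_NAT_TEST -d 10.0.1.0/24 -j ACCEPT
-A AS0_NAT_TEST -d 172.30.239.0/25 -j ACCEPT
-A AS0_NAT_TEST -j AS0_NAT
COMMIT
*filter
-A AS0_IN_POST -d 10.0.1.0/24 -j ACCEPT
-A AS0_IN_POST -d 172.30.239.0/25 -j ACCEPT
-A AS0_IN_POST -o as0t+ -j AS0_OUT
-A AS0_IN_POST -j DROP
-A AS0_OUT_S2C -s 10.0.1.0/24 -j ACCEPT
-A AS0_OUT_S2C -s 172.30.239.0/25 -j ACCEPT
-A AS0_OUT_S2C -j AS0_OUT
COMMIT'

# has_rule DUMP CHAIN MATCH: succeeds if DUMP contains the exact line "-A CHAIN MATCH -j ACCEPT".
has_rule() {
    printf '%s\n' "$1" | grep -qxF -e "-A $2 $3 -j ACCEPT"
}

# check_private_subnet DUMP SUBNET CLIENT_RANGE: verifies that the three private-subnet
# rules exist for SUBNET and that SUBNET is not the VPN client range itself.
# Prints each problem found and returns non-zero if there was any.
check_private_subnet() {
    dump=$1; subnet=$2; clients=$3; rc=0
    if [ "$subnet" = "$clients" ]; then
        echo "$subnet is the VPN client range, not the remote IPSec subnet"
        rc=1
    fi
    has_rule "$dump" AS0_NAT_TEST "-d $subnet" \
        || { echo "missing nat rule: AS0_NAT_TEST -d $subnet (traffic falls through to AS0_NAT and is SNATed)"; rc=1; }
    has_rule "$dump" AS0_IN_POST "-d $subnet" \
        || { echo "missing filter rule: AS0_IN_POST -d $subnet (forwarded client traffic hits the final DROP)"; rc=1; }
    has_rule "$dump" AS0_OUT_S2C "-s $subnet" \
        || { echo "missing filter rule: AS0_OUT_S2C -s $subnet (new connections from the subnet to clients are dropped)"; rc=1; }
    return $rc
}

# Run against the constructed dump; on a real server pass "$(iptables-save)" as the first argument.
check_private_subnet "$SAMPLE_DUMP" 172.30.239.0/25 10.0.1.0/24 && echo "172.30.239.0/25: all rules present"
```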