What configuration problem is preventing Samba network shares from being visible over the VPN?
I set up a VPN using L2TP and IPsec (with LibreSwan) using this script: https://github.com/hwdsl2/setup-ipsec-vpn

The only change I had to make was to replace the instances of "eth0" with Ubuntu's new device-naming format. My devices are enp0s31f6 (primary) and enp3s0 (secondary, unused).

Initially I had firewall problems and couldn't connect to the VPN at all, and the SMB shares were indeed not visible. I have basically turned the firewall off temporarily for debugging.

I have tried extending and changing the hosts and interfaces in smb.conf, and I had to change some of the rules it added to iptables to use enp0s31f6 instead of eth0. I can connect to the VPN from home or anywhere else, but I can never connect to the shares on the VPN server.

If I browse to `\\192.168.42.10` from my Windows 7 machine while on the VPN, it shows my shares. Going to any other IP either does nothing or immediately says it cannot be reached.

The server with the VPN and the SMB shares is running Ubuntu Server 15.10. The clients are Windows 7, 8 and 10, and OS X El Capitan.

The server's LAN IP address is 192.168.1.93. My LAN IP (when connected to the VPN) is 192.168.42.10.

From my samba logs I cannot see my computer attempting to connect, which makes me think SAMBA cannot be reached from the VPN connection?
Here is the output of iptables.rules:

```
# Added by hwdsl2 VPN script
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
# -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp --dport 1701 -j DROP
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i enp0s31f6 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o enp0s31f6 -j ACCEPT
# If you wish to allow traffic between VPN clients themselves, uncomment this line:
-A FORWARD -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
#-A FORWARD -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.42.0/24 -o enp0s31f6 -j SNAT --to-source "192.168.1.93"
COMMIT
```
Output of smb.conf (relevant parts):

```
[global]
server role = standalone server
server string = %h server (Samba, Ubuntu)
passwd program = /usr/bin/passwd %u
path = /home/kmdgserver/share
log file = /var/log/samba/log.%m
pam password change = yes
dns proxy = no
hosts allow = 10.0.0.0/255.255.254.0 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 192.168.42.0/24 192.168.1. 192.168.
map to guest = bad user
comment = KMDG Server Share
max log size = 1000
syslog = 0
unix password sync = yes
usershare allow guests = yes
passdb backend = tdbsam
obey pam restrictions = yes
workgroup = WORKGROUP
panic action = /usr/share/samba/panic-action %d
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
interfaces = enp0s31f6 enp3s0 10.8.0.0/24 127.0.0.0/8

[KMDG Server]
writeable = yes
valid users = kmdgserver,@kmdgserver
force user = kmdgserver
force group = kmdgserver
write list = kmdgserver,@kmdgserver
user = kmdgserver,@kmdgserver
```
And the output of ipsec.conf:

```
version 2.0

config setup
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
  #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10
  protostack=netkey
  nhelpers=0
  interfaces=%defaultroute

conn vpnpsk
  auto=add
  #left=[public facing IP]
  left=192.168.1.93
  #leftid=192.168.1.93
  leftid=[public facing IP]
  leftsubnet=192.168.1.93/32
  #leftsubnet=192.168.1.0/24
  leftnexthop=%defaultroute
  leftprotoport=17/1701
  rightprotoport=17/%any
  right=%any
  rightsubnet=192.168.1.0/24
  #rightsubnetwithin=0.0.0.0/0
  forceencaps=yes
  authby=secret
  pfs=no
  type=transport
  auth=esp
  ike=3des-sha1,aes-sha1
  phase2alg=3des-sha1,aes-sha1
  rekey=no
  keyingtries=5
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
```
And the output of xl2tpd.conf:

```
[global]
port = 1701

[lns default]
ip range = 192.168.42.10-192.168.42.250
local ip = 192.168.1.93
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tpd
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
```
And sysctl.conf:

```
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#

# Added by hwdsl2 VPN script
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.enp0s31f6.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.enp0s31f6.rp_filter = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.core.wmem_max = 12582912
net.core.rmem_max = 12582912
net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912
```
Here is the output of ifconfig on the VPN/SMB server while I am connected to the VPN from another computer at a remote location:

```
kmdgserver@jupiter:~$ ifconfig
enp0s31f6 Link encap:Ethernet  HWaddr 40:8d:5c:b9:1d:da
          inet addr:192.168.1.93  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::428d:5cff:feb9:1dda/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:683992926 errors:0 dropped:1 overruns:0 frame:0
          TX packets:180842795 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:941095568867 (941.0 GB)  TX bytes:19465551430 (19.4 GB)
          Interrupt:16 Memory:df200000-df220000

enp3s0    Link encap:Ethernet  HWaddr 40:8d:5c:b9:1d:d8
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Memory:df100000-df11ffff

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1551082 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1551082 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:699248341 (699.2 MB)  TX bytes:699248341 (699.2 MB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:192.168.1.93  P-t-P:192.168.42.10  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1280  Metric:1
          RX packets:124 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:18788 (18.7 KB)  TX bytes:86 (86.0 B)
```
Syslog output from the most recent attempt:

```
May 13 14:27:31 jupiter xl2tpd[21396]: Connection established to [MY HOME IP], 1701. Local: 18878, Remote: 1 (ref=0/0). LNS session is 'default'
May 13 14:27:31 jupiter xl2tpd[21396]: start_pppd: I'm running:
May 13 14:27:31 jupiter xl2tpd[21396]: "/usr/sbin/pppd"
May 13 14:27:31 jupiter xl2tpd[21396]: "passive"
May 13 14:27:31 jupiter xl2tpd[21396]: "nodetach"
May 13 14:27:31 jupiter xl2tpd[21396]: "192.168.1.93:192.168.42.10"
May 13 14:27:31 jupiter xl2tpd[21396]: "refuse-pap"
May 13 14:27:31 jupiter xl2tpd[21396]: "auth"
May 13 14:27:31 jupiter xl2tpd[21396]: "require-chap"
May 13 14:27:31 jupiter xl2tpd[21396]: "name"
May 13 14:27:31 jupiter xl2tpd[21396]: "l2tpd"
May 13 14:27:31 jupiter xl2tpd[21396]: "file"
May 13 14:27:31 jupiter xl2tpd[21396]: "/etc/ppp/options.xl2tpd"
May 13 14:27:31 jupiter xl2tpd[21396]: "/dev/pts/15"
May 13 14:27:31 jupiter xl2tpd[21396]: Call established with [MY HOME IP], Local: 11552, Remote: 1, Serial: 0
May 13 14:27:32 jupiter pppd[31490]: pppd 2.4.6 started by root, uid 0
May 13 14:27:32 jupiter pppd[31490]: Using interface ppp0
May 13 14:27:32 jupiter pppd[31490]: Connect: ppp0 <--> /dev/pts/15
May 13 14:27:32 jupiter NetworkManager[749]: nm_device_get_device_type: assertion 'NM_IS_DEVICE (self)' failed
May 13 14:27:32 jupiter NetworkManager[749]: <info> (ppp0): new Generic device (carrier: UNKNOWN, driver: 'unknown', ifindex: 12)
May 13 14:27:32 jupiter NetworkManager[749]: <info> devices added (path: /sys/devices/virtual/net/ppp0, iface: ppp0)
May 13 14:27:32 jupiter NetworkManager[749]: <info> device added (path: /sys/devices/virtual/net/ppp0, iface: ppp0): no ifupdown configuration found.
May 13 14:27:35 jupiter pppd[31490]: user kmdgserver logged in on tty pts/15 intf ppp0
May 13 14:27:35 jupiter systemd[1]: Started Session c20 of user kmdgserver.
May 13 14:27:36 jupiter pppd[31490]: local IP address 192.168.1.93
May 13 14:27:36 jupiter pppd[31490]: remote IP address 192.168.42.10
May 13 14:27:36 jupiter NetworkManager[749]: <info> keyfile: add connection in-memory ([SERVER KEY],"ppp0")
May 13 14:27:37 jupiter NetworkManager[749]: <info> (ppp0): device state change: unmanaged -> unavailable (reason 'connection-assumed') [10 20 41]
May 13 14:27:37 jupiter NetworkManager[749]: <info> (ppp0): device state change: unavailable -> disconnected (reason 'connection-assumed') [20 30 41]
May 13 14:27:37 jupiter NetworkManager[749]: <info> Device 'ppp0' has no connection; scheduling activate_check in 0 seconds.
May 13 14:27:37 jupiter NetworkManager[749]: <info> (ppp0): Activation: starting connection 'ppp0' ([SERVER KEY])
May 13 14:27:37 jupiter NetworkManager[749]: <info> (ppp0): device state change: disconnected -> prepare (reason 'none') [30 40 0]
May 13 14:27:37 jupiter NetworkManager[749]: <info> (ppp0): device state change: prepare -> config (reason 'none') [40 50 0]
May 13 14:27:37 jupiter NetworkManager[749]: <info> (ppp0): device state change: config -> ip-config (reason 'none') [50 70 0]
May 13 14:27:37 jupiter NetworkManager[749]: <info> (ppp0): device state change: ip-config -> ip-check (reason 'none') [70 80 0]
May 13 14:27:37 jupiter NetworkManager[749]: <info> (ppp0): device state change: ip-check -> secondaries (reason 'none') [80 90 0]
May 13 14:27:37 jupiter NetworkManager[749]: <info> (ppp0): device state change: secondaries -> activated (reason 'none') [90 100 0]
May 13 14:27:39 jupiter NetworkManager[749]: <info> (ppp0): Activation: successful, device activated.
May 13 14:27:39 jupiter dbus[759]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
May 13 14:27:39 jupiter systemd[1]: Starting Network Manager Script Dispatcher Service...
May 13 14:27:39 jupiter dbus[759]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
May 13 14:27:39 jupiter systemd[1]: Started Network Manager Script Dispatcher Service.
May 13 14:27:39 jupiter nm-dispatcher: Dispatching action 'up' for ppp0
May 13 14:31:34 jupiter org.gnome.zeitgeist.SimpleIndexer[2238]: ** (zeitgeist-fts:3028): WARNING **: Unable to get info on application://nautilus-autostart.desktop
May 13 14:35:40 jupiter org.gnome.zeitgeist.SimpleIndexer[2238]: ** (zeitgeist-fts:3028): WARNING **: Unable to get info on application://nautilus-autostart.desktop
```
And auth.log from the most recent attempt:

```
May 13 14:27:30 jupiter pluto[22203]: "vpnpsk"[3] [MY HOME IP] #3: responding to Main Mode from unknown peer [MY HOME IP]
May 13 14:27:30 jupiter pluto[22203]: "vpnpsk"[3] [MY HOME IP] #3: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[3] [MY HOME IP] #3: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[3] [MY HOME IP] #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[3] [MY HOME IP] #3: STATE_MAIN_R1: sent MR1, expecting MI2
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[3] [MY HOME IP] #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[3] [MY HOME IP] #3: STATE_MAIN_R2: sent MR2, expecting MI3
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[3] [MY HOME IP] #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.2'
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[3] [MY HOME IP] #3: switched from "vpnpsk"[3] [MY HOME IP] to "vpnpsk"
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #3: deleting connection "vpnpsk" instance with peer [MY HOME IP] {isakmp=#0/ipsec=#0}
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #3: new NAT mapping for #3, was [MY HOME IP]:500, now [MY HOME IP]:4500
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #3: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #3: the peer proposed: [SERVER IP]/32:17/1701 -> 192.168.0.2/32:17/0
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #3: NAT-Traversal: received 2 NAT-OA. Using first, ignoring others
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #4: responding to Quick Mode proposal {msgid:01000000}
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #4: us: 192.168.1.93/32===192.168.1.93<192.168.1.93>[[SERVER IP]]:17/1701
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #4: them: [MY HOME IP][192.168.0.2]:17/1701===192.168.1.0/24
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0x3b5b2c52 <0xde6e289d xfrm=AES_128-HMAC_SHA1 NATOA=192.168.0.2 NATD=[MY HOME IP]:4500 DPD=active}
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #4: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x3b5b2c52 <0xde6e289d xfrm=AES_128-HMAC_SHA1 NATOA=192.168.0.2 NATD=[MY HOME IP]:4500 DPD=active}
May 13 14:27:33 jupiter pppd[31490]: pam_unix(ppp:session): session opened for user kmdgserver by (uid=0)
May 13 14:27:35 jupiter systemd-logind[753]: New session c20 of user kmdgserver.
May 13 14:29:15 jupiter smbd: pam_unix(samba:session): session opened for user kmdgserver by (uid=0)
May 13 14:30:15 jupiter smbd: pam_unix(samba:session): session closed for user kmdgserver
May 13 14:30:41 jupiter smbd: pam_unix(samba:session): session opened for user kmdgserver by (uid=0)
May 13 14:31:41 jupiter smbd: pam_unix(samba:session): session closed for user kmdgserver
```
Author of the IPsec VPN script here. To fix this issue, make the following changes:

In `/etc/ipsec.conf`, remove this line:

```
rightsubnet=192.168.1.0/24
```

and uncomment this line:

```
#rightsubnetwithin=0.0.0.0/0
```

In `/etc/xl2tpd/xl2tpd.conf`, replace this line:

```
local ip = 192.168.1.93
```

with the following:

```
local ip = 192.168.42.1
```

Now restart the services:

```
service ipsec restart
service xl2tpd restart
```

Reconnect the VPN. Then access your SMB shares using this IP:

```
\\192.168.42.1
```

Note: this is the IP address of the server itself when connected to the VPN.

Let me know if this works!
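The following is an added example and not part of the answer above or of the hwdsl2 script: a POSIX shell script that applies the two edits the answer prescribes (drop `rightsubnet=192.168.1.0/24` and uncomment `rightsubnetwithin=0.0.0.0/0` in ipsec.conf; change `local ip` to 192.168.42.1 in xl2tpd.conf) to copies of the files, then verifies the result before anything is restarted. The file contents in `demo` are constructed excerpts modelled on the question's configs, and the `vpn_local_ip_ok` check (that the server-side address sits in the VPN subnet but outside the client pool) is my own sanity check, not something the answer states.

```shell
#!/bin/sh
# Added example (not the VPN script's own code): apply the answer's config edits
# to copies of ipsec.conf / xl2tpd.conf and verify them before restarting services.
set -eu

# Delete "rightsubnet=192.168.1.0/24" and uncomment "rightsubnetwithin=0.0.0.0/0".
# Output goes to a temp file and is renamed, so it works with any POSIX sed.
apply_ipsec_fix() {
  f=$1
  sed -e '/^[[:space:]]*rightsubnet=192\.168\.1\.0\/24[[:space:]]*$/d' \
      -e 's/^\([[:space:]]*\)#[[:space:]]*rightsubnetwithin=0\.0\.0\.0\/0/\1rightsubnetwithin=0.0.0.0\/0/' \
      "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Replace the LAN address in "local ip" with the VPN-side address from the answer.
apply_xl2tpd_fix() {
  f=$1
  sed -e 's/^[[:space:]]*local ip = 192\.168\.1\.93[[:space:]]*$/local ip = 192.168.42.1/' \
      "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Returns 0 only when both files carry the corrected settings.
check_configs() {
  ipsec=$1 xl2tpd=$2
  if grep -q '^[[:space:]]*rightsubnet=' "$ipsec"; then return 1; fi
  grep -q '^[[:space:]]*rightsubnetwithin=0\.0\.0\.0/0[[:space:]]*$' "$ipsec" || return 1
  grep -q '^[[:space:]]*local ip = 192\.168\.42\.1[[:space:]]*$' "$xl2tpd" || return 1
  return 0
}

# My own sanity check (assumption, not from the answer): "local ip" must share the
# /24 of the client pool ("ip range") but must not fall inside the pool itself,
# otherwise a client could be handed the server's own address.
vpn_local_ip_ok() {
  xl2tpd=$1
  local_ip=$(sed -n 's/^[[:space:]]*local ip = \([0-9.]*\).*/\1/p' "$xl2tpd")
  range=$(sed -n 's/^[[:space:]]*ip range = \([0-9.-]*\).*/\1/p' "$xl2tpd")
  lo=${range%-*}; hi=${range#*-}
  [ "${local_ip%.*}" = "${lo%.*}" ] || return 1        # not in the VPN /24
  l=${local_ip##*.}; a=${lo##*.}; b=${hi##*.}
  [ "$l" -lt "$a" ] || [ "$l" -gt "$b" ]              # outside [lo, hi]
}

# Constructed sample files (excerpts modelled on the question, not the real ones).
demo() {
  d=$(mktemp -d)
  cat > "$d/ipsec.conf" <<'EOF'
conn vpnpsk
  auto=add
  left=192.168.1.93
  leftsubnet=192.168.1.93/32
  leftprotoport=17/1701
  rightprotoport=17/%any
  right=%any
  rightsubnet=192.168.1.0/24
  #rightsubnetwithin=0.0.0.0/0
  forceencaps=yes
  type=transport
EOF
  cat > "$d/xl2tpd.conf" <<'EOF'
[global]
port = 1701

[lns default]
ip range = 192.168.42.10-192.168.42.250
local ip = 192.168.1.93
require chap = yes
EOF
  # The unmodified files must fail the check, or the script would be a no-op.
  check_configs "$d/ipsec.conf" "$d/xl2tpd.conf" && { rm -rf "$d"; return 1; }
  apply_ipsec_fix "$d/ipsec.conf"
  apply_xl2tpd_fix "$d/xl2tpd.conf"
  if check_configs "$d/ipsec.conf" "$d/xl2tpd.conf" && vpn_local_ip_ok "$d/xl2tpd.conf"; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$d"
  return $rc
}

demo && echo "edits applied and verified; next: service ipsec restart; service xl2tpd restart"
```

To use it against the real files, point `apply_ipsec_fix` at `/etc/ipsec.conf` and `apply_xl2tpd_fix` at `/etc/xl2tpd/xl2tpd.conf` as root, run `check_configs` on both, and only then restart ipsec and xl2tpd as the answer says.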