Ubuntu

什麼配置問題阻止 Samba 網路共享通過 VPN 可見?

  • June 23, 2016

我使用以下腳本使用 L2TP 和 IPSEC(使用 LibreSwan)設置了一個 VPN:https ://github.com/hwdsl2/setup-ipsec-vpn

我必須做的唯一更改是將“eth0”的實例更改為 Ubuntu 設備命名的新格式。我的設備是 enp0s31f6(主要)和 enp3s0(次要,未使用)。

最初我遇到了防火牆問題,根本無法連接到 VPN,實際上 SMB 共享不可見。我基本上暫時關閉了防火牆進行調試。

我已經嘗試擴展和更改 SMB.conf 中的主機和介面,並且我不得不使用它添加到 iptables 的一些規則來使用 enp0s31f6 而不是 eth0。我可以從家里或其他任何地方連接到 VPN,但我永遠無法連接到 VPN 伺服器上的共享。

如果我在使用 VPN 時從我的 Windows 7 機器導航到 \192.168.42.10,它會顯示我的共享。轉到任何其他 IP 都不會做任何事情,或者立即說它無法訪問。

具有 VPN 和 SMB 共享的伺服器正在執行 Ubuntu Server 15.10。客戶端是 Windows 7、8 和 10,以及 OSX El Capitan。

伺服器的 LAN IP 地址是:192.168.1.93 我的 LAN IP(連接到 VPN 時)是:192.168.42.10

從我的 samba 日誌中,我看不到我的電腦嘗試連接,這讓我認為無法從 VPN 連接訪問 SAMBA?

這是 iptables.rules 的輸出:

# Added by hwdsl2 VPN script
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT#
-A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp --dport 1701 -j DROP
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i enp0s31f6 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o enp0s31f6 -j ACCEPT
# If you wish to allow traffic between VPN clients themselves, uncomment this line:
-A FORWARD -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
#-A FORWARD -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.42.0/24 -o enp0s31f6 -j SNAT --to-source "192.168.1.93"
COMMIT

smb.conf 的輸出(相關部分):

[global]
   server role = standalone server
   server string = %h server (Samba, Ubuntu)
   passwd program = /usr/bin/passwd %u
   path = /home/kmdgserver/share
   log file = /var/log/samba/log.%m
   pam password change = yes
   dns proxy = no
   hosts allow = 10.0.0.0/255.255.254.0 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 192.168.42.0/24 192.168.1. 192.168.
   map to guest = bad user
   comment = KMDG Server Share
   max log size = 1000
   syslog = 0
   unix password sync = yes
   usershare allow guests = yes
   passdb backend = tdbsam
   obey pam restrictions = yes
   workgroup = WORKGROUP
   panic action = /usr/share/samba/panic-action %d
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

interfaces = enp0s31f6 enp3s0 10.8.0.0/24 127.0.0.0/8

[KMDG Server]
   writeable = yes
   valid users = kmdgserver,@kmdgserver
   force user = kmdgserver
   force group = kmdgserver
   write list = kmdgserver,@kmdgserver
   user = kmdgserver,@kmdgserver

以及 ipsec.conf 的輸出:

version 2.0

config setup
 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
 #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10
 protostack=netkey
 nhelpers=0
 interfaces=%defaultroute

conn vpnpsk
 auto=add
 #left=[public facing IP]
 left=192.168.1.93
 #leftid=192.168.1.93
 leftid=[public facing IP]
 leftsubnet=192.168.1.93/32
 #leftsubnet=192.168.1.0/24
 leftnexthop=%defaultroute
 leftprotoport=17/1701
 rightprotoport=17/%any
 right=%any
 rightsubnet=192.168.1.0/24
 #rightsubnetwithin=0.0.0.0/0
 forceencaps=yes
 authby=secret
 pfs=no
 type=transport
 auth=esp
 ike=3des-sha1,aes-sha1
 phase2alg=3des-sha1,aes-sha1
 rekey=no
 keyingtries=5
 dpddelay=30
 dpdtimeout=120
 dpdaction=clear

以及 xl2tpd.conf 的輸出:

[global]
port = 1701

[lns default]
ip range = 192.168.42.10-192.168.42.250
local ip = 192.168.1.93
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tpd
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

和 sysctl.conf:

# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#

# Added by hwdsl2 VPN script
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.enp0s31f6.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.enp0s31f6.rp_filter = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

net.core.wmem_max = 12582912
net.core.rmem_max = 12582912
net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912

這是我從遠端位置的另一台電腦連接到 VPN 時 VPN/SMB 伺服器上 ifconfig 的輸出:

kmdgserver@jupiter:~$ ifconfig
enp0s31f6 Link encap:Ethernet  HWaddr 40:8d:5c:b9:1d:da  
         inet addr:192.168.1.93  Bcast:192.168.1.255  Mask:255.255.255.0
         inet6 addr: fe80::428d:5cff:feb9:1dda/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:683992926 errors:0 dropped:1 overruns:0 frame:0
         TX packets:180842795 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000 
         RX bytes:941095568867 (941.0 GB)  TX bytes:19465551430 (19.4 GB)
         Interrupt:16 Memory:df200000-df220000 

enp3s0    Link encap:Ethernet  HWaddr 40:8d:5c:b9:1d:d8  
         UP BROADCAST MULTICAST  MTU:1500  Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000 
         RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
         Memory:df100000-df11ffff 

lo        Link encap:Local Loopback  
         inet addr:127.0.0.1  Mask:255.0.0.0
         inet6 addr: ::1/128 Scope:Host
         UP LOOPBACK RUNNING  MTU:65536  Metric:1
         RX packets:1551082 errors:0 dropped:0 overruns:0 frame:0
         TX packets:1551082 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0 
         RX bytes:699248341 (699.2 MB)  TX bytes:699248341 (699.2 MB)

ppp0      Link encap:Point-to-Point Protocol  
         inet addr:192.168.1.93  P-t-P:192.168.42.10  Mask:255.255.255.255
         UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1280  Metric:1
         RX packets:124 errors:0 dropped:0 overruns:0 frame:0
         TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:3 
         RX bytes:18788 (18.7 KB)  TX bytes:86 (86.0 B)

最近嘗試的 syslog 輸出:

May 13 14:27:31 jupiter xl2tpd[21396]: Connection established to [MY HOME IP], 1701.  Local: 18878, Remote: 1 (ref=0/0).  LNS session is 'default'
May 13 14:27:31 jupiter xl2tpd[21396]: start_pppd: I'm running:
May 13 14:27:31 jupiter xl2tpd[21396]: "/usr/sbin/pppd"
May 13 14:27:31 jupiter xl2tpd[21396]: "passive"
May 13 14:27:31 jupiter xl2tpd[21396]: "nodetach"
May 13 14:27:31 jupiter xl2tpd[21396]: "192.168.1.93:192.168.42.10"
May 13 14:27:31 jupiter xl2tpd[21396]: "refuse-pap"
May 13 14:27:31 jupiter xl2tpd[21396]: "auth"
May 13 14:27:31 jupiter xl2tpd[21396]: "require-chap"
May 13 14:27:31 jupiter xl2tpd[21396]: "name"
May 13 14:27:31 jupiter xl2tpd[21396]: "l2tpd"
May 13 14:27:31 jupiter xl2tpd[21396]: "file"
May 13 14:27:31 jupiter xl2tpd[21396]: "/etc/ppp/options.xl2tpd"
May 13 14:27:31 jupiter xl2tpd[21396]: "/dev/pts/15"
May 13 14:27:31 jupiter xl2tpd[21396]: Call established with [MY HOME IP], Local: 11552, Remote: 1, Serial: 0
May 13 14:27:32 jupiter pppd[31490]: pppd 2.4.6 started by root, uid 0
May 13 14:27:32 jupiter pppd[31490]: Using interface ppp0
May 13 14:27:32 jupiter pppd[31490]: Connect: ppp0 <--> /dev/pts/15
May 13 14:27:32 jupiter NetworkManager[749]: nm_device_get_device_type: assertion 'NM_IS_DEVICE (self)' failed
May 13 14:27:32 jupiter NetworkManager[749]: <info>  (ppp0): new Generic device (carrier: UNKNOWN, driver: 'unknown', ifindex: 12)
May 13 14:27:32 jupiter NetworkManager[749]: <info>  devices added (path: /sys/devices/virtual/net/ppp0, iface: ppp0)
May 13 14:27:32 jupiter NetworkManager[749]: <info>  device added (path: /sys/devices/virtual/net/ppp0, iface: ppp0): no ifupdown configuration found.
May 13 14:27:35 jupiter pppd[31490]: user kmdgserver logged in on tty pts/15 intf ppp0
May 13 14:27:35 jupiter systemd[1]: Started Session c20 of user kmdgserver.
May 13 14:27:36 jupiter pppd[31490]: local  IP address 192.168.1.93
May 13 14:27:36 jupiter pppd[31490]: remote IP address 192.168.42.10
May 13 14:27:36 jupiter NetworkManager[749]: <info>  keyfile: add connection in-memory ([SERVER KEY],"ppp0")
May 13 14:27:37 jupiter NetworkManager[749]: <info>  (ppp0): device state change: unmanaged -> unavailable (reason 'connection-assumed') [10 20 41]
May 13 14:27:37 jupiter NetworkManager[749]: <info>  (ppp0): device state change: unavailable -> disconnected (reason 'connection-assumed') [20 30 41]
May 13 14:27:37 jupiter NetworkManager[749]: <info>  Device 'ppp0' has no connection; scheduling activate_check in 0 seconds.
May 13 14:27:37 jupiter NetworkManager[749]: <info>  (ppp0): Activation: starting connection 'ppp0' ([SERVER KEY])
May 13 14:27:37 jupiter NetworkManager[749]: <info>  (ppp0): device state change: disconnected -> prepare (reason 'none') [30 40 0]
May 13 14:27:37 jupiter NetworkManager[749]: <info>  (ppp0): device state change: prepare -> config (reason 'none') [40 50 0]
May 13 14:27:37 jupiter NetworkManager[749]: <info>  (ppp0): device state change: config -> ip-config (reason 'none') [50 70 0]
May 13 14:27:37 jupiter NetworkManager[749]: <info>  (ppp0): device state change: ip-config -> ip-check (reason 'none') [70 80 0]
May 13 14:27:37 jupiter NetworkManager[749]: <info>  (ppp0): device state change: ip-check -> secondaries (reason 'none') [80 90 0]
May 13 14:27:37 jupiter NetworkManager[749]: <info>  (ppp0): device state change: secondaries -> activated (reason 'none') [90 100 0]
May 13 14:27:39 jupiter NetworkManager[749]: <info>  (ppp0): Activation: successful, device activated.
May 13 14:27:39 jupiter dbus[759]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
May 13 14:27:39 jupiter systemd[1]: Starting Network Manager Script Dispatcher Service...
May 13 14:27:39 jupiter dbus[759]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
May 13 14:27:39 jupiter systemd[1]: Started Network Manager Script Dispatcher Service.
May 13 14:27:39 jupiter nm-dispatcher: Dispatching action 'up' for ppp0
May 13 14:31:34 jupiter org.gnome.zeitgeist.SimpleIndexer[2238]: ** (zeitgeist-fts:3028): WARNING **: Unable to get info on application://nautilus-autostart.desktop
May 13 14:35:40 jupiter org.gnome.zeitgeist.SimpleIndexer[2238]: ** (zeitgeist-fts:3028): WARNING **: Unable to get info on application://nautilus-autostart.desktop

以及最近嘗試的 auth.log:

May 13 14:27:30 jupiter pluto[22203]: "vpnpsk"[3] [MY HOME IP] #3: responding to Main Mode from unknown peer [MY HOME IP]
May 13 14:27:30 jupiter pluto[22203]: "vpnpsk"[3] [MY HOME IP] #3: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[3] [MY HOME IP] #3: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[3] [MY HOME IP] #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[3] [MY HOME IP] #3: STATE_MAIN_R1: sent MR1, expecting MI2
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[3] [MY HOME IP] #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[3] [MY HOME IP] #3: STATE_MAIN_R2: sent MR2, expecting MI3
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[3] [MY HOME IP] #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.2'
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[3] [MY HOME IP] #3: switched from "vpnpsk"[3] [MY HOME IP] to "vpnpsk"
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #3: deleting connection "vpnpsk" instance with peer [MY HOME IP] {isakmp=#0/ipsec=#0}
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #3: new NAT mapping for #3, was [MY HOME IP]:500, now [MY HOME IP]:4500
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #3: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #3: the peer proposed: [SERVER IP]/32:17/1701 -> 192.168.0.2/32:17/0
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #3: NAT-Traversal: received 2 NAT-OA. Using first, ignoring others
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #4: responding to Quick Mode proposal {msgid:01000000}
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #4:     us: 192.168.1.93/32===192.168.1.93<192.168.1.93>[[SERVER IP]]:17/1701
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #4:   them: [MY HOME IP][192.168.0.2]:17/1701===192.168.1.0/24
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0x3b5b2c52 <0xde6e289d xfrm=AES_128-HMAC_SHA1 NATOA=192.168.0.2 NATD=[MY HOME IP]:4500 DPD=active}
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #4: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x3b5b2c52 <0xde6e289d xfrm=AES_128-HMAC_SHA1 NATOA=192.168.0.2 NATD=[MY HOME IP]:4500 DPD=active}
May 13 14:27:33 jupiter pppd[31490]: pam_unix(ppp:session): session opened for user kmdgserver by (uid=0)
May 13 14:27:35 jupiter systemd-logind[753]: New session c20 of user kmdgserver.
May 13 14:29:15 jupiter smbd: pam_unix(samba:session): session opened for user kmdgserver by (uid=0)
May 13 14:30:15 jupiter smbd: pam_unix(samba:session): session closed for user kmdgserver
May 13 14:30:41 jupiter smbd: pam_unix(samba:session): session opened for user kmdgserver by (uid=0)
May 13 14:31:41 jupiter smbd: pam_unix(samba:session): session closed for user kmdgserver

IPsec VPN 腳本的作者在這裡。為了解決此問題,請進行以下更改:

/etc/ipsec.conf中,刪除此行:

rightsubnet=192.168.1.0/24

並取消註釋這一行:

#rightsubnetwithin=0.0.0.0/0

/etc/xl2tpd/xl2tpd.conf中,替換這一行:

local ip = 192.168.1.93

具有以下內容:

local ip = 192.168.42.1

現在重啟服務:

service ipsec restart
service xl2tpd restart

重新連接 VPN。然後使用此 IP 訪問您的 SMB 共享:

\\192.168.42.1

注意:這是連接到 VPN 時伺服器本身的 IP 地址。

讓我知道這個是否奏效!

引用自:https://serverfault.com/questions/776668