Vpn

Accessing the OpenVPN client subnet

  • February 7, 2020

I have been struggling to reach the VPN client's subnet from the VPN server. Both the server and the client run on Linux machines with OpenVPN. The tunnel is established correctly. The firewalls on the server and the client are disabled.

------------------    --------     -----------------------        -------------
| vpn server     |----| INET |-----| vpn client          |--------|           |
| tun0: 10.8.0.1 |    --------     | tun0: 10.8.0.2      |        | SUBNET    |
|                |                 | eth0: 192.168.1.45  |        |           |
|                |                 | wlan: 10.10.0.1     |        | 10.10.0.0 |
------------------                 -----------------------        -------------

Both Linux machines have ip_forward=1

server.conf

local 45.138.196.247
port 1194
proto udp
dev tun
......
topology subnet
client-to-client
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 5
explicit-exit-notify
client-config-dir /etc/openvpn/ccd
ccd-exclusive

Client configuration file

client
dev tun
proto udp
remote 45.138.196.247 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
.....
ignore-unknown-option block-outside-dns
block-outside-dns
verb 5
auth-nocache
topology subnet

The client's ccd:

ifconfig-push 10.8.0.2 255.255.255.0
iroute 10.10.0.0 255.255.255.0

I also added a static route on the server:

route add -net 10.10.0.0 netmask 255.255.255.0 gw 10.8.0.1

Pinging 10.10.0.1 and/or 10.10.0.2 (pc) from the server fails. I believe something is still missing in the routing.

By coincidence, I found the problem.

I ran the following command:

root@vpnServer:/etc/openvpn# iptables -t nat -L -n -v --line-numbers
Chain PREROUTING (policy ACCEPT 81998 packets, 22M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 9509 packets, 694K bytes)
num pkts bytes target prot opt in out source destination



Chain OUTPUT (policy ACCEPT 99 packets, 7563 bytes)
num pkts bytes target prot opt in out source destination



Chain POSTROUTING (policy ACCEPT 183 packets, 13588 bytes)
num pkts bytes target prot opt in out source destination
1 57 4281 SNAT all -- * * 10.8.0.0/24 !10.8.0.0/24 to:45.138.196.247

I deleted Chain POSTROUTING num 1:

root@vpnServer:/etc/openvpn# iptables -t nat -D POSTROUTING 1  

root@vpnServer:/etc/openvpn# iptables -t nat -L -n -v --line-numbers
Chain PREROUTING (policy ACCEPT 1 packets, 165 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination



Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination



Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Now I can ping the subnet behind the VPN client!

root@vpnServer:/etc/openvpn# ping 10.8.0.2
PING 10.8.0.2 (10.8.0.2) 56(84) bytes of data.
64 bytes from 10.8.0.2: icmp_seq=1 ttl=64 time=26.4 ms
64 bytes from 10.8.0.2: icmp_seq=2 ttl=64 time=26.6 ms

I used openvpn-install.sh to install and create the OpenVPN configuration files. That script evidently messed up iptables by adding that entry to the POSTROUTING chain! I think it is better to go through the whole configuration process manually, step by step. Don't rely on that script. It configures other things without any control or warning!
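An added check, not part of the original question or answer: it reads `iptables -t nat -S POSTROUTING` output (here a constructed sample mirroring the rule found above), flags SNAT/MASQUERADE rules that cover the VPN subnet without restricting the egress interface or excluding the client-side subnet, and prints a narrowed replacement. The egress interface name `eth0` is an assumption, since the post does not name the server's public interface.

```shell
#!/bin/sh
# Added example (not from the original post).  Values taken from the post:
VPN_NET='10.8.0.0/24'      # "server 10.8.0.0 255.255.255.0"
CLIENT_NET='10.10.0.0/24'  # "iroute 10.10.0.0 255.255.255.0" in the ccd

# Constructed sample in `iptables -t nat -S POSTROUTING` form, matching the
# rule the post found (hence the same public address).
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 45.138.196.247'

# Read rules on stdin; print each SNAT/MASQUERADE rule that matches VPN_NET
# but neither limits the egress interface (-o) nor excludes CLIENT_NET.
# Such a rule also rewrites traffic headed for the subnet behind the client.
flag_overbroad_snat() {
    while IFS= read -r rule; do
        case "$rule" in *"-j SNAT"*|*"-j MASQUERADE"*) ;; *) continue ;; esac
        case "$rule" in *"-s $VPN_NET"*) ;; *) continue ;; esac
        case "$rule" in *" -o "*|*"! -d $CLIENT_NET"*) continue ;; esac
        echo "$rule"
    done
}

# Rewrite one flagged rule so it applies only on the public egress interface
# and never to the client-side subnet.  $2 is the interface (assumed: eth0).
narrow_snat_rule() {
    wan_if="${2:-eth0}"
    target="${1##*-j }"   # keep the target and its options, e.g. "SNAT --to-source ..."
    printf -- '-A POSTROUTING -s %s ! -d %s -o %s -j %s\n' \
        "$VPN_NET" "$CLIENT_NET" "$wan_if" "$target"
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | flag_overbroad_snat | while IFS= read -r r; do
    echo "overbroad: $r"
    echo "suggested: $(narrow_snat_rule "$r" eth0)"
done
```

Feed it the live output of `iptables -t nat -S POSTROUTING` to check a server after running an installer script.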

Quoted from: https://serverfault.com/questions/1002186