Vpn
Accessing the OpenVPN client subnet
I have been struggling to reach the VPN client's subnet from the VPN server. Both the server and the client run on Linux machines with OpenVPN. The tunnel is established correctly. Firewalls on both the server and the client are disabled.
 ------------------          --------       -----------------------       -------------
|   vpn server     |--------|  INET  |-----|   vpn client          |-----|             |
|  tun0: 10.8.0.1  |         --------      |  tun0: 10.8.0.2       |     |   SUBNET    |
|                  |                       |  eth0: 192.168.1.45   |     |             |
|                  |                       |  wlan: 10.10.0.1      |     |  10.10.0.0  |
 ------------------                         -----------------------       -------------
Both Linux machines have ip_forward=1.
server.conf:
local 45.138.196.247
port 1194
proto udp
dev tun
......
topology subnet
client-to-client
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 5
explicit-exit-notify
client-config-dir /etc/openvpn/ccd
ccd-exclusive
Client configuration file:
client
dev tun
proto udp
remote 45.138.196.247 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
.....
ignore-unknown-option block-outside-dns
block-outside-dns
verb 5
auth-nocache
topology subnet
The client's ccd file:
ifconfig-push 10.8.0.2 255.255.255.0
iroute 10.10.0.0 255.255.255.0
I also added a static route on the server:
route add -net 10.10.0.0 netmask 255.255.255.0 gw 10.8.0.1
Pinging 10.10.0.1 and/or 10.10.0.2 (a PC) from the server fails. I believe something is still missing from the routing.
By coincidence, I found the problem.
I ran the following command:
root@vpnServer:/etc/openvpn# iptables -t nat -L -n -v --line-numbers
Chain PREROUTING (policy ACCEPT 81998 packets, 22M bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 9509 packets, 694K bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 99 packets, 7563 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 183 packets, 13588 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       57  4281 SNAT       all  --  *      *       10.8.0.0/24         !10.8.0.0/24         to:45.138.196.247
I deleted rule num 1 of Chain POSTROUTING:
root@vpnServer:/etc/openvpn# iptables -t nat -D POSTROUTING 1
root@vpnServer:/etc/openvpn# iptables -t nat -L -n -v --line-numbers
Chain PREROUTING (policy ACCEPT 1 packets, 165 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Now I can ping the subnet behind the VPN client!
root@vpnServer:/etc/openvpn# ping 10.8.0.2
PING 10.8.0.2 (10.8.0.2) 56(84) bytes of data.
64 bytes from 10.8.0.2: icmp_seq=1 ttl=64 time=26.4 ms
64 bytes from 10.8.0.2: icmp_seq=2 ttl=64 time=26.6 ms
I used openvpn-install.sh to install OpenVPN and create the configuration files. That script apparently messes up iptables by adding that entry to Chain POSTROUTING! I think it is better to go through the whole configuration process manually, step by step. Don't rely on that script. It configures other things without any control or warning!
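The SNAT rule above matches everything leaving 10.8.0.0/24 for any destination outside the tunnel, which includes the routed 10.10.0.0/24 subnet, so the source of server-to-subnet packets was rewritten to the public address and replies never came back through the tunnel. The following checker is an added example, not part of the post: it parses the nat table listing shown above (embedded here as constructed sample input), reports POSTROUTING SNAT/MASQUERADE rules that would rewrite tunnel-to-subnet traffic, and prints a narrower exemption rule that leaves internet NAT for the clients in place instead of deleting the rule outright. The subnets and the RETURN-based exemption are assumptions for illustration.

```python
import ipaddress

# Constructed from the iptables -t nat -L -n -v --line-numbers output shown in the post.
SAMPLE_NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT 81998 packets, 22M bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 9509 packets, 694K bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 99 packets, 7563 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 183 packets, 13588 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       57  4281 SNAT       all  --  *      *       10.8.0.0/24         !10.8.0.0/24         to:45.138.196.247
"""

def _matches(spec, net):
    """Does an iptables address spec ('!10.8.0.0/24', '0.0.0.0/0', ...) match any host of net?"""
    negated = spec.startswith("!")
    rule_net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    if negated:
        return not net.subnet_of(rule_net)  # some host of net lies outside the excluded range
    return net.overlaps(rule_net)

def find_nat_conflicts(listing, vpn_subnet, routed_subnet):
    """Return (rule_number, rule_text) for POSTROUTING SNAT/MASQUERADE rules hitting vpn->routed."""
    vpn = ipaddress.ip_network(vpn_subnet)
    routed = ipaddress.ip_network(routed_subnet)
    chain, hits = None, []
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        fields = line.split()  # num pkts bytes target prot opt in out source destination [extra]
        if chain != "POSTROUTING" or len(fields) < 10 or not fields[0].isdigit():
            continue
        num, target, src, dst = fields[0], fields[3], fields[8], fields[9]
        if target in ("SNAT", "MASQUERADE") and _matches(src, vpn) and _matches(dst, routed):
            hits.append((int(num), line.strip()))
    return hits

def exemption_rule(vpn_subnet, routed_subnet, position):
    """Assumed fix: insert a RETURN before the NAT rule so tunnel-to-subnet traffic is left alone."""
    return (f"iptables -t nat -I POSTROUTING {position} "
            f"-s {vpn_subnet} -d {routed_subnet} -j RETURN")

if __name__ == "__main__":
    for num, rule in find_nat_conflicts(SAMPLE_NAT_LISTING, "10.8.0.0/24", "10.10.0.0/24"):
        print(f"rule {num} rewrites VPN->subnet traffic: {rule}")
        print("suggested fix:", exemption_rule("10.8.0.0/24", "10.10.0.0/24", num))
```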