Vpn

OpenVPN stopped routing all my packets after going from Debian 10 to 11

  • August 21, 2021

I upgraded from Debian 10 to Debian 11. With Debian 10 OpenVPN worked fine; now I have this problem: I can reach my VPN server, but I cannot ping or reach anything on my remote LAN except the VPN server itself. This is the firewall configuration on the remote side

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 2991
ACCEPT     udp  --  anywhere             anywhere             multiport dports 2991
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     tcp  --  192.168.0.0/24       anywhere             tcp dpt:cisco-sccp
ACCEPT     tcp  --  192.168.0.0/24       anywhere             tcp dpt:2004
ACCEPT     tcp  --  192.168.0.0/24       anywhere             tcp dpt:3000
ACCEPT     tcp  --  192.168.0.0/24       anywhere             tcp dpt:37890
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2124
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5861
ACCEPT     tcp  --  192.168.0.0/24       anywhere             tcp dpt:telnet
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:5900:5910
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     all  --  anywhere             anywhere            
LOGGING    all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
NFLOG      all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request

Chain LOGGING (1 references)
target     prot opt source               destination         
NFLOG      all  --  anywhere             anywhere             nflog-prefix  "[iptables-drop]:" nflog-group 11
DROP       all  --  anywhere             anywhere            
root@vpn:/etc/openvpn# 

This is the OpenVPN configuration on the remote side

port 2991
proto tcp
dev tun
ca /etc/openvpn/certs/keys/ca.crt
cert /etc/openvpn/certs/keys/vpn.******.priv.crt
key /etc/openvpn/certs/keys/vpn.******.priv.key
dh /etc/openvpn/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 192.168.0.0 255.255.255.0"
client-to-client
keepalive 10 120
tls-auth /etc/openvpn/certs/keys/ta.key 0
data-ciphers-fallback AES-256-CBC
user openvpn
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 7
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
auth-nocache

This is the client-side OpenVPN configuration (the firewall is the same as on the remote side, so I have omitted it)

client
dev tun
proto tcp
remote ****** 2991
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
cert /etc/openvpn/certs/keys/vpn.******.priv.crt
key /etc/openvpn/certs/keys/vpn.******.priv.key
dh /etc/openvpn/dh2048.pem
remote-cert-tls server
tls-auth /etc/openvpn/certs/ta.key 1
data-ciphers-fallback AES-256-CBC
auth SHA512
auth-nocache
topology subnet
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
verb 7

The only error I found on the server is this..

ago 21 00:56:23 vpn ovpn-server[3791]: ******/*****:24545 GET INST BY VIRT: 192.168.0.12 [failed]

192.168.0.12 is the OpenVPN server's IP, and I can reach it, but every IP in the LAN 192.168.0.02/24 is blocked (no ping, no SSH, nothing).

For example..

$ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
^C
--- 192.168.0.1 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5133ms

$ ping 192.168.0.12
PING 192.168.0.12 (192.168.0.12) 56(84) bytes of data.
64 bytes from 192.168.0.12: icmp_seq=1 ttl=64 time=166 ms
64 bytes from 192.168.0.12: icmp_seq=2 ttl=64 time=164 ms
64 bytes from 192.168.0.12: icmp_seq=3 ttl=64 time=84.9 ms
^C
--- 192.168.0.12 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 84.924/138.389/166.113/37.814 ms

Found the solution. On Debian 11 they had the bad idea (IMHO) of renaming the classic eth0 to a 16-character-long name! That makes it impossible to use the interface in iptables or the bridge tools (the maximum allowed network interface name length is 15), otherwise you get the error "interface name exceeds 15 characters". So my NAT was pointing at a device that does not exist (eth0 had disappeared). Fortunately there is a simple fix:

vim /etc/udev/rules.d/70-persistent-net.rules

#/etc/udev/rules.d/70-persistent-net.rules
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="YO:UR:MA:CA:DD:RES", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

Of course, replace "YO:UR:MA:CA:DD:RES"

After a reboot I see the good old eth0 name again and everything is back to working
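The failure mode in this answer (a NAT rule that still names an interface the upgrade renamed, so the rule never matches and VPN traffic to the LAN is silently dropped) is easy to catch before a reboot. The script below is an added example, not code from the original question or answer: it cross-checks the interface names referenced by `-i`/`-o` in `iptables-save` output against the names present in `ip -o link show`, and also flags any live name longer than 15 characters, which iptables cannot reference at all. All input is constructed inline so it runs offline; the post-upgrade interface name `en0123456789abcdef` is a placeholder, not a real device name.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check the interface names that
# iptables rules refer to (-i / -o) against the interfaces that actually exist, and
# flag live names longer than 15 characters, which iptables cannot reference at all.
# All input below is constructed so the script runs offline; on a real host replace
# the samples with the output of `iptables-save` and `ip -o link show`.

# Constructed iptables-save excerpt: the MASQUERADE and FORWARD rules still name eth0.
SAMPLE_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed `ip -o link show` output before the upgrade: eth0 exists.
LINKS_BEFORE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN'

# Constructed output after the upgrade: eth0 is gone and the new name is a
# placeholder longer than 15 characters (hypothetical, not a real device name).
LINKS_AFTER='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: en0123456789abcdef: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN'

# Interface names given to -i/-o in iptables-save output, one per line, deduplicated.
rule_ifaces() {
    printf '%s\n' "$1" | grep -oE -- '-[io] [^ ]+' | awk '{print $2}' | sort -u
}

# Interface names present on the system, taken from `ip -o link show` output
# (any VLAN/master suffix after '@' is dropped).
live_ifaces() {
    printf '%s\n' "$1" | awk -F': ' '{print $2}' | sed 's/@.*//' | sort -u
}

# Names referenced by rules but absent from the system: such rules can never match,
# so traffic that relied on them (NAT for the VPN subnet here) is silently lost.
missing_ifaces() {
    rules="$1"; links="$2"
    rule_ifaces "$rules" | while read -r name; do
        live_ifaces "$links" | grep -qx -- "$name" || printf '%s\n' "$name"
    done
}

# Live names longer than 15 characters (IFNAMSIZ - 1): iptables refuses them outright.
too_long_ifaces() {
    live_ifaces "$1" | awk 'length($0) > 15'
}

echo "before upgrade, missing: [$(missing_ifaces "$SAMPLE_RULES" "$LINKS_BEFORE")]"
echo "after upgrade,  missing: [$(missing_ifaces "$SAMPLE_RULES" "$LINKS_AFTER")]"
echo "after upgrade, too long: [$(too_long_ifaces "$LINKS_AFTER")]"
```

Run on a live host as `missing_ifaces "$(iptables-save)" "$(ip -o link show)"`; an empty result means every interface your rules name still exists, while a non-empty result is exactly the condition that made the NAT rule above a no-op. A name reported by `too_long_ifaces` is the case the udev rule in this answer fixes: the kernel allows it, but iptables will reject any rule that mentions it.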

Quoted from: https://serverfault.com/questions/1075232