I'm trying to set up an OpenVPN daemon on my network, but I'm having some problems with iptables + routing.
Here's a glimpse of my setup: the current LAN is 192.168.2.0/24, and the OpenVPN daemon runs on 192.168.2.251.
The daemon starts fine, but whenever I initiate a connection from a client, I see the following messages:
Mon Feb 5 17:41:59 2018 /sbin/ip link set dev tun0 up mtu 1500
Mon Feb 5 17:41:59 2018 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Mon Feb 5 17:41:59 2018 /sbin/ip route add 192.168.2.251/32 dev br0
RTNETLINK answers: File exists
Mon Feb 5 17:41:59 2018 ERROR: Linux route add command failed: external program exited with error status: 2
Mon Feb 5 17:41:59 2018 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Mon Feb 5 17:41:59 2018 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Mon Feb 5 17:41:59 2018 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
First, why error status 2, and second, why do I see routes being added when the push routes are commented out in the daemon's server.conf?
That's one part of the problem; the other part is that I don't know how to "merge" the new iptables rules into my current iptables rules. I currently have these rules, in this order (the main NIC is eth0, OpenVPN's is tun0):
$IPT -F INPUT
$IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# VPNd rules
$IPT -A INPUT -i eth0 -p udp --dport 1199 -j ACCEPT #openVPNd runs on udp/1199
$IPT -A INPUT -i tun0 -j ACCEPT
$IPT -A FORWARD -i eth0 -j ACCEPT
$IPT -A OUTPUT -o tun0 -j ACCEPT
net.ipv4.ip_forward=1 is set in /etc/sysctl.conf.
Now, one effect of my wrong rules is that clients connected to the VPN server cannot reach servers outside my network (192.168.2.0/24). I want my clients to be able to connect wherever they choose through my VPN link.
I just noticed that the error message above only seems to appear on client hosts that use bridged networking (some of my clients are also KVM hypervisors). On OSX, for instance, and on my VMs, it does not appear. Is there a connection?
What am I missing?
iptables -vL output:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3975 963K ACCEPT all -- eth0 any anywhere anywhere state RELATED,ESTABLISHED
5 308 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:http
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:https
6 492 ACCEPT udp -- eth0 any anywhere anywhere udp dpt:dmidi
0 0 ACCEPT all -- tun0 any anywhere anywhere
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:grcp
0 0 ACCEPT udp -- eth0 any anywhere anywhere udp dpt:25826
2198 432K REJECT all -- eth0 any anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0 any anywhere anywhere
Chain OUTPUT (policy ACCEPT 1552 packets, 225K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any tun0 anywhere anywhere
iptables -t nat -vL output:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
(empty?)
ip addr output on the VPN daemon:
ip addr
2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:5f:f8:44 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.251/24 brd 192.168.2.255 scope global eth0
valid_lft forever preferred_lft forever
3: tun0: mtu 1500 qdisc pfifo_fast
state UNKNOWN qlen 100
link/none
inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever
All clients are on the same /24 (192.168.2.0). Two clients on that subnet use a bridged interface (br0 instead of a physical interface such as eth0); I don't think this matters, but I'm mentioning it because I don't want to take anything for granted.
[20:00:45|root@vpntst:~]: iptables -vL;iptables -t nat -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
212 17577 ACCEPT all -- eth0 any anywhere anywhere state RELATED,ESTABLISHED
1 60 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:http
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:https
0 0 ACCEPT udp -- eth0 any anywhere anywhere udp dpt:dmidi
0 0 ACCEPT all -- tun0 any anywhere anywhere
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:grcp
0 0 ACCEPT udp -- eth0 any anywhere anywhere udp dpt:25826
13 2621 REJECT all -- eth0 any anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0 any anywhere anywhere
Chain OUTPUT (policy ACCEPT 144 packets, 16717 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any tun0 anywhere anywhere
Chain PREROUTING (policy ACCEPT 20 packets, 3509 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 1 packets, 60 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 12 packets, 912 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 12 packets, 912 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- any eth0 10.8.0.0/24 anywhere
And my firewall script:
#!/bin/bash
IPT=/sbin/iptables
case "$1" in
start)
$IPT -F INPUT
$IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
# VPNd rules
$IPT -A INPUT -i eth0 -p udp --dport 1199 -j ACCEPT
$IPT -A INPUT -i tun0 -j ACCEPT
$IPT -A FORWARD -i eth0 -j ACCEPT
$IPT -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
$IPT -A OUTPUT -o tun0 -j ACCEPT
# Other rules
$IPT -A INPUT -i eth0 -p tcp --dport 9123 -j ACCEPT
$IPT -A INPUT -i eth0 -p udp --dport 25826 -j ACCEPT
$IPT -A INPUT -i eth0 -j REJECT
exit 0
;;
stop)
$IPT -F INPUT
exit 0
;;
* )
echo "Usage: /etc/init.d/firewall {start|stop}"
exit 1
;;
esac
Now, I got the instructions for setting up the VPN daemon from https://chichivica.github.io/2017/08/02/Install-OpenVPN-on-Fedora-26/. I now realise that nothing about routing or anything else is mentioned there. The one thing I am sure is needed is enabling IPv4 forwarding in /etc/sysctl.conf. Other than that, I followed the instructions at that link to the letter, nothing else.
Here is the routing configuration in my server.conf. A few minutes ago I even tried commenting out the last push, unfortunately with the same result:
[9:03:07|root@vpntst:openvpn]: egrep "route|redirect" server.conf|egrep -v ^\#
;push "route 192.168.2.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;route 192.168.40.128 255.255.255.248
;route 10.9.0.0 255.255.255.252
push "redirect-gateway def1 bypass-dhcp"
This thing is driving me crazy :-)
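The forwarding and NAT part of the script above, rewritten as an added example (not the original poster's script): it sets an explicit FORWARD policy instead of relying on the chain's default ACCEPT, and its stop action removes what start added (the script above only flushes INPUT). The interface names eth0/tun0 and the 10.8.0.0/24 VPN subnet are taken from the post; it does not address the client-side route error.

```shell
#!/bin/bash
# Added example, not the original poster's script. Forwarding/NAT rules for
# an OpenVPN server that pushes "redirect-gateway def1" to its clients.
# Assumptions from the post: eth0 = LAN side, tun0 = OpenVPN, 10.8.0.0/24 = VPN net.
# IPT can be overridden (e.g. IPT=echo) to print the rules instead of applying them.
IPT="${IPT:-/sbin/iptables}"
WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"

vpn_forward_start() {
    # With "push redirect-gateway def1" the client installs 0.0.0.0/1 and
    # 128.0.0.0/1 via the tunnel (the two routes seen in the client log), so
    # all client traffic arrives on tun0 and must be forwarded and NATed here.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$VPN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
    # Forwarding only works with the sysctl enabled; say so instead of failing silently.
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ] \
        || echo "warning: net.ipv4.ip_forward is not 1" >&2
}

vpn_forward_stop() {
    # Delete exactly the rules start added, then restore the default policy.
    $IPT -D FORWARD -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
    $IPT -D FORWARD -i "$WAN_IF" -o "$VPN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -D POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
    $IPT -P FORWARD ACCEPT
}

# Dry run: print the rule arguments start would pass to iptables, one per line.
vpn_forward_rules() {
    ( IPT=echo; vpn_forward_start 2>/dev/null )
}

case "${1:-}" in
    start) vpn_forward_start ;;
    stop)  vpn_forward_stop ;;
    show)  vpn_forward_rules ;;
esac
```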
Posted on 2018-02-15 20:05:53
This answer isn't really an answer. I can't get any further with this problem, because I would need to add static routes on my outbound router, and my ISP prevents me from doing that.
Case closed, until I change ISP.
https://serverfault.com/questions/895792