I have set up an OpenVPN server with topology subnet. It contains a set of subnets for clients in the range 10.0.X.X, and these subnets are routed. In the server's network there is a client (not on the VPN) running a service that the VPN users need to access.
So basically I am trying to let different user groups reach one service. Both openvpn and the webservice run in docker instances.
Any help or hints are greatly appreciated, as I have been struggling with this for two weeks now.
Steps: I set up the openvpn conf with routing and client-to-client.
server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/xxxx.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/xxxx.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun
proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun
status /tmp/openvpn-status.log
topology subnet
client-config-dir ccd
user nobody
group nogroup
comp-lzo no
client-to-client
### Route Configurations Below
route 192.168.254.0 255.255.255.0
route 10.0.0.0 255.255.255.0
route 10.0.1.0 255.255.255.0
route 10.0.3.0 255.255.255.0
route 10.0.4.0 255.255.255.0
route 10.0.5.0 255.255.255.0
### Push Configurations Below
#push "block-outside-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "comp-lzo no"
push "route 172.17.0.0 255.255.255.0"
I configured forwarding by setting net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
I configured the iptables rules:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -s 192.168.255.0/24 -d 172.17.0.0/24 -i tun0 -j ACCEPT
-A FORWARD -j ACCEPT
-A FORWARD -s 192.168.255.0/24 -d 10.0.0.0/24 -i tun0 -j ACCEPT
However, from an IP in the server's range (192.168.255.2) I cannot ping or reach anything (172.17.0.4 or 10.0.0.1).
A traceroute ends at the gateway:
% traceroute 10.0.0.1
traceroute to 10.0.0.1 (10.0.0.1), 64 hops max, 52 byte packets
1 192.168.88.1 (192.168.88.1) 12.279 ms 3.251 ms 1.882 ms
2 *
Here is also my client's log:
2022-04-30 06:24:38.983758 *Tunnelblick: macOS 12.3.1 (21E258); Tunnelblick 3.8.5beta05 (build 5650)
2022-04-30 06:24:39.446714 *Tunnelblick: Attempting connection with greenhive_master using shadow copy; Set nameserver = 769; monitoring connection
2022-04-30 06:24:39.450786 *Tunnelblick: openvpnstart start greenhive_master.tblk 52399 769 0 1 0 34652464 -ptADGNWradsgnw 2.4.10-openssl-1.1.1j
2022-04-30 06:24:39.477788 *Tunnelblick: openvpnstart starting OpenVPN
2022-04-30 06:24:39.857743 OpenVPN 2.4.10 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Feb 25 2021
2022-04-30 06:24:39.857947 library versions: OpenSSL 1.1.1j 16 Feb 2021, LZO 2.10
2022-04-30 06:24:39.859534 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:52399
2022-04-30 06:24:39.859562 Need hold release from management interface, waiting...
2022-04-30 06:24:40.078894 *Tunnelblick: openvpnstart log:
OpenVPN started successfully.
Command used to start OpenVPN (one argument per displayed line):
/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.10-openssl-1.1.1j/openvpn
--daemon
--log /Library/Application Support/Tunnelblick/Logs/-SUsers-Srobertk-SLibrary-SApplication Support-STunnelblick-SConfigurations-Sgreenhive_master.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_34652464.52399.openvpn.log
--cd /Library/Application Support/Tunnelblick/Users/robertk/greenhive_master.tblk/Contents/Resources
--machine-readable-output
--setenv IV_GUI_VER "net.tunnelblick.tunnelblick 5650 3.8.5beta05 (build 5650)"
--verb 3
--config /Library/Application Support/Tunnelblick/Users/robertk/greenhive_master.tblk/Contents/Resources/config.ovpn
--setenv TUNNELBLICK_CONFIG_FOLDER /Library/Application Support/Tunnelblick/Users/robertk/greenhive_master.tblk/Contents/Resources
--verb 3
--cd /Library/Application Support/Tunnelblick/Users/robertk/greenhive_master.tblk/Contents/Resources
--management 127.0.0.1 52399 /Library/Application Support/Tunnelblick/geeielmngfddkiiidnhcaaaogadlpdifnpjaepip.mip
--management-query-passwords
--management-hold
--script-security 2
--route-up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
--down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
2022-04-30 06:24:40.108790 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:52399
2022-04-30 06:24:40.136505 MANAGEMENT: CMD 'pid'
2022-04-30 06:24:40.136565 MANAGEMENT: CMD 'auth-retry interact'
2022-04-30 06:24:40.136595 MANAGEMENT: CMD 'state on'
2022-04-30 06:24:40.136615 MANAGEMENT: CMD 'state'
2022-04-30 06:24:40.136655 MANAGEMENT: CMD 'bytecount 1'
2022-04-30 06:24:40.138068 *Tunnelblick: Established communication with OpenVPN
2022-04-30 06:24:40.152091 *Tunnelblick: >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
2022-04-30 06:24:40.154175 MANAGEMENT: CMD 'hold release'
2022-04-30 06:24:40.155529 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2022-04-30 06:24:40.161486 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-04-30 06:24:40.161545 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-04-30 06:24:40.161718 MANAGEMENT: >STATE:1651292680,RESOLVE,,,,,,
2022-04-30 06:24:40.259123 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
2022-04-30 06:24:40.259272 Socket Buffers: R=[786896->786896] S=[9216->9216]
2022-04-30 06:24:40.259296 UDP link local: (not bound)
2022-04-30 06:24:40.259311 UDP link remote: [AF_INET]xx.xx.xx.xx:1194
2022-04-30 06:24:40.259354 MANAGEMENT: >STATE:1651292680,WAIT,,,,,,
2022-04-30 06:24:40.305386 MANAGEMENT: >STATE:1651292680,AUTH,,,,,,
2022-04-30 06:24:40.305631 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=06c4262e 884c5cdc
2022-04-30 06:24:40.369493 VERIFY OK: depth=1, CN=greenhive
2022-04-30 06:24:40.370236 VERIFY KU OK
2022-04-30 06:24:40.370275 Validating certificate extended key usage
2022-04-30 06:24:40.370301 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-04-30 06:24:40.370323 VERIFY EKU OK
2022-04-30 06:24:40.370346 VERIFY OK: depth=0, CN=VPN.greenhive.at
2022-04-30 06:24:40.439317 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
2022-04-30 06:24:40.439596 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2022-04-30 06:24:40.439767 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
2022-04-30 06:24:40.439834 [VPN.greenhive.at] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
2022-04-30 06:24:41.558800 MANAGEMENT: >STATE:1651292681,GET_CONFIG,,,,,,
2022-04-30 06:24:41.559492 SENT CONTROL [VPN.greenhive.at]: 'PUSH_REQUEST' (status=1)
2022-04-30 06:24:41.652600 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,comp-lzo no,route 172.17.0.0 255.255.255.0,route-gateway 192.168.255.1,topology subnet,ping 10,ping-restart 60,ifconfig 192.168.255.2 255.255.255.0,peer-id 1,cipher AES-256-GCM'
2022-04-30 06:24:41.652921 OPTIONS IMPORT: timers and/or timeouts modified
2022-04-30 06:24:41.652958 OPTIONS IMPORT: compression parms modified
2022-04-30 06:24:41.652985 OPTIONS IMPORT: --ifconfig/up options modified
2022-04-30 06:24:41.653008 OPTIONS IMPORT: route options modified
2022-04-30 06:24:41.653030 OPTIONS IMPORT: route-related options modified
2022-04-30 06:24:41.653051 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-04-30 06:24:41.653072 OPTIONS IMPORT: peer-id set
2022-04-30 06:24:41.653094 OPTIONS IMPORT: adjusting link_mtu to 1624
2022-04-30 06:24:41.653115 OPTIONS IMPORT: data channel crypto options modified
2022-04-30 06:24:41.653139 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-04-30 06:24:41.653816 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-04-30 06:24:41.653851 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-04-30 06:24:41.654722 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2022-04-30 06:24:41.654977 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2022-04-30 06:24:41.655036 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2022-04-30 06:24:41.655181 Opened utun device utun3
2022-04-30 06:24:41.655203 MANAGEMENT: >STATE:1651292681,ASSIGN_IP,,192.168.255.2,,,,
2022-04-30 06:24:41.655217 /sbin/ifconfig utun3 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2022-04-30 06:24:41.665109 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2022-04-30 06:24:41.666818 /sbin/ifconfig utun3 192.168.255.2 192.168.255.2 netmask 255.255.255.0 mtu 1500 up
2022-04-30 06:24:41.672645 /sbin/route add -net 192.168.255.0 192.168.255.2 255.255.255.0
add net 192.168.255.0: gateway 192.168.255.2
2022-04-30 06:24:41.679237 MANAGEMENT: >STATE:1651292681,ADD_ROUTES,,,,,,
2022-04-30 06:24:41.679318 /sbin/route add -net 172.17.0.0 192.168.255.1 255.255.255.0
add net 172.17.0.0: gateway 192.168.255.1
06:24:41 *Tunnelblick: **********************************************
06:24:41 *Tunnelblick: Start of output from client.up.tunnelblick.sh
06:24:43 *Tunnelblick: Retrieved from OpenVPN: name server(s) [ 8.8.8.8 8.8.4.4 ], search domain(s) [ ] and SMB server(s) [ ] and using default domain name [ openvpn ]
06:24:44 *Tunnelblick: WARNING: Ignoring DomainName 'openvpn' because DomainName was set manually and '-allowChangesToManuallySetNetworkSettings' was not specified
06:24:44 *Tunnelblick: WARNING: Ignoring ServerAddresses '8.8.8.8 8.8.4.4' because ServerAddresses was set manually and '-allowChangesToManuallySetNetworkSettings' was not specified
06:24:44 *Tunnelblick: Setting search domains to '8.8.8.8 8.8.4.4' because the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected
06:24:45 *Tunnelblick: Saved the DNS and SMB configurations so they can be restored
06:24:45 *Tunnelblick: Did not change DNS ServerAddresses setting of '8.8.8.8 8.8.4.4' (but re-set it)
06:24:45 *Tunnelblick: Changed DNS SearchDomains setting from 'openvpn' to '8.8.8.8 8.8.4.4'
06:24:45 *Tunnelblick: Changed DNS DomainName setting from '' to '8.8.8.8 8.8.4.4'
06:24:45 *Tunnelblick: Did not change SMB NetBIOSName setting of ''
06:24:45 *Tunnelblick: Did not change SMB Workgroup setting of ''
06:24:45 *Tunnelblick: Did not change SMB WINSAddresses setting of ''
06:24:45 *Tunnelblick: DNS servers '8.8.8.8 8.8.4.4' were set manually
06:24:45 *Tunnelblick: DNS servers '8.8.8.8 8.8.4.4' will be used for DNS queries when the VPN is active
06:24:45 *Tunnelblick: The DNS servers include only free public DNS servers known to Tunnelblick.
06:24:45 *Tunnelblick: Flushed the DNS cache via dscacheutil
06:24:45 *Tunnelblick: /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
06:24:45 *Tunnelblick: Notified mDNSResponder that the DNS cache was flushed
06:24:45 *Tunnelblick: Not notifying mDNSResponderHelper that the DNS cache was flushed because it is not running
06:24:45 *Tunnelblick: Setting up to monitor system configuration with process-network-changes
06:24:45 *Tunnelblick: End of output from client.up.tunnelblick.sh
06:24:45 *Tunnelblick: **********************************************
2022-04-30 06:24:45.352811 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2022-04-30 06:24:45.352830 Initialization Sequence Completed
2022-04-30 06:24:45.352845 MANAGEMENT: >STATE:1651292685,CONNECTED,SUCCESS,192.168.255.2,xx.xx.xx.xx,1194,,
2022-04-30 06:24:46.571157 *Tunnelblick: Routing info stdout:
route to: 8.8.4.4
destination: 8.8.4.4
gateway: 192.168.88.1
interface: en0
flags: <UP,GATEWAY,HOST,DONE,WASCLONED,IFSCOPE,IFREF,GLOBAL>
recvpipe sendpipe ssthresh rtt,msec rttvar hopcount mtu expire
0 0 0 0 0 0 1500 0
stderr:
2022-04-30 06:24:46.593014 *Tunnelblick: Warning: DNS server Address 8.8.4.4 is a known public DNS server but is not being routed through the VPN
2022-04-30 06:24:46.680197 *Tunnelblick: Routing info stdout:
route to: 8.8.8.8
destination: 8.8.8.8
gateway: 192.168.88.1
interface: en0
flags: <UP,GATEWAY,HOST,DONE,WASCLONED,IFSCOPE,IFREF,GLOBAL>
recvpipe sendpipe ssthresh rtt,msec rttvar hopcount mtu expire
0 0 0 0 0 0 1500 0
stderr:
2022-04-30 06:24:46.705581 *Tunnelblick: Warning: DNS server Address 8.8.8.8 is a known public DNS server but is not being routed through the VPN
Edit: here is the server's ip route:
bash-5.0# ip route
default via 172.17.0.1 dev eth0
10.0.0.0/24 via 192.168.255.2 dev tun0
10.0.1.0/24 via 192.168.255.2 dev tun0
10.0.3.0/24 via 192.168.255.2 dev tun0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.2
192.168.254.0/24 via 192.168.255.2 dev tun0
192.168.255.0/24 dev tun0 proto kernel scope link src 192.168.255.1
The client's:
172.17/24 192.168.255.2 UGSc utun3
Status log:
bash-5.0# cat /tmp/openvpn-status.log
OpenVPN CLIENT LIST
Updated,Sun May 1 08:20:48 2022
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
at_dev_1,179.115.236.15:34846,23335,23021,Sun May 1 07:14:26 2022
master,179.115.236.15:64773,9574,9889,Sun May 1 07:55:44 2022
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.255.2,master,179.115.236.15:64773,Sun May 1 07:55:44 2022
10.0.0.1,at_dev_1,179.115.236.15:34846,Sun May 1 07:14:26 2022
GLOBAL STATS
Max bcast/mcast queue length,1
END
Edit: [image illustrating the situation with a diagram]
Posted on 2022-05-01 08:56:18
So we see that you have no internal routes in OpenVPN. That is probably because you do not use any iroute statements in your configuration. That is why only the VPN addresses of the server and the clients can reach each other.
From the network (OSI L3) point of view, the general structure of an OpenVPN "topology subnet" VPN looks like this:
                                 192.168.255.10[tun] (client2) [eth] 10.0.2.1 --- ...
                                        |
                                 [client2].9                        [eth] 10.0.1.1 --- ...
(server) [tun]192.168.255.1 --- .2[server] (OpenVPN process) [client1].5 --- 192.168.255.6[tun] (client1)
   [eth] 10.0.0.1 --- ...        .13[client3]
                                        |
                      ... --- 10.0.3.1 [eth] (client3) [tun]192.168.255.14
In this example with three clients, the OpenVPN process looks like a router with four interfaces (one of them facing the server). This router needs routes set up too! That is what the iroute keyword is for.
So, for a client to reach the network 10.0.0.0/24 behind the server, it needs a route to that network via its own OpenVPN-facing client "address" (e.g. client1 needs ip route add 10.0.0.0/24 via 192.168.255.5). These routes you push with push "route ...". To reach networks behind other clients you create similar routes; in my example these networks are contiguous, and all of them can be compressed into a single push "route 10.0.0.0 255.255.252.0".
In addition, the OpenVPN "router" needs proper routes to those networks via the "client" addresses. For example, the 10.0.1.0/24 network should be routed via 192.168.255.6. For this, the server needs to execute iroute 10.0.1.0 255.255.255.0 on behalf of client1. To achieve that, you put
iroute 10.0.1.0 255.255.255.0
into the file client1 in the client config directory (CCD), so it is executed right after the client with common name client1 has successfully authenticated.
Networks behind the server do not need an iroute. It seems to use the server "interface" as the gateway of last resort.
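An added check (not code from the question or the answer) that applies the answer's rule to a server.conf and a CCD directory: every network the kernel routes into the tunnel with a server-side route must be claimed by some client's iroute, and every iroute needs a matching server route. The sample server.conf and CCD contents are constructed from the question's values; audit_iroutes and _networks are my own names.

```python
import re
from ipaddress import IPv4Network

# Constructed sample input: route lines taken from the question's server.conf
# and a hypothetical CCD directory given as {common_name: file contents}.
SERVER_CONF = """\
server 192.168.255.0 255.255.255.0
topology subnet
client-config-dir ccd
route 192.168.254.0 255.255.255.0
route 10.0.0.0 255.255.255.0
route 10.0.1.0 255.255.255.0
push "route 172.17.0.0 255.255.255.0"
"""
CCD_FILES = {
    "at_dev_1": "iroute 10.0.0.0 255.255.255.0\n",
    "master": "ifconfig-push 192.168.255.2 255.255.255.0\n",
}

# Matches `route NET MASK [...]` or `iroute NET MASK` at the start of a line;
# pushed routes and commented-out lines do not match, so they are ignored.
_ROUTE_RE = re.compile(r"^\s*(i?route)\s+(\S+)\s+(\S+)(?:\s+\S+)*\s*$")


def _networks(text, keyword):
    """Set of IPv4Network declared with `keyword` (route or iroute) in text."""
    nets = set()
    for line in text.splitlines():
        m = _ROUTE_RE.match(line)
        if m and m.group(1) == keyword:
            nets.add(IPv4Network(f"{m.group(2)}/{m.group(3)}", strict=False))
    return nets


def audit_iroutes(server_conf, ccd_files):
    """Return (missing, orphans).

    missing: sorted networks the server routes into the tunnel but no CCD
             file claims with iroute, so the OpenVPN process has no client
             to hand them to (the situation described in the question).
    orphans: {common_name: sorted networks} claimed by an iroute without a
             matching server route, so the kernel never sends them in.
    """
    routed = _networks(server_conf, "route")
    claimed = {cn: _networks(text, "iroute") for cn, text in ccd_files.items()}
    missing = sorted(routed - set().union(*claimed.values()))
    orphans = {cn: sorted(nets - routed) for cn, nets in claimed.items()
               if nets - routed}
    return missing, orphans
```

Run audit_iroutes(SERVER_CONF, CCD_FILES) and each network in the first list still needs an iroute line in the CCD file of the client that sits in front of it.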
https://serverfault.com/questions/1099885