I am setting up a secondary (DD-WRT) router as an OpenVPN client so that all clients only need to connect to that router to get VPN access. But it seems the clients' traffic always goes out through the main gateway instead of through the established VPN tunnel.
ISP modem+router(gateway) <--LAN cable--> DD-WRT OpenVPN client <--LAN/WIFI--> clients
This secondary DD-WRT OpenVPN client can connect to the remote OpenVPN server.
I can ping hosts on the server-side subnet after first telnetting into the DD-WRT.
The OpenVPN server also shows the DD-WRT client as connected correctly.
wget -O - http://icanhazip.com returns the public IP of the remote server.
So the tunnel works.
Traffic from the clients connected to my DD-WRT goes through my gateway router instead of through the VPN tunnel tun0.
I think I need to forward traffic from the br0 interface to the tun0 interface. I have tried the iptables rules below and checked that IPv4 forwarding is enabled.

    cat /proc/sys/net/ipv4/ip_forward             ==> 1
    cat /proc/sys/net/ipv4/conf/tun0/forwarding   ==> 1
    cat /proc/sys/net/ipv4/conf/br0/forwarding    ==> 1

    # These rules are saved by pressing the 'Save firewall' button
    # and rebooting the DD-WRT router.
    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Also:

    # These rules are saved by pressing the 'Save firewall' button
    # and rebooting the DD-WRT router.
    iptables -I FORWARD -s 192.168.2.0/24 -d 192.168.66.0/24 -j ACCEPT
    iptables -I FORWARD -s 192.168.66.0/24 -d 192.168.2.0/24 -j ACCEPT
ISP modem + gateway router
No settings modified. It is as the ISP set it.
DD-WRT OpenVPN client
- Firmware: DD-WRT v24-sp2 (08/12/10) vpn
- SPI firewall: Disabled
- WAN: Disabled
- Operating mode: Router (this disables NAT, right?)
- Gateway: 192.168.2.1
- Local DNS: 8.8.8.8
- NTP client: Enabled
I am not posting the VPN server/client configuration, because the client connects to the server without errors and the ping and wget commands both work fine from inside the DD-WRT.
So, my question is:
How do I route all traffic from the clients connected to the DD-WRT into its OpenVPN tunnel tun0? Am I using iptables incorrectly? Maybe add a new route?
If some information is missing, please ask. Thanks in advance! 🙂
PS: more information below.
    root@DD-WRT:~# route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    87.219.xxx.xxx  192.168.2.1     255.255.255.255 UGH   0      0        0 br0
    192.168.66.1    192.168.66.5    255.255.255.255 UGH   0      0        0 tun0
    192.168.66.5    *               255.255.255.255 UH    0      0        0 tun0
    192.168.5.0     192.168.66.5    255.255.255.0   UG    0      0        0 tun0
    192.168.2.0     *               255.255.255.0   U     0      0        0 br0
    169.254.0.0     *               255.255.0.0     U     0      0        0 br0
    127.0.0.0       *               255.0.0.0       U     0      0        0 lo
    default         192.168.66.5    128.0.0.0       UG    0      0        0 tun0
    128.0.0.0       192.168.66.5    128.0.0.0       UG    0      0        0 tun0
    default         192.168.2.1     0.0.0.0         UG    0      0        0 br0

    root@DD-WRT:~# ip route show
    87.219.xxx.xxx via 192.168.2.1 dev br0
    192.168.66.1 via 192.168.66.5 dev tun0
    192.168.66.5 dev tun0  proto kernel  scope link  src 192.168.66.6
    192.168.5.0/24 via 192.168.66.5 dev tun0
    192.168.2.0/24 dev br0  proto kernel  scope link  src 192.168.2.160
    169.254.0.0/16 dev br0  proto kernel  scope link  src 169.254.255.1
    127.0.0.0/8 dev lo  scope link
    0.0.0.0/1 via 192.168.66.5 dev tun0
    128.0.0.0/1 via 192.168.66.5 dev tun0
    default via 192.168.2.1 dev br0

    root@DD-WRT:~# ip rule show
    0:      from all lookup local
    32766:  from all lookup main
    32767:  from all lookup default

    root@DD-WRT:~# cat /var/log/messages | grep openvpn
    May 24 15:47:21 DD-WRT daemon.notice openvpn[699]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Aug 12 2010
    May 24 15:47:21 DD-WRT daemon.warn openvpn[699]: WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
    May 24 15:47:21 DD-WRT daemon.notice openvpn[702]: UDPv4 link local: [undef]
    May 24 15:47:21 DD-WRT daemon.notice openvpn[702]: UDPv4 link remote: 87.219.xxx.xxx:1194
    May 24 15:47:23 DD-WRT daemon.notice openvpn[702]: [server] Peer Connection Initiated with 87.219.xxx.xxx:1194
    May 24 15:47:25 DD-WRT daemon.notice openvpn[702]: TUN/TAP device tun0 opened
    May 24 15:47:25 DD-WRT daemon.notice openvpn[702]: /sbin/ifconfig tun0 192.168.66.6 pointopoint 192.168.66.5 mtu 1500
    May 24 15:47:26 DD-WRT daemon.notice openvpn[702]: Initialization Sequence Completed

    root@DD-WRT:~# ifconfig
    br0       Link encap:Ethernet  HWaddr 00:1D:73:55:1C:A4
              inet addr:192.168.2.160  Bcast:192.168.2.255  Mask:255.255.255.0
              UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
              RX packets:14119 errors:0 dropped:0 overruns:0 frame:0
              TX packets:10639 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:2068891 (1.9 MiB)  TX bytes:5382302 (5.1 MiB)

    br0:0     Link encap:Ethernet  HWaddr 00:1D:73:55:1C:A4
              inet addr:169.254.255.1  Bcast:169.254.255.255  Mask:255.255.0.0
              UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

    eth0      Link encap:Ethernet  HWaddr 00:1D:73:55:1C:A4
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:13136 errors:0 dropped:0 overruns:0 frame:0
              TX packets:10847 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:2180726 (2.0 MiB)  TX bytes:5517739 (5.2 MiB)
              Interrupt:4

    eth1      Link encap:Ethernet  HWaddr 00:1D:73:55:1C:A6
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:210 errors:0 dropped:0 overruns:0 frame:198105
              TX packets:3683 errors:14 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:41273 (40.3 KiB)  TX bytes:963954 (941.3 KiB)
              Interrupt:2 Base address:0x5000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
              RX packets:28 errors:0 dropped:0 overruns:0 frame:0
              TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:2034 (1.9 KiB)  TX bytes:2034 (1.9 KiB)

    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:192.168.66.6  PtP:192.168.66.5  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:56 errors:0 dropped:0 overruns:0 frame:0
              TX packets:62 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:4734 (4.6 KiB)  TX bytes:4428 (4.3 KiB)

    vlan0     Link encap:Ethernet  HWaddr 00:1D:73:55:1C:A4
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:13135 errors:0 dropped:0 overruns:0 frame:0
              TX packets:10847 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:1944080 (1.8 MiB)  TX bytes:5466622 (5.2 MiB)
Here I assume the LAN and VPN interfaces on the server are br0 and tun0 respectively.

    # Enable IP forwarding.
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Allow postrouting to tun0. You may want to use "-s" here to strictly limit forwarding to IPs on your LAN.
    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

    # Enable forwarding from the LAN to the VPN (and back via related and established connections).
    # Again, you may want to use "-s".
    iptables -A FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

It worked for me on an OpenWrt router; it comes from @Xyne, https://bbs.archlinux.org/viewtopic.php?pid=1208721#p1208721
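As an added example, not code from the question or the answer above, the following POSIX shell script builds the answer's rule set with the "-s" restriction the answer recommends, adds one more FORWARD rule that refuses LAN traffic which would otherwise fall back to the ISP gateway whenever tun0 is down (the exact leak the question describes), and checks the ip_forward sysctl before applying anything. The interface names br0/tun0 and the 192.168.2.0/24 subnet are taken from the question's setup; the function names and the --apply flag are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the question's or answer's own code): route everything
# from the DD-WRT LAN (br0) through the OpenVPN tunnel (tun0) and nothing else.
# Interface names, LAN subnet, function names and the --apply flag are assumptions.

LAN_IF="${LAN_IF:-br0}"
VPN_IF="${VPN_IF:-tun0}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"

# Print the iptables commands for a given LAN interface, VPN interface and
# LAN subnet. Printing instead of executing lets the rules be reviewed, or
# pasted into DD-WRT's firewall script, before they touch a live router.
vpn_rules() {
    lan_if=$1; vpn_if=$2; lan_net=$3
    cat <<EOF
iptables -t nat -A POSTROUTING -s $lan_net -o $vpn_if -j MASQUERADE
iptables -A FORWARD -i $lan_if -s $lan_net -o $vpn_if -j ACCEPT
iptables -A FORWARD -i $vpn_if -o $lan_if -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $lan_if ! -o $vpn_if -j REJECT
EOF
}

# Succeed only when the sysctl file at $1 (for example
# /proc/sys/net/ipv4/ip_forward) currently reads 1.
forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Number of iptables commands the generator emits for the given arguments.
rule_count() {
    vpn_rules "$@" | grep -c '^iptables'
}

# Only modify the router when explicitly asked (requires root on the device).
if [ "$1" = "--apply" ]; then
    forwarding_enabled /proc/sys/net/ipv4/ip_forward || echo 1 > /proc/sys/net/ipv4/ip_forward
    vpn_rules "$LAN_IF" "$VPN_IF" "$LAN_NET" | sh
else
    vpn_rules "$LAN_IF" "$VPN_IF" "$LAN_NET"
fi
```

Run it without arguments to review the generated rules; run it with --apply on the router (or copy its output into the firewall script) to apply them. The final REJECT rule is the leak guard: if the tunnel drops, LAN clients lose connectivity instead of silently using the 192.168.2.1 default route. On firmware whose iptables lacks the conntrack match, `-m state --state RELATED,ESTABLISHED` is the older equivalent of the third rule.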