I have 3 Amazon VPCs (Dev – 10.100.0.0/16, QA – 10.101.0.0/16, Prod – 10.104.0.0/16). Each VPC has an OpenVPN server. They hand out client IP addresses as follows:
    Dev  - 10.100.0.0/16 - Tunnel 10.7.0.0/24
    QA   - 10.101.0.0/16 - Tunnel 10.8.0.0/24
    Prod - 10.104.0.0/16 - Tunnel 10.9.0.0/24
I have an on-premises server running Ubuntu 12.04 LTS with 3 client connections established (one per VPC). I can ssh into this Ubuntu box and reach all three subnets (10.100, 10.101, 10.104) without any problem.
Here is my client configuration [DEV / 10.100.x / tun 10.7.0.x]:

    client
    dev tun
    proto udp
    remote dev.ip.addr 1193
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca /etc/openvpn/ca.crt
    # username/password are read from this file; it must not be world-readable
    auth-user-pass /tmp/password.txt
    comp-lzo
    verb 3
    reneg-sec 0
    tls-client
    # only accept a peer certificate carrying the TLS server role
    remote-cert-tls server
Here is my client configuration [QA / 10.101.x / tun 10.8.0.x]:

    client
    dev tun
    proto udp
    remote qa.ip.addr 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca /etc/openvpn/ca.crt
    auth-user-pass /tmp/password.txt
    comp-lzo
    verb 3
    reneg-sec 0
    tls-client
    remote-cert-tls server
Here is my client configuration [PROD / 10.104.x / tun 10.9.0.x]:

    client
    dev tun
    proto udp
    remote prod.ip.addr 1195
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca /etc/openvpn/ca.crt
    auth-user-pass /tmp/password.txt
    comp-lzo
    verb 3
    reneg-sec 0
    tls-client
    remote-cert-tls server
Now, I want my employees (inside the office) to VPN into this server (192.168.1.19), which has the 3 connections to my VPCs. And I want them to be able to connect to the 10.100, 10.101 and 10.104 networks (via SQL clients, telnet to memcache servers, etc.). I want to route all traffic except ports 80, 443 and 3389 through this VPN interface.
Office server's OpenVPN server configuration (192.168.1.19 / tun 10.10.0.x):

    port 1196
    proto udp
    dev tun
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/hqs-openvpn.mycompany.co.crt
    key /etc/openvpn/easy-rsa/keys/hqs-openvpn.mycompany.co.key
    dh /etc/openvpn/easy-rsa/keys/dh1024.pem
    # authenticate usernames/passwords against the PAM "login" stack
    plugin /usr/lib/openvpn/openvpn-auth-pam.so /etc/pam.d/login
    #plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
    # clients present no certificate; the PAM password is the only client credential
    client-cert-not-required
    username-as-common-name
    server 10.10.0.0 255.255.255.0
    push "route 10.7.0.0 255.255.255.0"
    push "route 10.8.0.0 255.255.255.0"
    push "route 10.9.0.0 255.255.255.0"
    push "route 10.10.0.0 255.255.255.0"
    push "route 10.104.0.0 255.255.0.0"
    push "route 10.101.0.0 255.255.0.0"
    push "route 10.100.0.0 255.255.0.0"
    # send the client's entire default route (as 0.0.0.0/1 + 128.0.0.0/1) through the tunnel
    push "redirect-gateway def1"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    keepalive 5 30
    comp-lzo
    persist-key
    persist-tun
    verb 3
    user nobody
    group nogroup
    log-append /var/log/openvpn
    status /tmp/vpn.status 10
Here is the configuration I hand out to employees (192.168.1.x / tun 10.10.0.x):

    client
    dev tun
    proto udp
    remote 192.168.1.19 1196
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca /etc/openvpn/ca.crt
    auth-user-pass /tmp/password.txt
    comp-lzo
    verb 3
    reneg-sec 0
    tls-client
    remote-cert-tls server
From the server (via SSH to 192.168.1.19):

I can get to 10.100, 10.101 and 10.104:
    root@vpn-hqs:~# traceroute 10.104.10.104
    traceroute to 10.104.10.104 (10.104.10.104), 30 hops max, 60 byte packets
     1  10.9.0.1 (10.9.0.1)  86.094 ms  86.079 ms  86.079 ms
     2  10.104.10.104 (10.104.10.104)  86.084 ms  86.086 ms  86.087 ms
    root@vpn-hqs:~# traceroute 10.100.10.168
    traceroute to 10.100.10.168 (10.100.10.168), 30 hops max, 60 byte packets
     1  10.7.0.1 (10.7.0.1)  87.130 ms  87.121 ms  87.121 ms
     2  10.100.10.168 (10.100.10.168)  87.126 ms  87.238 ms  87.243 ms
    root@vpn-hqs:~# traceroute 10.101.10.168
    traceroute to 10.101.10.168 (10.101.10.168), 30 hops max, 60 byte packets
     1  10.8.0.1 (10.8.0.1)  87.954 ms  87.939 ms  87.937 ms
     2  10.101.10.168 (10.101.10.168)  87.943 ms  87.944 ms  88.031 ms
    root@vpn-hqs:~# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 br0
    10.7.0.0        10.7.0.17       255.255.0.0     UG    0      0        0 tun0
    10.7.0.17       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
    10.8.0.0        10.8.0.33       255.255.0.0     UG    0      0        0 tun1
    10.8.0.33       0.0.0.0         255.255.255.255 UH    0      0        0 tun1
    10.9.0.0        10.9.0.13       255.255.0.0     UG    0      0        0 tun2
    10.9.0.13       0.0.0.0         255.255.255.255 UH    0      0        0 tun2
    10.10.0.0       10.10.0.2       255.255.255.0   UG    0      0        0 tun3
    10.10.0.2       0.0.0.0         255.255.255.255 UH    0      0        0 tun3
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
Here is my server's configuration (192.168.1.19):
    root@vpn-hqs:~# ifconfig -a
    br0       Link encap:Ethernet  HWaddr 00:1d:09:26:43:3d
              inet addr:192.168.1.19  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: fe80::21d:9ff:fe26:433d/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:17149 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2770 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:2213528 (2.2 MB)  TX bytes:286915 (286.9 KB)

    eth0      Link encap:Ethernet  HWaddr 00:1d:09:26:43:3d
              inet6 addr: fe80::21d:9ff:fe26:433d/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:18666 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2773 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:2719828 (2.7 MB)  TX bytes:300485 (300.4 KB)
              Interrupt:16

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.7.0.18  P-t-P:10.7.0.17  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:10 errors:0 dropped:0 overruns:0 frame:0
              TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:876 (876.0 B)  TX bytes:1104 (1.1 KB)

    tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.8.0.34  P-t-P:10.8.0.33  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:18 errors:0 dropped:0 overruns:0 frame:0
              TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:1584 (1.5 KB)  TX bytes:2040 (2.0 KB)

    tun2      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.9.0.14  P-t-P:10.9.0.13  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:18 errors:0 dropped:0 overruns:0 frame:0
              TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:1584 (1.5 KB)  TX bytes:2040 (2.0 KB)

    tun3      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.10.0.1  P-t-P:10.10.0.2  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:13 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:740 (740.0 B)  TX bytes:0 (0.0 B)
Now, I can connect from my Windows PC to 192.168.1.19 just fine. And I get an IP address of 10.10.0.6. Perfect.

But I cannot connect/ping/telnet to anything on 10.104.0.0/16, 10.101.0.0/16 and 10.100.0.0/16, the way I can when logged in via ssh on 192.168.1.19. Here is the routing table on my Windows box:
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.220     10
              0.0.0.0        128.0.0.0        10.10.0.5        10.10.0.6     30
             10.7.0.0    255.255.255.0        10.10.0.5        10.10.0.6     30
             10.8.0.0    255.255.255.0        10.10.0.5        10.10.0.6     30
             10.9.0.0    255.255.255.0        10.10.0.5        10.10.0.6     30
            10.10.0.0    255.255.255.0        10.10.0.5        10.10.0.6     30
            10.10.0.1  255.255.255.255        10.10.0.5        10.10.0.6     30
            10.10.0.4  255.255.255.252         On-link         10.10.0.6    286
            10.10.0.6  255.255.255.255         On-link         10.10.0.6    286
            10.10.0.7  255.255.255.255         On-link         10.10.0.6    286
           10.100.0.0      255.255.0.0        10.10.0.5        10.10.0.6     30
           10.101.0.0      255.255.0.0        10.10.0.5        10.10.0.6     30
           10.104.0.0      255.255.0.0        10.10.0.5        10.10.0.6     30
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
            128.0.0.0        128.0.0.0        10.10.0.5        10.10.0.6     30
          192.168.1.0    255.255.255.0         On-link     192.168.1.220    266
         192.168.1.19  255.255.255.255      192.168.1.1    192.168.1.220     10
        192.168.1.220  255.255.255.255         On-link     192.168.1.220    266
        192.168.1.255  255.255.255.255         On-link     192.168.1.220    266
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link     192.168.1.220    266
            224.0.0.0        240.0.0.0         On-link         10.10.0.6    286
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link     192.168.1.220    266
      255.255.255.255  255.255.255.255         On-link         10.10.0.6    286
    ===========================================================================
    Persistent Routes:
      None
Any help getting my 10.10.0.0/24 VPN clients to talk to the 10.100.0.0/16, 10.101.0.0/16 and 10.104.0.0/16 clients would be greatly appreciated!

Fixed. See the explanation here:
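One thing the post's configs do not show is how the hub (192.168.1.19) carries packets that arrive on tun3 from 10.10.0.x out through tun0/tun1/tun2, or how the VPC side is supposed to route replies back to 10.10.0.x, an address range only the hub knows about. The script below is an added example, not the author's fix and not from the original post: it enables IP forwarding on the hub, accepts forwarded traffic only between the employee subnet and each VPC CIDR, and source-NATs that traffic onto the hub's own tunnel address, which the VPC-side OpenVPN server already has a route for. Interface names and subnets are taken from the post's `route -n` output; the rule layout, the `hub_rules`/`count_rules` function names and the `--apply` flag are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): generate, and optionally apply,
# the forwarding + SNAT rules an OpenVPN hub needs to relay employee VPN clients
# (10.10.0.0/24 on tun3) into three site-to-site tunnels (tun0/tun1/tun2).
# Subnets and interface names come from the post; everything else is assumed.

OFFICE_VPN_NET="10.10.0.0/24"
# "iface:vpc-cidr" pairs: tun0 -> Dev, tun1 -> QA, tun2 -> Prod
TUNNELS="tun0:10.100.0.0/16 tun1:10.101.0.0/16 tun2:10.104.0.0/16"

# hub_rules: print the commands to run on the hub. Pure text output, so it can
# be reviewed (or diffed against `iptables-save`) before anything is applied.
hub_rules() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    for pair in $TUNNELS; do
        iface=${pair%%:*}
        cidr=${pair#*:}
        # office -> VPC: only this employee subnet, only to this VPC's CIDR
        printf 'iptables -A FORWARD -i tun3 -o %s -s %s -d %s -j ACCEPT\n' \
            "$iface" "$OFFICE_VPN_NET" "$cidr"
        # VPC -> office: replies only (conntrack de-NATs them before FORWARD)
        printf 'iptables -A FORWARD -i %s -o tun3 -s %s -d %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
            "$iface" "$cidr" "$OFFICE_VPN_NET"
        # SNAT onto the hub's tunnel address, so the VPC side never needs a
        # route back to 10.10.0.0/24 (it only ever sees 10.7.0.18 etc.)
        printf 'iptables -t nat -A POSTROUTING -s %s -d %s -o %s -j MASQUERADE\n' \
            "$OFFICE_VPN_NET" "$cidr" "$iface"
    done
}

# count_rules: number of iptables commands generated (3 per tunnel)
count_rules() {
    hub_rules | grep -c '^iptables'
}

# Apply only on explicit request and only as root; otherwise just print.
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; exit 1; }
    hub_rules | sh -ex
else
    hub_rules
fi
```

Two caveats worth keeping in mind with this approach. MASQUERADE collapses every employee into the hub's tunnel address, so VPC-side security groups and logs can no longer tell users apart; if per-user attribution matters, the alternative is to give the VPC-side OpenVPN servers a `route`/`iroute` for 10.10.0.0/24 (plus a VPC route table entry pointing at the OpenVPN instance) instead of NAT. And because the server config pushes `redirect-gateway def1`, Internet-bound traffic from employees also lands on the hub and would need its own NAT out of br0; the rules above deliberately do not add that, so nothing outside the three VPC CIDRs is forwarded.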