OpenVPN server as a client: connecting from the server IP to the clients

I am new to OpenVPN and could not find any similar answer. I have 3 Linux machines (Ubuntu 16.04):

A and S are in the same network. B is in a very restricted network.

Machine S runs an OpenVPN server with the "client-to-client" directive enabled.

A and B can see (ping, connect to) each other and the server through the VPN, because they are clients.

The question is: how do I let the server see (ping, connect to) the clients through the VPN? The routes look fine, but I get connection timeouts.

I need every machine in my VPN (the server included) to be able to see (ping, connect to) every other one. All three machines have their own Internet access; they only need to see (ping, connect to) each other through the VPN, no LAN forwarding is needed.

I used the https://github.com/Nyr/openvpn-install script to install. I added the "client-to-client" flag to server.conf.

Update: tcpdump shows that the server uses the "real network" via the default route to reach the VPN IPs. Maybe some routing problem on the server?

My current configuration (half working, as described above) comes from kal3v's post:

Server:

    tls-server
    tls-auth ta.key 0 # This has to be added, or it does not connect
    proto tcp
    port 443
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    dh dh.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    client-to-client
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    log-append /var/log/openvpn.log
    verb 4
    mute 20

Client:

    client
    tls-client # This has to be added, or it does not connect
    dev tun
    proto tcp-client
    remote [SERVER IP REDACTED] 443
    resolv-retry infinite
    ca ca.crt
    cert client1.crt
    key client1.key
    nobind
    persist-key
    persist-tun
    comp-lzo
    tls-auth ta.key 1 # This has to be added, or it does not connect
    #status openvpn-status.log
    #log-append /var/log/openvpn.log
    verb 4
    mute 20
    <ca>
    [REDACTED]
    </ca>
    <cert>
    [REDACTED]
    </cert>
    <key>
    [REDACTED]
    </key>
    <tls-auth>
    [REDACTED]
    </tls-auth>

Server ifconfig -a:

    em1       Link encap:Ethernet  HWaddr [REDACTED]
              inet addr:[REDACTED]  Bcast:[REDACTED]  Mask:[REDACTED]
              inet6 addr: [REDACTED] Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:2399844 errors:0 dropped:0 overruns:0 frame:0
              TX packets:530948 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:719766790 (719.7 MB)  TX bytes:435347738 (435.3 MB)
              Interrupt:20 Memory:f7200000-f7220000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:98881 errors:0 dropped:0 overruns:0 frame:0
              TX packets:98881 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1
              RX bytes:9737053 (9.7 MB)  TX bytes:9737053 (9.7 MB)

    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:84 errors:0 dropped:0 overruns:0 frame:0
              TX packets:67 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:9634 (9.6 KB)  TX bytes:13102 (13.1 KB)

Server iptables -n -L:

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     all  --  10.8.0.0/24          0.0.0.0/0
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

Server netstat -nr:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         [REDACTED]      0.0.0.0         UG        0 0          0 em1
    [REDACTED]      0.0.0.0         [REDACTED]      U         0 0          0 em1
    10.8.0.0        10.8.0.2        255.255.255.0   UG        0 0          0 tun0
    10.8.0.2        0.0.0.0         255.255.255.255 UH        0 0          0 tun0

Client ifconfig -a:

    eno1      Link encap:Ethernet  HWaddr [REDACTED]
              inet addr:[REDACTED]  Bcast:[REDACTED]  Mask:[REDACTED]
              inet6 addr: [REDACTED] Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:241633 errors:0 dropped:0 overruns:0 frame:0
              TX packets:78722 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:224498248 (224.4 MB)  TX bytes:10952745 (10.9 MB)
              Interrupt:20 Memory:fe400000-fe420000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:779 errors:0 dropped:0 overruns:0 frame:0
              TX packets:779 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1
              RX bytes:73331 (73.3 KB)  TX bytes:73331 (73.3 KB)

    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:64 errors:0 dropped:0 overruns:0 frame:0
              TX packets:84 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:12922 (12.9 KB)  TX bytes:9634 (9.6 KB)

Client iptables -n -L:

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

Client netstat -nr:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         [REDACTED]      0.0.0.0         UG        0 0          0 eno1
    [REDACTED]      0.0.0.0         [REDACTED]      U         0 0          0 eno1
    10.8.0.0        10.8.0.5        255.255.255.0   UG        0 0          0 tun0
    10.8.0.5        0.0.0.0         255.255.255.255 UH        0 0          0 tun0

The solution was:

Somehow the following firewall rule was sending the server over the real LAN instead of the VPN in order to reach the VPN clients, so it had to be deleted:

Server iptables -t nat -L -n -v --line-numbers:

    Chain PREROUTING (policy ACCEPT 249K packets, 44M bytes)
    num   pkts bytes target     prot opt in     out     source               destination

    Chain INPUT (policy ACCEPT 247K packets, 44M bytes)
    num   pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 3954 packets, 273K bytes)
    num   pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 3890 packets, 269K bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1      208 15001 SNAT       all  --  *      *       10.8.0.0/24          0.0.0.0/0            to:[REDACTED SERVER_REAL_IP]

On the server: iptables -t nat -D POSTROUTING 1

Et voilà! Everything works...

To make it permanent, delete/comment out the corresponding line in /etc/rc.local.

Thanks everyone for the help!
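The rule the asker deleted catches more than Internet-bound traffic: with source 10.8.0.0/24 and destination 0.0.0.0/0, it also SNATs the server's own 10.8.0.1 packets to VPN clients, so the client answers the server's real IP outside the tunnel and the server sees a timeout. The following check, added here and not part of the asker's or kal3v's posts, parses the text of `iptables -t nat -L POSTROUTING -n -v --line-numbers` and flags SNAT/MASQUERADE rules on the VPN subnet that lack a destination exclusion; the VPN subnet, the placeholder server IP 203.0.113.10 and the sample tables are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: detect nat/POSTROUTING rules that rewrite VPN-internal traffic.
# Works on the output format of "iptables -t nat -L POSTROUTING -n -v --line-numbers".

VPN_NET="10.8.0.0/24"   # assumed VPN subnet (matches the "server" directive)

# Constructed sample modelled on the asker's table; server IP is a placeholder.
SAMPLE_NAT='Chain POSTROUTING (policy ACCEPT 3890 packets, 269K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      208 15001 SNAT       all  --  *      *       10.8.0.0/24          0.0.0.0/0            to:203.0.113.10'

# Constructed variant that only NATs traffic leaving the VPN ("! -d 10.8.0.0/24"),
# which iptables -L prints as "!10.8.0.0/24" in the destination column.
SAMPLE_NAT_OK='Chain POSTROUTING (policy ACCEPT 3890 packets, 269K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      208 15001 SNAT       all  --  *      *       10.8.0.0/24         !10.8.0.0/24          to:203.0.113.10'

# find_vpn_snat_rules TEXT NET
# Prints the rule numbers of SNAT/MASQUERADE rules whose source is NET and whose
# destination is 0.0.0.0/0, i.e. rules that also rewrite VPN-to-VPN packets.
# Columns: num pkts bytes target prot opt in out source destination [extra]
find_vpn_snat_rules() {
    printf '%s\n' "$1" | awk -v net="$2" '
        $1 ~ /^[0-9]+$/ && ($4 == "SNAT" || $4 == "MASQUERADE") &&
        $9 == net && $10 == "0.0.0.0/0" { print $1 }'
}

# delete_cmds TEXT NET
# Prints the commands that remove each flagged rule, highest number first so the
# remaining numbers stay valid (the asker's fix was "iptables -t nat -D POSTROUTING 1").
delete_cmds() {
    find_vpn_snat_rules "$1" "$2" | sort -rn |
        while read -r n; do
            printf 'iptables -t nat -D POSTROUTING %s\n' "$n"
        done
}

# Stand-alone run against the constructed samples.
echo "Rules that also SNAT VPN-internal traffic (bad sample):"
find_vpn_snat_rules "$SAMPLE_NAT" "$VPN_NET"
echo "Suggested removal:"
delete_cmds "$SAMPLE_NAT" "$VPN_NET"
echo "Rules flagged in the restricted sample (expected none):"
find_vpn_snat_rules "$SAMPLE_NAT_OK" "$VPN_NET"
```

On a live server, pipe the real table in instead of the sample: `iptables -t nat -L POSTROUTING -n -v --line-numbers | { find_vpn_snat_rules "$(cat)" "$VPN_NET"; }`. The asker's case, with no need for Internet NAT, is solved by deleting the rule; a server that does forward client traffic to the Internet keeps the rule but adds the `! -d` exclusion shown in the second sample.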

Here is an example of a minimal client-to-client SSL/TLS configuration that works for the following network setup:

    +------------------+
    |                  |
    |                  |
    |   10.132.0.2     |
    |   Client 1  -------------|
    |                  |       |
    +------------------+       |
                               |
                               |
                               |                                        +------------------+
                               |104.199.78.27            130.211.80.223 |                  |
                               /--------------- The Internet -----------| Client 2         |
                              /-                                        |                  |
                             /-                                         +------------------+
                            /-
    +------------------+   /-
    |                  |  /-
    |  OpenVPN server ---
    |   10.132.0.3     |
    |                  |
    +------------------+

104.199.78.27 is NATed to the OpenVPN server's internal address 10.132.0.3. The 10.8.0.0/24 network will be used for all VPN clients.

Here is the OpenVPN server configuration:

    tls-server
    proto tcp
    port 443
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    dh dh2048.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    client-to-client
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    log-append /var/log/openvpn.log
    verb 4
    mute 20

Here is the client1 configuration:

    client
    dev tun
    proto tcp-client
    remote 10.132.0.3 443
    resolv-retry infinite
    ca ca.crt
    cert client1.crt
    key client1.key
    nobind
    persist-key
    persist-tun
    comp-lzo
    status openvpn-status.log
    log-append /var/log/openvpn.log
    verb 4
    mute 20

Here is the client2 configuration:

    client
    dev tun
    proto tcp-client
    remote 104.199.78.27 443
    resolv-retry infinite
    ca ca.crt
    cert client2.crt
    key client2.key
    nobind
    persist-key
    persist-tun
    comp-lzo
    status openvpn-status.log
    log-append /var/log/openvpn.log
    verb 4
    mute 20

Once everything is up and running, we get the following IP and routing configuration:

    server% ifconfig tun0
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:27 errors:0 dropped:0 overruns:0 frame:0
              TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:3971 (3.8 KiB)  TX bytes:3051 (2.9 KiB)

    server% ip route show to match 10.8.0.0/24
    default via 10.132.0.1 dev eth0
    10.8.0.0/24 via 10.8.0.2 dev tun0

    client1% ifconfig tun0
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:3 errors:0 dropped:0 overruns:0 frame:0
              TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:252 (252.0 B)  TX bytes:252 (252.0 B)

    client1% ip route show to match 10.8.0.1
    default via 10.132.0.1 dev eth0
    10.8.0.0/24 via 10.8.0.5 dev tun0

    client2% ifconfig tun0
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.8.0.10  P-t-P:10.8.0.9  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:5 errors:0 dropped:0 overruns:0 frame:0
              TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:420 (420.0 B)  TX bytes:420 (420.0 B)

    client2% ip route show to match 10.8.0.1
    default via 10.132.0.1 dev eth0
    10.8.0.0/24 via 10.8.0.9 dev tun0

So we have client-to-client connectivity:

    server% ping -c 1 10.8.0.6
    PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
    64 bytes from 10.8.0.6: icmp_seq=1 ttl=64 time=1.45 ms

    --- 10.8.0.6 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 1.456/1.456/1.456/0.000 ms

    root@server:/etc/openvpn# ping -c 1 10.8.0.10
    PING 10.8.0.10 (10.8.0.10) 56(84) bytes of data.
    64 bytes from 10.8.0.10: icmp_seq=1 ttl=64 time=0.779 ms

    --- 10.8.0.10 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.779/0.779/0.779/0.000 ms

    client1% ping -c 1 10.8.0.10
    PING 10.8.0.10 (10.8.0.10) 56(84) bytes of data.
    64 bytes from 10.8.0.10: icmp_seq=1 ttl=64 time=1.39 ms

    --- 10.8.0.10 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 1.392/1.392/1.392/0.000 ms

    root@client1:/etc/openvpn# ping -c 1 10.8.0.1
    PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
    64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=1.54 ms

    --- 10.8.0.1 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 1.540/1.540/1.540/0.000 ms

    client2% ping -c 1 10.8.0.6
    PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
    64 bytes from 10.8.0.6: icmp_seq=1 ttl=64 time=1.12 ms

    --- 10.8.0.6 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 1.124/1.124/1.124/0.000 ms

    root@client2:/etc/openvpn# ping -c 1 10.8.0.1
    PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
    64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.584 ms

    --- 10.8.0.1 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.584/0.584/0.584/0.000 ms