One-way traffic failure over an OpenVPN tunnel between a LAN and an AWS VPC

We are trying to configure an OpenVPN tunnel that lets devices on our LAN communicate with servers in an Amazon VPC. We are using the turnkey OpenVPN Access Server instance on Amazon and followed the documentation to set up our local server as a gateway.

Diagram of the configuration: http://imgur.com/Y33PdJU

The Amazon server can communicate with router A on our LAN without problems (ping, ssh), but when we try to ping the server's private IP from router A, it does not get through. Using tcpdump, we can see the echo requests on gateway A's eth0 interface, but nothing on the tun1 interface. It seems they are not being forwarded correctly to the tun0 interface. In the OpenVPN configuration we set things up so that the client should be able to act as a gateway.

Where are we going wrong? More details below.

Left-hand gateway

netstat -rn

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         10.23.0.1       0.0.0.0         UG        0 0          0 wlan0
    10.0.0.2        10.0.2.1        255.255.255.255 UGH       0 0          0 tun1
    10.0.1.0        10.0.2.1        255.255.255.0   UG        0 0          0 tun1
    10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 tun1
    10.23.0.0       0.0.0.0         255.255.240.0   U         0 0          0 wlan0
    54.208.149.66   10.23.0.1       255.255.255.255 UGH       0 0          0 wlan0
    172.16.0.0      172.16.0.1      255.255.0.0     UG        0 0          0 tap0
    192.168.0.0     192.168.10.100  255.255.0.0     UG        0 0          0 eth0

sudo iptables --list

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere

ip route

    default via 10.23.0.1 dev wlan0 proto static
    10.0.0.2 via 10.0.2.1 dev tun1 metric 101
    10.0.1.0/24 via 10.0.2.1 dev tun1 metric 101
    10.0.2.0/24 dev tun1 proto kernel scope link src 10.0.2.12
    10.23.0.0/20 dev wlan0 proto kernel scope link src 10.23.3.197 metric 9
    54.208.149.66 via 10.23.0.1 dev wlan0
    172.16.0.0/16 via 172.16.0.1 dev tap0
    192.168.0.0/16 via 192.168.10.100 dev eth0

OpenVPN configuration

    setenv FORWARD_COMPATIBLE 1
    client
    proto tcp
    remote vpn.xxx.com
    port 3389
    dev tun
    dev-type tun
    ns-cert-type server
    reneg-sec 604800
    sndbuf 100000
    rcvbuf 100000
    # NOTE: LZO commands are pushed by the Access Server at connect time.
    # NOTE: The below line doesn't disable LZO.
    comp-lzo no
    verb 3
    setenv PUSH_PEER_INFO

ip rule

    0:      from all lookup local
    220:    from all lookup 220
    32766:  from all lookup main
    32767:  from all lookup default

ifconfig

    eth0      Link encap:Ethernet  HWaddr 44:8a:5b:57:a7:68
              inet addr:192.168.10.100  Bcast:192.168.10.255  Mask:255.255.255.0
              inet6 addr: fe80::468a:5bff:fe57:a768/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:96265 errors:0 dropped:103 overruns:0 frame:0
              TX packets:42772 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:15112811 (15.1 MB)  TX bytes:6396552 (6.3 MB)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:1420458 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1420458 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:339956597 (339.9 MB)  TX bytes:339956597 (339.9 MB)

    tap0      Link encap:Ethernet  HWaddr a6:0a:3c:76:bd:33
              inet addr:172.16.0.1  Bcast:172.16.0.255  Mask:255.255.255.0
              inet6 addr: fe80::a40a:3cff:fe76:bd33/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:138694 errors:0 dropped:1155 overruns:0 frame:0
              TX packets:118026 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:500
              RX bytes:49993976 (49.9 MB)  TX bytes:25231042 (25.2 MB)

    tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.0.2.11  PtP:10.0.2.11  Mask:255.255.255.0
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:9 errors:0 dropped:0 overruns:0 frame:0
              TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:1260 (1.2 KB)  TX bytes:1372 (1.3 KB)

    wlan0     Link encap:Ethernet  HWaddr 40:f0:2f:8f:51:5c
              inet addr:10.23.3.197  Bcast:10.23.15.255  Mask:255.255.240.0
              inet6 addr: fe80::42f0:2fff:fe8f:515c/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:2205804 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1773520 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:1823901987 (1.8 GB)  TX bytes:273830921 (273.8 MB)

Right-hand gateway

    OpenVPN Access Server Version: 2.0.8
    Accepting VPN client connections on IP address: all interfaces
    Port for VPN client connections: tcp/3389
    OSI Layer: 3 (routing/NAT)
    Clients access private subnets using: Routing

openvpnas@openvpnas2:/var/log$ netstat -rn

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         10.0.1.1        0.0.0.0         UG        0 0          0 eth0
    10.0.1.0        10.0.1.128      255.255.255.0   UG        0 0          0 eth0
    10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 as0t0
    172.16.0.0      0.0.0.0         255.255.0.0     U         0 0          0 as0t0
    192.168.0.0     0.0.0.0         255.255.0.0     U         0 0          0 as0t0

I think something has been overlooked here. Simply put, you need to create a ccd folder and specify its path in the openvpn conf file, like this:

    client-config-dir /path-to-ccd/ccd

Inside that folder you should create a separate file corresponding to the specific vpn conf (if you have username-as-common-name in the conf, then the cert's name is the name of this file), and put the internal subnet into that file, for example

    iroute 192.168.xx 255.255.xx

That way openvpn will know how to reach the internal subnet.

More on this here: https://community.openvpn.net/openvpn/wiki/RoutedLans

Hope this helps.
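A consistency check that follows from the answer above, added here as an example and not part of the original answer or of OpenVPN itself: the server also needs a kernel `route` directive for every client `iroute`, and this script (with constructed server.conf and ccd contents, hypothetical client names, and the subnets from the question) flags any iroute that no server-side route covers.

```python
import ipaddress

# Constructed server-side fragment (community-edition directives, not the
# Access Server config from the question). Subnets come from the question:
# 10.0.2.0/24 is the VPN subnet, 192.168.0.0/16 the LAN behind gateway A.
SERVER_CONF = """\
server 10.0.2.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
route 192.168.0.0 255.255.0.0        # kernel route: send the LAN to the tun device
push "route 10.0.1.0 255.255.255.0"  # VPC subnet from the question, pushed to clients
"""

# Constructed ccd files keyed by the client's certificate CN (hypothetical names).
# "laptop" claims 172.16.0.0/16, but server.conf has no matching 'route' for it.
CCD_FILES = {
    "gateway-a": "iroute 192.168.0.0 255.255.0.0\n",
    "laptop": "iroute 172.16.0.0 255.255.0.0\n",
}


def parse_routes(text, keyword):
    """Return the set of networks named by every '<keyword> <net> <mask>' line."""
    nets = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()      # drop trailing comments
        if len(parts) >= 3 and parts[0] == keyword:
            nets.add(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets


def check_iroutes(server_conf, ccd_files):
    """OpenVPN needs both halves: 'route' so the kernel hands the LAN to the tun
    device, and 'iroute' so OpenVPN knows which client owns it. Report every
    iroute that no server-side 'route' covers, plus a missing client-config-dir.
    Returns {name: [problems]}; an empty dict means the pairing is consistent."""
    problems = {}
    if "client-config-dir" not in server_conf:
        problems["server"] = ["client-config-dir not set, ccd files are never read"]
    kernel_routes = parse_routes(server_conf, "route")
    for name, text in ccd_files.items():
        for net in parse_routes(text, "iroute"):
            if not any(net.subnet_of(r) for r in kernel_routes):
                problems.setdefault(name, []).append(
                    f"iroute {net} has no matching 'route' in server.conf")
    return problems


if __name__ == "__main__":
    for who, issues in check_iroutes(SERVER_CONF, CCD_FILES).items():
        print(who, "->", "; ".join(issues))
```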