I am trying to set up a site-to-site VPN using OpenVPN. The initial setup is done, and my OpenVPN client-side nodes (201.100.0.x) can communicate with the OpenVPN server-side nodes (192.0.0.x). However, if I ping any client-side node (201.100.0.18) from a server-side node (192.0.0.32), I get no reply (I have added the correct routes on the endpoints). Analysing with tcpdump, I can see the ping reply arriving at my OpenVPN server.
Server node: 192.0.0.32 (eth0)
Server: 192.0.0.39 (eth0); 10.8.0.1 (tun0)
Client node: 201.100.0.18 (eth0)
OpenvpnClient: 201.100.0.11 (eth0); 10.8.0.6 (tun0)
server node> ping 201.100.0.18 -c 1
PING 201.100.0.18 (201.100.0.18) 56(84) bytes of data.

--- 201.100.0.18 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 10000ms
This is the tcpdump on the OpenVPN server's eth0:
vpnserver> tcpdump -nni eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
09:41:00.796021 IP 192.0.0.32 > 201.100.0.18: ICMP echo request, id 47432, seq 1, length 64
09:41:00.836637 IP 201.100.0.18 > 192.0.0.32: ICMP echo reply, id 47432, seq 1, length 64
The ping reply comes back to 192.0.0.32 but is not forwarded to 192.0.0.39; I need to know why.
IP forwarding is enabled. You can see the existing firewall rules below:
*filter
:INPUT ACCEPT [397:39519]
:FORWARD ACCEPT [6:504]
:OUTPUT ACCEPT [362:40521]
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
COMMIT
# Completed on Thu Nov 3 09:45:05 2016
# Generated by iptables-save v1.4.7 on Thu Nov 3 09:45:05 2016
*nat
:PREROUTING ACCEPT [31:3889]
:POSTROUTING ACCEPT [22:1848]
:OUTPUT ACCEPT [6:504]
-A POSTROUTING -o eth0 -j MASQUERADE   << before adding this rule, client-side nodes were not able to access server-side nodes
COMMIT
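When a reply is visible in one capture but the sender still reports 100% loss, the quickest way to narrow down the hop where it disappears is to capture at several vantage points and pair echo requests with replies by ICMP id and sequence number. The script below is an added example (not part of the question); it parses tcpdump -nn output in the format shown above, and the second capture (taken on the server node) is constructed to illustrate the reply being lost before it reaches 192.0.0.32.

```python
import re
from collections import defaultdict

# tcpdump -nn ICMP line format, e.g.:
# 09:41:00.796021 IP 192.0.0.32 > 201.100.0.18: ICMP echo request, id 47432, seq 1, length 64
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo "
    r"(?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def parse_icmp(capture):
    """Return one dict per echo request/reply line; headers and non-ICMP lines are skipped."""
    pkts = []
    for line in capture.splitlines():
        m = ICMP_RE.search(line.strip())
        if m:
            d = m.groupdict()
            d["id"], d["seq"] = int(d["id"]), int(d["seq"])
            pkts.append(d)
    return pkts

def pair_echoes(capture):
    """Group packets of one capture by (id, seq) -> {"request": (src, dst) | None, "reply": ...}."""
    pairs = defaultdict(lambda: {"request": None, "reply": None})
    for p in parse_icmp(capture):
        pairs[(p["id"], p["seq"])][p["kind"]] = (p["src"], p["dst"])
    return dict(pairs)

def locate_break(captures):
    """captures: {vantage_name: capture_text}. For every (id, seq) list the vantage points
    that saw the request and those that saw the reply; the hop where the reply vanishes
    is the one that appears in the first list but not the second."""
    report = {}
    for name, text in captures.items():
        for key, sides in pair_echoes(text).items():
            e = report.setdefault(key, {"request_seen_at": [], "reply_seen_at": []})
            if sides["request"]:
                e["request_seen_at"].append(name)
            if sides["reply"]:
                e["reply_seen_at"].append(name)
    return report

def reply_lost_at(captures):
    """Return {(id, seq): [vantage points that saw the request but never the reply]}."""
    return {k: [v for v in e["request_seen_at"] if v not in e["reply_seen_at"]]
            for k, e in locate_break(captures).items()
            if len(e["reply_seen_at"]) < len(e["request_seen_at"])}

# Constructed sample: the first capture is the OpenVPN server's eth0 from the question,
# the second is what the pinging server node itself would see (reply never arrives).
SAMPLE_CAPTURES = {
    "server node eth0": "09:41:00.795800 IP 192.0.0.32 > 201.100.0.18: ICMP echo request, id 47432, seq 1, length 64\n",
    "vpnserver eth0": ("listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes\n"
        "09:41:00.796021 IP 192.0.0.32 > 201.100.0.18: ICMP echo request, id 47432, seq 1, length 64\n"
        "09:41:00.836637 IP 201.100.0.18 > 192.0.0.32: ICMP echo reply, id 47432, seq 1, length 64\n"),
}
```

Running reply_lost_at(SAMPLE_CAPTURES) reports the reply for id 47432 / seq 1 missing at "server node eth0" only, which points at the path between the VPN server's eth0 and the server node rather than at the tunnel.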