openvpn does not route traffic to the client subnet

Question (votes: 0, answers: 1)

I have configured openvpn on my ubuntu server (OpenVPN 2.4.12 x86_64-pc-linux-gnu). My openvpn client (an openwrt router) is able to set up the VPN with my openvpn server. The problem is that I cannot reach my client's private network (192.168.8.0/24) from the openvpn server.

openvpn server: IP 192.168.2.12 (tun0 10.8.0.1)
openvpn client: IP 192.168.8.1 (tun0 10.8.0.4)

From my openvpn server I can ping 10.8.0.4, but not 192.168.8.1.

Using `tcpdump -i tun0` on my openvpn server, I found that when I ping 192.168.8.1 I see no ping traffic on my tun0 interface. So it is not routing 192.168.8.1 into my tunnel. Traceroute confirms this as well: it shows that 192.168.8.1 is sent to my router (192.168.2.1):

root@nuc2:~# traceroute 192.168.8.1
traceroute to 192.168.8.1 (192.168.8.1), 64 hops max
  1   192.168.2.1  0,210ms  0,226ms  * 
  2   *  *  * 

FYI, a traceroute from my openvpn server to the VPN IP address of my vpn client gives the following:

traceroute to 10.8.0.4 (10.8.0.4), 64 hops max
  1   10.8.0.4  7,268ms  7,170ms  6,670ms 
root@nuc2:~# 

Here is my `/etc/openvpn/server/server.conf` file:

local 192.168.2.12
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
route 192.168.8.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 192.168.2.1"
push "dhcp-option DOMAIN lan"
push "dhcp-option DOMAIN-SEARCH lan"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
client-config-dir /etc/openvpn/client

I also created a file `/etc/openvpn/client/gl-inet.conf` with the following content, which I believe should ensure that traffic for the subnet 192.168.8.0/24 on my openvpn server is routed into the VPN:

iroute 192.168.8.0 255.255.255.0

Note that in the log file on the openvpn server (using the command `tail -f /var/log/syslog | grep -i vpn`) I see nothing indicating that this file (gl-inet.conf) has been read or that the route has been processed. So the name gl-inet.conf may be wrong, or some additional step is needed to make sure the client config file is processed.

FYI, an excerpt from `tail -f /var/log/syslog | grep -i vpn`:

Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 TLS: Initial packet from [AF_INET]192.168.2.1:44409, sid=577f0ed8 416e3b2c
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 VERIFY OK: depth=1, CN=ChangeMe
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 VERIFY OK: depth=0, CN=gl-inet
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 peer info: IV_VER=2.5.2
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 peer info: IV_PLAT=linux
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 peer info: IV_PROTO=6
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 peer info: IV_NCP=2
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-256-CBC
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 peer info: IV_LZ4=1
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 peer info: IV_LZ4v2=1
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 peer info: IV_LZO_STUB=1
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 peer info: IV_COMP_STUB=1
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 peer info: IV_COMP_STUBv2=1
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 peer info: IV_TCPNL=1
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 [gl-inet] Peer Connection Initiated with [AF_INET]192.168.2.1:44409
Jan 21 10:38:23 nuc2 openvpn[5147]: MULTI: new connection by client 'gl-inet' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Jan 21 10:38:23 nuc2 openvpn[5147]: MULTI_sva: pool returned IPv4=10.8.0.4, IPv6=(Not enabled)
Jan 21 10:38:23 nuc2 openvpn[5147]: MULTI: Learn: 10.8.0.4 -> gl-inet/192.168.2.1:44409
Jan 21 10:38:23 nuc2 openvpn[5147]: MULTI: primary virtual IP for gl-inet/192.168.2.1:44409: 10.8.0.4
Jan 21 10:38:25 nuc2 openvpn[5147]: gl-inet/192.168.2.1:44409 PUSH: Received control message: 'PUSH_REQUEST'
Jan 21 10:38:25 nuc2 openvpn[5147]: gl-inet/192.168.2.1:44409 SENT CONTROL [gl-inet]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 192.168.2.1,dhcp-option DOMAIN lan,dhcp-option DOMAIN-SEARCH lan,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.4 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Jan 21 10:38:25 nuc2 openvpn[5147]: gl-inet/192.168.2.1:44409 Data Channel: using negotiated cipher 'AES-256-GCM'
Jan 21 10:38:25 nuc2 openvpn[5147]: gl-inet/192.168.2.1:44409 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 21 10:38:25 nuc2 openvpn[5147]: gl-inet/192.168.2.1:44409 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

I have also defined a static route to my openvpn server on the router of my openvpn server's network.

routes openvpn subnet
1 answer
0 votes

It seems that the route to 192.168.8.0/24 is being ignored.

What does `route` show?
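As an added consistency check (not part of the question or the answer above, and not OpenVPN's own tooling): the script below reads an OpenVPN server.conf and the contents of client-config-dir and reports the mismatches that leave a client LAN unreachable: a missing client-config-dir, a CCD file whose name is not exactly the client's CN (OpenVPN reads only the file named after the CN, falling back to DEFAULT), a `route` with no matching `iroute`, and an `iroute` with no matching kernel `route`. The trimmed server.conf, the iroute line and the CN "gl-inet" come from the question and its log; comparing the file names "gl-inet.conf" and "gl-inet" is a constructed illustration.

```python
import ipaddress

# Constructed sample: the routing-relevant lines of the server.conf from the question,
# plus the client CN that the server log reports ("VERIFY OK: depth=0, CN=gl-inet").
SERVER_CONF = """\
local 192.168.2.12
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
route 192.168.8.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
client-config-dir /etc/openvpn/client
"""
CLIENT_CN = "gl-inet"
IROUTE_LINE = "iroute 192.168.8.0 255.255.255.0\n"

def parse_nets(text, keyword):
    """Collect the networks declared by `keyword` (route or iroute) lines, ignoring comments."""
    nets = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(parts) >= 3 and parts[0] == keyword:
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets

def check_site_to_site(server_conf, ccd_files, client_cn):
    """Return findings for a server.conf plus CCD directory (name -> contents); [] means consistent."""
    findings = []
    options = {p[0] for p in (line.split() for line in server_conf.splitlines()) if p}
    if "client-config-dir" not in options:
        findings.append("server.conf lacks client-config-dir, so no CCD file is ever read")
    if client_cn not in ccd_files:
        near = [n for n in ccd_files if n.startswith(client_cn)]
        hint = f" (found {near[0]!r}; the file name must be the exact CN, no extension)" if near else ""
        findings.append(f"no CCD file named exactly {client_cn!r}{hint}")
    # OpenVPN applies only the CCD file named after the CN, or DEFAULT if that is absent.
    active = ccd_files.get(client_cn, ccd_files.get("DEFAULT", ""))
    kernel = parse_nets(server_conf, "route")
    iroutes = parse_nets(active, "iroute")
    # An iroute without a covering kernel route: the host never hands the packet to tun.
    for net in iroutes:
        if not any(net.subnet_of(r) for r in kernel):
            findings.append(f"iroute {net} has no matching route in server.conf")
    # A kernel route without an iroute: OpenVPN has no client to deliver the packet to.
    for r in kernel:
        if not any(n.subnet_of(r) for n in iroutes):
            findings.append(f"route {r} has no iroute in the CCD file applied to {client_cn!r}")
    return findings

if __name__ == "__main__":
    for name in ("gl-inet.conf", "gl-inet"):
        print(name, check_site_to_site(SERVER_CONF, {name: IROUTE_LINE}, CLIENT_CN))
```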
