按照
here描述的步骤,我设法配置VPN服务器和客户端(我可以双向ping).他们各自的配置文件是:
服务器:
;local a.b.c.d port 1194 ;proto tcp proto udp push "redirect-gateway def1" ;dev tap dev tun ca ca.crt cert certificate_server.crt key certificate_server.key dh dh1024.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 ;server-bridge ;push "route 192.168.10.0 255.255.255.0" ;push "route 192.168.20.0 255.255.255.0" ;client-config-dir ccd ;route 192.168.40.128 255.255.255.248 ;client-config-dir ccd ;route 10.9.0.0 255.255.255.252 ;learn-address ./script ;push "redirect-gateway def1 bypass-dhcp" ;push "dhcp-option DNS 208.67.222.222" ;push "dhcp-option DNS 208.67.220.220" ;client-to-client ;duplicate-cn keepalive 10 120 comp-lzo persist-key persist-tun status openvpn-status.log ;log openvpn.log ;log-append openvpn.log
客户:
client ;dev tap dev tun ;dev-node MyTap ;proto tcp proto udp remote <external_server_ip> 1194 ;remote my-server-2 1194 push "dhcp-option DNS 10.8.0.1" ;remote-random resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert certificate_client.crt key certificate_client.key ns-cert-type server ;tls-auth ta.key 1 comp-lzo
网络布局如下:我使用客户端连接到位于NAT后面的服务器.我已经在NAT设备上转发了端口1194,并成功地ping了服务器.现在我想将来自客户端eth0接口的所有流量路由到tun0接口.在客户端上运行ifconfig给出:
eth0 Link encap:Ethernet HWaddr 01:02:03:04:05:06
inet addr:172.26.0.206 Bcast:172.26.255.255 Mask:255.255.0.0
inet6 addr: fe80::3285:a9ff:fe0b:fee8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:15579878 errors:0 dropped:2 overruns:0 frame:0
TX packets:3774742 errors:0 dropped:0 overruns:0 carrier:4
collisions:0 txqueuelen:1000
RX bytes:7365014496 (7.3 GB) TX bytes:349016660 (349.0 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:132571 errors:0 dropped:0 overruns:0 frame:0
TX packets:132571 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6718530 (6.7 MB) TX bytes:6718530 (6.7 MB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:1296 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:102968 (102.9 KB)
wlan0 Link encap:Ethernet HWaddr 01:01:01:01:01:01
inet addr:192.168.0.103 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::de85:deff:fe32:241f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:284664 errors:0 dropped:0 overruns:0 frame:0
TX packets:99157 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:177617284 (177.6 MB) TX bytes:32064393 (32.0 MB)
在服务器输出上运行命令时:
eth0 Link encap:Ethernet HWaddr 06:05:04:03:02:01
inet addr:192.168.2.7 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::219:d1ff:fefe:de8a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:44596 errors:0 dropped:0 overruns:0 frame:0
TX packets:22418 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9082333 (9.0 MB) TX bytes:5007949 (5.0 MB)
Interrupt:20 Memory:e3200000-e3220000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:394157 errors:0 dropped:0 overruns:0 frame:0
TX packets:394157 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:19763027 (19.7 MB) TX bytes:19763027 (19.7 MB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:7615 errors:0 dropped:0 overruns:0 frame:0
TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:463861 (463.8 KB) TX bytes:588 (588.0 B)
在我的客户端上启用IPv4数据包转发;我在客户端计算机上的路由表是:
客户:
$netstat -nr Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 0.0.0.0 10.8.0.5 128.0.0.0 UG 0 0 0 tun0 0.0.0.0 172.26.0.1 0.0.0.0 UG 0 0 0 eth0 10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun0 10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 <server_external_ip> 172.26.0.1 255.255.255.255 UGH 0 0 0 eth0 128.0.0.0 10.8.0.5 128.0.0.0 UG 0 0 0 tun0 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0 172.26.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
在服务器上:
服务器:
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0 10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0 10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
如何在客户端计算机上将所有流量从eth0路由到tun0?我尝试在路由表中添加一个条目:
sudo route add default gw 10.8.0.1
输出是:
SIOCADDRT: No such process
此外,在此步骤之后连接停止工作,我无法再从客户端ping服务器;无法再转发eth0上的流量.
解决方法
您的OpenVPN实例正在使用点对点模式,因此您的默认网关不是10.8.0.1.
查看您的客户端路由表,似乎OpenVPN客户端已正确设置路由,因此VPN服务器现在是您的默认网关(这由服务器配置中的redirect-gateway def1指示):
Destination Gateway Genmask Flags MSS Window irtt Iface 0.0.0.0 10.8.0.5 128.0.0.0 UG 0 0 0 tun0 128.0.0.0 10.8.0.5 128.0.0.0 UG 0 0 0 tun0
所以你基本上已经实现了你想要的东西 – 让最初通过eth0的所有流量现在都转到tun0.
如果您想知道为什么在拨打VPN后无法访问互联网(无法访问其他网站),您可以按照@Bill说的那样:在服务器上设置NAT和IP转发.
这也很简单:
# sysctl -w net.ipv4.ip_forwarding = 1 # iptables -t nat -A POSTROUTING ! -o lo -j MASQUERADE
如果你是偏执狂,请根据@ Bill的答案更改第二行.
