Routing Internet traffic through a VPN tunnel

Question:

I have a Raspberry Pi 3B on which I installed and configured an OpenVPN server, following this OpenVPN community guide: https://openvpn.net/community-resources/how-to/. I connect to this server from a Windows machine, and that works fine. I am trying to configure the server so that IPv4 internet traffic is routed through the tunnel. The problem is that while connected to the VPN server, IPv4 websites do not load at all, but IPv6 traffic still flows, so IPv6 websites load normally. I configured NAT according to the community guide using the command:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE



Addendum: 192.168.2.1 is the IP of the WLAN router that the Pi is connected to via Ethernet.

Server configuration

port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
keepalive 10 120
tls-auth /etc/openvpn/server/ta.key 0
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
push "redirect-gateway local def1"
push "dhcp-option DNS 10.8.0.1"



Client configuration

client
dev tun
proto udp
remote 192.168.2.129 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
redirect-gateway local def1



IPv4 rules

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 443 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied:"
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied:"
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED -m udp --sport 1194 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 1194 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 443 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_OUTPUT_denied:"
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT



IPv6 rules

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -j REJECT --reject-with icmp6-port-unreachable
-A OUTPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT



IP routing table

Destination  Gateway      Genmask          Flags MSS Window irtt Iface
0.0.0.0      192.168.2.1  0.0.0.0          UG    0   0      0    eth0
10.8.0.0     10.8.0.2     255.255.255.0    UG    0   0      0    tun0
10.8.0.2     0.0.0.0      255.255.255.255  UH    0   0      0    tun0
192.168.2.1  0.0.0.0      255.255.255.0    U     0   0      0    eth0



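Added example, not code from the question or either answer. The question's IPv4 ruleset masquerades the VPN subnet, but its FORWARD chain contains only a rate-limited LOG followed by an unconditional REJECT, so a packet arriving on tun0 and bound for eth0 is never forwarded; NAT alone does not make the Pi a gateway (and net.ipv4.ip_forward must be 1 as well). The script below audits an iptables-save style dump for exactly those two conditions by walking the FORWARD chain with first-match semantics, and then runs itself against an abridged copy of the question's rules and against a repaired copy. Interface names and the subnet are the question's values; the function names and the embedded rulesets are this example's own. The Pi's ip6tables rules do not touch the Windows client's own IPv6 path, which is why IPv6 sites kept loading directly in the question; that leak has to be addressed on the client.

```shell
#!/bin/sh
# Added example; not code from the question or either answer. Audits an
# iptables-save style dump for the two things an OpenVPN gateway needs before
# VPN clients' IPv4 traffic can leave through the LAN interface:
#   1. a FORWARD rule that ACCEPTs tun -> wan packets before the chain's
#      catch-all REJECT (the question's FORWARD chain holds only LOG + REJECT);
#   2. a MASQUERADE rule for the VPN subnet in the nat table's POSTROUTING chain.
# Interface names and the subnet are the question's values; function names and
# the two embedded rulesets are this example's own (one abridged from the
# question, one repaired). Negated matches ("! -i") are not interpreted.

# forward_verdict FILE TUN WAN NET: print the target of the first filter/FORWARD
# rule that can match a TUN -> WAN packet from NET (first-match walk, as the
# kernel does it). LOG is non-terminating and is skipped; rules bound to another
# interface or source subnet cannot match and are skipped. Prints POLICY when no
# rule matched, i.e. the chain policy decides.
forward_verdict() {
  awk -v tun="$2" -v wan="$3" -v net="$4" '
    /^\*/ { table = substr($0, 2); next }
    table != "filter" || $1 != "-A" || $2 != "FORWARD" { next }
    {
      target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-i" && $(i+1) != tun) next
        if ($i == "-o" && $(i+1) != wan) next
        if ($i == "-s" && $(i+1) != net) next
        if ($i == "-j") target = $(i+1)
      }
      if (target == "" || target == "LOG") next
      found = 1; print target; exit
    }
    END { if (!found) print "POLICY" }
  ' "$1"
}

# chain_policy FILE CHAIN: print the default policy of a filter-table chain.
chain_policy() {
  awk -v chain=":$2" '$1 == chain { print $2; exit }' "$1"
}

# has_masquerade FILE NET: succeed if nat/POSTROUTING masquerades traffic from NET.
has_masquerade() {
  awk -v net="$2" '
    /^\*/ { table = substr($0, 2); next }
    table == "nat" && $1 == "-A" && $2 == "POSTROUTING" {
      src = ""; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-s") src = $(i+1)
        if ($i == "-j") target = $(i+1)
      }
      if (src == net && target == "MASQUERADE") { found = 1; exit }
    }
    END { exit !found }
  ' "$1"
}

# audit_ruleset FILE TUN WAN NET: exit 0 when the ruleset both forwards and
# NATs VPN client traffic, 1 otherwise, printing one line per failed check.
audit_ruleset() {
  rc=0
  verdict=$(forward_verdict "$1" "$2" "$3" "$4")
  if [ "$verdict" = "POLICY" ]; then verdict="POLICY:$(chain_policy "$1" FORWARD)"; fi
  case "$verdict" in
    ACCEPT|POLICY:ACCEPT) ;;
    *) echo "FORWARD: $2 -> $3 traffic from $4 hits $verdict, not ACCEPT"; rc=1 ;;
  esac
  if ! has_masquerade "$1" "$4"; then
    echo "nat: no POSTROUTING MASQUERADE rule for $4"; rc=1
  fi
  return $rc
}

# Abridged copy of the question's IPv4 rules plus the nat rule its MASQUERADE
# command creates; the FORWARD chain logs and then rejects everything.
question_rules() {
  cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied:"
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Repaired version: explicit forwarding rules placed ahead of the LOG/REJECT pair.
repaired_rules() {
  question_rules | awk '
    $1 == "-A" && $2 == "FORWARD" && !done {
      print "-A FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -m state --state NEW,ESTABLISHED -j ACCEPT"
      print "-A FORWARD -i eth0 -o tun0 -d 10.8.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT"
      done = 1
    }
    { print }'
}

# Stand-alone run: audit both embedded rulesets.
demo() {
  f=$(mktemp)
  for rs in question_rules repaired_rules; do
    "$rs" > "$f"
    if audit_ruleset "$f" tun0 eth0 10.8.0.0/24; then echo "$rs: OK"; else echo "$rs: FAIL"; fi
  done
  rm -f "$f"
}
demo
```

To audit a live box, feed it `iptables-save > /tmp/rules && audit_ruleset /tmp/rules tun0 eth0 10.8.0.0/24`. The walk only considers `-i`, `-o` and `-s`, so a rule that restricts by port or state is treated as if it could match; that is the conservative direction for a "will this ever be forwarded" check, but it means a passing audit is a necessary condition, not proof of a working tunnel.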

Answer 1:

Your problem is fairly simple: your Windows client and the VPN server are both on 192.168.2.0/24 with gw 192.168.2.1. You should set the default gw to the VPN server's virtual IP inside the tunnel; check with

ip addr

or simply add log /var/ovpn.log to your config and look at the real IP. Then set 192.168.2.1 as the gw for net 192.168.2.0/24. Once this routing table is in place, the Windows machine will know that 192.168.2.1 is for reaching the VPN server, while all other traffic outside 192.168.2.0/24 goes to the server's virtual IP to be routed.


Answer 2:

-N WHATEVER
-A WHATEVER -j LOG --log-prefix "iptables_FORWARD_denied:"
-A WHATEVER -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m limit --limit 3/min -g WHATEVER



