主页 / server / 问题 / 103251
Accepted
Sunny
Asked: 2010-01-16 17:00:11 +0800 CST

openvpn双重安装(客户端和服务器)路由问题

  • 772

我有以下安装:

生产网 (10.88.88.0/24)

办公网 (192.168.2.0/24)

在 PROD 上我有 openvpn 服务器 (vpnprod),所以 OFFICE 可以连接。

在 OFFICE 我有 openvpn 机器 (vpnoffice),它同时运行 openvpn 服务器以允许外部用户以及客户端连接到 PROD。

vpnprod 和 vpnoffice 都在运行 linux。

一切正常,即从OFFICE(任何机器),我可以连接到PROD(任何) - 有一些限制。

我已经正确设置了所有路由。

此外,我可以将客户端连接到 OFFICE,并且他们可以访问 OFFICE 机器 - 没问题。

如果客户端(远程,连接到 OFFICE)尝试访问某些 PROD 机器,则会失败。它超时。

我已经在 vpnoffice 的两个 tun 接口上运行了 tcpdump,它显示了连接的客户端发送的数据包。我猜这意味着那里的路由没问题。

但是在 vpnprod 上的 tun0 上,我根本看不到这些数据包——它们根本没有到达那里。

所以,回顾一下:

officemachine -> vpnoffice -> vpnprod -> prodmachine - WORKS
remote -> vpnoffice -> officemachine - WORKS
remote -> vpnoffice -> vpnprod -> prodmachine - FAILS!!!

我对 tcpdump 或类似工具的了解不是很好。知道如何解决这个问题以及如何调查它吗?

我还需要检查什么?

我检查了防火墙规则 (IPTABLES) 和每条规则,这些规则会删除日志中的任何请求写入。但是我没有看到从远程客户端通过 vpnoffice 到 vpmprod 发出的这个特定请求的任何条目。

根据@Andrew McGregor 的要求(我在括号中做了一些解释):

ip 地址 (vpnprod):

> ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2(DMZ): eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:60:cf:20:bb:54 brd ff:ff:ff:ff:ff:ff
    inet 10.88.8.1/24 brd 10.88.8.255 scope global eth2
    inet6 fe80::260:cfff:fe20:bb54/64 scope link
       valid_lft forever preferred_lft forever
3(internal): eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:10:18:02:30:c4 brd ff:ff:ff:ff:ff:ff
    inet 10.88.88.1/24 brd 10.88.88.255 scope global eth1
    inet6 fe80::210:18ff:fe02:30c4/64 scope link
       valid_lft forever preferred_lft forever
4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:02:b3:25:94:7d brd ff:ff:ff:ff:ff:ff
    inet MY_EXT_NET/28 brd EXT_IP_BCAST scope global eth0
    inet EXT_IP_1/28 brd EXT_IP_BCAST scope global secondary eth0:FWB1
    inet EXT_IP_2/28 brd EXT_IP_BCAST scope global secondary eth0:FWB2
    inet EXT_IP_3/28 brd EXT_IP_BCAST scope global secondary eth0:FWB3
    inet EXT_IP_4/28 brd EXT_IP_BCAST scope global secondary eth0:FWB4
    inet6 MY::PROD:EXT:NET:XXXX/64 scope link
       valid_lft forever preferred_lft forever
5(OTHER_INT_NET): eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:b0:d0:b0:bd:94 brd ff:ff:ff:ff:ff:ff
    inet 172.19.2.193/27 brd 172.19.2.223 scope global eth3
    inet 172.19.2.194/27 brd 172.19.2.223 scope global secondary eth3:FWB5
    inet 172.19.2.195/27 brd 172.19.2.223 scope global secondary eth3:FWB6
    inet6 fe80::2b0:d0ff:feb0:bd94/64 scope link
       valid_lft forever preferred_lft forever
6: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
7(PRODVPN server): tun0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/[65534]
    inet 10.136.136.1 peer 10.136.136.2/32 scope global tun0

因此,tun0 是 prod 上的 vpn 服务器,它绑定到 EXT_IP_1 ip 地址。

ip 路由 prodvpn:

10.136.136.2 dev tun0  proto kernel  scope link  src 10.136.136.1
EXT_NET/28 dev eth0  proto kernel  scope link  src EXT_NET_IP0
172.19.2.192/27 dev eth3  proto kernel  scope link  src 172.19.2.193
10.136.135.0/24 via 10.136.136.2 dev tun0
192.168.2.0/24 (office_int) via 10.136.136.2 dev tun0
192.168.1.0/24 (office_DMZ) via 10.136.136.2 dev tun0
10.39.3.0/24 via 172.19.2.222 dev eth3
10.88.88.0/24 dev eth1  proto kernel  scope link  src 10.88.88.1
10.39.12.0/24 via 172.19.2.222 dev eth3
10.88.8.0/24 dev eth2  proto kernel  scope link  src 10.88.8.1
10.136.136.0/24 via 10.136.136.2 dev tun0
10.176.0.0/16 (OTHER_INT_NET) via 172.19.2.222 dev eth3
169.254.0.0/16 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
default via EXT_IP_ISP_GATEWAY dev eth0

ip 地址 officevpn:

1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0(officeDMZ): <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:d0:b7:84:ab:a2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
3: eth1(office external IPs): <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:06:5b:39:c4:21 brd ff:ff:ff:ff:ff:ff
    inet OFF_EXT_IP1/29 brd 216.17.90.95 scope global eth1
    inet OFF_EXT_IP2/29 brd 216.17.90.95 scope global secondary eth1:FWB1
    inet OFF_EXT_IP3/29 brd 216.17.90.95 scope global secondary eth1:FWB2
    inet OFF_EXT_IP4/29 brd 216.17.90.95 scope global secondary eth1:FWB3
4: eth2(office_internal): <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:da:d7:14:77 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.254/24 brd 192.168.2.255 scope global eth2
11: tun1(officevpn_server): <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
    link/[65534]
    inet 10.136.135.1 peer 10.136.135.2/32 scope global tun1
12: tun0(officevpn-client-to-prod): <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
    link/[65534]
    inet 10.136.136.6 peer 10.136.136.5/32 scope global tun0

tun1 绑定到 OFF_EXT_IP1 以服务连接客户端。

ip 路由 officevpn:

10.136.135.2 dev tun1  proto kernel  scope link  src 10.136.135.1
10.136.136.5 dev tun0  proto kernel  scope link  src 10.136.136.6
10.136.136.1 via 10.136.136.5 dev tun0
EXT_IP_NET/29 dev eth1  proto kernel  scope link  src EXT_IP1
172.19.2.192/27 via 10.136.136.5 dev tun0
10.135.137.0/24 via 10.136.135.2 dev tun1
10.136.135.0/24 via 10.136.135.2 dev tun1
192.168.2.0/24 dev eth2  proto kernel  scope link  src 192.168.2.254
10.39.3.0/24 via 10.136.136.5 dev tun0
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
10.88.88.0/24 via 10.136.136.5 dev tun0
10.39.12.0/24 via 10.136.136.5 dev tun0
10.88.8.0/24 via 10.136.136.5 dev tun0
10.176.0.0/16 via 10.136.136.5 dev tun0
169.254.0.0/16 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
default via EXT_IP0(ISP GW) dev eth1

总结一下:在 prod env 上,我有 4 个外部 IP 地址,绑定到一个接口。我有 1 个内部网络(绑定到 2 个接口)和一个 DMZ(第四个接口):

  • PROD_INT_ZONE1 - 10.88.88.x
  • PROD_INT_ZONE2 - 172.xxx(后面是 10.176.xx - 它有自己的路由器)
  • PROD_DMZ - 10.88.8.x
  • EXTERNAP_IPs - EXT_IPxx
  • openvpnserver (绑定到 EXT_IP) - tun0

在办公室:

  • OFFICE_INT_ZONE - 192.168.2.x
  • OFFICE_DMZ - 192.168.1.x
  • OFFICE_EXT_IPs - OFF_EXT_IPx
  • openvpn 服务器 - tun1
  • openvpn 客户端(连接到产品)- tun0
firewall routing openvpn tcpdump

1 个回答

  1. Best Answer

    我的猜测是远程客户端不知道 PROD 网络。通过OFFICE服务器推送路由。will之类的东西 push "route 10.88.88.0 255.255.255.0" 应该这样做。

    • 0

相关问题