I have a home network with a DSL router. One machine on the network opens an OpenVPN connection to a third-party VPN provider. That machine then acts as the router for every machine on my network whose gateway is set to it, giving them internet access through the VPN. Some machines must have the DSL router as their gateway and reach the internet without the VPN.
When I am not at home I want to reach my home network through the DSL router. For that I created a second OpenVPN connection on the machine that provides the VPN; it listens on port 1194, and I forward that port on my DSL router. However, I can only reach that port while the first VPN is down.
I suspect there is some simple routing mistake that I cannot see.
Some basic information:
# 192.168.178.1 is my DSL router.
# 192.168.178.8 is the machine that opens the tun0 vpn connection and routes all traffic through tun0.
# xx.xxx.xxx.xxx is the ip of my third party vpn provider.
# (not relevant but shows up below) Port 33075 is open from the vpn side and is forwarded to a specific machine on the network.
# tun1 was created on 192.168.178.8 with port 1194 for access from outside.
# Port 1194 is opened on the DSL router (192.168.178.1) and forwarded to 192.168.178.8
With tun0 and tun1 down:
% route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.178.1 0.0.0.0 UG 0 0 0 eno1
192.168.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eno1
% ip route
default via 192.168.178.1 dev eno1 proto static
192.168.0.0/16 dev eno1 proto kernel scope link src 192.168.178.8
% sudo iptables-save
(empty output)
With only tun1 up: the forwarded port 1194 shows as open from outside (not via the VPN)
% route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.178.1 0.0.0.0 UG 0 0 0 eno1
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun1
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun1
192.168.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eno1
% ip route
default via 192.168.178.1 dev eno1 proto static
10.8.0.0/24 via 10.8.0.2 dev tun1
10.8.0.2 dev tun1 proto kernel scope link src 10.8.0.1
192.168.0.0/16 dev eno1 proto kernel scope link src 192.168.178.8
% sudo iptables-save
(empty output)
With both tun0 and tun1 up: the forwarded port 1194 shows as closed from outside (not via the VPN)
% route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.28.78.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.178.1 0.0.0.0 UG 0 0 0 eno1
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun1
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun1
10.28.78.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
xx.xxx.xxx.xxx 192.168.178.1 255.255.255.255 UGH 0 0 0 eno1
128.0.0.0 10.28.78.1 128.0.0.0 UG 0 0 0 tun0
192.168.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eno1
% ip route
0.0.0.0/1 via 10.28.78.1 dev tun0
default via 192.168.178.1 dev eno1 proto static
10.8.0.0/24 via 10.8.0.2 dev tun1
10.8.0.2 dev tun1 proto kernel scope link src 10.8.0.1
10.28.78.0/24 dev tun0 proto kernel scope link src 10.28.78.159
xx.xxx.xxx.xxx via 192.168.178.1 dev eno1
128.0.0.0/1 via 10.28.78.1 dev tun0
192.168.0.0/16 dev eno1 proto kernel scope link src 192.168.178.8
% sudo iptables-save
# Generated by iptables-save v1.8.10 (nf_tables) on
*filter
:INPUT ACCEPT [44:5124]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j ACCEPT
-A FORWARD -d 192.168.178.138/32 -p tcp -m tcp --dport 33075 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.178.138/32 -p udp -m udp --dport 33075 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on
# Generated by iptables-save v1.8.10 (nf_tables) on
*nat
:PREROUTING ACCEPT [76:7067]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i tun0 -p tcp -m tcp --dport 33075 -j DNAT --to-destination 192.168.178.138:33075
-A PREROUTING -i tun0 -p udp -m udp --dport 33075 -j DNAT --to-destination 192.168.178.138:33075
-A POSTROUTING -o eno1 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on
Because your tun0 VPN adds a default route "override" (i.e. the /1 routes, which is apparently what you want), the (encapsulated) traffic sent by the tun1 VPN server (to the clients in the "remote network") will be routed into the tun0 tunnel (rather than to your router), and therefore NATed with a public IP different from the one the client used to connect to the server, which the client does not recognise. You need policy routing for this:

(You can add ipproto udp or ipproto tcp to the rule depending on the protocol the tun1 VPN uses.)
Also make sure the rp_filter sysctl for eno1 is not 1 (but 0 or 2).
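The policy routing the answer describes, written out as an added example that is not the answerer's own commands: replies from the tun1 server socket on 192.168.178.8:1194 are sent to a dedicated table whose only route is the DSL router, and rp_filter on eno1 is set to loose mode. It assumes tun1 uses UDP (VPN_PROTO=tcp otherwise) and uses table id 100 as a placeholder of my choosing.

```shell
#!/bin/sh
# Added example, not the answerer's commands: policy routing so that replies from
# the tun1 OpenVPN server socket (192.168.178.8:1194) leave via the DSL router on
# eno1 even while tun0's 0.0.0.0/1 + 128.0.0.0/1 routes capture all default traffic.
# Assumptions: tun1 listens on UDP 1194 (set VPN_PROTO=tcp if it uses TCP); the
# routing table id 100 is a placeholder of my choosing.
set -eu

LAN_IP=192.168.178.8    # host running both OpenVPN instances
DSL_GW=192.168.178.1    # DSL router: the path the remote client's packets arrived on
WAN_IF=eno1
VPN_PORT=1194
VPN_PROTO=udp
TABLE=100

# Run a command, or with DRY_RUN=1 only print it so the plan can be reviewed.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

apply_policy_routing() {
    # Table 100 holds a single route: default via the DSL router, ignoring tun0.
    run ip route replace default via "$DSL_GW" dev "$WAN_IF" table "$TABLE"
    # Packets sourced by the tun1 server socket consult table 100 before main.
    # Delete first so re-running (e.g. from an OpenVPN up/down hook) adds no duplicate.
    run ip rule del from "$LAN_IP" ipproto "$VPN_PROTO" sport "$VPN_PORT" lookup "$TABLE" 2>/dev/null || true
    run ip rule add from "$LAN_IP" ipproto "$VPN_PROTO" sport "$VPN_PORT" lookup "$TABLE"
    # The client's packets enter on eno1 while the main table would route their
    # source via tun0; strict reverse-path filtering (1) drops them, loose (2) allows them.
    run sysctl -w "net.ipv4.conf.$WAN_IF.rp_filter=2"
}

# Show which path the kernel picks for a reply to CLIENT_IP from the server socket;
# with the rule in place it should mention "via 192.168.178.1 dev eno1", not tun0.
show_reply_path() {
    ip route get "$1" from "$LAN_IP" ipproto "$VPN_PROTO" sport "$VPN_PORT"
}

case "${1:-}" in
    apply) apply_policy_routing ;;
    check) show_reply_path "$2" ;;
esac
```

Run it as root with `apply` after tun0 is up, then `check <your-public-client-ip>` to confirm the rule is selected.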