OpenVPN: the client cannot ping the server-side intranet

Author: 风吹路过的云 | Published 2024-03-10 16:09

    Installing OpenVPN and generating the certificates are not covered here. I assume you have already installed OpenVPN, finished the related configuration, and have the server running, with a client also running and connected to the OpenVPN server.
    The server.conf looks like this:

    port 3028
    dev tun
    ca /etc/openvpn/server/ca.crt
    cert /etc/openvpn/server/server.crt
    key /etc/openvpn/server/server.key
    dh /etc/openvpn/server/dh.pem
    ;tls-auth /etc/openvpn/server/ta.key 0
    proto tcp
    server 10.120.0.0 255.255.0.0
    push "route 10.60.0.0 255.255.0.0"
    client-config-dir /etc/openvpn/clients
    ifconfig-pool-persist ipp.txt
    client-to-client
    comp-lzo
    persist-key
    persist-tun
    verb 3
    # allow at most 1000 connected clients
    max-clients 1000
    log         /data/openvpn/logs/openvpn.log
    log-append  /data/openvpn/logs/openvpn.log
    status      /data/openvpn/logs/openvpn-status.log
    script-security 4
    duplicate-cn
    

    The server and push directives are the important ones. The address range given to server must differ from the LAN range of the server host: the server range is the address pool for OpenVPN's tun interface, and every client that connects to this OpenVPN server receives an address from that pool.
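As an added check (not part of the original post), the script below reads the server directive and every push "route ..." line of a server.conf and reports whether the tun pool overlaps a pushed LAN subnet, which is the misconfiguration the paragraph above warns about. It uses the post's own values (pool 10.120.0.0/16, LAN 10.60.0.0/16) as a constructed sample; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the "server" pool in
# server.conf is disjoint from every LAN subnet pushed with "route". If they
# overlap, the tun route shadows the LAN route and LAN hosts become unreachable.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# subnets_overlap IP1 MASK1 IP2 MASK2 -> exit 0 if the two subnets overlap.
# Contiguous-mask subnets overlap exactly when they agree on the bits covered
# by the shorter mask, and the shorter of two contiguous masks is MASK1 & MASK2.
subnets_overlap() {
    a=$(ip_to_int "$1"); ma=$(ip_to_int "$2")
    b=$(ip_to_int "$3"); mb=$(ip_to_int "$4")
    m=$(( ma & mb ))
    [ $(( a & m )) -eq $(( b & m )) ]
}

# check_server_conf CONF_TEXT -> exit 0 if the pool is disjoint from every
# pushed route, 1 if any pushed route overlaps it, 2 if there is no "server" line.
check_server_conf() {
    pool=$(printf '%s\n' "$1" | awk '$1 == "server" { print $2, $3; exit }')
    if [ -z "$pool" ]; then
        echo "no 'server' directive found" >&2
        return 2
    fi
    # Each pushed route becomes one word "NET/MASK" so a plain for loop can
    # iterate without a subshell losing the status variable.
    routes=$(printf '%s\n' "$1" |
        awk '$1 == "push" && $2 == "\"route" { gsub(/"/, "", $4); print $3 "/" $4 }')
    status=0
    for r in $routes; do
        lan_net=${r%/*}
        lan_mask=${r#*/}
        # $pool is deliberately unquoted: it expands to "NET MASK", two arguments.
        if subnets_overlap $pool "$lan_net" "$lan_mask"; then
            echo "OVERLAP: server pool $pool collides with pushed route $lan_net $lan_mask" >&2
            status=1
        else
            echo "ok: pool $pool is disjoint from $lan_net $lan_mask"
        fi
    done
    return $status
}

# Constructed sample mirroring the post's server.conf.
SAMPLE_CONF='port 3028
dev tun
server 10.120.0.0 255.255.0.0
push "route 10.60.0.0 255.255.0.0"'

check_server_conf "$SAMPLE_CONF"
```

To run it against a real file, replace the sample with `check_server_conf "$(cat /etc/openvpn/server.conf)"`; a non-zero exit means the pool must be moved before anything in the iptables or sysctl steps can help.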
    The client configuration looks like this:

    remote 117.xx.yy.136 3028
    client
    dev tun
    proto tcp
    comp-lzo
    ca /etc/openvpn/client/ca.crt
    cert /etc/openvpn/client/client.crt
    key /etc/openvpn/client/client.key
    ;tls-auth /etc/openvpn/client/ta.key 0
    log         /data/openvpn/logs/openvpn.log
    log-append  /data/openvpn/logs/openvpn.log
    status      /data/openvpn/logs/openvpn-status.log
    

    Simple enough; no explanation needed.
    With the client running, it can now ping the LAN IP of the host that runs OpenVPN, but it cannot ping the other hosts in that same subnet! After a long search on Baidu, the advice was to add an iptables rule that masquerades traffic from the VPN subnet, so let's add one,
    as follows:

    iptables -t nat -A POSTROUTING -s 10.120.0.0/16 -o eth0 -j MASQUERADE
    

    Here 10.120.0.0 is the VPN subnet configured in server.conf.
    Check that the rule was added:

    [root@server]# iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination         
    
    
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination         
    MASQUERADE  all  --  10.120.0.0/16        anywhere
    

    It is there. Ping again: still no reply. Next, check the routing tables for problems; the routes on the OpenVPN server are as follows:

    [root@server]# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         10.60.0.1       0.0.0.0         UG    0      0        0 eth0
    10.60.0.0       0.0.0.0         255.255.0.0     U     0      0        0 eth0
    10.120.0.0      10.120.0.2      255.255.0.0     UG    0      0        0 tun0
    10.120.0.2      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
    169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
    [root@server]# netstat -ar
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    default         gateway         0.0.0.0         UG        0 0          0 eth0
    10.60.0.0       0.0.0.0         255.255.0.0     U         0 0          0 eth0
    10.120.0.0      10.120.0.2      255.255.0.0     UG        0 0          0 tun0
    10.120.0.2      0.0.0.0         255.255.255.255 UH        0 0          0 tun0
    link-local      0.0.0.0         255.255.0.0     U         0 0          0 eth0
    

    The routes on the OpenVPN client are as follows:

    [root@8d200 ~]# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.8.254   0.0.0.0         UG    100    0        0 eth0
    10.60.0.0       10.120.0.5      255.255.0.0     UG    0      0        0 tun0
    10.120.0.0      10.120.0.5      255.255.0.0     UG    0      0        0 tun0
    10.120.0.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
    172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
    172.19.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-abe310fb4706
    192.168.8.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0
    

    Think about it: since the client can already ping the OpenVPN server's LAN IP, the path from the client to the server is working, so why can it still not reach the other hosts in the server's subnet?
    Another Baidu search turned up the suggestion that IP forwarding might not be enabled on the OpenVPN server, so let's enable it and try:

    vim /etc/sysctl.conf
    append the following line at the end of the file:
    net.ipv4.ip_forward = 1
    

    Run sysctl -p to apply it:

    [root@server]# sysctl -p
    net.ipv6.conf.all.disable_ipv6 = 0
    net.ipv6.conf.default.disable_ipv6 = 0
    net.ipv6.conf.lo.disable_ipv6 = 0
    net.nf_conntrack_max = 655350
    vm.overcommit_memory = 1
    vm.max_map_count = 262144
    net.ipv4.ip_forward = 1
    

    Then ping the other hosts again, and this time it finally works!
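The post fixed the problem by stacking three server-side conditions: a route for the VPN pool over tun0, a MASQUERADE rule in the nat POSTROUTING chain, and net.ipv4.ip_forward set to 1. The checklist script below (an added example, not code from the post) turns those three steps into checks. Each check parses the text output of sysctl, iptables -t nat -L and route -n so it can be exercised on captured output; the constructed samples are taken from the post's own listings, before and after forwarding was enabled, and the function names and the diagnose_live wrapper are my own.

```shell
#!/bin/sh
# Added example, not from the original post: a checklist for the three
# server-side conditions the post walks through before LAN hosts became
# reachable. The check functions take command output as text, so they run
# on captured samples; diagnose_live feeds them the real commands.

# ip_forward_enabled SYSCTL_OUTPUT -> 0 if "net.ipv4.ip_forward = 1" is present.
ip_forward_enabled() {
    printf '%s\n' "$1" | grep -q '^net\.ipv4\.ip_forward *= *1$'
}

# nat_has_masquerade NAT_TABLE SRC_CIDR -> 0 if the POSTROUTING chain of
# "iptables -t nat -L" holds a MASQUERADE rule whose source is SRC_CIDR.
# Only the target ($1) and source ($4) columns are inspected, so it works
# with or without -n.
nat_has_masquerade() {
    printf '%s\n' "$1" | awk -v src="$2" '
        /^Chain / { in_post = ($2 == "POSTROUTING") }
        in_post && $1 == "MASQUERADE" && $4 == src { found = 1 }
        END { exit found ? 0 : 1 }'
}

# has_route ROUTE_TABLE DEST IFACE -> 0 if "route -n" lists DEST via IFACE.
has_route() {
    printf '%s\n' "$1" | awk -v d="$2" -v i="$3" '
        $1 == d && $NF == i { found = 1 }
        END { exit found ? 0 : 1 }'
}

# diagnose SYSCTL_OUT NAT_OUT ROUTE_OUT VPN_CIDR VPN_NET
# Prints one line per check and returns the number of failed checks.
diagnose() {
    failures=0
    if ip_forward_enabled "$1"; then
        echo "ok   net.ipv4.ip_forward = 1"
    else
        echo "FAIL ip_forward is off: add 'net.ipv4.ip_forward = 1' to /etc/sysctl.conf and run sysctl -p"
        failures=$((failures + 1))
    fi
    if nat_has_masquerade "$2" "$4"; then
        echo "ok   POSTROUTING masquerades $4"
    else
        echo "FAIL no MASQUERADE for $4: iptables -t nat -A POSTROUTING -s $4 -o eth0 -j MASQUERADE"
        failures=$((failures + 1))
    fi
    if has_route "$3" "$5" tun0; then
        echo "ok   route to $5 via tun0"
    else
        echo "FAIL no route to $5 via tun0: is the OpenVPN server process running?"
        failures=$((failures + 1))
    fi
    return $failures
}

# Live variant for a real server (needs root; not invoked here).
diagnose_live() {
    diagnose "$(sysctl net.ipv4.ip_forward)" "$(iptables -t nat -L -n)" "$(route -n)" \
        10.120.0.0/16 10.120.0.0
}

# Constructed samples based on the post's listings.
SAMPLE_SYSCTL_BEFORE='net.nf_conntrack_max = 655350
vm.overcommit_memory = 1'
SAMPLE_SYSCTL_AFTER='net.nf_conntrack_max = 655350
vm.overcommit_memory = 1
net.ipv4.ip_forward = 1'
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.120.0.0/16        anywhere'
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.60.0.1       0.0.0.0         UG    0      0        0 eth0
10.60.0.0       0.0.0.0         255.255.0.0     U     0      0        0 eth0
10.120.0.0      10.120.0.2      255.255.0.0     UG    0      0        0 tun0'

diagnose "$SAMPLE_SYSCTL_AFTER" "$SAMPLE_NAT" "$SAMPLE_ROUTES" 10.120.0.0/16 10.120.0.0
```

Two general points worth keeping in mind when applying the fix, neither covered by the post: the iptables rule added with -A lives only in kernel memory and must be saved (for example with iptables-save) or re-applied at boot, and if the filter table's FORWARD chain policy is DROP, forwarded packets between tun0 and eth0 also need an ACCEPT rule there. Enabling ip_forward together with MASQUERADE turns the host into a router for every VPN client, and LAN hosts then see the server's own address rather than the client's, so any per-client access control has to be enforced on the OpenVPN server itself.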

    References:

    https://www.ilanni.com/?p=5221 (this one mentions IP forwarding)

    https://www.cnblogs.com/zhuanqian-yangmeng/p/16902732.html

    https://www.cnblogs.com/kasumi/p/6126629.html

    Article link: https://www.haomeiwen.com/subject/fbspzdtx.html