openvpn: addressing nodes in the LAN behind the server

lur*_*her 6 networking routing openvpn tun

I have set up an openvpn server that can be reached remotely; once connected, it creates a tun0 device on both the server and the client, with virtual IPs in 10.15.119.x. The openvpn server itself is 10.15.119.1.

Question: how do I address the other nodes in the LAN behind the openvpn server? I can reach services on the openvpn server itself using the address 10.15.119.1:(port), but I don't know how to address the other nodes that sit in the same LAN as the openvpn server and do not take part in the openvpn connection. I would like those nodes to be addressable from the client node with other virtual IPs in the 10.15.119.x range; if that is the case, I only need a way to find out what those IPs are.

I could well write some iptables and route commands to forward ports to specific nodes, but I'm sure there must be a better way to do this and address the nodes directly.

server.conf:

dev tun
server 10.15.119.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
up ./office.up 
tls-server
dh /home/lurscher/keys/dh1024.pem
ca /home/lurscher/keys/ca.crt
cert /home/lurscher/keys/vpnCh8TestServer.crt
key /home/lurscher/keys/vpnCh8TestServer.key
status openvpn-status.log
log         openvpn.log
comp-lzo
verb 3

The office.up script has:

#!/bin/sh
#route 10.15.119.0 255.255.255.0
route add -net 10.15.119.0 netmask 255.255.255.0 gw $5 #fixed the wrong 10.15.0.0 address

client.conf, on the other hand, has:

dev tun
remote my.server.com
tls-client
pull 
ca /home/chuckq/keys/ca.crt
cert /home/chuckq/keys/vpnCh8TestClient.crt
key /home/chuckq/keys/vpnCh8TestClient.key
ns-cert-type server
; port 1194
; user nobody
; group nogroup
status openvpn-status.log
log         openvpn.log
comp-lzo
verb 3

Relevant log from the server:

Thu May 26 16:59:59 2011 vpnCh8TestClient/Y.Y.Y.Y:1194 PUSH: Received control message: 'PUSH_REQUEST'
Thu May 26 16:59:59 2011 vpnCh8TestClient/Y.Y.Y.Y:1194 SENT CONTROL [vpnCh8TestClient]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 10.15.119.1,topology net30,ifconfig 10.15.119.6 10.15.119.5' (status=1)
Thu May 26 17:02:17 2011 vpnCh8TestClient/Y.Y.Y.Y:1194 Replay-window backtrack occurred [1]

Relevant log from the client:

Thu May 26 16:53:30 2011 [vpnCh8TestServer] Peer Connection Initiated with [AF_INET]X.X.X.X:1194
Thu May 26 16:53:32 2011 SENT CONTROL [vpnCh8TestServer]: 'PUSH_REQUEST' (status=1)
Thu May 26 16:53:32 2011 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 10.15.119.1,topology net30,ifconfig 10.15.119.6 10.15.119.5'
Thu May 26 16:53:32 2011 OPTIONS IMPORT: --ifconfig/up options modified
Thu May 26 16:53:32 2011 OPTIONS IMPORT: route options modified
Thu May 26 16:53:32 2011 ROUTE default_gateway=10.21.2.254
Thu May 26 16:53:32 2011 TUN/TAP device tun0 opened
Thu May 26 16:53:32 2011 TUN/TAP TX queue length set to 100
Thu May 26 16:53:32 2011 /sbin/ifconfig tun0 10.15.119.6 pointopoint 10.15.119.5 mtu 1500
Thu May 26 16:53:32 2011 /sbin/route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.15.119.5
Thu May 26 16:53:32 2011 /sbin/route add -net 10.15.119.1 netmask 255.255.255.255 gw 10.15.119.5
Thu May 26 16:53:32 2011 Initialization Sequence Completed

Edit: thanks to wolfgangsz for spotting a typo in office.up; I tried tracepath again, with no improvement:

$ tracepath 192.168.0.100
 1:  10.15.119.6                                              0.261ms pmtu 1500
 1:  10.15.119.1                                             88.989ms 
 1:  10.15.119.1                                             58.752ms 
 2:  no reply

Note how the result differs when the IP is the one of the openvpn server:

$ tracepath 192.168.0.101
 1:  10.15.119.6                                              0.308ms pmtu 1500
 1:  192.168.0.101                                       115.713ms reached
 1:  192.168.0.101                                        65.064ms reached
     Resume: pmtu 1500 hops 1 back 64 

Routing entries on the client:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.15.119.5     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.15.119.1     10.15.119.5     255.255.255.255 UGH   0      0        0 tun0
192.168.0.0     10.15.119.5     255.255.255.0   UG    0      0        0 tun0
10.21.2.0       0.0.0.0         255.255.255.0   U     1      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
0.0.0.0         10.21.2.254     0.0.0.0         UG    0      0        0 eth0

and routing entries on the (openvpn) server:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.15.119.2     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.15.119.0     10.15.119.2     255.255.255.0   UG    0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 vboxnet0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
0.0.0.0         0.0.0.0         0.0.0.0         U     1002   0        0 eth0
0.0.0.0         0.0.0.0         0.0.0.0         U     1004   0        0 vboxnet0

Edit 2: I checked whether ip forwarding is enabled

$ cat /proc/sys/net/ipv4/ip_forward
1

This is the iptables output on the server:

$ sudo iptables -nv -L
Chain INPUT (policy DROP 1 packets, 52 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  eth0   *       127.0.0.1            0.0.0.0/0           
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            127.0.0.1           
    0     0 DROP       all  --  eth0   *       192.168.0.0/16       0.0.0.0/0           
    0     0 DROP       all  --  eth0   *       172.16.0.0/12        0.0.0.0/0           
    0     0 DROP       all  --  eth0   *       10.0.0.0/8           0.0.0.0/0           
    8   416 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            127.0.0.1           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
   91  8915 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
  293 28499 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194 
    1  1500 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  tap+   *       0.0.0.0/0            0.0.0.0/0           
   18  2010 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  eth0   *       127.0.0.1            0.0.0.0/0           
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            127.0.0.1           
    0     0 DROP       all  --  eth0   *       192.168.0.0/16       0.0.0.0/0           
    0     0 DROP       all  --  eth0   *       172.16.0.0/12        0.0.0.0/0           
    0     0 DROP       all  --  eth0   *       10.0.0.0/8           0.0.0.0/0           
    0     0 DROP       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spts:137:139 
    0     0 DROP       udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           udp spts:137:139 
    0     0 DROP       all  --  eth1   *      !10.0.0.0/24          0.0.0.0/0           
   38 57000 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  tap+   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 

Chain OUTPUT (policy ACCEPT 306 packets, 34543 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spts:137:139 
    0     0 DROP       udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           udp spts:137:139 
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           state NEW 

Edit 3

I think I left out an important piece of information; I did not think it could be relevant, but a recent answer makes me think it might be: the openvpn server is connected directly to the router, and in the router configuration (at 192.168.0.1) I have enabled port forwarding of the openvpn port 1194 to the openvpn server, which is how I currently connect remotely.


Edit 4

I tried running the following on the 192.168.0.100 (secondary server) machine, to see whether giving it a route to 10.15.119.x would solve the problem:

sudo route add -net 10.15.119.0 netmask 255.255.255.0 gw 192.168.0.101

(192.168.0.101 is the openvpn server address, 192.168.0.100 is the secondary server I want to reach from outside)

I tried this and managed to reach the openvpn server with ping 10.15.119.1, but ping 10.15.119.6 (my client ip) failed


Edit 5

I am adding the tcpdump output on the openvpn server while trying to ping 192.168.0.100 from the client:

$ sudo tcpdump -v -i any host 192.168.0.100
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
11:10:43.675915 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    10.15.119.6 > services-host-1.local: ICMP echo request, id 2494, seq 1, length 64
11:10:43.675932 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    10.15.119.6 > services-host-1.local: ICMP echo request, id 2494, seq 1, length 64
11:10:43.676149 IP (tos 0x0, ttl 64, id 40127, offset 0, flags [none], proto ICMP (1), length 84)
    services-host-1.local > 10.15.119.6: ICMP echo reply, id 2494, seq 1, length 64
11:10:43.778583 IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], proto UDP (17), length 103)
    services-host-1.local.mdns > 224.0.0.251.mdns: 0*- [0q] 1/0/0 100.0.168.192.in-addr.arpa. (Cache flush) PTR services-host-1.local. (75)
11:10:43.778588 IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], proto UDP (17), length 103)
    services-host-1.local.mdns > 224.0.0.251.mdns: 0*- [0q] 1/0/0 100.0.168.192.in-addr.arpa. (Cache flush) PTR services-host-1.local. (75)
11:10:44.681801 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    10.15.119.6 > services-host-1.local: ICMP echo request, id 2494, seq 2, length 64
11:10:44.681809 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    10.15.119.6 > services-host-1.local: ICMP echo request, id 2494, seq 2, length 64
11:10:44.682007 IP (tos 0x0, ttl 64, id 40128, offset 0, flags [none], proto ICMP (1), length 84)
    services-host-1.local > 10.15.119.6: ICMP echo reply, id 2494, seq 2, length 64
11:10:45.689926 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    10.15.119.6 > services-host-1.local: ICMP echo request, id 2494, seq 3, length 64
11:10:45.689933 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    10.15.119.6 > services-host-1.local: ICMP echo request, id 2494, seq 3, length 64
11:10:45.690121 IP (tos 0x0, ttl 64, id 40129, offset 0, flags [none], proto ICMP (1), length 84)
    services-host-1.local > 10.15.119.6: ICMP echo reply, id 2494, seq 3, length 64
11:10:46.698990 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    10.15.119.6 > services-host-1.local: ICMP echo request, id 2494, seq 4, length 64
11:10:46.698997 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    10.15.119.6 > services-host-1.local: ICMP echo request, id 2494, seq 4, length 64
11:10:46.699190 IP (tos 0x0, ttl 64, id 40130, offset 0, flags [none], proto ICMP (1), length 84)
    services-host-1.local > 10.15.119.6: ICMP echo reply, id 2494, seq 4, length 64
11:10:47.706870 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    10.15.119.6 > services-host-1.local: ICMP echo request, id 2494, seq 5, length 64
11:10:47.706878 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    10.15.119.6 > services-host-1.local: ICMP echo request, id 2494, seq 5, length 64
11:10:47.707067 IP (tos 0x0, ttl 64, id 40131, offset 0, flags [none], proto ICMP (1), length 84)
    services-host-1.local > 10.15.119.6: ICMP echo reply, id 2494, seq 5, length 64
11:10:48.680540 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has services-host-1.local tell openvpnServer, length 28
11:10:48.680737 ARP, Ethernet (len 6), IPv4 (len 4), Reply services-host-1.local is-at 08:00:27:a4:e2:01 (oui Unknown), length 28
11:10:48.684812 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has dfdlinkrouter tell services-host-1.local, length 28
11:10:48.685338 ARP, Ethernet (len 6), IPv4 (len 4), Reply dfdlinkrouter is-at 00:26:5a:ae:90:88 (oui Unknown), length 46
11:10:48.716100 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    10.15.119.6 > services-host-1.local: ICMP echo request, id 2494, seq 6, length 64
11:10:48.716107 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    10.15.119.6 > services-host-1.local: ICMP echo request, id 2494, seq 6, length 64
11:10:48.716347 IP (tos 0x0, ttl 64, id 40132, offset 0, flags [none], proto ICMP (1), length 84)
    services-host-1.local > 10.15.119.6: ICMP echo reply, id 2494, seq 6, length 64

So it looks like the ping is reaching the server and it replies, but the packet gets dropped before entering the vpn, so I added a line in iptables to log all dropped or rejected INPUT and FORWARD packets; here is what gets filtered, from /var/log/syslog

May 30 10:59:24 openvpnServer kernel: [40433.898392] iptables INPUT denied: IN=eth1 OUT= MAC= SRC=192.168.0.101 DST=224.0.0.251 LEN=98 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=78 
May 30 10:59:24 openvpnServer kernel: [40434.001003] iptables INPUT denied: IN=eth1 OUT= MAC=01:00:5e:00:00:fb:08:00:27:a4:e2:01:08:00 SRC=192.168.0.100 DST=224.0.0.251 LEN=62 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=42 
May 30 10:59:24 openvpnServer kernel: [40434.001102] iptables INPUT denied: IN=eth1 OUT= MAC= SRC=192.168.0.101 DST=224.0.0.251 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=52 
May 30 11:03:28 openvpnServer kernel: [40677.329586] iptables INPUT denied: IN=eth1 OUT= MAC= SRC=192.168.0.101 DST=224.0.0.251 LEN=67 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=47 
May 30 11:03:29 openvpnServer kernel: [40678.330065] iptables INPUT denied: IN=eth1 OUT= MAC= SRC=192.168.0.101 DST=224.0.0.251 LEN=67 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=47 

I have commented out most of the DROP and REJECT commands in iptables to see whether it works, but I still get the same problem; this is iptables after removing all the drops

$ sudo iptables -L -nv
Chain INPUT (policy ACCEPT 88 packets, 15209 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 3404 3162K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  !lo    *       0.0.0.0/0            127.0.0.0/8         reject-with icmp-port-unreachable 
 2950  249K ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
12881 6906K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
  162  9696 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
    1    42 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
   60 10407 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `iptables INPUT denied: ' 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   30  2448 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194 
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `iptables FORWARD denied: ' 

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2826  857K ACCEPT     all  --  *      tun+    0.0.0.0/0            0.0.0.0/0           
17443 5842K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0      

Edit 6

Following Steven's suggestion, I added 3 tcpdumps, 2 on the server and 1 on the client, while running from the client

$ ping 192.168.0.100
PING 192.168.0.100 (192.168.0.100) 56(84) bytes of data.
^C
--- 192.168.0.100 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4024ms

but first I flushed all iptables rules on the openvpn server:

$ sudo iptables -L -nv
Chain INPUT (policy ACCEPT 206 packets, 26537 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 50 packets, 7781 bytes)
 pkts bytes target     prot opt in     out     source               destination         

This is the output of the first tcpdump on the openvpn server

$ sudo tcpdump -vn -i tun0 '(host 192.168.0.100 or host 10.15.119.6)' and icmp
tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
13:54:30.871403 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    10.15.119.6 > 192.168.0.100: ICMP echo request, id 3145, seq 1, length 64
13:54:31.870534 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    10.15.119.6 > 192.168.0.100: ICMP echo request, id 3145, seq 2, length 64
13:54:32.879562 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    10.15.119.6 > 192.168.0.100: ICMP echo request, id 3145, seq 3, length 64

Second tcpdump on the server:

$ sudo tcpdump -vn -i eth1 '(host 192.168.0.100 or host 10.15.119.6)' and icmp
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
13:54:30.871429 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    10.15.119.6 > 192.168.0.100: ICMP echo request, id 3145, seq 1, length 64
13:54:30.875508 IP (tos 0x0, ttl 64, id 28969, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.100 > 10.15.119.6: ICMP echo reply, id 3145, seq 1, length 64
13:54:31.870544 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    10.15.119.6 > 192.168.0.100: ICMP echo request, id 3145, seq 2, length 64
13:54:31.870760 IP (tos 0x0, ttl 64, id 28970, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.100 > 10.15.119.6: ICMP echo reply, id 3145, seq 2, length 64

and the third tcpdump, this time on the client:

$ sudo tcpdump -vn -i eth0 host 192.168.0.100 and icmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

Importantly, something else that may be useful: on the client I ran ip route show

$ sudo ip route show
10.15.119.5 dev tun0  proto kernel  scope link  src 10.15.119.6 
10.15.119.1 via 
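
An added diagnostic helper, not code from the original question or from any of the answers: it replays the three tcpdump captures from Edit 6 and reports, for each direction of the ping, the last capture point at which the packets were still seen, so the break can be pinned to one segment of the path instead of guessed. The capture labels, the assumed path order (client tun0, server tun0, server eth1, target) and the trimmed sample lines are constructed for this example from the captures above.

```python
"""Locate where a ping across an OpenVPN gateway stops.

Added example for this thread, not code from the original post. It parses
tcpdump -vn output taken at several points along the path and reports, per
direction, where the ICMP packets were last seen. Capture labels and the
path order below are assumptions made for this example.
"""
import re

# One tcpdump -vn ICMP record spans two lines; the second, indented line
# carries the addresses, echo type, id and sequence number.
ICMP_RE = re.compile(
    r"^\s+(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_capture(text):
    """Return a set of (src, dst, kind, id, seq) tuples from tcpdump -vn output."""
    seen = set()
    for line in text.splitlines():
        m = ICMP_RE.match(line)
        if m:
            seen.add((m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"])))
    return seen


def trace_direction(path, captures, kind):
    """Walk the capture points in path order for one packet kind.

    Points that have no capture are skipped as unknown. Returns the labels
    where the packets appeared and the first captured point, after they had
    appeared, where they were absent.
    """
    seen, lost_before = [], None
    for label in path:
        if label not in captures:
            continue
        present = any(p[2] == kind for p in captures[label])
        if present:
            seen.append(label)
        elif seen and lost_before is None:
            lost_before = label
    return seen, lost_before


def diagnose(captures, forward_path):
    """Per-direction summary plus a one-line verdict."""
    req_seen, req_lost = trace_direction(forward_path, captures, "request")
    rep_seen, rep_lost = trace_direction(list(reversed(forward_path)), captures, "reply")
    if req_lost:
        verdict = f"request lost before {req_lost}"
    elif not req_seen:
        verdict = "request never seen at any capture point"
    elif rep_lost:
        verdict = f"reply lost before {rep_lost}"
    elif not rep_seen:
        verdict = "target never answered"
    else:
        verdict = "both directions seen at every captured point"
    return {
        "request": {"seen": req_seen, "lost_before": req_lost},
        "reply": {"seen": rep_seen, "lost_before": rep_lost},
        "verdict": verdict,
    }


# Constructed sample input: the address lines of the Edit 6 captures, trimmed.
SERVER_TUN0 = """\
    10.15.119.6 > 192.168.0.100: ICMP echo request, id 3145, seq 1, length 64
    10.15.119.6 > 192.168.0.100: ICMP echo request, id 3145, seq 2, length 64
    10.15.119.6 > 192.168.0.100: ICMP echo request, id 3145, seq 3, length 64
"""
SERVER_ETH1 = """\
    10.15.119.6 > 192.168.0.100: ICMP echo request, id 3145, seq 1, length 64
    192.168.0.100 > 10.15.119.6: ICMP echo reply, id 3145, seq 1, length 64
    10.15.119.6 > 192.168.0.100: ICMP echo request, id 3145, seq 2, length 64
    192.168.0.100 > 10.15.119.6: ICMP echo reply, id 3145, seq 2, length 64
"""
# The client capture in Edit 6 was taken on eth0, which only carries the
# encrypted UDP/1194 tunnel; plaintext ICMP lives on the client's tun0, so
# "client tun0" is left without a capture here and is skipped as unknown.
CAPTURES = {
    "server tun0": parse_capture(SERVER_TUN0),
    "server eth1": parse_capture(SERVER_ETH1),
}
PATH = ["client tun0", "server tun0", "server eth1", "target"]

if __name__ == "__main__":
    result = diagnose(CAPTURES, PATH)
    for d in ("request", "reply"):
        print(f"{d:8} seen at {result[d]['seen']}, lost before {result[d]['lost_before']}")
    print("verdict:", result["verdict"])
```

On the captures above the verdict is "reply lost before server tun0": the echo request crosses the gateway into the LAN and the host answers, but the reply that arrives on eth1 is never forwarded back out of tun0, so the remaining suspects are on the gateway itself (its forwarding of eth1-to-tun0 traffic and its route for 10.15.119.0/24), not on the client or on the LAN host. Two general caveats: a capture on the client's eth0 can only show the encrypted tunnel, so the plaintext ICMP has to be captured on the client's tun0; and if you go the NAT way instead of pure routing, the LAN host sees the server's LAN address as the source and needs no return route, but LAN-side logs then no longer distinguish individual VPN clients, so the masquerade rule should be scoped to the VPN subnet (10.15.119.0/24) and to the LAN-side interface only.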

skr*_*ler 2

I went through everyone's replies and I think I have a good idea of what you are seeing.

Let's do a few simple checks to narrow the problem down:

From one of the OpenVPN clients that cannot ping a 192.168.0.x host, give us:
netstat -rn, together with ifconfig -a (*nix) or ipconfig /all
ping <openvpn server external 10.21.x address>
ping <openvpn 10.15.x address>

From the openvpn server:
netstat -rn
ping <a 192.168.0.x host>
ping <a 10.15.x host>
ping <a 10.21.x host>

Also, your current openvpn server config and client config; probably in /etc/openvpn/server.conf, and on the client machine /etc/openvpn/<hostname>.conf or c:\program files\openvpn\config\<hostname.conf> or .ovpn


I have a similar setup. On my OpenVPN server I have the equivalent of this iptables rule (changing the host mask/interface to your values should do):

# Generated by iptables-save v1.4.4 
*nat
:PREROUTING ACCEPT [5:332]
:POSTROUTING ACCEPT [5:740]
:OUTPUT ACCEPT [5:740]
# -s is the VPN client subnet; the original line read /2, a typo for /24
-A POSTROUTING -s 10.15.119.0/24 -o eth1 -j MASQUERADE
COMMIT

It looks like your problem is definitely that you are missing iptable_nat.

# lsmod | grep nat
iptable_nat             5011  1 
nf_nat                 19101  2 ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4      12548  3 iptable_nat,nf_nat
nf_conntrack           72270  4 ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4
ip_tables              17942  2 iptable_nat,iptable_filter
x_tables               21613  3 ipt_MASQUERADE,iptable_nat,ip_tables

modprobe iptable_nat, or try it with the -a parameter.