Routing bridge traffic into a VPN tunnel (AWS Client VPN endpoint)

roy*_*roy 1 networking vpn routing openvpn linux-networking

I created a bridge between eth0 & wlan0. Below is the ifconfig output:

root@ubuntu:~ $ ifconfig
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.24.11.15  netmask 255.255.255.0  broadcast 10.24.11.255
        inet6 fe80::1fd4:f47a:59d2:1de8  prefixlen 64  scopeid 0x20<link>
        ether b8:27:eb:8e:38:ee  txqueuelen 1000  (Ethernet)
        RX packets 2571  bytes 308138 (300.9 KiB)
        RX errors 0  dropped 230  overruns 0  frame 0
        TX packets 2511  bytes 289807 (283.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether b8:27:eb:db:6d:bb  txqueuelen 1000  (Ethernet)
        RX packets 6268  bytes 1641477 (1.5 MiB)
        RX errors 0  dropped 39  overruns 0  frame 0
        TX packets 7141  bytes 1630895 (1.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 454  bytes 30843 (30.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 454  bytes 30843 (30.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.20.1.226  netmask 255.255.255.224  destination 10.20.1.226
        inet6 fe80::ea4d:bb87:d649:5308  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1407  bytes 94382 (92.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether b8:27:eb:8e:38:ee  txqueuelen 1000  (Ethernet)
        RX packets 5095  bytes 1401614 (1.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5124  bytes 1660553 (1.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Routing table:

root@ubuntu:~ $ sudo ip route
0.0.0.0/1 via 10.20.1.225 dev tun0
default via 10.24.11.1 dev br0 src 10.24.11.15 metric 204
10.20.1.224/27 dev tun0 proto kernel scope link src 10.20.1.226
10.24.11.0/24 dev br0 proto kernel scope link src 10.24.11.15 metric 204
52.36.18.24 via 10.24.11.1 dev br0
128.0.0.0/1 via 10.20.1.225 dev tun0

root@ubuntu:~ $ sudo route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.20.1.225     128.0.0.0       UG    0      0        0 tun0
0.0.0.0         10.24.11.1      0.0.0.0         UG    204    0        0 br0
10.20.1.224     0.0.0.0         255.255.255.224 U     0      0        0 tun0
10.24.11.0      0.0.0.0         255.255.255.0   U     204    0        0 br0
52.36.18.24     10.24.11.1      255.255.255.255 UGH   0      0        0 br0
128.0.0.0       10.20.1.225     128.0.0.0       UG    0      0        0 tun0

The subnet 10.2.0.0/16 is reachable through the tunnel tun0, and I can ping the IP 10.2.1.145 from this box. But I cannot ping 10.2.1.145 from a device connected to this box over wlan0. I am able to ping 10.24.11.15 from a device connected to this box over wlan0.

If I run traceroute 10.2.1.145 on a device connected to this box over wlan0, the connection goes out through eth0 via the public IP.

eth0 had 10.24.11.15, but after creating the bridge it moved to br0.

What route am I missing here to push 10.2.0.0/16 traffic to tun0?

Here is more output:

root@ubuntu:~ $ ip route get 10.2.1.145 from 10.24.11.23 iif br0
10.2.1.145 from 10.24.11.23 via 10.20.0.225 dev tun0
    cache  iif br0

root@ubuntu:~ $ sudo ip netconf show dev tun0
ipv4 dev tun0 forwarding on rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
root@ubuntu:~ $

root@ubuntu:~ $ sudo ip netconf show dev br0
ipv4 dev br0 forwarding on rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off

Ping from the WiFi client and tcpdump on ubuntu:

root@client:~# ping 10.2.1.145

root@ubuntu:~ $ sudo tcpdump -ni br0 'icmp and ip host 10.2.1.145'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:30:56.903893 IP 10.24.11.23 > 10.2.1.145: ICMP echo request, id 34567, seq 8, length 64
15:30:57.904278 IP 10.24.11.23 > 10.2.1.145: ICMP echo request, id 34567, seq 9, length 64
15:30:58.904826 IP 10.24.11.23 > 10.2.1.145: ICMP echo request, id 34567, seq 10, length 64


root@client:~# ping 10.2.1.145

root@ubuntu:~ $ sudo tcpdump -nei eth0 'icmp and ip host 10.2.1.145'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:26:55.356091 ac:bc:32:bf:ad:57 > 18:b1:69:75:7a:f4, ethertype IPv4 (0x0800), length 98: 10.24.11.147 > 10.2.1.145: ICMP echo request, id 5646, seq 169, length 64

iptables-save:

root@ubuntu:~ $ sudo iptables-save
# Generated by iptables-save v1.6.0 on Mon May  6 15:37:25 2019
*nat
:PREROUTING ACCEPT [1299:221082]
:INPUT ACCEPT [290:32450]
:OUTPUT ACCEPT [4762:319088]
:POSTROUTING ACCEPT [680:45560]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on Mon May  6 15:37:25 2019
root@ubuntu:~ $ uname -a
Linux raspberrypi 4.14.98-v7+ #1200 SMP Tue Feb 12 20:27:48 GMT 2019 armv7l GNU/Linux

root@ubuntu:~ $ sudo ip rule ls
0:  from all lookup local
32766:  from all lookup main
32767:  from all lookup default

root@ubuntu:~ $ sudo ip route ls table all
0.0.0.0/1 via 10.20.2.129 dev tun0
default via 10.24.11.1 dev br0 src 10.24.11.15 metric 204
10.20.2.128/27 dev tun0 proto kernel scope link src 10.20.2.130
10.24.11.0/24 dev br0 proto kernel scope link src 10.24.11.15 metric 204
52.37.118.218 via 10.24.11.1 dev br0
128.0.0.0/1 via 10.20.2.129 dev tun0
broadcast 10.20.2.128 dev tun0 table local proto kernel scope link src 10.20.2.130
local 10.20.2.130 dev tun0 table local proto kernel scope host src 10.20.2.130
broadcast 10.20.2.159 dev tun0 table local proto kernel scope link src 10.20.2.130
broadcast 10.24.11.0 dev br0 table local proto kernel scope link src 10.24.11.15
local 10.24.11.15 dev br0 table local proto kernel scope host src 10.24.11.15
broadcast 10.24.11.255 dev br0 table local proto kernel scope link src 10.24.11.15
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
fe80::/64 dev br0 proto kernel metric 256  pref medium
fe80::/64 dev tun0 proto kernel metric 256  pref medium
local ::1 dev lo table local proto kernel metric 0  pref medium
local fe80::1fd4:f47a:59d2:1de8 dev br0 table local proto kernel metric 0  pref medium
local fe80::54bf:cf69:4385:4b1c dev tun0 table local proto kernel metric 0  pref medium
ff00::/8 dev br0 table local metric 256  pref medium
ff00::/8 dev tun0 table local metric 256  pref medium

root@ubuntu:~ $ sudo ip -4 a ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.24.11.15/24 brd 10.24.11.255 scope global br0
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    inet 10.20.2.130/27 brd 10.20.2.159 scope global tun0
       valid_lft forever preferred_lft forever
root@ubuntu:~ $

The other side of the VPN is not an openvpn server, because I am trying to use an AWS Client VPN Endpoint here. I did run sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE on the ubuntu host. No access to the VPN server.

Update:

On the wifi client

root@client:~ $ ifconfig
eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether b8:27:eb:d2:02:8c  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.24.11.201  netmask 255.255.255.0  broadcast 10.24.11.255
        inet6 fe80::f9e2:e7af:ab5f:7865  prefixlen 64  scopeid 0x20<link>
        ether b8:27:eb:87:57:d9  txqueuelen 1000  (Ethernet)
        RX packets 86  bytes 7978 (7.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 97  bytes 16637 (16.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@client:~ $ ip -4 route list
default via 10.24.11.1 dev wlan0 src 10.24.11.201 metric 303
10.24.11.0/24 dev wlan0 proto kernel scope link src 10.24.11.201 metric 303

On the wifi client I removed the default route with sudo route del default gw 10.24.11.1 wlan0 and added sudo route add default gw 10.24.11.15 wlan0

root@client:~ $ ip -4 route list
default via 10.24.11.15 dev wlan0
10.24.11.0/24 dev wlan0 proto kernel scope link src 10.24.11.201 metric 303

Then tried

root@client:~# ping 10.2.1.145
PING 10.2.1.145 (10.2.1.145): 56 data bytes

root@ubuntu:~ $ sudo tcpdump -ni br0 'icmp'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:40:03.832209 IP 10.24.11.201 > 10.2.1.145: ICMP echo request, id 614, seq 121, length 64
13:40:04.879329 IP 10.24.11.201 > 10.2.1.145: ICMP echo request, id 614, seq 122, length 64
13:40:05.911833 IP 10.24.11.201 > 10.2.1.145: ICMP echo request, id 614, seq 123, length 64

root@ubuntu:~ $ sudo tcpdump -ni tun0 'icmp'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
13:40:49.539044 IP 10.24.11.201 > 10.2.1.145: ICMP echo request, id 618, seq 1, length 64
13:40:50.553286 IP 10.24.11.201 > 10.2.1.145: ICMP echo request, id 618, seq 2, length 64
13:40:51.597073 IP 10.24.11.201 > 10.2.1.145: ICMP echo request, id 618, seq 3, length 64

Ran on Ubuntu

1. iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
2. sudo iptables -A FORWARD -i br0 -o tun0 -j ACCEPT
3. sudo iptables -A FORWARD -i tun0 -o br0 -j ACCEPT

root@ubuntu:~ $ sudo iptables-save -c
# Generated by iptables-save v1.6.0 on Mon May 13 20:30:31 2019
*filter
:INPUT ACCEPT [32:2202]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [49:4174]
[0:0] -A FORWARD -i br0 -o tun0 -j ACCEPT
[0:0] -A FORWARD -i tun0 -o br0 -j ACCEPT
COMMIT
# Completed on Mon May 13 20:30:31 2019
# Generated by iptables-save v1.6.0 on Mon May 13 20:30:31 2019
*nat
:PREROUTING ACCEPT [7:1109]
:INPUT ACCEPT [2:144]
:OUTPUT ACCEPT [20:1340]
:POSTROUTING ACCEPT [4:268]
[0:0] -A POSTROUTING -o eth0 -j MASQUERADE
[16:1072] -A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on Mon May 13 20:30:31 2019

root@client:~ $ ping 10.2.1.145
PING 10.2.1.145 (10.2.1.145) 56(84) bytes of data.

root@ubuntu:~ $ sudo iptables-save -c
# Generated by iptables-save v1.6.0 on Mon May 13 20:31:24 2019
*filter
:INPUT ACCEPT [119:7998]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [218:19046]
[0:0] -A FORWARD -i br0 -o tun0 -j ACCEPT
[0:0] -A FORWARD -i tun0 -o br0 -j ACCEPT
COMMIT
# Completed on Mon May 13 20:31:24 2019
# Generated by iptables-save v1.6.0 on Mon May 13 20:31:24 2019
*nat
:PREROUTING ACCEPT [10:1331]
:INPUT ACCEPT [5:366]
:OUTPUT ACCEPT [45:3015]
:POSTROUTING ACCEPT [9:603]
[0:0] -A POSTROUTING -o eth0 -j MASQUERADE
[36:2412] -A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on Mon May 13 20:31:24 2019

Then:

root@client:~ $ ping 10.20.1.225

root@ubuntu:~ $ sudo tcpdump -ni br0 'icmp'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:42:07.498023 IP 10.24.11.201 > 10.20.1.225: ICMP echo request, id 15212, seq 208, length 64
09:42:08.537648 IP 10.24.11.201 > 10.20.1.225: ICMP echo request, id 15212, seq 209, length 64
09:42:09.577700 IP 10.24.11.201 > 10.20.1.225: ICMP echo request, id 15212, seq 210, length 64

root@ubuntu:~ $ sudo tcpdump -ni tun0 'icmp'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

root@client:~ $ ping 10.2.1.145

root@ubuntu:~ $ sudo tcpdump -ni br0 'icmp'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:43:32.055291 IP 10.24.11.201 > 10.2.1.145: ICMP echo request, id 15215, seq 12, length 64
09:43:33.099422 IP 10.24.11.201 > 10.2.1.145: ICMP echo request, id 15215, seq 13, length 64
09:43:34.135264 IP 10.24.11.201 > 10.2.1.145: ICMP echo request, id 15215, seq 14, length 64

root@ubuntu:~ $ sudo tcpdump -ni tun0 'icmp'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

It looks like the ICMP echo request packets are not being forwarded to tun0.

Ant*_*lov 5

So, let's try to troubleshoot your problem. For better understanding I drew the network topology. To clarify what happens, I graphically split the l2 and l3 processing inside your ubuntu host - this will help with further reasoning.

Network topology (diagram)

Check the following steps:

  • Check the routes on the wifi client (here and further, 10.24.11.X - replace with the actual IP address of this device). Your scheme needs one of two possibilities: default route via 10.24.11.15 or, better (I think), 10.2.0.0/16 via 10.24.11.15

  • Check the forwarding on the ubuntu host with the ip route get 10.2.1.145 from 10.24.11.X iif br0 and ip route get 10.24.11.X from 10.2.1.145 iif tun0 commands. It should return something like 10.2.1.145 from 10.24.11.X via 10.20.1.225 dev tun0 (a valid route). If it returns something like RTNETLINK answers: No route to host, it means you haven't enabled ip forwarding (globally or per interface). Enable it with the sysctl command. Also check forwarding on the tun0 and br0 interfaces with the ip netconf show dev ... command (there should be a forwarding on string).

  • Run the ping 10.2.1.145 command on the wifi client, and run tcpdump -ni br0 'icmp and ip host 10.24.11.X' and tcpdump -ni tun0 'icmp' on the ubuntu host. You should see some icmp echo request packets from the wifi client to the 10.2.1.145 host. If you don't see them, check the firewall with the iptables-save command (and paste the output into the question to get help with your case). If you see the icmp echo request but don't see the icmp echo reply in tcpdump, then you need to check the remote site.

  • Your scheme also needs some routing setup on the remote side (on the openvpn server). The openvpn server itself should have the route 10.24.11.0/24 via 10.20.1.226, and some remote host should have a route via the openvpn server. Another way to establish the connection - use NAT on the ubuntu host (but that is described later).

  • Run the ip route get 10.2.1.145 from 10.24.11.X iif tunX and ip route get 10.24.11.X from 10.2.1.145 iif ethZ commands on the openvpn server (where tunX and ethZ are the corresponding interfaces of the openvpn server). Both commands should show valid routes, otherwise check that forwarding is enabled with the ip netconf show command (and enable it with sysctl).

  • Run the tcpdump -ni tunX 'icmp and ip host 10.2.1.145' command on the openvpn server. You should see icmp echo requests coming in from the remote wifi client and icmp echo reply going out from the 10.2.1.145 host. If you don't see the icmp echo reply, run tcpdump (or wireshark) on some remote host and check the firewall settings on it.

  • If you don't have administrative access to the other side and can't set up routes on it, then you should use NAT on the ubuntu host. You should add the next rule into the firewall ruleset (better use the iptables-save and iptables-apply commands to be safe):

iptables -t nat -A POSTROUTING \
         -o tun0 \
    -j MASQUERADE
  • The last step is to check the firewall. Your setup needs to allow forwarding of packets through the ubuntu host. Simplified rules:
iptables -A FORWARD -i br0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o br0 -j ACCEPT
  • Then check the firewall rule counters in the iptables-save -c command output. The numbers in the square brackets are the match counters of the rule in the [packets:bytes] format. Restart the ping and check it. At least the NAT rule should be hit. Rule order matters!

  • If the steps above don't help solve your problem, add the additional information to the question and I will provide some additional steps for solving the problem.
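The counter and forwarding checks from the answer, as an added example that is not part of the original question or answer: a small Python parser for `iptables-save -c` output and `ip netconf show dev ...` lines. It is run over text constructed here from the two dumps pasted in the question (the `ip netconf` sample is deliberately altered so that br0 shows `forwarding off`, to exercise the failure branch; the real output above shows it on). It reports rules whose packet counters are still zero, how much each counter moved between two dumps taken around a test ping, and interfaces where forwarding is not enabled.

```python
import re

# Constructed sample: the first `iptables-save -c` dump from the question (20:30:31),
# trimmed to the filter and nat tables.
SAMPLE_BEFORE = """\
*filter
:INPUT ACCEPT [32:2202]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [49:4174]
[0:0] -A FORWARD -i br0 -o tun0 -j ACCEPT
[0:0] -A FORWARD -i tun0 -o br0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [4:268]
[0:0] -A POSTROUTING -o eth0 -j MASQUERADE
[16:1072] -A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
"""

# Constructed sample: the second dump from the question (20:31:24), taken after a ping.
SAMPLE_AFTER = """\
*filter
:INPUT ACCEPT [119:7998]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [218:19046]
[0:0] -A FORWARD -i br0 -o tun0 -j ACCEPT
[0:0] -A FORWARD -i tun0 -o br0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [9:603]
[0:0] -A POSTROUTING -o eth0 -j MASQUERADE
[36:2412] -A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
"""

# Constructed sample shaped like `ip netconf show dev ...`; br0 is deliberately
# set to `forwarding off` here so the check below has something to report.
SAMPLE_NETCONF = """\
ipv4 dev tun0 forwarding on rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
ipv4 dev br0 forwarding off rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
"""

# "[packets:bytes] -A CHAIN rule-spec" as emitted by iptables-save -c
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")


def parse_rule_counters(text):
    """Parse `iptables-save -c` output into one dict per -A rule.

    Chain policy lines (":CHAIN POLICY [p:b]"), comments and COMMIT are skipped;
    the current table is taken from the preceding "*table" line.
    """
    rules, table = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
            continue
        m = RULE_RE.match(line)
        if m and table is not None:
            packets, nbytes, chain, spec = m.groups()
            rules.append({"table": table, "chain": chain, "spec": spec,
                          "packets": int(packets), "bytes": int(nbytes)})
    return rules


def unhit_rules(text):
    """Return (table, chain, spec) for every rule whose packet counter is still 0."""
    return [(r["table"], r["chain"], r["spec"])
            for r in parse_rule_counters(text) if r["packets"] == 0]


def counter_delta(before, after):
    """Packets gained per rule between two dumps, keyed by (table, chain, spec).

    Keying by rule text rather than position means the comparison survives a
    rule being moved; two textually identical rules in one chain would collide.
    """
    key = lambda r: (r["table"], r["chain"], r["spec"])
    b = {key(r): r["packets"] for r in parse_rule_counters(before)}
    a = {key(r): r["packets"] for r in parse_rule_counters(after)}
    return {k: a[k] - b.get(k, 0) for k in a}


def forwarding_disabled(netconf_text):
    """Interface names whose `ip netconf show` line does not say `forwarding on`."""
    off = []
    for line in netconf_text.splitlines():
        fields = line.split()
        if "dev" in fields and "forwarding" in fields:
            dev = fields[fields.index("dev") + 1]
            state = fields[fields.index("forwarding") + 1]
            if state != "on":
                off.append(dev)
    return off


if __name__ == "__main__":
    for rule in unhit_rules(SAMPLE_AFTER):
        print("never matched:", rule)
    for rule, gained in counter_delta(SAMPLE_BEFORE, SAMPLE_AFTER).items():
        print("gained %d packets:" % gained, rule)
    print("forwarding off on:", forwarding_disabled(SAMPLE_NETCONF))
```

Reading the result the way the answer describes it: the nat POSTROUTING rule for tun0 gained packets between the two dumps, while both FORWARD rules stayed at zero, which is exactly the pattern to look at before checking the remote side. The `forwarding_disabled` check is the scripted form of looking for the `forwarding on` string in `ip netconf show dev ...`.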