Author: juliai (六赖)
Board: MIS
Title: [Discussion] Asking for advice on getting OpenVPN to reach the local network
Time: Fri Jun 19 20:08:12 2015
Hello everyone. I have recently been helping a friend test a VPN; the software in use is OpenVPN.
The architecture diagram is here:
http://i.imgur.com/VlxCZxP.png
The problem right now is that the tests all pass in the sense that I can reach the internet through the OpenVPN server, but I cannot connect to the company's internal network.
Phase 1
Two NICs.
eth0 has the dedicated external IP and eth1 has an internal IP; with a static route set on the host itself it can ping the 10.0.0.0 network,
but the VPN client cannot. The iptables config file is below.
Phase 2
Only one NIC, eth0, with a private IP, but the firewall has a public IP mapped to that private IP,
so the outside world can reach the VPN server. The problem is the same: cannot reach the internal hosts...
OS: CentOS 7.1
firewalld and SELinux have been turned off.
The config files used in both cases are as follows:
=======================================================
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT
=============================================================
/etc/openvpn.conf
=============================================================
port 1194
proto udp
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key
dh easy-rsa/keys/dh2048.pem
server 192.168.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 8.8.8.8"
;duplicate-cn
keepalive 10 120
tls-auth easy-rsa/keys/ta.key 0
cipher aes-256-cbc
comp-lzo
max-clients 10
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
push "route 10.0.0.0 255.0.0.0"
=============================================================
I have been wondering whether in Phase 1 iptables simply is not forwarding to the 10.0.0.0 network,
but after adding that it still cannot reach the internal network. The routing table on the Win 7 client does show 10.0.0.0,
yet it cannot ping hosts on that network.
I would appreciate everyone's thoughts on the above, thanks.
To speed up testing I wrote a simple install script for reference (still being revised):
=============================================================
#!/bin/bash
# Install packages (openvpn and easy-rsa come from EPEL on CentOS 7;
# iptables-services provides iptables.service once firewalld is disabled)
yum install epel-release -y
yum install openvpn easy-rsa iptables-services -y
# Enable IPv4 forwarding in a drop-in file instead of overwriting /etc/sysctl.conf
echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-openvpn.conf
sysctl -p /etc/sysctl.d/99-openvpn.conf
cat > /etc/sysconfig/iptables << EOA
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# Open 1194 for incoming OpenVPN connections
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# (optional) let VPN clients reach the internet through eth0
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Add SNAT; MASQUERADE picks up eth0's current IP address automatically and SNATs outbound traffic with it
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT
EOA
systemctl disable firewalld.service
systemctl stop firewalld.service
systemctl enable iptables.service
systemctl restart iptables.service
mkdir -p /etc/openvpn/easy-rsa
cp -R /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
ln -s /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
# build keys
cd /etc/openvpn/easy-rsa/
. ./vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
./pkitool client
openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key
cat > /etc/openvpn/server.conf << VPN
port 1194
proto udp
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key # This file should be kept secret
dh easy-rsa/keys/dh2048.pem
server 192.168.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 8.8.8.8"
# Route to the internal network, as in the posted config
push "route 10.0.0.0 255.0.0.0"
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
# Allows several clients to connect at once. If the clients' certificate Common Names are duplicated, or all clients connect with the same CA and keys, this option must be enabled, otherwise only one connection is allowed.
;duplicate-cn
keepalive 10 120
tls-auth easy-rsa/keys/ta.key 0 # This file is secret; tls-auth reduces the DDoS risk
cipher aes-256-cbc
comp-lzo
max-clients 10
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
VPN
systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service
=============================================================
--
※ Posted from: 批踢踢实业坊 (ptt.cc), from: 50.117.78.152
※ Article URL: https://webptt.com/cn.aspx?n=bbs/MIS/M.1434715694.A.414.html
※ Edited: juliai (50.117.78.152), 06/19/2015 20:08:45
1F: → deadwood: The internal network does not know the VPN tunnel's subnet 06/19 20:20
2F: → deadwood: You could try adding another NAT toward the internal network, translating to your server's internal IP 06/19 20:21
3F: → deadwood: Also, the FORWARD rules toward the internal network do need to be added 06/19 20:48
It worked, thanks!
4F: 推 asdfghjklasd: Have you checked with company IT about doing this? You are punching a hole into the company network 06/19 21:09
No need to ask... my friend asked me to help XD
5F: 推 xxoo1122: Use pfSense; you can have it set up in ten minutes 06/19 21:35
Thanks for the suggestion, but right now I can only use CentOS.
6F: → deadwood: I believe someone who can get a public IP allocated from the firewall is no ordinary user XD 06/19 21:44
7F: → deadwood: That said, for a VPN meant to let people who have just started travelling get back into the company, the firewall 06/19 21:45
8F: → deadwood: should be able to do that too 06/19 21:46
I really dislike using Fortinet's SSL VPN... you have to install a bunch of stuff, and after connecting successfully once
it never connects again, reason unknown.
Solved.
Phase 1
Besides the eth0 NAT, an eth1 one also has to be added:
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
The FORWARD part also needs to be added:
# If eth1 connects to the internal network, add the same rules; the NIC name must be correct
-A FORWARD -i eth1 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth1 -j ACCEPT
For Phase 2, I had not noticed that the NIC is named enxxxx;
after replacing eth0 with enxxx it works.
No other devices were touched in either case; only the OpenVPN server was modified.
One more thing to watch in vi /etc/openvpn/server.conf:
# The virtual subnet between the VPN server and clients; it must be completely separate and must match iptables
server 192.168.0.0 255.255.255.0
# This part just has to match the internal network's subnet
push "route 10.0.0.0 255.0.0.0"
I will test site-to-site when I have time.
Also, I would like to ask whether anyone can recommend an OpenVPN authentication method; certificates feel quite secure
but are a little bit of a hassle.
※ Edited: juliai (216.172.148.23), 06/20/2015 12:45:06
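Everything the thread ended up fixing (FORWARD ACCEPT in both directions between tun0 and the internal NIC, a MASQUERADE of the tunnel subnet out that NIC, the exact kernel NIC name, and a tunnel subnet that matches iptables and is disjoint from the pushed route) can be checked mechanically against `iptables-save` output and `server.conf` before anyone tries to ping. The script below is an added example, not code from the post or from OpenVPN; it embeds the posted ruleset and config lines as constructed input, and the function names are my own. It also flags the posted 192.168.0.0/24 tunnel pool, which is one of the most common home-router ranges, so a client whose own LAN uses it gets an address clash with the tunnel. Two caveats the thread does not mention: MASQUERADE on eth1 hides client addresses from the internal hosts' logs, and a route for the tunnel subnet pointing at the server's eth1 address on the internal gateway achieves the same reachability while keeping them visible; and the `comp-lzo` in the posted config is worth revisiting, since OpenVPN compression was later shown to leak plaintext (the VORACLE attack) and current OpenVPN documentation recommends leaving compression off.

```python
"""Consistency check for an OpenVPN server.conf plus an iptables-save dump.

Added example, not code from the original post. Checks what the thread ended
up fixing: FORWARD ACCEPT both ways between the tun interface and the internal
NIC, a MASQUERADE/SNAT of the tunnel subnet out that NIC, and a tunnel subnet
that does not overlap the network pushed to clients. The rule text below is
copied from the post as constructed input; function names are my own.
"""
import ipaddress
import shlex

# Constructed input: the FORWARD/NAT rules from the original post ("Phase 1").
BROKEN_IPTABLES = """\
*filter
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT
"""

# Constructed input: the same rules plus the eth1 lines the author added later.
FIXED_IPTABLES = BROKEN_IPTABLES.replace(
    "-A FORWARD -j REJECT",
    "-A FORWARD -i eth1 -o tun0 -j ACCEPT\n"
    "-A FORWARD -i tun0 -o eth1 -j ACCEPT\n"
    "-A FORWARD -j REJECT",
).replace(
    "-o eth0 -j MASQUERADE",
    "-o eth0 -j MASQUERADE\n"
    "-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE",
)

# Constructed input: the lines of the posted server.conf that matter here.
SERVER_CONF = """\
server 192.168.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
;duplicate-cn
tls-auth easy-rsa/keys/ta.key 0 # This file is secret
push "route 10.0.0.0 255.0.0.0"
"""

# Tunnel pools that collide with very common LANs; a client sitting on such a
# LAN gets an address clash between its local network and the tunnel.
COMMON_LAN_RANGES = [ipaddress.ip_network(n) for n in
                     ("192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24")]


def _opts(toks):
    """Collect the single-argument options this check uses from one -A rule."""
    return {k: v for k, v in zip(toks, toks[1:]) if k in ("-i", "-o", "-s", "-j")}


def parse_iptables_save(text):
    """Return (forward_pairs, masq): the accepted (in_if, out_if) FORWARD pairs
    and the (source_net, out_if) of every POSTROUTING MASQUERADE/SNAT rule."""
    forward, masq = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        chain, o = toks[1], _opts(toks)
        if chain == "FORWARD" and o.get("-j") == "ACCEPT" and "-i" in o and "-o" in o:
            forward.add((o["-i"], o["-o"]))
        elif chain == "POSTROUTING" and o.get("-j") in ("MASQUERADE", "SNAT"):
            masq.append((ipaddress.ip_network(o.get("-s", "0.0.0.0/0")), o.get("-o")))
    return forward, masq


def parse_server_conf(text):
    """Return (tunnel_net, pushed_routes) from the 'server' and 'push route' lines."""
    tunnel, routes = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        toks = shlex.split(line)
        if toks[0] == "server" and len(toks) >= 3:
            tunnel = ipaddress.ip_network(f"{toks[1]}/{toks[2]}", strict=False)
        elif toks[0] == "push" and len(toks) == 2:
            inner = toks[1].split()
            if len(inner) >= 3 and inner[0] == "route":
                routes.append(ipaddress.ip_network(f"{inner[1]}/{inner[2]}", strict=False))
    return tunnel, routes


def check(iptables_text, server_conf, tun_if, internal_if):
    """Return a list of findings; an empty list means the config is consistent.
    tun_if and internal_if must be the kernel's real names (see `ip -o link`):
    a rule for eth0 on a host whose NIC is enp0s3 matches nothing, which is
    exactly how the post's Phase 2 failed."""
    forward, masq = parse_iptables_save(iptables_text)
    tunnel, routes = parse_server_conf(server_conf)
    if tunnel is None:
        return ["server.conf has no 'server' line"]
    findings = []
    for pair in ((tun_if, internal_if), (internal_if, tun_if)):
        if pair not in forward:
            findings.append(f"no FORWARD ACCEPT for -i {pair[0]} -o {pair[1]}")
    if not any(out == internal_if and tunnel.subnet_of(net) for net, out in masq):
        findings.append(f"no MASQUERADE/SNAT covering {tunnel} out {internal_if} "
                        f"(alternative: route {tunnel} to this host on the LAN gateway)")
    for route in routes:
        if route.overlaps(tunnel):
            findings.append(f"pushed route {route} overlaps tunnel subnet {tunnel}")
    if any(tunnel.overlaps(common) for common in COMMON_LAN_RANGES):
        findings.append(f"warning: tunnel subnet {tunnel} is a common LAN range; "
                        "pick a less common private range for the pool")
    return findings


if __name__ == "__main__":
    for label, rules in (("posted", BROKEN_IPTABLES), ("fixed", FIXED_IPTABLES)):
        print(f"{label} ruleset:")
        for finding in check(rules, SERVER_CONF, "tun0", "eth1") or ["ok"]:
            print("  ", finding)
```

On a real server, feed it `iptables-save` output and `/etc/openvpn/server.conf`, and take the interface names from `ip -o link` rather than assuming eth0/eth1. The posted ruleset produces four findings (both missing FORWARD pairs, the missing eth1 NAT, and the pool warning); the author's fixed ruleset produces only the pool warning, and running it with a misspelled NIC name reproduces the Phase 2 failure.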
9F: 推 lovespre: For s2s, openswan is pretty simple 06/20 13:53