Ping reply not forwarded to the originator; routing/IP forwarding issue on Linux

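I am trying to set up a site-to-site VPN using OpenVPN. The initial setup is done, and my OpenVPN client-side nodes (201.100.0.x) are able to communicate with the OpenVPN server-side nodes (192.0.0.x).

However, if I ping from a server-side node (192.0.0.32) to any client-side node (201.100.0.18), I don't get a response (I have added the correct routes on the end nodes). Analyzing with tcpdump, I can see the ping reply reaching my OpenVPN server.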

Server-side node: 192.0.0.32 (eth0)

Server: 192.0.0.39 (eth0); 10.8.0.1 (tun0)

Client-side node: 201.100.0.18 (eth0)

OpenvpnClient: 201.100.0.11 (eth0); 10.8.0.6 (tun0)

    server node> ping 201.100.0.18 -c 1
    PING 201.100.0.18 (201.100.0.18) 56(84) bytes of data.
    --- 201.100.0.18 ping statistics ---
    1 packets transmitted, 0 received, 100% packet loss, time 10000ms

Here is the tcpdump from the OpenVPN server's eth0:

    vpnserver>  tcpdump -nni eth0 icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    09:41:00.796021 IP 192.0.0.32 > 201.100.0.18: ICMP echo request, id 47432, seq 1, length 64
    09:41:00.836637 IP 201.100.0.18 > 192.0.0.32: ICMP echo reply, id 47432, seq 1, length 64

The ping reply comes back as far as 192.0.0.32 but is not forwarded to 192.0.0.39; I need to know why.

IP forwarding is enabled, and you can see the existing firewall rules below:

    *filter
    :INPUT ACCEPT [397:39519]
    :FORWARD ACCEPT [6:504]
    :OUTPUT ACCEPT [362:40521]
    -A FORWARD -i tun0 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i tun0 -o eth0 -j ACCEPT
    COMMIT
    # Completed on Thu Nov  3 09:45:05 2016
    # Generated by iptables-save v1.4.7 on Thu Nov  3 09:45:05 2016
    *nat
    :PREROUTING ACCEPT [31:3889]
    :POSTROUTING ACCEPT [22:1848]
    :OUTPUT ACCEPT [6:504]
    -A POSTROUTING -o eth0 -j MASQUERADE   << before adding this rule client sides nodes were not able to access server side nodes
    COMMIT
