各位板上大大好，最近幫朋友測試VPN使用的軟體為OpenVPN 架構圖如下： http://i.imgur.com/VlxCZxP.png 現在的問題在於測試都可以通，可透過OpenVPN Server上網，但是對公司的內網卻無法連 線 Phase 1 有兩張網卡 eth0 為對外獨立ip，配上eth1內網ip，本機設定static route 可ping 10.0.0.0網段 但是VPN Client卻不行 iptables設定檔如下 Phase 2 只有一張網卡eth0，ip為private ip，但防火牆有開一組public ip 對應到該private ip 所以外網可連至VPN Server，問題也是一樣...連不到內網主機 os：CentOS 7.1 有把firewalld 跟 selinux關閉 兩者使用設定檔如下 ======================================================= *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -i eth0 -o tun0 -j ACCEPT -A FORWARD -i tun0 -o eth0 -j ACCEPT -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT *nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE COMMIT ============================================================= /etc/openvpn.conf ============================================================= port 1194 proto udp dev tun ca easy-rsa/keys/ca.crt cert easy-rsa/keys/server.crt key easy-rsa/keys/server.key dh easy-rsa/keys/dh2048.pem server 192.168.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 8.8.4.4" push "dhcp-option DNS 8.8.8.8" ;duplicate-cn keepalive 10 120 tls-auth easy-rsa/keys/ta.key 0 cipher aes-256-cbc comp-lzo max-clients 10 persist-key persist-tun status /var/log/openvpn-status.log log-append /var/log/openvpn.log verb 3 push "route 10.0.0.0 255.0.0.0" ============================================================= 在思考phase 1 是不是iptables 沒有forward到10.0.0.0的網段 但是加了以後也連不到內網，win 7 client 看routing table有顯示10.0.0.0 卻ping 不到該網段主機 以上再請各位大大一起討論了，感謝。 為了加快測試，所以寫了一個簡單的安裝腳本供大大們參考(還在修改中)： ============================================================= #!/bin/bash # Insatll packages yum install openvpn easy-rsa -y echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.conf sysctl -p cat > /etc/sysconfig/iptables << EOA *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT #開啟1194供openvpn連入 -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited #(option)使VPN用戶端可透過eth0連外上internet -A FORWARD -i eth0 -o tun0 -j ACCEPT -A FORWARD -i tun0 -o eth0 -j ACCEPT -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT *nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] #加入SNAT， MASQUERADE會自動讀取eth0現在的ip地址然後做SNAT出去 -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE COMMIT EOA systemctl disable firewalld.service systemctl stop firewalld.service systemctl enable iptables.service systemctl restart iptables.service mkdir /etc/openvpn/easy-rsa cp -R /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/ ln -s /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf # bulid keys cd /etc/openvpn/easy-rsa/ . ./vars ./clean-all ./build-dh ./pkitool --initca ./pkitool --server server ./pkitool client openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key cat > /etc/openvpn/server.conf << VPN port 1194 proto udp dev tun ca easy-rsa/keys/ca.crt cert easy-rsa/keys/server.crt key easy-rsa/keys/server.key # This file should be kept secret dh easy-rsa/keys/dh2048.pem server 192.168.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 8.8.4.4" push "dhcp-option DNS 8.8.8.8" # IF YOU HAVE NOT GENERATED INDIVIDUAL # CERTIFICATE/KEY PAIRS FOR EACH CLIENT, # EACH HAVING ITS OWN UNIQUE "COMMON NAME", # UNCOMMENT THIS LINE OUT. #開啟允許多個客戶端同時連接.如果Client使用的CA的Common Name 有重複,或者說客戶 端都使用相同的CA 和keys 連接VPN,一定要打開這個選項,否則只允許一個人連接 ;duplicate-cn keepalive 10 120 tls-auth easy-rsa/keys/ta.key 0 # This file is secret #開啟tls-auth降低DDoS風 險 cipher aes-256-cbc comp-lzo max-clients 10 persist-key persist-tun status /var/log/openvpn-status.log log-append /var/log/openvpn.log verb 3 VPN systemctl -f enable [email protected] systemctl start [email protected] ============================================================= --

※ 發信站: 批踢踢實業坊(ptt.cc), 來自: 50.117.78.152 ※ 文章網址: https://webptt.com/m.aspx?n=bbs/MIS/M.1434715694.A.414.html ※ 編輯: juliai (50.117.78.152), 06/19/2015 20:08:45 成功了，感謝大大 不用問...朋友請我幫忙的XD 感謝大大建議，不過現在只能用centos 很討厭用fortinet的ssl vpn...還要裝一堆有的沒有的，連成功過一次 之後就都連不上了，原因不明 已解決 Phase 1 除了eth0 nat還要加入eth1的 -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE forward部分也是要加入 #如有eth1連接至內網則需增加相同規則，網卡名稱需正確 -A FORWARD -i eth1 -o tun0 -j ACCEPT -A FORWARD -i tun0 -o eth1 -j ACCEPT Phase 2 的部分因為沒注意到網卡是enxxxx 把eth0換成enxxx就可以通了 兩者中間沒有動用任何設備，只有修改openvpn server 另外要注意的是vi /etc/openvpn/server.conf # VPN Server 與client 間虛擬的網段，需完全獨立且須與iptables一致 server 192.168.0.0 255.255.255.0 #這部分跟內網網段一致即可 push "route 10.0.0.0 255.0.0.0" 之後有時間再來測試site to site 另外想問一下有沒有推薦的openvpn驗證方式，雖然用憑證感覺滿安全的 但有一點點小麻煩 ※ 編輯: juliai (216.172.148.23), 06/20/2015 12:45:06