Explanation of "Including multiple machines on the client side when using a routed VPN (dev tun)"
Configuring the LAN to share one OpenVPN connection
The network is as follows:
Host 192.168.0.26 ----> (192.168.0.4) Gateway -----> Internet
\__ (20.8.0.5) _____ OpenVPN Server (20.8.0.6) ----> Internet
I ping 199.59.148.10 from Host; on the Gateway, an ipset match routes those packets over OpenVPN.
The ping request goes out through OpenVPN and the reply comes back, but the reply is not forwarded to Host. Below is a capture on the gateway.
However, as soon as I add one route, ip route add 199.59.148.10 dev tun1, the reply is forwarded to Host.
Capture on the gateway:
# tcpdump -ni tun1 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun1, link-type RAW (Raw IP), capture size 65535 bytes
17:29:13.569594 IP 192.168.0.26 > 199.59.148.10: ICMP echo request, id 44075, seq 14, length 64
17:29:13.761310 IP 199.59.148.10 > 192.168.0.26: ICMP echo reply, id 44075, seq 14, length 64
17:29:14.570779 IP 192.168.0.26 > 199.59.148.10: ICMP echo request, id 44075, seq 15, length 64
17:29:14.763149 IP 199.59.148.10 > 192.168.0.26: ICMP echo reply, id 44075, seq 15, length 64
17:29:15.568342 IP 192.168.0.26 > 199.59.148.10: ICMP echo request, id 44075, seq 16, length 64
17:29:15.761056 IP 199.59.148.10 > 192.168.0.26: ICMP echo reply, id 44075, seq 16, length 64
root@Juphoon-Gateway:/home/bob# tcpdump -ni eth1 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
17:29:21.575493 IP 192.168.0.26 > 199.59.148.10: ICMP echo request, id 44075, seq 22, length 64
17:29:22.576836 IP 192.168.0.26 > 199.59.148.10: ICMP echo request, id 44075, seq 23, length 64
17:29:23.576758 IP 192.168.0.26 > 199.59.148.10: ICMP echo request, id 44075, seq 24, length 64
root@Juphoon-Gateway:/proc/sys/net/netfilter# conntrack -L -p icmp
icmp 1 29 src=192.168.0.26 dst=199.59.148.10 type=8 code=0 id=44075 src=199.59.148.10 dst=192.168.0.26 type=0 code=0 id=44075 mark=0 use=1
Can anyone discuss the cause?
From the symptoms, it looks to me as if OpenVPN has already decoded the reply correctly, but after conntrack I don't know where the packet goes.
Also, why does adding one route to the main table make forwarding work correctly? What is the reason for that?
I drew a diagram to describe it.
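The setup the post describes (LAN hosts policy-routed through tun1 by an ipset match, with the reply dropped on the gateway even though tcpdump sees it on tun1) as an added example; this is editor-written code, not from the poster or from OpenVPN. The symptom in the captures, a reply visible on tun1 that never reaches the LAN, with conntrack showing a normal entry and a single main-table route fixing it, is the signature of Linux reverse-path filtering: the reply carries no fwmark, so the reverse lookup for its source 199.59.148.10 uses the main table, which points at the WAN rather than tun1, and strict rp_filter discards it before forwarding. The script below sets up the policy routing and puts tun1 in loose mode instead. Interface names eth1 (LAN) and tun1 are taken from the captures; the ipset name vpn_dst, fwmark 0x1 and table 100 are assumptions.

```sh
#!/bin/sh
# Added example (not the original poster's code): policy-route a set of
# destinations from the LAN through tun1, and relax reverse-path filtering on
# tun1 so replies arriving there are not silently dropped by source validation.
# Assumptions (not stated in the post): LAN interface eth1, VPN interface tun1,
# ipset "vpn_dst", fwmark 0x1, routing table 100. Run as root: ./vpnroute.sh apply
set -eu

TUN=tun1
LAN=eth1
SET=vpn_dst
MARK=0x1
TABLE=100

# Meaning of an rp_filter sysctl value.
rpf_name() {
    case "$1" in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo unknown ;;
    esac
}

# The kernel applies max(conf/all/rp_filter, conf/<iface>/rp_filter) to <iface>,
# so a strict "all" setting can only be relaxed by a value of 2 on the interface.
rpf_effective() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Whether source validation drops a packet received on an interface.
#   $1 = effective rp_filter mode for that interface
#   $2 = 1 if the route back to the packet's source leaves via that same interface, else 0
# Strict (1) drops unless the reverse route is via the receiving interface;
# loose (2) only needs some route to the source to exist (assumed present here).
reply_dropped() {
    [ "$1" -eq 1 ] && [ "$2" -eq 0 ]
}

apply() {
    sysctl -w net.ipv4.ip_forward=1
    # Destinations that should go via the VPN (the host pinged in the post).
    ipset create "$SET" hash:ip -exist
    ipset add "$SET" 199.59.148.10 -exist
    # Mark LAN traffic to those destinations before the routing decision (idempotent: -C then -A).
    iptables -t mangle -C PREROUTING -i "$LAN" -m set --match-set "$SET" dst -j MARK --set-mark "$MARK" 2>/dev/null ||
    iptables -t mangle -A PREROUTING -i "$LAN" -m set --match-set "$SET" dst -j MARK --set-mark "$MARK"
    # Marked packets use a table whose default route is the tunnel; unmarked replies use main.
    ip rule del fwmark "$MARK" lookup "$TABLE" 2>/dev/null || true
    ip rule add fwmark "$MARK" lookup "$TABLE"
    ip route replace default dev "$TUN" table "$TABLE"
    # Replies come back on tun1 from 199.59.148.10, but the reply has no mark, so the
    # reverse-path lookup uses the main table, which reaches that address via the WAN.
    # Strict rp_filter therefore drops the reply; loose mode keeps it. This is the same
    # effect as the poster's workaround "ip route add 199.59.148.10 dev tun1", which
    # instead makes the main-table reverse lookup resolve to tun1.
    sysctl -w "net.ipv4.conf.$TUN.rp_filter=2"
    # Make any remaining source-validation drops visible in the kernel log.
    sysctl -w "net.ipv4.conf.$TUN.log_martians=1"
}

check() {
    all=$(cat /proc/sys/net/ipv4/conf/all/rp_filter)
    ifc=$(cat "/proc/sys/net/ipv4/conf/$TUN/rp_filter")
    eff=$(rpf_effective "$all" "$ifc")
    echo "$TUN rp_filter: all=$(rpf_name "$all") iface=$(rpf_name "$ifc") effective=$(rpf_name "$eff")"
    # Which interface the main table (and thus the reverse-path check) uses for the VPN peer:
    ip route get 199.59.148.10
}

case "${1:-}" in
    apply) apply ;;
    check) check ;;
esac
```

Run `./vpnroute.sh check` first: if the effective mode on tun1 is strict and `ip route get 199.59.148.10` shows a non-tun1 device, replies on tun1 will be discarded, and with log_martians enabled dmesg reports them as "martian source". The script deliberately applies no NAT on tun1, because the capture shows the LAN address 192.168.0.26 as the source on the tunnel; that only works if the OpenVPN server has a route (iroute) back to 192.168.0.0/24, which is what the HOWTO section named in the title covers. If you would rather keep strict filtering, the alternative is to restore the connection mark onto replies in mangle PREROUTING (CONNMARK --save-mark on the request, --restore-mark on tun1 input) and set net.ipv4.conf.tun1.src_valid_mark=1 so the reverse lookup honours the mark.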