[Question title]: openbsd npppd pppx0 VPN Client can access wan but cannot access lan
[Posted]: 2015-12-15 20:11:22
[Question]:

I am running OpenBSD 5.8, npppd and multipath, and have tried the same on 5.7 and 5.3. npppd works fine; clients can connect using the Windows PPTP client. The client sets the PPTP connection as its default gateway and can reach the Internet through the VPN gateway, but cannot reach the LAN. Traffic arrives at the pppx0 interface but is never forwarded to LAN IP addresses. I have been searching and trying for over 2 weeks and cannot figure this out. Set everything to pass in pf.conf and enabled only NAT, still no result.

Setup: OpenBSD 5.8 with npppd using pppx0 or tun0 and pf; 2 WAN interfaces with equal-cost routes (net.inet.ip.multipath=1); 1 LAN interface

sysctl.conf

net.inet.ip.forwarding=1
net.inet.ip.multipath=1
net.inet.gre.allow=1
net.pipex.enable=1

npptp.conf:

set max-session 20
set user-max-session 5
authentication LOCAL type local {
    users-file "/etc/npppd/npppd-users"
}
tunnel VPN protocol pptp {
    listen on 0.0.0.0
}
ipcp IPCP {
    pool-address 10.219.219.2-10.219.219.100
    dns-servers 192.168.0.189 192.168.0.19
    nbns-servers 192.168.0.189 192.168.0.19
}
interface pppx0 address 10.219.219.1 ipcp IPCP 
bind tunnel from VPN authenticated by LOCAL to pppx0

pf.conf

### NAT
    match out log on $ext1_if from $int_net nat-to ($ext1_if)
    match out log on $ext2_if from $int_net nat-to ($ext2_if)

  ## vpn
    pass quick log on pppx
    match out log on $ext1_if from $vpn_net nat-to ($ext1_if)
    match out log on $ext2_if from $vpn_net nat-to ($ext2_if)
    match out log on $int_if from $vpn_net nat-to ($int_if)

### FILTER RULES
    block log quick inet6
    block in log on $ext1_if
    block in log on $ext2_if

  ## allow ping, traceroute and echo
    pass in log inet proto icmp all icmp-type $icmp_types

  ## pass connections to vpn server
    pass log proto { gre } from any to any keep state
    pass in log on $ext1_if proto tcp from any to $ext1_if port 1723
    pass in log on $ext2_if proto tcp from any to $ext2_if port 1723
    pass in  on enc0 from $vpn_net to $int_net keep state (if-bound)
    pass out on enc0 from $int_net to $vpn_net keep state (if-bound)
    pass in  on pppx from $vpn_net to $int_net keep state (if-bound)
    pass out on pppx from $int_net to $vpn_net keep state (if-bound)

netstat -rn routing table

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            a.a.a.113          UGSP       0  1073494     -     8 em0
default            b.b.b.97           UGSP       4    10294     -     8 em1
10.219.219.1       10.219.219.1       UHl        0        0     -     1 lo0
10.219.219.14      10.219.219.1       UH         0      679     -     8 pppx0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHl        1        4 32768     1 lo0
b.b.b.96/28        b.b.b.110          UC         1        0     -     8 em1
b.b.b.97           bc:16:65:34:33:81  UHLc       1        0     -     8 em1
b.b.b.110          00:15:17:48:7b:23  HLl        0        0     -     1 lo0
b.b.b.111          b.b.b.110      UHb        0        0     -     1 em1
192.168.0/22       192.168.0.238      UC         9        0     -     8 em3
192.168.0.4        00:25:90:7c:40:cf  UHLc       0        4     -     8 em3
192.168.0.5        00:30:48:7d:7c:64  UHLc       0        1     -     8 em3
192.168.0.6        00:25:90:3c:30:67  UHLc       0        2     -     8 em3
192.168.0.10       f4:6d:04:29:ea:f7  UHLc       0        4     -     8 em3
192.168.0.19       00:25:90:72:89:1a  UHLc       0     8388     -     8 em3
192.168.0.189      00:30:48:d8:f0:0b  UHLc       0     9661     -     8 em3
192.168.0.238      00:25:90:d0:17:10  HLl        0        0     -     1 lo0
192.168.0.253      00:25:90:af:5d:0a  UHLc       0      154     -     8 em3
192.168.2.167      50:e5:49:e6:c3:3c  UHLc       0     2048     -     8 em3
192.168.3.202      00:25:90:af:5d:0a  UHLc       1     9329     - L   8 em3
192.168.3.255      192.168.0.238      UHb        0        0     -     1 em3
a.a.a.112/28       a.a.a.126          UC         2        0     -     8 em0
a.a.a.113          00:00:5e:00:01:0c  UHLc       1        0     -     8 em0
a.a.a.116          00:25:90:af:5d:0b  UHLc       2    34417     - L   8 em0
a.a.a.126          00:15:17:48:7b:22  HLl        0        0     -     1 lo0
a.a.a.127          a.a.a.126          UHb        0        0     -     1 em0
224/4              127.0.0.1          URS        0        0 32768     8 lo0

[Discussion]:

    Tags: networking openbsd pptp


    [Solution 1]:

    I'm used to pf on FreeBSD, and it looks like pf or the kernel on OpenBSD sets "block all" on any interface that has no role defined with a skip or pass rule in pf.conf, which is a good thing because it closes unexpected security holes.

    This machine is the gateway to the Internet, serves as the VPN server, and is load balancing 2 leased lines. Another problem I found is the rule that every NPPPD tutorial on the net mentions.

    pass log proto { gre } from any to any keep state
    

    I changed it to the following to make sure it does not interfere with any NAT'ed outgoing connections.

    pass log inet proto gre from any to $ext1_if modulate state
    

    This rule is not necessary; it would only stop clients on the local network from reaching a VPN server on the Internet through the OpenBSD firewall. GRE is negotiated between the VPN server software on the client and the server and gets through anyway. Only port 1723 needs to be open for incoming connections, and only on the external interfaces ($ext_if).

    Below is the relevant pf.conf for openbsd/NPPTP

    ### NAT
      ## int net
        match out log on $ext1_if from $int_net nat-to ($ext1_if) static-port
        match out log on $ext2_if from $int_net nat-to ($ext2_if) static-port
    
      ## vpn
        match out log on $ext1_if from $vpn_net nat-to ($ext1_if) static-port
        match out log on $ext2_if from $vpn_net nat-to ($ext2_if) static-port
        match out log on $int_if from $vpn_net nat-to ($int_if) static-port
    
    ### FILTER RULES
        block drop quick inet6
        block log all
        pass out log
    
      ## allow ping, traceroute and echo
        pass in log inet proto icmp all icmp-type $icmp_types
    
      ## internal network
        pass in log on $int_if
    
      ## pass connections to vpn server
        pass in log on pppx
        pass log inet proto gre from any to $ext1_if modulate state
        pass log inet proto gre from any to $ext2_if modulate state
        pass out log inet proto gre from any to any modulate state
        pass in log on $ext1_if proto tcp from any to $ext1_if port 1723
        pass in log on $ext2_if proto tcp from any to $ext2_if port 1723
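
To show how the filter section above is evaluated, here is an added Python model of pf's rule-evaluation order (last matching rule wins, `quick` stops evaluation, and pf's default verdict when nothing matches is pass, which is why the explicit `block log all` matters) applied to the answer's rules; it is example code, not part of the original post or of OpenBSD. The interface names em0 and em3 for $ext1_if and $int_if, and 192.0.2.126 standing in for a.a.a.126, are assumptions; the icmp rule and the $ext2_if rules are left out because the post does not show $icmp_types, and the NAT `match` lines do not affect the verdict.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# em0 / em3 for $ext1_if / $int_if and the address standing in for a.a.a.126 are assumptions.
EXT1_ADDR = ipaddress.ip_network("192.0.2.126/32")   # address of $ext1_if

@dataclass
class Rule:
    action: str                          # "pass" or "block"
    direction: Optional[str] = None      # "in", "out" or None for both
    iface: Optional[str] = None          # interface name or group, e.g. "pppx"
    af: Optional[str] = None             # "inet", "inet6" or None
    proto: Optional[str] = None          # "tcp", "gre", ... or None
    dst: ipaddress.IPv4Network = ipaddress.ip_network("0.0.0.0/0")  # "to any"
    dport: Optional[int] = None
    quick: bool = False

    def matches(self, p):
        # "on pppx" names the interface group that contains pppx0, pppx1, ...
        on_if = self.iface is None or p["iface"] == self.iface or (
            p["iface"].startswith(self.iface) and p["iface"][len(self.iface):].isdigit())
        return (on_if and self.direction in (None, p["direction"])
                and self.af in (None, p["af"]) and self.proto in (None, p["proto"])
                and (p["af"] != "inet" or ipaddress.ip_address(p["dst"]) in self.dst)
                and self.dport in (None, p["dport"]))
# The answer's filter rules in order; 'log' and 'modulate state' do not change the verdict.
RULES = [
    Rule("block", af="inet6", quick=True),                # block drop quick inet6
    Rule("block"),                                        # block log all
    Rule("pass", direction="out"),                        # pass out log
    Rule("pass", direction="in", iface="em3"),            # pass in log on $int_if
    Rule("pass", direction="in", iface="pppx"),           # pass in log on pppx
    Rule("pass", af="inet", proto="gre", dst=EXT1_ADDR),  # pass ... gre from any to $ext1_if
    Rule("pass", direction="out", af="inet", proto="gre"),  # pass out ... gre from any to any
    Rule("pass", direction="in", iface="em0", proto="tcp", dst=EXT1_ADDR, dport=1723),
]

def pkt(direction, iface, proto, src, dst, dport=None, af="inet"):
    return dict(direction=direction, iface=iface, af=af, proto=proto,
                src=src, dst=dst, dport=dport)

def decide(p, rules=RULES):
    """pf semantics: the last matching rule wins unless a matching rule is 'quick'."""
    verdict = "pass"                     # pf's default verdict when no rule matches at all
    for r in rules:
        if r.matches(p):
            verdict = r.action
            if r.quick:                  # 'quick' ends evaluation at this rule
                break
    return verdict
```

A VPN client's packet arriving on pppx0 for a LAN host passes only because "pass in log on pppx" comes after "block log all"; the same packet from the WAN side on em0 stays blocked.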
    

    [Discussion]:
