I'm running OpenVPN on pfSense 2.3.2. It now mostly works except for one small thing: I can connect to anything on the LAN except the pfSense server itself.
Some details:
- I'm using 172.16.104.0/21 as the IP address range.
- The firewall is at 172.16.104.1.
- The DHCP range for OpenVPN clients is 172.16.105.10-50.
- OpenVPN is configured with tap, UDP.
- ovpns1 is assigned to OPT1, and OPT1 and LAN are bridged (bridge0).
The reason I'm using tap and bridging is that I have a lot of Apple devices and want Bonjour and other multicast/broadcast-based things to work properly over the VPN.
All of this works for any address on the LAN network except 172.16.104.1 (the firewall). No client can ping or connect to 172.16.104.1, and 172.16.104.1 can't ping or connect to any client.
Using tcpdump reveals some other weirdness:
If I ping the server from a client that is running tcpdump in another session, it looks like I'm receiving replies, but ping doesn't report them?
ping -c2 172.16.104.1
PING 172.16.104.1 (172.16.104.1) 56(84) bytes of data.
--- 172.16.104.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1009ms
But in a tcpdump session on the same machine:
IP 172.16.105.3 > 172.16.104.1: ICMP echo request, id 17069, seq 1, length 64
IP 172.16.104.1 > 172.16.105.3: ICMP echo reply, id 17069, seq 1, length 64
IP 172.16.105.3 > 172.16.104.1: ICMP echo request, id 17069, seq 2, length 64
IP 172.16.104.1 > 172.16.105.3: ICMP echo reply, id 17069, seq 2, length 64
From the pfSense server:
tcpdump -n -i ovpns1 -t icmp
tcpdump: WARNING: ovpns1: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ovpns1, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 172.16.105.3 > 172.16.104.1: ICMP echo request, id 17084, seq 1, length 64
IP 172.16.104.1 > 172.16.105.3: ICMP echo reply, id 17084, seq 1, length 64
IP 172.16.105.3 > 172.16.104.1: ICMP echo request, id 17084, seq 2, length 64
IP 172.16.104.1 > 172.16.105.3: ICMP echo reply, id 17084, seq 2, length 64
This is an Ubuntu Linux machine with no firewall.
So the pfSense box thinks it's sending replies, the Linux box thinks it's receiving replies, but ping still reports 100% packet loss?
If I ping a different, non-server address, I get replies:
ping -c2 172.16.104.2
PING 172.16.104.2 (172.16.104.2) 56(84) bytes of data.
64 bytes from 172.16.104.2: icmp_seq=1 ttl=64 time=34.6 ms
64 bytes from 172.16.104.2: icmp_seq=2 ttl=64 time=34.1 ms
--- 172.16.104.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 34.165/34.401/34.638/0.300 ms
And in the tcpdump shell:
IP 172.16.105.3 > 172.16.104.2: ICMP echo request, id 17068, seq 1, length 64
IP 172.16.104.2 > 172.16.105.3: ICMP echo reply, id 17068, seq 1, length 64
IP 172.16.105.3 > 172.16.104.2: ICMP echo request, id 17068, seq 2, length 64
IP 172.16.104.2 > 172.16.105.3: ICMP echo reply, id 17068, seq 2, length 64
Here is the OpenVPN server configuration I dumped from pfSense:
dev ovpns1
verb 1
dev-type tap
dev-node /dev/tap1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local <omitted>
tls-server
server-bridge 172.16.104.1 255.255.248.0 172.16.105.10 172.16.105.50
client-config-dir /var/etc/openvpn-csc/server1
tls-verify "/usr/local/sbin/ovpn_auth_verify tls '<omitted>' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route 172.16.104.0 255.255.248.0"
client-to-client
duplicate-cn
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
persist-remote-ip
float
mode server
From the client:
dev tap
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote <omitted> 1194 udp
lport 0
verify-x509-name "<omitted>" name
pkcs12 udp-1194.p12
tls-auth udp-1194-tls.key 1
ns-cert-type server
What on earth is going on here?
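The symptom in the question (a reply visible in tcpdump on the client, yet ping counts it as lost) is worth a systematic check, because tcpdump captures frames before the kernel validates them: a reply with a bad IP or ICMP checksum, or one rejected by reverse-path filtering or netfilter, shows up on the wire but never reaches the ping socket. The script below is an added example, not part of the original post and not a diagnosis of the poster's setup. It parses tcpdump text, pairs echo requests with replies by (target, id, seq) the way ping does, and separates replies that were on the wire from replies the kernel would actually deliver, using tcpdump's "bad cksum" / "wrong icmp cksum" annotations, which only appear with -vv. The capture text is constructed for the example (the checksum wording varies slightly between tcpdump versions), and the assumption that 172.16.104.1's replies carry a bad checksum is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the two-line format that `tcpdump -nn -vv -i tap0 icmp`
# prints. Not a real capture: the replies from 172.16.104.1 are given a bad
# ICMP checksum purely to illustrate one way a reply can be "seen" by tcpdump
# and still never be delivered to ping; 172.16.104.2's replies are clean.
SAMPLE_CAPTURE = """\
IP (tos 0x0, ttl 64, id 52371, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.105.3 > 172.16.104.1: ICMP echo request, id 17069, seq 1, length 64
IP (tos 0x0, ttl 64, id 1041, offset 0, flags [none], proto ICMP (1), length 84)
    172.16.104.1 > 172.16.105.3: ICMP echo reply, id 17069, seq 1, length 64 (wrong icmp cksum 0 (->9b4a)!)
IP (tos 0x0, ttl 64, id 52372, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.105.3 > 172.16.104.1: ICMP echo request, id 17069, seq 2, length 64
IP (tos 0x0, ttl 64, id 1042, offset 0, flags [none], proto ICMP (1), length 84)
    172.16.104.1 > 172.16.105.3: ICMP echo reply, id 17069, seq 2, length 64 (wrong icmp cksum 0 (->9b49)!)
IP (tos 0x0, ttl 64, id 52373, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.105.3 > 172.16.104.2: ICMP echo request, id 17068, seq 1, length 64
IP (tos 0x0, ttl 64, id 7731, offset 0, flags [none], proto ICMP (1), length 84)
    172.16.104.2 > 172.16.105.3: ICMP echo reply, id 17068, seq 1, length 64
IP (tos 0x0, ttl 64, id 52374, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.105.3 > 172.16.104.2: ICMP echo request, id 17068, seq 2, length 64
IP (tos 0x0, ttl 64, id 7732, offset 0, flags [none], proto ICMP (1), length 84)
    172.16.104.2 > 172.16.105.3: ICMP echo reply, id 17068, seq 2, length 64
"""

# -vv prints the IP header on its own line; a bad IP header checksum is
# reported there, a bad ICMP checksum on the ICMP line that follows.
IP_HEADER = re.compile(r"^IP \(")
ECHO = re.compile(
    r"(?:^IP )?\s*(\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)"
)
BAD_CKSUM = re.compile(r"bad cksum|wrong icmp cksum")


def parse_capture(text):
    """Turn tcpdump text into a list of echo records.

    Accepts both the one-line non-verbose form shown in the question and the
    two-line -vv form; the checksum flag is only meaningful for the latter.
    """
    records = []
    header_bad = False
    for line in text.splitlines():
        if IP_HEADER.match(line):
            header_bad = bool(BAD_CKSUM.search(line))
            continue
        m = ECHO.match(line)
        if not m:
            continue
        src, dst, kind, ident, seq = m.groups()
        records.append({
            "src": src, "dst": dst, "kind": kind,
            "id": int(ident), "seq": int(seq),
            "bad_cksum": header_bad or bool(BAD_CKSUM.search(line)),
        })
        header_bad = False
    return records


def match_echoes(records):
    """Pair requests with replies by (target, id, seq), as ping itself does."""
    sent = defaultdict(set)
    good = defaultdict(set)
    bad = defaultdict(set)
    for r in records:
        key = (r["id"], r["seq"])
        if r["kind"] == "request":
            sent[r["dst"]].add(key)
        else:
            (bad if r["bad_cksum"] else good)[r["src"]].add(key)
    report = {}
    for target, keys in sent.items():
        report[target] = {
            "sent": len(keys),
            "reply_on_wire": len(keys & (good[target] | bad[target])),
            "reply_bad_cksum": len(keys & bad[target]),
            "reply_ping_should_count": len(keys & good[target]),
        }
    return report


def summarize(text):
    return match_echoes(parse_capture(text))


if __name__ == "__main__":
    for target, stats in summarize(SAMPLE_CAPTURE).items():
        print(target, stats)
```

If a real `tcpdump -nn -vv` capture shows no checksum complaints while ping still reports loss, the next things to compare on the client are the kernel's own drop counters (`nstat -az` for the Icmp and Ip counters, or /proc/net/snmp) before and after the ping, and `sysctl net.ipv4.conf.<tap-interface>.rp_filter`, since a reply arriving on an interface the kernel would not use to reach the sender is silently dropped under strict reverse-path filtering.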