I am running OpenBSD 5.8, npppd and mpath, and have tried the same on 5.7 and 5.3. npppd works fine; clients can connect with the Windows pptp client. When the client sets the pptp connection as its default gateway it can reach the Internet through the vpn gateway, but it cannot reach the LAN: the traffic arrives on the pppx0 interface but is never forwarded to the LAN ip addresses. I have been searching and trying for more than 2 weeks and cannot figure this out. Set everything to pass in pf.conf with only nat enabled - still no result.

Setup: OpenBSD 5.8 and npppd using pppx0 or tun0, and pf; 2 WAN interfaces with equal-cost routes (net.inet.ip.multipath=1), 1 LAN interface

sysctl.conf

net.inet.ip.forwarding=1
net.inet.ip.multipath=1
net.inet.gre.allow=1
net.pipex.enable=1

npptp.conf:

set max-session 20
set user-max-session 5
authentication LOCAL type local {
    users-file "/etc/npppd/npppd-users"
}
tunnel VPN protocol pptp {
    listen on 0.0.0.0
}
ipcp IPCP {
    pool-address 10.219.219.2-10.219.219.100
    dns-servers 192.168.0.189 192.168.0.19
    nbns-servers 192.168.0.189 192.168.0.19
}
interface pppx0 address 10.219.219.1 ipcp IPCP 
bind tunnel from VPN authenticated by LOCAL to pppx0

pf.conf

### NAT
    match out log on $ext1_if from $int_net nat-to ($ext1_if)
    match out log on $ext2_if from $int_net nat-to ($ext2_if)

  ## vpn
    pass quick log on pppx
    match out log on $ext1_if from $vpn_net nat-to ($ext1_if)
    match out log on $ext2_if from $vpn_net nat-to ($ext2_if)
    match out log on $int_if from $vpn_net nat-to ($int_if)

### FILTER RULES
    block log quick inet6
    block in log on $ext1_if
    block in log on $ext2_if

  ## allow ping, traceroute and echo
    pass in log inet proto icmp all icmp-type $icmp_types

  ## pass connections to vpn server
    pass log proto { gre } from any to any keep state
    pass in log on $ext1_if proto tcp from any to $ext1_if port 1723
    pass in log on $ext2_if proto tcp from any to $ext2_if port 1723
    pass in  on enc0 from $vpn_net to $int_net keep state (if-bound)
    pass out on enc0 from $int_net to $vpn_net keep state (if-bound)
    pass in  on pppx from $vpn_net to $int_net keep state (if-bound)
    pass out on pppx from $int_net to $vpn_net keep state (if-bound)

netstat -rn routing table

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            a.a.a.113          UGSP       0  1073494     -     8 em0
default            b.b.b.97           UGSP       4    10294     -     8 em1
10.219.219.1       10.219.219.1       UHl        0        0     -     1 lo0
10.219.219.14      10.219.219.1       UH         0      679     -     8 pppx0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHl        1        4 32768     1 lo0
b.b.b.96/28        b.b.b.110          UC         1        0     -     8 em1
b.b.b.97           bc:16:65:34:33:81  UHLc       1        0     -     8 em1
b.b.b.110          00:15:17:48:7b:23  HLl        0        0     -     1 lo0
b.b.b.111          b.b.b.110      UHb        0        0     -     1 em1
192.168.0/22       192.168.0.238      UC         9        0     -     8 em3
192.168.0.4        00:25:90:7c:40:cf  UHLc       0        4     -     8 em3
192.168.0.5        00:30:48:7d:7c:64  UHLc       0        1     -     8 em3
192.168.0.6        00:25:90:3c:30:67  UHLc       0        2     -     8 em3
192.168.0.10       f4:6d:04:29:ea:f7  UHLc       0        4     -     8 em3
192.168.0.19       00:25:90:72:89:1a  UHLc       0     8388     -     8 em3
192.168.0.189      00:30:48:d8:f0:0b  UHLc       0     9661     -     8 em3
192.168.0.238      00:25:90:d0:17:10  HLl        0        0     -     1 lo0
192.168.0.253      00:25:90:af:5d:0a  UHLc       0      154     -     8 em3
192.168.2.167      50:e5:49:e6:c3:3c  UHLc       0     2048     -     8 em3
192.168.3.202      00:25:90:af:5d:0a  UHLc       1     9329     - L   8 em3
192.168.3.255      192.168.0.238      UHb        0        0     -     1 em3
a.a.a.112/28       a.a.a.126          UC         2        0     -     8 em0
a.a.a.113          00:00:5e:00:01:0c  UHLc       1        0     -     8 em0
a.a.a.116          00:25:90:af:5d:0b  UHLc       2    34417     - L   8 em0
a.a.a.126          00:15:17:48:7b:22  HLl        0        0     -     1 lo0
a.a.a.127          a.a.a.126          UHb        0        0     -     1 em0
224/4              127.0.0.1          URS        0        0 32768     8 lo0

1 Answer


I am used to pf on FreeBSD, and it looks as if pf or the kernel on OpenBSD sets "block all" on any interface whose role is not defined in pf.conf with a skip or pass rule. That is a good thing, because it closes accidental security holes.

This machine is the Internet gateway, serves as the VPN server, and is load-balancing 2 leased lines. The other problem I found is the rule that is mentioned in every NPPPD tutorial on the net.

pass log proto { gre } from any to any keep state

I changed it to the following, to make sure that any nat'ed outgoing connections are not interfered with.

pass log inet proto gre from any to $ext1_if modulate state

This rule is not required; it only prevents clients on the local network from reaching a vpn server on the Internet through the OpenBSD firewall. GRE is negotiated between the vpn server software on the client and on the server and passes anyway. Only port 1723 needs to be opened for incoming connections, and only on the external interface(s) ($ext_if).

Below is the relevant pf.conf for openbsd/NPPTP

### NAT
  ## int net
    match out log on $ext1_if from $int_net nat-to ($ext1_if) static-port
    match out log on $ext2_if from $int_net nat-to ($ext2_if) static-port

  ## vpn
    match out log on $ext1_if from $vpn_net nat-to ($ext1_if) static-port
    match out log on $ext2_if from $vpn_net nat-to ($ext2_if) static-port
    match out log on $int_if from $vpn_net nat-to ($int_if) static-port

### FILTER RULES
    block drop quick inet6
    block log all
    pass out log

  ## allow ping, traceroute and echo
    pass in log inet proto icmp all icmp-type $icmp_types

  ## internal network
    pass in log on $int_if

  ## pass connections to vpn server
    pass in log on pppx
    pass log inet proto gre from any to $ext1_if modulate state
    pass log inet proto gre from any to $ext2_if modulate state
    pass out log inet proto gre from any to any modulate state
    pass in log on $ext1_if proto tcp from any to $ext1_if port 1723
    pass in log on $ext2_if proto tcp from any to $ext2_if port 1723
answered 2015-12-20T22:02:41.660
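As an added example (not code from the original question or answer), the following Python check parses pf pass rules and flags the GRE pattern the answer replaces: a `pass` rule with no direction and destination `any`, which creates state for every GRE packet including LAN clients' own tunnels. The embedded ruleset is constructed from the rules quoted above; macro names such as `$ext1_if` and `$vpn_net` are taken from the page.

```python
"""Audit pf.conf pass rules for an overly broad GRE rule (constructed example)."""
import re
from typing import List, Optional

# Constructed sample: the broad tutorial rule next to the answer's replacement rules.
SAMPLE_RULES = """
### NAT
    match out log on $ext1_if from $vpn_net nat-to ($ext1_if)
  ## pass connections to vpn server
    pass log proto { gre } from any to any keep state
    pass in log on $ext1_if proto tcp from any to $ext1_if port 1723
    pass log inet proto gre from any to $ext1_if modulate state
    pass out log inet proto gre from any to any modulate state
"""


def parse_rule(line: str) -> Optional[dict]:
    """Extract direction, interface, protocols, endpoints and state option from one pass rule.

    Returns None for blank lines, comments and non-pass rules (match, block, ...).
    """
    text = line.split('#', 1)[0].strip()
    if not text.startswith('pass'):
        return None
    # Collapse a brace list such as "{ gre, tcp }" into one comma-joined token.
    text = re.sub(r'\{([^}]*)\}',
                  lambda m: ','.join(t.strip(',') for t in m.group(1).split() if t.strip(',')),
                  text)
    tokens = text.split()
    rule = {'direction': None, 'iface': None, 'proto': [], 'src': None, 'dst': None, 'state': None}
    if len(tokens) > 1 and tokens[1] in ('in', 'out'):
        rule['direction'] = tokens[1]
    for i, tok in enumerate(tokens[:-1]):
        nxt = tokens[i + 1]
        if tok == 'on':
            rule['iface'] = nxt
        elif tok == 'proto':
            rule['proto'] = nxt.split(',')
        elif tok == 'from':
            rule['src'] = nxt
        elif tok == 'to':
            rule['dst'] = nxt
        elif nxt == 'state' and tok in ('keep', 'modulate', 'synproxy'):
            rule['state'] = tok
    return rule


def audit_gre_rules(conf: str) -> List[str]:
    """Return one finding per GRE pass rule that has no direction and destination 'any'."""
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None or 'gre' not in rule['proto']:
            continue
        if rule['direction'] is None and rule['dst'] == 'any':
            findings.append(f"line {lineno}: GRE pass rule has no direction and destination 'any'; "
                            "pin it to the external interface address (e.g. 'to $ext1_if')")
    return findings
```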