
Две системы в туннеле OpenVPN: одна с доступом в Интернет, одна за NAT. Как с помощью правил iptables перенаправить порты с интернет-клиента на внутренний клиент?

Server1 (публичный IP — 172.263.23.2): на нём работает сервер OpenVPN с адресом 10.8.0.1. Client1 (публичного IP нет): подключён к серверу OpenVPN с адресом 10.8.0.2.

Я хочу добиться того, чтобы при обращении к http://172.263.23.2:8652 казалось, что сервис работает на этом хосте, а на самом деле запрос уходил на 10.8.0.2:8652 на другой машине. Другими словами, я хочу, чтобы машина без публичного IP-адреса была доступна извне через публичный IP-адрес хоста OpenVPN.

Я пробовал (на хост-машине с адресом 10.8.0.1):

# NOTE(review): the question text tests port 8652, but this rule forwards 8141 —
# the port you request from outside, --dport and --to-destination must all agree,
# and the service on 10.8.0.2 must actually listen on it.
sysctl net.ipv4.ip_forward=1
# DNAT in PREROUTING only rewrites the destination; the rewritten packet is then
# routed through the FORWARD chain. If FORWARD's policy is DROP (not shown on this
# page) this rule alone forwards nothing — an ACCEPT for eth0 -> tun0 and for
# RELATED,ESTABLISHED replies is needed as well. There is no -i or -d match here,
# so the DNAT applies to traffic arriving on any interface, tun0 included.
# Check whether the rule is hit at all via the pkts/bytes counters of
# `iptables -t nat -nvL PREROUTING`, and confirm the client really holds
# 10.8.0.2 before relying on it as the DNAT target.
iptables -t nat -A PREROUTING -p tcp --dport 8141 -j DNAT --to-destination 10.8.0.2:8141

Но ничего не перенаправляется.

ifconfig:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9001
        inet 172.31.15.183  netmask 255.255.240.0  broadcast 172.31.15.255
        inet6 fe80::44d:45ff:fed2:845f  prefixlen 64  scopeid 0x20<link>
        ether 06:4d:45:d2:84:5f  txqueuelen 1000  (Ethernet)
        RX packets 28479  bytes 29352358 (29.3 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11810  bytes 2115574 (2.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 362  bytes 33754 (33.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 362  bytes 33754 (33.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.0  destination 10.8.0.1
        inet6 fe80::7baa:4728:4923:e916  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 4  bytes 288 (288.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9  bytes 564 (564.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Обновление (эти правила iptables тоже пробовал, безрезультатно):

# NOTE(review): these are terminal transcript lines (prompt + command), not a runnable
# script; `sudo` under a root prompt is redundant.
# The FORWARD rules here accept only the first SYN (--syn, --ctstate NEW). Nothing accepts
# RELATED,ESTABLISHED traffic in either direction, so if the FORWARD chain policy is DROP
# (the policy is not shown on this page) the SYN is forwarded but every later packet,
# including the SYN-ACK coming back from tun0, is dropped. Add once, ahead of the
# port-specific rules:
#   iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Verify each rule is actually hit with the pkts/bytes counters of
#   iptables -nvL FORWARD   and   iptables -t nat -nvL PREROUTING
# and confirm the backend on 10.8.0.2 listens on the tested port (`ss -ltn` on the client).
root@ip-172-31-15-183:~/client-configs/files# sudo iptables -A FORWARD -i eth0 -o tun0 -p tcp --syn --dport 11780 -m conntrack --ctstate NEW -j ACCEPT

# -i eth0 limits the DNAT to packets arriving on eth0: a test run from this host itself
# (curl against localhost or its own address) never traverses PREROUTING on eth0, so test
# from an external machine. The ip-172-31-x hostname and 172.31.15.183 on eth0 look like a
# cloud instance whose public address is mapped outside the OS (inference) — if so, the
# provider's firewall / security group must also permit the port inbound.
root@ip-172-31-15-183:~/client-configs/files# sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 11780 -j DNAT --to-destination 10.8.0.2:11780

# SNAT to 10.8.0.1 guarantees that replies from 10.8.0.2 come back through this host,
# which conntrack needs in order to reverse the DNAT. It is only required when the client
# does not already route its default traffic back through the tunnel, and it hides the real
# source IP from the backend's logs and access controls.
root@ip-172-31-15-183:~/client-configs/files# sudo iptables -t nat -A POSTROUTING -o tun0 -p tcp --dport 11780 -d 10.8.0.2 -j SNAT --to-source 10.8.0.1

# Same three-rule set for port 8123; the RELATED,ESTABLISHED note above applies here too.
root@ip-172-31-15-183:~/client-configs/files# sudo iptables -A FORWARD -i eth0 -o tun0 -p tcp --syn --dport 8123 -m conntrack --ctstate NEW -j ACCEPT

root@ip-172-31-15-183:~/client-configs/files# sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8123 -j DNAT --to-destination 10.8.0.2:8123

root@ip-172-31-15-183:~/client-configs/files# sudo iptables -t nat -A POSTROUTING -o tun0 -p tcp --dport 8123 -d 10.8.0.2 -j SNAT --to-source 10.8.0.1

Server.conf:

# NOTE(review): 'local' binds the listener to 192.168.1.149, but the ifconfig output
# above shows this host's only non-loopback address is 172.31.15.183 on eth0. If this
# file is the one running on that host, OpenVPN cannot bind to this address — drop the
# line or set it to the address eth0 really has. (The Raspberry Pi / SOHO-router comments
# below suggest the file was copied from a home-network tutorial.)
local 192.168.1.149
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/iconnect.crt # SWAP XX WITH YOUR SERVER NAME
key /etc/openvpn/easy-rsa/keys/iconnect.key # SWAP XX WITH YOUR SERVER NAME
# NOTE(review): 1024-bit DH parameters are below current recommendations; generate
# parameters of at least 2048 bits (the comment on this line already anticipates it).
dh /etc/openvpn/easy-rsa/keys/dh1024.pem # IF YOU CHANGED YOUR ENCRYPTION TO 2048, CHANGE THAT HERE
# NOTE(review): 'server' is a macro that already configures the server's tun addresses
# and the pool clients are assigned from. With no 'topology' directive, versions that
# default to net30 make 10.8.0.2 the server's own peer endpoint, not the first client's
# address (the first client gets a /30 out of the pool). The explicit 'ifconfig' two
# lines down duplicates part of that macro. Before relying on "Client1 = 10.8.0.2" in the
# DNAT rules, confirm the address the client really holds in the status file configured
# below (/var/log/openvpn-status.log).
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2     # i tried deleting this as previously suggested but still doesn't work 
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255" # …. #
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"   # …. #
# your local subnet
# NOTE(review): 192.168.1.0/24 is not a subnet of the host shown in the ifconfig output.
push "route 192.168.1.0 255.255.255.0" # SWAP THE IP NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS 8.8.8.8   # originally I tried my own router address, but changed to it 8.8.8.8
push "dhcp-option DNS 8.8.8.8" # THIS SHOULD ALREADY MATCH YOUR OWN ROUTER ADDRESS AND SHOULD NOT NEED TO BE CHANGED
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
# NOTE(review): because the client's default route then goes through the tunnel, replies
# from the DNAT target return via this server, which is what lets conntrack reverse the
# DNAT for Internet sources. Keep this (or SNAT on the server side) when forwarding ports.
push "redirect-gateway def1"
client-to-client
# NOTE(review): 'duplicate-cn' lets several clients share one certificate, and each then
# receives a dynamically assigned address — so the client you want to reach is not
# guaranteed to be 10.8.0.2 on every connection. To pin it, give that client its own
# certificate and use client-config-dir with an ifconfig-push entry for its CN.
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
# NOTE(review): AES-128-CBC is not an authenticated (AEAD) cipher; prefer AES-256-GCM or
# AES-128-GCM when both ends support it.
cipher AES-128-CBC
# NOTE(review): compressing an encrypted tunnel is deprecated in OpenVPN because it
# enables compression-oracle attacks on plaintext carried through the tunnel; remove it
# unless the client side requires it.
comp-lzo
# Drop privileges after startup; persist-key/persist-tun keep the key material and the
# tun device usable across restarts once root privileges are gone.
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
# NOTE(review): verb 6 is a debugging level; lower it (e.g. 3) once the problem is found
# so the log does not fill with per-packet detail.
verb 6