可以通过测试NET-1(RFC 5735)的OpenVPN路线
背景
我有一个奇怪的用例,我的VPN不能在任何私有子网上,但也不能使用TAP接口。该机器将通过不同的子网移动,并需要通过设计访问整个专用地址空间。单个阻止的IP将被视为设计失败。
So, these are all off limits:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 169.254.0.0/16
In searching for a solution, I came across RFC 5735, which defines:
- 192.0.2.0/24 TEST- net-1
- 198.51.100.0/24 test-net-2
- 203.0.113.0/24 test-net-3
AS:
用于文档和示例代码。它通常与域名一起使用 example.com或example.net中的供应商和协议文档。如[RFC5737]中所述,该块内的地址不合法地出现在公共互联网上,可以在没有与IANA或INRIENT INTENT注册表任何协调的情况下使用。
这对我和我的用例来说是一个“大奖”时刻。
config
i配置了OpenVPN服务器,因此:
local 0.0.0.0
port 443
proto tcp
dev tun
topology subnet
server 203.0.113.0 255.255.255.0 # TEST-NET-3 RFC 5735
push "route 203.0.113.0 255.255.255.0"
...[Snip]...
使用客户端:
client
nobind
dev tun
proto tcp
...[Snip]...
和UFW规则:
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 203.0.113.0/24 -o ens160 -j MASQUERADE
COMMIT
但是,运行后,我获得/sbin/ip路由添加203.0.113.0/24通过203.0.113.1 rtnetlink rtnetlink答案:文件存在:文件存在错误日志。当VPN成功完成其剩余的连接时。
没有连接
运行以下命令: 服务器:sudo python3 -m http.Server 80 客户端:curl -x get / 203.0.113.1 < / code> 结果: curl:(28)无法连接到203.0.113.1端口80:连接时间
我尝试过:
/sbin/ip路由替换203.0.113.0/24开发tun 0在客户端和服务器上。/sbin/ip路由更改客户端和服务器上的203.0.113.0/24 dev tun 0。- 将
路由203.0.113.0添加到服务器中255.255.255.0。 - 添加
按下“路由203.0.113.0 255.255.255.0 127.0.0.1”到服务器
,但似乎都没有用。
有人知道我如何强迫客户将此流量推向我的服务器上的VPN,而不是将其推向公共IP?
Background
I have a strange use-case where my VPN cannot be on any of the private subnets, but, also cannot use a TAP interface. The machine will be moving through different subnets, and requires access to the entire private address space by design. A single blocked IP would be considered a failure of design.
So, these are all off limits:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 169.254.0.0/16
In searching for a solution, I came across RFC 5735, which defines:
- 192.0.2.0/24 TEST-NET-1
- 198.51.100.0/24 TEST-NET-2
- 203.0.113.0/24 TEST-NET-3
As:
For use in documentation and example code. It is often used in conjunction with domain names
example.com or example.net in vendor and protocol documentation. As described in [RFC5737], addresses within this block do not legitimately appear on the public Internet and can be used without any coordination with IANA or an Internet registry.
Which, was a "Jackpot" moment for me and my use case.
Config
I configured an OpenVPN server as such:
local 0.0.0.0
port 443
proto tcp
dev tun
topology subnet
server 203.0.113.0 255.255.255.0 # TEST-NET-3 RFC 5735
push "route 203.0.113.0 255.255.255.0"
...[Snip]...
With Client:
client
nobind
dev tun
proto tcp
...[Snip]...
And ufw rules:
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 203.0.113.0/24 -o ens160 -j MASQUERADE
COMMIT
However, upon running I get /sbin/ip route add 203.0.113.0/24 via 203.0.113.1 RTNETLINK answers: File exists in the error logs. While the VPN completes the rest of its connection successfully.
No connection
Running the following commands:
Server: sudo python3 -m http.server 80
Client: curl -X GET / 203.0.113.1
Results in:curl: (28) Failed to connect to 203.0.113.1 port 80: Connection timed out
I have tried:
/sbin/ip route replace 203.0.113.0/24 dev tun 0on client and server./sbin/ip route change 203.0.113.0/24 dev tun 0on client and server.- Adding
route 203.0.113.0 255.255.255.0to the server. - Adding
push "route 203.0.113.0 255.255.255.0 127.0.0.1"to server
And none of it seems to work.
Does anyone have any idea how I can force the client to push this traffic over the VPN to my server, instead of to the public IP?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
这实际上确实有效!
只是不要忘记在防火墙内允许连接。我用以下方式修复了我的配置:
但是,分别定义为基准和共享地址空间的198.18.0.0/15和100.64.0.0/10可能是更合适的选择,因为能够将测试网络地址视为错误。
This does actually work!
Just dont forget to allow connections within your firewall. I fixed my config with:
However, 198.18.0.0/15 and 100.64.0.0/10 defined as Benchmarking and Shared address space respectively, may be more appropriate choices, since being able to forward TEST-NET addresses may be considered a bug.