I am currently running OpenVPN and Stunnel on Ubuntu Server 24.04.1 LTS, on a server that runs in a virtualized Proxmox environment with Ethernet passthrough. My OpenVPN runs on TCP port 1443, Stunnel runs on TCP port 443, and OpenVPN's DNS points to my Pi-hole. My OpenVPN server sits on the 192.168.1.0/24 subnet with the IP address 192.168.1.124, and OpenVPN's own subnet is 10.8.0.0/24.
I have tried several ways of configuring the firewall, using both UFW and iptables, to route my OpenVPN clients' internet traffic. I want to completely block my LAN (for example 192.168.1.150) so that my clients cannot reach my home network, while still letting important internet ports such as DNS through so the VPN keeps working. Here are my iptables and UFW configurations:
Iptables:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 621 packets, 46979 bytes)
pkts bytes target prot opt in out source destination
44 12691 MASQUERADE 0 -- * ens18 10.8.0.0/24 0.0.0.0/0
UFW:
To Action From
-- ------ ----
[ 1] 1443/tcp ALLOW IN Anywhere
[ 2] 443/tcp ALLOW IN Anywhere
[ 3] 192.168.1.123 DENY IN 10.8.0.0/24
[ 4] 192.168.1.150 DENY OUT 10.8.0.0/24 (out)
[ 5] 10.8.0.0/24 REJECT IN 192.168.1.150
[ 6] 192.168.1.127 DENY OUT 10.8.0.0/24 (out)
[ 7] 192.168.1.123 DENY OUT 10.8.0.0/24 (out)
[ 8] 192.168.1.150 8006 DENY IN 10.8.0.0/24
Here are my OpenVPN server and client configurations:
OpenVPN server:
port 1443
proto tcp
dev tun
tun-mtu 1320
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 192.168.1.127"
push "route 192.168.1.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
management 127.0.0.1 5555
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_qs2L2DYUaw22IfhA.crt
key server_qs2L2DYUaw22IfhA.key
auth SHA256
cipher AES-256-GCM
ncp-ciphers AES-256-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3
OpenVPN client:
client
proto tcp-client
remote 127.0.0.1 1443
dev tun
tun-mtu 1320
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_qs2L2DYUaw22IfhA name
auth SHA256
auth-nocache
cipher AES-256-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
<ca>
When I am connected to the VPN as a client, I can still reach IP addresses such as 192.168.1.150. Is this because the subnets are different?
Any help would be greatly appreciated. Thank you.
iptables-save
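The following is an added example, not code from the poster or from the OpenVPN or UFW projects. It illustrates where the client-to-LAN traffic in the question is actually filtered: UFW rules labelled IN and OUT populate the INPUT and OUTPUT chains, which only see traffic addressed to or originating from the server itself, whereas packets from a VPN client to another LAN host (10.8.0.x to 192.168.1.150) are forwarded through the server and traverse the FORWARD chain, which UFW manages with `ufw route` rules. The script below expresses that policy as raw iptables commands in first-match order (DNS to the Pi-hole is allowed before the LAN is dropped, and blocked attempts are logged for visibility), and includes a small dry-run evaluator of the same ordering so the rule order can be checked before anything is applied. It takes the addresses and the ens18 interface from the question, assumes the tunnel interface is tun0 and that the default route leaves via ens18, and assumes UFW is either disabled or expressing the equivalent with `ufw route deny from 10.8.0.0/24 to 192.168.1.0/24`; the evaluator ignores conntrack state and only models new connections from the tunnel side.

```bash
#!/bin/bash
# Added example (not from the original post): FORWARD-chain policy that isolates
# OpenVPN clients (10.8.0.0/24 on tun0) from the LAN (192.168.1.0/24) while still
# allowing DNS to the Pi-hole at 192.168.1.127 and internet egress via ens18.
# Addresses and ens18 come from the question; "tun0" is an assumption.
set -u

VPN_NET="10.8.0.0/24"
LAN_NET="192.168.1.0/24"
PIHOLE="192.168.1.127"
VPN_IF="tun0"
WAN_IF="ens18"

# Print the rules as iptables commands. Review the output, then apply it with
# root privileges (for example: ./isolate.sh | sudo sh). Order matters: the DNS
# exception must precede the LAN drop because the first matching rule wins.
emit_rules() {
  cat <<EOF
# Replies to connections the VPN client already opened are allowed back in.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DNS to the Pi-hole is the only LAN service VPN clients may use.
iptables -A FORWARD -i $VPN_IF -d $PIHOLE -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $VPN_IF -d $PIHOLE -p tcp --dport 53 -j ACCEPT
# Everything else from the tunnel towards the LAN is logged (rate-limited) and dropped.
iptables -A FORWARD -i $VPN_IF -d $LAN_NET -m limit --limit 5/min -j LOG --log-prefix "VPN-LAN-BLOCK: "
iptables -A FORWARD -i $VPN_IF -d $LAN_NET -j DROP
# Remaining tunnel traffic may leave towards the internet.
iptables -A FORWARD -i $VPN_IF -o $WAN_IF -j ACCEPT
iptables -P FORWARD DROP
# The server's own LAN address (192.168.1.124) is reached through INPUT, not FORWARD;
# OpenVPN's keepalive travels inside the TCP 1443 session on ens18, not over tun0.
iptables -A INPUT -i $VPN_IF -j DROP
# Source NAT for clients going out (the same MASQUERADE rule the question already has).
iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Convert a dotted IPv4 address to an integer (used for prefix matching).
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> exit status 0 when IP lies inside the prefix.
in_cidr() {
  local net=${2%/*} bits=${2#*/} mask
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Dry-run evaluator mirroring the FORWARD rule order above for a new connection
# entering on tun0: forward_decision SRC DST PROTO DPORT -> ACCEPT or DROP.
forward_decision() {
  local src=$1 dst=$2 proto=$3 dport=$4
  if [ "$dst" = "$PIHOLE" ] && [ "$dport" = 53 ] && { [ "$proto" = udp ] || [ "$proto" = tcp ]; }; then
    echo ACCEPT; return
  fi
  if in_cidr "$dst" "$LAN_NET"; then
    echo DROP; return
  fi
  # Non-LAN destinations are assumed to route out via ens18 and are accepted.
  echo ACCEPT
}

main() {
  emit_rules
  echo
  echo "# Dry-run checks (constructed sample flows):"
  for flow in "10.8.0.5 192.168.1.127 udp 53" "10.8.0.5 192.168.1.150 tcp 8006" \
              "10.8.0.5 192.168.1.127 tcp 80" "10.8.0.5 1.1.1.1 tcp 443"; do
    echo "# $flow -> $(forward_decision $flow)"
  done
}
main
```

The evaluator is deliberately only a model of rule order: it confirms that the DNS exception is reachable and that the Pi-hole's other ports (for example its web interface on TCP 80) are still blocked, which is the kind of ordering mistake that silently reopens the LAN. After applying the rules, the kernel log lines prefixed `VPN-LAN-BLOCK:` show which clients are still attempting LAN access.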