I have set up OpenWrt on a Raspberry Pi 3B+ using an OpenWrt snapshot build. I removed all the iptables chains and flushed the iptables rules; the only rule left is a single MASQUERADE rule in POSTROUTING. I am able to get Internet on the LAN devices (the LAN runs on the wifi network, the WAN on Ethernet). Then I installed strongSwan (on OpenWrt and on CentOS 7) and was able to establish an IPsec tunnel (site-to-site VPN). When I am connected on the Raspberry Pi 3B+ itself over HDMI, all my traffic goes through the tunnel to the VPN server, which means the Internet works (I get responses from curl and ping). Now, once I connect a device on the wifi network, there is no Internet.
Here is my OpenWrt router configuration: ipsec.conf
conn conn-p
#strictcrlpolicy=no
authby=secret
keyexchange=ikev1
left=%defaultroute
leftsubnet=0.0.0.0/0
leftfirewall=yes
right=95.216.212.162
rightsubnet=0.0.0.0/0
rightid=
#ike=aes256-sha2_256-modp1024!
#esp=aes256-sha2_256!
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
auto=add
rightdns=10.10.1.1
#mark=42
strongswan.conf
charon {
install_routes=yes
install_virtual_ip=yes
ifconfig before the tunnel
eth0 Link encap:Ethernet HWaddr B8:27:EB:B0:52:8E
inet addr:192.168.0.26 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::ba27:ebff:feb0:528e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:293 errors:0 dropped:0 overruns:0 frame:0
TX packets:31 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:37560 (36.6 KiB) TX bytes:2612 (2.5 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:20 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4124 (4.0 KiB) TX bytes:4124 (4.0 KiB)
wlan0 Link encap:Ethernet HWaddr B8:27:EB:E5:07:DB
inet addr:10.10.4.1 Bcast:10.10.4.255 Mask:255.255.255.0
inet6 addr: fe80::ba27:ebff:fee5:7db/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:1614 (1.5 KiB)
Creating the VTI tunnel
ip tunnel add ipsec0 local 10.10.0.14 remote 95.216.212.162 mode vti key 42
sysctl -w net.ipv4.conf.ipsec0.disable_policy=1
ip link set ipsec0 up
ip route add 10.0.0.0/8 dev ipsec0
ifconfig ipsec0 10.10.0.14 netmask 255.255.255.0 broadcast 10.10.0.255
Connecting the IPsec tunnel; ipsec statusall on OpenWrt
Status of IKE charon daemon (strongSwan 5.8.0, Linux 4.14.123, aarch64):
uptime: 7 minutes, since Jun 18 09:32:17 2019
worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon addrblock af-alg agent attr blowfish ccm cmac connmark constraints ctr curl curve25519 des dhcp dnskey duplicheck eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls farp fips-prf forecast gcm gcrypt gmp ldap led md4 md5 mysql openssl pem pgp pkcs1 pkcs11 pkcs12 pkcs7 pkcs8 pubkey random rc2 resolve revocation smp sqlite sshkey test-vectors unity vici whitelist x509 xauth-eap xauth-generic xcbc nonce aes sha1 sha2 hmac stroke kernel-netlink socket-default updown
Listening IP addresses:
192.168.0.26
10.10.4.1
10.10.0.14
Connections:
net-net1: %any...95.216.212.162 IKEv1, dpddelay=300s
net-net1: local: uses pre-shared key authentication
net-net1: remote: [global.safelabs.net] uses pre-shared key authentication
net-net1: child: 192.168.1.0/24 === 10.10.1.0/24 TUNNEL, dpdaction=clear
conn-ikev2: %any...95.216.212.162 IKEv2, dpddelay=300s
conn-ikev2: local: uses EAP authentication with EAP identity 'sqltest'
conn-ikev2: remote: [95.216.212.162] uses public key authentication
conn-ikev2: child: 192.168.0.0/16 === 10.10.1.0/24 TUNNEL, dpdaction=clear
conn-p: %any...95.216.212.162 IKEv1, dpddelay=30s
conn-p: local: [192.168.0.26] uses pre-shared key authentication
conn-p: remote: [global.safelabs.net] uses pre-shared key authentication
conn-p: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
IK1: %any...------ IKEv2, dpddelay=300s
IK1: local: uses public key authentication
IK1: remote: [-----] uses public key authentication
IK1: child: dynamic === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
conn-p[1]: ESTABLISHED 7 minutes ago, 192.168.0.26[192.168.0.26]...95.216.212.162[-----]
conn-p[1]: IKEv1 SPIs: 817b867c2c5d77ee_i* 5efa2029856f7577_r, rekeying disabled
conn-p[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
conn-p{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c298a5fc_i c7b7e976_o
conn-p{1}: AES_CBC_128/HMAC_SHA2_256_128/MODP_2048, 59308 bytes_i (1111 pkts, 29s ago), 23822 bytes_o (436 pkts, 29s ago), rekeying disabled
conn-p{1}: 10.0.0.0/8 === 0.0.0.0/0
iptables after the tunnel
# Generated by iptables-save v1.8.2 on Tue Jun 18 11:15:25 2019
*nat
:PREROUTING ACCEPT [3961:589682]
:INPUT ACCEPT [2445:202214]
:OUTPUT ACCEPT [443:34025]
:POSTROUTING ACCEPT [637:44128]
-A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
COMMIT
# Completed on Tue Jun 18 11:15:25 2019
# Generated by iptables-save v1.8.2 on Tue Jun 18 11:15:25 2019
*mangle
:PREROUTING ACCEPT [9598:2016471]
:INPUT ACCEPT [8548:1717666]
:FORWARD ACCEPT [44:2288]
:OUTPUT ACCEPT [1535:182929]
:POSTROUTING ACCEPT [1583:185473]
COMMIT
# Completed on Tue Jun 18 11:15:25 2019
# Generated by iptables-save v1.8.2 on Tue Jun 18 11:15:25 2019
*filter
:INPUT ACCEPT [11:2254]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:108]
-A FORWARD -d 10.0.0.0/8 -i eth0 -m policy --dir in --pol ipsec --reqid 2 --proto esp -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -o eth0 -m policy --dir out --pol ipsec --reqid 2 --proto esp -j ACCEPT
COMMIT
# Completed on Tue Jun 18 11:15:25 2019
According to the documentation and tutorials I found on the Internet, we can use either a route-based VPN or a policy-based VPN, but my configuration is a combination of both. In strongswan.conf I have install_routes = yes, and leftfirewall = yes. On the other hand, I created a VTI tunnel (if I don't create it, there is no traffic on the IPsec tunnel) and enabled mark = 42 (if I don't enable it, there is no Internet on OpenWrt after the tunnel is connected). If I don't create the tunnel with the ip command, there is no traffic on the IPsec tunnel.
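Before reasoning about mark, VTI and install_routes, it is worth checking that the three pieces of state quoted above agree with each other. The script below is an added example, not code from the question or from strongSwan; it parses the `ipsec statusall` and `iptables-save` output in the shape shown above and checks three things: that the installed CHILD_SA's local traffic selector covers the LAN subnet, that the `--reqid` used by the `-m policy` firewall rules is the reqid of an installed CHILD_SA, and that the MASQUERADE source network covers the LAN subnet. The sample lines are constructed from the output quoted in the question (with wrapped lines rejoined), and the LAN subnet 10.10.4.0/24 is assumed from the wlan0 address in the ifconfig output.

```python
import ipaddress
import re

# Constructed sample input: the relevant lines from the `ipsec statusall` and
# `iptables-save` output quoted in the question, with wrapped lines rejoined.
SAMPLE_STATUSALL = """\
Security Associations (1 up, 0 connecting):
   conn-p[1]: ESTABLISHED 7 minutes ago, 192.168.0.26[192.168.0.26]...95.216.212.162[-----]
   conn-p{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c298a5fc_i c7b7e976_o
   conn-p{1}:   10.0.0.0/8 === 0.0.0.0/0
"""

SAMPLE_IPTABLES = """\
-A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
-A FORWARD -d 10.0.0.0/8 -i eth0 -m policy --dir in --pol ipsec --reqid 2 --proto esp -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -o eth0 -m policy --dir out --pol ipsec --reqid 2 --proto esp -j ACCEPT
"""

# "conn-p{1}:  INSTALLED, TUNNEL, reqid 1, ..."
CHILD_RE = re.compile(r"^\s*(?P<name>\S+)\{(?P<id>\d+)\}:\s+INSTALLED,\s+\w+,\s+reqid\s+(?P<reqid>\d+)")
# "conn-p{1}:   10.0.0.0/8 === 0.0.0.0/0"
TS_RE = re.compile(r"^\s*(?P<name>\S+)\{(?P<id>\d+)\}:\s+(?P<local>[\d./, ]+?)\s+===\s+(?P<remote>[\d./, ]+?)\s*$")
POLICY_REQID_RE = re.compile(r"-m policy\b.*--reqid\s+(\d+)")
MASQ_RE = re.compile(r"^-A POSTROUTING\s+-s\s+(\S+)\s+-j\s+MASQUERADE")


def _nets(field):
    return [ipaddress.ip_network(n.strip()) for n in field.split(",") if n.strip()]


def parse_child_sas(statusall):
    """Return {'conn{id}': {'reqid': int, 'local': [net], 'remote': [net]}} for installed CHILD_SAs."""
    sas = {}
    for line in statusall.splitlines():
        m = CHILD_RE.match(line)
        if m:
            sas[m["name"] + "{" + m["id"] + "}"] = {"reqid": int(m["reqid"]), "local": [], "remote": []}
            continue
        m = TS_RE.match(line)
        if m:
            key = m["name"] + "{" + m["id"] + "}"
            if key in sas:  # the traffic-selector line follows the INSTALLED line of the same CHILD_SA
                sas[key]["local"] = _nets(m["local"])
                sas[key]["remote"] = _nets(m["remote"])
    return sas


def parse_iptables(save_text):
    """Return (set of reqids referenced by -m policy rules, list of MASQUERADE source networks)."""
    reqids, masq_sources = set(), []
    for line in save_text.splitlines():
        m = POLICY_REQID_RE.search(line)
        if m:
            reqids.add(int(m.group(1)))
        m = MASQ_RE.match(line)
        if m:
            masq_sources.append(ipaddress.ip_network(m.group(1)))
    return reqids, masq_sources


def check(lan_cidr, statusall, save_text):
    """Return a list of human-readable mismatches; an empty list means all three checks passed."""
    lan = ipaddress.ip_network(lan_cidr)
    sas = parse_child_sas(statusall)
    fw_reqids, masq = parse_iptables(save_text)
    findings = []
    if not sas:
        findings.append("no INSTALLED CHILD_SA found in statusall output")
    # 1. LAN clients only enter the tunnel if the local traffic selector covers them.
    for name, sa in sas.items():
        if not any(lan.subnet_of(n) for n in sa["local"]):
            findings.append(f"{name}: LAN {lan} is outside the local traffic selector {[str(n) for n in sa['local']]}")
    # 2. `-m policy --reqid N` only matches packets handled by the CHILD_SA with that reqid.
    installed = sorted(sa["reqid"] for sa in sas.values())
    for r in sorted(fw_reqids.difference(installed)):
        findings.append(f"firewall -m policy rules match reqid {r}, but the installed CHILD_SA reqids are {installed}")
    # 3. MASQUERADE only rewrites sources that match its -s network.
    if masq and not any(lan.subnet_of(n) for n in masq):
        findings.append(f"MASQUERADE source {[str(n) for n in masq]} does not cover LAN {lan}")
    return findings


if __name__ == "__main__":
    for finding in check("10.10.4.0/24", SAMPLE_STATUSALL, SAMPLE_IPTABLES):
        print("MISMATCH:", finding)
```

Run it against live output with `ipsec statusall` and `iptables-save -t nat; iptables-save -t filter` piped into the two strings; each reported mismatch points at a rule or selector that cannot apply to traffic from the wifi LAN as configured, which narrows the search before touching the VTI or mark settings.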