OpenVPN Access Server: remote subnet cannot reach resources on the client

I have an OpenVPN Access Server running on AWS. Here is the configuration:

 172.18.16.0/20
 Client (172.18.16.101) ----- OpenVPN server (172.16.0.0/20)
                                       |
                                       |
                                       |
                                       |
                                Private subnet (172.16.16.0/20)

The client can connect to the OpenVPN server. The OpenVPN server can ping and access resources on both the client and the private subnet. The client can also access all resources on the OpenVPN server as well as the private subnet. In addition, the OpenVPN server can also access resources on the client. However, boxes on the private subnet cannot seem to ping or access resources on the client.

OpenVPN server network configuration:

 as0t0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
           inet addr:172.18.0.1  P-t-P:172.18.0.1  Mask:255.255.248.0
           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
           RX packets:18 errors:0 dropped:0 overruns:0 frame:0
           TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:200 
           RX bytes:1223 (1.2 KB)  TX bytes:968 (968.0 B)

 as0t1     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
           inet addr:172.18.8.1  P-t-P:172.18.8.1  Mask:255.255.248.0
           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:200 
           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

 eth0      Link encap:Ethernet  HWaddr 06:e2:83:cf:4f:27  
           inet addr:172.16.12.204  Bcast:172.16.15.255  Mask:255.255.240.0
           inet6 addr: fe80::4e2:83ff:fecf:4f27/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
           RX packets:1355 errors:0 dropped:0 overruns:0 frame:0
           TX packets:1193 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000 
           RX bytes:124194 (124.1 KB)  TX bytes:153022 (153.0 KB)

OpenVPN server routing table:

 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
 0.0.0.0         172.16.0.1      0.0.0.0         UG    0      0        0 eth0
 172.16.0.0      0.0.0.0         255.255.240.0   U     0      0        0 eth0
 172.18.0.0      0.0.0.0         255.255.248.0   U     0      0        0 as0t0
 172.18.8.0      0.0.0.0         255.255.248.0   U     0      0        0 as0t1
 172.18.16.101   0.0.0.0         255.255.255.255 UH    0      0        0 as0t0

Routing table of a box on the private subnet:

 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
 0.0.0.0         172.16.16.1     0.0.0.0         UG    0      0        0 eth0
 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
 172.16.16.0     0.0.0.0         255.255.240.0   U     0      0        0 eth0

I ran tcpdump on the as0t1 interface of the OpenVPN server while pinging the client from a box on the private subnet. It looks like the request is forwarded to the client, and the client sends a reply back (seen on the OpenVPN box). However, it seems to stop there, and the reply never makes it back out on eth0. I think the routing tables should be correct, since the OpenVPN server can reach everything and the client can also reach the private subnet. I believe the problem is in iptables, but after spending several hours looking at it I'm starting to give up. Here are the tables:

Filter table

 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination         
 AS0_ACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
 AS0_ACCEPT  all  --  anywhere             anywhere            
 AS0_IN_PRE  all  --  anywhere             anywhere             mark match 0x2000000/0x2000000
 AS0_ACCEPT  udp  --  anywhere             anywhere             state NEW udp dpt:openvpn
 AS0_ACCEPT  tcp  --  anywhere             anywhere             state NEW tcp dpt:https
 AS0_WEBACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
 AS0_WEBACCEPT  tcp  --  anywhere             anywhere             state NEW tcp dpt:943

 Chain FORWARD (policy ACCEPT)
 target     prot opt source               destination         
 AS0_ACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
 AS0_IN_PRE  all  --  anywhere             anywhere             mark match 0x2000000/0x2000000
 AS0_OUT_S2C  all  --  anywhere             anywhere            

 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination         
 AS0_OUT_LOCAL  all  --  anywhere             anywhere            

 Chain AS0_ACCEPT (5 references)
 target     prot opt source               destination         
 ACCEPT     all  --  anywhere             anywhere            

 Chain AS0_IN (3 references)
 target     prot opt source               destination         
 ACCEPT     icmp --  anywhere             ip-172-18-0-1.ap-southeast-1.compute.internal  icmp echo-request
 ACCEPT     icmp --  anywhere             ip-172-18-8-1.ap-southeast-1.compute.internal  icmp echo-request
 AS0_U_TMBDLP_IN  all  --  ip-172-18-16-101.ap-southeast-1.compute.internal  anywhere            
 AS0_IN_POST  all  --  anywhere             anywhere            

 Chain AS0_IN_NAT (1 references)
 target     prot opt source               destination         
 MARK       all  --  anywhere             anywhere             MARK or 0x8000000
 ACCEPT     all  --  anywhere             anywhere            

 Chain AS0_IN_POST (2 references)
 target     prot opt source               destination         
 ACCEPT     all  --  anywhere             ip-172-16-0-0.ap-southeast-1.compute.internal/16 
 AS0_OUT    all  --  anywhere             anywhere            
 DROP       all  --  anywhere             anywhere            

 Chain AS0_IN_PRE (2 references)
 target     prot opt source               destination         
 AS0_IN     all  --  anywhere             ip-192-168-0-0.ap-southeast-1.compute.internal/16 
 AS0_IN     all  --  anywhere             ip-172-16-0-0.ap-southeast-1.compute.internal/12 
 AS0_IN     all  --  anywhere             ip-10-0-0-0.ap-southeast-1.compute.internal/8 
 DROP       all  --  anywhere             anywhere            

 Chain AS0_IN_ROUTE (0 references)
 target     prot opt source               destination         
 MARK       all  --  anywhere             anywhere             MARK or 0x4000000
 ACCEPT     all  --  anywhere             anywhere            

 Chain AS0_OUT (2 references)
 target     prot opt source               destination         
 AS0_U_TMBDLP_OUT  all  --  anywhere             ip-172-18-16-101.ap-southeast-1.compute.internal 
 AS0_OUT_POST  all  --  anywhere             anywhere            

 Chain AS0_OUT_LOCAL (1 references)
 target     prot opt source               destination         
 DROP       icmp --  anywhere             anywhere             icmp redirect
 ACCEPT     all  --  anywhere             anywhere            

 Chain AS0_OUT_POST (2 references)
 target     prot opt source               destination         
 DROP       all  --  anywhere             anywhere            

 Chain AS0_OUT_S2C (1 references)
 target     prot opt source               destination         
 AS0_OUT    all  --  anywhere             anywhere            

 Chain AS0_U_TMBDLP_IN (1 references)
 target     prot opt source               destination         
 AS0_IN_NAT  all  --  anywhere             ip-172-16-0-0.ap-southeast-1.compute.internal/16 
 AS0_IN_POST  all  --  anywhere             anywhere            

 Chain AS0_U_TMBDLP_OUT (1 references)
 target     prot opt source               destination         
 ACCEPT     all  --  ip-172-16-0-0.ap-southeast-1.compute.internal/16  anywhere            
 ACCEPT     all  --  ip-172-18-0-0.ap-southeast-1.compute.internal/20  anywhere            
 ACCEPT     all  --  ip-172-18-16-0.ap-southeast-1.compute.internal/20  anywhere            
 AS0_OUT_POST  all  --  anywhere             anywhere            

 Chain AS0_WEBACCEPT (2 references)
 target     prot opt source               destination         
 ACCEPT     all  --  anywhere             anywhere            

NAT table

 Chain PREROUTING (policy ACCEPT)
 target     prot opt source               destination         
 AS0_NAT_PRE_REL_EST  all  --  anywhere             anywhere             state RELATED,ESTABLISHED

 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination         

 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination         

 Chain POSTROUTING (policy ACCEPT)
 target     prot opt source               destination         
 AS0_NAT_POST_REL_EST  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
 AS0_NAT_PRE  all  --  anywhere             anywhere             mark match 0x2000000/0x2000000

 Chain AS0_NAT (3 references)
 target     prot opt source               destination         
 MASQUERADE  all  --  anywhere             anywhere            

 Chain AS0_NAT_POST_REL_EST (1 references)
 target     prot opt source               destination         
 ACCEPT     all  --  anywhere             anywhere            

 Chain AS0_NAT_PRE (1 references)
 target     prot opt source               destination         
 AS0_NAT    all  --  anywhere             anywhere             mark match 0x8000000/0x8000000
 AS0_NAT_TEST  all  --  anywhere             ip-192-168-0-0.ap-southeast-1.compute.internal/16 
 AS0_NAT_TEST  all  --  anywhere             ip-172-16-0-0.ap-southeast-1.compute.internal/12 
 AS0_NAT_TEST  all  --  anywhere             ip-10-0-0-0.ap-southeast-1.compute.internal/8 
 AS0_NAT    all  --  anywhere             anywhere            

 Chain AS0_NAT_PRE_REL_EST (1 references)
 target     prot opt source               destination         
 ACCEPT     all  --  anywhere             anywhere            

 Chain AS0_NAT_TEST (3 references)
 target     prot opt source               destination         
 ACCEPT     all  --  anywhere             anywhere            
 ACCEPT     all  --  anywhere             anywhere             mark match 0x4000000/0x4000000
 ACCEPT     all  --  anywhere             ip-172-18-0-0.ap-southeast-1.compute.internal/20 
 ACCEPT     all  --  anywhere             ip-172-18-16-0.ap-southeast-1.compute.internal/20 
 AS0_NAT    all  --  anywhere             anywhere

I'm almost certain the problem is in the iptables rules, but I can't seem to track it down. Just for some extra fun, I've also thrown in the iptables trace output here (captured on the OpenVPN box).

A box on the private subnet accessing the MySQL server on the client (fails):

 Aug 28 17:42:33 localhost kernel: [21906.075591] TRACE: raw:PREROUTING:policy:2 IN=as0t1 OUT= MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2522 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A0265F60F3250188401030308) 
 Aug 28 17:42:33 localhost kernel: [21906.075603] TRACE: mangle:PREROUTING:rule:1 IN=as0t1 OUT= MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2522 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A0265F60F3250188401030308) 
 Aug 28 17:42:33 localhost kernel: [21906.075608] TRACE: mangle:AS0_MANGLE_PRE_REL_EST:return:1 IN=as0t1 OUT= MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2522 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A0265F60F3250188401030308) 
 Aug 28 17:42:33 localhost kernel: [21906.075616] TRACE: mangle:FORWARD:policy:1 IN=as0t1 OUT=eth0 MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2522 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A0265F60F3250188401030308) 
 Aug 28 17:42:33 localhost kernel: [21906.075620] TRACE: filter:FORWARD:rule:1 IN=as0t1 OUT=eth0 MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2522 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A0265F60F3250188401030308) 
 Aug 28 17:42:33 localhost kernel: [21906.075625] TRACE: filter:AS0_ACCEPT:return:1 IN=as0t1 OUT=eth0 MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2522 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A0265F60F3250188401030308) 
 Aug 28 17:42:33 localhost kernel: [21906.075629] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2522 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A0265F60F3250188401030308) 
 Aug 28 17:42:34 localhost kernel: [21907.115440] TRACE: raw:PREROUTING:policy:2 IN=as0t1 OUT= MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2523 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A0265F9EE3250188401030308) 
 Aug 28 17:42:34 localhost kernel: [21907.115452] TRACE: mangle:PREROUTING:rule:1 IN=as0t1 OUT= MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2523 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A0265F9EE3250188401030308) 
 Aug 28 17:42:34 localhost kernel: [21907.115458] TRACE: mangle:AS0_MANGLE_PRE_REL_EST:return:1 IN=as0t1 OUT= MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2523 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A0265F9EE3250188401030308) 
 Aug 28 17:42:34 localhost kernel: [21907.115466] TRACE: mangle:FORWARD:policy:1 IN=as0t1 OUT=eth0 MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2523 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A0265F9EE3250188401030308) 
 Aug 28 17:42:34 localhost kernel: [21907.115470] TRACE: filter:FORWARD:rule:1 IN=as0t1 OUT=eth0 MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2523 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A0265F9EE3250188401030308) 
 Aug 28 17:42:34 localhost kernel: [21907.115475] TRACE: filter:AS0_ACCEPT:return:1 IN=as0t1 OUT=eth0 MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2523 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A0265F9EE3250188401030308) 
 Aug 28 17:42:34 localhost kernel: [21907.115480] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2523 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A0265F9EE3250188401030308) 
 Aug 28 17:42:34 localhost kernel: [21907.175467] TRACE: raw:PREROUTING:policy:2 IN=as0t1 OUT= MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2524 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A0265F9F83250188401030308) 
 Aug 28 17:42:34 localhost kernel: [21907.175474] TRACE: mangle:PREROUTING:rule:1 IN=as0t1 OUT= MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2524 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A0265F9F83250188401030308) 
 Aug 28 17:42:34 localhost kernel: [21907.175479] TRACE: mangle:AS0_MANGLE_PRE_REL_EST:return:1 IN=as0t1 OUT= MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2524 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A0265F9F83250188401030308) 
 Aug 28 17:42:34 localhost kernel: [21907.175486] TRACE: mangle:FORWARD:policy:1 IN=as0t1 OUT=eth0 MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2524 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A0265F9F83250188401030308) 
 Aug 28 17:42:34 localhost kernel: [21907.175490] TRACE: filter:FORWARD:rule:1 IN=as0t1 OUT=eth0 MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2524 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A0265F9F83250188401030308) 
 Aug 28 17:42:34 localhost kernel: [21907.175494] TRACE: filter:AS0_ACCEPT:return:1 IN=as0t1 OUT=eth0 MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2524 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A0265F9F83250188401030308) 
 Aug 28 17:42:34 localhost kernel: [21907.175498] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2524 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A0265F9F83250188401030308) 
 Aug 28 17:42:36 localhost kernel: [21909.077995] TRACE: raw:PREROUTING:policy:2 IN=as0t1 OUT= MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2525 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026601C23250188401030308) 
 Aug 28 17:42:36 localhost kernel: [21909.078007] TRACE: mangle:PREROUTING:rule:1 IN=as0t1 OUT= MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2525 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026601C23250188401030308) 
 Aug 28 17:42:36 localhost kernel: [21909.078012] TRACE: mangle:AS0_MANGLE_PRE_REL_EST:return:1 IN=as0t1 OUT= MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2525 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026601C23250188401030308) 
 Aug 28 17:42:36 localhost kernel: [21909.078021] TRACE: mangle:FORWARD:policy:1 IN=as0t1 OUT=eth0 MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2525 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026601C23250188401030308) 
 Aug 28 17:42:36 localhost kernel: [21909.078025] TRACE: filter:FORWARD:rule:1 IN=as0t1 OUT=eth0 MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2525 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026601C23250188401030308) 
 Aug 28 17:42:36 localhost kernel: [21909.078030] TRACE: filter:AS0_ACCEPT:return:1 IN=as0t1 OUT=eth0 MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2525 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026601C23250188401030308) 
 Aug 28 17:42:36 localhost kernel: [21909.078034] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2525 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026601C23250188401030308) 
 Aug 28 17:42:36 localhost kernel: [21909.287922] TRACE: raw:PREROUTING:policy:2 IN=as0t1 OUT= MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2526 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026602903250188401030308) 
 Aug 28 17:42:36 localhost kernel: [21909.287932] TRACE: mangle:PREROUTING:rule:1 IN=as0t1 OUT= MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2526 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026602903250188401030308) 
 Aug 28 17:42:36 localhost kernel: [21909.287937] TRACE: mangle:AS0_MANGLE_PRE_REL_EST:return:1 IN=as0t1 OUT= MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2526 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026602903250188401030308) 
 Aug 28 17:42:36 localhost kernel: [21909.287945] TRACE: mangle:FORWARD:policy:1 IN=as0t1 OUT=eth0 MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2526 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026602903250188401030308) 
 Aug 28 17:42:36 localhost kernel: [21909.287949] TRACE: filter:FORWARD:rule:1 IN=as0t1 OUT=eth0 MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2526 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026602903250188401030308) 
 Aug 28 17:42:36 localhost kernel: [21909.287954] TRACE: filter:AS0_ACCEPT:return:1 IN=as0t1 OUT=eth0 MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2526 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026602903250188401030308) 
 Aug 28 17:42:36 localhost kernel: [21909.287958] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2526 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026602903250188401030308) 
 Aug 28 17:42:40 localhost kernel: [21913.165296] TRACE: raw:PREROUTING:policy:2 IN=as0t1 OUT= MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2527 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026611653250188401030308) 
 Aug 28 17:42:40 localhost kernel: [21913.165308] TRACE: mangle:PREROUTING:rule:1 IN=as0t1 OUT= MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2527 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026611653250188401030308) 
 Aug 28 17:42:40 localhost kernel: [21913.165313] TRACE: mangle:AS0_MANGLE_PRE_REL_EST:return:1 IN=as0t1 OUT= MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2527 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026611653250188401030308) 
 Aug 28 17:42:40 localhost kernel: [21913.165321] TRACE: mangle:FORWARD:policy:1 IN=as0t1 OUT=eth0 MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2527 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026611653250188401030308) 
 Aug 28 17:42:40 localhost kernel: [21913.165326] TRACE: filter:FORWARD:rule:1 IN=as0t1 OUT=eth0 MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2527 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026611653250188401030308) 
 Aug 28 17:42:40 localhost kernel: [21913.165330] TRACE: filter:AS0_ACCEPT:return:1 IN=as0t1 OUT=eth0 MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2527 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026611653250188401030308) 
 Aug 28 17:42:40 localhost kernel: [21913.165335] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2527 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026611653250188401030308) 
 Aug 28 17:42:40 localhost kernel: [21913.285405] TRACE: raw:PREROUTING:policy:2 IN=as0t1 OUT= MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2528 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026612303250188401030308) 
 Aug 28 17:42:40 localhost kernel: [21913.285414] TRACE: mangle:PREROUTING:rule:1 IN=as0t1 OUT= MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2528 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026612303250188401030308) 
 Aug 28 17:42:40 localhost kernel: [21913.285419] TRACE: mangle:AS0_MANGLE_PRE_REL_EST:return:1 IN=as0t1 OUT= MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2528 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026612303250188401030308) 
 Aug 28 17:42:40 localhost kernel: [21913.285427] TRACE: mangle:FORWARD:policy:1 IN=as0t1 OUT=eth0 MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2528 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026612303250188401030308) 
 Aug 28 17:42:40 localhost kernel: [21913.285431] TRACE: filter:FORWARD:rule:1 IN=as0t1 OUT=eth0 MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2528 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026612303250188401030308) 
 Aug 28 17:42:40 localhost kernel: [21913.285435] TRACE: filter:AS0_ACCEPT:return:1 IN=as0t1 OUT=eth0 MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2528 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026612303250188401030308) 
 Aug 28 17:42:40 localhost kernel: [21913.285440] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2528 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026612303250188401030308) 
 Aug 28 17:42:48 localhost kernel: [21921.097914] TRACE: raw:PREROUTING:policy:2 IN=as0t1 OUT= MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2529 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026630B93250188401030308) 
 Aug 28 17:42:48 localhost kernel: [21921.097926] TRACE: mangle:PREROUTING:rule:1 IN=as0t1 OUT= MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2529 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026630B93250188401030308) 
 Aug 28 17:42:48 localhost kernel: [21921.097931] TRACE: mangle:AS0_MANGLE_PRE_REL_EST:return:1 IN=as0t1 OUT= MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2529 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026630B93250188401030308) 
 Aug 28 17:42:48 localhost kernel: [21921.097939] TRACE: mangle:FORWARD:policy:1 IN=as0t1 OUT=eth0 MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2529 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026630B93250188401030308) 
 Aug 28 17:42:48 localhost kernel: [21921.097943] TRACE: filter:FORWARD:rule:1 IN=as0t1 OUT=eth0 MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2529 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026630B93250188401030308) 
 Aug 28 17:42:48 localhost kernel: [21921.097948] TRACE: filter:AS0_ACCEPT:return:1 IN=as0t1 OUT=eth0 MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2529 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026630B93250188401030308) 
 Aug 28 17:42:48 localhost kernel: [21921.097964] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2529 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026630B93250188401030308) 
 Aug 28 17:42:49 localhost kernel: [21921.527746] TRACE: raw:PREROUTING:policy:2 IN=as0t1 OUT= MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2530 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026632383250188401030308) 
 Aug 28 17:42:49 localhost kernel: [21921.527756] TRACE: mangle:PREROUTING:rule:1 IN=as0t1 OUT= MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2530 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0 OPT (020404F40402080A026632383250188401030308) 
 ##### The rest has been cut because it exceeded the allowed character count #####

Forwarding configuration:

 $ cat /proc/sys/net/ipv4/ip_forward
 1

TL;DR version:

  1. In the EC2 console, select the EC2 instance running OpenVPN Access Server
  2. Click Actions -> Networking -> Change Source/Dest. Check -> Yes, Disable

For more information: Disabling Source/Destination Checks


As it turns out, all my OpenVPN and routing settings were correct; this is an AWS-specific problem. I stumbled across this question about setting up OpenVPN on AWS:

Connecting EC2 VPCs with OpenVPN, all routed traffic gets lost

What happened to him (quoted below) is exactly what I was seeing.

However, here's the kicker. Running tcpdump on the EC2 OpenVPN server shows all the traffic, as it should:

 [root@ip-10-2-0-10 ~]# tcpdump -i eth0 -n host 10.1.0.3
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
 13:46:58.779826 IP 10.2.0.12 > 10.1.0.3: ICMP echo request, id 21846, seq 1, length 64
 13:46:58.852756 IP 10.1.0.3 > 10.2.0.12: ICMP echo reply, id 21846, seq 1, length 64
 13:46:59.787467 IP 10.2.0.12 > 10.1.0.3: ICMP echo request, id 21846, seq 2, length 64
 13:46:59.847424 IP 10.1.0.3 > 10.2.0.12: ICMP echo reply, id 21846, seq 2, length 64
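The reason the answer works is that the EC2 source/destination check requires the ENI's own address to be the source or destination of every packet the ENI sends; a forwarded reply that still carries the VPN client's address (the SYN-ACK from 172.18.16.101 in the trace above) fails that test and is silently discarded outside the instance, which is why both iptables TRACE and tcpdump show it leaving eth0. The following Python is an added example written for this edit, not code from the question, the answer, or OpenVPN Access Server. It parses kernel TRACE lines of the kind posted in the question and applies a simplified, egress-only model of that check to every packet leaving the ENI. The ENI address 172.16.12.204 is the eth0 address from the question; the trace lines in `SAMPLE_TRACE` are constructed to mirror the question's addresses, and the egress-only model is an assumption that covers just the symptom shown.

```python
"""Model the EC2 source/destination check against netfilter TRACE output.

Added example (not from the question or answer). The check is modelled only
for packets leaving the ENI, which is the failure the trace above shows.
"""
import re
from ipaddress import ip_address

# Constructed sample in the shape of the kernel TRACE lines in the question.
# Timestamps and counters are made up; the addresses mirror the question.
SAMPLE_TRACE = """\
Aug 28 17:42:33 localhost kernel: [21906.000001] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=as0t1 SRC=172.16.22.22 DST=172.18.16.101 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1001 PROTO=TCP SPT=47378 DPT=3306 SEQ=110803955 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 28 17:42:33 localhost kernel: [21906.075591] TRACE: raw:PREROUTING:policy:2 IN=as0t1 OUT= MAC= SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2522 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0
Aug 28 17:42:33 localhost kernel: [21906.075629] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 SRC=172.18.16.101 DST=172.16.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2522 PROTO=TCP SPT=3306 DPT=47378 SEQ=4120644767 ACK=110803956 WINDOW=14480 RES=0x00 ACK SYN URGP=0
Aug 28 17:43:01 localhost kernel: [21934.000001] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 SRC=172.16.12.204 DST=172.16.22.22 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=3001 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""

TRACE_RE = re.compile(
    r"TRACE:\s*(?P<table>\w+):(?P<chain>\w+):(?P<verdict>\w+):(?P<rule>\d+)\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_trace_line(line):
    """Return a dict for one TRACE line, or None for any other log line."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))  # flags like "SYN" carry no '=' and are skipped
    return {
        "table": m.group("table"),
        "chain": m.group("chain"),
        "verdict": m.group("verdict"),
        "rule": int(m.group("rule")),
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
    }


def eni_would_drop(pkt, eni_ip, eni_iface="eth0", check_enabled=True):
    """Simplified egress model of the EC2 source/destination check (assumption).

    With the check enabled (the EC2 default), a packet sent by the ENI is kept
    only if the ENI's own address is its source or its destination. A packet
    forwarded on behalf of the VPN client keeps the client's address as source
    and therefore fails; disabling the check, as the answer does, passes it.
    """
    if not check_enabled or pkt["out"] != eni_iface:
        return False
    eni = ip_address(eni_ip)
    return eni not in (ip_address(pkt["src"]), ip_address(pkt["dst"]))


def audit(trace_text, eni_ip, eni_iface="eth0", check_enabled=True):
    """List (src, dst, proto) of packets the ENI check would drop.

    Only mangle:POSTROUTING lines are inspected, so each packet is counted
    once, at the last traced hook before it reaches the wire.
    """
    dropped = []
    for line in trace_text.splitlines():
        pkt = parse_trace_line(line)
        if pkt is None or (pkt["table"], pkt["chain"]) != ("mangle", "POSTROUTING"):
            continue
        if eni_would_drop(pkt, eni_ip, eni_iface, check_enabled):
            dropped.append((pkt["src"], pkt["dst"], pkt["proto"]))
    return dropped


if __name__ == "__main__":
    eni = "172.16.12.204"  # eth0 address of the OpenVPN server in the question
    for enabled in (True, False):
        state = "enabled" if enabled else "disabled"
        print(f"source/dest check {state}: dropped {audit(SAMPLE_TRACE, eni, check_enabled=enabled)}")
```

Run as a script, it reports the client's SYN-ACK as dropped with the check enabled and nothing dropped with it disabled; the request into the tunnel (OUT=as0t1) and the server's own ICMP (SRC is the ENI address) pass either way, matching the asymmetry described in the question. The CLI equivalent of step 2 of the answer is `aws ec2 modify-instance-attribute --instance-id <instance-id> --no-source-dest-check`, and `aws ec2 describe-instance-attribute --instance-id <instance-id> --attribute sourceDestCheck` shows the current state. Once the check is off, the ENI forwards any source address the instance emits, so the VPC route table entry for the VPN subnet and the instance's security group become the only controls on what it relays.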