My home network sits behind a CG-NAT setup, so I have an OpenVPN server running on a VPS and I set my router to port-forward through that server. The router runs dd-wrt build 53396, connects to the VPS OpenVPN server with the OpenVPN client, and runs the following firewall script to open my ports:
```sh
#!/bin/sh
# dd-wrt firewall script; tun1 is the OpenVPN client interface to the VPS
# Web server rules: accept forwarded traffic from the tunnel to the two LAN hosts
iptables -A FORWARD -i tun1 -d 192.168.1.195/32 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i tun1 -d 192.168.1.195/32 -p udp -m udp --dport 80 -j ACCEPT
iptables -A FORWARD -i tun1 -d 192.168.1.193/32 -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -A FORWARD -i tun1 -d 192.168.1.193/32 -p udp -m udp --dport 8080 -j ACCEPT
# Rewrite the destination of traffic arriving on tun1 for ports 80 and 8080 to the LAN hosts
iptables -t nat -A PREROUTING -i tun1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.195:80
iptables -t nat -A PREROUTING -i tun1 -p udp --dport 80 -j DNAT --to-destination 192.168.1.195:80
iptables -t nat -A PREROUTING -i tun1 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.193:8080
iptables -t nat -A PREROUTING -i tun1 -p udp --dport 8080 -j DNAT --to-destination 192.168.1.193:8080
```
Then on the VPS, run from crontab at reboot:
```sh
#!/bin/sh
# VPS script, run at reboot from crontab
# Web server rules: accept forwarded traffic to the router's VPN address
sudo iptables -A FORWARD -d 10.8.0.2/32 -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -A FORWARD -d 10.8.0.2/32 -p udp -m udp --dport 80 -j ACCEPT
sudo iptables -A FORWARD -d 10.8.0.2/32 -p tcp -m tcp --dport 8080 -j ACCEPT
sudo iptables -A FORWARD -d 10.8.0.2/32 -p udp -m udp --dport 8080 -j ACCEPT
# Rewrite the destination of traffic for ports 80 and 8080 to the router's VPN address
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.8.0.2:80
sudo iptables -t nat -A PREROUTING -p udp --dport 80 -j DNAT --to-destination 10.8.0.2:80
sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 10.8.0.2:8080
sudo iptables -t nat -A PREROUTING -p udp --dport 8080 -j DNAT --to-destination 10.8.0.2:8080
```
where `10.8.0.2` is the IP address OpenVPN assigns to my router.
Port forwarding works fine, since I'm able to reach the website I host on my network, but I noticed a couple of things.
First, dd-wrt runs its web UI on port 80, so I'm not sure how there is no conflict here - I'm still able to reach the intended website running on `192.168.1.195`, and it doesn't direct me to the router, even though the router's OpenVPN IP is `10.8.0.2`. I obviously don't want it routed to the router, but I'm just pointing out that I'm not sure how this works. Is it because of the iptables rules I have on the router?
Second, and most importantly, I can no longer run `sudo apt update`, because it times out:
```text
nginx@nginx-proxy:~$ sudo apt update
Hit:1 https://packages.openvpn.net/openvpn3/debian jammy InRelease
Ign:2 http://us.archive.ubuntu.com/ubuntu jammy InRelease
Ign:3 http://us.archive.ubuntu.com/ubuntu jammy-updates InRelease
Ign:4 http://us.archive.ubuntu.com/ubuntu jammy-backports InRelease
Ign:5 http://us.archive.ubuntu.com/ubuntu jammy-security InRelease
Ign:2 http://us.archive.ubuntu.com/ubuntu jammy InRelease
Ign:3 http://us.archive.ubuntu.com/ubuntu jammy-updates InRelease
Ign:4 http://us.archive.ubuntu.com/ubuntu jammy-backports InRelease
Ign:5 http://us.archive.ubuntu.com/ubuntu jammy-security InRelease
Ign:2 http://us.archive.ubuntu.com/ubuntu jammy InRelease
Ign:3 http://us.archive.ubuntu.com/ubuntu jammy-updates InRelease
Ign:4 http://us.archive.ubuntu.com/ubuntu jammy-backports InRelease
Ign:5 http://us.archive.ubuntu.com/ubuntu jammy-security InRelease
Err:2 http://us.archive.ubuntu.com/ubuntu jammy InRelease
  Could not connect to kazooie.canonical.com:80 (91.189.91.39), connection timed out
  Could not connect to banjo.canonical.com:80 (91.189.91.38), connection timed out
  Cannot initiate the connection to us.archive.ubuntu.com:80 (2620:2d:4002:1::102). - connect (101: Network is unreachable)
  Cannot initiate the connection to us.archive.ubuntu.com:80 (2620:2d:4002:1::101). - connect (101: Network is unreachable)
  Cannot initiate the connection to us.archive.ubuntu.com:80 (2620:2d:4002:1::103). - connect (101: Network is unreachable)
  Could not connect to us.archive.ubuntu.com:80 (91.189.91.81), connection timed out
  Could not connect to us.archive.ubuntu.com:80 (91.189.91.83), connection timed out
  Could not connect to us.archive.ubuntu.com:80 (91.189.91.82), connection timed out
```
But I'm able to ping the address:
```text
nginx@nginx-proxy:~$ ping us.archive.ubuntu.com
PING us.archive.ubuntu.com (91.189.91.82) 56(84) bytes of data.
64 bytes from ubuntu-mirror-2.ps6.canonical.com (91.189.91.82): icmp_seq=1 ttl=43 time=137 ms
64 bytes from ubuntu-mirror-2.ps6.canonical.com (91.189.91.82): icmp_seq=2 ttl=43 time=202 ms
64 bytes from ubuntu-mirror-2.ps6.canonical.com (91.189.91.82): icmp_seq=3 ttl=43 time=145 ms
^C
--- us.archive.ubuntu.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
```
But wget times out:
```text
nginx@nginx-proxy:~$ wget us.archive.ubuntu.com
--2023-12-21 05:08:05--  http://us.archive.ubuntu.com/
Resolving us.archive.ubuntu.com (us.archive.ubuntu.com)... 91.189.91.83, 91.189.91.82, 91.189.91.81, ...
Connecting to us.archive.ubuntu.com (us.archive.ubuntu.com)|91.189.91.83|:80... ^C
```
I found that if I remove all the rules related to port 80 from the VPS script and restart it, I can connect:
```text
nginx@nginx-proxy:~$ sudo apt update
Hit:1 http://us.archive.ubuntu.com/ubuntu jammy InRelease
Hit:2 https://packages.openvpn.net/openvpn3/debian jammy InRelease
Get:3 http://us.archive.ubuntu.com/ubuntu jammy-updates InRelease [119 kB]
Hit:4 http://us.archive.ubuntu.com/ubuntu jammy-backports InRelease
Get:5 http://us.archive.ubuntu.com/ubuntu jammy-security InRelease [110 kB]
Fetched 229 kB in 2s (146 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
92 packages can be upgraded. Run 'apt list --upgradable' to see them.
```
It seems that anything that tries to use port 80 doesn't work. Do I need to set other rules on the router or the VPS to prevent this? Am I misunderstanding how I have this configured? Incoming traffic on 80 works, and I tried running the OpenVPN client directly from the nginx-proxy VM, getting a `10.8.0.3` IP address, which is now different from the router's, but it still can't update or fetch anything.

Any suggestions on what to try would be greatly appreciated, thanks!
This can be fixed by adding `-i ens3` to the VPS rules.
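The reason the answer's fix works is that a nat `PREROUTING` rule with no `-i` match applies to every packet entering the VPS, including packets coming up the tunnel from the home network. An HTTP request from a LAN host that leaves through the VPS therefore matches `--dport 80` and is rewritten to `10.8.0.2:80`, i.e. sent back down the tunnel to the router instead of to the mirror, which is exactly the port-80-only breakage the question describes. Pinning the DNAT to the public interface limits it to traffic that actually arrives from the internet. The script below is an added example, not the poster's or the answerer's script: it generates the VPS rules in the corrected form and lints an `iptables-save` dump for nat `PREROUTING` DNAT rules that lack `-i`. The interface name `ens3` and the peer `10.8.0.2` are taken from the thread; the port list and the sample dump are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Generates interface-qualified VPS
# port-forward rules and lints an iptables-save dump for DNAT rules that
# match on any ingress interface. ens3 and 10.8.0.2 come from the thread;
# the ports and SAMPLE_DUMP are constructed for this demo.

# forward_rules WAN_IF PEER PORT...
# For each port and for tcp and udp, print the DNAT rule and the matching
# FORWARD accept. Both carry "-i WAN_IF", so a packet that enters the VPS
# over the tunnel (e.g. a LAN host fetching something on port 80) is left
# alone instead of being rewritten back to PEER.
forward_rules() {
    wan_if=$1
    peer=$2
    shift 2
    for port in "$@"; do
        for proto in tcp udp; do
            echo "iptables -t nat -A PREROUTING -i $wan_if -p $proto --dport $port -j DNAT --to-destination $peer:$port"
            echo "iptables -A FORWARD -i $wan_if -d $peer/32 -p $proto -m $proto --dport $port -j ACCEPT"
        done
    done
}

# lint_dnat: read iptables-save output on stdin and print every rule in the
# nat table's PREROUTING chain that jumps to DNAT without an "-i" match.
# Exit status is 1 if at least one such rule was found, 0 otherwise.
# (Any "-i" counts as qualified; the check does not reason about "! -i".)
lint_dnat() {
    awk '
        /^\*nat$/  { in_nat = 1; next }
        /^COMMIT$/ { in_nat = 0 }
        in_nat && /^-A PREROUTING / && /-j DNAT/ && $0 !~ /(^| )-i / { print; bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed iptables-save excerpt: the first DNAT rule is the unqualified
# one from the question, the second is already pinned to ens3.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.8.0.2:80
-A PREROUTING -i ens3 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.8.0.2:8080
-A POSTROUTING -o ens3 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 10.8.0.2/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# Demo: lint the sample, then print the corrected rules. Nothing is applied;
# on the VPS, run "sudo iptables-save | lint_dnat" to check the live ruleset
# and pipe the generated rules to "sudo sh" to apply them.
printf '%s\n' "$SAMPLE_DUMP" | lint_dnat || echo "^ DNAT rule(s) without -i; use the rules below instead"
forward_rules ens3 10.8.0.2 80 8080
```

The lint deliberately looks only at the nat `PREROUTING` chain: that is where traffic from the tunnel is rewritten, and a rule that matches there on port alone is the configuration the question posted. The generated `FORWARD` rules are likewise qualified with `-i ens3`, so the filter table does not quietly accept the same tunnel-originated traffic either.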