How to troubleshoot the problem that VPN server cannot forward

About how to check vpn The problem that the server cannot forward

• iptables Rule misses for
• vpn The server kernel does not enable the routing and forwarding function
• The reverse route verification failed

First, check whether the client and server are connected

tcpdump -i eth1（ adapter name ） port 1197
see vpn Log /var/log/openvpn-vpn01.log

WARNING: Failed running command (--auth-user-pass-verify): could not execute external program
TLS Auth Error: Auth Username/Password verification failed for peer

You can check whether the script cannot execute correctly , If already set script-security 2 了 , Then the probability is that the script itself cannot run （ Report errors ）

iptables The rules

First check iptables Whether the rule writes forwarding .（ For example, will FORWARD The default policy of the chain is set to DROP） The previous rule building process is as follows ：

• Empty iptables
  • iptables -F Or for nat surface iptables -t nat -F
  • iptables -X
  • iptables -Z
• For the default filter surface , Write the status module , For received packets , Receive the response package of its association or established connection .（ If not set , Then you can only receive packets , Cannot receive response packets ）
  • iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
• Write forwarding rules
  • iptables -A FORWARD -s source -d destination -i tun+ -j ACCEPT Make the source address （vpn Assign virtual ip pool ） To the destination address （155 test machine ） Can forward . The packet input network interface is tun+ It means match all of them tun network card .-s Followed by the source address ,-d Followed by the destination address ,-i It is the network card that enters .
• Set up nat surface （ Optional , I don't know if it's useful , I haven't figured it out yet ）
  • iptables -t nat -A POSTROUTING -s source -o eth0 -j MASQUERADE-o It's from here
• stay vpn Push routes to clients in the configuration file
  • push "route xx.xxx.xx.xxx 255.255.255.255" This is used here. 32 Push a little bit less

Routing forwarding is not enabled by the kernel

• Temporarily open echo 1 > /proc/sys/net/ipv4/ip_forward（ Write to memory open in memory ）
• Permanent open （ Write to the kernel ）
  • echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
  • sysctl -p load （-p yes –load）
    • sysctl Used to modify kernel parameters when the kernel is running （/proc/sys）.

linux Reverse route verification

When linux Of IP Protocol stack received IP Packet time , Find the route , The package of this machine is forwarded to the upper layer , Non native packets will be forwarded according to the route . To prevent illegal packets from being forwarded ,linux After finding the route, it will call fib_validate_source() To check the legitimacy of the source , Find out the network interface through the source address of the package , Compare whether the original input interface of the package is consistent with the found output interface , If inconsistent, query strict attributes skb->dev Of rp_filter by 1 Just when drop Packet loss .

If there are two network cards in one LAN in , If a package comes from eth0 Enter but the server is from eth1 Discovery gateway , So from eth1 You can't get out , It doesn't work . The reverse route check requires you to go back to where you come from .

Turn off reverse route check ( Replace the network card name in the second and third lines according to your own situation ), rp_filter In Chinese, it means 1, Default on . Change it to 0 Just close the check .

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter

ref

Linux Kernel Reverse route checking mechanism _changqing1234 The column -CSDN Blog _ Route reverse check