diff --git a/README-zh.md b/README-zh.md index 932afcd..341ae1d 100644 --- a/README-zh.md +++ b/README-zh.md @@ -346,6 +346,7 @@ https://gitlab.com/hwdsl2/setup-ipsec-vpn/-/raw/master/extras/vpnupgrade.sh - [转发端口到 VPN 客户端](docs/advanced-usage-zh.md#转发端口到-vpn-客户端) - [VPN 分流](docs/advanced-usage-zh.md#vpn-分流) - [访问 VPN 服务器的网段](docs/advanced-usage-zh.md#访问-vpn-服务器的网段) +- [VPN 服务器网段访问 VPN 客户端](docs/advanced-usage-zh.md#vpn-服务器网段访问-vpn-客户端) - [更改 IPTables 规则](docs/advanced-usage-zh.md#更改-iptables-规则) - [部署 Google BBR 拥塞控制](docs/advanced-usage-zh.md#部署-google-bbr-拥塞控制) diff --git a/README.md b/README.md index 53f8f05..2b748dd 100644 --- a/README.md +++ b/README.md @@ -346,6 +346,7 @@ See [Advanced usage](docs/advanced-usage.md). - [Port forwarding to VPN clients](docs/advanced-usage.md#port-forwarding-to-vpn-clients) - [Split tunneling](docs/advanced-usage.md#split-tunneling) - [Access VPN server's subnet](docs/advanced-usage.md#access-vpn-servers-subnet) +- [Access VPN clients from server's subnet](docs/advanced-usage.md#access-vpn-clients-from-servers-subnet) - [Modify IPTables rules](docs/advanced-usage.md#modify-iptables-rules) - [Deploy Google BBR congestion control](docs/advanced-usage.md#deploy-google-bbr-congestion-control) diff --git a/docs/advanced-usage-zh.md b/docs/advanced-usage-zh.md index 8884481..0e2c936 100644 --- a/docs/advanced-usage-zh.md +++ b/docs/advanced-usage-zh.md @@ -10,6 +10,7 @@ * [转发端口到 VPN 客户端](#转发端口到-vpn-客户端) * [VPN 分流](#vpn-分流) * [访问 VPN 服务器的网段](#访问-vpn-服务器的网段) +* [VPN 服务器网段访问 VPN 客户端](#vpn-服务器网段访问-vpn-客户端) * [更改 IPTables 规则](#更改-iptables-规则) * [部署 Google BBR 拥塞控制](#部署-google-bbr-拥塞控制) 
@@ -295,6 +296,28 @@ iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$netif" -m policy --dir ou iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$netif" -j MASQUERADE ``` +## VPN 服务器网段访问 VPN 客户端 + +在某些情况下,你可能需要从 VPN 服务器位于同一本地子网内的其他设备访问 VPN 客户端上的服务。这可以通过以下几个步骤实现。 + +假设 VPN 服务器 IP 是 `10.1.0.2`,你想要访问 VPN 客户端的设备的 IP 是 `10.1.0.3`。 + +1. 在 VPN 服务器上添加 IPTables 规则以允许该流量。例如: + ``` + # 获取默认网络接口名称 + netif=$(route 2>/dev/null | grep -m 1 '^default' | grep -o '[^ ]*$') + iptables -I FORWARD 2 -i "$netif" -o ppp+ -s 10.1.0.3 -j ACCEPT + iptables -I FORWARD 2 -i "$netif" -d 192.168.43.0/24 -s 10.1.0.3 -j ACCEPT + ``` +2. 在你想要访问 VPN 客户端的设备上添加路由规则。例如: + ``` + # 将 eth0 替换为设备的本地子网的网络接口名称 + route add -net 192.168.42.0 netmask 255.255.255.0 gw 10.1.0.2 dev eth0 + route add -net 192.168.43.0 netmask 255.255.255.0 gw 10.1.0.2 dev eth0 + ``` + +在 [VPN 内网 IP 和流量](#vpn-内网-ip-和流量) 小节了解 VPN 内网 IP 的更多信息。 + ## 更改 IPTables 规则 如果你想要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS/RHEL)。然后重启服务器。 diff --git a/docs/advanced-usage.md b/docs/advanced-usage.md index f176a0b..6e0abfa 100644 --- a/docs/advanced-usage.md +++ b/docs/advanced-usage.md @@ -10,6 +10,7 @@ * [Port forwarding to VPN clients](#port-forwarding-to-vpn-clients) * [Split tunneling](#split-tunneling) * [Access VPN server's subnet](#access-vpn-servers-subnet) +* [Access VPN clients from server's subnet](#access-vpn-clients-from-servers-subnet) * [Modify IPTables rules](#modify-iptables-rules) * [Deploy Google BBR congestion control](#deploy-google-bbr-congestion-control) 
@@ -296,6 +297,28 @@ iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$netif" -m policy --dir ou iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$netif" -j MASQUERADE ``` +## Access VPN clients from server's subnet + +In certain circumstances, you may need to access services on VPN clients from other devices that are on the same local subnet as the VPN server. This can be done using the following steps. + +Assume that the VPN server IP is `10.1.0.2`, and the IP of the device from which you want to access VPN clients is `10.1.0.3`. + +1. Add IPTables rules on the VPN server to allow this traffic. For example: + ``` + # Get default network interface name + netif=$(route 2>/dev/null | grep -m 1 '^default' | grep -o '[^ ]*$') + iptables -I FORWARD 2 -i "$netif" -o ppp+ -s 10.1.0.3 -j ACCEPT + iptables -I FORWARD 2 -i "$netif" -d 192.168.43.0/24 -s 10.1.0.3 -j ACCEPT + ``` +2. Add routing rules on the device you want to access VPN clients. For example: + ``` + # Replace eth0 with the network interface name of the device's local subnet + route add -net 192.168.42.0 netmask 255.255.255.0 gw 10.1.0.2 dev eth0 + route add -net 192.168.43.0 netmask 255.255.255.0 gw 10.1.0.2 dev eth0 + ``` + +Learn more about internal VPN IPs in [Internal VPN IPs and traffic](#internal-vpn-ips-and-traffic). + ## Modify IPTables rules If you want to modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS/RHEL). Then reboot your server.
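Review bot: In the new "Access VPN clients from server's subnet" section of docs/advanced-usage.md, the two `iptables -I FORWARD 2 ...` lines hard-code position 2 in the FORWARD chain without saying which existing rule they are meant to follow; the position only works if the chain still has the layout the installer created, and a reader who has already followed "Port forwarding to VPN clients" or "Modify IPTables rules" will have a different chain, so the ACCEPT rules may land somewhere else than intended. State the rule they must come after, or tell the reader to check with `iptables -L FORWARD -n --line-numbers` before inserting. The section should also say that neither the `iptables -I` rules nor the `route add` entries survive a reboot: the rules need to go into `/etc/iptables.rules` / `/etc/iptables/rules.v4` or `/etc/sysconfig/iptables` (exactly as the "Modify IPTables rules" section immediately below explains), and the routes need the device's persistent route configuration. Minor wording in step 2: "Add routing rules on the device you want to access VPN clients" should read "on the device from which you want to access VPN clients".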
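Review bot: The "VPN 服务器网段访问 VPN 客户端" section in docs/advanced-usage-zh.md (and its English counterpart) uses the legacy net-tools `route add -net 192.168.42.0 netmask 255.255.255.0 gw 10.1.0.2 dev eth0` form, which is no longer installed by default on current Debian/Ubuntu and RHEL-family releases; give the iproute2 equivalent, `ip route add 192.168.42.0/24 via 10.1.0.2 dev eth0` (and the same for 192.168.43.0/24), or at least mention it. The section also omits the return path: replies from a VPN client to `10.1.0.3` only reach the device if the client routes the server's subnet (here `10.1.0.0/24`) through the tunnel, so a client set up per the "VPN 分流" / "Split tunneling" section needs that subnet added to its routed subnets, and this is worth one sentence in both language versions. Wording in the Chinese intro: "从 VPN 服务器位于同一本地子网内的其他设备" is missing "与" and should read "从与 VPN 服务器位于同一本地子网内的其他设备".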