From ab69631e542f71b20ed952db4f3b7e608d0da0e2 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 2 May 2021 15:55:32 -0500 Subject: [PATCH] Update docs --- README-zh.md | 15 +++++++++++++-- README.md | 16 ++++++++++++++-- 2 files changed, 27 insertions(+), 4 deletions(-) diff --git a/README-zh.md b/README-zh.md index c024be7..8b3317c 100644 --- a/README-zh.md +++ b/README-zh.md @@ -382,9 +382,20 @@ iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP ### 访问 VPN 服务器的网段 -连接到 VPN 后,VPN 客户端通常可以访问与 VPN 服务器位于同一本地子网内的其他设备上运行的服务,而无需进行其他配置。 +连接到 VPN 后,VPN 客户端通常可以访问与 VPN 服务器位于同一本地子网内的其他设备上运行的服务,而无需进行其他配置。例如,如果 VPN 服务器的本地子网为 `192.168.0.0/24`,并且一个 Nginx 服务器在 IP `192.168.0.2` 上运行,则 VPN 客户端可以使用 IP `192.168.0.2`来访问 Nginx 服务器。 -例如,如果 VPN 服务器的本地子网为 `192.168.0.0/24`,并且一个 Nginx 服务器在 IP `192.168.0.2` 上运行,则 VPN 客户端可以使用 IP `192.168.0.2`来访问 Nginx 服务器。如果无法访问,请检查其他设备上的防火墙设置。 +请注意,如果 VPN 服务器具有多个网络接口(例如 `eth0` 和 `eth1`),并且你想要 VPN 客户端访问服务器上 \*不用于\* Internet 访问的网络接口后面的本地子网,则需要进行额外的配置。在此情形下,你必须运行以下命令来添加 IPTables 规则。为了在重启后仍然有效,你可以将这些命令添加到 `/etc/rc.local`。 + +```bash +# 将 eth1 替换为 VPN 服务器上你想要客户端访问的网络接口名称 +netif=eth1 +iptables -I FORWARD 2 -i "$netif" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +iptables -I FORWARD 2 -i ppp+ -o "$netif" -j ACCEPT +iptables -I FORWARD 2 -i "$netif" -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +iptables -I FORWARD 2 -s 192.168.43.0/24 -o "$netif" -j ACCEPT +iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$netif" -m policy --dir out --pol none -j MASQUERADE +iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$netif" -j MASQUERADE +``` ### 仅限 IKEv2 的 VPN diff --git a/README.md b/README.md index 70589a1..749e410 100644 --- a/README.md +++ b/README.md 
@@ -382,9 +382,21 @@ iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP ### Access VPN server's subnet -After connecting to the VPN, VPN clients can generally access services running on other devices that are within the same local subnet as the VPN server, without additional configuration. +After connecting to the VPN, VPN clients can generally access services running on other devices that are within the same local subnet as the VPN server, without additional configuration. For example, if the VPN server's local subnet is `192.168.0.0/24`, and an Nginx server is running on IP `192.168.0.2`, VPN clients can use IP `192.168.0.2` to access the Nginx server. -For example, if the VPN server's local subnet is `192.168.0.0/24`, and an Nginx server is running on IP `192.168.0.2`, VPN clients can use IP `192.168.0.2` to access the Nginx server. If unable to access, check the firewall settings on the other device. +Please note, additional configuration is required if the VPN server has multiple network interfaces (e.g. `eth0` and `eth1`), and you want VPN clients to access the local subnet behind the network interface that is NOT for Internet access. In this scenario, you must run the following commands to add IPTables rules. To persist after reboot, you may add these commands to `/etc/rc.local`. + +```bash +# Replace eth1 with the name of the network interface +# on the VPN server that you want VPN clients to access +netif=eth1 +iptables -I FORWARD 2 -i "$netif" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +iptables -I FORWARD 2 -i ppp+ -o "$netif" -j ACCEPT +iptables -I FORWARD 2 -i "$netif" -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +iptables -I FORWARD 2 -s 192.168.43.0/24 -o "$netif" -j ACCEPT +iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$netif" -m policy --dir out --pol none -j MASQUERADE +iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$netif" -j MASQUERADE +``` ### IKEv2 only VPN
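Review bot: the README.md hunk drops the troubleshooting sentence "If unable to access, check the firewall settings on the other device." without replacing it; that hint still applies to the single-interface case the first paragraph describes, so keep it at the end of that paragraph. Also, the added rules `iptables -I FORWARD 2 -i ppp+ -o "$netif" -j ACCEPT` and `iptables -I FORWARD 2 -s 192.168.43.0/24 -o "$netif" -j ACCEPT` allow every VPN client to reach every host behind `$netif`, not just the one service the example mentions; the text should say so and note that adding `-d <subnet or host>` to these two rules limits the exposed range. The client subnets `192.168.42.0/24` and `192.168.43.0/24` are hard-coded in the block, so state that they must match the VPN client subnets actually in use.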
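Review bot: in the README-zh.md hunk (and its English counterpart) the persistence advice "为了在重启后仍然有效,你可以将这些命令添加到 `/etc/rc.local`" is incomplete: on systemd-based distributions `/etc/rc.local` is not created or executed by default, so the doc should say the file needs a shebang line and execute permission and that the rc-local service must be available on the system. The commands also hard-code a position with `-I FORWARD 2`, so each rule is inserted above the previous one and above whatever already sits at position 2; the paragraph should state that the script's default rule set is assumed to be in place and unmodified, since a reader who has added rules of their own will otherwise get a different ordering than intended. Minor: "IPTables" should be written `iptables`, as the rest of the document does.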