Update docs
hwdsl2 committed Nov 6, 2022
1 parent 46640c0 commit 4835154
Showing 4 changed files with 48 additions and 0 deletions.
1 change: 1 addition & 0 deletions README-zh.md
Expand Up @@ -346,6 +346,7 @@ https://gitlab.com/hwdsl2/setup-ipsec-vpn/-/raw/master/extras/vpnupgrade.sh
- [转发端口到 VPN 客户端](docs/advanced-usage-zh.md#转发端口到-vpn-客户端)
- [VPN 分流](docs/advanced-usage-zh.md#vpn-分流)
- [访问 VPN 服务器的网段](docs/advanced-usage-zh.md#访问-vpn-服务器的网段)
- [VPN 服务器网段访问 VPN 客户端](docs/advanced-usage-zh.md#vpn-服务器网段访问-vpn-客户端)
- [更改 IPTables 规则](docs/advanced-usage-zh.md#更改-iptables-规则)
- [部署 Google BBR 拥塞控制](docs/advanced-usage-zh.md#部署-google-bbr-拥塞控制)

1 change: 1 addition & 0 deletions README.md
Expand Up @@ -346,6 +346,7 @@ See [Advanced usage](docs/advanced-usage.md).
- [Port forwarding to VPN clients](docs/advanced-usage.md#port-forwarding-to-vpn-clients)
- [Split tunneling](docs/advanced-usage.md#split-tunneling)
- [Access VPN server's subnet](docs/advanced-usage.md#access-vpn-servers-subnet)
- [Access VPN clients from server's subnet](docs/advanced-usage.md#access-vpn-clients-from-servers-subnet)
- [Modify IPTables rules](docs/advanced-usage.md#modify-iptables-rules)
- [Deploy Google BBR congestion control](docs/advanced-usage.md#deploy-google-bbr-congestion-control)

23 changes: 23 additions & 0 deletions docs/advanced-usage-zh.md
Expand Up @@ -10,6 +10,7 @@
* [转发端口到 VPN 客户端](#转发端口到-vpn-客户端)
* [VPN 分流](#vpn-分流)
* [访问 VPN 服务器的网段](#访问-vpn-服务器的网段)
* [VPN 服务器网段访问 VPN 客户端](#vpn-服务器网段访问-vpn-客户端)
* [更改 IPTables 规则](#更改-iptables-规则)
* [部署 Google BBR 拥塞控制](#部署-google-bbr-拥塞控制)

Expand Down Expand Up @@ -295,6 +296,28 @@ iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$netif" -m policy --dir ou
iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$netif" -j MASQUERADE
```

## VPN 服务器网段访问 VPN 客户端

在某些情况下,你可能需要从 VPN 服务器位于同一本地子网内的其他设备访问 VPN 客户端上的服务。这可以通过以下几个步骤实现。

假设 VPN 服务器 IP 是 `10.1.0.2`,你想要访问 VPN 客户端的设备的 IP 是 `10.1.0.3`

1. 在 VPN 服务器上添加 IPTables 规则以允许该流量。例如:
```
# 获取默认网络接口名称
netif=$(route 2>/dev/null | grep -m 1 '^default' | grep -o '[^ ]*$')
iptables -I FORWARD 2 -i "$netif" -o ppp+ -s 10.1.0.3 -j ACCEPT
iptables -I FORWARD 2 -i "$netif" -d 192.168.43.0/24 -s 10.1.0.3 -j ACCEPT
```
2. 在你想要访问 VPN 客户端的设备上添加路由规则。例如:
```
# 将 eth0 替换为设备的本地子网的网络接口名称
route add -net 192.168.42.0 netmask 255.255.255.0 gw 10.1.0.2 dev eth0
route add -net 192.168.43.0 netmask 255.255.255.0 gw 10.1.0.2 dev eth0
```

[VPN 内网 IP 和流量](#vpn-内网-ip-和流量) 小节了解 VPN 内网 IP 的更多信息。

## 更改 IPTables 规则

如果你想要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS/RHEL)。然后重启服务器。
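Review bot: the closing sentence of the new section ("[VPN 内网 IP 和流量](#vpn-内网-ip-和流量) 小节了解 VPN 内网 IP 的更多信息。") is missing its verb and reads as a fragment; the English counterpart says "Learn more about ...", so "请参阅 [VPN 内网 IP 和流量](#vpn-内网-ip-和流量) 小节了解 VPN 内网 IP 的更多信息。" would match it, and the assumption line ("...设备的 IP 是 `10.1.0.3`") should end with a full stop like the English version. On the content itself, the two `iptables -I FORWARD 2 ...` rules are inserted at a fixed position that only makes sense relative to the installer's existing FORWARD chain, which the page does not show, and neither they nor the `route add` commands in step 2 survive a reboot; since the very next section ("更改 IPTables 规则") covers persisting rules in `/etc/iptables.rules`, `/etc/iptables/rules.v4` or `/etc/sysconfig/iptables`, add a sentence pointing readers there and state what rule position 2 is expected to follow. A short comment on which client type each rule covers (the first matches clients behind `ppp+` interfaces, the second the `192.168.43.0/24` range that the surrounding NAT rule handles with an IPsec policy match) and a hint that `-d <客户端 IP>` and `-p tcp --dport <端口>` can narrow the rules to the single service needed, rather than opening every port on every client to `10.1.0.3`, would also help readers keep the opening minimal.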
23 changes: 23 additions & 0 deletions docs/advanced-usage.md
Expand Up @@ -10,6 +10,7 @@
* [Port forwarding to VPN clients](#port-forwarding-to-vpn-clients)
* [Split tunneling](#split-tunneling)
* [Access VPN server's subnet](#access-vpn-servers-subnet)
* [Access VPN clients from server's subnet](#access-vpn-clients-from-servers-subnet)
* [Modify IPTables rules](#modify-iptables-rules)
* [Deploy Google BBR congestion control](#deploy-google-bbr-congestion-control)

Expand Down Expand Up @@ -296,6 +297,28 @@ iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$netif" -m policy --dir ou
iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$netif" -j MASQUERADE
```

## Access VPN clients from server's subnet

In certain circumstances, you may need to access services on VPN clients from other devices that are on the same local subnet as the VPN server. This can be done using the following steps.

Assume that the VPN server IP is `10.1.0.2`, and the IP of the device from which you want to access VPN clients is `10.1.0.3`.

1. Add IPTables rules on the VPN server to allow this traffic. For example:
```
# Get default network interface name
netif=$(route 2>/dev/null | grep -m 1 '^default' | grep -o '[^ ]*$')
iptables -I FORWARD 2 -i "$netif" -o ppp+ -s 10.1.0.3 -j ACCEPT
iptables -I FORWARD 2 -i "$netif" -d 192.168.43.0/24 -s 10.1.0.3 -j ACCEPT
```
2. Add routing rules on the device you want to access VPN clients. For example:
```
# Replace eth0 with the network interface name of the device's local subnet
route add -net 192.168.42.0 netmask 255.255.255.0 gw 10.1.0.2 dev eth0
route add -net 192.168.43.0 netmask 255.255.255.0 gw 10.1.0.2 dev eth0
```

Learn more about internal VPN IPs in [Internal VPN IPs and traffic](#internal-vpn-ips-and-traffic).

## Modify IPTables rules

If you want to modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS/RHEL). Then reboot your server.
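Review bot: the two `iptables -I FORWARD 2 ...` lines in step 1 of the new section are inserted at a fixed chain position and are not persisted, and the text says neither; since the section that follows ("Modify IPTables rules", `/etc/iptables.rules` / `/etc/iptables/rules.v4` / `/etc/sysconfig/iptables`) already covers persistence, add a sentence pointing readers there, and state which existing rule position 2 is expected to sit after, because readers who have customised the FORWARD chain (as that next section invites) cannot tell from the page whether position 2 is still correct. Two smaller points: the first rule (`-o ppp+ -s 10.1.0.3`) opens every port on every client behind a `ppp+` interface to `10.1.0.3`, and the second does the same for the `192.168.43.0/24` range that the surrounding NAT rule handles with an IPsec policy match; a comment saying which client type each rule covers, plus a hint that `-d <client IP>` and `-p tcp --dport <port>` can narrow the rules to the one service that is actually needed, would help readers apply least privilege. Likewise the `route add -net ... gw 10.1.0.2 dev eth0` commands in step 2 are lost on reboot and `route` is the legacy net-tools command; mentioning the iproute2 form (`ip route add 192.168.42.0/24 via 10.1.0.2 dev eth0`) and that the routes must be re-added or configured in the device's network settings to persist would round the section out.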

0 comments on commit 4835154