Open Jamlee opened 5 years ago
Hi Jamlee,
The missing piece is that the operating system on the server (a Linux feature called IPTables Masquerade) is modifying the packets for us if needed.
Consider these two scenarios, where the VPN network has a netmask of 255.255.255.0 with a network address space of 192.168.69.1-255:

1. Client on the VPN (with address 192.168.69.3) is sending a packet to another VPN client with address 192.168.69.8:
   - 192.168.69.8 matches the mask of the VPN interface, so the OS sends the packet down the VPN (TUN) interface.
   - Because the receiving client's own TUN interface has the address 192.168.69.8, it knows the packet is for itself, and accepts the packet into its network stack.

2. Client on the VPN (with address 192.168.69.3) is sending a packet to 8.8.8.8:
   - 8.8.8.8 is not on the VPN (the 192.168.69.X address space). If the sending OS is configured to use the VPN as the default gateway (the -gw flag), this packet will be sent down the VPN (TUN) interface to the VPN server.
   - The VPN server sees that the packet is not for a 192.168.69.X address. As such, it sends it out on its own (TUN) interface.
   - On the server:

     ```
     sysctl net.ipv4.ip_forward=1
     iptables -t nat -A POSTROUTING -j MASQUERADE
     ```

     Packets coming out of a network interface on the server with a private address space (like 192.168.69.X) have their source packets rewritten, and the packet forwarded upstream. The OS also makes a note of the packet information, so it can rewrite the destination address of any replies (otherwise 2-way communication would not work).
Does that help?
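As an added illustration (not code from this project), the two scenarios above as a small simulation: the client-side route lookup, and a server with `ip_forward=1` plus a MASQUERADE rule that, unlike the bare rule quoted above, is restricted to VPN sources leaving the upstream interface (`-s 192.168.69.0/24 -o eth0`), together with the conntrack-style state that lets replies be rewritten back. The interface names and the server's public address 203.0.113.10 are constructed placeholders.

```python
import ipaddress

# Constructed values for the simulation: the VPN subnet from the thread and a
# placeholder public address for the server's upstream (eth0) interface.
VPN_NET = ipaddress.ip_network("192.168.69.0/24")
SERVER_PUBLIC = "203.0.113.10"


def client_egress(dst, vpn_is_default_gw):
    """Client-side route lookup: the /24 VPN route always wins for VPN
    addresses; everything else follows the default route, which the -gw
    flag moves onto tun0."""
    if ipaddress.ip_address(dst) in VPN_NET:
        return "tun0"
    return "tun0" if vpn_is_default_gw else "eth0"


class MasqueradingServer:
    """Server with ip_forward=1 and a POSTROUTING MASQUERADE rule limited to
    VPN sources on the upstream interface. The conntrack table remembers each
    rewritten flow so replies can be mapped back to the VPN client."""

    def __init__(self):
        self.conntrack = {}      # (upstream peer, public sport) -> (vpn src, vpn sport)
        self.next_port = 40000   # simplification: real MASQUERADE keeps the port when free

    def forward(self, pkt):
        """Packet arriving from a client on tun0; returns what leaves the server."""
        src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        if dst in VPN_NET:
            return dict(pkt)     # scenario 1: delivered on tun0 untouched
        if src not in VPN_NET:
            raise ValueError("rule only masquerades VPN sources")
        port, self.next_port = self.next_port, self.next_port + 1
        self.conntrack[(pkt["dst"], port)] = (pkt["src"], pkt["sport"])
        return {"src": SERVER_PUBLIC, "sport": port, "dst": pkt["dst"], "dport": pkt["dport"]}

    def reply(self, pkt):
        """Packet arriving from upstream on eth0; None means no matching state."""
        state = self.conntrack.get((pkt["src"], pkt["dport"]))
        if state is None:
            return None          # unsolicited inbound packet: nothing to de-NAT to
        vpn_src, vpn_sport = state
        return {"src": pkt["src"], "sport": pkt["sport"], "dst": vpn_src, "dport": vpn_sport}
```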
Yeah, it is really really helpful to me. Could I translate your answer into Chinese to help more people benefit from your nice work?
Hi Jamlee.
The missing piece here is that on a Linux system, IPTables Masquerade in iptables modifies the outgoing IP packets when necessary.
Consider the following two scenarios, assuming the VPN network segment is 192.168.69.1-255 with a subnet mask of 255.255.255.0:
A VPN client (address 192.168.69.3) sends an IP packet to another VPN client (address 192.168.69.8):
The raw IP packet is processed and written to the tun device; tun is a local device, and the app listening on 192.168.69.8 receives the TCP data.

```
+---------------------+ +--------------------+ +---------------------+--------------------------------------+
| | | src 192.168.69.3 | | | |
| | | dst 192.168.69.8 | | | +---------------------------+ |
| +---------------+ | +--------------------+ | +---------------+ | | | |
| | vpn client | | ip packet on tcp tunel | | vpn server | | | | |
| | | | +-----------------------------+--> | | | | |
| +-------+-------+ | | | +-------+-------+ | | app behind on vpn | |
| | | | | | | | listening on | |
| +-------v-------+ | | | +-------v-------+ | | 192.168.69.8 | |
| | tun0 ++--+-----+ | | tun0 | | | | |
| | 192.168.69.3 | + | | 192.168.69.8 +--+------> | |
| +---------------+ | | +---------------+ | +---------------------------+ |
+---------------------+ +---------------------+--------------------------------------+
```
A VPN client (address 192.168.69.3) sends an IP packet to the address 8.8.8.8:
The raw IP packet is processed and written to the tun device; since the IP packet is not for a local device, Linux rewrites its source address (that is, the NAT function).

```
+---------------------+ +--------------------+ +---------------------+----------------------+
| | | src 192.168.69.3 | | | |
| | | dst 8.8.8.8 | | | |
| +---------------+ | +--------------------+ | +---------------+ | |
| | vpn client | | ip packet on tcp tunel | | vpn server | | |
| | | | +-----------------------------+--> | | |
| +-------+-------+ | | | +-------+-------+ | | dst 8.8.8.8
| | | | | | | | src 192.168.69.8
| +-------v-------+ | | | +-------v-------+ | | NAT
| | tun0 ++--+-----+ | | tun0 | | NAT by linux |------------->
| | 192.168.69.3 | + | | 192.168.69.8 +--+----> route by default|<-------------
| +---------------+ | | +---------------+ | gw | dst 192.168.69.8
+---------------------+ +---------------------+----------------------+ src 8.8.8.8
node A node B
```
Yes, thank you! I can link to this from the readme, or feel free to submit a PR.
Thanks again!
Hi, buddy. I have read the source code, and there is something I could not understand. ^_^
Why does the raw packet sent by the client not need to be modified? For example, changing the source IP etc.
Is the unmodified raw packet sent to tun0 directly always routed back correctly?