Understanding the routing table with OpenVPN

2

Network layout: Laptop (OpenVPN client) <-> router with 192.168.1.xxx subnet <-> internet <-> Home router (running DD-WRT with OpenVPN server) with 192.168.11.xxx subnet

The VPN server runs in layer 2 (bridge) mode. All of my internet traffic goes through the VPN tunnel. My home router and the VPN have the external IP address 68.64.127.82.

My laptop (the VPN client) has the IP address 192.168.1.40 on the physical LAN. My IP address on the VPN is 192.168.11.50.

Here is my question: what makes all internet traffic go through the VPN tunnel?

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.40     20
          0.0.0.0        128.0.0.0     192.168.11.1    192.168.11.50     30

The first line says everything should go to the router I'm physically connected to (not the VPN router). The second line makes no sense to me. The 192.168.11.xxx subnet is on my VPN. How can you have a 0.0.0.0 destination with a netmask?!?

Question 2: What does a 128.0.0.0 netmask with a 0.0.0.0 destination mean?

Question 3: Why does the second line take precedence over the first line?

Thanks for the help!


Here is my full routing table:

C:\Users\owner>route print
===========================================================================
Interface List
 19...00 ff 79 ee e1 6b ......TAP-Windows Adapter V9
 10...00 1a 4b 13 d2 92 ......Broadcom NetLink (TM) Gigabit Ethernet
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.40     20
          0.0.0.0        128.0.0.0     192.168.11.1    192.168.11.50     30
     68.64.127.82  255.255.255.255      192.168.1.1     192.168.1.40     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        128.0.0.0        128.0.0.0     192.168.11.1    192.168.11.50     30
      192.168.1.0    255.255.255.0         On-link      192.168.1.40    276
     192.168.1.40  255.255.255.255         On-link      192.168.1.40    276
    192.168.1.255  255.255.255.255         On-link      192.168.1.40    276
     192.168.11.0    255.255.255.0         On-link     192.168.11.50    286
    192.168.11.50  255.255.255.255         On-link     192.168.11.50    286
   192.168.11.255  255.255.255.255         On-link     192.168.11.50    286
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.1.40    276
        224.0.0.0        240.0.0.0         On-link     192.168.11.50    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.1.40    276
  255.255.255.255  255.255.255.255         On-link     192.168.11.50    286
===========================================================================

Here is my ipconfig:

Windows IP Configuration

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-79-EE-E1-6B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::c1f8:5d3:e14:dba6%19(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.11.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, December 11, 2014 11:20:53 AM
   Lease Expires . . . . . . . . . . : Friday, December 11, 2015 11:20:53 AM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 192.168.11.0
   DHCPv6 IAID . . . . . . . . . . . : 520159097
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-A1-5A-F6-00-1A-4B-6B-D2-7C

   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-1A-4B-13-D2-92
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::61c0:c604:f3e5:498%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.40(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, December 11, 2014 11:20:35 AM
   Lease Expires . . . . . . . . . . : Friday, December 12, 2014 11:20:35 AM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 234887755
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-A1-5A-F6-00-1A-4B-13-D2-92

   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
pkSML

Answers:

4

Solved! Thanks to eibgrad on the DD-WRT forums. Here is his answer:

(Source: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=277001 )

It's just a clever hack/trick. 

There’s actually TWO important extra routes the VPN adds: 

128.0.0.0/128.0.0.0 (covers 0.0.0.0 thru 127.255.255.255) 
0.0.0.0/128.0.0.0 (covers 128.0.0.0 thru 255.255.255.255) 

The reason this works is because when it comes to routing, a more specific route is always preferred over a more general route. And 0.0.0.0/0.0.0.0 (the default gateway) is as general as it gets. But if we insert the above two routes, the fact they are more specific means one of them will always be chosen before 0.0.0.0/0.0.0.0 since those two routes still cover the entire IP spectrum (0.0.0.0 thru 255.255.255.255). 

VPNs do this to avoid messing w/ existing routes. They don’t need to delete anything that was already there, or even examine the routing table. They just add their own routes when the VPN comes up, and remove them when the VPN is shutdown. Simple.
pkSML
3
Aren't the IP address ranges swapped here? 0.0.0.0/128.0.0.0 covers 0.0.0.0 - 127.255.255.255 and 128.0.0.0/128.0.0.0 covers 128.0.0.0 - 255.255.255.255
Bojan Komazec
1

@Bojan Komazec is right

The binary form of 0.0.0.0/1 looks like this:

ip   : 00000000.00000000.00000000.00000000
mask : 10000000.00000000.00000000.00000000

which results in subnets like this:
01111111.00000000.00000000.00000000
01111110.00000000.00000000.00000000
01111101.00000000.00000000.00000000
....

So 0.0.0.0/1 covers 0.0.0.0 - 127.255.255.255

The binary form of 128.0.0.0/1 looks like this:

ip   : 10000000.00000000.00000000.00000000
mask : 10000000.00000000.00000000.00000000

which results in subnets like this:
11111111.00000000.00000000.00000000
11111110.00000000.00000000.00000000
11111101.00000000.00000000.00000000

So 127.0.0.0/1 covers 128.0.0.1 - 255.255.255.255

jamlee
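Added example, not part of the original posts: the route selection discussed in the answers, run over a subset of the routes from the question's `route print` output. It computes the range each /1 route covers, picks the route by longest prefix (the metric only breaks ties), and lists the prefixes that still leave outside the VPN interface. The function names and `VPN_IF` are assumptions made for this example.

```python
import ipaddress

# Subset of the `route print` table from the question:
# (destination, netmask, gateway, interface, metric)
ROUTES = [
    ("0.0.0.0",      "0.0.0.0",         "192.168.1.1",  "192.168.1.40",  20),
    ("0.0.0.0",      "128.0.0.0",       "192.168.11.1", "192.168.11.50", 30),
    ("68.64.127.82", "255.255.255.255", "192.168.1.1",  "192.168.1.40",  20),
    ("128.0.0.0",    "128.0.0.0",       "192.168.11.1", "192.168.11.50", 30),
    ("192.168.1.0",  "255.255.255.0",   "On-link",      "192.168.1.40",  276),
    ("192.168.11.0", "255.255.255.0",   "On-link",      "192.168.11.50", 286),
]
VPN_IF = "192.168.11.50"  # address of the TAP adapter in the question (assumed name)


def parse(routes):
    """Turn destination/netmask pairs into ip_network objects."""
    return [(ipaddress.ip_network(f"{d}/{m}"), gw, iface, metric)
            for d, m, gw, iface, metric in routes]


def covered_range(cidr):
    """First and last address matched by a route."""
    net = ipaddress.ip_network(cidr)
    return str(net[0]), str(net[-1])


def lookup(table, addr):
    """Longest prefix wins; the metric only breaks ties between equal prefixes."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in table if ip in r[0]]
    net, gw, iface, metric = min(matches, key=lambda r: (-r[0].prefixlen, r[3]))
    return str(net), iface


def outside_tunnel(table, vpn_if):
    """Prefixes that still leave via another interface once both /1 routes
    point at the VPN (these are the destinations worth reviewing)."""
    halves = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}
    via_vpn = {net for net, _, iface, _ in table if iface == vpn_if}
    if not halves <= via_vpn:
        return ["0.0.0.0/0"]  # no full tunnel: the default route is still in use
    return [str(net) for net, _, iface, _ in table
            if iface != vpn_if and net.prefixlen >= 1]


if __name__ == "__main__":
    table = parse(ROUTES)
    for dst in ("8.8.8.8", "200.1.2.3", "68.64.127.82", "192.168.1.77"):
        print(dst, "->", lookup(table, dst))
    print("outside tunnel:", outside_tunnel(table, VPN_IF))
```

The host route for 68.64.127.82 and the local 192.168.1.0/24 subnet are the only prefixes in this table that bypass the tunnel; any other more-specific route via the physical adapter would show up in the same list.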