如何在單個樹莓派上結合使用 OpenVPN 和 hostapd？

Question

我將我的 Pi 配置為 OpenVPN 服務器，以便在不在家時訪問我的 local.network。 它就像一個魅力:-)

現在我也想用我的 Pi 作為接入點。

為此，我使用了以下說明： 設置橋接無線接入點

（幾乎）一切似乎都運行良好。 “接入點”function 應該是這樣，我還可以設置一個 OpenVPN 隧道。

我可以通過該隧道與我的客戶端一起訪問我的本地設備。 但是，一旦 VPN 隧道處於活動狀態，我就無法再使用該客戶端訪問“the inte.net”。 我無法加載web頁，但我也無法ping通。 Ping 到 142.250.179.163 (= www.google.nl ) 只會返回超時。

路由流量似乎有問題，但我對解決問題的知識有點缺乏。 希望有人能幫助我。

這是我的配置：

打開VPN：

/etc/openvpn/server.conf

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/raspberrypi_foo-foo.crt
key /etc/openvpn/easy-rsa/pki/private/raspberrypi_foo-foo.key
dh none
ecdh-curve prime256v1
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device. 
#duplicate-cn
# Generated for use by PiVPN.io

主機：

/etc/systemd.network/bridge-br0.netdev

[NetDev]
Name=br0
Kind=bridge

/etc/systemd.network/br0-member-eth0.network

[Match]
Name=eth0

[Network]
Bridge=br0

/etc/dhcpcd.conf

# A sample configuration for dhcpcd.
# See dhcpcd.conf(5) for details.

# Allow users of this group to interact with dhcpcd via the control socket.
#controlgroup wheel

# Inform the DHCP server of our hostname for DDNS.
hostname

# Use the hardware address of the interface for the Client ID.
clientid
# or
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as per RFC4361.
# Some non-RFC compliant DHCP servers do not reply with this set.
# In this case, comment out duid and enable clientid above.
#duid

# Stop dhcpcd (to bridge wlan0 to eth0)
denyinterfaces wlan0 eth0

# Persist interface configuration when dhcpcd exits.
persistent

# Rapid commit support.
# Safe to enable by default because it requires the equivalent option set
# on the server to actually work.
option rapid_commit

# A list of options to request from the DHCP server.
option domain_name_servers, domain_name, domain_search, host_name
option classless_static_routes
# Respect the network MTU. This is applied to DHCP routes.
option interface_mtu

# Most distributions have NTP support.
#option ntp_servers

# A ServerID is required by RFC2131.
require dhcp_server_identifier

# Generate SLAAC address using the Hardware Address of the interface
#slaac hwaddr
# OR generate Stable Private IPv6 Addresses based from the DUID
slaac private

# Example static IP configuration:
#interface eth0
#static ip_address=192.168.0.10/24
#static ip6_address=fd51:42f8:caae:d92e::ff/64
#static routers=192.168.0.1
#static domain_name_servers=192.168.0.1 8.8.8.8 fd51:42f8:caae:d92e::1

# It is possible to fall back to a static IP if DHCP fails:
# define static profile
#profile static_eth0
#static ip_address=192.168.1.23/24
#static routers=192.168.1.1
#static domain_name_servers=192.168.1.1

# fallback to static profile on eth0
#interface eth0
#fallback static_eth0

# Connect to bridge 
interface br0

/etc/hostapd/hostapd.conf

country_code=NL
interface=wlan0
bridge=br0
ssid=Charon
hw_mode=g
channel=3
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=foo-foo
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

Answer 1

最后它很簡單......（它總是！）

只需在接口 br0 處添加到路由器的默認路由：

/etc/dhcpcd.conf

(...)
# Connect to bridge 
interface br0
# Default route
static routers=192.168.1.254