Blog · Tanky Woo

Today I noticed the VPN server log scrolling non-stop with this:

office-A/2.2.2.2:51159 MULTI: Learn FAILED: 10.15.0.100 -> office-A/2.2.2.2:51159
office-A/2.2.2.2:51159 MULTI ROUTE: route quota (256) exceeded for office-A/2.2.2.2:51159 (see --max-routes-per-client option)
office-A/2.2.2.2:51159 MULTI: Learn FAILED: 10.15.0.100 -> office-A/2.2.2.2:51159
office-B/3.3.3.3:34020 MULTI ROUTE: route quota (256) exceeded for office-A/2.2.2.2:51159 (see --max-routes-per-client option)
office-B/3.3.3.3:34020 MULTI: Learn FAILED: 10.15.0.100 -> office-A/2.2.2.2:51159
office-B/3.3.3.3:34020 MULTI ROUTE: route quota (256) exceeded for office-A/2.2.2.2:51159 (see --max-routes-per-client option)
office-B/3.3.3.3:34020 MULTI: Learn FAILED: 10.15.0.100 -> office-A/2.2.2.2:51159
...

The rough architecture: the office networks talk to each other over the VPN, 10.15.0.0/16 is office-A's internal range, and the two offices are linked through a central VPN server.

office-A          vpn-server          office-B

2.2.2.2 <--------> 1.1.1.1 <--------> 3.3.3.3

I read the manual for --max-routes-per-client. In short, it exists to contain an authenticated client that floods the server with packets appearing to come from many different MAC addresses, which would keep expanding the internal routing table until memory runs out; hence the default limit. The manual describes tap mode, but the same internal table is used in tun mode with virtual IP addresses in place of MACs, and the log above shows a detail that matters here: the quota is charged to the client that owns the address range (office-A), even when the packet that triggers the lookup comes from the other peer (the lines prefixed office-B).

--max-routes-per-client n
    Allow a maximum of n internal routes per client (default=256). This is designed to help contain DoS attacks where an authenticated client floods the server with packets appearing to come from many unique MAC addresses, forcing the server to deplete virtual memory as its internal routing table expands. This directive can be used in a --client-config-dir file or auto-generated by a --client-connect script to override the global value for a particular client.

    Note that this directive affects OpenVPN's internal routing table, not the kernel routing table.

office-A has many hosts and IPs inside; when they talk to hosts in office-B, the traffic has to pass through vpn-server.

At first I wanted to look at OpenVPN's internal routing table but couldn't find a way, so I captured packets on the tun interface to estimate which IPs were talking. Since the range assigned there is a /16 and several subnets were in use at the time, a short capture already counted 300+ IPs.

Following the docs, I didn't change the global value; I only set max-routes-per-client in the office-B file under --client-config-dir:

max-routes-per-client 1024

The default of 256 was presumably chosen with a single class C in mind, which holds at most 255 addresses or so.
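The server-side layout that goes with such an override, as an added example (not the post's own configuration): the kernel route for the site subnet, a client-config-dir, and the per-client CCD file carrying the subnet's iroute next to the raised quota, plus a small pre-flight function that reports the quota a client will get. It assumes, beyond what the post states, that the site subnet is published through an iroute in the CCD file, that the CCD directory is /etc/openvpn/ccd, that the tunnel network is 10.8.0.0/24, and that the management socket is the one the post connects to with nc. Keeping the override in the CCD file rather than in the global config is the right scope: the quota is charged to the owner of the address range, so a peer sweeping the /16 can push the owner over the limit, and a global increase would relax the DoS protection for every client.

```shell
#!/bin/sh
# Added example, not the post's own config. Assumptions (not from the post):
# the site subnet is reached through an `iroute` in the CCD file, the CCD
# directory is /etc/openvpn/ccd, the tunnel network is 10.8.0.0/24, and the
# management socket path matches the one the post uses with nc.

# Server snippet: the kernel route for 10.15.0.0/16 points at the tun device,
# client-config-dir enables per-client overrides, and the global quota stays
# at its default (256), so only the CCD file changes it.
write_server_conf() {          # $1 = destination file
    cat > "$1" <<'EOF'
dev tun
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
route 10.15.0.0 255.255.0.0
management /var/run/vpn-server.sock unix
# max-routes-per-client is deliberately left at its default (256) here
EOF
}

# CCD file for one client. The file name must equal the client's certificate
# common name; the iroute tells OpenVPN which client owns the subnet, and the
# quota override applies to that client alone.
write_ccd() {                  # $1 = ccd dir, $2 = common name, $3 = quota
    mkdir -p "$1"
    cat > "$1/$2" <<EOF
iroute 10.15.0.0 255.255.0.0
max-routes-per-client $3
EOF
}

# Effective quota for a client: the CCD value if present, else the default 256.
# Handy as a pre-flight check before reloading the server.
ccd_route_limit() {            # $1 = ccd dir, $2 = common name
    f="$1/$2"
    if [ -r "$f" ]; then
        limit=$(awk '$1 == "max-routes-per-client" { v = $2 } END { print v }' "$f")
        if [ -n "$limit" ]; then
            echo "$limit"
            return 0
        fi
    fi
    echo 256
}

# Usage (writes under /etc/openvpn; run as root):
#   write_server_conf /etc/openvpn/server.conf
#   write_ccd /etc/openvpn/ccd office-B 1024
#   ccd_route_limit /etc/openvpn/ccd office-B   # prints 1024
```

Hitting the quota is not an outage: in tun mode the owner is located through the subnet route first and the per-host cache insert is a side effect, so traffic keeps flowing and the symptom is the repeated log line plus a prefix search on every packet. Cached host entries are reaped after they have been idle for roughly a minute, so the quota has to cover the hosts active within that window, not the size of the whole range.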

Later, while digging further, I found that the status command on the management interface shows the internal routing table, and it really is one entry per client IP:

$ nc -U /var/run/vpn-server.sock
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
status
OpenVPN CLIENT LIST
Updated,Mon Dec 21 22:46:04 2020
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
office-B,2.2.2.2:12345,1234567890,123456789,Mon Dec 21 17:30:45 2020
...
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.15.0.100C,office-B,2.2.2.2:12345,Mon Dec 21 22:45:22 2020
10.15.1.200C,office-B,2.2.2.2:12345,Mon Dec 21 22:46:00 2020
...
GLOBAL STATS
Max bcast/mcast queue length,1
END
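A trailing C on a Virtual Address marks a cached host entry (MULTI_ROUTE_CACHE in the OpenVPN source): the server matched a packet's address against a client's subnet route, cached the host address for that client, and those per-host entries are what count toward max-routes-per-client. Counting them per Common Name from the status output gives a direct reading of how close a client is to its quota, which is nicer than waiting for the log flood. The script below is an added example, not from the post; the status block inside it is constructed in the same layout as the output above (with a few more entries), and the socket path and quotas are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: count ROUTING TABLE entries per client in
# the management interface's `status` output and warn when a client is close
# to its route quota. SAMPLE_STATUS is constructed for this example in the
# layout of the post's output; socket path and quotas are assumptions.

SAMPLE_STATUS='OpenVPN CLIENT LIST
Updated,Mon Dec 21 22:46:04 2020
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
office-A,2.2.2.2:51159,1234567890,123456789,Mon Dec 21 17:30:45 2020
office-B,3.3.3.3:34020,987654321,12345678,Mon Dec 21 17:31:02 2020
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.15.0.0/16,office-A,2.2.2.2:51159,Mon Dec 21 17:30:45 2020
10.15.0.100C,office-A,2.2.2.2:51159,Mon Dec 21 22:45:22 2020
10.15.1.200C,office-A,2.2.2.2:51159,Mon Dec 21 22:46:00 2020
10.15.3.7C,office-A,2.2.2.2:51159,Mon Dec 21 22:46:01 2020
10.8.0.6,office-B,3.3.3.3:34020,Mon Dec 21 22:46:03 2020
GLOBAL STATS
Max bcast/mcast queue length,1
END'

# Fetch a live status block from the management socket (not exercised by the
# test). `nc -U` is OpenBSD netcat; `quit` closes the management session.
fetch_status() {               # $1 = unix socket path
    printf 'status\nquit\n' | nc -U "$1"
}

# Read a status block on stdin and print "common-name count" for every client
# owning at least one entry in the ROUTING TABLE section. Column 2 of the CSV
# is the Common Name; the section header and column header are skipped.
route_counts() {
    awk -F, '
        /^ROUTING TABLE/ { in_rt = 1; next }
        /^GLOBAL STATS/  { in_rt = 0 }
        in_rt && $1 != "Virtual Address" && NF >= 2 { n[$2]++ }
        END { for (cn in n) print cn, n[cn] }
    ' | sort
}

# Count for one client (0 if the client owns no routes).
route_count_for() {            # $1 = common name; status block on stdin
    c=$(route_counts | awk -v cn="$1" '$1 == cn { print $2 }')
    echo "${c:-0}"
}

# Exit 0 when the client is below the warning threshold (80% of its quota),
# 1 when it is at or above it; prints a one-line verdict either way.
check_quota() {                # $1 = common name, $2 = quota; status on stdin
    n=$(route_count_for "$1")
    threshold=$(( $2 * 80 / 100 ))
    if [ "$n" -ge "$threshold" ]; then
        echo "WARN $1 uses $n of $2 routes"
        return 1
    fi
    echo "ok $1 uses $n of $2 routes"
}

# Usage against the live server (quota taken from the client's CCD file):
#   fetch_status /var/run/vpn-server.sock | check_quota office-B 1024
# Dry run on the constructed sample:
#   printf '%s\n' "$SAMPLE_STATUS" | check_quota office-A 256
```

Run from cron and fed into whatever alerting is in place, the WARN line catches a client creeping up on its quota before the server starts logging the failure on every packet; the subnet route itself (the /16 line) shows up in the count as well, which is harmless at these quotas.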