Linux
無法將 Mikrotik OpenVPN 客戶端連接到 Linux 伺服器
問候!
我真的很感激任何幫助!
在過去的兩天裡,我無法讓 Mikrotik 路由器連接到 Debian 10 OpenVPN 伺服器。
對於每次連接嘗試,路由器都會顯示以下錯誤消息:
Status: terminating... - could not add address: netmask cannot be /0 (6)
這是我的配置:
客戶端: Mikrotik RB2011UiAS-2HnD-IN / RouterOS:7.1b2 / 6.46.8(兩種韌體都試過)
"White" IP: 195.111.111.2/30 Gateway: 195.111.111.1 [admin@MikroTik] > /interface print Flags: R - RUNNING; S - SLAVE # NAME TYPE ACTU L2MT MAX- MAC-ADDRESS 0 R ether1-gateway ether 1500 1598 4074 D4:CA:6D:00:E0:03 1 RS ether2 ether 1500 1598 4074 D4:CA:6D:00:E0:04 2 RS ether3 ether 1500 1598 4074 D4:CA:6D:00:E0:05 3 RS ether4 ether 1500 1598 4074 D4:CA:6D:00:E0:06 4 S ether5 ether 1500 1598 4074 D4:CA:6D:00:E0:07 5 S ether6 ether 1500 1598 2028 D4:CA:6D:00:E0:08 6 S ether7 ether 1500 1598 2028 D4:CA:6D:00:E0:09 7 S ether8 ether 1500 1598 2028 D4:CA:6D:00:E0:0A 8 S ether9 ether 1500 1598 2028 D4:CA:6D:00:E0:0B 9 S ether10 ether 1500 1598 2028 D4:CA:6D:00:E0:0C 10 sfp1 ether 1500 1598 4074 D4:CA:6D:00:E0:02 11 RS wlan1 wlan 1500 1600 2290 D4:CA:6D:00:E0:0D 12 office ovpn-out 02:FF:F4:DF:C3:9A 13 R bridge1 bridge 1500 1598 D4:CA:6D:00:E0:0D [admin@MikroTik] > /interface ovpn-client print Flags: X - disabled; R - running 0 name="office" mac-address=02:F2:F2:2F:CC:1A max-mtu=1500 connect-to=195.222.222.2 port=1198 mode=ip protocol=tcp user="mikrotik" password="" profile=default certificate=cert_2 verify-server-certificate=no auth=sha1 cipher=aes256 use-peer-dns=no add-default-route=no [admin@MikroTik] > /ip route print Flags: D - DYNAMIC; X - DISABLED, I - INACTIVE, A - ACTIVE; C - CONNECT, S - STATIC, m - MODEM # DST-ADDRESS GATEWAY D AS 0.0.0.0/0 195.111.111.1 1 DAC 192.168.47.0/24 bridge1 0 DAC 195.111.111.2/30 ether1-gateway 0 [admin@MikroTik] > /ip firewall nat print Flags: X - disabled, I - invalid; D - dynamic 0 chain=srcnat action=masquerade dst-address=0.0.0.0 out-interface=ether1-gateway log=no log-prefix=""
伺服器: Debian 10 + Xen 4.11 橋接
# ip addr 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master xenbr0 state UP group default qlen 1000 link/ether 2c:2f:6b:20:2e:24 brd ff:ff:ff:ff:ff:ff 3: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 2c:2f:2b:20:2e:25 brd ff:ff:ff:ff:ff:ff inet 195.222.222.2/30 brd 195.222.222.1 scope global eno2 valid_lft forever preferred_lft forever 4: xenbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 2c:2f:2b:20:2e:24 brd ff:ff:ff:ff:ff:ff inet 192.168.48.1/24 brd 192.168.48.255 scope global xenbr0 valid_lft forever preferred_lft forever 5: vif1.0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master xenbr0 state UP group default qlen 32 link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff 6: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500 link/none inet 10.101.0.1/24 scope global tun1 valid_lft forever preferred_lft forever # cat /etc/openvpn/server.conf: local 195.222.222.2 port 1198 proto tcp dev tun1 ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/server.crt key /etc/openvpn/keys/server.key dh /etc/openvpn/keys/dh.pem data-ciphers AES-256-CBC cipher AES-256-CBC auth SHA1 topology subnet server 10.101.0.0 255.255.255.0 ifconfig-pool-persist ipp_tcp.txt client-config-dir ccd push "route 192.168.48.0 255.255.255.0" push "route 192.168.47.0 255.255.255.0" route 192.168.47.0/24 255.255.255.0 client-to-client keepalive 10 120 ;comp-lzo ;max-clients 100 user nobody group nogroup persist-key persist-tun status /var/log/openvpn/openvpn-status.log log /var/log/openvpn/openvpn.log verb 6 ;mute 20 #/etc/openvpn/ccd/mikrotik iroute 192.168.47.0 255.255.255.0 10.101.0.2 ifconfig-push 10.101.0.2 10.101.0.1 255.255.255.252 # iptables -S -P INPUT DROP -P FORWARD ACCEPT -P OUTPUT ACCEPT -A INPUT -p tcp -m tcp --dport 1198 -m state --state NEW -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -i xenbr0 -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT -A INPUT -m state --state INVALID -j DROP -A OUTPUT -o lo -j ACCEPT -A OUTPUT -o xenbr0 -j ACCEPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # iptables -t nat -S -P PREROUTING ACCEPT -P INPUT ACCEPT -P POSTROUTING ACCEPT -P OUTPUT ACCEPT -A POSTROUTING -s 192.168.48.0/24 -d 192.168.48.0/24 -j ACCEPT -A POSTROUTING -s 192.168.48.0/24 -d 10.0.0.0/8 -j ACCEPT -A POSTROUTING -s 192.168.48.0/24 -j SNAT --to-source 195.222.222.2
OpenVPN 伺服器日誌:
2020-11-17 01:53:40 us=127869 MULTI: multi_create_instance called 2020-11-17 01:53:40 us=127918 Re-using SSL/TLS context 2020-11-17 01:53:40 us=127965 Control Channel MTU parms [ L:1623 D:1210 EF:40 EB:0 ET:0 EL:3 ] 2020-11-17 01:53:40 us=127977 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ] 2020-11-17 01:53:40 us=128002 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,key$ 2020-11-17 01:53:40 us=128010 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,aut$ 2020-11-17 01:53:40 us=128035 TCP connection established with [AF_INET]195.111.111.2:34720 2020-11-17 01:53:40 us=128045 TCPv4_SERVER link local: (not bound) 2020-11-17 01:53:40 us=128053 TCPv4_SERVER link remote: [AF_INET]195.111.111.2:34720 2020-11-17 01:53:40 us=132062 195.111.111.2:34720 TCPv4_SERVER READ [14] from [AF_INET]195.111.111.2:34720: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0$ 2020-11-17 01:53:40 us=132100 195.111.111.2:34720 TLS: Initial packet from [AF_INET]195.111.111.2:34720, sid=d0dc4e5c 860c785f 2020-11-17 01:53:40 us=132124 195.111.111.2:34720 TCPv4_SERVER WRITE [26] to [AF_INET]195.111.111.2:34720: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=$ 2020-11-17 01:53:40 us=136840 195.111.111.2:34720 TCPv4_SERVER READ [22] from [AF_INET]195.111.111.2:34720: P_ACK_V1 kid=0 [ 0 ] 2020-11-17 01:53:40 us=183931 195.111.111.2:34720 TCPv4_SERVER READ [116] from [AF_INET]195.111.111.2:34720: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=102 2020-11-17 01:53:40 us=184699 195.111.111.2:34720 TCPv4_SERVER WRITE [1196] to [AF_INET]195.111.111.2:34720: P_CONTROL_V1 kid=0 [ 1 ] pid=1 DATA len=1170 2020-11-17 01:53:40 us=184741 195.111.111.2:34720 TCPv4_SERVER WRITE [1078] to [AF_INET]195.111.111.2:34720: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=1064 2020-11-17 01:53:40 us=190449 195.111.111.2:34720 TCPv4_SERVER READ [22] from [AF_INET]195.111.111.2:34720: P_ACK_V1 kid=0 [ 1 ] 2020-11-17 01:53:40 us=235548 195.111.111.2:34720 TCPv4_SERVER READ [22] from [AF_INET]195.111.111.2:34720: P_ACK_V1 kid=0 [ 2 ] 2020-11-17 01:53:40 us=841342 195.111.111.2:34720 TCPv4_SERVER READ [1282] from [AF_INET]195.111.111.2:34720: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=1268 2020-11-17 01:53:40 us=841519 195.111.111.2:34720 VERIFY OK: depth=1, CN=Easy-RSA CA 2020-11-17 01:53:40 us=841600 195.111.111.2:34720 VERIFY OK: depth=0, CN=mikrotik 2020-11-17 01:53:40 us=841809 195.111.111.2:34720 TCPv4_SERVER WRITE [77] to [AF_INET]195.111.111.2:34720: P_CONTROL_V1 kid=0 [ 2 ] pid=3 DATA len=51 2020-11-17 01:53:40 us=846294 195.111.111.2:34720 TCPv4_SERVER READ [22] from [AF_INET]195.111.111.2:34720: P_ACK_V1 kid=0 [ 3 ] 2020-11-17 01:53:40 us=891974 195.111.111.2:34720 TCPv4_SERVER READ [303] from [AF_INET]195.111.111.2:34720: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=289 2020-11-17 01:53:40 us=892064 195.111.111.2:34720 TCPv4_SERVER WRITE [259] to [AF_INET]195.111.111.2:34720: P_CONTROL_V1 kid=0 [ 3 ] pid=4 DATA len=233 2020-11-17 01:53:40 us=896730 195.111.111.2:34720 TCPv4_SERVER READ [22] from [AF_INET]195.111.111.2:34720: P_ACK_V1 kid=0 [ 4 ] 2020-11-17 01:53:40 us=896755 195.111.111.2:34720 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA 2020-11-17 01:53:40 us=896771 195.111.111.2:34720 [mikrotik] Peer Connection Initiated with [AF_INET]195.111.111.2:34720 2020-11-17 01:53:40 us=896788 mikrotik/195.111.111.2:34720 MULTI_sva: pool returned IPv4=10.101.0.2, IPv6=(Not enabled) 2020-11-17 01:53:40 us=896826 mikrotik/195.111.111.2:34720 OPTIONS IMPORT: reading client specific options from: ccd-tcp/mikrotik 2020-11-17 01:53:40 us=896884 mikrotik/195.111.111.2:34720 MULTI: Learn: 10.101.0.2 -> mikrotik/195.111.111.2:34720 2020-11-17 01:53:40 us=896894 mikrotik/195.111.111.2:34720 MULTI: primary virtual IP for mikrotik/195.111.111.2:34720: 10.101.0.2 2020-11-17 01:53:40 us=896902 mikrotik/195.111.111.2:34720 MULTI: internal route 192.168.47.0/24 -> mikrotik/195.111.111.2:34720 2020-11-17 01:53:40 us=896911 mikrotik/195.111.111.2:34720 MULTI: Learn: 192.168.47.0/24 -> mikrotik/195.111.111.2:34720 2020-11-17 01:53:40 us=896967 mikrotik/195.111.111.2:34720 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key 2020-11-17 01:53:40 us=896978 mikrotik/195.111.111.2:34720 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication 2020-11-17 01:53:40 us=896987 mikrotik/195.111.111.2:34720 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key 2020-11-17 01:53:40 us=896995 mikrotik/195.111.111.2:34720 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication 2020-11-17 01:53:40 us=943781 mikrotik/195.111.111.2:34720 TCPv4_SERVER READ [56] from [AF_INET]195.111.111.2:34720: P_CONTROL_V1 kid=0 [ ] pid=4 DATA len$ 2020-11-17 01:53:40 us=943836 mikrotik/195.111.111.2:34720 PUSH: Received control message: 'PUSH_REQUEST' 2020-11-17 01:53:40 us=943858 mikrotik/195.111.111.2:34720 SENT CONTROL [mikrotik]: 'PUSH_REPLY,route-gateway 10.101.0.1,topology subnet,ping 10,ping-resta$ 2020-11-17 01:53:40 us=943876 mikrotik/195.111.111.2:34720 TCPv4_SERVER WRITE [22] to [AF_INET]195.111.111.2:34720: P_ACK_V1 kid=0 [ 4 ] 2020-11-17 01:53:40 us=943918 mikrotik/195.111.111.2:34720 TCPv4_SERVER WRITE [156] to [AF_INET]195.111.111.2:34720: P_CONTROL_V1 kid=0 [ ] pid=5 DATA len$ 2020-11-17 01:53:41 us=251 mikrotik/195.111.111.2:34720 TCPv4_SERVER READ [22] from [AF_INET]195.111.111.2:34720: P_ACK_V1 kid=0 [ 5 ] 2020-11-17 01:53:41 us=76161 mikrotik/195.111.111.2:34720 Connection reset, restarting [0] 2020-11-17 01:53:41 us=76196 mikrotik/195.111.111.2:34720 SIGUSR1[soft,connection-reset] received, client-instance restarting 2020-11-17 01:53:41 us=76272 TCP/UDP: Closing socket
提前致謝!
我簡單地解決了這個問題。但是我花了兩天時間。
只需在伺服器的 OpenVPN 配置文件中刪除這一行:
topology subnet