Linux
OpenVPN - client connects to the server but cannot ping the server or the server's LAN
I am trying to ping the network of an Ubuntu server from Windows 7 (the client). Both the Ubuntu and the Windows machine are clients of another OpenVPN server that has the client-to-client option. The client can connect to the server (it gets IP address 10.0.0.50) but cannot ping any address on the server's network. I tried this server option: push "route 10.0.0.0 255.255.255.0 10.2.0.21", but it does not work. What am I missing here? Thank you.
Windows 7, client, config
# client config
remote 10.2.0.21 1723
client
proto udp
dev tap
dev-node OpenVPN_Route1
reneg-sec 28800
resolv-retry infinite
# security
remote-cert-tls server
tls-auth "PC71_hamsing_server\\ta.key" 1
ca "PC71_hamsing_server\\ca.crt"
cert "PC71_hamsing_server\\PC71_hamsing_server.crt"
key "PC71_hamsing_server\\PC71_hamsing_server.key"
# connection
nobind
persist-key
persist-tun
# logging
status "C:\\Program Files\\OpenVPN\\log\\Hamsing_Server.log"
log "C:\\Program Files\\OpenVPN\\log\\Hamsing_Server.log"
verb 3
mute 20
Ubuntu 18.04, server, config
# server config (10.0.0.2 is the IP address of br0)
server-bridge 10.0.0.2 255.255.255.0 10.0.0.50 10.0.0.99
;push "route 10.0.0.0 255.255.255.0 10.2.0.21" # LAN, LAN subnet, OpenVPN IP, metric
port 1723
proto udp
dev tap
reneg-sec 28800
keepalive 10 120
# security
remote-cert-tls client
ca server/ca.crt
tls-auth server/ta.key 0 # 0 on server, 1 on clients, generate with "openvpn --genkey --secret ta.key"
cert server/hamsing_server.crt
key server/hamsing_server.key
dh server/dh2048.pem
# connection
persist-key
persist-tun
# logging
status /var/www/html/logs/vpn/server-status.log
log /var/www/html/logs/vpn/server.log
verb 3
management 127.0.0.1 7656
mute 20
Client log, connecting to the server
Tue Jul 23 17:02:21 2019 TLS: Initial packet from [AF_INET]10.2.0.21:1723, sid=9bc321ea 96ec878d
Tue Jul 23 17:02:21 2019 VERIFY OK: depth=1, C=US, ST=IL, L=Aurora, O=EleMech, OU=Portalogic-Field, CN=EleMech CA, name=EasyRSA, emailAddress=sales@elemechinc.com
Tue Jul 23 17:02:21 2019 VERIFY KU OK
Tue Jul 23 17:02:21 2019 Validating certificate extended key usage
Tue Jul 23 17:02:21 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Jul 23 17:02:21 2019 VERIFY EKU OK
Tue Jul 23 17:02:21 2019 VERIFY OK: depth=0, C=US, ST=IL, L=Aurora, O=EleMech, OU=Portalogic-Field, CN=hamsing_server, name=EasyRSA, emailAddress=sales@elemechinc.com
Tue Jul 23 17:02:21 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Jul 23 17:02:21 2019 [hamsing_server] Peer Connection Initiated with [AF_INET]10.2.0.21:1723
Tue Jul 23 17:02:22 2019 MANAGEMENT: >STATE:1563919342,GET_CONFIG,,,,,,
Tue Jul 23 17:02:22 2019 SENT CONTROL [hamsing_server]: 'PUSH_REQUEST' (status=1)
Tue Jul 23 17:02:22 2019 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.0.0.2,ping 10,ping-restart 120,ifconfig 10.0.0.50 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Tue Jul 23 17:02:22 2019 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jul 23 17:02:22 2019 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jul 23 17:02:22 2019 OPTIONS IMPORT: route-related options modified
Tue Jul 23 17:02:22 2019 OPTIONS IMPORT: peer-id set
Tue Jul 23 17:02:22 2019 OPTIONS IMPORT: adjusting link_mtu to 1656
Tue Jul 23 17:02:22 2019 OPTIONS IMPORT: data channel crypto options modified
Tue Jul 23 17:02:22 2019 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 23 17:02:22 2019 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 23 17:02:22 2019 Preserving previous TUN/TAP instance: OpenVPN_Route1
Tue Jul 23 17:02:22 2019 Initialization Sequence Completed
Tue Jul 23 17:02:22 2019 MANAGEMENT: >STATE:1563919342,CONNECTED,SUCCESS,10.0.0.50,10.2.0.21,1723,,
Server log, client connecting
Tue Jul 23 14:56:10 2019 WARNING: file 'server/hamsing_server.key' is group or others accessible
Tue Jul 23 14:56:10 2019 WARNING: file 'server/ta.key' is group or others accessible
Tue Jul 23 14:56:10 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
Tue Jul 23 14:56:10 2019 library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.08
Tue Jul 23 14:56:10 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:7656
Tue Jul 23 14:56:10 2019 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Tue Jul 23 14:56:10 2019 Diffie-Hellman initialized with 2048 bit key
Tue Jul 23 14:56:10 2019 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 23 14:56:10 2019 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 23 14:56:10 2019 TUN/TAP device tap0 opened
Tue Jul 23 14:56:10 2019 TUN/TAP TX queue length set to 100
Tue Jul 23 14:56:10 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Tue Jul 23 14:56:10 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Jul 23 14:56:10 2019 UDPv4 link local (bound): [AF_INET][undef]:1723
Tue Jul 23 14:56:10 2019 UDPv4 link remote: [AF_UNSPEC]
Tue Jul 23 14:56:10 2019 MULTI: multi_init called, r=256 v=256
Tue Jul 23 14:56:10 2019 IFCONFIG POOL: base=10.0.0.50 size=50, ipv6=0
Tue Jul 23 14:56:10 2019 Initialization Sequence Completed
Tue Jul 23 14:56:21 2019 10.2.0.15:61917 TLS: Initial packet from [AF_INET]10.2.0.15:61917, sid=35913f44 fa1e7a5f
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 VERIFY OK: depth=1, C=US, ST=IL, L=Aurora, O=EleMech, OU=Portalogic-Field, CN=EleMech CA, name=EasyRSA, emailAddress=sales@elemechinc.com
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 VERIFY KU OK
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 Validating certificate extended key usage
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 VERIFY EKU OK
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 VERIFY OK: depth=0, C=US, ST=IL, L=Aurora, O=EleMech, OU=Portalogic-Field, CN=PC71_hamsing_server, name=EasyRSA, emailAddress=sales@elemechinc.com
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 peer info: IV_VER=2.4.1
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 peer info: IV_PLAT=win
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 peer info: IV_PROTO=2
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 peer info: IV_NCP=2
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 peer info: IV_LZ4=1
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 peer info: IV_LZ4v2=1
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 peer info: IV_LZO=1
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 peer info: IV_COMP_STUB=1
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 peer info: IV_COMP_STUBv2=1
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 peer info: IV_TCPNL=1
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 peer info: IV_GUI_VER=OpenVPN_GUI_11
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 [PC71_hamsing_server] Peer Connection Initiated with [AF_INET]10.2.0.15:61917
Tue Jul 23 14:56:22 2019 PC71_hamsing_server/10.2.0.15:61917 MULTI_sva: pool returned IPv4=10.0.0.50, IPv6=(Not enabled)
Tue Jul 23 14:56:23 2019 PC71_hamsing_server/10.2.0.15:61917 PUSH: Received control message: 'PUSH_REQUEST'
Tue Jul 23 14:56:23 2019 PC71_hamsing_server/10.2.0.15:61917 SENT CONTROL [PC71_hamsing_server]: 'PUSH_REPLY,route-gateway 10.0.0.2,ping 10,ping-restart 120,ifconfig 10.0.0.50 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Tue Jul 23 14:56:23 2019 PC71_hamsing_server/10.2.0.15:61917 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Jul 23 14:56:23 2019 PC71_hamsing_server/10.2.0.15:61917 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 23 14:56:23 2019 PC71_hamsing_server/10.2.0.15:61917 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 23 14:56:23 2019 PC71_hamsing_server/10.2.0.15:61917 MULTI: Learn: 00:ff:11:98:b7:4f -> PC71_hamsing_server/10.2.0.15:61917
Ubuntu server network
root@pal7687-1:/etc/openvpn# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP group default qlen 1000
    link/ether 00:e0:67:13:94:cc brd ff:ff:ff:ff:ff:ff
3: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP group default qlen 1000
    link/ether 00:e0:67:13:94:cd brd ff:ff:ff:ff:ff:ff
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:e0:67:13:94:cc brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.2/24 brd 10.0.0.255 scope global noprefixroute br0
       valid_lft forever preferred_lft forever
    inet6 fe80::2e0:67ff:fe13:94cc/64 scope link
       valid_lft forever preferred_lft forever
17: tap0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 100
    link/ether f6:13:27:e8:94:89 brd ff:ff:ff:ff:ff:ff
18: tun2: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.2.0.21/16 brd 10.2.255.255 scope global tun2
       valid_lft forever preferred_lft forever
    inet6 fe80::4fb5:d60d:e798:58a6/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
All I needed to do was run these commands on Linux after the OpenVPN service had started:
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
You can see them in OpenVPN's guide: Ethernet Bridging, Windows client, Linux server
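The same fix as an OpenVPN "up" script, added here as an example (not code from the thread or from OpenVPN): it checks whether the TAP device is already enslaved to br0 and up, and only then runs the iproute2 equivalents of the two commands above. Assumed: the bridge is named br0 as in the question, and the script path /etc/openvpn/bridge-up.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread: an OpenVPN "up" script that does what
# the answer above does by hand (brctl addif br0 tap0; ifconfig tap0 0.0.0.0
# promisc up) every time the server starts, and only when it is actually needed.
# Hook it in server.conf with (path is hypothetical):
#   script-security 2
#   up /etc/openvpn/bridge-up.sh
# OpenVPN passes the TAP device name as $1 and sets dev_type=tap in the environment.

# Return 0 when the line from "ip -o link show dev DEV" shows the device is
# not yet enslaved to BRIDGE or is not UP (as tap0 was in the question: no
# "master br0", flags <BROADCAST,MULTICAST>, state DOWN); return 1 when it is
# already bridged and up (as enp3s0 is: "master br0", flags contain UP).
tap_needs_bridging() {
    _line="$1"; _bridge="$2"
    case "$_line" in
        *" master $_bridge "*) _bridged=1 ;;
        *) _bridged=0 ;;
    esac
    # UP must be matched as its own flag; LOWER_UP must not count.
    case "$_line" in
        *"<UP,"*|*",UP,"*|*",UP>"*|*"<UP>"*) _up=1 ;;
        *) _up=0 ;;
    esac
    if [ "$_bridged" -eq 1 ] && [ "$_up" -eq 1 ]; then
        return 1
    fi
    return 0
}

# Enslave DEV to BRIDGE, drop any IPv4 address on it, and bring it up promiscuous:
# the iproute2 equivalents of the brctl/ifconfig commands in the answer.
bridge_tap() {
    _dev="$1"; _bridge="$2"
    ip link set dev "$_dev" master "$_bridge"
    ip addr flush dev "$_dev"
    ip link set dev "$_dev" promisc on up
}

# Only act when OpenVPN invoked us for a TAP device; sourcing this file for the
# checks above (or running it by hand without arguments) changes nothing.
if [ "${dev_type:-}" = "tap" ] && [ -n "${1:-}" ]; then
    if tap_needs_bridging "$(ip -o link show dev "$1")" br0; then
        bridge_tap "$1" br0
    fi
fi
```

The server log above also warns that server/hamsing_server.key and server/ta.key are group- or world-readable; restricting them to the user OpenVPN runs as (chmod 600) removes that warning.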
Also make sure your Windows TAP adapter is set to DHCP; mine for some reason liked to use a blank static address.
On my OpenVPN server, my push line has only the network and mask. Lastly, try removing 10.2.0.21:
push "route 10.0.0.0 255.255.255.0"
PS: I see you have the push line commented out. Maybe you are trying things and toggling it. Make sure to uncomment it.