Networking

OpenVPN client requests a 255.255.255.252 subnet, server refuses anything below /29

  • May 18, 2019

I have set up an OpenVPN server with the following network settings:

topology subnet
server 192.168.123.0 255.255.255.0
push "dhcp-option DNS 192.168.123.1"      # DNS to server VPN IP
push "route 192.168.2.0 255.255.255.0"    # Workstations addresses via VPN
keepalive 10 120

So:

  • 192.168.2.* = company LAN
  • 192.168.123.* = VPN LAN

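Linux clients are able to connect, but a Windows 7 system fails with the following error:

There is a problem in your selection of --ifconfig endpoints [local=192.168.123.2, remote=255.255.255.248]. The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver. Try 'openvpn --show-valid-subnets' ....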

This is the full output when the connection initializes:

Thu Jul 01 09:36:55 2010 [server.FOOBAR] Peer Connection Initiated with 84.80.YYY.ZZZ
Thu Jul 01 09:36:56 2010 SENT CONTROL [server.FOOBAR]: 'PUSH_REQUEST' (status=1)
Thu Jul 01 09:36:56 2010 PUSH: Received control message: 'PUSH_REPLY,route 192.168.2.0 255.255.255.252,dhcp-option DNS 192.168.123.1,route-gateway 192.168.123.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.123.2 255.255.255.248'
Thu Jul 01 09:36:56 2010 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: topology (2.0.9)
Thu Jul 01 09:36:56 2010 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jul 01 09:36:56 2010 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jul 01 09:36:56 2010 OPTIONS IMPORT: route options modified
Thu Jul 01 09:36:56 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jul 01 09:36:56 2010 WARNING: Since you are using --dev tun, the second argument to --ifconfig must be an IP address.  You are using something (255.255.255.248) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
Thu Jul 01 09:36:56 2010 There is a problem in your selection of --ifconfig endpoints [local=192.168.123.2, remote=255.255.255.248].  The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet.  This is a limitation of --dev tun when used with the TAP-WIN32 driver.  Try 'openvpn --show-valid-subnets' ....

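Any attempt to change the server settings to the 252 range results in the following error:

Options error: --server directive when used with --dev tun must define a subnet of 255.255.255.248 (/29) or lower

Which server settings do I need to set so that this client can connect? The server runs OpenVPN 2.1.1, and the Windows 7 client runs OpenVPN 2.0.9 (the latest stable release from http://openvpn.se).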


@Evan: this is my client configuration, not very exciting:

client
dev tun

proto tcp
remote 84.80.203.199 1194
resolv-retry 2
nobind

# Server keys
ca SERVER-ca.crt
tls-auth SERVER-ta.key 1

# Client key
cert SOMEONE.crt
key SOMEONE.key

# Server settings to copy
comp-lzo

# Downgrade privileges after initialization (non-Windows only)
user nobody
group guest

# Try to preserve some state across restarts.
persist-key
persist-tun

# Verify server
ns-cert-type server

verb 3

;cipher x
;mute 20
;mute-replay-warnings

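I would start by updating the Windows Vista client to the latest OpenVPN Windows release, specifically one from the 2.1.x line. There were a *lot* of significant changes between 2.0.x and 2.1.x. I'm not saying this is definitely the problem, but I wouldn't leave it untried. Especially when the full output of the connection shows an "Options error" and a warning.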

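After updating the Windows client, if that doesn't solve the problem, I would try running both the server and the client with verb 4 or verb 6 to increase the log verbosity. That may help you pinpoint the problem.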
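
The check below is an added example, not code from the original posts or from OpenVPN: it parses the PUSH_REPLY from the client log above and applies the endpoint rule quoted in the error message to the pushed ifconfig pair, showing why the netmask is rejected once the client reads the second argument as a remote address. The function names are illustrative, and treating the two usable hosts of a 255.255.255.252 block as the valid pair is an assumption drawn from that message.

```python
import ipaddress
import re

# PUSH_REPLY copied from the client log on this page.
PUSH_REPLY = ("PUSH_REPLY,route 192.168.2.0 255.255.255.252,"
              "dhcp-option DNS 192.168.123.1,route-gateway 192.168.123.1,"
              "topology subnet,ping 10,ping-restart 120,"
              "ifconfig 192.168.123.2 255.255.255.248")


def parse_push_reply(msg):
    """Split a PUSH_REPLY control message into {option: [argument lists]}."""
    opts = {}
    for item in msg.split(",")[1:]:
        name, *args = item.split()
        opts.setdefault(name, []).append(args)
    return opts


def looks_like_netmask(addr):
    """True if the dotted quad is a contiguous netmask such as 255.255.255.248."""
    bits = format(int(ipaddress.IPv4Address(addr)), "032b")
    return "1" in bits and re.fullmatch(r"1*0*", bits) is not None


def same_slash30_pair(local, remote):
    """Assumed form of the rule in the error message: both endpoints are
    the two usable hosts of one 255.255.255.252 (/30) block."""
    net = ipaddress.ip_network(f"{local}/30", strict=False)
    hosts = {str(h) for h in net.hosts()}
    return local != remote and {local, remote} <= hosts


def diagnose(msg):
    """Return findings for a client that reads ifconfig as 'local remote'."""
    opts = parse_push_reply(msg)
    local, second = opts["ifconfig"][0]
    findings = []
    if ["subnet"] in opts.get("topology", []):
        findings.append("server pushes 'topology subnet'")
    if looks_like_netmask(second):
        findings.append(f"second ifconfig argument {second} is a netmask")
    if not same_slash30_pair(local, second):
        findings.append(f"{local} and {second} are not a /30 endpoint pair")
    return findings


if __name__ == "__main__":
    for line in diagnose(PUSH_REPLY):
        print(line)
```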

Quoted from: https://serverfault.com/questions/156609