Cannot access anything on the server over the VPN after a reboot
I've been using OpenVPN on this server for a year and a half and have never had any problems. Today I rebooted the server (which I do about once a month) and suddenly I can't access the web pages or file shares on the server over the VPN (they work over the local 192.xxx address, though). If I'm on the server itself I can access its shared drive \\10.8.0.1\Share as well as its website https://10.8.0.1, but it doesn't seem to be reachable by anyone else connected over the VPN. The other computers on the VPN can talk to each other. I looked at the firewall logs and it seems the connections aren't even reaching the server: there is nothing in the server log, neither DROP nor ALLOW, related to the VPN connection. I'm not sure what information to provide, so here is the VPN status (from the desktop):
Thu Mar 26 13:03:33 2020 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Thu Mar 26 13:03:33 2020 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Mar 26 13:03:33 2020 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Thu Mar 26 13:03:33 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu Mar 26 13:03:33 2020 Need hold release from management interface, waiting...
Thu Mar 26 13:03:34 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Thu Mar 26 13:03:34 2020 MANAGEMENT: CMD 'state on'
Thu Mar 26 13:03:34 2020 MANAGEMENT: CMD 'log all on'
Thu Mar 26 13:03:34 2020 MANAGEMENT: CMD 'echo all on'
Thu Mar 26 13:03:34 2020 MANAGEMENT: CMD 'bytecount 5'
Thu Mar 26 13:03:34 2020 MANAGEMENT: CMD 'hold off'
Thu Mar 26 13:03:34 2020 MANAGEMENT: CMD 'hold release'
Thu Mar 26 13:03:34 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Thu Mar 26 13:03:34 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Mar 26 13:03:34 2020 UDP link local: (not bound)
Thu Mar 26 13:03:34 2020 UDP link remote: [AF_INET]x.x.x.x:1194
Thu Mar 26 13:03:34 2020 MANAGEMENT: >STATE:1585242214,WAIT,,,,,,
Thu Mar 26 13:03:34 2020 MANAGEMENT: >STATE:1585242214,AUTH,,,,,,
Thu Mar 26 13:03:34 2020 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=fda4bf51 c3904f17
Thu Mar 26 13:03:34 2020 VERIFY OK: depth=1, C=CA, ST=ON, L=xxx, O=xxx, OU=Software, CN=xxx, name=xxx, emailAddress=xxx@xxx.com
Thu Mar 26 13:03:34 2020 VERIFY KU OK
Thu Mar 26 13:03:34 2020 Validating certificate extended key usage
Thu Mar 26 13:03:34 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Mar 26 13:03:34 2020 VERIFY EKU OK
Thu Mar 26 13:03:34 2020 VERIFY OK: depth=0, C=CA, ST=ON, L=xxx, O=xxx, OU=Software, CN=xxx, name=xxx, emailAddress=xxx@xxx.com
Thu Mar 26 13:03:34 2020 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Thu Mar 26 13:03:34 2020 [server] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
Thu Mar 26 13:03:35 2020 MANAGEMENT: >STATE:1585242215,GET_CONFIG,,,,,,
Thu Mar 26 13:03:35 2020 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Mar 26 13:03:35 2020 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.22 10.8.0.21,peer-id 7,cipher AES-256-GCM'
Thu Mar 26 13:03:35 2020 OPTIONS IMPORT: timers and/or timeouts modified
Thu Mar 26 13:03:35 2020 OPTIONS IMPORT: --ifconfig/up options modified
Thu Mar 26 13:03:35 2020 OPTIONS IMPORT: route options modified
Thu Mar 26 13:03:35 2020 OPTIONS IMPORT: peer-id set
Thu Mar 26 13:03:35 2020 OPTIONS IMPORT: adjusting link_mtu to 1625
Thu Mar 26 13:03:35 2020 OPTIONS IMPORT: data channel crypto options modified
Thu Mar 26 13:03:35 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Mar 26 13:03:35 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Mar 26 13:03:35 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Mar 26 13:03:35 2020 interactive service msg_channel=692
Thu Mar 26 13:03:35 2020 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 I=12 HWADDR=8c:ec:4b:5e:2b:63
Thu Mar 26 13:03:35 2020 open_tun
Thu Mar 26 13:03:35 2020 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{17046649-FA88-415D-90C4-F5C62416022E}.tap
Thu Mar 26 13:03:35 2020 TAP-Windows Driver Version 9.21
Thu Mar 26 13:03:35 2020 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.22/255.255.255.252 on interface {17046649-FA88-415D-90C4-F5C62416022E} [DHCP-serv: 10.8.0.21, lease-time: 31536000]
Thu Mar 26 13:03:35 2020 Successful ARP Flush on interface [6] {17046649-FA88-415D-90C4-F5C62416022E}
Thu Mar 26 13:03:35 2020 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Mar 26 13:03:35 2020 MANAGEMENT: >STATE:1585242215,ASSIGN_IP,,10.8.0.22,,,,
Thu Mar 26 13:03:41 2020 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Thu Mar 26 13:03:41 2020 MANAGEMENT: >STATE:1585242221,ADD_ROUTES,,,,,,
Thu Mar 26 13:03:41 2020 C:\WINDOWS\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.21
Thu Mar 26 13:03:41 2020 Route addition via service succeeded
Thu Mar 26 13:03:41 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Mar 26 13:03:41 2020 Initialization Sequence Completed
Thu Mar 26 13:03:41 2020 MANAGEMENT: >STATE:1585242221,CONNECTED,SUCCESS,10.8.0.22,209.91.141.42,1194,,
The server is at 10.8.0.1 and my desktop is at 10.8.0.22.
The server's config file is (with everything that is not a comment removed):
port 1194
proto udp4
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# openvpn.exe --show-valid-subnets
client-config-dir ccd
route 10.8.0.18 255.255.255.252
# route 10.8.0.26 255.255.255.252
# route 10.8.0.38 255.255.255.252
# route 10.8.0.6 255.255.255.252
# route 10.8.0.14 255.255.255.252
# route 10.8.0.34 255.255.255.252
# route 10.8.0.10 255.255.255.252
# route 10.8.0.54 255.255.255.252
# route 10.8.0.82 255.255.255.252
# route 10.8.0.86 255.255.255.252
# route 10.8.0.22 255.255.255.252
# route 10.8.0.86 255.255.255.252
# route 10.8.0.90 255.255.255.252
# route 10.8.0.94 255.255.255.252
# route 10.8.0.98 255.255.255.252
# route 10.8.0.30 255.255.255.252
# client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 4
crl-verify "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\crl.pem"
The files in the ccd folder are basically all the same (different IPs): ifconfig-push 10.8.0.22 10.8.0.21
Route table output:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.9      2
         10.8.0.0    255.255.255.0        10.8.0.21        10.8.0.22    291
        10.8.0.20  255.255.255.252         On-link         10.8.0.22    291
        10.8.0.22  255.255.255.255         On-link         10.8.0.22    291
        10.8.0.23  255.255.255.255         On-link         10.8.0.22    291
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      192.168.0.0    255.255.255.0         On-link       192.168.0.9    281
      192.168.0.9  255.255.255.255         On-link       192.168.0.9    281
    192.168.0.255  255.255.255.255         On-link       192.168.0.9    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link       192.168.0.9    281
        224.0.0.0        240.0.0.0         On-link         10.8.0.22    291
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link       192.168.0.9    281
  255.255.255.255  255.255.255.255         On-link         10.8.0.22    291
===========================================================================
Persistent Routes:
  None
All computers are running Windows 10, except the server (which runs the VPN as a service), which is Windows Server 2016.
Let me know if you need more information.
EDIT: The server also can't talk to the other computers on the VPN, so it seems unlikely to be a firewall problem.
Routes from the server:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.60     35
         10.8.0.0    255.255.255.0         10.8.0.2     192.168.1.60     36
         10.8.0.0  255.255.255.252         On-link          10.8.0.1    291
         10.8.0.1  255.255.255.255         On-link          10.8.0.1    291
         10.8.0.3  255.255.255.255         On-link          10.8.0.1    291
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.60    291
     192.168.1.60  255.255.255.255         On-link      192.168.1.60    291
    192.168.1.255  255.255.255.255         On-link      192.168.1.60    291
    192.168.193.0    255.255.255.0         On-link     192.168.193.1    291
    192.168.193.1  255.255.255.255         On-link     192.168.193.1    291
  192.168.193.255  255.255.255.255         On-link     192.168.193.1    291
    192.168.227.0    255.255.255.0         On-link     192.168.227.1    291
    192.168.227.1  255.255.255.255         On-link     192.168.227.1    291
  192.168.227.255  255.255.255.255         On-link     192.168.227.1    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link          10.8.0.1    291
        224.0.0.0        240.0.0.0         On-link     192.168.227.1    291
        224.0.0.0        240.0.0.0         On-link     192.168.193.1    291
        224.0.0.0        240.0.0.0         On-link      192.168.1.60    291
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link          10.8.0.1    291
  255.255.255.255  255.255.255.255         On-link     192.168.227.1    291
  255.255.255.255  255.255.255.255         On-link     192.168.193.1    291
  255.255.255.255  255.255.255.255         On-link      192.168.1.60    291
===========================================================================
Persistent Routes:
  None
EDIT2: A trace from the server to another computer on the VPN (actually in the same building) looks strange:
PS C:\Users\Administrator> TRACERT.EXE 10.8.0.18

Tracing route to 10.8.0.18 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  COMTREND [192.168.1.1]
  2     1 ms    <1 ms    <1 ms  ppp-69-171-101-1.vianet.ca [69.171.101.1]
  3     6 ms     1 ms     1 ms  69.156.254.158
  4     *        *        *     Request timed out.
  5     *        *        69.156.254.158  reports: Destination net unreachable.
No idea why it's trying to go out via 192, leaving the VPN. Maybe a clue?
EDIT3: OK... I managed to get it working by running route add 10.8.0.0 MASK 255.255.255.0 10.8.0.2 METRIC 3 IF 17; however, I have to do this every time the server reboots, which obviously I don't want to do.
After running tracert to one of the computers on the VPN, I noticed it was going out via 192. Looking back at the server's route table, it did show the 10.8.0.0/24 route going via the 192.168.1.60 interface, which is obviously incorrect. Deleting that route and re-adding the correct one does fix the problem, so I made the following batch file:
route delete 10.8.0.0/24
route add 10.8.0.0 MASK 255.255.255.0 10.8.0.2 METRIC 3
Unfortunately I need to run it myself at startup, but at least it works for now. If anyone has a better solution, please share.
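A startup script for the fix described in EDIT3, added here as an example and not part of the original post: it checks whether the 10.8.0.0/24 route is bound to the TAP adapter and only deletes and re-adds it when it sits on the wrong interface (the state shown in the server's route table above), so it is safe to run repeatedly as a scheduled task at startup. It assumes the values from the post (subnet 10.8.0.0/24, next hop 10.8.0.2, metric 3) and that the server's VPN adapter is the one whose description starts with "TAP-Windows"; the cmdlets are the standard Windows NetTCPIP ones.

```powershell
# Added example, not from the original post. Values below are assumed from the post:
# VPN subnet 10.8.0.0/24, server-side next hop 10.8.0.2, metric 3, and a TAP-Windows
# adapter (the client log above shows TAP-Windows driver 9.21).
$Prefix  = '10.8.0.0/24'
$NextHop = '10.8.0.2'
$Metric  = 3

# The VPN route must point at the OpenVPN TAP adapter, not at the LAN NIC (192.168.1.60).
$tap = Get-NetAdapter | Where-Object { $_.InterfaceDescription -like 'TAP-Windows*' } |
       Select-Object -First 1
if (-not $tap) {
    Write-Error 'No TAP-Windows adapter found; has the OpenVPN service started yet?'
    exit 1
}

# Every current IPv4 route for the VPN prefix (none at all is also a valid outcome).
$routes = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix $Prefix -ErrorAction SilentlyContinue

# Already correct: bound to the TAP adapter with the expected next hop. Nothing to do.
$good = $routes | Where-Object { $_.InterfaceIndex -eq $tap.ifIndex -and $_.NextHop -eq $NextHop }
if ($good) {
    Write-Output "Route $Prefix already on $($tap.Name) via $NextHop; nothing to do."
    exit 0
}

# Wrong interface (the failure mode in the post) or missing route: drop stale entries, re-add.
foreach ($r in $routes) {
    Write-Output "Removing $Prefix via $($r.NextHop) on ifIndex $($r.InterfaceIndex)"
    Remove-NetRoute -InputObject $r -Confirm:$false
}
New-NetRoute -DestinationPrefix $Prefix -InterfaceIndex $tap.ifIndex `
             -NextHop $NextHop -RouteMetric $Metric -PolicyStore ActiveStore | Out-Null
Write-Output "Re-added $Prefix via $NextHop on $($tap.Name) (ifIndex $($tap.ifIndex))"
```

Run it with administrator rights after the OpenVPN service has started, since the TAP adapter only exists once the service has opened it. If the service is installing the route before the adapter is fully up, OpenVPN's own route-delay option is worth checking before scripting around the problem.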