Routing
為什麼我的 OpenVPN 不路由後面的網路?
我有一個帶有一些客戶端的 OpenVPN 網路。其中一位客戶擁有完整的列印機網路。伺服器在 Ubuntu 20.04 LTS 上執行,列印伺服器在 Debian 8.11 上執行。
Server.conf 看起來像這樣:
port 1194 proto tcp dev tun ca ca.crt cert server.crt key server.key dh dh.pem auth SHA512 tls-crypt tc.key topology subnet server 10.170.0.0 255.255.255.0 push "redirect-gateway def1 bypass-dhcp" ifconfig-pool-persist ipp.txt push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" push "route 10.133.10.0 255.255.255.0" keepalive 10 120 cipher AES-256-CBC user nobody group nogroup persist-key persist-tun verb 3 crl-verify crl.pemPrintservers Client.conf 如下所示:
dev tun proto tcp remote 168.119.40.249 1194 resolv-retry infinite nobind persist-key persist-tun remote-cert-tls server auth SHA512 cipher AES-256-CBC verb 5 pull-filter ignore redirect-gateway儘管如此,即使是伺服器也無法 Ping 任何列印機。
我假設,可能沒有添加路由,但它是:
Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.178.1 0.0.0.0 UG 0 0 0 eth2 10.133.10.0 10.170.0.1 255.255.255.0 UG 0 0 0 tun0 10.133.10.0 0.0.0.0 255.255.254.0 U 0 0 0 eth1 10.170.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0 192.168.178.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2此外,我在列印伺服器 iptables 中添加了以下內容:
-A INPUT -s 10.170.0.0/24 -j ACCEPT仍然,列印伺服器可以 Ping 列印機:
ping 10.133.10.1 PING 10.133.10.1 (10.133.10.1) 56(84) bytes of data. 64 bytes from 10.133.10.1: icmp_seq=1 ttl=64 time=0.149 ms 64 bytes from 10.133.10.1: icmp_seq=2 ttl=64 time=0.139 ms 64 bytes from 10.133.10.1: icmp_seq=3 ttl=64 time=0.128 ms但是 OpenVPN-Server(或任何客戶端)不能:
ping 10.133.10.1 PING 10.133.10.1 (10.133.10.1) 56(84) bytes of data. ^C --- 10.133.10.1 ping statistics --- 13 packets transmitted, 0 received, 100% packet loss, time 12281msClient-OpenVPN的日誌:
openvpn /etc/openvpn/server.conf Sun Jun 12 20:44:33 2022 us=251723 Current Parameter Settings: Sun Jun 12 20:44:33 2022 us=251924 config = '/etc/openvpn/server.conf' Sun Jun 12 20:44:33 2022 us=251980 mode = 0 Sun Jun 12 20:44:33 2022 us=252029 persist_config = DISABLED Sun Jun 12 20:44:33 2022 us=252079 persist_mode = 1 Sun Jun 12 20:44:33 2022 us=252125 show_ciphers = DISABLED Sun Jun 12 20:44:33 2022 us=252179 show_digests = DISABLED Sun Jun 12 20:44:33 2022 us=252225 show_engines = DISABLED Sun Jun 12 20:44:33 2022 us=252270 genkey = DISABLED Sun Jun 12 20:44:33 2022 us=252318 key_pass_file = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=252363 show_tls_ciphers = DISABLED Sun Jun 12 20:44:33 2022 us=252410 connect_retry_max = 0 Sun Jun 12 20:44:33 2022 us=252456 Connection profiles [0]: Sun Jun 12 20:44:33 2022 us=252502 proto = tcp-client Sun Jun 12 20:44:33 2022 us=252547 local = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=252592 local_port = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=252637 remote = '168.119.40.249' Sun Jun 12 20:44:33 2022 us=252686 remote_port = '1194' Sun Jun 12 20:44:33 2022 us=252732 remote_float = DISABLED Sun Jun 12 20:44:33 2022 us=252776 bind_defined = DISABLED Sun Jun 12 20:44:33 2022 us=252822 bind_local = DISABLED Sun Jun 12 20:44:33 2022 us=252867 bind_ipv6_only = DISABLED Sun Jun 12 20:44:33 2022 us=252914 connect_retry_seconds = 5 Sun Jun 12 20:44:33 2022 us=252959 connect_timeout = 120 Sun Jun 12 20:44:33 2022 us=253006 socks_proxy_server = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=253052 socks_proxy_port = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=253100 tun_mtu = 1500 Sun Jun 12 20:44:33 2022 us=253164 tun_mtu_defined = ENABLED Sun Jun 12 20:44:33 2022 us=253211 link_mtu = 1500 Sun Jun 12 20:44:33 2022 us=253264 link_mtu_defined = DISABLED Sun Jun 12 20:44:33 2022 us=253311 tun_mtu_extra = 0 Sun Jun 12 20:44:33 2022 us=253365 tun_mtu_extra_defined = DISABLED Sun Jun 12 20:44:33 2022 us=253419 mtu_discover_type = -1 Sun Jun 12 20:44:33 2022 us=253465 fragment = 0 Sun Jun 12 20:44:33 2022 us=253519 mssfix = 1450 Sun Jun 12 20:44:33 2022 us=253573 explicit_exit_notification = 0 Sun Jun 12 20:44:33 2022 us=253626 Connection profiles END Sun Jun 12 20:44:33 2022 us=253680 remote_random = DISABLED Sun Jun 12 20:44:33 2022 us=253732 ipchange = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=253784 dev = 'tun' Sun Jun 12 20:44:33 2022 us=253835 dev_type = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=253889 dev_node = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=253941 lladdr = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=253995 topology = 1 Sun Jun 12 20:44:33 2022 us=254046 ifconfig_local = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=254100 ifconfig_remote_netmask = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=254157 ifconfig_noexec = DISABLED Sun Jun 12 20:44:33 2022 us=254210 ifconfig_nowarn = DISABLED Sun Jun 12 20:44:33 2022 us=254264 ifconfig_ipv6_local = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=254318 ifconfig_ipv6_netbits = 0 Sun Jun 12 20:44:33 2022 us=254370 ifconfig_ipv6_remote = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=254423 shaper = 0 Sun Jun 12 20:44:33 2022 us=254470 mtu_test = 0 Sun Jun 12 20:44:33 2022 us=254514 mlock = DISABLED Sun Jun 12 20:44:33 2022 us=254559 keepalive_ping = 0 Sun Jun 12 20:44:33 2022 us=254605 keepalive_timeout = 0 Sun Jun 12 20:44:33 2022 us=254650 inactivity_timeout = 0 Sun Jun 12 20:44:33 2022 us=254728 ping_send_timeout = 0 Sun Jun 12 20:44:33 2022 us=254774 ping_rec_timeout = 0 Sun Jun 12 20:44:33 2022 us=254819 ping_rec_timeout_action = 0 Sun Jun 12 20:44:33 2022 us=254911 ping_timer_remote = DISABLED Sun Jun 12 20:44:33 2022 us=254963 remap_sigusr1 = 0 Sun Jun 12 20:44:33 2022 us=255007 persist_tun = ENABLED Sun Jun 12 20:44:33 2022 us=255051 persist_local_ip = DISABLED Sun Jun 12 20:44:33 2022 us=255106 persist_remote_ip = DISABLED Sun Jun 12 20:44:33 2022 us=255153 persist_key = ENABLED Sun Jun 12 20:44:33 2022 us=255201 passtos = DISABLED Sun Jun 12 20:44:33 2022 us=255248 resolve_retry_seconds = 1000000000 Sun Jun 12 20:44:33 2022 us=255295 resolve_in_advance = DISABLED Sun Jun 12 20:44:33 2022 us=255341 username = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=255396 groupname = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=255450 chroot_dir = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=255498 cd_dir = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=255554 writepid = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=255603 up_script = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=255648 down_script = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=255699 down_pre = DISABLED Sun Jun 12 20:44:33 2022 us=255744 up_restart = DISABLED Sun Jun 12 20:44:33 2022 us=255790 up_delay = DISABLED Sun Jun 12 20:44:33 2022 us=255835 daemon = DISABLED Sun Jun 12 20:44:33 2022 us=255882 inetd = 0 Sun Jun 12 20:44:33 2022 us=255939 log = DISABLED Sun Jun 12 20:44:33 2022 us=256001 suppress_timestamps = DISABLED Sun Jun 12 20:44:33 2022 us=256053 machine_readable_output = DISABLED Sun Jun 12 20:44:33 2022 us=256111 nice = 0 Sun Jun 12 20:44:33 2022 us=256164 verbosity = 5 Sun Jun 12 20:44:33 2022 us=256210 mute = 0 Sun Jun 12 20:44:33 2022 us=256268 gremlin = 0 Sun Jun 12 20:44:33 2022 us=256318 status_file = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=256364 status_file_version = 1 Sun Jun 12 20:44:33 2022 us=256417 status_file_update_freq = 60 Sun Jun 12 20:44:33 2022 us=256469 occ = ENABLED Sun Jun 12 20:44:33 2022 us=256515 rcvbuf = 0 Sun Jun 12 20:44:33 2022 us=256561 sndbuf = 0 Sun Jun 12 20:44:33 2022 us=256606 mark = 0 Sun Jun 12 20:44:33 2022 us=256656 sockflags = 0 Sun Jun 12 20:44:33 2022 us=256700 fast_io = DISABLED Sun Jun 12 20:44:33 2022 us=256756 comp.alg = 0 Sun Jun 12 20:44:33 2022 us=256807 comp.flags = 0 Sun Jun 12 20:44:33 2022 us=256851 route_script = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=256905 route_default_gateway = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=256958 route_default_metric = 0 Sun Jun 12 20:44:33 2022 us=257009 route_noexec = DISABLED Sun Jun 12 20:44:33 2022 us=257056 route_delay = 0 Sun Jun 12 20:44:33 2022 us=257109 route_delay_window = 30 Sun Jun 12 20:44:33 2022 us=257161 route_delay_defined = DISABLED Sun Jun 12 20:44:33 2022 us=257212 route_nopull = DISABLED Sun Jun 12 20:44:33 2022 us=257263 route_gateway_via_dhcp = DISABLED Sun Jun 12 20:44:33 2022 us=257313 allow_pull_fqdn = DISABLED Sun Jun 12 20:44:33 2022 us=257358 Pull filters: Sun Jun 12 20:44:33 2022 us=257411 ignore "redirect-gateway" Sun Jun 12 20:44:33 2022 us=257462 management_addr = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=257507 management_port = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=257560 management_user_pass = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=257612 management_log_history_cache = 250 Sun Jun 12 20:44:33 2022 us=257660 management_echo_buffer_size = 100 Sun Jun 12 20:44:33 2022 us=257801 management_write_peer_info_file = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=257849 management_client_user = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=257896 management_client_group = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=257945 management_flags = 0 Sun Jun 12 20:44:33 2022 us=257990 shared_secret_file = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=258036 key_direction = not set Sun Jun 12 20:44:33 2022 us=258097 ciphername = 'AES-256-CBC' Sun Jun 12 20:44:33 2022 us=258143 ncp_enabled = ENABLED Sun Jun 12 20:44:33 2022 us=258189 ncp_ciphers = 'AES-256-GCM:AES-128-GCM' Sun Jun 12 20:44:33 2022 us=258235 authname = 'SHA512' Sun Jun 12 20:44:33 2022 us=258282 prng_hash = 'SHA1' Sun Jun 12 20:44:33 2022 us=258329 prng_nonce_secret_len = 16 Sun Jun 12 20:44:33 2022 us=258381 keysize = 0 Sun Jun 12 20:44:33 2022 us=258432 engine = DISABLED Sun Jun 12 20:44:33 2022 us=258478 replay = ENABLED Sun Jun 12 20:44:33 2022 us=258532 mute_replay_warnings = DISABLED Sun Jun 12 20:44:33 2022 us=258584 replay_window = 64 Sun Jun 12 20:44:33 2022 us=258630 replay_time = 15 Sun Jun 12 20:44:33 2022 us=258674 packet_id_file = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=258725 use_iv = ENABLED Sun Jun 12 20:44:33 2022 us=258776 test_crypto = DISABLED Sun Jun 12 20:44:33 2022 us=258828 tls_server = DISABLED Sun Jun 12 20:44:33 2022 us=258909 tls_client = ENABLED Sun Jun 12 20:44:33 2022 us=258956 key_method = 2 Sun Jun 12 20:44:33 2022 us=259002 ca_file = '[[INLINE]]' Sun Jun 12 20:44:33 2022 us=259058 ca_path = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=259110 dh_file = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=259161 cert_file = '[[INLINE]]' Sun Jun 12 20:44:33 2022 us=259208 extra_certs_file = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=259257 priv_key_file = '[[INLINE]]' Sun Jun 12 20:44:33 2022 us=259302 pkcs12_file = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=259347 cipher_list = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=259392 cipher_list_tls13 = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=259443 tls_cert_profile = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=259488 tls_verify = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=259544 tls_export_cert = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=259595 verify_x509_type = 0 Sun Jun 12 20:44:33 2022 us=259640 verify_x509_name = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=259692 crl_file = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=259743 ns_cert_type = 0 Sun Jun 12 20:44:33 2022 us=259789 remote_cert_ku[i] = 65535 Sun Jun 12 20:44:33 2022 us=259840 remote_cert_ku[i] = 0 Sun Jun 12 20:44:33 2022 us=259886 remote_cert_ku[i] = 0 Sun Jun 12 20:44:33 2022 us=259938 remote_cert_ku[i] = 0 Sun Jun 12 20:44:33 2022 us=259989 remote_cert_ku[i] = 0 Sun Jun 12 20:44:33 2022 us=260040 remote_cert_ku[i] = 0 Sun Jun 12 20:44:33 2022 us=260090 remote_cert_ku[i] = 0 Sun Jun 12 20:44:33 2022 us=260135 remote_cert_ku[i] = 0 Sun Jun 12 20:44:33 2022 us=260184 remote_cert_ku[i] = 0 Sun Jun 12 20:44:33 2022 us=260232 remote_cert_ku[i] = 0 Sun Jun 12 20:44:33 2022 us=260285 remote_cert_ku[i] = 0 Sun Jun 12 20:44:33 2022 us=260336 remote_cert_ku[i] = 0 Sun Jun 12 20:44:33 2022 us=260381 remote_cert_ku[i] = 0 Sun Jun 12 20:44:33 2022 us=260433 remote_cert_ku[i] = 0 Sun Jun 12 20:44:33 2022 us=260485 remote_cert_ku[i] = 0 Sun Jun 12 20:44:33 2022 us=260535 remote_cert_ku[i] = 0 Sun Jun 12 20:44:33 2022 us=260580 remote_cert_eku = 'TLS Web Server Authentication' Sun Jun 12 20:44:33 2022 us=260634 ssl_flags = 0 Sun Jun 12 20:44:33 2022 us=260684 tls_timeout = 2 Sun Jun 12 20:44:33 2022 us=260729 renegotiate_bytes = -1 Sun Jun 12 20:44:33 2022 us=260783 renegotiate_packets = 0 Sun Jun 12 20:44:33 2022 us=260835 renegotiate_seconds = 3600 Sun Jun 12 20:44:33 2022 us=260882 handshake_window = 60 Sun Jun 12 20:44:33 2022 us=260935 transition_window = 3600 Sun Jun 12 20:44:33 2022 us=260986 single_session = DISABLED Sun Jun 12 20:44:33 2022 us=261031 push_peer_info = DISABLED Sun Jun 12 20:44:33 2022 us=261084 tls_exit = DISABLED Sun Jun 12 20:44:33 2022 us=261134 tls_auth_file = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=261185 tls_crypt_file = '[[INLINE]]' Sun Jun 12 20:44:33 2022 us=261237 pkcs11_protected_authentication = DISABLED Sun Jun 12 20:44:33 2022 us=261284 pkcs11_protected_authentication = DISABLED Sun Jun 12 20:44:33 2022 us=261337 pkcs11_protected_authentication = DISABLED Sun Jun 12 20:44:33 2022 us=261388 pkcs11_protected_authentication = DISABLED Sun Jun 12 20:44:33 2022 us=261433 pkcs11_protected_authentication = DISABLED Sun Jun 12 20:44:33 2022 us=261483 pkcs11_protected_authentication = DISABLED Sun Jun 12 20:44:33 2022 us=261530 pkcs11_protected_authentication = DISABLED Sun Jun 12 20:44:33 2022 us=261578 pkcs11_protected_authentication = DISABLED Sun Jun 12 20:44:33 2022 us=261626 pkcs11_protected_authentication = DISABLED Sun Jun 12 20:44:33 2022 us=261684 pkcs11_protected_authentication = DISABLED Sun Jun 12 20:44:33 2022 us=261736 pkcs11_protected_authentication = DISABLED Sun Jun 12 20:44:33 2022 us=261787 pkcs11_protected_authentication = DISABLED Sun Jun 12 20:44:33 2022 us=261832 pkcs11_protected_authentication = DISABLED Sun Jun 12 20:44:33 2022 us=261885 pkcs11_protected_authentication = DISABLED Sun Jun 12 20:44:33 2022 us=261935 pkcs11_protected_authentication = DISABLED Sun Jun 12 20:44:33 2022 us=261980 pkcs11_protected_authentication = DISABLED Sun Jun 12 20:44:33 2022 us=262036 pkcs11_private_mode = 00000000 Sun Jun 12 20:44:33 2022 us=262087 pkcs11_private_mode = 00000000 Sun Jun 12 20:44:33 2022 us=262133 pkcs11_private_mode = 00000000 Sun Jun 12 20:44:33 2022 us=262187 pkcs11_private_mode = 00000000 Sun Jun 12 20:44:33 2022 us=262238 pkcs11_private_mode = 00000000 Sun Jun 12 20:44:33 2022 us=262284 pkcs11_private_mode = 00000000 Sun Jun 12 20:44:33 2022 us=262337 pkcs11_private_mode = 00000000 Sun Jun 12 20:44:33 2022 us=262388 pkcs11_private_mode = 00000000 Sun Jun 12 20:44:33 2022 us=262439 pkcs11_private_mode = 00000000 Sun Jun 12 20:44:33 2022 us=262490 pkcs11_private_mode = 00000000 Sun Jun 12 20:44:33 2022 us=262536 pkcs11_private_mode = 00000000 Sun Jun 12 20:44:33 2022 us=262585 pkcs11_private_mode = 00000000 Sun Jun 12 20:44:33 2022 us=262632 pkcs11_private_mode = 00000000 Sun Jun 12 20:44:33 2022 us=262685 pkcs11_private_mode = 00000000 Sun Jun 12 20:44:33 2022 us=262737 pkcs11_private_mode = 00000000 Sun Jun 12 20:44:33 2022 us=262789 pkcs11_private_mode = 00000000 Sun Jun 12 20:44:33 2022 us=262840 pkcs11_cert_private = DISABLED Sun Jun 12 20:44:33 2022 us=262903 pkcs11_cert_private = DISABLED Sun Jun 12 20:44:33 2022 us=262952 pkcs11_cert_private = DISABLED Sun Jun 12 20:44:33 2022 us=263006 pkcs11_cert_private = DISABLED Sun Jun 12 20:44:33 2022 us=263056 pkcs11_cert_private = DISABLED Sun Jun 12 20:44:33 2022 us=263101 pkcs11_cert_private = DISABLED Sun Jun 12 20:44:33 2022 us=263153 pkcs11_cert_private = DISABLED Sun Jun 12 20:44:33 2022 us=263203 pkcs11_cert_private = DISABLED Sun Jun 12 20:44:33 2022 us=263249 pkcs11_cert_private = DISABLED Sun Jun 12 20:44:33 2022 us=263301 pkcs11_cert_private = DISABLED Sun Jun 12 20:44:33 2022 us=263352 pkcs11_cert_private = DISABLED Sun Jun 12 20:44:33 2022 us=263397 pkcs11_cert_private = DISABLED Sun Jun 12 20:44:33 2022 us=263449 pkcs11_cert_private = DISABLED Sun Jun 12 20:44:33 2022 us=263500 pkcs11_cert_private = DISABLED Sun Jun 12 20:44:33 2022 us=263546 pkcs11_cert_private = DISABLED Sun Jun 12 20:44:33 2022 us=263593 pkcs11_cert_private = DISABLED Sun Jun 12 20:44:33 2022 us=263641 pkcs11_pin_cache_period = -1 Sun Jun 12 20:44:33 2022 us=263689 pkcs11_id = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=263744 pkcs11_id_management = DISABLED Sun Jun 12 20:44:33 2022 us=263816 server_network = 0.0.0.0 Sun Jun 12 20:44:33 2022 us=263867 server_netmask = 0.0.0.0 Sun Jun 12 20:44:33 2022 us=263936 server_network_ipv6 = :: Sun Jun 12 20:44:33 2022 us=263989 server_netbits_ipv6 = 0 Sun Jun 12 20:44:33 2022 us=264048 server_bridge_ip = 0.0.0.0 Sun Jun 12 20:44:33 2022 us=264103 server_bridge_netmask = 0.0.0.0 Sun Jun 12 20:44:33 2022 us=264156 server_bridge_pool_start = 0.0.0.0 Sun Jun 12 20:44:33 2022 us=264206 server_bridge_pool_end = 0.0.0.0 Sun Jun 12 20:44:33 2022 us=264256 ifconfig_pool_defined = DISABLED Sun Jun 12 20:44:33 2022 us=264305 ifconfig_pool_start = 0.0.0.0 Sun Jun 12 20:44:33 2022 us=264359 ifconfig_pool_end = 0.0.0.0 Sun Jun 12 20:44:33 2022 us=264409 ifconfig_pool_netmask = 0.0.0.0 Sun Jun 12 20:44:33 2022 us=264459 ifconfig_pool_persist_filename = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=264507 ifconfig_pool_persist_refresh_freq = 600 Sun Jun 12 20:44:33 2022 us=264559 ifconfig_ipv6_pool_defined = DISABLED Sun Jun 12 20:44:33 2022 us=264621 ifconfig_ipv6_pool_base = :: Sun Jun 12 20:44:33 2022 us=264674 ifconfig_ipv6_pool_netbits = 0 Sun Jun 12 20:44:33 2022 us=264728 n_bcast_buf = 256 Sun Jun 12 20:44:33 2022 us=264779 tcp_queue_limit = 64 Sun Jun 12 20:44:33 2022 us=264830 real_hash_size = 256 Sun Jun 12 20:44:33 2022 us=264876 virtual_hash_size = 256 Sun Jun 12 20:44:33 2022 us=264928 client_connect_script = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=264975 learn_address_script = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=265028 client_disconnect_script = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=265079 client_config_dir = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=265126 ccd_exclusive = DISABLED Sun Jun 12 20:44:33 2022 us=265176 tmp_dir = '/tmp' Sun Jun 12 20:44:33 2022 us=265221 push_ifconfig_defined = DISABLED Sun Jun 12 20:44:33 2022 us=265275 push_ifconfig_local = 0.0.0.0 Sun Jun 12 20:44:33 2022 us=265325 push_ifconfig_remote_netmask = 0.0.0.0 Sun Jun 12 20:44:33 2022 us=265375 push_ifconfig_ipv6_defined = DISABLED Sun Jun 12 20:44:33 2022 us=265425 push_ifconfig_ipv6_local = ::/0 Sun Jun 12 20:44:33 2022 us=265479 push_ifconfig_ipv6_remote = :: Sun Jun 12 20:44:33 2022 us=265524 enable_c2c = DISABLED Sun Jun 12 20:44:33 2022 us=265576 duplicate_cn = DISABLED Sun Jun 12 20:44:33 2022 us=265627 cf_max = 0 Sun Jun 12 20:44:33 2022 us=265679 cf_per = 0 Sun Jun 12 20:44:33 2022 us=265725 max_clients = 1024 Sun Jun 12 20:44:33 2022 us=265776 max_routes_per_client = 256 Sun Jun 12 20:44:33 2022 us=265827 auth_user_pass_verify_script = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=265874 auth_user_pass_verify_script_via_file = DISABLED Sun Jun 12 20:44:33 2022 us=265925 auth_token_generate = DISABLED Sun Jun 12 20:44:33 2022 us=265971 auth_token_lifetime = 0 Sun Jun 12 20:44:33 2022 us=266023 port_share_host = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=266068 port_share_port = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=266118 client = ENABLED Sun Jun 12 20:44:33 2022 us=266164 pull = ENABLED Sun Jun 12 20:44:33 2022 us=266209 auth_user_pass_file = '[UNDEF]' Sun Jun 12 20:44:33 2022 us=266274 OpenVPN 2.4.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 16 2020 Sun Jun 12 20:44:33 2022 us=266338 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08 Sun Jun 12 20:44:33 2022 us=268773 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key Sun Jun 12 20:44:33 2022 us=268919 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication Sun Jun 12 20:44:33 2022 us=268984 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key Sun Jun 12 20:44:33 2022 us=269048 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication Sun Jun 12 20:44:33 2022 us=269273 Control Channel MTU parms [ L:1623 D:1154 EF:96 EB:0 ET:0 EL:3 ] Sun Jun 12 20:44:33 2022 us=269401 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ] Sun Jun 12 20:44:33 2022 us=269514 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client' Sun Jun 12 20:44:33 2022 us=269568 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server' Sun Jun 12 20:44:33 2022 us=269655 TCP/UDP: Preserving recently used remote address: [AF_INET]168.119.40.249:1194 Sun Jun 12 20:44:33 2022 us=269754 Socket Buffers: R=[87380->87380] S=[16384->16384] Sun Jun 12 20:44:33 2022 us=269811 Attempting to establish TCP connection with [AF_INET]168.119.40.249:1194 [nonblock] Sun Jun 12 20:44:34 2022 us=270392 TCP connection established with [AF_INET]168.119.40.249:1194 Sun Jun 12 20:44:34 2022 us=270551 TCP_CLIENT link local: (not bound) Sun Jun 12 20:44:34 2022 us=270595 TCP_CLIENT link remote: [AF_INET]168.119.40.249:1194 WRSun Jun 12 20:44:34 2022 us=295598 TLS: Initial packet from [AF_INET]168.119.40.249:1194, sid=524c914c 8714a143 WWRWRSun Jun 12 20:44:34 2022 us=367225 VERIFY OK: depth=1, CN=ChangeMe Sun Jun 12 20:44:34 2022 us=368405 VERIFY KU OK Sun Jun 12 20:44:34 2022 us=368498 Validating certificate extended key usage Sun Jun 12 20:44:34 2022 us=368565 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Sun Jun 12 20:44:34 2022 us=368626 VERIFY EKU OK Sun Jun 12 20:44:34 2022 us=368684 VERIFY OK: depth=0, CN=server RWWWRRWRWSun Jun 12 20:44:34 2022 us=497066 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA Sun Jun 12 20:44:34 2022 us=497258 [server] Peer Connection Initiated with [AF_INET]168.119.40.249:1194 Sun Jun 12 20:44:35 2022 us=670987 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1) WRRSun Jun 12 20:44:35 2022 us=759338 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.133.10.0 255.255.255.0,sndbuf 512000,rcvbuf 512000,route-gateway 10.170.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.170.0.19 255.255.255.0,peer-id 0,cipher AES-256-GCM' Sun Jun 12 20:44:35 2022 us=759756 OPTIONS IMPORT: timers and/or timeouts modified Sun Jun 12 20:44:35 2022 us=759832 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified Sun Jun 12 20:44:35 2022 us=759905 Socket Buffers: R=[372480->425984] S=[87040->425984] Sun Jun 12 20:44:35 2022 us=759976 OPTIONS IMPORT: --ifconfig/up options modified Sun Jun 12 20:44:35 2022 us=760030 OPTIONS IMPORT: route options modified Sun Jun 12 20:44:35 2022 us=760083 OPTIONS IMPORT: route-related options modified Sun Jun 12 20:44:35 2022 us=760136 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified Sun Jun 12 20:44:35 2022 us=760189 OPTIONS IMPORT: peer-id set Sun Jun 12 20:44:35 2022 us=760243 OPTIONS IMPORT: adjusting link_mtu to 1626 Sun Jun 12 20:44:35 2022 us=760308 OPTIONS IMPORT: data channel crypto options modified Sun Jun 12 20:44:35 2022 us=760379 Data Channel: using negotiated cipher 'AES-256-GCM' Sun Jun 12 20:44:35 2022 us=760481 Data Channel MTU parms [ L:1554 D:1450 EF:54 EB:406 ET:0 EL:3 ] Sun Jun 12 20:44:35 2022 us=760952 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Sun Jun 12 20:44:35 2022 us=761040 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Sun Jun 12 20:44:35 2022 us=761769 ROUTE_GATEWAY 192.168.178.1/255.255.255.0 IFACE=eth2 HWADDR=00:0d:b9:3d:e8:82 Sun Jun 12 20:44:35 2022 us=762707 TUN/TAP device tun0 opened Sun Jun 12 20:44:35 2022 us=762822 TUN/TAP TX queue length set to 100 Sun Jun 12 20:44:35 2022 us=762965 do_ifconfig, tt->did_ifconfig_ipv6_setup=0 Sun Jun 12 20:44:35 2022 us=763065 /sbin/ip link set dev tun0 up mtu 1500 Sun Jun 12 20:44:35 2022 us=767441 /sbin/ip addr add dev tun0 10.170.0.19/24 broadcast 10.170.0.255 Sun Jun 12 20:44:35 2022 us=771677 /sbin/ip route add 10.133.10.0/24 via 10.170.0.1 Sun Jun 12 20:44:35 2022 us=775371 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this Sun Jun 12 20:44:35 2022 us=775477 Initialization Sequence Completed我究竟做錯了什麼?我需要讓它為我的期末考試工作。
Edit1:我將以下內容附加到
server.confclient-config-dir /etc/openvpn/ccd log-append /var/log/openvpn.log route 10.133.10.0 255.255.255.0我創建了 ccd 目錄並添加了一個名為
server_hqprintservers CN is(位於日誌中)的文件。現在包含:
ifconfig-push 10.170.0.19 255.255.255.0 iroute 10.133.10.0 255.255.255.0server_hq(列印伺服器)的連接日誌
Sun Jun 12 21:25:36 2022 MULTI: Learn: 10.133.10.40 -> server_hq/<IP>:19295 Sun Jun 12 21:28:18 2022 server_hq/<IP>:19295 Connection reset, restarting [0] Sun Jun 12 21:28:18 2022 server_hq/<IP>:19295 SIGUSR1[soft,connection-reset] received, client-instance restarting Sun Jun 12 21:29:04 2022 TCP connection established with [AF_INET]<IP>:19294 Sun Jun 12 21:29:05 2022 <IP>:19294 TLS: Initial packet from [AF_INET]<IP>:19294, sid=9264ab12 043d9161 Sun Jun 12 21:29:05 2022 <IP>:19294 VERIFY OK: depth=1, CN=ChangeMe Sun Jun 12 21:29:05 2022 <IP>:19294 VERIFY OK: depth=0, CN=server_hq Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_VER=2.4.9 Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_PLAT=linux Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_PROTO=2 Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_NCP=2 Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_LZ4=1 Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_LZ4v2=1 Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_LZO=1 Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_COMP_STUB=1 Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_COMP_STUBv2=1 Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_TCPNL=1 Sun Jun 12 21:29:05 2022 <IP>:19294 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA Sun Jun 12 21:29:05 2022 <IP>:19294 [server_hq] Peer Connection Initiated with [AF_INET]<IP>:19294 Sun Jun 12 21:29:05 2022 server_hq/<IP>:19294 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/server_hq Sun Jun 12 21:29:05 2022 server_hq/<IP>:19294 MULTI: Learn: 10.170.0.19 -> server_hq/<IP>:19294 Sun Jun 12 21:29:05 2022 server_hq/<IP>:19294 MULTI: primary virtual IP for server_hq/<IP>:19294: 10.170.0.19 Sun Jun 12 21:29:05 2022 server_hq/<IP>:19294 MULTI: internal route 10.133.10.0/24 -> server_hq/<IP>:19294 Sun Jun 12 21:29:05 2022 server_hq/<IP>:19294 MULTI: Learn: 10.133.10.0/24 -> server_hq/<IP>:19294 Sun Jun 12 21:29:06 2022 server_hq/<IP>:19294 PUSH: Received control message: 'PUSH_REQUEST' Sun Jun 12 21:29:06 2022 server_hq/<IP>:19294 SENT CONTROL [server_hq]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,sndbuf 512000,rcvbuf 512000,route-gateway >Sun Jun 12 21:29:06 2022 server_hq/<IP>:19294 Data Channel: using negotiated cipher 'AES-256-GCM' Sun Jun 12 21:29:06 2022 server_hq/<IP>:19294 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Sun Jun 12 21:29:06 2022 server_hq/<IP>:19294 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Sun Jun 12 21:29:25 2022 MULTI: Learn: 10.133.10.40 -> server_hq/<IP>:19294然後我重新啟動了兩個 OpenVPN 並嘗試對其中一台列印機執行 ping 操作……但沒有成功。
為了讓 VPN 網路上的客戶端能夠訪問您的列印機,需要以下內容:
route客戶廣告(您已經擁有)- OpenVPN 伺服器上的正確路由,指向列印機
- 列印伺服器的
iroute條目- 對於上述內容,您的列印伺服器網路的客戶端配置條目
- 最後,在您的列印伺服器上正確路由
此外,從技術上講,它不是必需的,但您可能希望為 VPN 上的列印伺服器分配一個固定的 IP 地址。
因此,首先,您需要 OpenVPN 伺服器上的客戶端配置目錄。這可以在任何地方,並且可以被稱為任何東西。創建一個目錄,然後將此行添加到您的
server.conf:client-config-dir /the/client-config-directory在該目錄中,放置一個與列印伺服器的 CN 同名的文件(即列印伺服器使用的證書的 CN 欄位)。該文件應包含以下內容:
ifconfig-push 10.170.0.254 255.255.255.0 iroute 10.133.10.0 255.255.255.0這將確保列印伺服器將始終獲得一個固定的 IP 地址 (
10.170.0.254),並且 OpenVPN 伺服器將知道列印伺服器後面的子網。您還需要route核心路由表中的正確條目,因此也將這一行添加到您server.conf的:route 10.133.10.0 255.255.255.0通過此設置,您的 VPN 伺服器將知道將數據包路由到您的伺服器的位置。最後要考慮的一件事是列印伺服器和列印機的網路設置。上面的設置創建了一個路由網路,因此您的列印機將看到來自 VPN 內部的連接(即來自地址
10.170.0.x)。列印機必須知道這些應該被路由回 VPN,並且他們必須有辦法這樣做。如果您的列印伺服器是他們的預設路由器,那麼您需要做的就是允許 VPN 子網和列印伺服器防火牆上的本地子網之間的流量。如果有另一台電腦充當預設網關,那麼您需要確保列印機將數據包路由回列印伺服器。在這種情況下,要麼將自定義路由添加到列印機,要麼在列印伺服器上設置 NAT。