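Why doesn't my OpenVPN route the network behind it?
I have an OpenVPN network with a few clients. One of the clients has a complete printer network behind it. The server runs on Ubuntu 20.04 LTS, and the print server runs on Debian 8.11.
Server.conf looks like this: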
    port 1194
    proto tcp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    dh dh.pem
    auth SHA512
    tls-crypt tc.key
    topology subnet
    server 10.170.0.0 255.255.255.0
    push "redirect-gateway def1 bypass-dhcp"
    ifconfig-pool-persist ipp.txt
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    push "route 10.133.10.0 255.255.255.0"
    keepalive 10 120
    cipher AES-256-CBC
    user nobody
    group nogroup
    persist-key
    persist-tun
    verb 3
    crl-verify crl.pem
The print server's Client.conf looks like this:
    dev tun
    proto tcp
    remote 168.119.40.249 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    remote-cert-tls server
    auth SHA512
    cipher AES-256-CBC
    verb 5
    pull-filter ignore redirect-gateway
Nevertheless, even the server cannot ping any of the printers.
I assumed that maybe the route had not been added, but it has:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.178.1   0.0.0.0         UG    0      0        0 eth2
    10.133.10.0     10.170.0.1      255.255.255.0   UG    0      0        0 tun0
    10.133.10.0     0.0.0.0         255.255.254.0   U     0      0        0 eth1
    10.170.0.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0
    192.168.178.0   0.0.0.0         255.255.255.0   U     0      0        0 eth2
In addition, I added the following to the print server's iptables:

    -A INPUT -s 10.170.0.0/24 -j ACCEPT
Still, the print server can ping the printers:
    ping 10.133.10.1
    PING 10.133.10.1 (10.133.10.1) 56(84) bytes of data.
    64 bytes from 10.133.10.1: icmp_seq=1 ttl=64 time=0.149 ms
    64 bytes from 10.133.10.1: icmp_seq=2 ttl=64 time=0.139 ms
    64 bytes from 10.133.10.1: icmp_seq=3 ttl=64 time=0.128 ms
But the OpenVPN server (or any client) cannot:
    ping 10.133.10.1
    PING 10.133.10.1 (10.133.10.1) 56(84) bytes of data.
    ^C
    --- 10.133.10.1 ping statistics ---
    13 packets transmitted, 0 received, 100% packet loss, time 12281ms
Log of the client OpenVPN:
    openvpn /etc/openvpn/server.conf
    Sun Jun 12 20:44:33 2022 us=266274 OpenVPN 2.4.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 16 2020
    Sun Jun 12 20:44:33 2022 us=266338 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
    Sun Jun 12 20:44:33 2022 us=268773 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    Sun Jun 12 20:44:33 2022 us=268919 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    Sun Jun 12 20:44:33 2022 us=268984 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    Sun Jun 12 20:44:33 2022 us=269048 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    Sun Jun 12 20:44:33 2022 us=269273 Control Channel MTU parms [ L:1623 D:1154 EF:96 EB:0 ET:0 EL:3 ]
    Sun Jun 12 20:44:33 2022 us=269401 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
    Sun Jun 12 20:44:33 2022 us=269514 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
    Sun Jun 12 20:44:33 2022 us=269568 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
    Sun Jun 12 20:44:33 2022 us=269655 TCP/UDP: Preserving recently used remote address: [AF_INET]168.119.40.249:1194
    Sun Jun 12 20:44:33 2022 us=269754 Socket Buffers: R=[87380->87380] S=[16384->16384]
    Sun Jun 12 20:44:33 2022 us=269811 Attempting to establish TCP connection with [AF_INET]168.119.40.249:1194 [nonblock]
    Sun Jun 12 20:44:34 2022 us=270392 TCP connection established with [AF_INET]168.119.40.249:1194
    Sun Jun 12 20:44:34 2022 us=270551 TCP_CLIENT link local: (not bound)
    Sun Jun 12 20:44:34 2022 us=270595 TCP_CLIENT link remote: [AF_INET]168.119.40.249:1194
    WRSun Jun 12 20:44:34 2022 us=295598 TLS: Initial packet from [AF_INET]168.119.40.249:1194, sid=524c914c 8714a143
    WWRWRSun Jun 12 20:44:34 2022 us=367225 VERIFY OK: depth=1, CN=ChangeMe
    Sun Jun 12 20:44:34 2022 us=368405 VERIFY KU OK
    Sun Jun 12 20:44:34 2022 us=368498 Validating certificate extended key usage
    Sun Jun 12 20:44:34 2022 us=368565 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    Sun Jun 12 20:44:34 2022 us=368626 VERIFY EKU OK
    Sun Jun 12 20:44:34 2022 us=368684 VERIFY OK: depth=0, CN=server
    RWWWRRWRWSun Jun 12 20:44:34 2022 us=497066 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Sun Jun 12 20:44:34 2022 us=497258 [server] Peer Connection Initiated with [AF_INET]168.119.40.249:1194
    Sun Jun 12 20:44:35 2022 us=670987 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    WRRSun Jun 12 20:44:35 2022 us=759338 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.133.10.0 255.255.255.0,sndbuf 512000,rcvbuf 512000,route-gateway 10.170.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.170.0.19 255.255.255.0,peer-id 0,cipher AES-256-GCM'
    Sun Jun 12 20:44:35 2022 us=759756 OPTIONS IMPORT: timers and/or timeouts modified
    Sun Jun 12 20:44:35 2022 us=759832 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
    Sun Jun 12 20:44:35 2022 us=759905 Socket Buffers: R=[372480->425984] S=[87040->425984]
    Sun Jun 12 20:44:35 2022 us=759976 OPTIONS IMPORT: --ifconfig/up options modified
    Sun Jun 12 20:44:35 2022 us=760030 OPTIONS IMPORT: route options modified
    Sun Jun 12 20:44:35 2022 us=760083 OPTIONS IMPORT: route-related options modified
    Sun Jun 12 20:44:35 2022 us=760136 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Sun Jun 12 20:44:35 2022 us=760189 OPTIONS IMPORT: peer-id set
    Sun Jun 12 20:44:35 2022 us=760243 OPTIONS IMPORT: adjusting link_mtu to 1626
    Sun Jun 12 20:44:35 2022 us=760308 OPTIONS IMPORT: data channel crypto options modified
    Sun Jun 12 20:44:35 2022 us=760379 Data Channel: using negotiated cipher 'AES-256-GCM'
    Sun Jun 12 20:44:35 2022 us=760481 Data Channel MTU parms [ L:1554 D:1450 EF:54 EB:406 ET:0 EL:3 ]
    Sun Jun 12 20:44:35 2022 us=760952 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    Sun Jun 12 20:44:35 2022 us=761040 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    Sun Jun 12 20:44:35 2022 us=761769 ROUTE_GATEWAY 192.168.178.1/255.255.255.0 IFACE=eth2 HWADDR=00:0d:b9:3d:e8:82
    Sun Jun 12 20:44:35 2022 us=762707 TUN/TAP device tun0 opened
    Sun Jun 12 20:44:35 2022 us=762822 TUN/TAP TX queue length set to 100
    Sun Jun 12 20:44:35 2022 us=762965 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Sun Jun 12 20:44:35 2022 us=763065 /sbin/ip link set dev tun0 up mtu 1500
    Sun Jun 12 20:44:35 2022 us=767441 /sbin/ip addr add dev tun0 10.170.0.19/24 broadcast 10.170.0.255
    Sun Jun 12 20:44:35 2022 us=771677 /sbin/ip route add 10.133.10.0/24 via 10.170.0.1
    Sun Jun 12 20:44:35 2022 us=775371 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Sun Jun 12 20:44:35 2022 us=775477 Initialization Sequence Completed
What exactly am I doing wrong? I need to get this working for my final exam.
Edit 1: I appended the following to server.conf:

    client-config-dir /etc/openvpn/ccd
    log-append /var/log/openvpn.log
    route 10.133.10.0 255.255.255.0
I created the ccd directory and added a file named server_hq, as that is the print server's CN (found in the log). It now contains:

    ifconfig-push 10.170.0.19 255.255.255.0
    iroute 10.133.10.0 255.255.255.0
Connection log for server_hq (the print server):
    Sun Jun 12 21:25:36 2022 MULTI: Learn: 10.133.10.40 -> server_hq/<IP>:19295
    Sun Jun 12 21:28:18 2022 server_hq/<IP>:19295 Connection reset, restarting [0]
    Sun Jun 12 21:28:18 2022 server_hq/<IP>:19295 SIGUSR1[soft,connection-reset] received, client-instance restarting
    Sun Jun 12 21:29:04 2022 TCP connection established with [AF_INET]<IP>:19294
    Sun Jun 12 21:29:05 2022 <IP>:19294 TLS: Initial packet from [AF_INET]<IP>:19294, sid=9264ab12 043d9161
    Sun Jun 12 21:29:05 2022 <IP>:19294 VERIFY OK: depth=1, CN=ChangeMe
    Sun Jun 12 21:29:05 2022 <IP>:19294 VERIFY OK: depth=0, CN=server_hq
    Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_VER=2.4.9
    Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_PLAT=linux
    Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_PROTO=2
    Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_NCP=2
    Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_LZ4=1
    Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_LZ4v2=1
    Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_LZO=1
    Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_COMP_STUB=1
    Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_COMP_STUBv2=1
    Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_TCPNL=1
    Sun Jun 12 21:29:05 2022 <IP>:19294 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Sun Jun 12 21:29:05 2022 <IP>:19294 [server_hq] Peer Connection Initiated with [AF_INET]<IP>:19294
    Sun Jun 12 21:29:05 2022 server_hq/<IP>:19294 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/server_hq
    Sun Jun 12 21:29:05 2022 server_hq/<IP>:19294 MULTI: Learn: 10.170.0.19 -> server_hq/<IP>:19294
    Sun Jun 12 21:29:05 2022 server_hq/<IP>:19294 MULTI: primary virtual IP for server_hq/<IP>:19294: 10.170.0.19
    Sun Jun 12 21:29:05 2022 server_hq/<IP>:19294 MULTI: internal route 10.133.10.0/24 -> server_hq/<IP>:19294
    Sun Jun 12 21:29:05 2022 server_hq/<IP>:19294 MULTI: Learn: 10.133.10.0/24 -> server_hq/<IP>:19294
    Sun Jun 12 21:29:06 2022 server_hq/<IP>:19294 PUSH: Received control message: 'PUSH_REQUEST'
    Sun Jun 12 21:29:06 2022 server_hq/<IP>:19294 SENT CONTROL [server_hq]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,sndbuf 512000,rcvbuf 512000,route-gateway >
    Sun Jun 12 21:29:06 2022 server_hq/<IP>:19294 Data Channel: using negotiated cipher 'AES-256-GCM'
    Sun Jun 12 21:29:06 2022 server_hq/<IP>:19294 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    Sun Jun 12 21:29:06 2022 server_hq/<IP>:19294 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    Sun Jun 12 21:29:25 2022 MULTI: Learn: 10.133.10.40 -> server_hq/<IP>:19294
Then I restarted both OpenVPN instances and tried to ping one of the printers... but without success.
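In order for clients on the VPN network to be able to reach your printers, the following are needed:
- a route advertisement to the clients (you already have this)
- correct routing on the OpenVPN server, pointing towards the printers
- an iroute entry for the print server
- for the above, a client config entry for your print server's network
- finally, correct routing on your print server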
Also, while it is not technically required, you may want to assign a fixed IP address to the print server on the VPN.
So, first, you need a client config directory on the OpenVPN server. This can be anywhere and can be called anything. Create a directory, then add this line to your server.conf:

    client-config-dir /the/client-config-directory
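In that directory, place a file with the same name as the print server's CN (i.e. the CN field of the certificate the print server uses). The file should contain the following: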
    ifconfig-push 10.170.0.254 255.255.255.0
    iroute 10.133.10.0 255.255.255.0
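This will ensure that the print server always gets a fixed IP address (10.170.0.254), and that the OpenVPN server knows about the subnet behind the print server. You will also need a correct route entry in the kernel routing table, so add this line to your server.conf as well:

    route 10.133.10.0 255.255.255.0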
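With this setup, your VPN server will know where to route packets to your server.

One last thing to consider is the network setup of the print server and the printers. The setup above creates a routed network, so your printers will see connections coming from inside the VPN (i.e. from addresses 10.170.0.x). The printers must know that these should be routed back to the VPN, and they must have a way to do so. If your print server is their default router, then all you need to do is allow traffic between the VPN subnet and the local subnet on the print server's firewall. If another computer acts as the default gateway, then you need to make sure the printers route packets back to the print server. In that case, either add custom routes to the printers, or set up NAT on the print server.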
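The print-server side of the last paragraph above, as an added example that is not part of the original answer: a generator for the forwarding rules (and, for the case where the printers use another default gateway, the NAT rule) in iptables-restore format. The interface names tun0/eth1 and both subnets are the ones shown on this page; the function names is_cidr4 and gateway_rules are hypothetical. Packets passing through the print server to the printers traverse the FORWARD chain, not INPUT, and need net.ipv4.ip_forward=1.

```shell
#!/bin/sh
# Added example: emits rules only; nothing is applied unless the output is
# piped into iptables-restore by hand (see the comment at the bottom).

# Return 0 if $1 is a syntactically valid IPv4 CIDR such as 10.170.0.0/24.
is_cidr4() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[!0-9./]*|*/*/*|*..*|.*|*./*) return 1 ;;
    esac
    addr=${1%/*}
    len=${1#*/}
    [ -n "$len" ] && [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the dotted quad into four fields
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gateway_rules MODE VPN_CIDR LAN_CIDR TUN_IF LAN_IF
#   MODE=routed : the printers send replies for VPN_CIDR back via this host
#   MODE=nat    : the printers use another default gateway, so VPN clients
#                 are hidden behind this host's LAN address (MASQUERADE)
gateway_rules() {
    mode=$1 vpn=$2 lan=$3 tun_if=$4 lan_if=$5
    case "$mode" in
        routed|nat) ;;
        *) echo "mode must be routed or nat" >&2; return 2 ;;
    esac
    is_cidr4 "$vpn" && is_cidr4 "$lan" || { echo "bad CIDR" >&2; return 2; }
    for ifname in "$tun_if" "$lan_if"; do
        case "$ifname" in
            ""|*[!A-Za-z0-9_.-]*) echo "bad interface name" >&2; return 2 ;;
        esac
    done
    cat <<EOF
*filter
# VPN clients -> printers: connections may be opened in this direction only
-A FORWARD -i $tun_if -o $lan_if -s $vpn -d $lan -j ACCEPT
# printers -> VPN clients: replies to established connections only
-A FORWARD -i $lan_if -o $tun_if -s $lan -d $vpn -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
    if [ "$mode" = nat ]; then
        cat <<EOF
*nat
-A POSTROUTING -o $lan_if -s $vpn -d $lan -j MASQUERADE
COMMIT
EOF
    fi
}

# Running the file prints the ruleset for this page's addresses.
# To apply it on the print server, as root:
#   sysctl -w net.ipv4.ip_forward=1
#   sh this_file.sh | iptables-restore --noflush
# GATEWAY_MODE=nat selects the NAT variant.
gateway_rules "${GATEWAY_MODE:-routed}" 10.170.0.0/24 10.133.10.0/24 tun0 eth1
```

With the nat variant the printers see every VPN connection as coming from the print server's own LAN address, so per-client source addresses no longer appear in printer-side logs.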