Ubuntu

OpenVPN 伺服器為所有連接的客戶端分配相同的 IP 地址 (10.8.0.6)

  • February 24, 2021

我按照如何在 Ubuntu 20.04 上設置和配置 OpenVPN 伺服器來設置 OpenVPN 伺服器。我注意到,當任何客戶端連接到 OpenVPN 伺服器時,它們每個都獲得相同的 IP 地址:10.8.0.6.

/etc/openvpn/server/server.conf中,我有這些設置,以便它可以在中分配 IP 地址10.8.0.X

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

在 ubuntu 客戶端中:

askar@ubuntu:~$ ifconfig 
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
       inet 192.168.11.23  netmask 255.255.255.0  broadcast 192.168.11.255
       inet6 240b:11:8a62:bc10:f64d:30ff:fe6c:7f6c  prefixlen 64  scopeid 0x0<global>
       inet6 fe80::f64d:30ff:fe6c:7f6c  prefixlen 64  scopeid 0x20<link>
       ether f4:4d:30:6c:7f:6c  txqueuelen 1000  (Ethernet)
       RX packets 8323  bytes 1066513 (1.0 MB)
       RX errors 0  dropped 0  overruns 0  frame 0
       TX packets 6078  bytes 957451 (957.4 KB)
       TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
       device interrupt 16  memory 0xdf100000-df120000  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
       inet 127.0.0.1  netmask 255.0.0.0
       inet6 ::1  prefixlen 128  scopeid 0x10<host>
       loop  txqueuelen 1000  (Local Loopback)
       RX packets 92  bytes 6838 (6.8 KB)
       RX errors 0  dropped 0  overruns 0  frame 0
       TX packets 92  bytes 6838 (6.8 KB)
       TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
       inet 10.8.0.6  netmask 255.255.255.255  destination 10.8.0.5
       inet6 fe80::2fa0:961f:7ba8:c04c  prefixlen 64  scopeid 0x20<link>
       unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
       RX packets 0  bytes 0 (0.0 B)
       RX errors 0  dropped 0  overruns 0  frame 0
       TX packets 3  bytes 144 (144.0 B)
       TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

在我的 Mac PC 上:

~  ifconfig                                                                                          ok  00:08:23 
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
   options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
   inet 127.0.0.1 netmask 0xff000000 
   inet6 ::1 prefixlen 128 
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
   nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   options=50b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV,CHANNEL_IO>
   ether ac:87:a3:3b:d2:32 
   inet6 fe80::1043:7119:8f77:8977%en0 prefixlen 64 secured scopeid 0x4 
   inet 192.168.11.2 netmask 0xffffff00 broadcast 192.168.11.255
   inet6 240b:11:8a62:bc10:1421:50dd:7a2:7e21 prefixlen 64 autoconf secured 
   inet6 240b:11:8a62:bc10:31ac:632d:c084:ae98 prefixlen 64 autoconf temporary 
   nd6 options=201<PERFORMNUD,DAD>
   media: autoselect (1000baseT <full-duplex,flow-control>)
   status: active
en1: flags=8823<UP,BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
   options=400<CHANNEL_IO>
   ether ac:29:3a:96:06:8d 
   nd6 options=201<PERFORMNUD,DAD>
   media: autoselect (<unknown type>)
   status: inactive
en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
   options=460<TSO4,TSO6,CHANNEL_IO>
   ether 82:11:02:40:01:80 
   media: autoselect <full-duplex>
   status: inactive
en3: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
   options=460<TSO4,TSO6,CHANNEL_IO>
   ether 82:11:02:40:01:81 
   media: autoselect <full-duplex>
   status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   options=63<RXCSUM,TXCSUM,TSO4,TSO6>
   ether 82:11:02:40:01:80 
   Configuration:
       id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
       maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
       root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
       ipfilter disabled flags 0x0
   member: en2 flags=3<LEARNING,DISCOVER>
           ifmaxaddr 0 port 6 priority 0 path cost 0
   member: en3 flags=3<LEARNING,DISCOVER>
           ifmaxaddr 0 port 7 priority 0 path cost 0
   nd6 options=201<PERFORMNUD,DAD>
   media: <unknown type>
   status: inactive
p2p0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 2304
   options=400<CHANNEL_IO>
   ether 0e:29:3a:96:06:8d 
   media: autoselect
   status: inactive
awdl0: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> mtu 1484
   options=400<CHANNEL_IO>
   ether 26:a4:4e:7d:9d:c5 
   nd6 options=201<PERFORMNUD,DAD>
   media: autoselect
   status: inactive
llw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   options=400<CHANNEL_IO>
   ether 26:a4:4e:7d:9d:c5 
   nd6 options=201<PERFORMNUD,DAD>
ham0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1404
   ether 7a:79:00:00:00:00 
   open (pid 93)
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
   inet6 fe80::1c90:674b:fb2:43af%utun0 prefixlen 64 scopeid 0xd 
   nd6 options=201<PERFORMNUD,DAD>
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
   inet6 fe80::40a2:3ba4:1052:11a7%utun1 prefixlen 64 scopeid 0xe 
   nd6 options=201<PERFORMNUD,DAD>
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
   inet6 fe80::b950:55ea:84f4:8c39%utun2 prefixlen 64 scopeid 0xf 
   nd6 options=201<PERFORMNUD,DAD>
utun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
   inet6 fe80::c30a:1bc7:4681:81ee%utun3 prefixlen 64 scopeid 0x10 
   nd6 options=201<PERFORMNUD,DAD>
utun4: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
   inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff 

在此處輸入圖像描述

106.73.138.98是我用https://whatismyipaddress.com/檢查的 IP 地址

Ubuntu、Mac OS 和 iPhone 落後106.73.138.98,由本地 ISP 分配。

/var/log/syslog當 3 個客戶端同時連接時:

Feb 24 15:27:47 openvpn openvpn[590]: 106.73.138.98:35783 TLS: Initial packet from [AF_INET]106.73.138.98:35783, sid=0822333e 11f09c9c
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 VERIFY OK: depth=1, CN=Easy-RSA CA
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 VERIFY OK: depth=0, CN=client1
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_VER=2.4.9
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_PLAT=mac
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_PROTO=2
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_NCP=2
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_LZ4=1
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_LZ4v2=1
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_LZO=1
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_COMP_STUB=1
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_COMP_STUBv2=1
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_TCPNL=1
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_5601_3.8.4a__build_5601)"
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 384 bit EC, curve: secp384r1
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 [client1] Peer Connection Initiated with [AF_INET]106.73.138.98:35783
Feb 24 15:27:48 openvpn openvpn[590]: MULTI: new connection by client 'client1' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Feb 24 15:27:48 openvpn openvpn[590]: MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Feb 24 15:27:48 openvpn openvpn[590]: MULTI: Learn: 10.8.0.6 -> client1/106.73.138.98:35783
Feb 24 15:27:48 openvpn openvpn[590]: MULTI: primary virtual IP for client1/106.73.138.98:35783: 10.8.0.6
Feb 24 15:27:49 openvpn openvpn[590]: client1/106.73.138.98:35783 PUSH: Received control message: 'PUSH_REQUEST'
Feb 24 15:27:49 openvpn openvpn[590]: client1/106.73.138.98:35783 SENT CONTROL [client1]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-GCM' (status=1)
Feb 24 15:27:49 openvpn openvpn[590]: client1/106.73.138.98:35783 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Feb 24 15:27:49 openvpn openvpn[590]: client1/106.73.138.98:35783 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 TLS: Initial packet from [AF_INET]106.73.138.98:39883, sid=b85cdfeb 0c4565bb
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 VERIFY OK: depth=1, CN=Easy-RSA CA
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 VERIFY OK: depth=0, CN=client1
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_VER=2.4.7
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_PLAT=linux
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_PROTO=2
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_NCP=2
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_LZ4=1
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_LZ4v2=1
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_LZO=1
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_COMP_STUB=1
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_COMP_STUBv2=1
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_TCPNL=1
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 384 bit EC, curve: secp384r1
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 [client1] Peer Connection Initiated with [AF_INET]106.73.138.98:39883
Feb 24 15:27:55 openvpn openvpn[590]: MULTI: new connection by client 'client1' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Feb 24 15:27:55 openvpn openvpn[590]: MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Feb 24 15:27:55 openvpn openvpn[590]: MULTI: Learn: 10.8.0.6 -> client1/106.73.138.98:39883
Feb 24 15:27:55 openvpn openvpn[590]: MULTI: primary virtual IP for client1/106.73.138.98:39883: 10.8.0.6
Feb 24 15:27:56 openvpn openvpn[590]: client1/106.73.138.98:39883 PUSH: Received control message: 'PUSH_REQUEST'
Feb 24 15:27:56 openvpn openvpn[590]: client1/106.73.138.98:39883 SENT CONTROL [client1]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Feb 24 15:27:56 openvpn openvpn[590]: client1/106.73.138.98:39883 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Feb 24 15:27:56 openvpn openvpn[590]: client1/106.73.138.98:39883 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 TLS: Initial packet from [AF_INET]106.73.138.98:43971, sid=41f8d815 33e079cb
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 VERIFY OK: depth=1, CN=Easy-RSA CA
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 VERIFY OK: depth=0, CN=client1
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 peer info: IV_VER=3.git::58b92569
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 peer info: IV_PLAT=ios
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 peer info: IV_NCP=2
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 peer info: IV_TCPNL=1
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 peer info: IV_PROTO=2
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 peer info: IV_AUTO_SESS=1
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 peer info: IV_SSO=openurl
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1521'
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 384 bit EC, curve: secp384r1
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 [client1] Peer Connection Initiated with [AF_INET]106.73.138.98:43971
Feb 24 15:28:06 openvpn openvpn[590]: MULTI: new connection by client 'client1' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Feb 24 15:28:06 openvpn openvpn[590]: MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Feb 24 15:28:06 openvpn openvpn[590]: MULTI: Learn: 10.8.0.6 -> client1/106.73.138.98:43971
Feb 24 15:28:06 openvpn openvpn[590]: MULTI: primary virtual IP for client1/106.73.138.98:43971: 10.8.0.6
Feb 24 15:28:06 openvpn openvpn[590]: client1/106.73.138.98:43971 PUSH: Received control message: 'PUSH_REQUEST'
Feb 24 15:28:06 openvpn openvpn[590]: client1/106.73.138.98:43971 SENT CONTROL [client1]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-GCM' (status=1)
Feb 24 15:28:06 openvpn openvpn[590]: client1/106.73.138.98:43971 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Feb 24 15:28:06 openvpn openvpn[590]: client1/106.73.138.98:43971 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Feb 24 15:28:12 openvpn openvpn[590]: AEAD Decrypt error: cipher final failed
Feb 24 15:28:22 openvpn openvpn[590]: AEAD Decrypt error: cipher final failed

您的日誌顯示每個客戶端都使用相同的客戶端證書進行連接,而當這種情況發生時,OpenVPN 斷開了另一個連接。

Feb 24 15:28:06 openvpn openvpn[590]: MULTI: new connection by client 'client1' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.

作為一般規則,不同的使用者應該有不同的證書,但是如果你想允許同一個使用者在多個設備上使用同一個證書,你可以按照它所說的來啟動 OpenVPN --duplicate-cn。在 Ubuntu 上,您可以通過編輯/etc/default/openvpn文件並將選項添加到 OPTARGS 來執行此操作。

# Optional arguments to openvpn's command line
OPTARGS=""

會成為:

# Optional arguments to openvpn's command line
OPTARGS="--duplicate-cn"

然後重新啟動 OpenVPN。

引用自:https://serverfault.com/questions/1054901