我为这个问题挣扎了两天,但问题仍然存在。希望有人能提供建议或诊断方法。
我想要的是让所有客户端都通过 OpenVPN 服务器访问互联网。因此,我首先按照说明通过 VPN 路由所有客户端流量(包括网络流量)。配置完毕,设置好iptables,VPN服务器和客户端连接成功,但客户端无法访问任何网站(浏览器挂了)。服务器ping和客户端都正常。
我检查了服务器日志,发现有一些记录,例如:
Oct 3 09:16:21 iZbp15fejv9adv7o3izfm1Z ovpn-delta[1827]: laptop/131.202.XX.XX:59701 UDPv4 READ [93] from [AF_INET]131.202.XX.XX:59701: P_DATA_V1 kid=0 DATA len=92
Oct 3 09:16:21 iZbp15fejv9adv7o3izfm1Z ovpn-delta[1827]: laptop/131.202.XX.XX:59701 MULTI: bad source address from client [131.202.XX.XX], packet dropped
其中 IP:131.202.XX.XX 是我的笔记本电脑 IP 地址。此记录的解释如下“MULTI:来自客户端的错误源地址,数据包丢失”或“GET INST BY VIRT:[失败]”,为什么我的笔记本上这个IP不是10.8.0.6(tun0),具体实现方式是什么?我的笔记本是用WIFI连接网络的,是一个运行的设备openvpn --config client.conf。
由于这是一个非常简单的例子,我有没有办法避免这个错误,或者任何示例来配置client-config-dir and create a ccd file
在/etc/openvpn/delta.conf服务器上:
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
port 1194
proto udp
dev tun
;dev-node MyTap
ca ca.crt
cert delta.crt
key delta.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
;max-clients 100
;user nobody
;group nogroup
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
;log-append openvpn.log
verb 3
;mute 20
而client.conf是:
client
dev tun
proto udp
remote 116.62.193.49 1194
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert laptop.crt
key laptop.key
ns-cert-type server
;tls-auth ta.key 1
comp-lzo
verb 3
;mute 20
对于 IP 路由器配置,我将 iptables 添加到/etc/rc.local,以便可以在服务器启动时更改 iptables。
root@iZbp15fejv9adv7o3izfm1Z:/var/log# cat /etc/rc.local
#!/bin/sh -e
#
# rc.local
#I also tried comment out first three instructions, but still does not work
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service dnsmasq restart
exit 0
和/etc/sysctl.conf
net.ipv4.ip_forward=1
telnet serverIP 80没问题。在服务器中:/var/logs/syslog:
有什么解决办法吗?