我无法通过 VPN 访问计算机。服务器具有 TAP 配置,我可以从 Windows 7 客户端成功连接。我主要按照本指南进行设置:http://www.howtogeek.com/60774/connect-to-your-home-network-from-anywhere-with-openvpn-and-tomato/
奇怪的是,我可以连接到 VPN,服务器显示连接,但当我从 Ubuntu 执行此操作时,我无法从网络访问其他计算机。我是否需要手动修复客户端上的某种桥接,还是 Ubuntu 应该自动找到路由?我读到过某处说它可能被防火墙阻止,但我确信客户端上的防火墙已关闭,服务器上的防火墙显然配置正确,否则我将无法从 Windows 7 客户端连接。
该指南指示我在 Windows 上使用 OpenVPN 2.1.4,我就是这么做的,在 Ubuntu 上,我使用了存储库中的版本,这可能会导致一些问题,但我不明白为什么会这样。下面是我的 client.conf:
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap
#dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp
#proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote removed.for-sake-of.security 1194
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca "/etc/openvpn/ca.crt"
cert "/etc/openvpn/client.crt"
key "/etc/openvpn/client.key"
# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
cipher AES-128-CBC
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
我还必须配置什么才能让我的 Ubuntu 客户端成为网络的一部分/可以访问其他机器吗?
更新:
这是客户端的输出,你可以看到它似乎陷入了循环,一遍又一遍地重新启动连接。我从头到尾复制了输出,直到第二次显示Initialization Sequence Completed
。它有助于提供答案吗?
Thu Jan 9 18:52:37 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Jul 12 2013
Thu Jan 9 18:52:37 2014 WARNING: file '/etc/openvpn/krs-niklas.key' is group or others accessible
Thu Jan 9 18:52:37 2014 Socket Buffers: R=[87380->131072] S=[16384->131072]
Thu Jan 9 18:52:37 2014 Attempting to establish TCP connection with [AF_INET]85.225.217.161:1194 [nonblock]
Thu Jan 9 18:52:38 2014 TCP connection established with [AF_INET]85.225.217.161:1194
Thu Jan 9 18:52:38 2014 TCPv4_CLIENT link local: [undef]
Thu Jan 9 18:52:38 2014 TCPv4_CLIENT link remote: [AF_INET]85.225.217.161:1194
Thu Jan 9 18:52:38 2014 TLS: Initial packet from [AF_INET]85.225.217.161:1194, sid=444e38d7 ac8fcbca
Thu Jan 9 18:52:39 2014 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=OpenVPN, CN=KRS, [email protected]
Thu Jan 9 18:52:39 2014 VERIFY OK: nsCertType=SERVER
Thu Jan 9 18:52:39 2014 VERIFY OK: depth=0, C=US, ST=CA, O=OpenVPN, CN=KRS, [email protected]
Thu Jan 9 18:52:41 2014 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Jan 9 18:52:41 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 9 18:52:41 2014 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Jan 9 18:52:41 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 9 18:52:41 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Jan 9 18:52:41 2014 [KRS] Peer Connection Initiated with [AF_INET]85.225.217.161:1194
Thu Jan 9 18:52:43 2014 SENT CONTROL [KRS]: 'PUSH_REQUEST' (status=1)
Thu Jan 9 18:52:43 2014 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.1.1,route-gateway dhcp,ping 15,ping-restart 60'
Thu Jan 9 18:52:43 2014 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jan 9 18:52:43 2014 OPTIONS IMPORT: route-related options modified
Thu Jan 9 18:52:43 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jan 9 18:52:43 2014 TUN/TAP device tap1 opened
Thu Jan 9 18:52:43 2014 TUN/TAP TX queue length set to 100
Thu Jan 9 18:52:43 2014 Initialization Sequence Completed
Thu Jan 9 18:52:49 2014 Connection reset, restarting [0]
Thu Jan 9 18:52:49 2014 SIGUSR1[soft,connection-reset] received, process restarting
Thu Jan 9 18:52:49 2014 Restart pause, 5 second(s)
Thu Jan 9 18:52:54 2014 Socket Buffers: R=[87380->131072] S=[16384->131072]
Thu Jan 9 18:52:54 2014 Attempting to establish TCP connection with [AF_INET]85.225.217.161:1194 [nonblock]
Thu Jan 9 18:52:55 2014 TCP connection established with [AF_INET]85.225.217.161:1194
Thu Jan 9 18:52:55 2014 TCPv4_CLIENT link local: [undef]
Thu Jan 9 18:52:55 2014 TCPv4_CLIENT link remote: [AF_INET]85.225.217.161:1194
Thu Jan 9 18:52:55 2014 TLS: Initial packet from [AF_INET]85.225.217.161:1194, sid=ff99a93f 04c54987
Thu Jan 9 18:52:56 2014 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=OpenVPN, CN=KRS, [email protected]
Thu Jan 9 18:52:56 2014 VERIFY OK: nsCertType=SERVER
Thu Jan 9 18:52:56 2014 VERIFY OK: depth=0, C=US, ST=CA, O=OpenVPN, CN=KRS, [email protected]
Thu Jan 9 18:52:58 2014 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Jan 9 18:52:58 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 9 18:52:58 2014 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Jan 9 18:52:58 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 9 18:52:58 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Jan 9 18:52:58 2014 [KRS] Peer Connection Initiated with [AF_INET]85.225.217.161:1194
Thu Jan 9 18:53:00 2014 SENT CONTROL [KRS]: 'PUSH_REQUEST' (status=1)
Thu Jan 9 18:53:00 2014 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.1.1,route-gateway dhcp,ping 15,ping-restart 60'
Thu Jan 9 18:53:00 2014 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jan 9 18:53:00 2014 OPTIONS IMPORT: route-related options modified
Thu Jan 9 18:53:00 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jan 9 18:53:00 2014 Preserving previous TUN/TAP instance: tap1
Thu Jan 9 18:53:00 2014 Initialization Sequence Completed
答案1
Thu Jan 9 18:52:43 2014 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.1.1,route-gateway dhcp,ping 15,ping-restart 60'
从日志中可以看出,客户端计算机未获取有效的 DHCP IP,而这通常应由服务器使用“push”语句推送。因此客户端无法与对等方(服务器)通信,然后触发重启。
您可能注意到,这里也推送了“ping 15, ping-restart 60”,这就是为什么会出现“SIGUSR1”。请参阅“man openvpn”了解更多详细信息。
--ping-restart n
Similar to --ping-exit, but trigger a SIGUSR1 restart after n seconds pass without reception of a ping or other packet from remote.
This option is useful in cases where the remote peer has a dynamic IP address and a low-TTL DNS name is used to track the IP address using a service such as http://dyndns.org/ + a dynamic DNS client such as ddclient.
If the peer cannot be reached, a restart will be triggered, causing the hostname used with --remote to be re-resolved (if --resolv-retry is also specified).
答案2
连接后,您可以访问 LAN 上的单个节点,但无法访问其他节点。以下是发生的情况。您的路由器不知道如何为 OpenVPN 路由流量,因为它是一个“外部网络”。示例:
客户端 A 连接到 OpenVPN 服务器 B。
A分配的OpenVPN地址为172.19.0.2,服务器的OpenVPN地址为172.19.0.1,但其LAN地址为192.168.0.101。
A 正在尝试连接到 LAN 上的另一个盒子 192.168.0.33 (C)。为了实现这一点,流量必须从 A 发起,传输到 B,传输到 B 的网关(路由器)最后传输给C.
现在,继续前进。如果您没有 LAN 路由器的管理员权限,这些都不起作用:
因此,首先您需要在 OpenVPN 服务器上启用路由,以便它可以将数据包路由到网关。这将因您的操作系统而异,但您应该能够谷歌搜索“启用路由_“(您的操作系统名称)。这样做。
然后你需要在路由器上添加一条静态路由,以便它知道 openvpn 流量必须从 LAN 返回通过您的 openvpn 服务器。在您的路由器配置中找到静态路由部分,然后添加路由。该路由必须与您的服务器配置文件中的地址规范相匹配。因此,如果您的服务器配置文件将使用虚拟网络 10.20.0.0 和网络掩码 255.255.0.0,则您需要添加
network - 10.20.0.0
netmask - 255.255.0.0
gateway - 192.168.0.101 #replace this with your openvpn server's address on the lan)
那就可以了。
答案3
Ubuntu Server 14.04.1 如何在 LAN 网关以外的单独机器上设置 OpenVPN 服务器(可以访问服务器 LAN 上的其他机器)
确保您的 openvpn LAN 不是通常的 192.168.1.1 或 10.0.0.1。如果是,请登录您的路由器并更改第三个数字,即 192.168.(此数字).1
确保将路由器上的端口 1194 转发到 OpenVPN 服务器 IP
示例网络:
Gateway IP: 192.168.5.1
OpenVPN Server IP: 192.168.5.20
OpenVPN配置:
port 1194
proto udp
dev tun0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.5.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth ta.key 0
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
编辑 /etc/network/interfaces:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.5.20
netmask 255.255.255.0
broadcast 192.168.5.255
network 192.168.5.0
gateway 192.168.5.1
dns-nameservers 8.8.8.8
dns-nameservers 8.8.4.4
post-up iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 192.168.5.20
确保注释掉 ipv6 设置
编辑/etc/sysctl.conf:
改变:
#net.ipv4.ip_forward=1
到:
net.ipv4.ip_forward=1
假设您的密钥和客户端配置都已整理好;重新启动服务器,您就可以开始了!
答案4
一般情况下,当您连接到 VPN 时,您可以访问远程 LAN,但您对本地 LAN 的访问将被阻止。