无法从 Ubuntu 13.10 访问 OpenVPN 后面的 LAN

tag-icon tag-icon openvpn
无法从 Ubuntu 13.10 访问 OpenVPN 后面的 LAN

我无法通过 VPN 访问计算机。服务器具有 TAP 配置,我可以从 Windows 7 客户端成功连接。我主要按照本指南进行设置:http://www.howtogeek.com/60774/connect-to-your-home-network-from-anywhere-with-openvpn-and-tomato/

奇怪的是,我可以连接到 VPN,服务器显示连接,但当我从 Ubuntu 执行此操作时,我无法从网络访问其他计算机。我是否需要手动修复客户端上的某种桥接,还是 Ubuntu 应该自动找到路由?我读到过某处说它可能被防火墙阻止,但我确信客户端上的防火墙已关闭,服务器上的防火墙显然配置正确,否则我将无法从 Windows 7 客户端连接。

该指南指示我在 Windows 上使用 OpenVPN 2.1.4,我就是这么做的,在 Ubuntu 上,我使用了存储库中的版本,这可能会导致一些问题,但我不明白为什么会这样。下面是我的 client.conf:

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap
#dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
proto tcp
#proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote removed.for-sake-of.security 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca "/etc/openvpn/ca.crt"
cert "/etc/openvpn/client.crt"
key "/etc/openvpn/client.key"

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
cipher AES-128-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

我还必须配置什么才能让我的 Ubuntu 客户端成为网络的一部分/可以访问其他机器吗?

更新: 这是客户端的输出,你可以看到它似乎陷入了循环,一遍又一遍地重新启动连接。我从头到尾复制了输出,直到第二次显示Initialization Sequence Completed。它有助于提供答案吗?

Thu Jan  9 18:52:37 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Jul 12 2013
Thu Jan  9 18:52:37 2014 WARNING: file '/etc/openvpn/krs-niklas.key' is group or others accessible
Thu Jan  9 18:52:37 2014 Socket Buffers: R=[87380->131072] S=[16384->131072]
Thu Jan  9 18:52:37 2014 Attempting to establish TCP connection with [AF_INET]85.225.217.161:1194 [nonblock]
Thu Jan  9 18:52:38 2014 TCP connection established with [AF_INET]85.225.217.161:1194
Thu Jan  9 18:52:38 2014 TCPv4_CLIENT link local: [undef]
Thu Jan  9 18:52:38 2014 TCPv4_CLIENT link remote: [AF_INET]85.225.217.161:1194
Thu Jan  9 18:52:38 2014 TLS: Initial packet from [AF_INET]85.225.217.161:1194, sid=444e38d7 ac8fcbca
Thu Jan  9 18:52:39 2014 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=OpenVPN, CN=KRS, [email protected]
Thu Jan  9 18:52:39 2014 VERIFY OK: nsCertType=SERVER
Thu Jan  9 18:52:39 2014 VERIFY OK: depth=0, C=US, ST=CA, O=OpenVPN, CN=KRS, [email protected]
Thu Jan  9 18:52:41 2014 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Jan  9 18:52:41 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan  9 18:52:41 2014 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Jan  9 18:52:41 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan  9 18:52:41 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Jan  9 18:52:41 2014 [KRS] Peer Connection Initiated with [AF_INET]85.225.217.161:1194
Thu Jan  9 18:52:43 2014 SENT CONTROL [KRS]: 'PUSH_REQUEST' (status=1)
Thu Jan  9 18:52:43 2014 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.1.1,route-gateway dhcp,ping 15,ping-restart 60'
Thu Jan  9 18:52:43 2014 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jan  9 18:52:43 2014 OPTIONS IMPORT: route-related options modified
Thu Jan  9 18:52:43 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jan  9 18:52:43 2014 TUN/TAP device tap1 opened
Thu Jan  9 18:52:43 2014 TUN/TAP TX queue length set to 100
Thu Jan  9 18:52:43 2014 Initialization Sequence Completed
Thu Jan  9 18:52:49 2014 Connection reset, restarting [0]
Thu Jan  9 18:52:49 2014 SIGUSR1[soft,connection-reset] received, process restarting
Thu Jan  9 18:52:49 2014 Restart pause, 5 second(s)
Thu Jan  9 18:52:54 2014 Socket Buffers: R=[87380->131072] S=[16384->131072]
Thu Jan  9 18:52:54 2014 Attempting to establish TCP connection with [AF_INET]85.225.217.161:1194 [nonblock]
Thu Jan  9 18:52:55 2014 TCP connection established with [AF_INET]85.225.217.161:1194
Thu Jan  9 18:52:55 2014 TCPv4_CLIENT link local: [undef]
Thu Jan  9 18:52:55 2014 TCPv4_CLIENT link remote: [AF_INET]85.225.217.161:1194
Thu Jan  9 18:52:55 2014 TLS: Initial packet from [AF_INET]85.225.217.161:1194, sid=ff99a93f 04c54987
Thu Jan  9 18:52:56 2014 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=OpenVPN, CN=KRS, [email protected]
Thu Jan  9 18:52:56 2014 VERIFY OK: nsCertType=SERVER
Thu Jan  9 18:52:56 2014 VERIFY OK: depth=0, C=US, ST=CA, O=OpenVPN, CN=KRS, [email protected]
Thu Jan  9 18:52:58 2014 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Jan  9 18:52:58 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan  9 18:52:58 2014 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Jan  9 18:52:58 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan  9 18:52:58 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Jan  9 18:52:58 2014 [KRS] Peer Connection Initiated with [AF_INET]85.225.217.161:1194
Thu Jan  9 18:53:00 2014 SENT CONTROL [KRS]: 'PUSH_REQUEST' (status=1)
Thu Jan  9 18:53:00 2014 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.1.1,route-gateway dhcp,ping 15,ping-restart 60'
Thu Jan  9 18:53:00 2014 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jan  9 18:53:00 2014 OPTIONS IMPORT: route-related options modified
Thu Jan  9 18:53:00 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jan  9 18:53:00 2014 Preserving previous TUN/TAP instance: tap1
Thu Jan  9 18:53:00 2014 Initialization Sequence Completed

答案1

Thu Jan  9 18:52:43 2014 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.1.1,route-gateway dhcp,ping 15,ping-restart 60'

从日志中可以看出,客户端计算机未获取有效的 DHCP IP,而这通常应由服务器使用“push”语句推送。因此客户端无法与对等方(服务器)通信,然后触发重启。

您可能注意到,这里也推送了“ping 15, ping-restart 60”,这就是为什么会出现“SIGUSR1”。请参阅“man openvpn”了解更多详细信息。

   --ping-restart n
          Similar  to --ping-exit, but trigger a SIGUSR1 restart after n seconds pass without reception of a ping or other packet from remote.

          This option is useful in cases where the remote peer has a dynamic IP address and a low-TTL  DNS  name  is  used  to  track  the  IP  address  using  a service such as http://dyndns.org/ + a dynamic DNS client such as ddclient.

          If the peer cannot be reached, a restart will be triggered,  causing  the  hostname used with --remote to be re-resolved (if --resolv-retry is also specified).

答案2

连接后,您可以访问 LAN 上的单个节点,但无法访问其他节点。以下是发生的情况。您的路由器不知道如何为 OpenVPN 路由流量,因为它是一个“外部网络”。示例:

客户端 A 连接到 OpenVPN 服务器 B。

A分配的OpenVPN地址为172.19.0.2,服务器的OpenVPN地址为172.19.0.1,但其LAN地址为192.168.0.101。

A 正在尝试连接到 LAN 上的另一个盒子 192.168.0.33 (C)。为了实现这一点,流量必须从 A 发起,传输到 B,传输到 B 的网关(路由器)最后传输给C.

现在,继续前进。如果您没有 LAN 路由器的管理员权限,这些都不起作用:

因此,首先您需要在 OpenVPN 服务器上启用路由,以便它可以将数据包路由到网关。这将因您的操作系统而异,但您应该能够谷歌搜索“启用路由_“(您的操作系统名称)。这样做。

然后你需要在路由器上添加一条静态路由,以便它知道 openvpn 流量必须从 LAN 返回通过您的 openvpn 服务器。在您的路由器配置中找到静态路由部分,然后添加路由。该路由必须与您的服务器配置文件中的地址规范相匹配。因此,如果您的服务器配置文件将使用虚拟网络 10.20.0.0 和网络掩码 255.255.0.0,则您需要添加

network - 10.20.0.0
netmask - 255.255.0.0
gateway - 192.168.0.101 #replace this with your openvpn server's address on the lan)

那就可以了。

答案3

Ubuntu Server 14.04.1 如何在 LAN 网关以外的单独机器上设置 OpenVPN 服务器(可以访问服务器 LAN 上的其他机器)

确保您的 openvpn LAN 不是通常的 192.168.1.1 或 10.0.0.1。如果是,请登录您的路由器并更改第三个数字,即 192.168.(此数字).1

确保将路由器上的端口 1194 转发到 OpenVPN 服务器 IP

示例网络:

Gateway IP:            192.168.5.1
OpenVPN Server IP:     192.168.5.20

OpenVPN配置:

 port 1194
 proto udp
 dev tun0
 ca ca.crt
 cert server.crt
 key server.key
 dh dh2048.pem
 server 10.8.0.0 255.255.255.0
 ifconfig-pool-persist ipp.txt
 push "route 192.168.5.0 255.255.255.0"
 push "route 10.8.0.0 255.255.255.0"
 push "redirect-gateway def1 bypass-dhcp"
 push "dhcp-option DNS 8.8.8.8"
 push "dhcp-option DNS 8.8.4.4"
 client-to-client
 duplicate-cn
 keepalive 10 120
 tls-auth ta.key 0
 comp-lzo
 user nobody
 group nogroup
 persist-key
 persist-tun 
 status openvpn-status.log
 verb 3

编辑 /etc/network/interfaces:

 auto lo
 iface lo inet loopback

 auto eth0
 iface eth0 inet static
      address 192.168.5.20
      netmask 255.255.255.0
      broadcast 192.168.5.255
      network 192.168.5.0
      gateway 192.168.5.1
      dns-nameservers 8.8.8.8
      dns-nameservers 8.8.4.4

 post-up iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 192.168.5.20

确保注释掉 ipv6 设置

编辑/etc/sysctl.conf:

改变:

 #net.ipv4.ip_forward=1

到:

 net.ipv4.ip_forward=1

假设您的密钥和客户端配置都已整理好;重新启动服务器,您就可以开始了!

答案4

一般情况下,当您连接到 VPN 时,您可以访问远程 LAN,但您对本地 LAN 的访问将被阻止。

相关内容