I have set up an OpenVPN server (Windows Server 2008 R2) and a client (Windows 7). Both can ping each other and I can see shared files and so on, but the VPN subnet cannot reach the Internet. I know (or I think) that I need to add a route, but I don't know which route to add or where to add it.
Here is a screenshot of my network adapter configuration:
Here is the ipconfig output:
C:\Users\Administrator.OWNEROR-0BE67KN>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::7c23:a:ec4e:2cfc%14
IPv4 Address. . . . . . . . . . . : 10.0.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . :
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::bd18:6249:9f7d:89a2%11
IPv4 Address. . . . . . . . . . . : 176.9.99.180
Subnet Mask . . . . . . . . . . . : 255.255.255.224
Default Gateway . . . . . . . . . : 176.9.99.161
Tunnel adapter Local Area Connection* 9:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fd:cd2:137f:4ff6:9c4b
Link-local IPv6 Address . . . . . : fe80::cd2:137f:4ff6:9c4b%10
Default Gateway . . . . . . . . . : ::
Tunnel adapter 6TO4 Adapter:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
The routing table is as follows:
C:\Users\Administrator.OWNEROR-0BE67KN>netstat -r
===========================================================================
Interface List
14...00 ff e4 70 31 16 ......TAP-Win32 Adapter V9
11...54 04 a6 7e ee ae ......Realtek PCIe GBE Family Controller
1...........................Software Loopback Interface 1
10...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
12...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 176.9.99.161 176.9.99.180 11
10.0.0.0 255.255.255.252 On-link 10.0.0.1 286
10.0.0.1 255.255.255.255 On-link 10.0.0.1 286
10.0.0.3 255.255.255.255 On-link 10.0.0.1 286
10.8.0.0 255.255.255.0 10.8.0.2 176.9.99.180 11
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
176.9.99.160 255.255.255.224 On-link 176.9.99.180 266
176.9.99.180 255.255.255.255 On-link 176.9.99.180 266
176.9.99.191 255.255.255.255 On-link 176.9.99.180 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 176.9.99.180 266
224.0.0.0 240.0.0.0 On-link 10.0.0.1 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 176.9.99.180 266
255.255.255.255 255.255.255.255 On-link 10.0.0.1 286
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 176.9.99.161 1
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
10 58 ::/0 On-link
1 306 ::1/128 On-link
10 58 2001::/32 On-link
10 306 2001:0:5ef5:73b8:1c21:1dc8:4ff6:9c4b/128
On-link
11 266 fe80::/64 On-link
14 286 fe80::/64 On-link
10 306 fe80::/64 On-link
10 306 fe80::1c21:1dc8:4ff6:9c4b/128
On-link
14 286 fe80::7c23:a:ec4e:2cfc/128
On-link
11 266 fe80::bd18:6249:9f7d:89a2/128
On-link
1 306 ff00::/8 On-link
10 306 ff00::/8 On-link
11 266 ff00::/8 On-link
14 286 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
Update 1
Here are my client and server configuration files:
Server:
#server config file start
port 1194
proto udp
dev tun
server 10.0.0.0 255.255.255.224 #you may choose any subnet. 10.0.0.x is used for this example.
ca "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\server.crt"
key "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\server.key"
dh "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\dh1024.pem"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
#the following commands are optional
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 5
#config file ends
Client:
#client config file start
client
dev tun
proto udp
remote 176.9.99.180 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\client1.crt"
key "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\client1.key"
ns-cert-type server
comp-lzo
verb 5
explicit-exit-notify 2
ping 10
ping-restart 60
route-method exe
route-delay 2
# end of client config file
Answer 1
This is a typical VPN problem. Most VPNs are created to encrypt traffic between a specific source network and a specific destination network.
Here, however, the requirement is a specific source but an arbitrary destination. To route all traffic from the client through the VPN, you need the following directive:
push "redirect-gateway def1"
If your VPN gateway sits inside your network or in a DMZ, everything from there on should go smoothly, and your VPN server's default gateway should lead to the Internet. At the perimeter of the network you perform PAT (or hide NAT, or masquerade NAT, as it is also called) to give the traffic a public source address. The reply packets come back and are un-NATed to the VPN client address they came from, so your perimeter firewall or router will need a static route for the VPN client subnet pointing at the VPN server.
See the reference here.
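As an added illustration of the forward and return paths the answer describes (example code written here, not from the question or the answer), the script below parses rows in the format of the server's netstat -r table above, does a longest-prefix route lookup, and shows why the perimeter needs both NAT and a static route back to the VPN server. The two perimeter-router tables and the "upstream" next-hop name are constructed assumptions; the client address 10.0.0.3 is taken from the route table in the question.

```python
import ipaddress

# Constructed excerpt of the server's own "netstat -r" IPv4 table from the question:
# Network Destination, Netmask, Gateway, Interface, Metric.
SERVER_ROUTES = """
0.0.0.0 0.0.0.0 176.9.99.161 176.9.99.180 11
10.0.0.0 255.255.255.252 On-link 10.0.0.1 286
10.0.0.3 255.255.255.255 On-link 10.0.0.1 286
176.9.99.160 255.255.255.224 On-link 176.9.99.180 266
"""
# Hypothetical tables for the perimeter router (176.9.99.161), before and after
# the static route the answer calls for. "upstream" stands in for the ISP next hop.
ROUTER_BEFORE = """
0.0.0.0 0.0.0.0 upstream 176.9.99.161 1
176.9.99.160 255.255.255.224 On-link 176.9.99.161 1
"""
ROUTER_AFTER = ROUTER_BEFORE + "10.0.0.0 255.255.255.224 176.9.99.180 176.9.99.161 1\n"

def parse_routes(text):
    """Turn Windows route-table rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.strip().splitlines():
        dest, mask, gateway, iface, metric = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, ties broken by lowest metric; returns (gateway, interface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gateway, iface, metric in routes:
        if addr in net and (best is None or (net.prefixlen, -metric) > best[0]):
            best = ((net.prefixlen, -metric), gateway, iface)
    return None if best is None else (best[1], best[2])

def client_needs_nat(client_ip):
    """RFC 1918 client addresses are not routable on the Internet, so replies can
    only come back if the perimeter rewrites the source (PAT / masquerade)."""
    return ipaddress.ip_address(client_ip).is_private

def reply_returns_to_vpn_server(router_table, client_ip, vpn_server_ip="176.9.99.180"):
    """Does the perimeter router forward a de-NATed reply for client_ip to the VPN server?"""
    hop = lookup(parse_routes(router_table), client_ip)
    return hop is not None and hop[0] == vpn_server_ip

if __name__ == "__main__":
    print("client -> 8.8.8.8 leaves the server via", lookup(parse_routes(SERVER_ROUTES), "8.8.8.8"))
    print("client needs NAT:", client_needs_nat("10.0.0.3"))
    print("reply reaches VPN server without static route:", reply_returns_to_vpn_server(ROUTER_BEFORE, "10.0.0.3"))
    print("reply reaches VPN server with static route:", reply_returns_to_vpn_server(ROUTER_AFTER, "10.0.0.3"))
```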