OpenVPN 隧道出现问题

OpenVPN 隧道出现问题

刚刚重新加载我的操作系统 (Linux Mint 19),我正在尝试运行我的 VPN 连接。我使用与之前的操作系统相同的 .ovpn 配置文件(运行良好),但现在我似乎无法正确配置隧道(即使它说它已连接)。 anip a显示 tun0 的配置如下:

11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none 
    inet 10.8.0.14 peer 10.8.0.13/32 brd 10.8.0.14 scope global noprefixroute tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::492b:6fe4:1395:8619/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

我的客户端配置文件:

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote premprovsol.com 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
#ca ca.crt
#cert client.crt
#key client.key

# Verify server certificate by checking that the
# certicate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
#   digitalSignature, keyEncipherment
# and the extendedKeyUsage to
#   serverAuth
# EasyRSA can do this for you.
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC
auth SHA256
key-direction 1

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
#certs are below

通常,我会将 NFS 共享挂载到 10.8.0.1 服务器地址上,但我对该地址唯一能做的就是对其执行 ping 操作。我有什么遗漏的吗?

日志控制--

Logs begin at Tue 2018-07-10 21:24:32 EDT, end at Wed 2018-07-11 11:25:24 EDT. --
Jul 10 21:24:43 Shawn-Home systemd[1]: Starting OpenVPN service...
Jul 10 21:24:43 Shawn-Home systemd[1]: Started OpenVPN service.
Jul 11 08:01:12 Shawn-Home systemd[1]: Stopped OpenVPN service.
-- Reboot --
Jul 11 08:04:32 Shawn-Home systemd[1]: Starting OpenVPN service...
Jul 11 08:04:32 Shawn-Home systemd[1]: Started OpenVPN service.
Jul 11 09:01:18 Shawn-Home systemd[1]: Stopped OpenVPN service.
-- Reboot --
Jul 11 09:02:11 Shawn-Home systemd[1]: Starting OpenVPN service...
Jul 11 09:02:11 Shawn-Home systemd[1]: Started OpenVPN service.

openvpn 命令日志:

Wed Jul 11 11:54:56 2018 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 10 2018
Wed Jul 11 11:54:56 2018 library versions: OpenSSL 1.1.0g  2 Nov 2017, LZO 2.08
Wed Jul 11 11:54:56 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Jul 11 11:54:56 2018 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jul 11 11:54:56 2018 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jul 11 11:54:56 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]97.76.87.146:1194
Wed Jul 11 11:54:56 2018 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jul 11 11:54:56 2018 UDP link local: (not bound)
Wed Jul 11 11:54:56 2018 UDP link remote: [AF_INET]97.76.87.146:1194
Wed Jul 11 11:54:56 2018 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Wed Jul 11 11:54:57 2018 TLS: Initial packet from [AF_INET]97.76.87.146:1194, sid=87606e28 e67e77b4
Wed Jul 11 11:54:58 2018 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Jul 11 11:54:58 2018 VERIFY KU OK
Wed Jul 11 11:54:58 2018 Validating certificate extended key usage
Wed Jul 11 11:54:58 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Jul 11 11:54:58 2018 VERIFY EKU OK
Wed Jul 11 11:54:58 2018 VERIFY OK: depth=0, CN=server
Wed Jul 11 11:54:58 2018 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Jul 11 11:54:58 2018 [server] Peer Connection Initiated with [AF_INET]97.76.87.146:1194
Wed Jul 11 11:54:59 2018 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Jul 11 11:54:59 2018 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.14 10.8.0.13,peer-id 1,cipher AES-256-GCM'
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: route options modified
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: peer-id set
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: adjusting link_mtu to 1624
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: data channel crypto options modified
Wed Jul 11 11:54:59 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Jul 11 11:54:59 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jul 11 11:54:59 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jul 11 11:54:59 2018 ROUTE_GATEWAY 10.0.10.1/255.255.255.0 IFACE=enp2s0 HWADDR=48:4d:7e:d2:08:0a
Wed Jul 11 11:54:59 2018 TUN/TAP device tun1 opened
Wed Jul 11 11:54:59 2018 TUN/TAP TX queue length set to 100
Wed Jul 11 11:54:59 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jul 11 11:54:59 2018 /sbin/ip link set dev tun1 up mtu 1500
Wed Jul 11 11:54:59 2018 /sbin/ip addr add dev tun1 local 10.8.0.14 peer 10.8.0.13
Wed Jul 11 11:54:59 2018 /etc/openvpn/update-resolv-conf tun1 1500 1552 10.8.0.14 10.8.0.13 init
Wed Jul 11 11:54:59 2018 /sbin/ip route add 10.8.0.1/32 via 10.8.0.13
Wed Jul 11 11:54:59 2018 GID set to nogroup
Wed Jul 11 11:54:59 2018 UID set to nobody
Wed Jul 11 11:54:59 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Jul 11 11:54:59 2018 Initialization Sequence Completed

相关内容