VPN 服务器 (Linux) 位于路由器后面。我想从外部网络连接到我的 VPN 服务器并访问服务器本地网络中的设备(以及服务器本身)。
本地网络的地址范围是 192.168.178.0/24
我也将一些端口转发到了我的 VPN 服务器:1194、80、21、443、1723
!!由于已达到体量限制,我删除了之前的信息!!
编辑4:当前设置的完整列表:这是我的服务器配置:
port 1194
proto udp
dev tap
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/VPNServer.crt
key /etc/openvpn/easy-rsa/keys/VPNServer.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server-bridge 192.168.178.1 255.255.255.0 192.168.178.111 192.168.178.120
push "route-gateway 192.168.178.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 192.168.178.1"
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 3
我的客户端配置如下所示。
port 1194
client
dev tap
proto udp
remote mydyndns
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
我的服务器接口配置如下:
auto lo
iface lo inet loopback
allow-hotplug eth0
auto br0
iface br0 inet static
address 192.168.178.123
netmask 255.255.255.0
gateway 192.168.178.1
bridge_ports eth0
dns-nameservers 192.168.178.1
iface eth0 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down
还有我的 rc.local
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
我的 sysctl net.ipv4.ip_forward 输出是 net.ipv4.ip_forward = 1
我的客户端日志输出如下:
Fri Sep 12 13:03:58 2014 OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 7 2014
Fri Sep 12 13:03:58 2014 library versions: OpenSSL 1.0.1i 6 Aug 2014, LZO 2.05
Enter Management Password:
Fri Sep 12 13:03:58 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Fri Sep 12 13:03:58 2014 Need hold release from management interface, waiting...
Fri Sep 12 13:03:59 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Fri Sep 12 13:03:59 2014 MANAGEMENT: CMD 'state on'
Fri Sep 12 13:03:59 2014 MANAGEMENT: CMD 'log all on'
Fri Sep 12 13:03:59 2014 MANAGEMENT: CMD 'hold off'
Fri Sep 12 13:03:59 2014 MANAGEMENT: CMD 'hold release'
Fri Sep 12 13:03:59 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Sep 12 13:03:59 2014 MANAGEMENT: >STATE:1410519839,RESOLVE,,,
Fri Sep 12 13:04:00 2014 UDPv4 link local: [undef]
Fri Sep 12 13:04:00 2014 UDPv4 link remote: [AF_INET]86.103.178.165:1194
Fri Sep 12 13:04:00 2014 MANAGEMENT: >STATE:1410519840,WAIT,,,
Fri Sep 12 13:04:00 2014 MANAGEMENT: >STATE:1410519840,AUTH,,,
Fri Sep 12 13:04:00 2014 TLS: Initial packet from [AF_INET]86.103.178.165:1194, sid=bebc894c 68e04336
Fri Sep 12 13:04:02 2014 VERIFY OK: depth=1, C=DE, ST=SH, L=Kiel, OU=changeme, CN=j0chn.spdns.de, name=changeme, [email protected]
Fri Sep 12 13:04:02 2014 VERIFY OK: nsCertType=SERVER
Fri Sep 12 13:04:02 2014 VERIFY OK: depth=0, C=DE, ST=SH, L=Kiel, OU=changeme, CN=j0chn.spdns.de, name=changeme, [email protected]
Fri Sep 12 13:04:05 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 12 13:04:05 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 12 13:04:05 2014 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 12 13:04:05 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 12 13:04:05 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Sep 12 13:04:05 2014 [j0chn.spdns.de] Peer Connection Initiated with [AF_INET]86.103.178.165:1194
Fri Sep 12 13:04:06 2014 MANAGEMENT: >STATE:1410519846,GET_CONFIG,,,
Fri Sep 12 13:04:08 2014 SENT CONTROL [j0chn.spdns.de]: 'PUSH_REQUEST' (status=1)
Fri Sep 12 13:04:08 2014 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.178.1,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 192.168.178.1,route-gateway 192.168.178.1,ping 10,ping-restart 120,ifconfig 192.168.178.112 255.255.255.0'
Fri Sep 12 13:04:08 2014 OPTIONS IMPORT: timers and/or timeouts modified
Fri Sep 12 13:04:08 2014 OPTIONS IMPORT: --ifconfig/up options modified
Fri Sep 12 13:04:08 2014 OPTIONS IMPORT: route options modified
Fri Sep 12 13:04:08 2014 OPTIONS IMPORT: route-related options modified
Fri Sep 12 13:04:08 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Sep 12 13:04:08 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Sep 12 13:04:08 2014 MANAGEMENT: >STATE:1410519848,ASSIGN_IP,,192.168.178.112,
Fri Sep 12 13:04:08 2014 open_tun, tt->ipv6=0
Fri Sep 12 13:04:08 2014 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{4DD19686-B673-493E-99DB-23F3D1AF7239}.tap
Fri Sep 12 13:04:08 2014 TAP-Windows Driver Version 9.21
Fri Sep 12 13:04:08 2014 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.178.112/255.255.255.0 on interface {4DD19686-B673-493E-99DB-23F3D1AF7239} [DHCP-serv: 192.168.178.0, lease-time: 31536000]
Fri Sep 12 13:04:08 2014 Successful ARP Flush on interface [25] {4DD19686-B673-493E-99DB-23F3D1AF7239}
Fri Sep 12 13:04:13 2014 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Fri Sep 12 13:04:13 2014 C:\WINDOWS\system32\route.exe ADD 86.103.178.165 MASK 255.255.255.255 192.168.42.129
Fri Sep 12 13:04:13 2014 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=10 and dwForwardType=4
Fri Sep 12 13:04:13 2014 Route addition via IPAPI succeeded [adaptive]
Fri Sep 12 13:04:13 2014 C:\WINDOWS\system32\route.exe ADD 192.168.42.129 MASK 255.255.255.255 192.168.42.129 IF 24
Fri Sep 12 13:04:13 2014 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=10 and dwForwardType=4
Fri Sep 12 13:04:13 2014 Route addition via IPAPI succeeded [adaptive]
Fri Sep 12 13:04:13 2014 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.178.1
Fri Sep 12 13:04:13 2014 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Fri Sep 12 13:04:13 2014 Route addition via IPAPI succeeded [adaptive]
Fri Sep 12 13:04:13 2014 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.178.1
Fri Sep 12 13:04:13 2014 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Fri Sep 12 13:04:13 2014 Route addition via IPAPI succeeded [adaptive]
Fri Sep 12 13:04:13 2014 Initialization Sequence Completed
Fri Sep 12 13:04:13 2014 MANAGEMENT: >STATE:1410519853,CONNECTED,SUCCESS,192.168.178.112,86.103.178.165
编辑 5:新的服务器日志。
Fri Sep 12 17:15:07 2014 MULTI: multi_create_instance called
Fri Sep 12 17:15:07 2014 109.47.193.65:62284 Re-using SSL/TLS context
Fri Sep 12 17:15:07 2014 109.47.193.65:62284 LZO compression initialized
Fri Sep 12 17:15:07 2014 109.47.193.65:62284 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Sep 12 17:15:07 2014 109.47.193.65:62284 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Sep 12 17:15:07 2014 109.47.193.65:62284 Local Options hash (VER=V4): 'f7df56b8'
Fri Sep 12 17:15:07 2014 109.47.193.65:62284 Expected Remote Options hash (VER=V4): 'd79ca330'
Fri Sep 12 17:15:07 2014 109.47.193.65:62284 TLS: Initial packet from [AF_INET]109.47.193.65:62284, sid=c07bdc21 48d01394
Fri Sep 12 17:15:08 2014 109.47.193.65:62284 VERIFY OK: depth=1, /C=DE/ST=SH/L=Kiel/OU=changeme/CN=j0chn.spdns.de/name=changeme/ema$
Fri Sep 12 17:15:08 2014 109.47.193.65:62284 VERIFY OK: depth=0, /C=DE/ST=SH/L=Kiel/OU=changeme/CN=j0chns/name=changeme/emailAddres$
Fri Sep 12 17:15:09 2014 109.47.193.65:62284 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 12 17:15:09 2014 109.47.193.65:62284 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 12 17:15:09 2014 109.47.193.65:62284 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 12 17:15:09 2014 109.47.193.65:62284 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 12 17:15:09 2014 109.47.193.65:62284 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Sep 12 17:15:09 2014 109.47.193.65:62284 [j0chns] Peer Connection Initiated with [AF_INET]109.47.193.65:62284
Fri Sep 12 17:15:09 2014 j0chns/109.47.193.65:62284 MULTI_sva: pool returned IPv4=192.168.178.111, IPv6=bccd:800:8ced:200:14c2:700:$
Fri Sep 12 17:15:11 2014 j0chns/109.47.193.65:62284 PUSH: Received control message: 'PUSH_REQUEST'
Fri Sep 12 17:15:11 2014 j0chns/109.47.193.65:62284 send_push_reply(): safe_cap=960
Fri Sep 12 17:15:11 2014 j0chns/109.47.193.65:62284 SENT CONTROL [j0chns]: 'PUSH_REPLY,route-gateway 192.168.178.1,redirect-gateway$
Fri Sep 12 17:15:11 2014 j0chns/109.47.193.65:62284 MULTI: Learn: 00:ff:4d:d1:96:86 -> j0chns/109.47.193.65:62284
Fri Sep 12 17:18:14 2014 MULTI: multi_create_instance called
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Re-using SSL/TLS context
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 LZO compression initialized
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Local Options hash (VER=V4): 'f7df56b8'
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Expected Remote Options hash (VER=V4): 'd79ca330'
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 TLS: Initial packet from [AF_INET]86.103.178.165:57350, sid=25abeaaa 58473451
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 VERIFY OK: depth=1, /C=DE/ST=SH/L=Kiel/OU=changeme/CN=j0chn.spdns.de/name=changeme/em$
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 VERIFY OK: depth=0, /C=DE/ST=SH/L=Kiel/OU=changeme/CN=j0chns/name=changeme/emailAddre$
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 [j0chns] Peer Connection Initiated with [AF_INET]86.103.178.165:57350
Fri Sep 12 17:18:14 2014 j0chns/86.103.178.165:57350 MULTI_sva: pool returned IPv4=192.168.178.112, IPv6=bccd:800:8ced:200:14c2:700$
Fri Sep 12 17:18:17 2014 j0chns/86.103.178.165:57350 PUSH: Received control message: 'PUSH_REQUEST'
Fri Sep 12 17:18:17 2014 j0chns/86.103.178.165:57350 send_push_reply(): safe_cap=960
Fri Sep 12 17:18:17 2014 j0chns/86.103.178.165:57350 SENT CONTROL [j0chns]: 'PUSH_REPLY,route-gateway 192.168.178.1,redirect-gatewa$
Fri Sep 12 17:18:18 2014 j0chns/86.103.178.165:57350 MULTI: Learn: 00:ff:4d:d1:96:86 -> j0chns/86.103.178.165:57350
还有另一项编辑:
我将详细级别从 3 增加到 9 并获得了新信息:
Sat Sep 13 17:36:11 2014 us=76111 TLS State Error: No TLS state for client [AF_INET]86.103.202.242:55140, opcode=6
Sat Sep 13 17:36:11 2014 us=76308 GET INST BY REAL: 86.103.202.242:55140 [failed]
也许这能有帮助!?
答案1
您的客户端文件缺少远程服务器的 IP 地址以及用于联系服务器本身的端口指示。换句话说,您缺少:
port 1194
remote IP.ADDRESS.OF.SERVER
另外,我不明白为什么您要为客户端使用子网 10.8.0.0/24。您已经选择了轻敲桥接 OpenVPN 的接口(不错的选择,可以更轻松地访问 LAN 上的所有 PC,且无需额外付费),因此无需使用不同的子网。您的服务器文件应包含以下语句
server-bridge 192.168.178.1 255.255.255.0 192.168.178.111 192.168.178.120
push "route-gateway 192.168.178.1"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.178.1"
push "dhcp-option DNS 208.67.222.222"
第一条语句指示服务器在 192.168.178.(111-120) 池中为远程客户端提取 IP 地址。只需确保您的 LAN 上的 DHCP 服务器不会尝试自己使用这些地址,在这种情况下,您必须为 OpenVPN 池选择不同的池。其他语句显而易见。
最后,除了上述声明之外,没有必要定义单独的路线。
编辑:
您需要更改 iptables 并在服务器上建立桥接。
将您的 /etc/netorking/interfaces 文件更改为如下所示:
自动 lo iface lo inet 环回
自动 br0 iface br0 inet 静态地址 192.168.178.123 网络掩码 255.255.255.0 网关 192.168.178.1 bridge_ports eth0 dns-nameservers 192.168.178.1
iface eth0 inet manual 启动 ifconfig $IFACE 0.0.0.0 启动 启动 ip 链路设置 $IFACE promisc on 停止 ip 链路设置 $IFACE promisc off 停止 ifconfig $IFACE down
重新启动服务器以使此操作生效。检查服务器是否正确连接到互联网。然后按如下方式更改 iptables 规则:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat –A POSTROUTING -o br0 -j MASQUERADE
启动 OpenVPN 服务器,并将 tap0 接口添加到网桥,
sudo brctl addif br0 tap0
现在尝试从客户端连接。
编辑2:
此 iptables 规则
iptables -t nat -A POSTROUTING -j MASQUERADE
应该
iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
另外,请使用tap0代替轻敲在服务器配置文件中。请重新启动并通知我。