我的目标是将一台 PC 从互联网连接到我家里的本地 VPN,然后访问本地 LAN 中的计算机。
解释:
****** ************** ****************** *********
* PC * ----------> * ISP-ROUTER * -----> * OPENWRT ROUTER * ------> * My PC *
****** INTERNET ************** DMZ ****************** WLAN *********
OpenWRT 路由器通过 LAN 端口而不是 WAN 端口连接,因为 ISP 路由器已经提供 LAN。
OpenWRT 路由器正在运行 OpenVPN。我可以从互联网一侧的 PC 连接到我的 VPN,但无法 ping 通“我的 PC”。
我尝试了在互联网上找到的所有方法,但总是得到相同的结果。OpenWRT 路由器是运行 OpenWRT 12.04 的 Netgear WNDR3700。
这是我尝试过的配置,但没有得到积极的结果:
/etc/config/openvpn
# OpenVPN server configuration as first tried. The accepted answer below keeps
# every line and adds one server-side `route` directive.
# NOTE(review): the page labels this /etc/config/openvpn, but the text is plain
# OpenVPN syntax rather than UCI — confirm which file the daemon actually loads.
port 1194
proto udp
# `dev tun` creates a tunX device (typically tun0). The network config's 'vpn'
# interface references 'tun0-00'; confirm the two names really match.
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
# 1024-bit DH parameters are below current guidance (2048-bit or larger);
# regenerate a larger file when convenient.
dh /etc/openvpn/dh1024.pem
# VPN clients get addresses from 10.8.0.0/24, which does not overlap the
# 10.0.0.0/24 LAN behind the router.
server 10.8.0.0 255.255.255.0
# Tells clients to send 10.0.0.0/24 through the tunnel. There is no matching
# server-side `route` line here; that is what the answer adds.
push "route 10.0.0.0 255.255.255.0"
# Lets VPN clients reach each other directly inside OpenVPN, so that traffic
# never passes through the router firewall.
client-to-client
# Allows several concurrent sessions with the same certificate CN. This
# weakens per-client revocation and accountability; remove it once every
# client has its own certificate.
duplicate-cn
keepalive 10 120
# Compression on an encrypted link is discouraged by current OpenVPN releases
# because it creates a compression side channel; disable unless required.
comp-lzo
persist-key
persist-tun
status /tmp/openvpn-status.log
verb 3
/etc/config/network
# /etc/config/network (OpenWrt UCI syntax). The router sits on the ISP
# router's LAN as 10.0.0.5 and uses the ISP router (10.0.0.4) as gateway.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# 'lan' bridges the switch VLAN and both radios. Since the ISP router already
# provides the LAN, this is also the path over which the OpenVPN server is
# reached (the DMZ forward from the ISP router lands here, not on 'wan').
config interface 'lan'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '10.0.0.5'
option gateway '10.0.0.4'
option broadcast '10.0.0.255'
option dns '8.8.8.8'
option ifname 'eth0.1 wlan0 radio1.network1'
option bridge 'true'
# 'wan' (eth1) appears unused in this topology — the uplink is the LAN port.
# NOTE(review): inferred from the description; confirm nothing is connected.
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
config switch
option name 'rtl8366s'
option reset '1'
option enable_vlan '1'
option blinkrate '2'
config switch_vlan
option device 'rtl8366s'
option vlan '1'
option ports '0 1 2 3 5t'
config switch_port
option device 'rtl8366s'
option port '1'
option led '6'
config switch_port
option device 'rtl8366s'
option port '2'
option led '9'
config switch_port
option device 'rtl8366s'
option port '5'
option led '2'
# Interface the firewall's 'vpn' zone is bound to. OpenVPN with `dev tun`
# names its device tunX (usually tun0); if the real name differs from
# 'tun0-00', the zone never matches tunnel traffic and the firewall defaults
# apply to it instead.
# NOTE(review): the trailing backtick on the ifname line looks like a paste
# artifact — confirm it is not in the real file, as UCI is unlikely to accept it.
config interface 'vpn'
option proto 'none'
option ifname 'tun0-00'`
/etc/config/firewall
# /etc/config/firewall (OpenWrt UCI syntax).
# Defaults apply to traffic on interfaces that belong to no zone. With
# input 'ACCEPT' here, an unzoned tunnel device (e.g. if the 'vpn' ifname does
# not match the real tun device) would be fully open towards the router.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# 'wan' is not in the traffic path in this setup (uplink is via the LAN port);
# inbound OpenVPN packets from the ISP router's DMZ arrive in 'lan', where
# input is already ACCEPT.
config zone
option name 'wan'
option network 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# 'vpn' zone covers the tunnel. masq '1' rewrites LAN-originated traffic
# leaving towards VPN clients to the router's tunnel address, which hides LAN
# source addresses from clients; forward 'ACCEPT' allows traffic between
# interfaces inside this zone.
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option network 'vpn'
config forwarding
option src 'lan'
option dest 'wan'
# vpn -> lan is what lets VPN clients reach LAN hosts; lan -> vpn the reverse.
config forwarding
option src 'vpn'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'vpn'
# The following rules are the OpenWrt defaults for the 'wan' zone.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
# Accepts 1194 from the 'vpn' zone, i.e. from clients already inside the
# tunnel; it does not open the port for new incoming connections. With the
# uplink on 'lan' (input ACCEPT) it is redundant but harmless; if the WAN port
# were ever used, the src would have to be 'wan' for the server to be reachable.
config rule
option src 'vpn'
option target 'ACCEPT'
option name 'VPN'
option dest_port '1194'
option proto 'tcpudp'
option family 'ipv4'
# No dest, so this is an input rule: TCP 9100 to the router itself from 'lan'.
config rule
option target 'ACCEPT'
option proto 'tcp'
option dest_port '9100'
option name 'Printer 0'
option src 'lan'
我尝试过的所有方法都得到相同的结果:连接 VPN 没问题,但 ping 本地 PC 不工作。我甚至无法 ping 路由器的内部 IP。
希望您能帮助我。提前致谢。
答案1
根据这篇文章,我找到了问题所在: 如何以低成本方式通过互联网连接多个网络
在我的配置中,我只把路由推送给了客户端,却没有在服务器本身上添加对应的路由。所以我添加了这一行:`route 10.0.0.0 255.255.255.0`
一切正常。
新的配置文件:
# Working OpenVPN server configuration. The only change from the original
# attempt is the added server-side `route` line below.
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
# 1024-bit DH parameters are below current guidance (2048-bit or larger);
# consider regenerating a larger file.
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
# Added line: installs the 10.0.0.0/24 route on the server side of the tunnel
# as well, so LAN-bound traffic from clients is routed instead of only being
# advertised to them via `push`.
route 10.0.0.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
# VPN clients can talk to each other directly inside OpenVPN, bypassing the
# router firewall for that traffic.
client-to-client
# Several sessions may share one certificate CN; this weakens per-client
# revocation and accountability — drop it once each client has its own cert.
duplicate-cn
keepalive 10 120
# Compression over the encrypted link is discouraged by current OpenVPN
# releases (compression side channel); disable unless required.
comp-lzo
persist-key
persist-tun
status /tmp/openvpn-status.log
verb 3