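I have a working OpenVPN setup that I copied from one machine to another (the original machine is, of course, shut down). The client connects to the server (the server is unchanged), sets the IP and routes, but other than that, nothing works.
Server LAN 192.168.123.0
Client LAN 192.168.1.0
OpenVPN client IP 192.168.123.253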
openvpn /etc/openvpn/client.conf
Tue Nov 8 09:50:53 2016 OpenVPN 2.3.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 17 2016
Tue Nov 8 09:50:53 2016 library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.08
Tue Nov 8 09:50:53 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Nov 8 09:50:53 2016 Control Channel Authentication: using '/etc/openvpn/client/ta.key' as a OpenVPN static key file
Tue Nov 8 09:50:53 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 8 09:50:53 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 8 09:50:54 2016 Attempting to establish TCP connection with [AF_INET]XXX:XX940 [nonblock]
Tue Nov 8 09:50:55 2016 TCP connection established with [AF_INET]XXX:XX940
Tue Nov 8 09:50:55 2016 TCPv4_CLIENT link local: [undef]
Tue Nov 8 09:50:55 2016 TCPv4_CLIENT link remote: [AF_INET]XXX:XXXXX940
Tue Nov 8 09:50:55 2016 VERIFY OK: depth=1, C=DE, ST=Bayern, L=Munich, O=nothing, OU=private, CN=private, name=private, emailAddress=XXXX
Tue Nov 8 09:50:55 2016 VERIFY OK: depth=0, C=DE, ST=Bayern, L=Munich, O=nothing, OU=private, CN=server, name=private, emailAddress=XXX
Tue Nov 8 09:50:55 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Nov 8 09:50:55 2016 WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
Tue Nov 8 09:50:55 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 8 09:50:55 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Nov 8 09:50:55 2016 WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
Tue Nov 8 09:50:55 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 8 09:50:55 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Tue Nov 8 09:50:55 2016 [server] Peer Connection Initiated with [AF_INET]84.56.32.58:11940
Tue Nov 8 09:50:57 2016 TUN/TAP device tap0 opened
Tue Nov 8 09:50:57 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Nov 8 09:50:57 2016 /bin/ip link set dev tap0 up mtu 1500
Tue Nov 8 09:50:57 2016 /bin/ip addr add dev tap0 192.168.123.253/24 broadcast 192.168.123.255
Tue Nov 8 09:50:57 2016 Initialization Sequence Completed
On the client, the IP is set correctly and can be pinged
ifconfig
br0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
inet 192.168.1.2 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::c43:1ff:fea0:26de prefixlen 64 scopeid 0x20<link>
ether 0e:43:01:a0:26:de txqueuelen 1000 (Ethernet)
RX packets 107244 bytes 65503139 (62.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7740 bytes 2854919 (2.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::325a:3aff:fe0d:49e1 prefixlen 64 scopeid 0x20<link>
ether 30:5a:3a:0d:49:e1 txqueuelen 1000 (Ethernet)
RX packets 45013 bytes 7253888 (6.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 69966 bytes 62536816 (59.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Lokale Schleife)
RX packets 1737 bytes 155991 (152.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1737 bytes 155991 (152.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.123.253 netmask 255.255.255.0 broadcast 192.168.123.255
inet6 fe80::30ff:6bff:fe1f:8503 prefixlen 64 scopeid 0x20<link>
ether 32:ff:6b:1f:85:03 txqueuelen 100 (Ethernet)
RX packets 1060 bytes 51338 (50.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 377 bytes 39122 (38.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
~ # route
Kernel IP Routentabelle
Ziel Router Genmask Flags Metric Ref Use Iface
default wan.localnet 0.0.0.0 UG 13 0 0 br0
loopback 0.0.0.0 255.0.0.0 U 0 0 0 lo
loopback localhost 255.0.0.0 UG 0 0 0 lo
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.123.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
~ # ping 192.168.123.253
PING 192.168.123.253 (192.168.123.253) 56(84) bytes of data.
64 bytes from 192.168.123.253: icmp_seq=1 ttl=64 time=0.245 ms
--- 192.168.123.253 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
~ # ping 192.168.123.150
PING 192.168.123.150 (192.168.123.150) 56(84) bytes of data.
--- 192.168.123.150 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1074ms
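Now my problem is that if I try this setup on machine A, everything works, but on machine B it does not. The only difference in the network configuration is that on machine B the TAP0 interface is already up and running from the network scripts (this machine also hosts 3 virtual machines that use the bridge)
Answer 1
In the client configuration file on machine B, change this statement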
dev tap0
to
dev tap1
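Restart OpenVPN. Also, keep in mind that if you do not instruct the hypervisor to use OpenVPN's virtual interface (tap1), your virtual machines will not be routed through OpenVPN. I don't know exactly what you want...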
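The fix above resolves a collision between the `dev` name in the client config and an interface the host had already brought up. The following pre-flight check is an added example, not part of the original question or answer: it reads the `dev` directive and reports whether that interface already exists or is a bridge port. The function names are hypothetical, and it assumes the Linux sysfs layout under /sys/class/net.

```shell
#!/bin/sh
# Added example: check an OpenVPN client config's `dev` name against
# interfaces that already exist on this host before starting the tunnel.

# conf_dev FILE: print the value of the last active `dev` directive.
conf_dev() {
    awk '$1 == "dev" { d = $2 } END { if (d != "") print d }' "$1"
}

# dev_state NAME [NETDIR]: print one of
#   free              no such interface yet, OpenVPN will create it
#   exists            interface was created by something else
#   bridged:<bridge>  interface exists and is a port of <bridge>
dev_state() {
    dev=$1
    net=${2:-/sys/class/net}   # assumption: standard sysfs location
    if [ ! -e "$net/$dev" ]; then
        echo free
    elif [ -L "$net/$dev/master" ]; then
        # `master` is a symlink to the bridge the port is enslaved to
        echo "bridged:$(basename "$(readlink "$net/$dev/master")")"
    else
        echo exists
    fi
}

# check_conf FILE [NETDIR]: return 0 if the configured name is safe to use,
# 1 if it collides with an existing interface, 2 if no `dev` line is present.
check_conf() {
    conf=$1
    name=$(conf_dev "$conf")
    case $name in
        '')      echo "$conf: no dev directive"; return 2 ;;
        tap|tun) echo "$conf: dev $name is dynamic, a free unit is chosen"
                 return 0 ;;
    esac
    state=$(dev_state "$name" "$2")
    echo "$conf: dev $name -> $state"
    [ "$state" = free ]
}

# Stand-alone use: sh check.sh /etc/openvpn/client.conf
[ "$#" -eq 0 ] || check_conf "$@"
```

On a host like machine B, a result of `exists` or `bridged:<bridge>` for `tap0` is the cue to choose an unused unit such as `tap1`.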