OpenWrt 上的 OpenVPN 不起作用,行为非常奇怪。


我正在尝试在 OpenWrt 上设置 OpenVPN,我相信我设置正确,但它不起作用。当我尝试使用公共 IP 从局域网连接时,我得到:

Wed Mar  1 16:51:44 2017 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb  2 2016
Wed Mar  1 16:51:44 2017 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Wed Mar  1 16:51:44 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Mar  1 16:51:44 2017 UDPv4 link local (bound): [undef]
Wed Mar  1 16:51:44 2017 UDPv4 link remote: [AF_INET]IP:1194
Wed Mar  1 16:52:45 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Mar  1 16:52:45 2017 TLS Error: TLS handshake failed

服务器/客户端的设置详情如下。cat /etc/config/network:

# /etc/config/network as posted in the question.
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fdd5:039d:3d4d::/48'

config interface 'lan'
    # LAN bridge on eth1, 192.168.0.0/24; the DNAT targets in the firewall
    # config (192.168.0.150 / 192.168.0.180) live on this segment.
    option type 'bridge'
    option ifname 'eth1'
    option proto 'static'
    option ipaddr '192.168.0.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config interface 'wan'
    option ifname 'eth0'
    option _orig_ifname 'eth0'
    option _orig_bridge 'false'
    option proto 'static'
    # NOTE(review): 10.1.100.1 is an RFC 1918 (private) address, so the "public IP"
    # used in the question is not on this router. The device at 10.1.100.254
    # presumably has to forward UDP/1194 to 10.1.100.1, and a LAN client that
    # connects via the public IP additionally depends on NAT reflection upstream
    # (neither is visible from this config; confirm before debugging further here).
    option ipaddr '10.1.100.1'
    option netmask '255.255.255.0'
    option gateway '10.1.100.254'
    option dns '8.8.8.8 8.8.4.4'
    option type 'bridge'

config interface 'wan6'
    option ifname 'eth0'
    option proto 'dhcpv6'
    option type 'bridge'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 1 2 3 6'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '4 5'

config interface 'vpn0'
    # Logical interface wrapping the OpenVPN tun device so the firewall 'vpn'
    # zone can reference it; proto 'none' leaves addressing to OpenVPN.
    option ifname 'tun0'
    option proto 'none'
    option auto '1'

cat /etc/config/firewall:

# /etc/config/firewall as posted. The paste appears to restart at the second
# 'config defaults' below and to resume the cut-off Allow-DHCP-Renew rule after
# the second 'VPN' rule; the rules themselves are the same in both copies.
config defaults
    # Global policies: INPUT/OUTPUT accept, FORWARD reject. Zones below
    # override these per interface group.
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    # wan: nothing reaches the router or is forwarded from outside unless a
    # rule/redirect below allows it; masq NATs traffic leaving via wan.
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
  # NOTE(review): the listing repeats from here (paste artifact); the rules
  # up to the second 'VPN' rule duplicate the ones above and below.
  config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config include
    # Runs /etc/firewall.user. The same include appears again after the VPN
    # forwardings, so that script is executed more than once per reload;
    # presumably a single entry is intended (confirm).
    option path '/etc/firewall.user'

config rule
    # IPsec pass-through: forward ESP and IKE (UDP/500) from wan into lan.
    # Unrelated to OpenVPN.
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config redirect
    # Port forwards from wan into lan. These expose SSH (22), MySQL (3306) and
    # port 2003 on 192.168.0.150 to the wan zone; 'tcp udp' is wider than
    # SSH or MySQL need, as both are TCP-only.
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp udp'
    option src_dport '22'
    option dest_ip '192.168.0.150'
    option dest_port '22'
    option name 'centraldb'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp udp'
    option src_dport '3306'
    option dest_ip '192.168.0.150'
    option dest_port '3306'
    option name 'centraldb'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp udp'
    option src_dport '2003'
    option dest_ip '192.168.0.150'
    option dest_port '2003'
    option name 'centraldb'

config redirect
    # HTTP/HTTPS forwarded to 192.168.0.180.
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp'
    option src_dport '443'
    option dest_port '443'
    option name 'loadbalancer'
    option dest_ip '192.168.0.180'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp'
    option src_dport '80'
    option dest_port '80'
    option name 'loadbalancer'
    option dest_ip '192.168.0.180'

config rule 'Allow_OpenVPN_Inbound'
    # Accepts UDP/1194 to the router itself from every zone ('*'), which
    # already includes wan; the 'VPN' rule at the end of the file is redundant
    # with this one. With this rule present, the 60 s TLS timeout in the log
    # most likely means the handshake packets never reach 10.1.100.1 (or the
    # replies never get back), not that this firewall drops them.
    option target 'ACCEPT'
    option src '*'
    option proto 'udp'
    option dest_port '1194'

config zone 'vpn'
    # Zone for OpenVPN clients (tun0 via interface 'vpn0'). input ACCEPT lets
    # clients talk to the router; forward REJECT is then opened selectively by
    # the three forwardings below. masq '1' source-NATs traffic leaving via
    # tun0 (e.g. lan -> vpn) to the tun0 address; it plays no part in the
    # inbound handshake.
    option name 'vpn'
    option network 'vpn0'
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option masq '1'

config forwarding 'vpn_forwarding_lan_in'
    option src 'vpn'
    option dest 'lan'

config forwarding 'vpn_forwarding_lan_out'
    option src 'lan'
    option dest 'vpn'

config forwarding 'vpn_forwarding_wan'
    option src 'vpn'
    option dest 'wan'

config include
    # Second include of the same script (see note on the first one).
    option path '/etc/firewall.user'

config rule
    # Duplicate of Allow_OpenVPN_Inbound (src '*' already covers wan); harmless.
    option target 'ACCEPT'
    option name 'VPN'
    option src 'wan'
    option proto 'udp'
    option dest_port '1194'

  # NOTE(review): continuation of the Allow-DHCP-Renew rule that was cut off
  # where the paste restarted above.
  option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config rule
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp udp'
    option src_dport '22'
    option dest_ip '192.168.0.150'
    option dest_port '22'
    option name 'centraldb'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp udp'
    option src_dport '3306'
    option dest_ip '192.168.0.150'
    option dest_port '3306'
    option name 'centraldb'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp udp'
    option src_dport '2003'
    option dest_ip '192.168.0.150'
    option dest_port '2003'
    option name 'centraldb'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp'
    option src_dport '443'
    option dest_port '443'
    option name 'loadbalancer'
    option dest_ip '192.168.0.180'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp'
    option src_dport '80'
    option dest_port '80'
    option name 'loadbalancer'
    option dest_ip '192.168.0.180'

config rule 'Allow_OpenVPN_Inbound'
    option target 'ACCEPT'
    option src '*'
    option proto 'udp'
    option dest_port '1194'

config zone 'vpn'
    option name 'vpn'
    option network 'vpn0'
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option masq '1'

config forwarding 'vpn_forwarding_lan_in'
    option src 'vpn'
    option dest 'lan'

config forwarding 'vpn_forwarding_lan_out'
    option src 'lan'
    option dest 'vpn'

config forwarding 'vpn_forwarding_wan'
    option src 'vpn'
    option dest 'wan'

config include
    option path '/etc/firewall.user'

config rule
    option target 'ACCEPT'
    option name 'VPN'
    option src 'wan'
    option proto 'udp'
    option dest_port '1194'

cat /etc/config/openvpn:

# UCI OpenVPN server instance; the option names appear to map 1:1 onto the
# directives of the server config shown further down.
config openvpn 'myvpn'
    option enabled '1'
    option verb '3'
    option port '1194'
    option proto 'udp'
    option dev 'tun'
    # Clients get addresses from 10.8.0.0/24.
    option server '10.8.0.0 255.255.255.0'
    option keepalive '10 120'
    # NOTE(review): no tls-auth key, no user/group privilege drop and no
    # explicit cipher/TLS settings are configured. Worth adding once the
    # tunnel comes up (tls-auth rather than tls-crypt, since the client in
    # the log runs OpenVPN 2.3.10), but none of this explains the handshake
    # timeout.
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/my-server.crt'
    option key '/etc/openvpn/my-server.key'
    option dh '/etc/openvpn/dh2048.pem'

客户端配置:

# Client side config.
dev tun
proto udp

log openvpn.log
verb 3

ca /etc/openvpn/ca.crt
cert /etc/openvpn/my-client.crt
key /etc/openvpn/my-client.key

client
# Makes the client check the server certificate's extended key usage, so a
# cert/key mix-up would surface as a verify error rather than as the 60 s
# "key negotiation failed" timeout in the log (OpenVPN's own hint for that
# message is to check connectivity).
remote-cert-tls server
# 'IP' stands for the public address used in the question (PUBLIC_IP in the
# nmap command).
remote IP 1194

服务器端的 OpenVPN 配置:

# Server side (an alphabetised dump of the same directives as the UCI
# 'myvpn' section). Nothing here pushes routes or a default gateway to
# clients, so reaching the LAN through the tunnel would additionally need
# e.g. push "route 192.168.0.0 255.255.255.0" — separate from the handshake
# problem.
ca /etc/openvpn/ca.crt
cert /etc/openvpn/my-server.crt
dev tun
dh /etc/openvpn/dh2048.pem
keepalive 10 120
key /etc/openvpn/my-server.key
port 1194
proto udp
server 10.8.0.0 255.255.255.0
verb 3

在客户端上执行 sudo nmap -sU -p 1194 PUBLIC_IP 得到:1194/udp open|filtered openvpn(对 UDP 端口而言,open|filtered 只表示 nmap 没有收到任何响应,并不能证明端口可达)。
