I have set up an OpenVPN server on Ubuntu 16.04 on AWS. I can connect to it from my local machine, and I can then reach the OpenVPN server via its private IP, but I cannot connect to the other EC2 instances in the subnet.
Here is my configuration.
Server config file
local ip-10-253-254-87
port 1194
proto udp
dev tun
ca ca.crt
cert myvpn.crt
key myvpn.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.253.0.0 255.255.0.0"
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
keepalive 60 3600
comp-lzo
max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 3
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.253.254.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.253.254.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
$ sysctl -p
net.ipv4.ip_forward = 1
Client connection log
Thu Oct 12 02:02:57 2017 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
Thu Oct 12 02:02:57 2017 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Thu Oct 12 02:02:57 2017 WARNING: file 'rahul.key' is group or others accessible
Thu Oct 12 02:02:57 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Oct 12 02:02:57 2017 UDPv4 link local: [undef]
Thu Oct 12 02:02:57 2017 UDPv4 link remote: [AF_INET]52.221.18.132:1194
Thu Oct 12 02:02:57 2017 TLS: Initial packet from [AF_INET]52.221.18.132:1194, sid=93a5928a db252cae
Thu Oct 12 02:02:58 2017 VERIFY OK: depth=1, C=SG, ST=SG, L=Singapore, O=XXXXXX, OU=XXXXXXDataEng, CN=XXXXXX CA, name=XXXXXXStatsVpn, [email protected]
Thu Oct 12 02:02:58 2017 Validating certificate key usage
Thu Oct 12 02:02:58 2017 ++ Certificate has key usage 00a0, expects 00a0
Thu Oct 12 02:02:58 2017 VERIFY KU OK
Thu Oct 12 02:02:58 2017 Validating certificate extended key usage
Thu Oct 12 02:02:58 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Oct 12 02:02:58 2017 VERIFY EKU OK
Thu Oct 12 02:02:58 2017 VERIFY OK: depth=0, C=SG, ST=SG, L=Singapore, O=XXXXXX, OU=XXXXXXDataEng, CN=XXXXXXstatsvpn, name=XXXXXXStatsVpn, [email protected]
Thu Oct 12 02:02:58 2017 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Oct 12 02:02:58 2017 WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
Thu Oct 12 02:02:58 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Oct 12 02:02:58 2017 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Oct 12 02:02:58 2017 WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
Thu Oct 12 02:02:58 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Oct 12 02:02:58 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Oct 12 02:02:58 2017 [XXXXXXstatsvpn] Peer Connection Initiated with [AF_INET]52.221.18.132:1194
Thu Oct 12 02:03:00 2017 SENT CONTROL [XXXXXXstatsvpn]: 'PUSH_REQUEST' (status=1)
Thu Oct 12 02:03:00 2017 PUSH: Received control message: 'PUSH_REPLY,route 10.253.0.0 255.255.0.0,route 10.8.0.1,topology net30,ping 60,ping-restart 3600,ifconfig 10.8.0.6 10.8.0.5'
Thu Oct 12 02:03:00 2017 OPTIONS IMPORT: timers and/or timeouts modified
Thu Oct 12 02:03:00 2017 OPTIONS IMPORT: --ifconfig/up options modified
Thu Oct 12 02:03:00 2017 OPTIONS IMPORT: route options modified
Thu Oct 12 02:03:00 2017 ROUTE_GATEWAY 192.168.31.1/255.255.255.0 IFACE=wlp3s0 HWADDR=b4:6d:83:ce:88:12
Thu Oct 12 02:03:00 2017 TUN/TAP device tun0 opened
Thu Oct 12 02:03:00 2017 TUN/TAP TX queue length set to 100
Thu Oct 12 02:03:00 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Oct 12 02:03:00 2017 /sbin/ip link set dev tun0 up mtu 1500
Thu Oct 12 02:03:00 2017 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Thu Oct 12 02:03:00 2017 /sbin/ip route add 10.253.0.0/16 via 10.8.0.5
Thu Oct 12 02:03:00 2017 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Thu Oct 12 02:03:00 2017 Initialization Sequence Completed
Client routing table
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.31.1 0.0.0.0 UG 600 0 0 wlp3s0
10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun0
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.253.0.0 10.8.0.5 255.255.0.0 UG 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 docker0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.31.0 0.0.0.0 255.255.255.0 U 600 0 0 wlp3s0
Pinging the OpenVPN server via its private IP succeeds
$ ping 10.253.254.87
PING 10.253.254.87 (10.253.254.87) 56(84) bytes of data.
64 bytes from 10.253.254.87: icmp_seq=1 ttl=64 time=70.3 ms
64 bytes from 10.253.254.87: icmp_seq=2 ttl=64 time=70.4 ms
Problem: cannot ping any other machine in the subnet
$ ping 10.253.2.139
PING 10.253.2.139 (10.253.2.139) 56(84) bytes of data.
Route configuration in the AWS route table
Destination   Target                              Status   Propagated
10.8.0.0/24   eni-47050xxx / i-0ec7207caba88xxx   Active   No
Answer 1
You should try disabling the "Source/Destination Check" on the OpenVPN instance, as described here: Amazon documentation
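Added example (not part of the question or the answer): a small shell script that reads the instance's source/destination-check attribute with the AWS CLI and turns it off only when it is on, which is the change the answer recommends. The instance id is a placeholder; the post shows it only in redacted form (i-0ec7207caba88xxx), and a configured AWS CLI is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Requires a configured AWS CLI
# with ec2:DescribeInstanceAttribute and ec2:ModifyInstanceAttribute rights.
set -eu

# Print "True" or "False": the current SourceDestCheck value of the instance.
source_dest_check_state() {
    instance_id="$1"
    aws ec2 describe-instance-attribute \
        --instance-id "$instance_id" \
        --attribute sourceDestCheck \
        --query 'SourceDestCheck.Value' \
        --output text
}

# Disable the check only if it is enabled. Returns 0 when a change was made,
# 1 when the check was already off. With the check on, EC2 drops packets that
# the VPN instance forwards with a 10.8.0.x source address, because that
# address does not belong to the instance's own ENI, so the VPC route
# 10.8.0.0/24 -> eni-... alone is not enough.
disable_source_dest_check() {
    instance_id="$1"
    if [ "$(source_dest_check_state "$instance_id")" = "True" ]; then
        aws ec2 modify-instance-attribute \
            --instance-id "$instance_id" \
            --no-source-dest-check
        return 0
    fi
    return 1
}

# Usage (placeholder id):
#   disable_source_dest_check i-0123456789abcdef0 && echo "check disabled"
```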