My environment:
- The host PC runs Windows 11 with VMware.
- VMware hosts one VM (Ubuntu 22.04.3 LTS) with a bridged virtual NIC. Networking and internet access on that VM work fine.
- The VM has IP 192.168.0.101 on my internal network.
- OpenVPN runs in the VM on port 1194.
- My router forwards external port 1194 to IP 192.168.0.101 port 1194.
- The OpenVPN config is:
;local a.b.c.d
port 1194
proto tcp
;proto udp
dev tap1
;dev tun
;dev-node MyTap
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh.pem
topology subnet
;server 192.168.1.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
server-bridge 192.168.0.101 255.255.255.0 192.168.0.10 192.168.0.80
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.0.0 255.255.255.0
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;client-to-client
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
tls-crypt ta.key
cipher AES-256-CBC
;compress lz4-v2
;push "compress lz4-v2"
;comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
;log-append /var/log/openvpn/openvpn.log
verb 3
;mute 20
;explicit-exit-notify 1
- The bridge is set up with the script from the OpenVPN documentation: https://openvpn.net/community-resources/ethernet-bridging/#linuxscript
When I start OpenVPN without the bridge (bridge-start), the client (a Windows 10 laptop) can connect but cannot ping internal IPs such as 192.168.0.101 or 192.168.0.1. The server's ifconfig at that point is
ens33: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
inet 192.168.0.101 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::20c:29ff:feb0:e3db prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:b0:e3:db txqueuelen 1000 (Ethernet)
RX packets 253076 bytes 31066696 (31.0 MB)
RX errors 0 dropped 44 overruns 0 frame 0
TX packets 36565 bytes 4552858 (4.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 9652 bytes 9347692 (9.3 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 9652 bytes 9347692 (9.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
The client connection log is
2023-08-30 00:11:46 NOTE: --user option is not implemented on Windows
2023-08-30 00:11:46 NOTE: --group option is not implemented on Windows
2023-08-30 00:11:46 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). OpenVPN ignores --cipher for cipher negotiations.
2023-08-30 00:11:46 Note: dev-type not tun, disabling data channel offload.
2023-08-30 00:11:46 OpenVPN 2.6.6 [git:v2.6.6/c9540130121bfc21] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Aug 15 2023
2023-08-30 00:11:46 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-08-30 00:11:46 library versions: OpenSSL 3.1.2 1 Aug 2023, LZO 2.10
2023-08-30 00:11:46 DCO version: v0
2023-08-30 00:11:46 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2023-08-30 00:11:46 Need hold release from management interface, waiting...
2023-08-30 00:11:46 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:64082
2023-08-30 00:11:46 MANAGEMENT: CMD 'state on'
2023-08-30 00:11:46 MANAGEMENT: CMD 'log on all'
2023-08-30 00:11:46 MANAGEMENT: CMD 'echo on all'
2023-08-30 00:11:46 MANAGEMENT: CMD 'bytecount 5'
2023-08-30 00:11:46 MANAGEMENT: CMD 'state'
2023-08-30 00:11:46 MANAGEMENT: CMD 'hold off'
2023-08-30 00:11:46 MANAGEMENT: CMD 'hold release'
2023-08-30 00:11:46 MANAGEMENT: >STATE:1693343506,RESOLVE,,,,,,
2023-08-30 00:11:47 TCP/UDP: Preserving recently used remote address: [AF_INET]178.204.152.65:1194
2023-08-30 00:11:47 Socket Buffers: R=[65536->65536] S=[65536->65536]
2023-08-30 00:11:47 Attempting to establish TCP connection with [AF_INET]178.204.152.65:1194
2023-08-30 00:11:47 MANAGEMENT: >STATE:1693343507,TCP_CONNECT,,,,,,
2023-08-30 00:11:47 TCP connection established with [AF_INET]178.204.152.65:1194
2023-08-30 00:11:47 TCPv4_CLIENT link local: (not bound)
2023-08-30 00:11:47 TCPv4_CLIENT link remote: [AF_INET]178.204.152.65:1194
2023-08-30 00:11:47 MANAGEMENT: >STATE:1693343507,WAIT,,,,,,
2023-08-30 00:11:47 MANAGEMENT: >STATE:1693343507,AUTH,,,,,,
2023-08-30 00:11:47 TLS: Initial packet from [AF_INET]178.204.152.65:1194, sid=cbb3d817 e15dfba7
2023-08-30 00:11:47 VERIFY OK: depth=1, CN=Easy-RSA CA
2023-08-30 00:11:47 VERIFY KU OK
2023-08-30 00:11:47 Validating certificate extended key usage
2023-08-30 00:11:47 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-08-30 00:11:47 VERIFY EKU OK
2023-08-30 00:11:47 VERIFY OK: depth=0, CN=server
2023-08-30 00:11:47 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-08-30 00:11:47 [server] Peer Connection Initiated with [AF_INET]178.204.152.65:1194
2023-08-30 00:11:47 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-08-30 00:11:47 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-08-30 00:11:47 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.0.101,ping 10,ping-restart 120,ifconfig 192.168.0.10 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2023-08-30 00:11:47 OPTIONS IMPORT: --ifconfig/up options modified
2023-08-30 00:11:47 OPTIONS IMPORT: route-related options modified
2023-08-30 00:11:47 interactive service msg_channel=760
2023-08-30 00:11:47 open_tun
2023-08-30 00:11:47 tap-windows6 device [Local Area Connection] opened
2023-08-30 00:11:47 TAP-Windows Driver Version 9.26
2023-08-30 00:11:47 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.0.10/255.255.255.0 on interface {4E7E51BA-DA46-4527-9AAB-37CD543B55E9} [DHCP-serv: 192.168.0.0, lease-time: 31536000]
2023-08-30 00:11:47 Successful ARP Flush on interface [12] {4E7E51BA-DA46-4527-9AAB-37CD543B55E9}
2023-08-30 00:11:47 MANAGEMENT: >STATE:1693343507,ASSIGN_IP,,192.168.0.10,,,,
2023-08-30 00:11:47 IPv4 MTU set to 1500 on interface 12 using service
2023-08-30 00:11:47 Data Channel: cipher 'AES-256-GCM', peer-id: 0
2023-08-30 00:11:47 Timers: ping 10, ping-restart 120
2023-08-30 00:11:52 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
2023-08-30 00:11:52 Initialization Sequence Completed
2023-08-30 00:11:52 MANAGEMENT: >STATE:1693343512,CONNECTED,SUCCESS,192.168.0.10,178.204.152.65,1194,192.168.8.102,64083
The routes on the client at this point:
C:\Windows\system32>route print
===========================================================================
Interface List
17...a0 48 1c 11 ee 19 ......Realtek PCIe FE Family Controller
10...........................Wintun Userspace Tunnel
12...00 ff 4e 7e 51 ba ......TAP-Windows Adapter V9
24...........................OpenVPN Data Channel Offload
15...ae 15 a2 5c 31 dc ......Microsoft Wi-Fi Direct Virtual Adapter
7...ac 15 a2 5c 31 dc ......Microsoft Wi-Fi Direct Virtual Adapter #2
20...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
6...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
23...ac 15 a2 5c 31 dc ......TP-Link Wireless MU-MIMO USB Adapter
1...........................Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.8.1 192.168.8.102 55
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.0.0 255.255.255.0 On-link 192.168.0.10 281
192.168.0.10 255.255.255.255 On-link 192.168.0.10 281
192.168.0.255 255.255.255.255 On-link 192.168.0.10 281
192.168.8.0 255.255.255.0 On-link 192.168.8.102 311
192.168.8.102 255.255.255.255 On-link 192.168.8.102 311
192.168.8.255 255.255.255.255 On-link 192.168.8.102 311
192.168.137.0 255.255.255.0 On-link 192.168.137.1 291
192.168.137.1 255.255.255.255 On-link 192.168.137.1 291
192.168.137.255 255.255.255.255 On-link 192.168.137.1 291
192.168.159.0 255.255.255.0 On-link 192.168.159.1 291
192.168.159.1 255.255.255.255 On-link 192.168.159.1 291
192.168.159.255 255.255.255.255 On-link 192.168.159.1 291
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.137.1 291
224.0.0.0 240.0.0.0 On-link 192.168.159.1 291
224.0.0.0 240.0.0.0 On-link 192.168.0.10 281
224.0.0.0 240.0.0.0 On-link 192.168.8.102 311
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.137.1 291
255.255.255.255 255.255.255.255 On-link 192.168.159.1 291
255.255.255.255 255.255.255.255 On-link 192.168.0.10 281
255.255.255.255 255.255.255.255 On-link 192.168.8.102 311
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
23 71 ::/0 fe80::80fe:5cff:fe1a:6b7e
1 331 ::1/128 On-link
20 291 fe80::/64 On-link
6 291 fe80::/64 On-link
12 281 fe80::/64 On-link
23 311 fe80::/64 On-link
20 291 fe80::4c1d:375c:cbea:5ad7/128 On-link
12 281 fe80::5544:4ad8:c313:3fa1/128 On-link
23 311 fe80::cd04:f255:5713:496b/128 On-link
6 291 fe80::e8d0:ed33:cc54:3fb0/128 On-link
1 331 ff00::/8 On-link
20 291 ff00::/8 On-link
6 291 ff00::/8 On-link
12 281 ff00::/8 On-link
23 311 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
C:\Windows\system32>
In my case the bridge-start script is
#!/bin/bash
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap1"
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="ens33"
eth_ip="192.168.0.101"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.0.255"
for t in $tap; do
    openvpn --mktun --dev $t
done
brctl addbr $br
brctl addif $br $eth
for t in $tap; do
    brctl addif $br $t
done
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done
ifconfig $eth 0.0.0.0 promisc up
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
But when I enable the bridge with
sudo systemctl stop openvpn@server
sudo ./bridge-start
sudo systemctl start openvpn@server
my client cannot connect to my OpenVPN server. The server's ifconfig at this point is
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.101 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::6063:77ff:fed1:c82c prefixlen 64 scopeid 0x20<link>
ether 62:63:77:d1:c8:2c txqueuelen 1000 (Ethernet)
RX packets 699 bytes 65111 (65.1 KB)
RX errors 0 dropped 1 overruns 0 frame 0
TX packets 264 bytes 26276 (26.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens33: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
inet6 fe80::20c:29ff:feb0:e3db prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:b0:e3:db txqueuelen 1000 (Ethernet)
RX packets 266676 bytes 32685829 (32.6 MB)
RX errors 0 dropped 47 overruns 0 frame 0
TX packets 38148 bytes 4725224 (4.7 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 9652 bytes 9347692 (9.3 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 9652 bytes 9347692 (9.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tap1: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
inet6 fe80::f064:fdff:fe0b:edde prefixlen 64 scopeid 0x20<link>
ether f2:64:fd:0b:ed:de txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 33 bytes 13177 (13.1 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
and the client gets stuck at
2023-08-30 00:20:27 NOTE: --user option is not implemented on Windows
2023-08-30 00:20:27 NOTE: --group option is not implemented on Windows
2023-08-30 00:20:27 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). OpenVPN ignores --cipher for cipher negotiations.
2023-08-30 00:20:27 Note: dev-type not tun, disabling data channel offload.
2023-08-30 00:20:27 OpenVPN 2.6.6 [git:v2.6.6/c9540130121bfc21] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Aug 15 2023
2023-08-30 00:20:27 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-08-30 00:20:27 library versions: OpenSSL 3.1.2 1 Aug 2023, LZO 2.10
2023-08-30 00:20:27 DCO version: v0
2023-08-30 00:20:27 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2023-08-30 00:20:27 Need hold release from management interface, waiting...
2023-08-30 00:20:27 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:49309
2023-08-30 00:20:27 MANAGEMENT: CMD 'state on'
2023-08-30 00:20:27 MANAGEMENT: CMD 'log on all'
2023-08-30 00:20:27 MANAGEMENT: CMD 'echo on all'
2023-08-30 00:20:27 MANAGEMENT: CMD 'bytecount 5'
2023-08-30 00:20:27 MANAGEMENT: CMD 'state'
2023-08-30 00:20:27 MANAGEMENT: CMD 'hold off'
2023-08-30 00:20:27 MANAGEMENT: CMD 'hold release'
2023-08-30 00:20:27 MANAGEMENT: >STATE:1693344027,RESOLVE,,,,,,
2023-08-30 00:20:28 TCP/UDP: Preserving recently used remote address: [AF_INET]178.204.152.65:1194
2023-08-30 00:20:28 Socket Buffers: R=[65536->65536] S=[65536->65536]
2023-08-30 00:20:28 Attempting to establish TCP connection with [AF_INET]178.204.152.65:1194
2023-08-30 00:20:28 MANAGEMENT: >STATE:1693344028,TCP_CONNECT,,,,,,
It looks like I have set everything up according to the documentation, but with the bridge enabled the client cannot connect to OpenVPN. Can you tell me what I am missing?
Answer 1
Solved.
First, check that bridge-utils is installed on your server.
Then change /etc/openvpn/server.conf to
port 1194
proto tcp
dev tap0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
remote-cert-tls client
server-bridge 192.168.0.101 255.255.255.0 192.168.0.151 192.168.0.170
client-to-client
keepalive 10 120
tls-crypt ta.key
cipher AES-256-GCM
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
For example, a free IP address for the Linux VM: 192.168.5.100
Subnet mask (netmask): 255.255.255.0 (the /24 appended to the free IP address in CIDR notation)
Broadcast address: 192.168.5.255
Router's IP address: 192.168.5.1
VM's MAC address: 08:00:27:e7:0e:0a (found in the VM's network settings)
Create the file /etc/openvpn/openvpn-bridge with the following content
#!/bin/sh
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="ens33"
eth_ip_netmask="192.168.5.100/24"
eth_broadcast="192.168.5.255"
eth_gateway="192.168.5.1"
eth_mac="08:00:27:e7:0e:0a"
case "$1" in
    start)
        for t in $tap; do
            openvpn --mktun --dev $t
        done
        brctl addbr $br
        brctl addif $br $eth
        for t in $tap; do
            brctl addif $br $t
        done
        for t in $tap; do
            ip addr flush dev $t
            ip link set $t promisc on up
        done
        ip addr flush dev $eth
        ip link set $eth promisc on up
        ip addr add $eth_ip_netmask broadcast $eth_broadcast dev $br
        ip link set $br address $eth_mac
        ip link set $br up
        ip route add default via $eth_gateway
        ;;
    stop)
        ip link set $br down
        brctl delbr $br
        for t in $tap; do
            openvpn --rmtun --dev $t
        done
        ip link set $eth promisc off up
        ip addr add $eth_ip_netmask broadcast $eth_broadcast dev $eth
        ip route add default via $eth_gateway
        ;;
    *)
        echo "Usage: openvpn-bridge {start|stop}"
        exit 1
        ;;
esac
exit 0
Edit the four lines beginning with eth_ip_netmask, eth_broadcast, eth_gateway and eth_mac. These four variables must be set, respectively, to the Linux VM's free IP address with its subnet mask, the broadcast address, the router's IP address and the VM's MAC address, enclosed in quotes as shown.
Make the script executable by entering
chmod 744 /etc/openvpn/openvpn-bridge
We need to tell OpenVPN to use our "openvpn-bridge" script. Enter
nano /lib/systemd/system/[email protected]
Copy these two lines:
ExecStartPre=/etc/openvpn/openvpn-bridge start
ExecStopPost=/etc/openvpn/openvpn-bridge stop
and paste them at the bottom of the [Service] section.
Exit and save. Reboot the VM by entering
reboot
The OpenVPN server will now run at boot, i.e. without a user having to log in.
Source: https://www.emaculation.com/doku.php/bridged_openvpn_server_setup
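As an added check (example code, not from the question, the answer or the linked guide): a small Python validator for a server.conf like the ones above. It parses the active directives, confirms that dev is a tap device (required for server-bridge), that the pool lies inside the bridge subnet, does not include the gateway and does not overlap the router's DHCP pool, and flags a cipher that is absent from data-ciphers, which the client log above reports as ignored. The sample config and the LAN DHCP range are constructed values.

```python
import ipaddress

# Constructed sample config: dev and server-bridge as in the answer above
# (pool 192.168.0.151-170); the LAN DHCP range passed below is an assumed value.
SAMPLE_CONF = """\
dev tap0
server-bridge 192.168.0.101 255.255.255.0 192.168.0.151 192.168.0.170
cipher AES-256-GCM
"""

def parse_conf(text):
    """Map directive -> args for active lines; ';' and '#' start comments."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        key, *args = line.split()
        opts[key] = args
    return opts

def check_server_bridge(text, lan_dhcp=None):
    """Return a list of problems (empty means OK). lan_dhcp is an optional
    (first, last) pair of the router's DHCP pool to test for overlap."""
    opts = parse_conf(text)
    problems = []
    dev = opts.get("dev", [""])[0]
    if not dev.startswith("tap"):
        problems.append(f"server-bridge needs a tap device, got dev {dev!r}")
    # Default data-ciphers as reported in the client log on this page.
    cipher = opts.get("cipher", [None])[0]
    data_ciphers = opts.get("data-ciphers", ["AES-256-GCM:AES-128-GCM"])[0]
    if cipher and cipher not in data_ciphers.split(":"):
        problems.append(f"cipher {cipher} is not in data-ciphers {data_ciphers} and is ignored")
    sb = opts.get("server-bridge")
    if not sb or len(sb) != 4:
        return problems + ["server-bridge must be: gateway netmask pool-start pool-end"]
    net = ipaddress.ip_network(f"{sb[0]}/{sb[1]}", strict=False)
    gw, start, end = (ipaddress.ip_address(a) for a in (sb[0], sb[2], sb[3]))
    for name, addr in (("pool-start", start), ("pool-end", end)):
        if addr not in net:
            problems.append(f"{name} {addr} is outside {net}")
    if start > end:
        problems.append("pool-start is after pool-end")
    if start <= gw <= end:
        problems.append(f"pool includes the bridge gateway {gw}")
    if lan_dhcp:
        d0, d1 = (ipaddress.ip_address(a) for a in lan_dhcp)
        if start <= d1 and d0 <= end:
            problems.append(f"pool {start}-{end} overlaps LAN DHCP {d0}-{d1}")
    return problems
```

Run it against the real server.conf before starting the service; an empty list means the bridge pool is consistent with the LAN it is bridged into.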