OpenVPN for client/server on the same subnet


I am trying to open a VPN into an office network (192.168.1.0/24) from a client that sits on the same subnet (also 192.168.1.0/24). It is a Linux (Ubuntu 9.10) server and a Windows client.

I followed this ubuntu openvpn community documentation guide and, as far as I can tell, the basic connection works fine. Naturally, I get a bunch of errors/warnings about IP address conflicts.

I was then trying to follow this guide on "using a dirty NAT trick to make the VPN work with clients numbered in private address space", but without success. While I have a theoretical understanding of routing/masquerading, my practical experience is fairly limited and I am not sure where it is going wrong.

So far I have reached the stage where the client connects to the server and is assigned IP 10.22.8.10. However, I cannot ping the server IP 10.22.8.1 as the documentation suggests.

The server config is essentially guide 1 modified as per guide 2, i.e. setting 'server-bridge 10.22.8.1 255.255.255.0 10.22.8.10 10.22.8.120' and 'push "route 10.22.0.0 255.255.0.0 10.22.8.1"'. I also added the tap interface configuration commands to up.sh.

The client config is as in guide 1.

Server "ifconfig tap0" (edit: apologies if this looks a bit off; in the preview pane while editing this post it looks fine)

    tap0      Link encap:Ethernet  HWaddr ee:ee:a8:04:8a:fc
              inet addr:10.22.8.1  Bcast:0.0.0.0  Mask:255.255.255.0
              inet6 addr: fe80::ecee:a8ff:fe04:8afc/64 Scope:Link
              UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
              RX packets:610 errors:0 dropped:0 overruns:0 frame:0
              TX packets:4533 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:111341 (111.3 KB)  TX bytes:650830 (650.8 KB)

Client log on connection:

    Mon Mar 01 00:30:13 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
    Mon Mar 01 00:30:13 2010 WARNING: No server certificate verification method has been enabled.  See URL-REDACTED for more info.
    Mon Mar 01 00:30:13 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Mon Mar 01 00:30:13 2010 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
    Mon Mar 01 00:30:13 2010 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Mar 01 00:30:13 2010 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Mar 01 00:30:13 2010 LZO compression initialized
    Mon Mar 01 00:30:13 2010 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Mon Mar 01 00:30:13 2010 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Mon Mar 01 00:30:13 2010 Local Options hash (VER=V4): '13a273ba'
    Mon Mar 01 00:30:13 2010 Expected Remote Options hash (VER=V4): '360696c5'
    Mon Mar 01 00:30:13 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Mon Mar 01 00:30:13 2010 UDPv4 link local: [undef]
    Mon Mar 01 00:30:13 2010 UDPv4 link remote: REDACTED:1194
    Mon Mar 01 00:30:13 2010 TLS: Initial packet from REDACTED:1194, sid=11055cf2 cc0d1ea0
    Mon Mar 01 00:30:14 2010 VERIFY OK: depth=1, REDACTED
    Mon Mar 01 00:30:14 2010 VERIFY OK: depth=0, REDACTED
    Mon Mar 01 00:30:14 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mon Mar 01 00:30:14 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Mar 01 00:30:14 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mon Mar 01 00:30:14 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Mar 01 00:30:14 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Mon Mar 01 00:30:14 2010 [server] Peer Connection Initiated with REDACTED:1194
    Mon Mar 01 00:30:17 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Mon Mar 01 00:30:17 2010 PUSH: Received control message: 'PUSH_REPLY,route 10.22.0.0 255.255.0.0 10.22.8.1,route-gateway 10.22.8.1,ping 10,ping-restart 120,ifconfig 10.22.8.10 255.255.255.0'
    Mon Mar 01 00:30:17 2010 OPTIONS IMPORT: timers and/or timeouts modified
    Mon Mar 01 00:30:17 2010 OPTIONS IMPORT: --ifconfig/up options modified
    Mon Mar 01 00:30:17 2010 OPTIONS IMPORT: route options modified
    Mon Mar 01 00:30:17 2010 OPTIONS IMPORT: route-related options modified
    Mon Mar 01 00:30:17 2010 ROUTE default_gateway=192.168.1.254
    Mon Mar 01 00:30:17 2010 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{7464875E-98E9-46AF-8F86-69FF32FFB722}.tap
    Mon Mar 01 00:30:17 2010 TAP-Win32 Driver Version 9.6 
    Mon Mar 01 00:30:17 2010 TAP-Win32 MTU=1500
    Mon Mar 01 00:30:17 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.22.8.10/255.255.255.0 on interface {7464875E-98E9-46AF-8F86-69FF32FFB722} [DHCP-serv: 10.22.8.0, lease-time: 31536000]
    Mon Mar 01 00:30:17 2010 Successful ARP Flush on interface [33] {7464875E-98E9-46AF-8F86-69FF32FFB722}
    Mon Mar 01 00:30:22 2010 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
    Mon Mar 01 00:30:22 2010 C:\WINDOWS\system32\route.exe ADD 10.22.0.0 MASK 255.255.0.0 10.22.8.1
    Mon Mar 01 00:30:22 2010 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
    Mon Mar 01 00:30:22 2010 Route addition via IPAPI succeeded [adaptive]
    Mon Mar 01 00:30:22 2010 Initialization Sequence Completed
    Mon Mar 01 01:30:14 2010 TLS: soft reset sec=0 bytes=648728/0 pkts=3922/0
    Mon Mar 01 01:30:14 2010 VERIFY OK: depth=1, REDACTED
    Mon Mar 01 01:30:14 2010 VERIFY OK: depth=0, REDACTED
    Mon Mar 01 01:30:15 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mon Mar 01 01:30:15 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Mar 01 01:30:15 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mon Mar 01 01:30:15 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Mar 01 01:30:15 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA

The client route seems to have been pushed successfully (route print):

    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.23     25
        10.22.0.0      255.255.0.0        10.22.8.1       10.22.8.10     30
        10.22.8.0    255.255.255.0         On-link        10.22.8.10    286
       10.22.8.10  255.255.255.255         On-link        10.22.8.10    286
      10.22.8.255  255.255.255.255         On-link        10.22.8.10    286
    ...

However, when I try to reach 10.22.8.1 it still seems to want to go out via my local internet connection:

    C:\Windows\system32>tracert 10.22.8.1
    Tracing route to 10.22.8.1 over a maximum of 30 hops
      1     1 ms     1 ms     1 ms  home.gateway [192.168.1.254]
      2  nexthop.qld.iinet.net.au [203.55.228.88]  reports: Destination net unreachable.

Can anyone tell me what I am doing wrong (or, if there is a simpler and more workable way to do what I want; note that, as in solution #1 of guide 2, renaming either subnet is not an option)?

Answer 1

Your default route's metric is lower than that of the 10.22.0.0/16 route, so traffic goes to the default route. When resolving routes, if multiple routes match the destination, the route with the lower metric takes precedence.

Push a default route over the VPN, or lower the metric of 10.22.0.0/16 (raise the metric of the default route).

It should look like this:

    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.23    1000
            10.22.0.0      255.255.0.0        10.22.8.1       10.22.8.10     30
            10.22.8.0    255.255.255.0         On-link        10.22.8.10    286
           10.22.8.10  255.255.255.255         On-link        10.22.8.10    286
          10.22.8.255  255.255.255.255         On-link        10.22.8.10    286

Answer 2

What you need to do is delete the default route and add a route specific to your VPN server only, marking it as reachable via your local router.

So you should have 3 routes:

    vpn.example.com 255.255.255.255 gw 192.168.1.254
    192.168.1.0 255.255.255.0 gw 10.22.8.1
    0.0.0.0 0.0.0.0 gw 10.22.8.1
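To make both answers concrete, here is an added example (my own code, not from the question or either answer) that parses the client's `route print` table from the question and resolves a few destinations under the usual selection rule: longest matching prefix first, lowest metric as the tie-breaker. `with_default_metric` applies Answer 1's change and `vpn_only_default` builds Answer 2's three routes. Assumptions: the home LAN's own on-link 192.168.1.0/24 row, which the question's output elides, is added with metric 281; 203.0.113.10 is a hypothetical public address standing in for vpn.example.com; the VPN routes get metric 30, the value OpenVPN's route.exe call used in the posted log.

```python
"""Model Windows IPv4 route selection for the tables in this thread.

Added example, not code from the original posts. Assumed rule: the route
with the longest matching prefix wins; among equal-length matches the
lowest metric wins (the Metric column of `route print`).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str      # next-hop IP, or "On-link" as route print shows it
    interface: str    # IP of the interface the route is bound to
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Parse the 'Active Routes' rows of Windows `route print` output.

    Data rows have exactly five columns; the header row and '...' are skipped.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        dest, mask, gateway, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, gateway, iface, int(metric)))
    return routes


def select_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix first, then lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))


def next_hop(routes: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """(gateway, interface) the table would use for dst, or None."""
    r = select_route(routes, dst)
    return None if r is None else (r.gateway, r.interface)


def with_default_metric(routes: List[Route], metric: int) -> List[Route]:
    """Answer 1: leave every route in place, only change the metric of 0.0.0.0/0."""
    return [replace(r, metric=metric) if r.network.prefixlen == 0 else r
            for r in routes]


def vpn_only_default(routes: List[Route], vpn_server_ip: str,
                     vpn_gateway: str = "10.22.8.1",
                     vpn_iface: str = "10.22.8.10") -> List[Route]:
    """Answer 2: drop the default route, pin the VPN server's public address
    to the old default gateway, then send the office LAN and everything else
    into the tunnel. Metric 30 is what OpenVPN's route.exe call used in the log."""
    old_default = next(r for r in routes if r.network.prefixlen == 0)
    kept = [r for r in routes if r.network.prefixlen != 0]
    return kept + [
        Route(ipaddress.IPv4Network(f"{vpn_server_ip}/32"),
              old_default.gateway, old_default.interface, old_default.metric),
        Route(ipaddress.IPv4Network("192.168.1.0/24"), vpn_gateway, vpn_iface, 30),
        Route(ipaddress.IPv4Network("0.0.0.0/0"), vpn_gateway, vpn_iface, 30),
    ]


# The client's table from the question. The last row is the home LAN's own
# on-link route, which the question's output elides ('...'); it is assumed
# here with a typical Windows metric of 281.
QUESTION_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.23     25
        10.22.0.0      255.255.0.0        10.22.8.1       10.22.8.10     30
        10.22.8.0    255.255.255.0         On-link        10.22.8.10    286
       10.22.8.10  255.255.255.255         On-link        10.22.8.10    286
      10.22.8.255  255.255.255.255         On-link        10.22.8.10    286
      192.168.1.0    255.255.255.0         On-link     192.168.1.23    281
"""

# Hypothetical public address standing in for vpn.example.com (TEST-NET-3).
VPN_SERVER_IP = "203.0.113.10"


def main() -> None:
    base = parse_route_print(QUESTION_ROUTE_PRINT)
    tables = {
        "as posted": base,
        "answer 1 (default metric 1000)": with_default_metric(base, 1000),
        "answer 2 (VPN carries the default)": vpn_only_default(base, VPN_SERVER_IP),
    }
    for name, table in tables.items():
        print(name)
        for dst in ("10.22.8.1", "10.22.1.5", "192.168.1.50", VPN_SERVER_IP, "8.8.8.8"):
            print(f"  {dst:>14} -> {next_hop(table, dst)}")


if __name__ == "__main__":
    main()
```

Run it and compare the printed next hops with what the real host does. Under this rule a destination's on-link /24 route beats a shorter-prefix route regardless of metric, and the metric only decides between the two 192.168.1.0/24 routes that Answer 2 creates (office LAN via the tunnel at 30 versus the home LAN on-link at 281). If a live tracert disagrees with the model for some destination, the cause lies outside the printed routing table. The model also does not check that a route's gateway is itself reachable on-link over the route's interface, which Windows requires when the route is added; with Answer 2 that is exactly why the host route to the VPN server must stay bound to the physical LAN interface.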
