我有两个 openvpn 客户端和一个使用共享密钥的服务器。我在 ccd 目录中为这两个客户端指定了内部路由,但当它们连接时,服务器只为其中一个创建内部路由,尽管日志显示它正在创建两个路由。客户端和服务器都使用“--script-security 2”命令行选项。有人能想到为什么它会这样做吗?
我的 ccd 文件是:
客户端1:
iroute 192.168.0.0 255.255.255.0
客户端2:
iroute 10.0.1.0 255.255.255.0
我的日志文件显示以下内容(已裁剪):
May 3 17:22:59 kino openvpn[2416]: 118.208.58.60:48730 [client1] Peer Connection Initiated with 118.208.58.60:48730
May 3 17:22:59 kino openvpn[2416]: client1/118.208.58.60:48730 OPTIONS IMPORT: reading client specific options from: ccd/client1
May 3 17:22:59 kino openvpn[2416]: client1/118.208.58.60:48730 MULTI: Learn: 192.168.150.10 -> client1/118.208.58.60:48730
May 3 17:22:59 kino openvpn[2416]: client1/118.208.58.60:48730 MULTI: primary virtual IP for client1/118.208.58.60:48730: 192.168.150.10
May 3 17:22:59 kino openvpn[2416]: client1/118.208.58.60:48730 MULTI: internal route 192.168.0.0/24 -> client1/118.208.58.60:48730
May 3 17:22:59 kino openvpn[2416]: client1/118.208.58.60:48730 MULTI: Learn: 192.168.0.0/24 -> client1/118.208.58.60:48730
May 3 17:23:01 kino openvpn[2416]: client1/118.208.58.60:48730 PUSH: Received control message: 'PUSH_REQUEST'
May 3 17:23:01 kino openvpn[2416]: client1/118.208.58.60:48730 SENT CONTROL [client1]: 'PUSH_REPLY,route 192.168.150.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.150.10 192.168.150.9' (status=1)
May 3 17:21:36 kino openvpn[2416]: 124.148.1.90:59277 [client2] Peer Connection Initiated with 124.148.1.90:59277
May 3 17:21:36 kino openvpn[2416]: client2/124.148.1.90:59277 OPTIONS IMPORT: reading client specific options from: ccd/client2
May 3 17:21:36 kino openvpn[2416]: client2/124.148.1.90:59277 MULTI: Learn: 192.168.150.14 -> client2/124.148.1.90:59277
May 3 17:21:36 kino openvpn[2416]: client2/124.148.1.90:59277 MULTI: primary virtual IP for client2/124.148.1.90:59277: 192.168.150.14
May 3 17:21:36 kino openvpn[2416]: client2/124.148.1.90:59277 MULTI: internal route 10.0.1.0/24 -> client2/124.148.1.90:59277
May 3 17:21:36 kino openvpn[2416]: client2/124.148.1.90:59277 MULTI: Learn: 10.0.1.0/24 -> client2/124.148.1.90:59277
May 3 17:21:39 kino openvpn[2416]: client2/124.148.1.90:59277 PUSH: Received control message: 'PUSH_REQUEST'
May 3 17:21:39 kino openvpn[2416]: client2/124.148.1.90:59277 SENT CONTROL [client2]: 'PUSH_REPLY,route 192.168.150.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.150.14 192.168.150.13' (status=1)
两个客户端连接后,路由表如下所示:
192.168.150.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
203.209.167.192 0.0.0.0 255.255.255.224 U 0 0 0 eth0
192.168.150.0 192.168.150.2 255.255.255.0 UG 0 0 0 tun0
192.168.0.0 192.168.150.2 255.255.255.0 UG 0 0 0 tun0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 203.209.167.193 0.0.0.0 UG 0 0 0 eth0
如您所见,它创建了到 192.168.0.0/24(客户端 1)的路由,但没有创建到 10.0.1.0/24(客户端 2)的路由,尽管日志显示它已创建。有什么建议吗?
答案1
IRC 上有人指出,我也需要在服务器配置文件中手动声明路由。我照做了,它在启动时创建了路由。我想我不太明白 iroute 的用途。
答案2
我认为范围文档的部分对此进行了详细解释。
答案3
我也为此苦恼过。在我的设置中,OpenVPN 服务器是一台独立于路由器的机器,无论我做了什么配置,我都无法让 ping 正确地传输到网络上的其他机器。最后我找到了这个帖子: http://ubuntuforums.org/archive/index.php/t-951733.html
这表明实际需要的是路由器上的静态路由,以允许试图找到返回 OVPN 服务器的数据包被路由到该机器。
例如:
Router: 192.168.9.1
OVPN Server: 192.168.9.254
OVPN subnet: 10.101.1.0/24
Client Subnet: 192.168.231.0/24
为了让 192.168.231.x 能够 ping 到 192.168.9.x(254 除外),我需要确保完成以下三件事:
- 在 OVPN server.conf 中创建“路由 192.168.231.0 255.255.255.0”。
在 OVPN ccd/client.conf 中创建“iroute 192.168.231.0 255.255.255.0”。 (另请参见:在 OVPN server.conf 中“推送”路由 192.168.9.0 255.255.255.0“
(缺少的成分)添加静态路由10.101.1.0/24 网关 192.168.9.254在路由器上。