Need help setting up OpenVPN on an Ubuntu server


Edit:

OK, thanks everyone for the help, I've made some progress. I fixed the bridge connectivity problem by setting up the bridge manually in the interfaces file and editing the bridge-start and bridge-stop scripts so that they only add/remove the tap interface (see below for the current versions of these files).

Now I can connect to the server, but the connection keeps dropping. Is this a key problem? I tried regenerating the keys, but that didn't help.

Log from Tunnelblick when trying to connect to my server:

2010-09-19 10:08:05 *Tunnelblick: OS X 10.6.4; Tunnelblick 3.0 (build 1437); OpenVPN 2.1.1
2010-09-19 10:08:07 *Tunnelblick: Attempting connection with evan's apartment.conf; Set nameserver = 1; monitoring connection
2010-09-19 10:08:07 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start evan's\ apartment.conf 1338 1 0 0 0
2010-09-19 10:08:07 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpn --management-query-passwords --cd /Users/evan/Library/Application Support/Tunnelblick/Configurations --daemon --management-hold --management 127.0.0.1 1338 --config /Users/evan/Library/Application Support/Tunnelblick/Configurations/evan's apartment.conf --script-security 2 --up "/Applications/Tunnelblick.app/Contents/Resources/client.up.osx.sh" --down "/Applications/Tunnelblick.app/Contents/Resources/client.down.osx.sh" --up-restart
2010-09-19 10:08:07 SUCCESS: pid=2376
2010-09-19 10:08:07 SUCCESS: real-time state notification set to ON
2010-09-19 10:08:07 SUCCESS: real-time log notification set to ON
2010-09-19 10:08:07 OpenVPN 2.1.1 i386-apple-darwin10.2.0 [SSL] [LZO2] [PKCS11] built on Feb 24 2010
2010-09-19 10:08:07 MANAGEMENT: TCP Socket listening on 127.0.0.1:1338
2010-09-19 10:08:07  waiting...
2010-09-19 10:08:07 MANAGEMENT: Client connected from 127.0.0.1:1338
2010-09-19 10:08:07 MANAGEMENT: CMD 'pid'
2010-09-19 10:08:07 MANAGEMENT: CMD 'state on'
2010-09-19 10:08:07 MANAGEMENT: CMD 'log on all'
2010-09-19 10:08:07 END
2010-09-19 10:08:07 MANAGEMENT: CMD 'hold release'
2010-09-19 10:08:07 SUCCESS: hold release succeeded
2010-09-19 10:08:07 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2010-09-19 10:08:07 Control Channel Authentication: using '/Users/evan/VPN/ta.key' as a OpenVPN static key file
2010-09-19 10:08:07 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2010-09-19 10:08:07 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2010-09-19 10:08:07 LZO compression initialized
2010-09-19 10:08:07 Control Channel MTU parms [ L:1576 D:168 EF:68 EB:0 ET:0 EL:0 ]
2010-09-19 10:08:07 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
2010-09-19 10:08:07 Local Options hash (VER=V4): 'e39a3273'
2010-09-19 10:08:07 Expected Remote Options hash (VER=V4): '3c14feac'
2010-09-19 10:08:07  or --up-delay
2010-09-19 10:08:07 Attempting to establish TCP connection with 192.168.0.2:1194 [nonblock]
2010-09-19 10:08:07 
2010-09-19 10:08:08 TCP connection established with 192.168.0.2:1194
2010-09-19 10:08:08 Socket Buffers: R=[525624->65536] S=[131768->65536]
2010-09-19 10:08:08 TCPv4_CLIENT link local: [undef]
2010-09-19 10:08:08 TCPv4_CLIENT link remote: 192.168.0.2:1194
2010-09-19 10:08:08 
2010-09-19 10:08:08  restarting [0]
2010-09-19 10:08:08 TCP/UDP: Closing socket
2010-09-19 10:08:08  process restarting
2010-09-19 10:08:08 
2010-09-19 10:08:08 MANAGEMENT: CMD 'hold release'
2010-09-19 10:08:08 SUCCESS: hold release succeeded
2010-09-19 10:08:08 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2010-09-19 10:08:08 Re-using SSL/TLS context
2010-09-19 10:08:08 LZO compression initialized
2010-09-19 10:08:08 Control Channel MTU parms [ L:1576 D:168 EF:68 EB:0 ET:0 EL:0 ]
2010-09-19 10:08:08 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
2010-09-19 10:08:08 Local Options hash (VER=V4): 'e39a3273'
2010-09-19 10:08:08 Expected Remote Options hash (VER=V4): '3c14feac'
2010-09-19 10:08:08 Attempting to establish TCP connection with 192.168.0.2:1194 [nonblock]
2010-09-19 10:08:08 
2010-09-19 10:08:09 TCP connection established with 192.168.0.2:1194
2010-09-19 10:08:09 Socket Buffers: R=[525624->65536] S=[131768->65536]
2010-09-19 10:08:09 TCPv4_CLIENT link local: [undef]
2010-09-19 10:08:09 TCPv4_CLIENT link remote: 192.168.0.2:1194
2010-09-19 10:08:09 
2010-09-19 10:08:09  restarting [0] ... (just keeps repeating from here)

Here are the updated files I changed:

interfaces

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.0.2
netmask 255.255.255.0
gateway 192.168.0.1

# Bridge for OpenVPN
auto br0
iface br0 inet static
address 192.168.0.2
netmask 255.255.255.0
gateway 192.168.0.1
bridge_ports eth0

bridge-start

#!/bin/bash

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.0.2"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.0.255"
eth_gateway="192.168.0.1"
eth_network="192.168.0.0"

for t in $tap; do
    openvpn --mktun --dev $t
done

#brctl addbr $br
#brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

#ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast gateway $eth_gateway

bridge-stop

#!/bin/bash

####################################
# Tear Down Ethernet bridge on Linux
####################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged together
tap="tap0"

#ifconfig $br down
#brctl delbr $br

for t in $tap; do
    openvpn --rmtun --dev $t
done

My server.conf file looks like what aleroot suggested.

Thanks for all the help so far, I think I'm very close now :).

Original question:

I'm trying to get my Ubuntu 10.04 server to act as an OpenVPN server so that I can eventually mount data over samba onto my laptop at work. I followed the instructions here and have tried several times, but without success.

I'm fairly sure the problem is related to setting up the bridge and the tap interface. I think this because as soon as I set up the bridge (using these scripts - http openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernetbridging.html#linuxscript - sorry, I can only post one link at the moment :)) and start the server (no errors on startup), I lose my eth0 connection (when I run ifconfig, only the new br0 has an IP address). Also, after enabling the bridge I can no longer ssh into my server, and when I stop the openvpn server and run the bridge-stop script, the server starts working again.

I think I'm confused about which IP address should go where.

My router has the public IP address, let's say 25.25.25.25, and my Ubuntu server has the static IP address 192.168.0.2 (port forwarding and everything works fine, I can ssh in from anywhere, until I run the bridge script or try to :)). Here are the values I used in the files mentioned above; do they look right?

From bridge-start (full file linked above)

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.0.2"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.0.255"

From server.conf

local 192.168.0.2
dev tap0
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
;server 10.8.0.0 255.255.255.0
server-bridge 192.168.0.2 255.255.255.0 192.168.0.50 192.168.100
push "route 192.168.0.2 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
;push "dhcp-option DOMAIN example.com" <- commented not sure what i should use, the value is resolve.conf?
tls-auth ta.key 0 # This file is secret
user nobody
group nogroup

Thanks for your help!!

Answer 1

I can't really offer much about the configuration above, but I can suggest a couple of alternatives:

You might want to consider installing the OpenVPN-AS server; we run it on Ubuntu and it's great. It installs quickly and easily and has an intuitive web interface for configuration and monitoring. It handles interface setup transparently and even configures the appropriate iptables rules for you. Up to 2 concurrent users are free, and more are cheap ($5/user/year). Clients can download pre-configured custom config files (*nix) or installer packages (Windows) from the web interface.

Or you could run pfSense in a virtual machine (works well under KVM on Ubuntu) or put it on a separate box (it doesn't need much hardware) and use its built-in L2TP, OpenVPN or PPTP VPN servers. Again, this would take away some of the configuration and setup hassle, although you would need to set up KVM if you go that route.

Answer 2

I don't think you need to use a bridge for what you want to do. Have you tried setting up a normal OpenVPN server?

Answer 3

Example Server.cfg for your situation:

port 1194
proto tcp
dev tap
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/Server-VPN.crt
key /etc/openvpn/easy-rsa/keys/Server-VPN.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.0.2 255.255.255.0 192.168.0.50 192.168.0.100
push "route 192.0.0.0 255.0.0.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

You also need to run this script at system boot (on your Ubuntu distribution, put it in /etc/init.d/ and add a symlink in /etc/rcX.d/) to set up your bridge:

#!/bin/bash

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.0.2"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.0.255"

for t in $tap; do
    openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
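The two server configs on this page differ in exactly the arguments that are easy to get wrong: the question's `server-bridge` line ends the pool at the three-octet `192.168.100` (the answer uses `192.168.0.100`), and its `push "route 192.168.0.2 255.255.255.0"` names a host address rather than the `192.168.0.0` network. The following shell script is an added example, not code from the original post or from OpenVPN; it lints those bridge directives in a server.conf before the daemon is started. It assumes bash or a POSIX sh, and the sample config text at the bottom is constructed from the question's lines.

```shell
# Added example, not from the original post: lint the bridge directives of an OpenVPN server.conf
# (server-bridge, push "route ...") before starting the daemon. Assumes bash or POSIX sh; sample is constructed.
ip2int() {
    # Dotted quad -> integer; fail unless exactly four decimal octets 0-255 (rejects leading zeros).
    local IFS=. o n=0
    set -- $1
    [ $# -eq 4 ] || return 1
    for o; do
        case $o in ''|*[!0-9]*|0?*) return 1;; esac; [ "$o" -le 255 ] || return 1
        n=$(( (n << 8) | o ))
    done
    echo "$n"
}
check_server_bridge() {
    # Args: GATEWAY NETMASK POOL_START POOL_END (the four server-bridge arguments).
    local gw mask start end
    gw=$(ip2int "$1") && mask=$(ip2int "$2") && start=$(ip2int "$3") && end=$(ip2int "$4") ||
        { echo "server-bridge: malformed address in '$*'"; return 1; }
    [ $(( start & mask )) -eq $(( gw & mask )) ] && [ $(( end & mask )) -eq $(( gw & mask )) ] ||
        { echo "server-bridge: pool $3-$4 is outside the subnet of $1/$2"; return 1; }
    [ "$start" -le "$end" ] && { [ "$gw" -lt "$start" ] || [ "$gw" -gt "$end" ]; } ||
        { echo "server-bridge: pool $3-$4 is unordered or contains the gateway $1"; return 1; }
    echo "server-bridge: ok"
}
check_route() {
    # Args: NETWORK NETMASK; the network must be the subnet base address, not a host address.
    local net mask
    net=$(ip2int "$1") && mask=$(ip2int "$2") || { echo "route: malformed address in '$*'"; return 1; }
    [ $(( net & mask )) -eq "$net" ] ||
        { echo "route: $1 is a host address, not the network for netmask $2"; return 1; }
    echo "route: ok"
}
lint_config() {
    # Read config text from $1, strip '#' and ';' comments, check each relevant directive.
    local cfg=$1 rc=0 line
    while IFS= read -r line; do
        line=${line%%#*}; line=${line%%;*}
        set -- $line
        case $1 in
            server-bridge) check_server_bridge "$2" "$3" "$4" "$5" || rc=1 ;;
            push) [ "$2" = '"route' ] && { check_route "$3" "${4%\"}" || rc=1; } ;;
        esac
    done <<EOF
$cfg
EOF
    return $rc
}
# Constructed sample: the question's server-bridge line (three-octet pool end).
lint_config 'server-bridge 192.168.0.2 255.255.255.0 192.168.0.50 192.168.100' || echo "problems found"
```

To check a real file, call `lint_config "$(cat /etc/openvpn/server.conf)"`; it exits non-zero when any directive fails.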
