我家里有两台机器,一台是运行 Debian Linux 的 pine64,另一台是装有 Windows 8 的台式电脑。
我已成功将 openVPN 服务器安装到 pine64,因此我有一个可运行的设置,可以通过服务器的本地 IP 地址从本地网络访问 openVPN 服务,我使用我的台式电脑测试了连接。
VPN 也通过我的路由器的 WAN IP 地址从外部网络工作,因此端口 1994 被正确转发到 openVPN 主机。
我也用我的手机(移动网络)和 openVPN 连接客户端测试了从外部网络访问的连接,一切正常。
我想从我的台式电脑模拟/测试 VPN 访问,因为它是外部网络。例如,如果我远离我的家庭网络,我想检查是否可以通过 SSH 访问网络中的其他主机。
我不太明白为什么我无法通过路由器的公共 WAN IP 从本地网络访问我的 VPN 服务器。
两台机器在同一个网络上有静态IP:
桌上型电脑:192.168.1.11
pine 64 (openVPN 服务器):192.168.1.20
让路由器的公共 WAN IP 为(为了举例):5.39.182.24
因此,我尝试使用 IP 访问 openVPN 服务器5.39.182.24:1194
,但不幸的是我无法访问。PC 上没有设置防火墙,我所知道的任何其他应用程序都可能禁止连接。尝试从本地网络使用我的手机进行同样的操作也失败了,因此这证明这并非严格意义上的台式机问题。
这是我从 openVPN 客户端应用程序获取的日志
Mon Sep 12 20:31:08 2016 OpenVPN 2.3.12 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 23 2016
Mon Sep 12 20:31:08 2016 Windows version 6.2 (Windows 8 or greater) 64bit
Mon Sep 12 20:31:08 2016 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.09
Mon Sep 12 20:31:13 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Sep 12 20:31:13 2016 Control Channel Authentication: tls-auth using INLINE static key file
Mon Sep 12 20:31:13 2016 Attempting to establish TCP connection with [AF_INET]5.39.182.24:1194 [nonblock]
Mon Sep 12 20:31:23 2016 TCP: connect to [AF_INET]5.39.182.24:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Mon Sep 12 20:31:38 2016 TCP: connect to [AF_INET]5.39.182.24:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
服务器端设置
openVPN 配置
root@pine64:/etc# cat /etc/openvpn/server.conf
local 192.168.1.20 # SWAP THIS NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
dev tun
#proto udp #Some people prefer to use tcp. Don't change it if you don't know.
proto tcp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/pine64.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/pine64.key # SWAP WITH YOUR KEY NAME
dh /etc/openvpn/easy-rsa/keys/dh2048.pem # If you changed to 2048, change that here!
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.1.20 255.255.255.0" # SWAP THE IP NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS 8.8.8.8
#push "dhcp-option DNS 192.168.2.1" # This should already match your router address and not need to be changed.
push "dhcp-option DNS 8.8.8.8" # This should already match your router address and not need to be changed.
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1
iptables
(将规则导出到文件中iptables-save
)
root@pine64:/etc# cat /etc/iptables-firewall-rules.backup
# Generated by iptables-save v1.4.21 on Sun Sep 11 21:19:15 2016
*filter
:INPUT ACCEPT [16429:2363941]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [17426:8592638]
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
COMMIT
# Completed on Sun Sep 11 21:19:15 2016
# Generated by iptables-save v1.4.21 on Sun Sep 11 21:19:15 2016
*nat
:PREROUTING ACCEPT [1172:103090]
:INPUT ACCEPT [157:31732]
:OUTPUT ACCEPT [205:14166]
:POSTROUTING ACCEPT [205:14166]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.20
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.20
COMMIT
# Completed on Sun Sep 11 21:19:15 2016
route
命令的输出
root@pine64:/etc# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default speedport.ip 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 * 255.255.255.255 UH 0 0 0 tun0
link-local * 255.255.0.0 U 1000 0 0 eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
我希望有人可以阐明这个问题,我很感激您的帮助。
答案1
您无法使用外部 IP 从局域网连接您的 VPN,因为如果您仔细想一想,VPN 的目的是连接两台(或更多)不在同一网络中的机器,但在您的情况下,它们已经在同一个网络上。