Server-side setup

I have two machines at home: one is a pine64 running Debian Linux, the other is a desktop PC with Windows 8.

I have successfully installed an openVPN server on the pine64, so I have a working setup in which the openVPN service can be reached from the local network via the server's local IP address; I tested the connection with my desktop PC.

The VPN also works from an external network via my router's WAN IP address, so port 1994 is correctly forwarded to the openVPN host.

I also tested the connection from an external network using my phone (mobile network) and the openVPN Connect client, and everything works.

I want to simulate/test VPN access from my desktop PC as if it were on an external network. For example, if I am away from my home network, I want to check whether I can reach the other hosts on the network via SSH.

I don't quite understand why I cannot reach my VPN server from the local network via the router's public WAN IP.

Both machines have static IPs on the same network:

Desktop PC: 192.168.1.11

pine64 (openVPN server): 192.168.1.20

Let the router's public WAN IP be (for the sake of example): 5.39.182.24

So I try to reach the openVPN server at 5.39.182.24:1194, but unfortunately I cannot. There is no firewall set up on the PC, nor any other application I know of that could block the connection. Trying the same thing from the local network with my phone also fails, which proves it is not strictly a desktop problem.

Here is the log I get from the openVPN client application:

Mon Sep 12 20:31:08 2016 OpenVPN 2.3.12 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 23 2016
Mon Sep 12 20:31:08 2016 Windows version 6.2 (Windows 8 or greater) 64bit
Mon Sep 12 20:31:08 2016 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.09
Mon Sep 12 20:31:13 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Sep 12 20:31:13 2016 Control Channel Authentication: tls-auth using INLINE static key file
Mon Sep 12 20:31:13 2016 Attempting to establish TCP connection with [AF_INET]5.39.182.24:1194 [nonblock]
Mon Sep 12 20:31:23 2016 TCP: connect to [AF_INET]5.39.182.24:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Mon Sep 12 20:31:38 2016 TCP: connect to [AF_INET]5.39.182.24:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)

Server-side setup

openVPN configuration

root@pine64:/etc# cat /etc/openvpn/server.conf
local 192.168.1.20 # SWAP THIS NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
dev tun
#proto udp #Some people prefer to use tcp. Don't change it if you don't know.
proto tcp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/pine64.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/pine64.key # SWAP WITH YOUR KEY NAME
dh /etc/openvpn/easy-rsa/keys/dh2048.pem # If you changed to 2048, change that here!
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.1.20 255.255.255.0" # SWAP THE IP NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS 8.8.8.8
#push "dhcp-option DNS 192.168.2.1" # This should already match your router address and not need to be changed.
push "dhcp-option DNS 8.8.8.8" # This should already match your router address and not need to be changed.
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1

iptables

(rules exported to a file with iptables-save)

root@pine64:/etc# cat /etc/iptables-firewall-rules.backup
# Generated by iptables-save v1.4.21 on Sun Sep 11 21:19:15 2016
*filter
:INPUT ACCEPT [16429:2363941]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [17426:8592638]
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
COMMIT
# Completed on Sun Sep 11 21:19:15 2016
# Generated by iptables-save v1.4.21 on Sun Sep 11 21:19:15 2016
*nat
:PREROUTING ACCEPT [1172:103090]
:INPUT ACCEPT [157:31732]
:OUTPUT ACCEPT [205:14166]
:POSTROUTING ACCEPT [205:14166]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.20
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.20
COMMIT
# Completed on Sun Sep 11 21:19:15 2016

Output of the route command

root@pine64:/etc# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         speedport.ip    0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
link-local      *               255.255.0.0     U     1000   0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0

I hope someone can shed some light on this problem; I appreciate your help.
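The question posts both the OpenVPN server configuration and the iptables-save dump, which is the natural point to check that the two agree before suspecting the router. The following Python script is an added example, not code from the question or the answer: it parses the two dumps (embedded here as trimmed, constructed copies of the ones above) and reports whether the filter table's INPUT rule covers the protocol and port the server actually binds, and whether the nat table carries redundant POSTROUTING rules. All function and variable names are the example's own.

```python
"""Check an OpenVPN server.conf against iptables-save output.

Added example for this thread (not code from the question or the answer).
SERVER_CONF and IPTABLES_SAVE are trimmed, constructed copies of the dumps
posted in the question; the function names are this example's own.
"""
import shlex

# Trimmed copy of the server.conf from the question (constructed sample).
SERVER_CONF = """\
local 192.168.1.20 # SWAP THIS NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
dev tun
#proto udp #Some people prefer to use tcp. Don't change it if you don't know.
proto tcp
port 1194
server 10.8.0.0 255.255.255.0
push "route 10.8.0.1 255.255.255.255"
push "route 192.168.1.20 255.255.255.0" # SWAP THE IP NUMBER WITH YOUR PI IP
push "redirect-gateway def1"
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
"""

# Trimmed copy of the iptables-save dump from the question (constructed sample).
IPTABLES_SAVE = """\
# Generated by iptables-save v1.4.21 on Sun Sep 11 21:19:15 2016
*filter
:INPUT ACCEPT [16429:2363941]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [17426:8592638]
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [1172:103090]
:POSTROUTING ACCEPT [205:14166]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.20
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.20
COMMIT
"""


def parse_openvpn_conf(text):
    """Map each directive to the list of its argument lists, in file order.
    '#' comments (full-line or trailing) are dropped; quoted arguments stay whole."""
    conf = {}
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if tokens:
            conf.setdefault(tokens[0], []).append(tokens[1:])
    return conf


def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [[token, ...]]}}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                      # table header, e.g. *filter
            current = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line.startswith(":"):                    # chain policy line
            chain, policy = line[1:].split()[:2]
            current["policies"][chain] = policy
        elif line.startswith("-A"):                   # rule appended to a chain
            current["rules"].append(line.split())
    return tables


def opt(tokens, name):
    """Value following option `name` in a tokenised rule, or None if absent."""
    return tokens[tokens.index(name) + 1] if name in tokens else None


def check(conf_text, ipt_text):
    """Compare what OpenVPN listens on with what the filter table admits,
    and flag redundant NAT rules. Returns proto, port and a findings list."""
    conf = parse_openvpn_conf(conf_text)
    tables = parse_iptables_save(ipt_text)
    proto = conf["proto"][-1][0]   # last occurrence wins, as in OpenVPN itself
    port = conf["port"][-1][0]
    findings = []

    filt = tables["filter"]
    accepts = [r for r in filt["rules"]
               if opt(r, "-A") == "INPUT" and opt(r, "--dport") == port
               and opt(r, "-j") == "ACCEPT"]
    if not any(opt(r, "-p") == proto for r in accepts):
        others = sorted({opt(r, "-p") for r in accepts} - {None})
        findings.append(f"no INPUT ACCEPT rule for {proto}/{port}; rules on that "
                        f"port exist only for {'/'.join(others) or 'no protocol'}")
        if filt["policies"].get("INPUT") == "ACCEPT":
            findings.append("INPUT policy is ACCEPT, so nothing is blocked yet; "
                            "the gap only bites once the policy is set to DROP")

    post = [tuple(r) for r in tables.get("nat", {"rules": []})["rules"]
            if opt(r, "-A") == "POSTROUTING"]
    if len(post) != len(set(post)):
        findings.append(f"{len(post) - len(set(post))} duplicated POSTROUTING rule(s)")
    if {"SNAT", "MASQUERADE"} <= {opt(r, "-j") for r in post}:
        findings.append("SNAT and MASQUERADE both present for the VPN subnet; "
                        "the first matching rule wins, the other never fires")
    return {"proto": proto, "port": port, "findings": findings}


if __name__ == "__main__":
    result = check(SERVER_CONF, IPTABLES_SAVE)
    print(f"server listens on {result['proto']}/{result['port']}")
    for finding in result["findings"]:
        print(" -", finding)
```

On a real host, feed it the output of `cat /etc/openvpn/server.conf` and `iptables-save` instead of the embedded samples. With the dumps from the question it reports that the server listens on tcp/1194 while the only INPUT rule admits udp/1194 (harmless for now only because the chain policy is ACCEPT), plus the duplicated SNAT rule and a MASQUERADE that is never reached. None of that explains the hairpin question itself, but it is the kind of drift worth fixing before tightening the firewall.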

Answer 1

You cannot connect to your VPN from the LAN using the external IP because, if you think about it, the purpose of a VPN is to connect two (or more) machines that are not on the same network, but in your case they are already on the same network.