I am using:
uname -a
Linux 2.6.32-042stab108.5 #1 SMP Wed Jun 17 20:20:17 MSK 2015 x86_64 GNU/Linux
This is my server configuration:
cat /etc/openvpn/server.conf | egrep -v "#|;"
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server_openvpn_certificate.crt
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 127.0.0.1"
push "dhcp-option DNS 192.168.1.11"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
This is the client configuration:
cat /etc/openvpn/client.conf | egrep -v "#|;"
client
dev tun
proto udp
remote *.*.*.* 1194 #I've put server IP there.
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/my.crt
key /etc/openvpn/keys/my.key
ns-cert-type server
comp-lzo
verb 3
Here are some of the logs I get after starting OpenVPN (note the client connecting at the end):
openvpn /etc/openvpn/server.conf
Tue Aug 11 17:16:56 2015 us=556076 Current Parameter Settings:
Tue Aug 11 17:16:56 2015 us=556159 config = '/etc/openvpn/server.conf'
Tue Aug 11 17:16:56 2015 us=556173 mode = 1
Tue Aug 11 17:16:56 2015 us=556186 persist_config = DISABLED
Tue Aug 11 17:16:56 2015 us=556203 persist_mode = 1
Tue Aug 11 17:16:56 2015 us=556216 show_ciphers = DISABLED
Tue Aug 11 17:16:56 2015 us=556227 show_digests = DISABLED
Tue Aug 11 17:16:56 2015 us=556238 show_engines = DISABLED
Tue Aug 11 17:16:56 2015 us=556248 genkey = DISABLED
Tue Aug 11 17:16:56 2015 us=556259 key_pass_file = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=556271 show_tls_ciphers = DISABLED
Tue Aug 11 17:16:56 2015 us=556286 Connection profiles [default]:
Tue Aug 11 17:16:56 2015 us=556297 proto = udp
Tue Aug 11 17:16:56 2015 us=556336 local = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=556349 local_port = 1194
Tue Aug 11 17:16:56 2015 us=556360 remote = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=556371 remote_port = 1194
Tue Aug 11 17:16:56 2015 us=556382 remote_float = DISABLED
Tue Aug 11 17:16:56 2015 us=556398 bind_defined = DISABLED
Tue Aug 11 17:16:56 2015 us=556409 bind_local = ENABLED
Tue Aug 11 17:16:56 2015 us=556420 connect_retry_seconds = 5
Tue Aug 11 17:16:56 2015 us=556432 connect_timeout = 10
Tue Aug 11 17:16:56 2015 us=556445 connect_retry_max = 0
Tue Aug 11 17:16:56 2015 us=556457 socks_proxy_server = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=556469 socks_proxy_port = 0
Tue Aug 11 17:16:56 2015 us=556480 socks_proxy_retry = DISABLED
Tue Aug 11 17:16:56 2015 us=556491 tun_mtu = 1500
Tue Aug 11 17:16:56 2015 us=556502 tun_mtu_defined = ENABLED
Tue Aug 11 17:16:56 2015 us=556514 link_mtu = 1500
Tue Aug 11 17:16:56 2015 us=556525 link_mtu_defined = DISABLED
Tue Aug 11 17:16:56 2015 us=556536 tun_mtu_extra = 0
Tue Aug 11 17:16:56 2015 us=556547 tun_mtu_extra_defined = DISABLED
Tue Aug 11 17:16:56 2015 us=556558 mtu_discover_type = -1
Tue Aug 11 17:16:56 2015 us=556570 fragment = 0
Tue Aug 11 17:16:56 2015 us=556582 mssfix = 1450
Tue Aug 11 17:16:56 2015 us=556593 explicit_exit_notification = 0
Tue Aug 11 17:16:56 2015 us=556604 Connection profiles END
Tue Aug 11 17:16:56 2015 us=556616 remote_random = DISABLED
Tue Aug 11 17:16:56 2015 us=556628 ipchange = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=556639 dev = 'tun'
Tue Aug 11 17:16:56 2015 us=556650 dev_type = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=556661 dev_node = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=556673 lladdr = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=556684 topology = 1
Tue Aug 11 17:16:56 2015 us=556695 tun_ipv6 = DISABLED
Tue Aug 11 17:16:56 2015 us=556706 ifconfig_local = '10.8.0.1'
Tue Aug 11 17:16:56 2015 us=556718 ifconfig_remote_netmask = '10.8.0.2'
Tue Aug 11 17:16:56 2015 us=556729 ifconfig_noexec = DISABLED
Tue Aug 11 17:16:56 2015 us=556740 ifconfig_nowarn = DISABLED
Tue Aug 11 17:16:56 2015 us=556751 ifconfig_ipv6_local = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=556762 ifconfig_ipv6_netbits = 0
Tue Aug 11 17:16:56 2015 us=556774 ifconfig_ipv6_remote = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=556785 shaper = 0
Tue Aug 11 17:16:56 2015 us=556795 mtu_test = 0
Tue Aug 11 17:16:56 2015 us=556806 mlock = DISABLED
Tue Aug 11 17:16:56 2015 us=556817 keepalive_ping = 10
Tue Aug 11 17:16:56 2015 us=556829 keepalive_timeout = 120
Tue Aug 11 17:16:56 2015 us=556840 inactivity_timeout = 0
Tue Aug 11 17:16:56 2015 us=556850 ping_send_timeout = 10
Tue Aug 11 17:16:56 2015 us=556862 ping_rec_timeout = 240
Tue Aug 11 17:16:56 2015 us=556873 ping_rec_timeout_action = 2
Tue Aug 11 17:16:56 2015 us=556884 ping_timer_remote = DISABLED
Tue Aug 11 17:16:56 2015 us=556895 remap_sigusr1 = 0
Tue Aug 11 17:16:56 2015 us=556906 persist_tun = ENABLED
Tue Aug 11 17:16:56 2015 us=556917 persist_local_ip = DISABLED
Tue Aug 11 17:16:56 2015 us=556928 persist_remote_ip = DISABLED
Tue Aug 11 17:16:56 2015 us=556939 persist_key = ENABLED
Tue Aug 11 17:16:56 2015 us=556949 passtos = DISABLED
Tue Aug 11 17:16:56 2015 us=556961 resolve_retry_seconds = 1000000000
Tue Aug 11 17:16:56 2015 us=556972 username = 'nobody'
Tue Aug 11 17:16:56 2015 us=556982 groupname = 'nogroup'
Tue Aug 11 17:16:56 2015 us=556993 chroot_dir = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=557004 cd_dir = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=557015 writepid = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=557025 up_script = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=557036 down_script = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=557047 down_pre = DISABLED
Tue Aug 11 17:16:56 2015 us=557058 up_restart = DISABLED
Tue Aug 11 17:16:56 2015 us=557068 up_delay = DISABLED
Tue Aug 11 17:16:56 2015 us=557079 daemon = DISABLED
Tue Aug 11 17:16:56 2015 us=557090 inetd = 0
Tue Aug 11 17:16:56 2015 us=557101 log = DISABLED
Tue Aug 11 17:16:56 2015 us=557112 suppress_timestamps = DISABLED
Tue Aug 11 17:16:56 2015 us=557123 nice = 0
Tue Aug 11 17:16:56 2015 us=557134 verbosity = 6
Tue Aug 11 17:16:56 2015 us=557145 mute = 0
Tue Aug 11 17:16:56 2015 us=557155 gremlin = 0
Tue Aug 11 17:16:56 2015 us=557166 status_file = 'openvpn-status.log'
Tue Aug 11 17:16:56 2015 us=557178 status_file_version = 1
Tue Aug 11 17:16:56 2015 us=557193 status_file_update_freq = 60
Tue Aug 11 17:16:56 2015 us=557205 occ = ENABLED
Tue Aug 11 17:16:56 2015 us=557217 rcvbuf = 65536
Tue Aug 11 17:16:56 2015 us=557228 sndbuf = 65536
Tue Aug 11 17:16:56 2015 us=557239 mark = 0
Tue Aug 11 17:16:56 2015 us=557249 sockflags = 0
Tue Aug 11 17:16:56 2015 us=557260 fast_io = DISABLED
Tue Aug 11 17:16:56 2015 us=557272 lzo = 7
Tue Aug 11 17:16:56 2015 us=557282 route_script = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=557293 route_default_gateway = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=557304 route_default_metric = 0
Tue Aug 11 17:16:56 2015 us=557379 route_noexec = DISABLED
Tue Aug 11 17:16:56 2015 us=557391 route_delay = 0
Tue Aug 11 17:16:56 2015 us=557402 route_delay_window = 30
Tue Aug 11 17:16:56 2015 us=557413 route_delay_defined = DISABLED
Tue Aug 11 17:16:56 2015 us=557424 route_nopull = DISABLED
Tue Aug 11 17:16:56 2015 us=557435 route_gateway_via_dhcp = DISABLED
Tue Aug 11 17:16:56 2015 us=557446 max_routes = 100
Tue Aug 11 17:16:56 2015 us=557457 allow_pull_fqdn = DISABLED
Tue Aug 11 17:16:56 2015 us=557474 route 10.8.0.0/255.255.255.0/nil/nil
Tue Aug 11 17:16:56 2015 us=557485 management_addr = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=557496 management_port = 0
Tue Aug 11 17:16:56 2015 us=557507 management_user_pass = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=557519 management_log_history_cache = 250
Tue Aug 11 17:16:56 2015 us=557530 management_echo_buffer_size = 100
Tue Aug 11 17:16:56 2015 us=557542 management_write_peer_info_file = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=557556 management_client_user = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=557567 management_client_group = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=557579 management_flags = 0
Tue Aug 11 17:16:56 2015 us=557595 shared_secret_file = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=557607 key_direction = 0
Tue Aug 11 17:16:56 2015 us=557619 ciphername_defined = ENABLED
Tue Aug 11 17:16:56 2015 us=557630 ciphername = 'BF-CBC'
Tue Aug 11 17:16:56 2015 us=557641 authname_defined = ENABLED
Tue Aug 11 17:16:56 2015 us=557703 authname = 'SHA1'
Tue Aug 11 17:16:56 2015 us=557719 prng_hash = 'SHA1'
Tue Aug 11 17:16:56 2015 us=557730 prng_nonce_secret_len = 16
Tue Aug 11 17:16:56 2015 us=557741 keysize = 0
Tue Aug 11 17:16:56 2015 us=557752 engine = DISABLED
Tue Aug 11 17:16:56 2015 us=557767 replay = ENABLED
Tue Aug 11 17:16:56 2015 us=557778 mute_replay_warnings = DISABLED
Tue Aug 11 17:16:56 2015 us=557861 replay_window = 64
Tue Aug 11 17:16:56 2015 us=557956 replay_time = 15
Tue Aug 11 17:16:56 2015 us=557968 packet_id_file = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=557979 use_iv = ENABLED
Tue Aug 11 17:16:56 2015 us=557991 test_crypto = DISABLED
Tue Aug 11 17:16:56 2015 us=558002 tls_server = ENABLED
Tue Aug 11 17:16:56 2015 us=558015 tls_client = DISABLED
Tue Aug 11 17:16:56 2015 us=558026 key_method = 2
Tue Aug 11 17:16:56 2015 us=558038 ca_file = '/etc/openvpn/easy-rsa/keys/ca.crt'
Tue Aug 11 17:16:56 2015 us=558050 ca_path = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=558061 dh_file = '/etc/openvpn/easy-rsa/keys/dh2048.pem'
Tue Aug 11 17:16:56 2015 us=558072 cert_file = '/etc/openvpn/easy-rsa/keys/server_openvpn_certificate.crt'
Tue Aug 11 17:16:56 2015 us=558085 priv_key_file = '/etc/openvpn/easy-rsa/keys/server_openvpn_certificate.key'
Tue Aug 11 17:16:56 2015 us=558097 pkcs12_file = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=558108 cipher_list = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=558119 tls_verify = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=558130 tls_export_cert = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=558141 verify_x509_type = 0
Tue Aug 11 17:16:56 2015 us=558152 verify_x509_name = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=558163 crl_file = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=558175 ns_cert_type = 0
Tue Aug 11 17:16:56 2015 us=558190 remote_cert_ku[i] = 0
Tue Aug 11 17:16:56 2015 us=558203 remote_cert_ku[i] = 0
Tue Aug 11 17:16:56 2015 us=558215 remote_cert_ku[i] = 0
Tue Aug 11 17:16:56 2015 us=558226 remote_cert_ku[i] = 0
Tue Aug 11 17:16:56 2015 us=558237 remote_cert_ku[i] = 0
Tue Aug 11 17:16:56 2015 us=558248 remote_cert_ku[i] = 0
Tue Aug 11 17:16:56 2015 us=558258 remote_cert_ku[i] = 0
Tue Aug 11 17:16:56 2015 us=558400 remote_cert_ku[i] = 0
Tue Aug 11 17:16:56 2015 us=558412 remote_cert_ku[i] = 0
Tue Aug 11 17:16:56 2015 us=558510 remote_cert_ku[i] = 0
Tue Aug 11 17:16:56 2015 us=558527 remote_cert_ku[i] = 0
Tue Aug 11 17:16:56 2015 us=558538 remote_cert_ku[i] = 0
Tue Aug 11 17:16:56 2015 us=558549 remote_cert_ku[i] = 0
Tue Aug 11 17:16:56 2015 us=558559 remote_cert_ku[i] = 0
Tue Aug 11 17:16:56 2015 us=558570 remote_cert_ku[i] = 0
Tue Aug 11 17:16:56 2015 us=558581 remote_cert_ku[i] = 0
Tue Aug 11 17:16:56 2015 us=558592 remote_cert_eku = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=558602 ssl_flags = 0
Tue Aug 11 17:16:56 2015 us=558613 tls_timeout = 2
Tue Aug 11 17:16:56 2015 us=558624 renegotiate_bytes = 0
Tue Aug 11 17:16:56 2015 us=558635 renegotiate_packets = 0
Tue Aug 11 17:16:56 2015 us=558646 renegotiate_seconds = 3600
Tue Aug 11 17:16:56 2015 us=558656 handshake_window = 60
Tue Aug 11 17:16:56 2015 us=558668 transition_window = 3600
Tue Aug 11 17:16:56 2015 us=558681 single_session = DISABLED
Tue Aug 11 17:16:56 2015 us=558692 push_peer_info = DISABLED
Tue Aug 11 17:16:56 2015 us=558703 tls_exit = DISABLED
Tue Aug 11 17:16:56 2015 us=558714 tls_auth_file = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=558725 pkcs11_protected_authentication = DISABLED
Tue Aug 11 17:16:56 2015 us=558737 pkcs11_protected_authentication = DISABLED
Tue Aug 11 17:16:56 2015 us=558748 pkcs11_protected_authentication = DISABLED
Tue Aug 11 17:16:56 2015 us=558760 pkcs11_protected_authentication = DISABLED
Tue Aug 11 17:16:56 2015 us=558772 pkcs11_protected_authentication = DISABLED
Tue Aug 11 17:16:56 2015 us=558783 pkcs11_protected_authentication = DISABLED
Tue Aug 11 17:16:56 2015 us=558794 pkcs11_protected_authentication = DISABLED
Tue Aug 11 17:16:56 2015 us=558805 pkcs11_protected_authentication = DISABLED
Tue Aug 11 17:16:56 2015 us=558816 pkcs11_protected_authentication = DISABLED
Tue Aug 11 17:16:56 2015 us=558827 pkcs11_protected_authentication = DISABLED
Tue Aug 11 17:16:56 2015 us=558838 pkcs11_protected_authentication = DISABLED
Tue Aug 11 17:16:56 2015 us=558850 pkcs11_protected_authentication = DISABLED
Tue Aug 11 17:16:56 2015 us=558860 pkcs11_protected_authentication = DISABLED
Tue Aug 11 17:16:56 2015 us=558877 pkcs11_protected_authentication = DISABLED
Tue Aug 11 17:16:56 2015 us=558889 pkcs11_protected_authentication = DISABLED
Tue Aug 11 17:16:56 2015 us=558900 pkcs11_protected_authentication = DISABLED
Tue Aug 11 17:16:56 2015 us=558973 pkcs11_private_mode = 00000000
Tue Aug 11 17:16:56 2015 us=558991 pkcs11_private_mode = 00000000
Tue Aug 11 17:16:56 2015 us=559003 pkcs11_private_mode = 00000000
Tue Aug 11 17:16:56 2015 us=559014 pkcs11_private_mode = 00000000
Tue Aug 11 17:16:56 2015 us=559026 pkcs11_private_mode = 00000000
Tue Aug 11 17:16:56 2015 us=559037 pkcs11_private_mode = 00000000
Tue Aug 11 17:16:56 2015 us=559048 pkcs11_private_mode = 00000000
Tue Aug 11 17:16:56 2015 us=559059 pkcs11_private_mode = 00000000
Tue Aug 11 17:16:56 2015 us=559070 pkcs11_private_mode = 00000000
Tue Aug 11 17:16:56 2015 us=559080 pkcs11_private_mode = 00000000
Tue Aug 11 17:16:56 2015 us=559091 pkcs11_private_mode = 00000000
Tue Aug 11 17:16:56 2015 us=559102 pkcs11_private_mode = 00000000
Tue Aug 11 17:16:56 2015 us=559113 pkcs11_private_mode = 00000000
Tue Aug 11 17:16:56 2015 us=559123 pkcs11_private_mode = 00000000
Tue Aug 11 17:16:56 2015 us=559135 pkcs11_private_mode = 00000000
Tue Aug 11 17:16:56 2015 us=559146 pkcs11_private_mode = 00000000
Tue Aug 11 17:16:56 2015 us=559158 pkcs11_cert_private = DISABLED
Tue Aug 11 17:16:56 2015 us=559171 pkcs11_cert_private = DISABLED
Tue Aug 11 17:16:56 2015 us=559182 pkcs11_cert_private = DISABLED
Tue Aug 11 17:16:56 2015 us=559196 pkcs11_cert_private = DISABLED
Tue Aug 11 17:16:56 2015 us=559209 pkcs11_cert_private = DISABLED
Tue Aug 11 17:16:56 2015 us=559221 pkcs11_cert_private = DISABLED
Tue Aug 11 17:16:56 2015 us=559233 pkcs11_cert_private = DISABLED
Tue Aug 11 17:16:56 2015 us=559244 pkcs11_cert_private = DISABLED
Tue Aug 11 17:16:56 2015 us=559255 pkcs11_cert_private = DISABLED
Tue Aug 11 17:16:56 2015 us=559266 pkcs11_cert_private = DISABLED
Tue Aug 11 17:16:56 2015 us=559278 pkcs11_cert_private = DISABLED
Tue Aug 11 17:16:56 2015 us=559288 pkcs11_cert_private = DISABLED
Tue Aug 11 17:16:56 2015 us=559300 pkcs11_cert_private = DISABLED
Tue Aug 11 17:16:56 2015 us=559339 pkcs11_cert_private = DISABLED
Tue Aug 11 17:16:56 2015 us=559351 pkcs11_cert_private = DISABLED
Tue Aug 11 17:16:56 2015 us=559363 pkcs11_cert_private = DISABLED
Tue Aug 11 17:16:56 2015 us=559374 pkcs11_pin_cache_period = -1
Tue Aug 11 17:16:56 2015 us=559386 pkcs11_id = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=559397 pkcs11_id_management = DISABLED
Tue Aug 11 17:16:56 2015 us=559410 server_network = 10.8.0.0
Tue Aug 11 17:16:56 2015 us=559423 server_netmask = 255.255.255.0
Tue Aug 11 17:16:56 2015 us=559436 server_network_ipv6 = ::
Tue Aug 11 17:16:56 2015 us=559496 server_netbits_ipv6 = 0
Tue Aug 11 17:16:56 2015 us=559509 server_bridge_ip = 0.0.0.0
Tue Aug 11 17:16:56 2015 us=559521 server_bridge_netmask = 0.0.0.0
Tue Aug 11 17:16:56 2015 us=559533 server_bridge_pool_start = 0.0.0.0
Tue Aug 11 17:16:56 2015 us=559545 server_bridge_pool_end = 0.0.0.0
Tue Aug 11 17:16:56 2015 us=559556 push_entry = 'redirect-gateway def1 bypass-dhcp'
Tue Aug 11 17:16:56 2015 us=559567 push_entry = 'dhcp-option DNS 127.0.0.1'
Tue Aug 11 17:16:56 2015 us=559579 push_entry = 'dhcp-option DNS 192.168.1.11'
Tue Aug 11 17:16:56 2015 us=559590 push_entry = 'dhcp-option DNS 8.8.4.4'
Tue Aug 11 17:16:56 2015 us=559603 push_entry = 'route 10.8.0.1'
Tue Aug 11 17:16:56 2015 us=559614 push_entry = 'topology net30'
Tue Aug 11 17:16:56 2015 us=559625 push_entry = 'ping 10'
Tue Aug 11 17:16:56 2015 us=559636 push_entry = 'ping-restart 120'
Tue Aug 11 17:16:56 2015 us=559646 ifconfig_pool_defined = ENABLED
Tue Aug 11 17:16:56 2015 us=559658 ifconfig_pool_start = 10.8.0.4
Tue Aug 11 17:16:56 2015 us=559670 ifconfig_pool_end = 10.8.0.251
Tue Aug 11 17:16:56 2015 us=559682 ifconfig_pool_netmask = 0.0.0.0
Tue Aug 11 17:16:56 2015 us=559693 ifconfig_pool_persist_filename = 'ipp.txt'
Tue Aug 11 17:16:56 2015 us=559705 ifconfig_pool_persist_refresh_freq = 600
Tue Aug 11 17:16:56 2015 us=559716 ifconfig_ipv6_pool_defined = DISABLED
Tue Aug 11 17:16:56 2015 us=559727 ifconfig_ipv6_pool_base = ::
Tue Aug 11 17:16:56 2015 us=559738 ifconfig_ipv6_pool_netbits = 0
Tue Aug 11 17:16:56 2015 us=559750 n_bcast_buf = 256
Tue Aug 11 17:16:56 2015 us=559760 tcp_queue_limit = 64
Tue Aug 11 17:16:56 2015 us=559771 real_hash_size = 256
Tue Aug 11 17:16:56 2015 us=559782 virtual_hash_size = 256
Tue Aug 11 17:16:56 2015 us=559792 client_connect_script = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=559803 learn_address_script = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=559814 client_disconnect_script = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=559825 client_config_dir = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=559836 ccd_exclusive = DISABLED
Tue Aug 11 17:16:56 2015 us=559847 tmp_dir = '/tmp'
Tue Aug 11 17:16:56 2015 us=559858 push_ifconfig_defined = DISABLED
Tue Aug 11 17:16:56 2015 us=559870 push_ifconfig_local = 0.0.0.0
Tue Aug 11 17:16:56 2015 us=559882 push_ifconfig_remote_netmask = 0.0.0.0
Tue Aug 11 17:16:56 2015 us=559893 push_ifconfig_ipv6_defined = DISABLED
Tue Aug 11 17:16:56 2015 us=559905 push_ifconfig_ipv6_local = ::/0
Tue Aug 11 17:16:56 2015 us=559917 push_ifconfig_ipv6_remote = ::
Tue Aug 11 17:16:56 2015 us=559927 enable_c2c = DISABLED
Tue Aug 11 17:16:56 2015 us=559938 duplicate_cn = DISABLED
Tue Aug 11 17:16:56 2015 us=559949 cf_max = 0
Tue Aug 11 17:16:56 2015 us=559959 cf_per = 0
Tue Aug 11 17:16:56 2015 us=559970 max_clients = 1024
Tue Aug 11 17:16:56 2015 us=559981 max_routes_per_client = 256
Tue Aug 11 17:16:56 2015 us=559992 auth_user_pass_verify_script = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=560003 auth_user_pass_verify_script_via_file = DISABLED
Tue Aug 11 17:16:56 2015 us=560014 port_share_host = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=560025 port_share_port = 0
Tue Aug 11 17:16:56 2015 us=560035 client = DISABLED
Tue Aug 11 17:16:56 2015 us=560046 pull = DISABLED
Tue Aug 11 17:16:56 2015 us=560056 auth_user_pass_file = '[UNDEF]'
Tue Aug 11 17:16:56 2015 us=560069 OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec 1 2014
Tue Aug 11 17:16:56 2015 us=560093 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
Tue Aug 11 17:16:56 2015 us=569504 Diffie-Hellman initialized with 2048 bit key
Tue Aug 11 17:16:56 2015 us=570362 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Aug 11 17:16:56 2015 us=570401 Socket Buffers: R=[133120->131072] S=[133120->131072]
Tue Aug 11 17:16:56 2015 us=570849 ROUTE_GATEWAY ON_LINK IFACE=venet0 HWADDR=00:00:00:00:00:00
Tue Aug 11 17:16:56 2015 us=571278 TUN/TAP device tun0 opened
Tue Aug 11 17:16:56 2015 us=571304 TUN/TAP TX queue length set to 100
Tue Aug 11 17:16:56 2015 us=571470 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Aug 11 17:16:56 2015 us=572164 /sbin/ip link set dev tun0 up mtu 1500
Tue Aug 11 17:16:56 2015 us=588878 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Aug 11 17:16:56 2015 us=591366 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Tue Aug 11 17:16:56 2015 us=593458 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Aug 11 17:16:56 2015 us=594254 GID set to nogroup
Tue Aug 11 17:16:56 2015 us=594283 UID set to nobody
Tue Aug 11 17:16:56 2015 us=594344 UDPv4 link local (bound): [undef]
Tue Aug 11 17:16:56 2015 us=594357 UDPv4 link remote: [undef]
Tue Aug 11 17:16:56 2015 us=594386 MULTI: multi_init called, r=256 v=256
Tue Aug 11 17:16:56 2015 us=594465 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Tue Aug 11 17:16:56 2015 us=594515 ifconfig_pool_read(), in='myHost,10.8.0.4', TODO: IPv6
Tue Aug 11 17:16:56 2015 us=594531 succeeded -> ifconfig_pool_set()
Tue Aug 11 17:16:56 2015 us=594544 IFCONFIG POOL LIST
Tue Aug 11 17:16:56 2015 us=594556 myHost,10.8.0.4
Tue Aug 11 17:16:56 2015 us=594597 Initialization Sequence Completed
Tue Aug 11 17:17:00 2015 us=445356 MULTI: multi_create_instance called
Tue Aug 11 17:17:00 2015 us=445470 87.231.96.37:40861 Re-using SSL/TLS context
Tue Aug 11 17:17:00 2015 us=445550 87.231.96.37:40861 LZO compression initialized
Tue Aug 11 17:17:00 2015 us=445788 87.231.96.37:40861 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Aug 11 17:17:00 2015 us=445809 87.231.96.37:40861 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Aug 11 17:17:00 2015 us=445858 87.231.96.37:40861 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Aug 11 17:17:00 2015 us=445872 87.231.96.37:40861 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Aug 11 17:17:00 2015 us=445922 87.231.96.37:40861 Local Options hash (VER=V4): '530fdded'
Tue Aug 11 17:17:00 2015 us=445945 87.231.96.37:40861 Expected Remote Options hash (VER=V4): '41690919'
Tue Aug 11 17:17:00 2015 us=446007 87.231.96.37:40861 UDPv4 READ [14] from [AF_INET]87.231.96.37:40861: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue Aug 11 17:17:00 2015 us=446042 87.231.96.37:40861 TLS: Initial packet from [AF_INET]87.231.96.37:40861, sid=a32d8e15 e3a80243
Tue Aug 11 17:17:00 2015 us=446097 87.231.96.37:40861 UDPv4 WRITE [26] to [AF_INET]87.231.96.37:40861: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Tue Aug 11 17:17:00 2015 us=538563 87.231.96.37:40861 UDPv4 READ [22] from [AF_INET]87.231.96.37:40861: P_ACK_V1 kid=0 [ 0 ]
Tue Aug 11 17:17:00 2015 us=542690 87.231.96.37:40861 UDPv4 READ [114] from [AF_INET]87.231.96.37:40861: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=100
Tue Aug 11 17:17:00 2015 us=542830 87.231.96.37:40861 UDPv4 WRITE [22] to [AF_INET]87.231.96.37:40861: P_ACK_V1 kid=0 [ 1 ]
Tue Aug 11 17:17:00 2015 us=546812 87.231.96.37:40861 UDPv4 READ [114] from [AF_INET]87.231.96.37:40861: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=100
Tue Aug 11 17:17:00 2015 us=546934 87.231.96.37:40861 UDPv4 WRITE [22] to [AF_INET]87.231.96.37:40861: P_ACK_V1 kid=0 [ 2 ]
Server resolv.conf:
cat /etc/resolv.conf
search mydomain.com
domain mydomain.com
nameserver 127.0.0.1
nameserver 192.168.1.11
nameserver 8.8.4.4
IP forwarding:
cat /etc/sysctl.conf|grep -v "#"
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
I have also tried:
net.ipv4.conf.all.forwarding=1
Server NAT rules:
iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 10.8.0.0/24 anywhere to:167.114.2.27
SNAT all -- 10.8.0.0/24 anywhere to:167.114.2.27
MASQUERADE all -- anywhere anywhere
MASQUERADE all -- 10.8.0.0/24 anywhere
MASQUERADE all -- 10.8.0.0/24 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Firewall rules:
(The post body is limited to 30000 characters, so please find them here: http://pastebin.com/j7r6yTBN)
This is the OpenVPN client log (never mind the VPN IP address):
sudo openvpn /etc/openvpn/client.conf
Tue Aug 11 23:29:33 2015 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Tue Aug 11 23:29:33 2015 Socket Buffers: R=[212992->131072] S=[212992->131072]
Tue Aug 11 23:29:33 2015 UDPv4 link local: [undef]
Tue Aug 11 23:29:33 2015 UDPv4 link remote: [AF_INET]*.*.*.*:1194
Tue Aug 11 23:29:34 2015 TLS: Initial packet from [AF_INET]*.*.*.*:1194, sid=bdf2bcf1 928efbf8
Tue Aug 11 23:29:35 2015 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=EasyRSA, [email protected]
Tue Aug 11 23:29:35 2015 VERIFY OK: nsCertType=SERVER
Tue Aug 11 23:29:35 2015 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=myServerTun, name=EasyRSA, [email protected]
Tue Aug 11 23:29:37 2015 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Aug 11 23:29:37 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Aug 11 23:29:37 2015 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Aug 11 23:29:37 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Aug 11 23:29:37 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Aug 11 23:29:37 2015 [myServerTun] Peer Connection Initiated with [AF_INET]*.*.*.*:1194
Tue Aug 11 23:29:39 2015 SENT CONTROL [myServerTun]: 'PUSH_REQUEST' (status=1)
Tue Aug 11 23:29:39 2015 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 127.0.0.1,dhcp-option DNS 192.168.1.11,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Tue Aug 11 23:29:39 2015 OPTIONS IMPORT: timers and/or timeouts modified
Tue Aug 11 23:29:39 2015 OPTIONS IMPORT: --ifconfig/up options modified
Tue Aug 11 23:29:39 2015 OPTIONS IMPORT: route options modified
Tue Aug 11 23:29:39 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Aug 11 23:29:39 2015 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=wlan0 HWADDR=80:19:34:4b:47:54
Tue Aug 11 23:29:39 2015 TUN/TAP device tun0 opened
Tue Aug 11 23:29:39 2015 TUN/TAP TX queue length set to 100
Tue Aug 11 23:29:39 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Aug 11 23:29:39 2015 /sbin/ip link set dev tun0 up mtu 1500
Tue Aug 11 23:29:39 2015 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Tue Aug 11 23:29:39 2015 /sbin/ip route add *.*.*.*/32 via 192.168.0.1
Tue Aug 11 23:29:39 2015 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Tue Aug 11 23:29:39 2015 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Tue Aug 11 23:29:39 2015 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Tue Aug 11 23:29:39 2015 Initialization Sequence Completed
On the client:
nslookup yahoo.com
;; connection timed out; no servers could be reached
On the server I have fail2ban installed, and:
cat /etc/fail2ban/filter.d/openvpn.conf
[Definition]
failregex = <HOST>:\d{1,5} TLS Auth Error
            <HOST>:\d{1,5} VERIFY ERROR:
            <HOST>:\d{1,5} TLS Error: TLS handshake failed
And this is the tcpdump on the server side.
What is wrong?
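As an added check (not code from the question's author), the following Python linter reads the server configuration posted above and classifies each pushed `dhcp-option DNS` address by whether a connected client can actually reach it. The config text is copied from the post; the labels and reachability rules are an assumption of this example, based on the fact that an address pushed to a client is interpreted on the client.

```python
import ipaddress
import shlex

# Server config as posted in the question (comment lines already filtered out).
SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 127.0.0.1"
push "dhcp-option DNS 192.168.1.11"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
"""


def parse_config(text):
    """Return (vpn_subnet, redirect_gateway_pushed, [pushed DNS addresses])."""
    subnet, redirect, dns = None, False, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        tokens = shlex.split(line)  # honours the quotes around push arguments
        if tokens[0] == "server" and len(tokens) >= 3:
            # OpenVPN writes the subnet as "network netmask"; ipaddress accepts that form.
            subnet = ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}", strict=False)
        elif tokens[0] == "push" and len(tokens) >= 2:
            pushed = tokens[1].split()
            if pushed[:1] == ["redirect-gateway"]:
                redirect = True
            elif pushed[:2] == ["dhcp-option", "DNS"] and len(pushed) == 3:
                dns.append(ipaddress.ip_address(pushed[2]))
    return subnet, redirect, dns


def classify(addr, subnet, redirect):
    """Label one pushed resolver from the client's point of view (assumed rules)."""
    if addr.is_loopback:
        # 127.0.0.1 on the client is the client itself, not the server's resolver.
        return "BROKEN", "loopback refers to the client, queries never reach the server"
    if subnet is not None and addr in subnet:
        return "OK", "inside the VPN subnet, reachable over tun"
    if addr.is_private:
        return "CHECK", "private address outside the VPN; server must route/forward to it"
    if redirect:
        return "OK", "public resolver reached through redirect-gateway and NAT"
    return "CHECK", "public resolver, but without redirect-gateway it bypasses the VPN"


def lint(text):
    """Return [(address, label, reason)] in pushed order.

    Resolvers try nameservers in listed order, so a BROKEN first entry
    shows up on the client as lookups timing out.
    """
    subnet, redirect, dns = parse_config(text)
    return [(str(a),) + classify(a, subnet, redirect) for a in dns]


if __name__ == "__main__":
    for addr, label, reason in lint(SERVER_CONF):
        print(f"{label:7} {addr:15} {reason}")
```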