Routing to the VPN server

Something is wrong with the routing table and I can't solve it :( I need a hint; I don't know where to start digging.

I have two OpenVPN clients: one runs fine under Win10, the second (DD-WRT) cannot even ping the server.

OpenVPN server (TAP)

  • local network 10.1.0.1/24
  • VPN network 10.7.0.1/24

Windows 10 (10.7.0.9)

C:\Users>route print
      0.0.0.0          0.0.0.0      10.144.78.1    10.144.78.171     35
     10.1.0.0    255.255.255.0         10.7.0.1         10.7.0.9     35
     10.7.0.0    255.255.255.0         On-link          10.7.0.9    291
     10.7.0.9  255.255.255.255         On-link          10.7.0.9    291
   10.7.0.255  255.255.255.255         On-link          10.7.0.9    291
  10.144.78.0    255.255.255.0         On-link     10.144.78.171    291
10.144.78.171  255.255.255.255         On-link     10.144.78.171    291
10.144.78.255  255.255.255.255         On-link     10.144.78.171    291
    127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
    127.0.0.1  255.255.255.255         On-link         127.0.0.1    331

DD-WRT (10.7.0.2)

root@gw2:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.33.93.1      0.0.0.0         UG    0      0        0 vlan2
10.1.0.0        10.7.0.1        255.255.255.0   UG    0      0        0 tap1
10.2.0.0        *               255.255.255.0   U     0      0        0 br0
10.7.0.0        *               255.255.255.0   U     0      0        0 tap1
10.7.0.2        *               255.255.255.255 UH    0      0        0 tap1   < (see note)
10.33.93.0      *               255.255.255.0   U     0      0        0 vlan2
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
169.254.0.0     *               255.255.0.0     U     0      0        0 br0

(Note: the 10.7.0.2 host route is one I added myself to make the routing table similar to the one on Windows. Normally OpenVPN does not generate this route; anyway, it does not help.)

root@gw2:~# traceroute 10.1.0.1
traceroute to 10.1.0.1 (10.1.0.1), 30 hops max, 38 byte packets
 1  10.7.0.2 (10.7.0.2)  2990.779 ms !H  2989.172 ms !H  2996.663 ms !H
root@gw2:~# traceroute 10.7.0.1
traceroute to 10.7.0.1 (10.7.0.1), 30 hops max, 38 byte packets
 1  10.7.0.2 (10.7.0.2)  2999.152 ms !H  2996.294 ms !H  2996.662 ms !H
root@gw2:~# traceroute 10.7.0.9
traceroute to 10.7.0.9 (10.7.0.9), 30 hops max, 38 byte packets
 1  10.7.0.2 (10.7.0.2)  2993.690 ms !H  2995.924 ms !H  2996.669 ms !H

Windows 10 OpenVPN configuration

proto tcp-client
remote XXX 1194
dev tap

nobind
persist-key

tls-client
ca ca.crt
cert da2.crt
key da2.key

verb 3
ns-cert-type server
cipher AES-256-CBC
auth SHA1
pull

auth-user-pass auth.cfg

route 10.1.0.0 255.255.255.0

DD-WRT OpenVPN configuration

root@gw2:~# ps w | grep openvpn
31434 root      3448 S    openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --down-pre /tmp/openvpncl/route-down.sh --daemon

root@gw2:~# cat /tmp/openvpncl/openvpn.conf 
ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
management 127.0.0.1 16
management-log-cache 100
verb 3
mute 3
syslog
writepid /var/run/openvpncl.pid
client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
dev tap1
proto tcp-client
cipher aes-128-cbc
auth sha1
auth-user-pass /tmp/openvpncl/credentials
remote XXX 1194
comp-lzo no
tun-mtu 1500
mtu-disc yes
route 10.1.0.0 255.255.255.0
#ping 20
#ping-restart 60

root@gw2:~# cat /tmp/openvpncl/route-up.sh
#!/bin/sh
# Delete any earlier copy of each rule before inserting it, so that re-running
# the script on reconnect does not stack duplicate rules.
iptables -D POSTROUTING -t nat -o tap1 -j MASQUERADE   # NAT LAN traffic leaving through the tunnel
iptables -I POSTROUTING -t nat -o tap1 -j MASQUERADE
iptables -D INPUT -i tap1 -j ACCEPT                    # accept anything arriving from the tunnel
iptables -I INPUT -i tap1 -j ACCEPT

UPD1: watching with tcpdump:

root@gw2:~# tcpdump -i lo icmp
15:42:14.922679 IP 10.7.0.2 > 10.7.0.2: ICMP host 10.1.0.1 unreachable, length 46
15:42:17.920105 IP 10.7.0.2 > 10.7.0.2: ICMP host 10.1.0.1 unreachable, length 46
15:42:20.917525 IP 10.7.0.2 > 10.7.0.2: ICMP host 10.1.0.1 unreachable, length 46

For some reason it looks like an infinite loop: it hops from 10.7.0.2 to 10.7.0.2. Which hop should the next-hop address be? 10.7.0.1?
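The two routing tables in the question, run through a small route-lookup simulator. This is an added example written for this page, not code from the question, from OpenVPN or from DD-WRT. The tables are transcribed from the post; because `route print` shows no interface name, the local "Interface" address stands in for the interface on the Windows side. The example does longest-prefix matching the way the kernel does, reports the address each packet is actually handed to on the interface, and checks that every gateway is itself reachable on-link through the same interface. Both tables pass that check, and all three failing traceroute targets resolve to a next hop on tap1, so the table itself is consistent. A `!H` (host unreachable) reported by the host's own address, as the tcpdump on lo shows, is the usual symptom of the next hop failing to resolve at layer 2 (ARP) on the tap interface, not of a missing route.

```python
import ipaddress

# Routing tables transcribed from the question (constructed test data for this
# example). Entry format: (destination, gateway or None when on-link, interface).
DDWRT_ROUTES = [
    ("0.0.0.0/0",      "10.33.93.1", "vlan2"),
    ("10.1.0.0/24",    "10.7.0.1",   "tap1"),
    ("10.2.0.0/24",    None,         "br0"),
    ("10.7.0.0/24",    None,         "tap1"),
    ("10.7.0.2/32",    None,         "tap1"),
    ("10.33.93.0/24",  None,         "vlan2"),
    ("127.0.0.0/8",    None,         "lo"),
    ("169.254.0.0/16", None,         "br0"),
]

# Windows `route print` has no interface-name column; the local "Interface"
# address is used as the interface identifier here (an assumption of this example).
WIN10_ROUTES = [
    ("0.0.0.0/0",        "10.144.78.1", "10.144.78.171"),
    ("10.1.0.0/24",      "10.7.0.1",    "10.7.0.9"),
    ("10.7.0.0/24",      None,          "10.7.0.9"),
    ("10.7.0.9/32",      None,          "10.7.0.9"),
    ("10.7.0.255/32",    None,          "10.7.0.9"),
    ("10.144.78.0/24",   None,          "10.144.78.171"),
    ("10.144.78.171/32", None,          "10.144.78.171"),
    ("10.144.78.255/32", None,          "10.144.78.171"),
    ("127.0.0.0/8",      None,          "127.0.0.1"),
    ("127.0.0.1/32",     None,          "127.0.0.1"),
]


def lookup(routes, dst):
    """Longest-prefix match, the way the kernel selects a route.

    Returns (network, gateway, interface), or None when no route covers dst.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, iface)
    return best


def next_hop(routes, dst):
    """Address the packet is handed to on the wire, and the interface used.

    For a gateway route that is the gateway; for an on-link route it is dst
    itself. On a tap (layer-2) interface this is the address that has to be
    resolved with ARP before the packet can leave at all.
    """
    match = lookup(routes, dst)
    if match is None:
        return None
    _, gw, iface = match
    return (gw if gw is not None else str(ipaddress.ip_address(dst)), iface)


def check_gateways(routes):
    """Return gateway routes whose gateway is not on-link via the same interface.

    An empty list means the table is self-consistent: every gateway is directly
    reachable, so a '!H' for a destination behind one of them is not caused by
    the route lookup itself.
    """
    problems = []
    for net, gw, iface in routes:
        if gw is None:
            continue
        via = lookup(routes, gw)
        if via is None or via[1] is not None or via[2] != iface:
            problems.append((net, gw, iface))
    return problems


if __name__ == "__main__":
    for dst in ("10.1.0.1", "10.7.0.1", "10.7.0.9"):
        print("DD-WRT  %-9s -> %s" % (dst, next_hop(DDWRT_ROUTES, dst)))
        print("Windows %-9s -> %s" % (dst, next_hop(WIN10_ROUTES, dst)))
    print("DD-WRT inconsistent gateways: ", check_gateways(DDWRT_ROUTES))
    print("Windows inconsistent gateways:", check_gateways(WIN10_ROUTES))
```

Running it shows that on DD-WRT every one of the three traceroute targets goes out tap1, with 10.7.0.1 as the on-wire next hop for 10.1.0.1 and the targets themselves for the 10.7.0.0/24 addresses, and that neither table has a gateway that cannot be reached on-link. When the table checks out like this, the next thing to look at on a TAP client is whether the neighbour on the tap interface answers at all (for example the ARP cache entry for 10.7.0.1 on tap1) rather than the routes.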

Answer 1

There is a reason for this.

comp-lzo no

Any mention of lzo must be removed, because Mikrotik does not support this feature at all.

Answer 2

You have two networks: one for the server/LAN and one for the OpenVPN clients. If you want to route traffic between network layers, you have to use dev-tun instead of dev-tap.
