My OpenVPN server configuration has been the same for two years; every time I upgrade the server I just copy and paste it. But this time it no longer works.
I can connect my clients and ping the external internet, using either a domain name or an IP address (which means name resolution works). I can also ping the VPN server IP and the router on the server's network.
But I cannot browse the external internet or anything inside the openvpn network. The only site I can browse is the openvpn router (at 192.168.45.1).
My openvpn configuration:
dev tun
#dev tap0
client-config-dir ccd
local 192.168.45.5 # SWAP THIS NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
proto udp #Some people prefer to use tcp. Don't change it if you don't know.
port 1194
crl-verify /etc/openvpn/crl.pem
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/pki/private/server.key # SWAP WITH YOUR KEY NAME
dh /etc/openvpn/easy-rsa/pki/dh2048.pem # If you changed to 2048, change that here!
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.45.5 255.255.255.0" # SWAP THE IP NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS 8.8.8.8
push "dhcp-option DNS 192.168.45.1" # This should already match your router address and not need to be changed.
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 5 30
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 3
I have a file /etc/firewall-openvpn-rules.sh:
#!/bin/sh
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.45.5
and /etc/network/interfaces:
# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d
auto eth0
allow-hotplug eth0
iface eth0 inet static
pre-up /etc/firewall-openvpn-rules.sh
address 192.168.45.5
gateway 192.168.45.1
netmask 255.255.255.0
network 192.168.45.0
broadcast 192.168.0.255
and iptables -L -v returns:
Chain INPUT (policy ACCEPT 18750 packets, 4000K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 14757 packets, 6103K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0 dns0 anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- dns0 eth0 anywhere anywhere
Chain OUTPUT (policy ACCEPT 20662 packets, 8124K bytes)
pkts bytes target prot opt in out source destination
Thanks in advance!
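As an added example (not code from the original post), a small offline Python check that cross-references the three fragments pasted above: it derives the LAN from the address and netmask in the interfaces stanza, compares the network and broadcast options against it, and checks that the SNAT rule's source subnet matches the OpenVPN `server` line and that its --to-source is the eth0 address. The fragments are embedded as constants copied from the question, so the script runs without touching the host.

```python
import ipaddress
import shlex

# Fragments copied from the question, embedded here so the check runs offline.
INTERFACES = """\
iface eth0 inet static
address 192.168.45.5
gateway 192.168.45.1
netmask 255.255.255.0
network 192.168.45.0
broadcast 192.168.0.255
"""
SNAT_RULE = ("iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 "
             "-j SNAT --to-source 192.168.45.5")
SERVER_LINE = "server 10.8.0.0 255.255.255.0"


def parse_iface(text):
    """Collect the address-related options of an 'iface ... inet static' stanza."""
    opts = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in ("address", "netmask", "gateway", "network", "broadcast"):
            opts[parts[0]] = parts[1].strip()
    return opts


def check_config(iface_text, snat_rule, server_line):
    """Cross-check the three fragments; returns a list of findings (empty = consistent)."""
    findings = []
    o = parse_iface(iface_text)
    lan = ipaddress.ip_interface(f"{o['address']}/{o['netmask']}").network
    # network/broadcast must be the ones implied by address + netmask.
    if o.get("network") != str(lan.network_address):
        findings.append(f"network should be {lan.network_address}, not {o.get('network')}")
    if o.get("broadcast") != str(lan.broadcast_address):
        findings.append(f"broadcast should be {lan.broadcast_address}, not {o.get('broadcast')}")
    # The SNAT rule must match the tunnel subnet and rewrite to the eth0 address.
    argv = shlex.split(snat_rule)
    src = ipaddress.ip_network(argv[argv.index("-s") + 1])
    to_source = argv[argv.index("--to-source") + 1]
    vpn_net, vpn_mask = server_line.split()[1:3]
    vpn = ipaddress.ip_network(f"{vpn_net}/{vpn_mask}")
    if src != vpn:
        findings.append(f"SNAT source {src} differs from the OpenVPN subnet {vpn}")
    if to_source != o["address"]:
        findings.append(f"--to-source {to_source} is not the eth0 address {o['address']}")
    return findings


if __name__ == "__main__":
    print(check_config(INTERFACES, SNAT_RULE, SERVER_LINE) or "no inconsistencies found")
```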