So, I am trying to set up an OpenVPN server on a cloud VM running CentOS 7. The client (Windows) can connect to the OpenVPN server, and I can ping the server from the client, but the server cannot ping the client.
I used the "road warrior" installer script from here - https://github.com/Nyr/openvpn-install
That set up the basic environment for me. I added a few lines to the server.conf file, because my end goal is to have multiple clients able to reach each other through the server. I marked the lines I added with a comment.
My server.conf:
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
route 172.16.0.0 255.255.240.0 #added
client-config-dir ccd #added
client-to-client #added
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 183.60.83.19"
push "dhcp-option DNS 183.60.82.98"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
My ccd/client file:
iroute 172.16.0.0 255.255.240.0
My client.ovpn file:
client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote <cloudvm-publicIP> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
setenv opt block-outside-dns
key-direction 1
verb 3
<ca>
-----BEGIN CERTIFICATE-----
some-cert
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
some-cert
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
some-key
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
some-key
-----END OpenVPN Static key V1-----
</tls-auth>
I also added push "route 172.16.0.0 255.255.240.0" to server.conf, but that did not help either.
Output of ifconfig:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.0.4 netmask 255.255.240.0 broadcast 172.16.15.255
ether 52:54:00:8b:c1:c8 txqueuelen 1000 (Ethernet)
RX packets 54319 bytes 32541424 (31.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 39171 bytes 8225587 (7.8 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1 (Local Loopback)
RX packets 12 bytes 1008 (1008.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 12 bytes 1008 (1008.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.0 destination 10.8.0.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 492 bytes 74464 (72.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 472 bytes 175631 (171.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
From route -n:
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.16.0.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
172.16.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
iptables --list gives me:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.8.0.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
and the nat table (using iptables -t nat --list) -
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 10.8.0.0/24 !10.8.0.0/24 to:172.16.0.4
I have a feeling this has to do with one of the rules I set up, because I cannot even ping the gateway (172.16.0.1) that I get from route -n. The request times out.
Am I missing something? That is entirely possible, since this is my first time trying to set up something of this scale.
This question is somewhat similar to this one; I followed the accepted answer there, but my problem is still not resolved.
Cheers.
Answer 1
This is not a server problem. By default, newer versions of Windows block incoming pings. To troubleshoot, you can run Wireshark on the Windows host to see whether the icmp echo request packets are arriving. Adjust the Windows firewall.
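As an added example (not part of the answer above or of the Nyr installer), here is the Windows-side check and fix the answer alludes to, done from an elevated PowerShell on the client. It lists the built-in inbound ICMPv4 echo rules and which profile the VPN adapter landed in, then adds a rule scoped to the VPN subnet rather than enabling the broad built-in one. The subnet 10.8.0.0/24 is taken from the posted server.conf; the rule display name is made up for this example.

```powershell
# Added example, not from the original question or answer.
# Run in an elevated PowerShell on the Windows OpenVPN client.
# Assumption: the VPN subnet is 10.8.0.0/24 (from the posted server.conf).
# The rule name below is invented for this example.

$RuleName  = 'OpenVPN - allow ICMPv4 echo from VPN subnet'
$VpnSubnet = '10.8.0.0/24'

# 1. Show the built-in inbound ICMPv4 echo rules and whether they are enabled.
#    On a default install they are disabled for the Public profile, which is
#    why the server's ping times out even though the tunnel itself is up.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object { $_.DisplayName -like '*ICMPv4*' -and $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Enabled, Profile

# 2. Check which network profile each adapter is in; the TAP/tun adapter is
#    usually classified as Public, the most restrictive default.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# 3. Add a narrowly scoped rule instead of enabling the broad built-in one:
#    only ICMPv4 type 8 (echo request), and only from the VPN subnet.
#    Idempotent: skip creation if a rule with this name already exists.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound `
        -Protocol ICMPv4 `
        -IcmpType 8 `
        -RemoteAddress $VpnSubnet `
        -Action Allow `
        -Profile Any | Out-Null
}

# 4. Confirm the rule exists and show the address scope it was given.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter
```

One caveat worth keeping in mind: the posted server.conf has client-to-client enabled, so a rule scoped to 10.8.0.0/24 lets every other VPN client ping this host as well, not just the server. If only the server needs to reach it, set -RemoteAddress to the server's tunnel address (10.8.0.1 in the posted ifconfig output) instead of the whole subnet.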