Can't access anything on the server through the VPN after a reboot


I've been using OpenVPN on this server for a year and a half and have never had a problem. Today I rebooted the server (I reboot it about once a month) and suddenly I can't reach the web pages or file shares on the server through the VPN (they still work through the local 192.xxx addresses). If I'm on the server itself I can reach its shared drive \\10.8.0.1\Share and its website https://10.8.0.1, but other people connected over the VPN can't seem to reach it. The other computers on the VPN can still talk to each other. I looked at the firewall logs and it seems the connections never reach the server at all: there are no DROP/VPNALLOW entries for these connections in the server's logs.

I'm not sure what information to provide, so here is the VPN status (from the desktop):

Thu Mar 26 13:03:33 2020 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Thu Mar 26 13:03:33 2020 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Mar 26 13:03:33 2020 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Thu Mar 26 13:03:33 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu Mar 26 13:03:33 2020 Need hold release from management interface, waiting...
Thu Mar 26 13:03:34 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Thu Mar 26 13:03:34 2020 MANAGEMENT: CMD 'state on'
Thu Mar 26 13:03:34 2020 MANAGEMENT: CMD 'log all on'
Thu Mar 26 13:03:34 2020 MANAGEMENT: CMD 'echo all on'
Thu Mar 26 13:03:34 2020 MANAGEMENT: CMD 'bytecount 5'
Thu Mar 26 13:03:34 2020 MANAGEMENT: CMD 'hold off'
Thu Mar 26 13:03:34 2020 MANAGEMENT: CMD 'hold release'
Thu Mar 26 13:03:34 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Thu Mar 26 13:03:34 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Mar 26 13:03:34 2020 UDP link local: (not bound)
Thu Mar 26 13:03:34 2020 UDP link remote: [AF_INET]x.x.x.x:1194
Thu Mar 26 13:03:34 2020 MANAGEMENT: >STATE:1585242214,WAIT,,,,,,
Thu Mar 26 13:03:34 2020 MANAGEMENT: >STATE:1585242214,AUTH,,,,,,
Thu Mar 26 13:03:34 2020 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=fda4bf51 c3904f17
Thu Mar 26 13:03:34 2020 VERIFY OK: depth=1, C=CA, ST=ON, L=xxx, O=xxx, OU=Software, CN=xxx, name=xxx, [email protected]
Thu Mar 26 13:03:34 2020 VERIFY KU OK
Thu Mar 26 13:03:34 2020 Validating certificate extended key usage
Thu Mar 26 13:03:34 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Mar 26 13:03:34 2020 VERIFY EKU OK
Thu Mar 26 13:03:34 2020 VERIFY OK: depth=0, C=CA, ST=ON, L=xxx, O=xxx, OU=Software, CN=xxx, name=xxx, [email protected]
Thu Mar 26 13:03:34 2020 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Thu Mar 26 13:03:34 2020 [server] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
Thu Mar 26 13:03:35 2020 MANAGEMENT: >STATE:1585242215,GET_CONFIG,,,,,,
Thu Mar 26 13:03:35 2020 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Mar 26 13:03:35 2020 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.22 10.8.0.21,peer-id 7,cipher AES-256-GCM'
Thu Mar 26 13:03:35 2020 OPTIONS IMPORT: timers and/or timeouts modified
Thu Mar 26 13:03:35 2020 OPTIONS IMPORT: --ifconfig/up options modified
Thu Mar 26 13:03:35 2020 OPTIONS IMPORT: route options modified
Thu Mar 26 13:03:35 2020 OPTIONS IMPORT: peer-id set
Thu Mar 26 13:03:35 2020 OPTIONS IMPORT: adjusting link_mtu to 1625
Thu Mar 26 13:03:35 2020 OPTIONS IMPORT: data channel crypto options modified
Thu Mar 26 13:03:35 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Mar 26 13:03:35 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Mar 26 13:03:35 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Mar 26 13:03:35 2020 interactive service msg_channel=692
Thu Mar 26 13:03:35 2020 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 I=12 HWADDR=8c:ec:4b:5e:2b:63
Thu Mar 26 13:03:35 2020 open_tun
Thu Mar 26 13:03:35 2020 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{17046649-FA88-415D-90C4-F5C62416022E}.tap
Thu Mar 26 13:03:35 2020 TAP-Windows Driver Version 9.21 
Thu Mar 26 13:03:35 2020 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.22/255.255.255.252 on interface {17046649-FA88-415D-90C4-F5C62416022E} [DHCP-serv: 10.8.0.21, lease-time: 31536000]
Thu Mar 26 13:03:35 2020 Successful ARP Flush on interface [6] {17046649-FA88-415D-90C4-F5C62416022E}
Thu Mar 26 13:03:35 2020 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Mar 26 13:03:35 2020 MANAGEMENT: >STATE:1585242215,ASSIGN_IP,,10.8.0.22,,,,
Thu Mar 26 13:03:41 2020 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Thu Mar 26 13:03:41 2020 MANAGEMENT: >STATE:1585242221,ADD_ROUTES,,,,,,
Thu Mar 26 13:03:41 2020 C:\WINDOWS\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.21
Thu Mar 26 13:03:41 2020 Route addition via service succeeded
Thu Mar 26 13:03:41 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Mar 26 13:03:41 2020 Initialization Sequence Completed
Thu Mar 26 13:03:41 2020 MANAGEMENT: >STATE:1585242221,CONNECTED,SUCCESS,10.8.0.22,209.91.141.42,1194,,

The server is at 10.8.0.1 and my desktop is at 10.8.0.22.

The server's config file is (with all commented-out content removed):

port 1194
proto udp4
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# openvpn.exe --show-valid-subnets
client-config-dir ccd
route 10.8.0.18 255.255.255.252     # 
route 10.8.0.26 255.255.255.252     # 
route 10.8.0.38 255.255.255.252     # 
route 10.8.0.6 255.255.255.252      # 
route 10.8.0.14 255.255.255.252     # 
route 10.8.0.34 255.255.255.252     # 
route 10.8.0.10 255.255.255.252     # 
route 10.8.0.54 255.255.255.252     # 
route 10.8.0.82 255.255.255.252     # 
route 10.8.0.86 255.255.255.252     # 
route 10.8.0.22 255.255.255.252     # 
route 10.8.0.86 255.255.255.252     # 
route 10.8.0.90 255.255.255.252     # 
route 10.8.0.94 255.255.255.252     # 
route 10.8.0.98 255.255.255.252     # 
route 10.8.0.30 255.255.255.252     # 
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
verb 4
crl-verify "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\crl.pem"

The files in the ccd folder are basically all the same (only the IPs differ): ifconfig-push 10.8.0.22 10.8.0.21

Route table output:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.9     2
         10.8.0.0    255.255.255.0        10.8.0.21        10.8.0.22    291
        10.8.0.20  255.255.255.252         On-link         10.8.0.22    291
        10.8.0.22  255.255.255.255         On-link         10.8.0.22    291
        10.8.0.23  255.255.255.255         On-link         10.8.0.22    291
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      192.168.0.0    255.255.255.0         On-link       192.168.0.9    281
      192.168.0.9  255.255.255.255         On-link       192.168.0.9    281
    192.168.0.255  255.255.255.255         On-link       192.168.0.9    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link       192.168.0.9    281
        224.0.0.0        240.0.0.0         On-link         10.8.0.22    291
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link       192.168.0.9    281
  255.255.255.255  255.255.255.255         On-link         10.8.0.22    291
===========================================================================
Persistent Routes:
  None

All the computers run Windows 10, except the server (which runs the VPN as a service), which is Windows Server 2016.

Let me know if you need more information.

EDIT: The server also can't talk to the other computers on the VPN, so this is unlikely to be a firewall problem.

Routes from the server:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.60     35
         10.8.0.0    255.255.255.0         10.8.0.2     192.168.1.60     36
         10.8.0.0  255.255.255.252         On-link          10.8.0.1    291
         10.8.0.1  255.255.255.255         On-link          10.8.0.1    291
         10.8.0.3  255.255.255.255         On-link          10.8.0.1    291
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.60    291
     192.168.1.60  255.255.255.255         On-link      192.168.1.60    291
    192.168.1.255  255.255.255.255         On-link      192.168.1.60    291
    192.168.193.0    255.255.255.0         On-link     192.168.193.1    291
    192.168.193.1  255.255.255.255         On-link     192.168.193.1    291
  192.168.193.255  255.255.255.255         On-link     192.168.193.1    291
    192.168.227.0    255.255.255.0         On-link     192.168.227.1    291
    192.168.227.1  255.255.255.255         On-link     192.168.227.1    291
  192.168.227.255  255.255.255.255         On-link     192.168.227.1    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link          10.8.0.1    291
        224.0.0.0        240.0.0.0         On-link     192.168.227.1    291
        224.0.0.0        240.0.0.0         On-link     192.168.193.1    291
        224.0.0.0        240.0.0.0         On-link      192.168.1.60    291
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link          10.8.0.1    291
  255.255.255.255  255.255.255.255         On-link     192.168.227.1    291
  255.255.255.255  255.255.255.255         On-link     192.168.193.1    291
  255.255.255.255  255.255.255.255         On-link      192.168.1.60    291
===========================================================================
Persistent Routes:
  None

EDIT2: A tracert from the server to another computer on the VPN (physically in the same building) looks odd:

PS C:\Users\Administrator> TRACERT.EXE 10.8.0.18
Tracing route to 10.8.0.18 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  COMTREND [192.168.1.1]
  2     1 ms    <1 ms    <1 ms  ppp-69-171-101-1.vianet.ca [69.171.101.1]
  3     6 ms     1 ms     1 ms  69.156.254.158
  4     *        *        *     Request timed out.
  5     *        *     69.156.254.158  reports: Destination net unreachable.

Not sure why it's trying to go out via 192, leaving the VPN. Maybe that's a clue?

EDIT 3: Well... I managed to get it working by running route add 10.8.0.0 MASK 255.255.255.0 10.8.0.2 METRIC 3 IF 17; however, I have to do this every time the server reboots, which I'd obviously rather not.

Answer 1

After running tracert against one of the computers on the VPN, I noticed it was going out via 192. Looking back at the server's route table, it does show the route for 10.8.0.0/24 going through interface 192.168.1.60, which is obviously incorrect.

Deleting this route and re-adding the correct one does fix it, so I made the following batch file:

REM Remove the 10.8.0.0/24 route that was bound to the LAN interface (192.168.1.60)
route delete 10.8.0.0/24
REM Re-add it via the OpenVPN tun peer address (10.8.0.2) with a low metric
route add 10.8.0.0 MASK 255.255.255.0 10.8.0.2 METRIC 3

Unfortunately I have to run it myself at boot, but at least it works for now. If anyone has a better solution, please share.
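As an added example (not code from the question or the answer), here is a small Python check that parses Windows "route print" output, flags a VPN subnet route whose outgoing interface is not the tun adapter, and prints the route.exe commands that would correct it. The sample table is constructed from the server's route table above; the VPN subnet, tun address and tun peer address are assumed to be 10.8.0.0/24, 10.8.0.1 and 10.8.0.2 as in the question.

```python
import ipaddress
import re

# Constructed sample, abbreviated from the server's "route print" in the question.
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.60     35
         10.8.0.0    255.255.255.0         10.8.0.2     192.168.1.60     36
         10.8.0.0  255.255.255.252         On-link          10.8.0.1    291
         10.8.0.1  255.255.255.255         On-link          10.8.0.1    291
       192.168.1.0    255.255.255.0         On-link      192.168.1.60    291
===========================================================================
"""

# One data row: destination, netmask, gateway (IP or "On-link"), interface IP, metric
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_routes(text):
    """Parse the Active Routes rows of Windows 'route print' into dicts."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        dest, mask, gw, iface, metric = m.groups()
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            ipaddress.ip_address(iface)
        except ValueError:
            continue  # header or separator lines never parse as addresses
        routes.append({"net": net, "gateway": gw, "iface": iface, "metric": int(metric)})
    return routes

def find_misrouted(routes, vpn_net, tun_ip):
    """Return routes for exactly vpn_net whose interface is not the tun adapter."""
    vpn_net = ipaddress.ip_network(vpn_net)
    tun_ip = ipaddress.ip_address(tun_ip)
    return [r for r in routes
            if r["net"] == vpn_net and ipaddress.ip_address(r["iface"]) != tun_ip]

def fix_commands(bad, vpn_net, tun_gateway, metric=3):
    """Build the route.exe commands that replace the bad routes with the tun route."""
    net = ipaddress.ip_network(vpn_net)
    cmds = [f"route delete {net.network_address} MASK {net.netmask} {r['gateway']}" for r in bad]
    if bad:
        cmds.append(f"route add {net.network_address} MASK {net.netmask} {tun_gateway} METRIC {metric}")
    return cmds

if __name__ == "__main__":
    bad = find_misrouted(parse_routes(ROUTE_PRINT), "10.8.0.0/24", "10.8.0.1")
    print("\n".join(fix_commands(bad, "10.8.0.0/24", "10.8.0.2")))
```

On a live server the same functions can be fed the output of subprocess.run(["route", "print", "-4"]) and run from a scheduled task at startup instead of by hand.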
