我已经在此服务器上使用 OpenVPN 一年半了,从未遇到过任何问题。今天,我重新启动了服务器(我大约每月重新启动一次),突然我无法通过 VPN 访问服务器上的网页或文件共享(但它们可以通过本地 192.xxx 地址工作)。如果我在服务器上,那么我可以访问它的共享驱动器\\10.8.0.1\Share,以及它的网站https://10.8.0.1,但其他通过 VPN 连接的人似乎无法访问它。但是 VPN 上的其他计算机可以相互通信。我查看了防火墙日志,似乎连接根本无法到达服务器——服务器日志中没有与DROPVPNALLOW连接相关的记录。
我不确定要提供什么信息,所以这是 VPN 状态(来自桌面)
Thu Mar 26 13:03:33 2020 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Thu Mar 26 13:03:33 2020 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Mar 26 13:03:33 2020 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Thu Mar 26 13:03:33 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu Mar 26 13:03:33 2020 Need hold release from management interface, waiting...
Thu Mar 26 13:03:34 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Thu Mar 26 13:03:34 2020 MANAGEMENT: CMD 'state on'
Thu Mar 26 13:03:34 2020 MANAGEMENT: CMD 'log all on'
Thu Mar 26 13:03:34 2020 MANAGEMENT: CMD 'echo all on'
Thu Mar 26 13:03:34 2020 MANAGEMENT: CMD 'bytecount 5'
Thu Mar 26 13:03:34 2020 MANAGEMENT: CMD 'hold off'
Thu Mar 26 13:03:34 2020 MANAGEMENT: CMD 'hold release'
Thu Mar 26 13:03:34 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Thu Mar 26 13:03:34 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Mar 26 13:03:34 2020 UDP link local: (not bound)
Thu Mar 26 13:03:34 2020 UDP link remote: [AF_INET]x.x.x.x:1194
Thu Mar 26 13:03:34 2020 MANAGEMENT: >STATE:1585242214,WAIT,,,,,,
Thu Mar 26 13:03:34 2020 MANAGEMENT: >STATE:1585242214,AUTH,,,,,,
Thu Mar 26 13:03:34 2020 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=fda4bf51 c3904f17
Thu Mar 26 13:03:34 2020 VERIFY OK: depth=1, C=CA, ST=ON, L=xxx, O=xxx, OU=Software, CN=xxx, name=xxx, [email protected]
Thu Mar 26 13:03:34 2020 VERIFY KU OK
Thu Mar 26 13:03:34 2020 Validating certificate extended key usage
Thu Mar 26 13:03:34 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Mar 26 13:03:34 2020 VERIFY EKU OK
Thu Mar 26 13:03:34 2020 VERIFY OK: depth=0, C=CA, ST=ON, L=xxx, O=xxx, OU=Software, CN=xxx, name=xxx, [email protected]
Thu Mar 26 13:03:34 2020 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Thu Mar 26 13:03:34 2020 [server] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
Thu Mar 26 13:03:35 2020 MANAGEMENT: >STATE:1585242215,GET_CONFIG,,,,,,
Thu Mar 26 13:03:35 2020 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Mar 26 13:03:35 2020 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.22 10.8.0.21,peer-id 7,cipher AES-256-GCM'
Thu Mar 26 13:03:35 2020 OPTIONS IMPORT: timers and/or timeouts modified
Thu Mar 26 13:03:35 2020 OPTIONS IMPORT: --ifconfig/up options modified
Thu Mar 26 13:03:35 2020 OPTIONS IMPORT: route options modified
Thu Mar 26 13:03:35 2020 OPTIONS IMPORT: peer-id set
Thu Mar 26 13:03:35 2020 OPTIONS IMPORT: adjusting link_mtu to 1625
Thu Mar 26 13:03:35 2020 OPTIONS IMPORT: data channel crypto options modified
Thu Mar 26 13:03:35 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Mar 26 13:03:35 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Mar 26 13:03:35 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Mar 26 13:03:35 2020 interactive service msg_channel=692
Thu Mar 26 13:03:35 2020 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 I=12 HWADDR=8c:ec:4b:5e:2b:63
Thu Mar 26 13:03:35 2020 open_tun
Thu Mar 26 13:03:35 2020 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{17046649-FA88-415D-90C4-F5C62416022E}.tap
Thu Mar 26 13:03:35 2020 TAP-Windows Driver Version 9.21
Thu Mar 26 13:03:35 2020 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.22/255.255.255.252 on interface {17046649-FA88-415D-90C4-F5C62416022E} [DHCP-serv: 10.8.0.21, lease-time: 31536000]
Thu Mar 26 13:03:35 2020 Successful ARP Flush on interface [6] {17046649-FA88-415D-90C4-F5C62416022E}
Thu Mar 26 13:03:35 2020 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Mar 26 13:03:35 2020 MANAGEMENT: >STATE:1585242215,ASSIGN_IP,,10.8.0.22,,,,
Thu Mar 26 13:03:41 2020 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Thu Mar 26 13:03:41 2020 MANAGEMENT: >STATE:1585242221,ADD_ROUTES,,,,,,
Thu Mar 26 13:03:41 2020 C:\WINDOWS\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.21
Thu Mar 26 13:03:41 2020 Route addition via service succeeded
Thu Mar 26 13:03:41 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Mar 26 13:03:41 2020 Initialization Sequence Completed
Thu Mar 26 13:03:41 2020 MANAGEMENT: >STATE:1585242221,CONNECTED,SUCCESS,10.8.0.22,209.91.141.42,1194,,
服务器位于10.8.0.1,我的桌面位于10.8.0.22
服务器的配置文件是(删除了所有非注释的内容):
port 1194
proto udp4
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# openvpn.exe --show-valid-subnets
client-config-dir ccd
route 10.8.0.18 255.255.255.252 #
route 10.8.0.26 255.255.255.252 #
route 10.8.0.38 255.255.255.252 #
route 10.8.0.6 255.255.255.252 #
route 10.8.0.14 255.255.255.252 #
route 10.8.0.34 255.255.255.252 #
route 10.8.0.10 255.255.255.252 #
route 10.8.0.54 255.255.255.252 #
route 10.8.0.82 255.255.255.252 #
route 10.8.0.86 255.255.255.252 #
route 10.8.0.22 255.255.255.252 #
route 10.8.0.86 255.255.255.252 #
route 10.8.0.90 255.255.255.252 #
route 10.8.0.94 255.255.255.252 #
route 10.8.0.98 255.255.255.252 #
route 10.8.0.30 255.255.255.252 #
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 4
crl-verify "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\crl.pem"
文件夹中的文件ccd基本都一样(只是IP不同):ifconfig-push 10.8.0.22 10.8.0.21
路由表输出:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.9 2
10.8.0.0 255.255.255.0 10.8.0.21 10.8.0.22 291
10.8.0.20 255.255.255.252 On-link 10.8.0.22 291
10.8.0.22 255.255.255.255 On-link 10.8.0.22 291
10.8.0.23 255.255.255.255 On-link 10.8.0.22 291
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.0.0 255.255.255.0 On-link 192.168.0.9 281
192.168.0.9 255.255.255.255 On-link 192.168.0.9 281
192.168.0.255 255.255.255.255 On-link 192.168.0.9 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.0.9 281
224.0.0.0 240.0.0.0 On-link 10.8.0.22 291
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.0.9 281
255.255.255.255 255.255.255.255 On-link 10.8.0.22 291
===========================================================================
Persistent Routes:
None
所有计算机都运行 Windows 10,但服务器(运行 VPN 作为服务)除外,而是 Windows Server 2016。
如果您需要更多信息,请告诉我。
编辑:服务器也无法与 VPN 上的其他计算机通信;所以这不太可能是防火墙问题。
来自服务器的路线:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.60 35
10.8.0.0 255.255.255.0 10.8.0.2 192.168.1.60 36
10.8.0.0 255.255.255.252 On-link 10.8.0.1 291
10.8.0.1 255.255.255.255 On-link 10.8.0.1 291
10.8.0.3 255.255.255.255 On-link 10.8.0.1 291
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.1.0 255.255.255.0 On-link 192.168.1.60 291
192.168.1.60 255.255.255.255 On-link 192.168.1.60 291
192.168.1.255 255.255.255.255 On-link 192.168.1.60 291
192.168.193.0 255.255.255.0 On-link 192.168.193.1 291
192.168.193.1 255.255.255.255 On-link 192.168.193.1 291
192.168.193.255 255.255.255.255 On-link 192.168.193.1 291
192.168.227.0 255.255.255.0 On-link 192.168.227.1 291
192.168.227.1 255.255.255.255 On-link 192.168.227.1 291
192.168.227.255 255.255.255.255 On-link 192.168.227.1 291
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 10.8.0.1 291
224.0.0.0 240.0.0.0 On-link 192.168.227.1 291
224.0.0.0 240.0.0.0 On-link 192.168.193.1 291
224.0.0.0 240.0.0.0 On-link 192.168.1.60 291
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 10.8.0.1 291
255.255.255.255 255.255.255.255 On-link 192.168.227.1 291
255.255.255.255 255.255.255.255 On-link 192.168.193.1 291
255.255.255.255 255.255.255.255 On-link 192.168.1.60 291
===========================================================================
Persistent Routes:
None
EDIT2:从服务器到 VPN 上的另一台计算机(物理上位于同一栋建筑物内)的 Tracert 似乎很奇怪:
PS C:\Users\Administrator> TRACERT.EXE 10.8.0.18
Tracing route to 10.8.0.18 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms COMTREND [192.168.1.1]
2 1 ms <1 ms <1 ms ppp-69-171-101-1.vianet.ca [69.171.101.1]
3 6 ms 1 ms 1 ms 69.156.254.158
4 * * * Request timed out.
5 * * 69.156.254.158 reports: Destination net unreachable.
不确定它为什么尝试通过 192 连接,从而离开 VPN。可能有点线索?
编辑 3:好吧...我设法通过运行使其工作route add 10.8.0.0 MASK 255.255.255.0 10.8.0.2 METRIC 3 IF 17;但是,每次服务器重启时我都必须这样做,显然我宁愿不这样做。
答案1
在对 VPN 上的其中一台计算机执行操作后tracert,我注意到它正在通过 192 连接。回顾服务器的路由表,它确实显示路由是10.8.0.0/24通过接口进行的192.168.1.60,这显然是不正确的。
删除此路线并重新添加正确的路线确实可以解决问题;所以我制作了以下批处理文件:
route delete 10.8.0.0/24
route add 10.8.0.0 MASK 255.255.255.0 10.8.0.2 METRIC 3
不幸的是,我需要在启动时自己运行它,但至少现在这样。如果有人有更好的解决方案,请分享。