OpenVPN server assigns the same IP address (10.8.0.6) to all connected clients

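I followed "How To Set Up and Configure an OpenVPN Server on Ubuntu 20.04" to set up an OpenVPN server. I noticed that when any client connects to the OpenVPN server, every client gets the same IP address: 10.8.0.6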

In /etc/openvpn/server/server.conf, I have these settings so that it can assign IP addresses in 10.8.0.X:

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

On the Ubuntu client:

askar@ubuntu:~$ ifconfig 
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.11.23  netmask 255.255.255.0  broadcast 192.168.11.255
        inet6 240b:11:8a62:bc10:f64d:30ff:fe6c:7f6c  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::f64d:30ff:fe6c:7f6c  prefixlen 64  scopeid 0x20<link>
        ether f4:4d:30:6c:7f:6c  txqueuelen 1000  (Ethernet)
        RX packets 8323  bytes 1066513 (1.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6078  bytes 957451 (957.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  memory 0xdf100000-df120000  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 92  bytes 6838 (6.8 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 92  bytes 6838 (6.8 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.6  netmask 255.255.255.255  destination 10.8.0.5
        inet6 fe80::2fa0:961f:7ba8:c04c  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

On my Mac PC:

~  ifconfig                                                                                          ok  00:08:23 
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
    inet 127.0.0.1 netmask 0xff000000 
    inet6 ::1 prefixlen 128 
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
    nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=50b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV,CHANNEL_IO>
    ether ac:87:a3:3b:d2:32 
    inet6 fe80::1043:7119:8f77:8977%en0 prefixlen 64 secured scopeid 0x4 
    inet 192.168.11.2 netmask 0xffffff00 broadcast 192.168.11.255
    inet6 240b:11:8a62:bc10:1421:50dd:7a2:7e21 prefixlen 64 autoconf secured 
    inet6 240b:11:8a62:bc10:31ac:632d:c084:ae98 prefixlen 64 autoconf temporary 
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect (1000baseT <full-duplex,flow-control>)
    status: active
en1: flags=8823<UP,BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
    options=400<CHANNEL_IO>
    ether ac:29:3a:96:06:8d 
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect (<unknown type>)
    status: inactive
en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    options=460<TSO4,TSO6,CHANNEL_IO>
    ether 82:11:02:40:01:80 
    media: autoselect <full-duplex>
    status: inactive
en3: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    options=460<TSO4,TSO6,CHANNEL_IO>
    ether 82:11:02:40:01:81 
    media: autoselect <full-duplex>
    status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=63<RXCSUM,TXCSUM,TSO4,TSO6>
    ether 82:11:02:40:01:80 
    Configuration:
        id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
        maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
        root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
        ipfilter disabled flags 0x0
    member: en2 flags=3<LEARNING,DISCOVER>
            ifmaxaddr 0 port 6 priority 0 path cost 0
    member: en3 flags=3<LEARNING,DISCOVER>
            ifmaxaddr 0 port 7 priority 0 path cost 0
    nd6 options=201<PERFORMNUD,DAD>
    media: <unknown type>
    status: inactive
p2p0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 2304
    options=400<CHANNEL_IO>
    ether 0e:29:3a:96:06:8d 
    media: autoselect
    status: inactive
awdl0: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> mtu 1484
    options=400<CHANNEL_IO>
    ether 26:a4:4e:7d:9d:c5 
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect
    status: inactive
llw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=400<CHANNEL_IO>
    ether 26:a4:4e:7d:9d:c5 
    nd6 options=201<PERFORMNUD,DAD>
ham0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1404
    ether 7a:79:00:00:00:00 
    open (pid 93)
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
    inet6 fe80::1c90:674b:fb2:43af%utun0 prefixlen 64 scopeid 0xd 
    nd6 options=201<PERFORMNUD,DAD>
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
    inet6 fe80::40a2:3ba4:1052:11a7%utun1 prefixlen 64 scopeid 0xe 
    nd6 options=201<PERFORMNUD,DAD>
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
    inet6 fe80::b950:55ea:84f4:8c39%utun2 prefixlen 64 scopeid 0xf 
    nd6 options=201<PERFORMNUD,DAD>
utun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
    inet6 fe80::c30a:1bc7:4681:81ee%utun3 prefixlen 64 scopeid 0x10 
    nd6 options=201<PERFORMNUD,DAD>
utun4: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
    inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff 

106.73.138.98 is the IP address I checked at https://whatismyipaddress.com/

The Ubuntu, Mac OS and iPhone clients are all behind 106.73.138.98, which is assigned by the local ISP.

/var/log/syslog when 3 clients are connected at the same time:

Feb 24 15:27:47 openvpn openvpn[590]: 106.73.138.98:35783 TLS: Initial packet from [AF_INET]106.73.138.98:35783, sid=0822333e 11f09c9c
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 VERIFY OK: depth=1, CN=Easy-RSA CA
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 VERIFY OK: depth=0, CN=client1
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_VER=2.4.9
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_PLAT=mac
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_PROTO=2
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_NCP=2
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_LZ4=1
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_LZ4v2=1
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_LZO=1
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_COMP_STUB=1
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_COMP_STUBv2=1
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_TCPNL=1
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_5601_3.8.4a__build_5601)"
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 384 bit EC, curve: secp384r1
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 [client1] Peer Connection Initiated with [AF_INET]106.73.138.98:35783
Feb 24 15:27:48 openvpn openvpn[590]: MULTI: new connection by client 'client1' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Feb 24 15:27:48 openvpn openvpn[590]: MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Feb 24 15:27:48 openvpn openvpn[590]: MULTI: Learn: 10.8.0.6 -> client1/106.73.138.98:35783
Feb 24 15:27:48 openvpn openvpn[590]: MULTI: primary virtual IP for client1/106.73.138.98:35783: 10.8.0.6
Feb 24 15:27:49 openvpn openvpn[590]: client1/106.73.138.98:35783 PUSH: Received control message: 'PUSH_REQUEST'
Feb 24 15:27:49 openvpn openvpn[590]: client1/106.73.138.98:35783 SENT CONTROL [client1]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-GCM' (status=1)
Feb 24 15:27:49 openvpn openvpn[590]: client1/106.73.138.98:35783 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Feb 24 15:27:49 openvpn openvpn[590]: client1/106.73.138.98:35783 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 TLS: Initial packet from [AF_INET]106.73.138.98:39883, sid=b85cdfeb 0c4565bb
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 VERIFY OK: depth=1, CN=Easy-RSA CA
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 VERIFY OK: depth=0, CN=client1
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_VER=2.4.7
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_PLAT=linux
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_PROTO=2
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_NCP=2
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_LZ4=1
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_LZ4v2=1
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_LZO=1
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_COMP_STUB=1
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_COMP_STUBv2=1
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_TCPNL=1
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 384 bit EC, curve: secp384r1
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 [client1] Peer Connection Initiated with [AF_INET]106.73.138.98:39883
Feb 24 15:27:55 openvpn openvpn[590]: MULTI: new connection by client 'client1' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Feb 24 15:27:55 openvpn openvpn[590]: MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Feb 24 15:27:55 openvpn openvpn[590]: MULTI: Learn: 10.8.0.6 -> client1/106.73.138.98:39883
Feb 24 15:27:55 openvpn openvpn[590]: MULTI: primary virtual IP for client1/106.73.138.98:39883: 10.8.0.6
Feb 24 15:27:56 openvpn openvpn[590]: client1/106.73.138.98:39883 PUSH: Received control message: 'PUSH_REQUEST'
Feb 24 15:27:56 openvpn openvpn[590]: client1/106.73.138.98:39883 SENT CONTROL [client1]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Feb 24 15:27:56 openvpn openvpn[590]: client1/106.73.138.98:39883 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Feb 24 15:27:56 openvpn openvpn[590]: client1/106.73.138.98:39883 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 TLS: Initial packet from [AF_INET]106.73.138.98:43971, sid=41f8d815 33e079cb
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 VERIFY OK: depth=1, CN=Easy-RSA CA
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 VERIFY OK: depth=0, CN=client1
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 peer info: IV_VER=3.git::58b92569
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 peer info: IV_PLAT=ios
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 peer info: IV_NCP=2
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 peer info: IV_TCPNL=1
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 peer info: IV_PROTO=2
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 peer info: IV_AUTO_SESS=1
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 peer info: IV_SSO=openurl
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1521'
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 384 bit EC, curve: secp384r1
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 [client1] Peer Connection Initiated with [AF_INET]106.73.138.98:43971
Feb 24 15:28:06 openvpn openvpn[590]: MULTI: new connection by client 'client1' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Feb 24 15:28:06 openvpn openvpn[590]: MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Feb 24 15:28:06 openvpn openvpn[590]: MULTI: Learn: 10.8.0.6 -> client1/106.73.138.98:43971
Feb 24 15:28:06 openvpn openvpn[590]: MULTI: primary virtual IP for client1/106.73.138.98:43971: 10.8.0.6
Feb 24 15:28:06 openvpn openvpn[590]: client1/106.73.138.98:43971 PUSH: Received control message: 'PUSH_REQUEST'
Feb 24 15:28:06 openvpn openvpn[590]: client1/106.73.138.98:43971 SENT CONTROL [client1]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-GCM' (status=1)
Feb 24 15:28:06 openvpn openvpn[590]: client1/106.73.138.98:43971 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Feb 24 15:28:06 openvpn openvpn[590]: client1/106.73.138.98:43971 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Feb 24 15:28:12 openvpn openvpn[590]: AEAD Decrypt error: cipher final failed
Feb 24 15:28:22 openvpn openvpn[590]: AEAD Decrypt error: cipher final failed

Answer 1

Your log shows that every client is connecting with the same client certificate, and when that happens, OpenVPN drops the other connection.

Feb 24 15:28:06 openvpn openvpn[590]: MULTI: new connection by client 'client1' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.

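In general, different users should have different certificates, but if you want to allow the same user to use the same certificate on multiple devices, you can follow the instructions and start OpenVPN with the --duplicate-cn option. On Ubuntu, you can do this by editing the file /etc/default/openvpn and adding the option to OPTARGS.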

# Optional arguments to openvpn's command line
OPTARGS=""

becomes:

# Optional arguments to openvpn's command line
OPTARGS="--duplicate-cn"

Then restart OpenVPN.
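
The shared-certificate pattern described in the answer can be picked out of the server log. The following is an added example, not part of the original post or of OpenVPN: it groups sessions by certificate CN and flags any CN presented from more than one client platform. The sample log is constructed in the format shown in the question; the client2 entries, the 203.0.113.7 address and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format shown in the question; the
# client2 lines and the 203.0.113.7 address are invented for contrast.
SAMPLE_LOG = """\
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 VERIFY OK: depth=0, CN=client1
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_PLAT=mac
Feb 24 15:27:48 openvpn openvpn[590]: MULTI: primary virtual IP for client1/106.73.138.98:35783: 10.8.0.6
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 VERIFY OK: depth=0, CN=client1
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_PLAT=linux
Feb 24 15:27:55 openvpn openvpn[590]: MULTI: new connection by client 'client1' will cause previous active sessions by this client to be dropped.
Feb 24 15:27:55 openvpn openvpn[590]: MULTI: primary virtual IP for client1/106.73.138.98:39883: 10.8.0.6
Feb 24 15:30:01 openvpn openvpn[590]: 203.0.113.7:40001 VERIFY OK: depth=0, CN=client2
Feb 24 15:30:01 openvpn openvpn[590]: 203.0.113.7:40001 peer info: IV_PLAT=win
Feb 24 15:42:10 openvpn openvpn[590]: 203.0.113.7:40519 VERIFY OK: depth=0, CN=client2
Feb 24 15:42:10 openvpn openvpn[590]: 203.0.113.7:40519 peer info: IV_PLAT=win
Feb 24 15:42:10 openvpn openvpn[590]: MULTI: new connection by client 'client2' will cause previous active sessions by this client to be dropped.
"""

VERIFY = re.compile(r"(\S+:\d+) VERIFY OK: depth=0, CN=(\S+)")
PLAT = re.compile(r"(\S+:\d+) peer info: IV_PLAT=(\S+)")
DROP = re.compile(r"MULTI: new connection by client '([^']+)' will cause previous")
VIP = re.compile(r"MULTI: primary virtual IP for ([^/\s]+)/\S+: (\S+)")

def summarize(log_text):
    """Group sessions by certificate CN: peers, platforms, tunnel IPs, drops."""
    peer_cn = {}  # "ip:port" -> CN, learned from the depth=0 VERIFY line
    report = defaultdict(lambda: {"peers": set(), "platforms": set(),
                                  "virtual_ips": set(), "drops": 0})
    for line in log_text.splitlines():
        if m := VERIFY.search(line):
            peer_cn[m[1]] = m[2]
            report[m[2]]["peers"].add(m[1])
        elif (m := PLAT.search(line)) and m[1] in peer_cn:
            report[peer_cn[m[1]]]["platforms"].add(m[2])
        elif m := DROP.search(line):
            report[m[1]]["drops"] += 1
        elif m := VIP.search(line):
            report[m[1]]["virtual_ips"].add(m[2])
    return dict(report)

def shared_certificates(report):
    """CNs presented by more than one platform: one certificate on several devices.
    A single device reconnecting (same platform, new source port) is not flagged."""
    return sorted(cn for cn, r in report.items() if len(r["platforms"]) > 1)

if __name__ == "__main__":
    print(shared_certificates(summarize(SAMPLE_LOG)))
```

Issuing each device its own certificate gives every session a distinct CN, so each gets its own pool address and a single device can be revoked without affecting the others.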
