I have an OpenVPN network with a few clients. One of the clients has a whole network with printers behind it. The server runs on Ubuntu 20.04 LTS, the print server on Debian 8.11.
Server.conf looks like this:
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.170.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "route 10.133.10.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
The print server's client.conf looks like this:
dev tun
proto tcp
remote 168.119.40.249 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
verb 5
pull-filter ignore redirect-gateway
But the server still cannot ping any of the printers.
I assumed that maybe the route had not been added, but here it is:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.178.1 0.0.0.0 UG 0 0 0 eth2
10.133.10.0 10.170.0.1 255.255.255.0 UG 0 0 0 tun0
10.133.10.0 0.0.0.0 255.255.254.0 U 0 0 0 eth1
10.170.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.178.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
Also, I added the following to the print server's iptables:
-A INPUT -s 10.170.0.0/24 -j ACCEPT
The print server can still ping the printers:
ping 10.133.10.1
PING 10.133.10.1 (10.133.10.1) 56(84) bytes of data.
64 bytes from 10.133.10.1: icmp_seq=1 ttl=64 time=0.149 ms
64 bytes from 10.133.10.1: icmp_seq=2 ttl=64 time=0.139 ms
64 bytes from 10.133.10.1: icmp_seq=3 ttl=64 time=0.128 ms
But the OpenVPN server (or any client) cannot:
ping 10.133.10.1
PING 10.133.10.1 (10.133.10.1) 56(84) bytes of data.
^C
--- 10.133.10.1 ping statistics ---
13 packets transmitted, 0 received, 100% packet loss, time 12281ms
Log of the client's OpenVPN:
openvpn /etc/openvpn/server.conf
Sun Jun 12 20:44:33 2022 us=251723 Current Parameter Settings:
Sun Jun 12 20:44:33 2022 us=251924 config = '/etc/openvpn/server.conf'
Sun Jun 12 20:44:33 2022 us=251980 mode = 0
Sun Jun 12 20:44:33 2022 us=252029 persist_config = DISABLED
Sun Jun 12 20:44:33 2022 us=252079 persist_mode = 1
Sun Jun 12 20:44:33 2022 us=252125 show_ciphers = DISABLED
Sun Jun 12 20:44:33 2022 us=252179 show_digests = DISABLED
Sun Jun 12 20:44:33 2022 us=252225 show_engines = DISABLED
Sun Jun 12 20:44:33 2022 us=252270 genkey = DISABLED
Sun Jun 12 20:44:33 2022 us=252318 key_pass_file = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=252363 show_tls_ciphers = DISABLED
Sun Jun 12 20:44:33 2022 us=252410 connect_retry_max = 0
Sun Jun 12 20:44:33 2022 us=252456 Connection profiles [0]:
Sun Jun 12 20:44:33 2022 us=252502 proto = tcp-client
Sun Jun 12 20:44:33 2022 us=252547 local = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=252592 local_port = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=252637 remote = '168.119.40.249'
Sun Jun 12 20:44:33 2022 us=252686 remote_port = '1194'
Sun Jun 12 20:44:33 2022 us=252732 remote_float = DISABLED
Sun Jun 12 20:44:33 2022 us=252776 bind_defined = DISABLED
Sun Jun 12 20:44:33 2022 us=252822 bind_local = DISABLED
Sun Jun 12 20:44:33 2022 us=252867 bind_ipv6_only = DISABLED
Sun Jun 12 20:44:33 2022 us=252914 connect_retry_seconds = 5
Sun Jun 12 20:44:33 2022 us=252959 connect_timeout = 120
Sun Jun 12 20:44:33 2022 us=253006 socks_proxy_server = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=253052 socks_proxy_port = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=253100 tun_mtu = 1500
Sun Jun 12 20:44:33 2022 us=253164 tun_mtu_defined = ENABLED
Sun Jun 12 20:44:33 2022 us=253211 link_mtu = 1500
Sun Jun 12 20:44:33 2022 us=253264 link_mtu_defined = DISABLED
Sun Jun 12 20:44:33 2022 us=253311 tun_mtu_extra = 0
Sun Jun 12 20:44:33 2022 us=253365 tun_mtu_extra_defined = DISABLED
Sun Jun 12 20:44:33 2022 us=253419 mtu_discover_type = -1
Sun Jun 12 20:44:33 2022 us=253465 fragment = 0
Sun Jun 12 20:44:33 2022 us=253519 mssfix = 1450
Sun Jun 12 20:44:33 2022 us=253573 explicit_exit_notification = 0
Sun Jun 12 20:44:33 2022 us=253626 Connection profiles END
Sun Jun 12 20:44:33 2022 us=253680 remote_random = DISABLED
Sun Jun 12 20:44:33 2022 us=253732 ipchange = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=253784 dev = 'tun'
Sun Jun 12 20:44:33 2022 us=253835 dev_type = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=253889 dev_node = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=253941 lladdr = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=253995 topology = 1
Sun Jun 12 20:44:33 2022 us=254046 ifconfig_local = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=254100 ifconfig_remote_netmask = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=254157 ifconfig_noexec = DISABLED
Sun Jun 12 20:44:33 2022 us=254210 ifconfig_nowarn = DISABLED
Sun Jun 12 20:44:33 2022 us=254264 ifconfig_ipv6_local = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=254318 ifconfig_ipv6_netbits = 0
Sun Jun 12 20:44:33 2022 us=254370 ifconfig_ipv6_remote = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=254423 shaper = 0
Sun Jun 12 20:44:33 2022 us=254470 mtu_test = 0
Sun Jun 12 20:44:33 2022 us=254514 mlock = DISABLED
Sun Jun 12 20:44:33 2022 us=254559 keepalive_ping = 0
Sun Jun 12 20:44:33 2022 us=254605 keepalive_timeout = 0
Sun Jun 12 20:44:33 2022 us=254650 inactivity_timeout = 0
Sun Jun 12 20:44:33 2022 us=254728 ping_send_timeout = 0
Sun Jun 12 20:44:33 2022 us=254774 ping_rec_timeout = 0
Sun Jun 12 20:44:33 2022 us=254819 ping_rec_timeout_action = 0
Sun Jun 12 20:44:33 2022 us=254911 ping_timer_remote = DISABLED
Sun Jun 12 20:44:33 2022 us=254963 remap_sigusr1 = 0
Sun Jun 12 20:44:33 2022 us=255007 persist_tun = ENABLED
Sun Jun 12 20:44:33 2022 us=255051 persist_local_ip = DISABLED
Sun Jun 12 20:44:33 2022 us=255106 persist_remote_ip = DISABLED
Sun Jun 12 20:44:33 2022 us=255153 persist_key = ENABLED
Sun Jun 12 20:44:33 2022 us=255201 passtos = DISABLED
Sun Jun 12 20:44:33 2022 us=255248 resolve_retry_seconds = 1000000000
Sun Jun 12 20:44:33 2022 us=255295 resolve_in_advance = DISABLED
Sun Jun 12 20:44:33 2022 us=255341 username = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=255396 groupname = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=255450 chroot_dir = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=255498 cd_dir = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=255554 writepid = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=255603 up_script = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=255648 down_script = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=255699 down_pre = DISABLED
Sun Jun 12 20:44:33 2022 us=255744 up_restart = DISABLED
Sun Jun 12 20:44:33 2022 us=255790 up_delay = DISABLED
Sun Jun 12 20:44:33 2022 us=255835 daemon = DISABLED
Sun Jun 12 20:44:33 2022 us=255882 inetd = 0
Sun Jun 12 20:44:33 2022 us=255939 log = DISABLED
Sun Jun 12 20:44:33 2022 us=256001 suppress_timestamps = DISABLED
Sun Jun 12 20:44:33 2022 us=256053 machine_readable_output = DISABLED
Sun Jun 12 20:44:33 2022 us=256111 nice = 0
Sun Jun 12 20:44:33 2022 us=256164 verbosity = 5
Sun Jun 12 20:44:33 2022 us=256210 mute = 0
Sun Jun 12 20:44:33 2022 us=256268 gremlin = 0
Sun Jun 12 20:44:33 2022 us=256318 status_file = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=256364 status_file_version = 1
Sun Jun 12 20:44:33 2022 us=256417 status_file_update_freq = 60
Sun Jun 12 20:44:33 2022 us=256469 occ = ENABLED
Sun Jun 12 20:44:33 2022 us=256515 rcvbuf = 0
Sun Jun 12 20:44:33 2022 us=256561 sndbuf = 0
Sun Jun 12 20:44:33 2022 us=256606 mark = 0
Sun Jun 12 20:44:33 2022 us=256656 sockflags = 0
Sun Jun 12 20:44:33 2022 us=256700 fast_io = DISABLED
Sun Jun 12 20:44:33 2022 us=256756 comp.alg = 0
Sun Jun 12 20:44:33 2022 us=256807 comp.flags = 0
Sun Jun 12 20:44:33 2022 us=256851 route_script = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=256905 route_default_gateway = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=256958 route_default_metric = 0
Sun Jun 12 20:44:33 2022 us=257009 route_noexec = DISABLED
Sun Jun 12 20:44:33 2022 us=257056 route_delay = 0
Sun Jun 12 20:44:33 2022 us=257109 route_delay_window = 30
Sun Jun 12 20:44:33 2022 us=257161 route_delay_defined = DISABLED
Sun Jun 12 20:44:33 2022 us=257212 route_nopull = DISABLED
Sun Jun 12 20:44:33 2022 us=257263 route_gateway_via_dhcp = DISABLED
Sun Jun 12 20:44:33 2022 us=257313 allow_pull_fqdn = DISABLED
Sun Jun 12 20:44:33 2022 us=257358 Pull filters:
Sun Jun 12 20:44:33 2022 us=257411 ignore "redirect-gateway"
Sun Jun 12 20:44:33 2022 us=257462 management_addr = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=257507 management_port = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=257560 management_user_pass = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=257612 management_log_history_cache = 250
Sun Jun 12 20:44:33 2022 us=257660 management_echo_buffer_size = 100
Sun Jun 12 20:44:33 2022 us=257801 management_write_peer_info_file = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=257849 management_client_user = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=257896 management_client_group = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=257945 management_flags = 0
Sun Jun 12 20:44:33 2022 us=257990 shared_secret_file = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=258036 key_direction = not set
Sun Jun 12 20:44:33 2022 us=258097 ciphername = 'AES-256-CBC'
Sun Jun 12 20:44:33 2022 us=258143 ncp_enabled = ENABLED
Sun Jun 12 20:44:33 2022 us=258189 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Sun Jun 12 20:44:33 2022 us=258235 authname = 'SHA512'
Sun Jun 12 20:44:33 2022 us=258282 prng_hash = 'SHA1'
Sun Jun 12 20:44:33 2022 us=258329 prng_nonce_secret_len = 16
Sun Jun 12 20:44:33 2022 us=258381 keysize = 0
Sun Jun 12 20:44:33 2022 us=258432 engine = DISABLED
Sun Jun 12 20:44:33 2022 us=258478 replay = ENABLED
Sun Jun 12 20:44:33 2022 us=258532 mute_replay_warnings = DISABLED
Sun Jun 12 20:44:33 2022 us=258584 replay_window = 64
Sun Jun 12 20:44:33 2022 us=258630 replay_time = 15
Sun Jun 12 20:44:33 2022 us=258674 packet_id_file = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=258725 use_iv = ENABLED
Sun Jun 12 20:44:33 2022 us=258776 test_crypto = DISABLED
Sun Jun 12 20:44:33 2022 us=258828 tls_server = DISABLED
Sun Jun 12 20:44:33 2022 us=258909 tls_client = ENABLED
Sun Jun 12 20:44:33 2022 us=258956 key_method = 2
Sun Jun 12 20:44:33 2022 us=259002 ca_file = '[[INLINE]]'
Sun Jun 12 20:44:33 2022 us=259058 ca_path = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=259110 dh_file = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=259161 cert_file = '[[INLINE]]'
Sun Jun 12 20:44:33 2022 us=259208 extra_certs_file = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=259257 priv_key_file = '[[INLINE]]'
Sun Jun 12 20:44:33 2022 us=259302 pkcs12_file = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=259347 cipher_list = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=259392 cipher_list_tls13 = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=259443 tls_cert_profile = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=259488 tls_verify = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=259544 tls_export_cert = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=259595 verify_x509_type = 0
Sun Jun 12 20:44:33 2022 us=259640 verify_x509_name = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=259692 crl_file = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=259743 ns_cert_type = 0
Sun Jun 12 20:44:33 2022 us=259789 remote_cert_ku[i] = 65535
Sun Jun 12 20:44:33 2022 us=259840 remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=259886 remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=259938 remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=259989 remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=260040 remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=260090 remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=260135 remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=260184 remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=260232 remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=260285 remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=260336 remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=260381 remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=260433 remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=260485 remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=260535 remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=260580 remote_cert_eku = 'TLS Web Server Authentication'
Sun Jun 12 20:44:33 2022 us=260634 ssl_flags = 0
Sun Jun 12 20:44:33 2022 us=260684 tls_timeout = 2
Sun Jun 12 20:44:33 2022 us=260729 renegotiate_bytes = -1
Sun Jun 12 20:44:33 2022 us=260783 renegotiate_packets = 0
Sun Jun 12 20:44:33 2022 us=260835 renegotiate_seconds = 3600
Sun Jun 12 20:44:33 2022 us=260882 handshake_window = 60
Sun Jun 12 20:44:33 2022 us=260935 transition_window = 3600
Sun Jun 12 20:44:33 2022 us=260986 single_session = DISABLED
Sun Jun 12 20:44:33 2022 us=261031 push_peer_info = DISABLED
Sun Jun 12 20:44:33 2022 us=261084 tls_exit = DISABLED
Sun Jun 12 20:44:33 2022 us=261134 tls_auth_file = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=261185 tls_crypt_file = '[[INLINE]]'
Sun Jun 12 20:44:33 2022 us=261237 pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261284 pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261337 pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261388 pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261433 pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261483 pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261530 pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261578 pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261626 pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261684 pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261736 pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261787 pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261832 pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261885 pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261935 pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261980 pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=262036 pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262087 pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262133 pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262187 pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262238 pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262284 pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262337 pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262388 pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262439 pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262490 pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262536 pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262585 pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262632 pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262685 pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262737 pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262789 pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262840 pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=262903 pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=262952 pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263006 pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263056 pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263101 pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263153 pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263203 pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263249 pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263301 pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263352 pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263397 pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263449 pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263500 pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263546 pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263593 pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263641 pkcs11_pin_cache_period = -1
Sun Jun 12 20:44:33 2022 us=263689 pkcs11_id = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=263744 pkcs11_id_management = DISABLED
Sun Jun 12 20:44:33 2022 us=263816 server_network = 0.0.0.0
Sun Jun 12 20:44:33 2022 us=263867 server_netmask = 0.0.0.0
Sun Jun 12 20:44:33 2022 us=263936 server_network_ipv6 = ::
Sun Jun 12 20:44:33 2022 us=263989 server_netbits_ipv6 = 0
Sun Jun 12 20:44:33 2022 us=264048 server_bridge_ip = 0.0.0.0
Sun Jun 12 20:44:33 2022 us=264103 server_bridge_netmask = 0.0.0.0
Sun Jun 12 20:44:33 2022 us=264156 server_bridge_pool_start = 0.0.0.0
Sun Jun 12 20:44:33 2022 us=264206 server_bridge_pool_end = 0.0.0.0
Sun Jun 12 20:44:33 2022 us=264256 ifconfig_pool_defined = DISABLED
Sun Jun 12 20:44:33 2022 us=264305 ifconfig_pool_start = 0.0.0.0
Sun Jun 12 20:44:33 2022 us=264359 ifconfig_pool_end = 0.0.0.0
Sun Jun 12 20:44:33 2022 us=264409 ifconfig_pool_netmask = 0.0.0.0
Sun Jun 12 20:44:33 2022 us=264459 ifconfig_pool_persist_filename = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=264507 ifconfig_pool_persist_refresh_freq = 600
Sun Jun 12 20:44:33 2022 us=264559 ifconfig_ipv6_pool_defined = DISABLED
Sun Jun 12 20:44:33 2022 us=264621 ifconfig_ipv6_pool_base = ::
Sun Jun 12 20:44:33 2022 us=264674 ifconfig_ipv6_pool_netbits = 0
Sun Jun 12 20:44:33 2022 us=264728 n_bcast_buf = 256
Sun Jun 12 20:44:33 2022 us=264779 tcp_queue_limit = 64
Sun Jun 12 20:44:33 2022 us=264830 real_hash_size = 256
Sun Jun 12 20:44:33 2022 us=264876 virtual_hash_size = 256
Sun Jun 12 20:44:33 2022 us=264928 client_connect_script = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=264975 learn_address_script = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=265028 client_disconnect_script = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=265079 client_config_dir = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=265126 ccd_exclusive = DISABLED
Sun Jun 12 20:44:33 2022 us=265176 tmp_dir = '/tmp'
Sun Jun 12 20:44:33 2022 us=265221 push_ifconfig_defined = DISABLED
Sun Jun 12 20:44:33 2022 us=265275 push_ifconfig_local = 0.0.0.0
Sun Jun 12 20:44:33 2022 us=265325 push_ifconfig_remote_netmask = 0.0.0.0
Sun Jun 12 20:44:33 2022 us=265375 push_ifconfig_ipv6_defined = DISABLED
Sun Jun 12 20:44:33 2022 us=265425 push_ifconfig_ipv6_local = ::/0
Sun Jun 12 20:44:33 2022 us=265479 push_ifconfig_ipv6_remote = ::
Sun Jun 12 20:44:33 2022 us=265524 enable_c2c = DISABLED
Sun Jun 12 20:44:33 2022 us=265576 duplicate_cn = DISABLED
Sun Jun 12 20:44:33 2022 us=265627 cf_max = 0
Sun Jun 12 20:44:33 2022 us=265679 cf_per = 0
Sun Jun 12 20:44:33 2022 us=265725 max_clients = 1024
Sun Jun 12 20:44:33 2022 us=265776 max_routes_per_client = 256
Sun Jun 12 20:44:33 2022 us=265827 auth_user_pass_verify_script = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=265874 auth_user_pass_verify_script_via_file = DISABLED
Sun Jun 12 20:44:33 2022 us=265925 auth_token_generate = DISABLED
Sun Jun 12 20:44:33 2022 us=265971 auth_token_lifetime = 0
Sun Jun 12 20:44:33 2022 us=266023 port_share_host = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=266068 port_share_port = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=266118 client = ENABLED
Sun Jun 12 20:44:33 2022 us=266164 pull = ENABLED
Sun Jun 12 20:44:33 2022 us=266209 auth_user_pass_file = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=266274 OpenVPN 2.4.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 16 2020
Sun Jun 12 20:44:33 2022 us=266338 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Sun Jun 12 20:44:33 2022 us=268773 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jun 12 20:44:33 2022 us=268919 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jun 12 20:44:33 2022 us=268984 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jun 12 20:44:33 2022 us=269048 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jun 12 20:44:33 2022 us=269273 Control Channel MTU parms [ L:1623 D:1154 EF:96 EB:0 ET:0 EL:3 ]
Sun Jun 12 20:44:33 2022 us=269401 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Sun Jun 12 20:44:33 2022 us=269514 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Sun Jun 12 20:44:33 2022 us=269568 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Sun Jun 12 20:44:33 2022 us=269655 TCP/UDP: Preserving recently used remote address: [AF_INET]168.119.40.249:1194
Sun Jun 12 20:44:33 2022 us=269754 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sun Jun 12 20:44:33 2022 us=269811 Attempting to establish TCP connection with [AF_INET]168.119.40.249:1194 [nonblock]
Sun Jun 12 20:44:34 2022 us=270392 TCP connection established with [AF_INET]168.119.40.249:1194
Sun Jun 12 20:44:34 2022 us=270551 TCP_CLIENT link local: (not bound)
Sun Jun 12 20:44:34 2022 us=270595 TCP_CLIENT link remote: [AF_INET]168.119.40.249:1194
WRSun Jun 12 20:44:34 2022 us=295598 TLS: Initial packet from [AF_INET]168.119.40.249:1194, sid=524c914c 8714a143
WWRWRSun Jun 12 20:44:34 2022 us=367225 VERIFY OK: depth=1, CN=ChangeMe
Sun Jun 12 20:44:34 2022 us=368405 VERIFY KU OK
Sun Jun 12 20:44:34 2022 us=368498 Validating certificate extended key usage
Sun Jun 12 20:44:34 2022 us=368565 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Jun 12 20:44:34 2022 us=368626 VERIFY EKU OK
Sun Jun 12 20:44:34 2022 us=368684 VERIFY OK: depth=0, CN=server
RWWWRRWRWSun Jun 12 20:44:34 2022 us=497066 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sun Jun 12 20:44:34 2022 us=497258 [server] Peer Connection Initiated with [AF_INET]168.119.40.249:1194
Sun Jun 12 20:44:35 2022 us=670987 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
WRRSun Jun 12 20:44:35 2022 us=759338 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.133.10.0 255.255.255.0,sndbuf 512000,rcvbuf 512000,route-gateway 10.170.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.170.0.19 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Sun Jun 12 20:44:35 2022 us=759756 OPTIONS IMPORT: timers and/or timeouts modified
Sun Jun 12 20:44:35 2022 us=759832 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Sun Jun 12 20:44:35 2022 us=759905 Socket Buffers: R=[372480->425984] S=[87040->425984]
Sun Jun 12 20:44:35 2022 us=759976 OPTIONS IMPORT: --ifconfig/up options modified
Sun Jun 12 20:44:35 2022 us=760030 OPTIONS IMPORT: route options modified
Sun Jun 12 20:44:35 2022 us=760083 OPTIONS IMPORT: route-related options modified
Sun Jun 12 20:44:35 2022 us=760136 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Jun 12 20:44:35 2022 us=760189 OPTIONS IMPORT: peer-id set
Sun Jun 12 20:44:35 2022 us=760243 OPTIONS IMPORT: adjusting link_mtu to 1626
Sun Jun 12 20:44:35 2022 us=760308 OPTIONS IMPORT: data channel crypto options modified
Sun Jun 12 20:44:35 2022 us=760379 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Jun 12 20:44:35 2022 us=760481 Data Channel MTU parms [ L:1554 D:1450 EF:54 EB:406 ET:0 EL:3 ]
Sun Jun 12 20:44:35 2022 us=760952 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jun 12 20:44:35 2022 us=761040 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jun 12 20:44:35 2022 us=761769 ROUTE_GATEWAY 192.168.178.1/255.255.255.0 IFACE=eth2 HWADDR=00:0d:b9:3d:e8:82
Sun Jun 12 20:44:35 2022 us=762707 TUN/TAP device tun0 opened
Sun Jun 12 20:44:35 2022 us=762822 TUN/TAP TX queue length set to 100
Sun Jun 12 20:44:35 2022 us=762965 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Jun 12 20:44:35 2022 us=763065 /sbin/ip link set dev tun0 up mtu 1500
Sun Jun 12 20:44:35 2022 us=767441 /sbin/ip addr add dev tun0 10.170.0.19/24 broadcast 10.170.0.255
Sun Jun 12 20:44:35 2022 us=771677 /sbin/ip route add 10.133.10.0/24 via 10.170.0.1
Sun Jun 12 20:44:35 2022 us=775371 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Jun 12 20:44:35 2022 us=775477 Initialization Sequence Completed
What am I doing wrong? I need to get this working for my final exam.
Edit 1: I appended the following to server.conf:
client-config-dir /etc/openvpn/ccd
log-append /var/log/openvpn.log
route 10.133.10.0 255.255.255.0
I created the ccd directory and added a file named server_hq (the print server's CN, as seen in the log). It now contains:
ifconfig-push 10.170.0.19 255.255.255.0
iroute 10.133.10.0 255.255.255.0
Connection log of server_hq (the print server):
Sun Jun 12 21:25:36 2022 MULTI: Learn: 10.133.10.40 -> server_hq/<IP>:19295
Sun Jun 12 21:28:18 2022 server_hq/<IP>:19295 Connection reset, restarting [0]
Sun Jun 12 21:28:18 2022 server_hq/<IP>:19295 SIGUSR1[soft,connection-reset] received, client-instance restarting
Sun Jun 12 21:29:04 2022 TCP connection established with [AF_INET]<IP>:19294
Sun Jun 12 21:29:05 2022 <IP>:19294 TLS: Initial packet from [AF_INET]<IP>:19294, sid=9264ab12 043d9161
Sun Jun 12 21:29:05 2022 <IP>:19294 VERIFY OK: depth=1, CN=ChangeMe
Sun Jun 12 21:29:05 2022 <IP>:19294 VERIFY OK: depth=0, CN=server_hq
Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_VER=2.4.9
Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_PLAT=linux
Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_PROTO=2
Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_NCP=2
Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_LZ4=1
Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_LZ4v2=1
Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_LZO=1
Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_COMP_STUB=1
Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_COMP_STUBv2=1
Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_TCPNL=1
Sun Jun 12 21:29:05 2022 <IP>:19294 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sun Jun 12 21:29:05 2022 <IP>:19294 [server_hq] Peer Connection Initiated with [AF_INET]<IP>:19294
Sun Jun 12 21:29:05 2022 server_hq/<IP>:19294 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/server_hq
Sun Jun 12 21:29:05 2022 server_hq/<IP>:19294 MULTI: Learn: 10.170.0.19 -> server_hq/<IP>:19294
Sun Jun 12 21:29:05 2022 server_hq/<IP>:19294 MULTI: primary virtual IP for server_hq/<IP>:19294: 10.170.0.19
Sun Jun 12 21:29:05 2022 server_hq/<IP>:19294 MULTI: internal route 10.133.10.0/24 -> server_hq/<IP>:19294
Sun Jun 12 21:29:05 2022 server_hq/<IP>:19294 MULTI: Learn: 10.133.10.0/24 -> server_hq/<IP>:19294
Sun Jun 12 21:29:06 2022 server_hq/<IP>:19294 PUSH: Received control message: 'PUSH_REQUEST'
Sun Jun 12 21:29:06 2022 server_hq/<IP>:19294 SENT CONTROL [server_hq]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,sndbuf 512000,rcvbuf 512000,route-gateway
Sun Jun 12 21:29:06 2022 server_hq/<IP>:19294 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Jun 12 21:29:06 2022 server_hq/<IP>:19294 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jun 12 21:29:06 2022 server_hq/<IP>:19294 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jun 12 21:29:25 2022 MULTI: Learn: 10.133.10.40 -> server_hq/<IP>:19294
Then I restarted both OpenVPNs and tried to ping one of the printers... without success.
Answer 1
For clients on the VPN network to reach your printers, the following must be in place:
- a route advertised to the existing clients - a correct route on the OpenVPN server pointing at the printers
- an iroute entry for the print server - for the above, a client config entry for the print server's network
- finally, correct routing on the print server
Also, while not technically required, you will probably want to give the print server a fixed IP address on the VPN.
So, first, you need to create a client config directory on the OpenVPN server. It can live anywhere and have any name. Create the directory, then add this line to your server.conf:
client-config-dir /the/client-config-directory
In that directory, put a file named after the print server's CN (i.e. the CN field of the certificate the print server uses). The file should contain:
ifconfig-push 10.170.0.254 255.255.255.0
iroute 10.133.10.0 255.255.255.0
This ensures the print server always gets a fixed IP address (10.170.0.254), and the OpenVPN server will know about the subnet behind the print server. You also need a correct route entry in the kernel's routing table, so add this line to your server.conf as well:
route 10.133.10.0 255.255.255.0
With this set-up, your VPN server knows where to route packets destined for your server. The last thing to consider is the network setup of the print server and the printers. The set-up above creates a routed network, so your printers will see connections coming from inside the VPN (i.e. from addresses 10.170.0.x). The printers must know that these connections should be routed back to the VPN, and they must have a way to do so. If your print server is their default router, all you need to do is allow traffic between the VPN subnet and the local subnet in the print server's firewall. If another machine acts as the default gateway, you need to make sure the printers route packets back to the print server. In that case, either add a custom route to the printers or set up NAT on the print server.