I am new to OpenVPN. I have been configuring an OpenVPN server on my Windows Server 2019 Datacenter for more than a week. I have also configured NAT in Routing and Remote Access and in the firewall. The client device is also Windows. I don't know what is missing, because the client's IP address does not change. I have attached some information about the server and the client. Can I get some help? Thanks.
server.ovpn
port 1194
proto udp4
dev tun
ca ca.crt
cert server.crt
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
client.ovpn
client
dev tun
proto udp4
remote <my_windows_server_ip_address> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert bgp_vpn.crt
key bgp_vpn.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
My client and server logs are here. Client log
2023-01-21 10:11:17 TCP/UDP: Preserving recently used remote address: [AF_INET]<my_server_ip_address>:1194
2023-01-21 10:11:17 Socket Buffers: R=[65536->65536] S=[65536->65536]
2023-01-21 10:11:17 UDPv4 link local: (not bound)
2023-01-21 10:11:17 UDPv4 link remote: [AF_INET]<my_server_ip_address>:1194
2023-01-21 10:11:17 MANAGEMENT: >STATE:1674272477,WAIT,,,,,,
2023-01-21 10:11:17 MANAGEMENT: >STATE:1674272477,AUTH,,,,,,
2023-01-21 10:11:17 TLS: Initial packet from [AF_INET]<my_server_ip_address>:1194, sid=a2d611d2 e4c72ba2
2023-01-21 10:11:17 VERIFY OK: depth=1, CN=bagyiphyo.online
2023-01-21 10:11:17 VERIFY KU OK
2023-01-21 10:11:17 Validating certificate extended key usage
2023-01-21 10:11:17 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-01-21 10:11:17 VERIFY EKU OK
2023-01-21 10:11:17 VERIFY OK: depth=0, CN=server
2023-01-21 10:11:17 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-01-21 10:11:17 [server] Peer Connection Initiated with [AF_INET]<my_server_ip_address>:1194
2023-01-21 10:11:17 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
2023-01-21 10:11:17 OPTIONS IMPORT: timers and/or timeouts modified
2023-01-21 10:11:17 OPTIONS IMPORT: --ifconfig/up options modified
2023-01-21 10:11:17 OPTIONS IMPORT: route options modified
2023-01-21 10:11:17 OPTIONS IMPORT: peer-id set
2023-01-21 10:11:17 OPTIONS IMPORT: adjusting link_mtu to 1624
2023-01-21 10:11:17 OPTIONS IMPORT: data channel crypto options modified
2023-01-21 10:11:17 Data Channel: using negotiated cipher 'AES-256-GCM'
2023-01-21 10:11:17 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-01-21 10:11:17 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-01-21 10:11:17 interactive service msg_channel=644
2023-01-21 10:11:17 open_tun
2023-01-21 10:11:17 tap-windows6 device [OpenVPN TAP-Windows6] opened
2023-01-21 10:11:17 TAP-Windows Driver Version 9.24
2023-01-21 10:11:17 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {60A13B47-B75C-4508-9173-9A33FCEB4040} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
2023-01-21 10:11:17 Successful ARP Flush on interface [39] {60A13B47-B75C-4508-9173-9A33FCEB4040}
2023-01-21 10:11:17 MANAGEMENT: >STATE:1674272477,ASSIGN_IP,,10.8.0.6,,,,
2023-01-21 10:11:17 IPv4 MTU set to 1500 on interface 39 using service
2023-01-21 10:11:22 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
2023-01-21 10:11:22 MANAGEMENT: >STATE:1674272482,ADD_ROUTES,,,,,,
2023-01-21 10:11:22 C:\Windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
2023-01-21 10:11:22 Route addition via service succeeded
2023-01-21 10:11:22 Initialization Sequence Completed
2023-01-21 10:11:22 MANAGEMENT: >STATE:1674272482,CONNECTED,SUCCESS,10.8.0.6,<my_server_ip_address>,1194,,
Server log
2023-01-21 10:41:16 103.94.68.42:17589 TLS: Initial packet from [AF_INET]103.94.68.42:17589, sid=2a442a2b 77d1aabf
2023-01-21 10:41:16 103.94.68.42:17589 VERIFY OK: depth=1, CN=bagyiphyo.online
2023-01-21 10:41:16 103.94.68.42:17589 VERIFY OK: depth=0, CN=client_vpn
2023-01-21 10:41:16 103.94.68.42:17589 peer info: IV_VER=2.5.8
2023-01-21 10:41:16 103.94.68.42:17589 peer info: IV_PLAT=win
2023-01-21 10:41:16 103.94.68.42:17589 peer info: IV_PROTO=6
2023-01-21 10:41:16 103.94.68.42:17589 peer info: IV_NCP=2
2023-01-21 10:41:16 103.94.68.42:17589 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-256-CBC
2023-01-21 10:41:16 103.94.68.42:17589 peer info: IV_LZ4=1
2023-01-21 10:41:16 103.94.68.42:17589 peer info: IV_LZ4v2=1
2023-01-21 10:41:16 103.94.68.42:17589 peer info: IV_LZO=1
2023-01-21 10:41:16 103.94.68.42:17589 peer info: IV_COMP_STUB=1
2023-01-21 10:41:16 103.94.68.42:17589 peer info: IV_COMP_STUBv2=1
2023-01-21 10:41:16 103.94.68.42:17589 peer info: IV_TCPNL=1
2023-01-21 10:41:16 103.94.68.42:17589 peer info: IV_GUI_VER=OpenVPN_GUI_11
2023-01-21 10:41:16 103.94.68.42:17589 peer info: IV_SSO=openurl,crtext
2023-01-21 10:41:16 103.94.68.42:17589 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-01-21 10:41:16 103.94.68.42:17589 [client_vpn] Peer Connection Initiated with [AF_INET]103.94.68.42:17589
2023-01-21 10:41:16 client_vpn/103.94.68.42:17589 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
2023-01-21 10:41:16 client_vpn/103.94.68.42:17589 MULTI: Learn: 10.8.0.6 -> client_vpn/103.94.68.42:17589
2023-01-21 10:41:16 client_vpn/103.94.68.42:17589 MULTI: primary virtual IP for client_vpn/103.94.68.42:17589: 10.8.0.6
2023-01-21 10:41:16 client_vpn/103.94.68.42:17589 Data Channel: using negotiated cipher 'AES-256-GCM'
2023-01-21 10:41:16 client_vpn/103.94.68.42:17589 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-01-21 10:41:16 client_vpn/103.94.68.42:17589 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-01-21 10:41:16 client_vpn/103.94.68.42:17589 SENT CONTROL [client_vpn]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
For all logs: https://drive.google.com/file/d/1wxvWMbmChDAJYHgcw4fZRAsplptJfZgg/view?usp=sharing
Here is the tracert while the client is connected to the server
Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:
1 2 ms 2 ms 1 ms gpon.net [192.168.1.1]
2 * 5 ms * 10.69.32.1 [10.69.32.1]
3 * * * Request timed out.
4 * * * Request timed out.
5 3 ms 3 ms 3 ms 203.215.63.237
6 59 ms 60 ms 59 ms 15169.sgw.equinix.com [27.111.228.150]
7 * * * Request timed out.
8 * * * Request timed out.
9 60 ms 61 ms 60 ms dns.google [8.8.8.8]
Trace complete.
Client's route table
===========================================================================
Interface List
38...........................Wintun Userspace Tunnel
39...00 ff 60 a1 3b 47 ......TAP-Windows Adapter V9
6...e0 d0 45 47 5b b8 ......Microsoft Wi-Fi Direct Virtual Adapter
16...e2 d0 45 47 5b b7 ......Microsoft Wi-Fi Direct Virtual Adapter #2
9...e0 d0 45 47 5b b7 ......Intel(R) Wi-Fi 6 AX201 160MHz
10...e0 d0 45 47 5b bb ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.225     35
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link     192.168.1.225    291
    192.168.1.225  255.255.255.255         On-link     192.168.1.225    291
    192.168.1.255  255.255.255.255         On-link     192.168.1.225    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.1.225    291
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.1.225    291
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination                Gateway
 1    331 ::1/128                            On-link
 9    291 fe80::/64                          On-link
 9    291 fe80::f770:dd5d:92f3:c17a/128      On-link
 1    331 ff00::/8                           On-link
 9    291 ff00::/8                           On-link
===========================================================================
Persistent Routes:
None
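An added diagnostic, not part of the original question and not OpenVPN's own code. The client log pasted above shows a PUSH_REPLY that carries only a host route to 10.8.0.1: it contains neither the redirect-gateway line nor the dhcp-option line that the posted server.ovpn pushes, and the route table still has its only default route on 192.168.1.1, which is why the tracert leaves through the Wi-Fi gateway. The script below parses a client log and a `route print` dump, reports which options the server actually pushed, and checks for the two /1 routes via the net30 peer address (the second ifconfig argument, 10.8.0.5 here) that `redirect-gateway def1` installs on Windows. All inputs are constructed: the first pair copies the pasted output, the second pair is what the same client would show once the server really pushes those options. The route-table column order (destination, netmask, gateway, interface, metric) is assumed from `route print`.

```python
import re

# Constructed sample: the PUSH_REPLY and route addition from the client log
# pasted above, plus the default-route row of the pasted route table.
BROKEN_LOG = (
    "2023-01-21 10:11:17 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,"
    "topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,"
    "cipher AES-256-GCM'\n"
    "2023-01-21 10:11:22 C:\\Windows\\system32\\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5\n"
    "2023-01-21 10:11:22 Initialization Sequence Completed\n"
)
BROKEN_ROUTES = (
    "0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.225 35\n"
    "192.168.1.0 255.255.255.0 On-link 192.168.1.225 291\n"
)

# Constructed sample of a working full tunnel: the server pushes redirect-gateway
# and DNS, and OpenVPN adds 0.0.0.0/1 and 128.0.0.0/1 via the net30 peer, which
# beat the untouched 0.0.0.0/0 route because they are more specific.
GOOD_LOG = (
    "2023-01-21 10:11:17 PUSH: Received control message: 'PUSH_REPLY,"
    "redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.8.0.1,route 10.8.0.1,"
    "topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,"
    "cipher AES-256-GCM'\n"
    "2023-01-21 10:11:22 C:\\Windows\\system32\\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5\n"
    "2023-01-21 10:11:22 C:\\Windows\\system32\\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5\n"
)
GOOD_ROUTES = (
    "0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.225 35\n"
    "0.0.0.0 128.0.0.0 10.8.0.5 10.8.0.6 5\n"
    "128.0.0.0 128.0.0.0 10.8.0.5 10.8.0.6 5\n"
)


def parse_push_reply(log):
    """Return the options the server pushed, keyed by option name.

    Each value is a list of argument strings, since options such as
    'route' and 'dhcp-option' may appear more than once.
    """
    m = re.search(r"PUSH_REPLY,(.*?)'", log)
    if not m:
        return {}
    pushed = {}
    for item in m.group(1).split(","):
        name, _, args = item.partition(" ")
        pushed.setdefault(name, []).append(args)
    return pushed


def vpn_gateway(pushed):
    """With topology net30 the second 'ifconfig' argument is the peer address
    that OpenVPN uses as the next hop for every pushed route."""
    for args in pushed.get("ifconfig", []):
        parts = args.split()
        if len(parts) == 2:
            return parts[1]
    return None


def parse_routes(table):
    """Parse 'destination netmask gateway interface metric' rows from
    'route print' into (destination, netmask, gateway) tuples."""
    routes = []
    for line in table.splitlines():
        cols = line.split()
        if len(cols) == 5:
            routes.append(tuple(cols[:3]))
    return routes


def diagnose(log, route_table):
    """Return a list of findings; an empty list means a working full tunnel."""
    pushed = parse_push_reply(log)
    if not pushed:
        return ["no PUSH_REPLY in log: option negotiation never completed"]
    findings = []
    if "redirect-gateway" not in pushed:
        findings.append("server did not push redirect-gateway: "
                        "check which config file the server process loaded")
    if "dhcp-option" not in pushed:
        findings.append("server did not push dhcp-option DNS: "
                        "name resolution stays on the local resolver")
    gw = vpn_gateway(pushed)
    routes = parse_routes(route_table)
    for half in ("0.0.0.0", "128.0.0.0"):
        if (half, "128.0.0.0", gw) not in routes:
            findings.append(f"missing {half}/1 route via {gw}: "
                            "traffic still leaves by the original default gateway")
    return findings


if __name__ == "__main__":
    for label, log, table in (("pasted", BROKEN_LOG, BROKEN_ROUTES),
                              ("expected", GOOD_LOG, GOOD_ROUTES)):
        print(label, diagnose(log, table) or ["full tunnel OK"])
```

Feed it the real `route print` output and the real log after each change to the server; if redirect-gateway is still absent from the PUSH_REPLY, the client-side routing is not the place to look, because the server never asked for it.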
Answer 1
Well, this is strange, but I think the problem is related to how Windows handles network configuration. First, exit the OpenVPN GUI or related processes. Then disable the NAT configuration in Routing and Remote Access (if it was enabled before). Re-enable NAT. Then start the OpenVPN GUI as administrator. Now the client connection successfully uses the server's public IP. Previously, I had done the NAT configuration after starting the OpenVPN GUI.