Centos

OpenVPN server does not reply to client ping

  • June 16, 2016

The OpenVPN client appears to initialize on a CentOS 7 client virtual machine. But when the client sends a ping, it is not clear whether the server responds.

Specifically,

ping 10.8.0.0 from the client gets no response from the server.

ping 10.8.0.1 from the client does get a response, but is it from the server?

ping 10.0.2.2 from the client does get a response, but is it from the server?

How should I interpret these ping responses? Is the server responding to the ping requests? If not, what specific changes need to be made to the following so that the server replies to a ping from the client?

Current setup:

On the server, server.conf is:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  
dh dh2048.pem
server 10.8.0.0 255.255.255.0
route 10.8.1.0 255.255.255.0 
route 10.8.2.0 255.255.255.0 
client-config-dir ccd 
client-to-client 
ifconfig-pool-persist ipp.txt
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

Also, on the server, the two files in the /etc/openvpn/ccd directory mentioned in server.conf above are:

/etc/openvpn/ccd/administrators, which contains only the following line:

ifconfig-push 10.8.1.1 10.8.1.2

/etc/openvpn/ccd/otherorgs, which contains only the following line:

ifconfig-push 10.8.2.1 10.8.2.2

The server's firewalld configuration is:

[root@hostname easy-rsa]# firewall-cmd --get-default-zone
public
[root@hostname easy-rsa]# firewall-cmd --get-active-zones
internal
 interfaces: tun0
public
 interfaces: enp3s0
[root@hostname easy-rsa]# firewall-cmd --list-all
public (default, active)
 interfaces: enp3s0
 sources: 
 services: dhcpv6-client http imaps openvpn smtp ssh
 ports: 
 masquerade: yes
 forward-ports: 
 icmp-blocks: 
 rich rules: 
[root@hostname easy-rsa]# firewall-cmd --zone=internal --list-all
internal (active)
 interfaces: tun0
 sources: 
 services: dhcpv6-client ipp-client mdns samba-client ssh
 ports: 
 masquerade: no
 forward-ports: 
 icmp-blocks: 
 rich rules: 
   rule family="ipv4" source address="10.8.1.0/24" service name="https_others" accept
   rule family="ipv4" source address="10.8.1.0/24" service name="https" accept
   rule family="ipv4" source address="10.8.0.0/24" service name="https" accept
   rule family="ipv4" source NOT address="10.8.1.1" service name="ssh" reject
   rule family="ipv4" source address="10.8.2.0/24" service name="https_others" accept
[root@hostname easy-rsa]# 

On the client, client.ovpn is:

client
dev tun
proto udp
remote ip.addr.of.server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ca /etc/openvpn/ca.crt
cert /etc/openvpn/centos_vm1_client.crt
key /etc/openvpn/centos_vm1_client.key

The client seems to start, because it gives the following log:

[user@localhost openvpn]$ sudo openvpn --config ~/openvpn_config/client.ovpn
[sudo] password for user: 
Wed Jun 15 16:52:23 2016 OpenVPN 2.3.11 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on May 10 2016
Wed Jun 15 16:52:23 2016 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Wed Jun 15 16:52:23 2016 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Jun 15 16:52:23 2016 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jun 15 16:52:23 2016 UDPv4 link local: [undef]
Wed Jun 15 16:52:23 2016 UDPv4 link remote: [AF_INET]ip.addr.of.server:1194
Wed Jun 15 16:52:23 2016 TLS: Initial packet from [AF_INET]ip.addr.of.server:1194, sid=40ea5916 7f5543b1
Wed Jun 15 16:52:23 2016 VERIFY OK: depth=1, C=UK, ST=RW, L=SomeCity, O=OrganizationName, OU=MyOrganizationalUnit, CN=somedomain.com, name=server, emailAddress=some@domain.com
Wed Jun 15 16:52:23 2016 VERIFY OK: depth=0, C=UK, ST=RW, L=SomeCity, O=OrganizationName, OU=MyOrganizationalUnit, CN=server, name=server, emailAddress=some@domain.com
Wed Jun 15 16:52:24 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 15 16:52:24 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 15 16:52:24 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 15 16:52:24 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 15 16:52:24 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Jun 15 16:52:24 2016 [server] Peer Connection Initiated with [AF_INET]ip.addr.of.server:1194
Wed Jun 15 16:52:26 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Jun 15 16:52:27 2016 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.18 10.8.0.17'
Wed Jun 15 16:52:27 2016 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jun 15 16:52:27 2016 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jun 15 16:52:27 2016 OPTIONS IMPORT: route options modified
Wed Jun 15 16:52:27 2016 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:d5:85:a9
Wed Jun 15 16:52:27 2016 TUN/TAP device tun0 opened
Wed Jun 15 16:52:27 2016 TUN/TAP TX queue length set to 100
Wed Jun 15 16:52:27 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Jun 15 16:52:27 2016 /usr/sbin/ip link set dev tun0 up mtu 1500
Wed Jun 15 16:52:27 2016 /usr/sbin/ip addr add dev tun0 local 10.8.0.18 peer 10.8.0.17
Wed Jun 15 16:52:27 2016 /usr/sbin/ip route add 10.8.0.1/32 via 10.8.0.17
Wed Jun 15 16:52:27 2016 Initialization Sequence Completed

Ping results:

Opening a new terminal on the client and pinging the server address given in server.conf above gets no response:

[user@localhost ~]$ ping 10.8.0.0
PING 10.8.0.0 (10.8.0.0) 56(84) bytes of data.  

However, pinging the two IP addresses given in the OpenVPN startup log above does produce responses:

[user@localhost ~]$ ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=91.1 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=93.1 ms
...
^C
--- 10.8.0.1 ping statistics ---
14 packets transmitted, 14 received, 0% packet loss, time 13013ms
rtt min/avg/max/mdev = 89.449/93.387/101.522/2.731 ms
[user@localhost ~]$ ping 10.0.2.2
PING 10.0.2.2 (10.0.2.2) 56(84) bytes of data.
64 bytes from 10.0.2.2: icmp_seq=1 ttl=63 time=0.245 ms
64 bytes from 10.0.2.2: icmp_seq=2 ttl=63 time=0.429 ms
...
^C
--- 10.0.2.2 ping statistics ---
9 packets transmitted, 9 received, 0% packet loss, time 8009ms
rtt min/avg/max/mdev = 0.170/0.410/0.558/0.117 ms
[user@localhost ~]$ 

From the OpenVPN man page:

   --server network netmask ['nopool']
          A helper directive designed to  simplify  the  configuration  of
          OpenVPN's  server  mode.   This directive will set up an OpenVPN
          server which will allocate addresses to clients out of the given
          network/netmask.   The  server itself will take the ".1" address
          of the given network for use as the server-side endpoint of  the
          local TUN/TAP interface.

And from openvpn.conf (at least my CentOS 7 one):

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

As you can see, you should not ping 10.8.0.0 because it is a network address - the server is assigned the first address. In your case, that is 10.8.0.1.

As you found, you can ping 10.8.0.1 at a cost of 90 ms. The latency is because it is the remote end of the VPN (from your client).

You can also ping 10.0.2.2 with only 0.2 ms, so that is the local end.

So the bottom line is - everything is fine.
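As an added example (not part of the original question or answer), the following Python script applies the answer's reasoning to the addresses from the question: it parses the `server` directive from server.conf and the `PUSH_REPLY` line from the client log, classifies each pinged address by its role in the VPN addressing plan, and also flags the "No server certificate verification method" warning visible in the client log, for which `remote-cert-tls server` in client.ovpn is the standard fix. The inputs are copied from the question; the role names returned by `classify` are this example's own labels.

```python
import ipaddress

# Constructed inputs, copied from the question's server.conf and client log.
SERVER_DIRECTIVE = "server 10.8.0.0 255.255.255.0"
PUSH_REPLY = ("PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,"
              "ping-restart 120,ifconfig 10.8.0.18 10.8.0.17")
ROUTE_GATEWAY = "10.0.2.2"  # from the ROUTE_GATEWAY line in the client log
MITM_WARNING = "No server certificate verification method has been enabled"


def parse_server_directive(line):
    """'server NETWORK NETMASK' -> the VPN subnet as an ip_network."""
    _, network, netmask = line.split()[:3]
    return ipaddress.ip_network(f"{network}/{netmask}", strict=True)


def parse_push_reply(line):
    """Topology plus the client's local/peer tun endpoints from PUSH_REPLY."""
    opts = dict(item.partition(" ")[::2] for item in line.split(",")[1:])
    local, peer = opts["ifconfig"].split()
    return {"topology": opts.get("topology", "net30"),
            "local": ipaddress.ip_address(local),
            "peer": ipaddress.ip_address(peer)}


def classify(addr, net, push, gateway=ROUTE_GATEWAY):
    """Name the role of a pinged address in this VPN's addressing plan."""
    ip = ipaddress.ip_address(addr)
    if ip not in net:  # never enters the tunnel at all
        return "lan-gateway" if ip == ipaddress.ip_address(gateway) else "outside-vpn"
    if ip == net.network_address:
        return "network-address"  # no host owns it, so no reply is expected
    if ip == net.network_address + 1:
        return "server-endpoint"  # the ".1" the --server helper takes
    if ip == push["local"]:
        return "own-address"
    if push["topology"] == "net30" and ip == push["peer"]:
        return "p2p-peer"  # server side of this client's /30 link
    return "pool-address"  # part of another client's allocation


def explain_pings(addresses, server_directive=SERVER_DIRECTIVE,
                  push_reply=PUSH_REPLY):
    net = parse_server_directive(server_directive)
    push = parse_push_reply(push_reply)
    return {a: classify(a, net, push) for a in addresses}


def has_mitm_warning(log_lines):
    """True when the client log shows the server certificate is not checked."""
    return any(MITM_WARNING in line for line in log_lines)
```

Running `explain_pings(["10.8.0.0", "10.8.0.1", "10.0.2.2"])` labels the three addresses from the question as network-address, server-endpoint and lan-gateway respectively.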

Source: https://unix.stackexchange.com/questions/290046