Networking
OpenVPN server configuration
I have an OpenVPN server running. Clients can connect to it and reach the Internet, but every client gets the IP address 10.8.0.6, so they cannot ping each other.
I'm not sure, but I think the problem may be the routing on the server. My default settings are:
route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         138.68.64.1     0.0.0.0         UG    0      0        0 eth0
    10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
    10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
    10.19.0.0       *               255.255.0.0     U     0      0        0 eth0
    138.68.64.0     *               255.255.240.0   U     0      0        0 eth0
iptables -vL
    Chain INPUT (policy DROP 14729 packets, 733K bytes)
     pkts bytes target                   prot opt in     out    source      destination
    3927K  786M ufw-before-logging-input all  --  any    any    anywhere    anywhere
    3927K  786M ufw-before-input         all  --  any    any    anywhere    anywhere
     155K 7897K ufw-after-input          all  --  any    any    anywhere    anywhere
     155K 7876K ufw-after-logging-input  all  --  any    any    anywhere    anywhere
     155K 7876K ufw-reject-input         all  --  any    any    anywhere    anywhere
     155K 7876K ufw-track-input          all  --  any    any    anywhere    anywhere
        1    40 ACCEPT                   tcp  --  eth0   any    anywhere    anywhere    tcp dpt:ircd

    Chain FORWARD (policy ACCEPT 33404 packets, 14M bytes)
     pkts bytes target                     prot opt in     out    source      destination
    6389K 4665M ufw-before-logging-forward all  --  any    any    anywhere    anywhere
    6389K 4665M ufw-before-forward         all  --  any    any    anywhere    anywhere
    6389K 4665M ufw-after-forward          all  --  any    any    anywhere    anywhere
    6389K 4665M ufw-after-logging-forward  all  --  any    any    anywhere    anywhere
    6389K 4665M ufw-reject-forward         all  --  any    any    anywhere    anywhere

    Chain OUTPUT (policy ACCEPT 123 packets, 7504 bytes)
     pkts bytes target                    prot opt in     out    source      destination
    5027K 4648M ufw-before-logging-output all  --  any    any    anywhere    anywhere
    5027K 4648M ufw-before-output         all  --  any    any    anywhere    anywhere
    61051 4324K ufw-after-output          all  --  any    any    anywhere    anywhere
    61051 4324K ufw-after-logging-output  all  --  any    any    anywhere    anywhere
    61051 4324K ufw-reject-output         all  --  any    any    anywhere    anywhere
    61051 4324K ufw-track-output          all  --  any    any    anywhere    anywhere

    Chain ufw-after-forward (1 references)
     pkts bytes target     prot opt in     out    source      destination

    Chain ufw-after-input (1 references)
     pkts bytes target                   prot opt in     out    source      destination
      175 13652 ufw-skip-to-policy-input udp  --  any    any    anywhere    anywhere    udp dpt:netbios-ns
        0     0 ufw-skip-to-policy-input udp  --  any    any    anywhere    anywhere    udp dpt:netbios-dgm
       30  1388 ufw-skip-to-policy-input tcp  --  any    any    anywhere    anywhere    tcp dpt:netbios-ssn
      143  6380 ufw-skip-to-policy-input tcp  --  any    any    anywhere    anywhere    tcp dpt:microsoft-ds
        0     0 ufw-skip-to-policy-input udp  --  any    any    anywhere    anywhere    udp dpt:bootps
        0     0 ufw-skip-to-policy-input udp  --  any    any    anywhere    anywhere    udp dpt:bootpc
        0     0 ufw-skip-to-policy-input all  --  any    any    anywhere    anywhere    ADDRTYPE match dst-type BROADCAST

    Chain ufw-after-logging-forward (1 references)
     pkts bytes target     prot opt in     out    source      destination

    Chain ufw-after-logging-input (1 references)
     pkts bytes target     prot opt in     out    source      destination
    85877 4224K LOG        all  --  any    any    anywhere    anywhere    limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

    Chain ufw-after-logging-output (1 references)
     pkts bytes target     prot opt in     out    source      destination

    Chain ufw-after-output (1 references)
     pkts bytes target     prot opt in     out    source      destination

    Chain ufw-before-forward (1 references)
     pkts bytes target           prot opt in     out    source      destination
    6389K 4665M ufw-user-forward all  --  any    any    anywhere    anywhere

    Chain ufw-before-input (1 references)
     pkts bytes target           prot opt in     out    source      destination
     308K   32M ACCEPT           all  --  lo     any    anywhere    anywhere
    3405K  742M ACCEPT           all  --  any    any    anywhere    anywhere    state RELATED,ESTABLISHED
     5247  288K ufw-logging-deny all  --  any    any    anywhere    anywhere    state INVALID
     5247  288K DROP             all  --  any    any    anywhere    anywhere    state INVALID
        0     0 ACCEPT           icmp --  any    any    anywhere    anywhere    icmp destination-unreachable
        0     0 ACCEPT           icmp --  any    any    anywhere    anywhere    icmp source-quench
        0     0 ACCEPT           icmp --  any    any    anywhere    anywhere    icmp time-exceeded
        0     0 ACCEPT           icmp --  any    any    anywhere    anywhere    icmp parameter-problem
      436 17126 ACCEPT           icmp --  any    any    anywhere    anywhere    icmp echo-request
        0     0 ACCEPT           udp  --  any    any    anywhere    anywhere    udp spt:bootps dpt:bootpc
     206K   11M ufw-not-local    all  --  any    any    anywhere    anywhere
        0     0 ACCEPT           udp  --  any    any    anywhere    224.0.0.251         udp dpt:mdns
        0     0 ACCEPT           udp  --  any    any    anywhere    239.255.255.250     udp dpt:1900
     206K   11M ufw-user-input   all  --  any    any    anywhere    anywhere

    Chain ufw-before-logging-forward (1 references)
     pkts bytes target     prot opt in     out    source      destination

    Chain ufw-before-logging-input (1 references)
     pkts bytes target     prot opt in     out    source      destination

    Chain ufw-before-logging-output (1 references)
     pkts bytes target     prot opt in     out    source      destination

    Chain ufw-before-output (1 references)
     pkts bytes target          prot opt in     out    source      destination
     308K   32M ACCEPT          all  --  any    lo     anywhere    anywhere
    4656K 4611M ACCEPT          all  --  any    any    anywhere    anywhere    state RELATED,ESTABLISHED
    61003 4321K ufw-user-output all  --  any    any    anywhere    anywhere

    Chain ufw-logging-allow (0 references)
     pkts bytes target     prot opt in     out    source      destination
        0     0 LOG        all  --  any    any    anywhere    anywhere    limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

    Chain ufw-logging-deny (2 references)
     pkts bytes target     prot opt in     out    source      destination
     2476  148K RETURN     all  --  any    any    anywhere    anywhere    state INVALID limit: avg 3/min burst 10
      128 12121 LOG        all  --  any    any    anywhere    anywhere    limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

    Chain ufw-not-local (1 references)
     pkts bytes target           prot opt in     out    source      destination
     206K   11M RETURN           all  --  any    any    anywhere    anywhere    ADDRTYPE match dst-type LOCAL
        0     0 RETURN           all  --  any    any    anywhere    anywhere    ADDRTYPE match dst-type MULTICAST
        4   312 RETURN           all  --  any    any    anywhere    anywhere    ADDRTYPE match dst-type BROADCAST
        0     0 ufw-logging-deny all  --  any    any    anywhere    anywhere    limit: avg 3/min burst 10
        0     0 DROP             all  --  any    any    anywhere    anywhere

    Chain ufw-reject-forward (1 references)
     pkts bytes target     prot opt in     out    source      destination

    Chain ufw-reject-input (1 references)
     pkts bytes target     prot opt in     out    source      destination

    Chain ufw-reject-output (1 references)
     pkts bytes target     prot opt in     out    source      destination

    Chain ufw-skip-to-policy-forward (0 references)
     pkts bytes target     prot opt in     out    source      destination
        0     0 ACCEPT     all  --  any    any    anywhere    anywhere

    Chain ufw-skip-to-policy-input (7 references)
     pkts bytes target     prot opt in     out    source      destination
      348 21420 DROP       all  --  any    any    anywhere    anywhere

    Chain ufw-skip-to-policy-output (0 references)
     pkts bytes target     prot opt in     out    source      destination
        0     0 ACCEPT     all  --  any    any    anywhere    anywhere

    Chain ufw-track-input (1 references)
     pkts bytes target     prot opt in     out    source      destination

    Chain ufw-track-output (1 references)
     pkts bytes target     prot opt in     out    source      destination
       16  1904 ACCEPT     tcp  --  any    any    anywhere    anywhere    state NEW
    60802 4295K ACCEPT     udp  --  any    any    anywhere    anywhere    state NEW

    Chain ufw-user-forward (1 references)
     pkts bytes target     prot opt in     out    source      destination

    Chain ufw-user-input (1 references)
     pkts bytes target     prot opt in     out    source      destination
    46826 2776K ACCEPT     tcp  --  any    any    anywhere    anywhere    tcp dpt:ssh
        1    57 ACCEPT     udp  --  any    any    anywhere    anywhere    udp dpt:ssh
      715 74931 ACCEPT     udp  --  any    any    anywhere    anywhere    udp dpt:openvpn
     2193  114K ACCEPT     tcp  --  any    any    anywhere    anywhere    tcp dpt:http-alt
     1264 65840 ACCEPT     tcp  --  any    any    anywhere    anywhere    tcp dpt:http
      153  8788 ACCEPT     tcp  --  any    any    anywhere    anywhere    tcp dpt:4848

    Chain ufw-user-limit (0 references)
     pkts bytes target     prot opt in     out    source      destination
        0     0 LOG        all  --  any    any    anywhere    anywhere    limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
        0     0 REJECT     all  --  any    any    anywhere    anywhere    reject-with icmp-port-unreachable

    Chain ufw-user-limit-accept (0 references)
     pkts bytes target     prot opt in     out    source      destination
        0     0 ACCEPT     all  --  any    any    anywhere    anywhere

    Chain ufw-user-logging-forward (0 references)
     pkts bytes target     prot opt in     out    source      destination

    Chain ufw-user-logging-input (0 references)
     pkts bytes target     prot opt in     out    source      destination

    Chain ufw-user-logging-output (0 references)
     pkts bytes target     prot opt in     out    source      destination

    Chain ufw-user-output (1 references)
     pkts bytes target     prot opt in     out    source      destination
ipconfig on the Windows client:
    Ethernet adapter Ethernet 3:

       Connection-specific DNS Suffix  . :
       Link-local IPv6 Address . . . . . : fe80::9ec:a83c:51ba:8661%5
       IPv4 Address. . . . . . . . . . . : 10.8.0.6
       Subnet Mask . . . . . . . . . . . : 255.255.255.252
       Default Gateway . . . . . . . . . :
ifconfig on my Linux client:
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:209 errors:0 dropped:0 overruns:0 frame:0
              TX packets:620 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:52695 (51.4 Kb)  TX bytes:71108 (69.4 Kb)
ifconfig on my server:
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:2559262 errors:0 dropped:0 overruns:0 frame:0
              TX packets:3865745 errors:0 dropped:989 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:445611223 (424.9 MiB)  TX bytes:4221065665 (3.9 GiB)
My goal is to have client-to-client communication. What are the possible ways to achieve this?
One thing that can cause this is connecting multiple clients with the same certificate: the OpenVPN server treats them as the same client and therefore assigns them the same IP address.
If that is the case, you can make a unique certificate for each client, or add the duplicate-cn option to the options on the server, or check "Duplicate connections" in the OpenVPN GUI options.
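Why both clients in the question land on 10.8.0.6, and a check for the two server-side directives the thread turns on, as an added Python example (not code from the original post or from the OpenVPN project). It assumes OpenVPN's default net30 topology, which is what the outputs above show: the server's tun0 is 10.8.0.1 with peer 10.8.0.2, each client owns one /30 (the Windows client reports mask 255.255.255.252), and the first client slot is 10.8.0.6 with peer 10.8.0.5. The client names and the server.conf text it inspects are constructed; `duplicate-cn` is the option the answer names, and `client-to-client` is OpenVPN's own directive for inter-client traffic, which the thread does not name.

```python
"""Model OpenVPN net30 address allocation and check a server.conf.

Added example for the thread above; not the poster's or OpenVPN's code.
Assumption: the server runs `server 10.8.0.0 255.255.255.0` in the default
net30 topology, as the route table and tun0 addresses in the question show.
"""
import ipaddress

# The pool handed out by `server 10.8.0.0 255.255.255.0` (from the route table).
POOL = ipaddress.ip_network("10.8.0.0/24")


def net30_slot(index, pool=POOL):
    """Return (client_ip, server_side_peer) for client slot `index`.

    net30 reserves the first /30 (10.8.0.0-10.8.0.3) for the server itself and
    hands client slots out from 10.8.0.4 upwards.  Inside each /30 the client
    takes the third address and the server-side peer the second, so slot 0 is
    10.8.0.6 <-> 10.8.0.5 (what both clients in the question report) and
    slot 1 would be 10.8.0.10 <-> 10.8.0.9.
    """
    base = int(pool.network_address) + 4 * (index + 1)
    client = ipaddress.ip_address(base + 2)
    if client not in pool:
        raise ValueError("client slot %d lies outside %s" % (index, pool))
    return str(client), str(ipaddress.ip_address(base + 1))


def slot_of(ip_str, pool=POOL):
    """Map an observed client tun0 address back to its net30 slot number."""
    offset = int(ipaddress.ip_address(ip_str)) - int(pool.network_address)
    if offset < 4 or offset % 4 != 2:
        raise ValueError("%s is not a net30 client address in %s" % (ip_str, pool))
    return offset // 4 - 1


def find_collisions(observed):
    """observed: {client_name: tun0 address}.

    Returns {slot: [names]} for every slot claimed by more than one client.
    Two connections in one slot means the server treats them as one client,
    which is what happens when they present the same certificate (same CN).
    """
    by_slot = {}
    for name, ip in observed.items():
        by_slot.setdefault(slot_of(ip), []).append(name)
    return {slot: names for slot, names in by_slot.items() if len(names) > 1}


def check_server_conf(conf_text):
    """Return {directive: present} for the directives relevant to the thread.

    Comment lines (# or ;) are ignored, so a commented-out directive counts
    as absent.  `client-to-client` lets OpenVPN switch inter-client packets
    internally; without it they are routed by the kernel and must be accepted
    by the FORWARD chain before re-entering tun0.
    """
    active = set()
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):
            active.add(line.split()[0])
    return {d: d in active for d in ("duplicate-cn", "client-to-client")}


def diagnose(observed, conf_text):
    """Combine both checks into the advice the answer gives."""
    findings = []
    for slot, names in sorted(find_collisions(observed).items()):
        findings.append(
            "slot %d (%s) is shared by %s: same Common Name on both connections; "
            "issue one certificate per client or set duplicate-cn"
            % (slot, net30_slot(slot)[0], ", ".join(names)))
    if not check_server_conf(conf_text)["client-to-client"]:
        findings.append(
            "client-to-client not set: inter-client packets are routed by the "
            "kernel and must be accepted by the FORWARD chain")
    return findings


# Constructed from the question: both clients show 10.8.0.6 on tun0.
OBSERVED = {"windows-client": "10.8.0.6", "linux-client": "10.8.0.6"}
# Constructed server.conf fragment (hypothetical, not the poster's file).
SERVER_CONF = "server 10.8.0.0 255.255.255.0\n# client-to-client\n"

if __name__ == "__main__":
    for line in diagnose(OBSERVED, SERVER_CONF):
        print("-", line)
```

Run as a script it prints one finding per problem; `net30_slot` and `slot_of` are the arithmetic behind the 10.8.0.6/10.8.0.5 pair, and `check_server_conf` only parses directive names, so it will not catch a directive set in a ccd file or via a management interface.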