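OpenVPN tunnel stops working for subnets after some time

OK, this sounds strange: I have an OpenVPN server with 2 clients. One client works properly and the second drops out after about 1 day.

The server is 10.7.2.1, client 1 is 10.7.2.2 (not working) and client 2 is 10.7.2.3.

The internal networks behind each of them are:

Server (10.7.2.1):
10.0.96.0/24

Client 1 (10.7.2.2):
10.21.0.0/24
192.168.0.0/24

Client 2 (10.7.2.3):
10.22.0.0/24

So after a day, it is no longer possible to ping 10.0.96.253 from 192.168.0.3: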

    ping 10.0.96.253
    PING 10.0.96.253 (10.0.96.253) 56(84) bytes of data.
    ^C
    --- 10.0.96.253 ping statistics ---
    8 packets transmitted, 0 received, 100% packet loss, time 7590ms

I am sure the packets are routed correctly:

    10.0.96.0/24 via 10.7.2.1 dev tun1
    10.7.2.0/24 dev tun1 proto kernel scope link src 10.7.2.2
    10.22.0.0/24 via 10.7.2.1 dev tun1

This can also be verified with tcpdump:

    [Interface:eth0:] 10:41:37.446320 IP 192.168.0.3 > 10.0.96.253: ICMP echo request, id 20316, seq 4, length 64
    [Interface:tun1:] 10:41:37.446332 IP 192.168.0.3 > 10.0.96.253: ICMP echo request, id 20316, seq 4, length 64
    [Interface:eth0:] 10:41:38.446967 IP 192.168.0.3 > 10.0.96.253: ICMP echo request, id 20316, seq 5, length 64
    [Interface:tun1:] 10:41:38.446983 IP 192.168.0.3 > 10.0.96.253: ICMP echo request, id 20316, seq 5, length 64

tun1 is the network interface on client 1.

    32: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
        link/none
        inet 10.7.2.2/24 brd 10.7.2.255 scope global tun1
           valid_lft forever preferred_lft forever

When I run tcpdump on the server side, nothing shows up at all!

But if I ping directly from the client, it does work:

    ping 10.0.96.253
    PING 10.0.96.253 (10.0.96.253) 56(84) bytes of data.
    64 bytes from 10.0.96.253: icmp_seq=1 ttl=63 time=31.8 ms
    64 bytes from 10.0.96.253: icmp_seq=2 ttl=63 time=31.3 ms
    64 bytes from 10.0.96.253: icmp_seq=3 ttl=63 time=32.9 ms
    64 bytes from 10.0.96.253: icmp_seq=4 ttl=63 time=31.7 ms
    64 bytes from 10.0.96.253: icmp_seq=5 ttl=63 time=32.2 ms
    64 bytes from 10.0.96.253: icmp_seq=6 ttl=63 time=38.4 ms
    64 bytes from 10.0.96.253: icmp_seq=7 ttl=63 time=32.8 ms
    ^C
    --- 10.0.96.253 ping statistics ---
    7 packets transmitted, 7 received, 0% packet loss, time 6008ms
    rtt min/avg/max/mdev = 31.331/33.060/38.428/2.264 ms

This can also be seen in tcpdump:

    [Interface:tun1:] 10:44:41.828197 IP 10.7.2.2 > 10.0.96.253: ICMP echo request, id 51791, seq 5, length 64
    [Interface:tun1:] 10:44:41.860386 IP 10.0.96.253 > 10.7.2.2: ICMP echo reply, id 51791, seq 5, length 64

After restarting OpenVPN via systemctl restart openvpn@samba, it works again!

Again from 192.168.0.3 to 10.0.96.253:

    ping 10.0.96.253
    PING 10.0.96.253 (10.0.96.253) 56(84) bytes of data.
    64 bytes from 10.0.96.253: icmp_seq=1 ttl=62 time=33.9 ms
    64 bytes from 10.0.96.253: icmp_seq=2 ttl=62 time=31.4 ms
    64 bytes from 10.0.96.253: icmp_seq=3 ttl=62 time=32.0 ms
    64 bytes from 10.0.96.253: icmp_seq=4 ttl=62 time=32.9 ms
    ^C
    --- 10.0.96.253 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3275ms
    rtt min/avg/max/mdev = 31.496/32.589/33.915/0.947 ms

And the corresponding tcpdump:

    [Interface:eth0:] 10:47:25.230275 IP 192.168.0.3 > 10.0.96.253: ICMP echo request, id 31580, seq 4, length 64
    [Interface:tun1:] 10:47:25.230301 IP 192.168.0.3 > 10.0.96.253: ICMP echo request, id 31580, seq 4, length 64
    [Interface:tun1:] 10:47:25.262723 IP 10.0.96.253 > 192.168.0.3: ICMP echo reply, id 31580, seq 4, length 64
    [Interface:eth0:] 10:47:25.262739 IP 10.0.96.253 > 192.168.0.3: ICMP echo reply, id 31580, seq 4, length 64

The second client does not show this behaviour. So I am stuck and don't know where to look. Does anyone know what I can do?

Server configuration:

    port 1194
    proto udp
    dev tun
    ca samba.ca.crt
    cert samba.crt
    key samba.key
    dh samba.dh.pem
    server 10.7.2.0 255.255.255.0
    ifconfig-pool-persist samba.ipp.txt
    route 10.0.96.0 255.255.255.0
    route 192.168.0.0 255.255.255.0 10.7.2.2
    route 10.21.0.0 255.255.255.0 10.7.2.2
    route 10.22.0.0 255.255.255.0 10.7.2.3
    topology subnet
    mode server
    client-to-client
    client-config-dir samba.ccd
    ccd-exclusive samba.ccd
    comp-lzo
    persist-key
    persist-tun
    status samba.openvpn-status.log
    log-append /var/log/samba.openvpn.log
    verb 4
    keepalive 10 120

Server OpenVPN version:

 OpenVPN 2.3.8 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Aug 4 2015 

Client configuration:

    client
    dev tun
    proto udp
    remote xx.xx.xx.xx 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca samba.ca.crt
    cert samba.crt
    key samba.key
    comp-lzo
    verb 4
    status samba.openvpn-status.log
    log-append /var/log/samba.openvpn.log

Client CCD:

    client-to-client
    iroute 10.21.0.0 255.255.255.0
    iroute 192.168.0.0 255.255.255.0
    push "route 10.0.96.0 255.255.255.0"
    push "route 10.22.0.0 255.255.255.0"

Client OpenVPN version:

 OpenVPN 2.3.8 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Aug 4 2015