My server goes offline when I start my OpenVPN service

I currently have a DigitalOcean VPS and set up OpenVPN following this tutorial: https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-6

and this one:

http://www.unixmen.com/setup-openvpn-server-client-centos-6-5/

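When I type "service openvpn start" in the SSH console, my server goes offline immediately. I can still reach my server's SSH through DigitalOcean's online SSH client. From there I checked whether openvpn is running properly, and everything seems fine. I checked my ifconfig, and that seems okay too. I'm a bit lost. Is this normal?

Edit: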

Jul 24 04:40:53 designfully openvpn[18186]: 107.170.42.192:37556 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Jul 24 04:40:53 designfully openvpn[18186]: 107.170.42.192:37556 [client] Peer Connection Initiated with [AF_INET]107.170.42.192:37556
Jul 24 04:40:53 designfully openvpn[18186]: client/107.170.42.192:37556 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Jul 24 04:40:53 designfully openvpn[18186]: client/107.170.42.192:37556 MULTI: Learn: 10.8.0.6 -> client/107.170.42.192:37556
Jul 24 04:40:53 designfully openvpn[18186]: client/107.170.42.192:37556 MULTI: primary virtual IP for client/107.170.42.192:37556: 10.8.0.6
Jul 24 04:40:53 designfully openvpn[18175]: event_wait : Interrupted system call (code=4)
Jul 24 04:40:53 designfully openvpn[18175]: SIGTERM[hard,] received, process exiting
Jul 24 04:40:53 designfully openvpn[18186]: event_wait : Interrupted system call (code=4)
Jul 24 04:40:53 designfully openvpn[18186]: /sbin/ip route del 10.8.0.0/24
Jul 24 04:40:53 designfully openvpn[18186]: ERROR: Linux route delete command failed: external program exited with error status: 2
Jul 24 04:40:53 designfully openvpn[18186]: Closing TUN/TAP interface
Jul 24 04:40:53 designfully openvpn[18186]: /sbin/ip addr del dev tun0 local 10.8.0.1 peer 10.8.0.2
Jul 24 04:40:53 designfully openvpn[18186]: Linux ip addr del failed: external program exited with error status: 2
Jul 24 04:40:53 designfully openvpn[18186]: SIGTERM[hard,] received, process exiting
Jul 24 04:40:56 designfully openvpn[18222]: OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Sep 12 2013
Jul 24 04:40:56 designfully openvpn[18222]: Socket Buffers: R=[124928->131072] S=[124928->131072]
Jul 24 04:40:56 designfully openvpn[18223]: UDPv4 link local: [undef]
Jul 24 04:40:56 designfully openvpn[18223]: UDPv4 link remote: [AF_INET]107.170.42.192:1194
Jul 24 04:40:56 designfully openvpn[18226]: OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Sep 12 2013
Jul 24 04:40:56 designfully openvpn[18226]: Diffie-Hellman initialized with 2048 bit key
Jul 24 04:40:56 designfully openvpn[18226]: Socket Buffers: R=[124928->131072] S=[124928->131072]
Jul 24 04:40:56 designfully openvpn[18226]: ROUTE_GATEWAY 107.170.42.1/255.255.255.0 IFACE=eth0 HWADDR=04:01:20:b9:d8:01
Jul 24 04:40:56 designfully kernel: tun0: Disabled Privacy Extensions
Jul 24 04:40:56 designfully openvpn[18226]: TUN/TAP device tun0 opened
Jul 24 04:40:56 designfully openvpn[18226]: TUN/TAP TX queue length set to 100
Jul 24 04:40:56 designfully openvpn[18226]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jul 24 04:40:56 designfully openvpn[18226]: /sbin/ip link set dev tun0 up mtu 1500
Jul 24 04:40:56 designfully openvpn[18226]: /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Jul 24 04:40:56 designfully openvpn[18226]: /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Jul 24 04:40:56 designfully openvpn[18234]: GID set to nobody
Jul 24 04:40:56 designfully openvpn[18234]: UID set to nobody
Jul 24 04:40:56 designfully openvpn[18234]: UDPv4 link local (bound): [undef]
Jul 24 04:40:56 designfully openvpn[18234]: UDPv4 link remote: [undef]
Jul 24 04:40:56 designfully openvpn[18234]: MULTI: multi_init called, r=256 v=256
Jul 24 04:40:56 designfully openvpn[18234]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Jul 24 04:40:56 designfully openvpn[18234]: ifconfig_pool_read(), in='client,10.8.0.4', TODO: IPv6
Jul 24 04:40:56 designfully openvpn[18234]: succeeded -> ifconfig_pool_set()
Jul 24 04:40:56 designfully openvpn[18234]: IFCONFIG POOL LIST
Jul 24 04:40:56 designfully openvpn[18234]: client,10.8.0.4
Jul 24 04:40:56 designfully openvpn[18234]: Initialization Sequence Completed
Jul 24 04:40:59 designfully openvpn[18234]: 107.170.42.192:59378 TLS: Initial packet from [AF_INET]107.170.42.192:59378, sid=d3e62c34 63ae7ffd
Jul 24 04:40:59 designfully openvpn[18223]: TLS: Initial packet from [AF_INET]107.170.42.192:1194, sid=863e093f df2c985a
Jul 24 04:40:59 designfully openvpn[18223]: VERIFY OK: depth=1, C=US, ST=MI, L=Macomb, O=SimplyJordan, OU=server, CN=SimplyJordan CA, name=EasyRSA, [email protected]
Jul 24 04:40:59 designfully openvpn[18223]: VERIFY OK: nsCertType=SERVER
Jul 24 04:40:59 designfully openvpn[18223]: VERIFY OK: depth=0, C=US, ST=MI, L=Macomb, O=SimplyJordan, OU=server, CN=server, name=EasyRSA, [email protected]
Jul 24 04:40:59 designfully openvpn[18234]: 107.170.42.192:59378 VERIFY OK: depth=1, C=US, ST=MI, L=Macomb, O=SimplyJordan, OU=server, CN=SimplyJordan CA, name=EasyRSA, [email protected]
Jul 24 04:40:59 designfully openvpn[18234]: 107.170.42.192:59378 VERIFY OK: depth=0, C=US, ST=MI, L=Macomb, O=SimplyJordan, OU=server, CN=client, name=EasyRSA, [email protected]
Jul 24 04:40:59 designfully openvpn[18234]: 107.170.42.192:59378 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jul 24 04:40:59 designfully openvpn[18234]: 107.170.42.192:59378 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 24 04:40:59 designfully openvpn[18234]: 107.170.42.192:59378 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jul 24 04:40:59 designfully openvpn[18234]: 107.170.42.192:59378 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 24 04:40:59 designfully openvpn[18223]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jul 24 04:40:59 designfully openvpn[18223]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 24 04:40:59 designfully openvpn[18223]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jul 24 04:40:59 designfully openvpn[18223]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 24 04:40:59 designfully openvpn[18223]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Jul 24 04:40:59 designfully openvpn[18223]: [server] Peer Connection Initiated with [AF_INET]107.170.42.192:1194
Jul 24 04:40:59 designfully openvpn[18234]: 107.170.42.192:59378 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Jul 24 04:40:59 designfully openvpn[18234]: 107.170.42.192:59378 [client] Peer Connection Initiated with [AF_INET]107.170.42.192:59378
Jul 24 04:40:59 designfully openvpn[18234]: client/107.170.42.192:59378 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Jul 24 04:40:59 designfully openvpn[18234]: client/107.170.42.192:59378 MULTI: Learn: 10.8.0.6 -> client/107.170.42.192:59378
Jul 24 04:40:59 designfully openvpn[18234]: client/107.170.42.192:59378 MULTI: primary virtual IP for client/107.170.42.192:59378: 10.8.0.6
Jul 24 04:41:01 designfully openvpn[18223]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Jul 24 04:41:01 designfully openvpn[18234]: client/107.170.42.192:59378 PUSH: Received control message: 'PUSH_REQUEST'
Jul 24 04:41:01 designfully openvpn[18234]: client/107.170.42.192:59378 send_push_reply(): safe_cap=940
Jul 24 04:41:01 designfully openvpn[18234]: client/107.170.42.192:59378 SENT CONTROL [client]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Jul 24 04:41:01 designfully openvpn[18223]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Jul 24 04:41:01 designfully openvpn[18223]: OPTIONS IMPORT: timers and/or timeouts modified
Jul 24 04:41:01 designfully openvpn[18223]: OPTIONS IMPORT: --ifconfig/up options modified
Jul 24 04:41:01 designfully openvpn[18223]: OPTIONS IMPORT: route options modified
Jul 24 04:41:01 designfully openvpn[18223]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jul 24 04:41:01 designfully openvpn[18223]: ROUTE_GATEWAY 107.170.42.1/255.255.255.0 IFACE=eth0 HWADDR=04:01:20:b9:d8:01
Jul 24 04:41:01 designfully kernel: tun1: Disabled Privacy Extensions
Jul 24 04:41:01 designfully openvpn[18223]: TUN/TAP device tun1 opened
Jul 24 04:41:01 designfully openvpn[18223]: TUN/TAP TX queue length set to 100
Jul 24 04:41:01 designfully openvpn[18223]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jul 24 04:41:01 designfully openvpn[18223]: /sbin/ip link set dev tun1 up mtu 1500
Jul 24 04:41:01 designfully openvpn[18223]: /sbin/ip addr add dev tun1 local 10.8.0.6 peer 10.8.0.5
Jul 24 04:41:01 designfully openvpn[18223]: /sbin/ip route add 107.170.42.192/32 via 107.170.42.1
Jul 24 04:41:01 designfully openvpn[18223]: /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Jul 24 04:41:01 designfully openvpn[18223]: /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Jul 24 04:41:01 designfully openvpn[18223]: /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Jul 24 04:41:01 designfully openvpn[18223]: Initialization Sequence Completed
Jul 24 04:42:57 designfully kernel: atkbd.c: Unknown key released (translated set 2, code 0xe0 on isa0060/serio0).
Jul 24 04:42:57 designfully kernel: atkbd.c: Use 'setkeycodes e060 <keycode>' to make it known.
Jul 24 04:43:39 designfully openvpn[18223]: event_wait : Interrupted system call (code=4)
Jul 24 04:43:39 designfully openvpn[18223]: /sbin/ip route del 10.8.0.1/32
Jul 24 04:43:39 designfully openvpn[18223]: /sbin/ip route del 107.170.42.192/32
Jul 24 04:43:39 designfully openvpn[18223]: /sbin/ip route del 0.0.0.0/1
Jul 24 04:43:39 designfully openvpn[18234]: event_wait : Interrupted system call (code=4)
Jul 24 04:43:39 designfully openvpn[18234]: /sbin/ip route del 10.8.0.0/24
Jul 24 04:43:39 designfully openvpn[18223]: /sbin/ip route del 128.0.0.0/1
Jul 24 04:43:39 designfully openvpn[18234]: ERROR: Linux route delete command failed: external program exited with error status: 2
Jul 24 04:43:39 designfully openvpn[18234]: Closing TUN/TAP interface
Jul 24 04:43:39 designfully openvpn[18234]: /sbin/ip addr del dev tun0 local 10.8.0.1 peer 10.8.0.2
Jul 24 04:43:39 designfully openvpn[18223]: Closing TUN/TAP interface
Jul 24 04:43:39 designfully openvpn[18223]: /sbin/ip addr del dev tun1 local 10.8.0.6 peer 10.8.0.5
Jul 24 04:43:39 designfully openvpn[18234]: Linux ip addr del failed: external program exited with error status: 2
Jul 24 04:43:39 designfully openvpn[18234]: SIGTERM[hard,] received, process exiting
Jul 24 04:43:39 designfully openvpn[18223]: SIGTERM[hard,] received, process exiting

Edit:

#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems. Remember on             #
# Windows to quote pathnames and use            #
# double backslashes, eg:                       #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
;local abcd

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert server.crt
key server.key # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh2048.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, ie you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nobody

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log openvpn.log
;log-append openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

Your problem comes from the lines

Jul 24 04:40:29 designfully openvpn[18223]: /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Jul 24 04:40:29 designfully openvpn[18115]: /sbin/ip route add 128.0.0.0/1 via 10.8.0.5

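Each of those lines adds a route for half of the internet through the OpenVPN tunnel; the result is that all of your network traffic goes down the VPN.

Either your VPN partner is happy to route all of your traffic, in which case you should be fine, or they aren't, in which case you shouldn't be adding those routes.

From the fact that you lose connectivity, my very strong guess is the latter. You haven't shown us your configuration (as asked), so I don't know whether these routes are configured locally or advertised by your OpenVPN partner. If they are configured locally, don't do that. If your OpenVPN partner insists on advertising those routes to you, they need to handle your traffic, or you need to ignore the routes.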
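
Added example (not part of the original answer): a longest-prefix-match lookup over the routes that pid 18223 logged, showing why the two /1 routes take over from the default route while the /32 host route to the VPN endpoint keeps using the physical gateway. The base default route via 107.170.42.1 is an assumption taken from the ROUTE_GATEWAY log line, and 203.0.113.7 is a constructed address standing in for a remote SSH client.

```python
import ipaddress
import re

# Constructed input: the four "ip route add" lines the client instance
# (pid 18223) logged in the question.
SAMPLE_LOG = """\
Jul 24 04:41:01 designfully openvpn[18223]: /sbin/ip route add 107.170.42.192/32 via 107.170.42.1
Jul 24 04:41:01 designfully openvpn[18223]: /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Jul 24 04:41:01 designfully openvpn[18223]: /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Jul 24 04:41:01 designfully openvpn[18223]: /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
"""
# Assumption: before OpenVPN started, the only route out was a default route
# via the gateway reported on the ROUTE_GATEWAY log line.
BASE_ROUTES = [("0.0.0.0/0", "107.170.42.1")]

ROUTE_ADD = re.compile(r"openvpn\[(\d+)\]: /sbin/ip route add (\S+) via (\S+)")
HALF_DEFAULTS = {ipaddress.ip_network("0.0.0.0/1"),
                 ipaddress.ip_network("128.0.0.0/1")}


def parse_route_adds(log_text):
    """Return (pid, network, gateway) for each route OpenVPN logged adding."""
    routes = []
    for line in log_text.splitlines():
        m = ROUTE_ADD.search(line)
        if m:
            routes.append((int(m.group(1)),
                           ipaddress.ip_network(m.group(2)),
                           ipaddress.ip_address(m.group(3))))
    return routes


def build_table(base, added=()):
    """Combine the assumed base routes with the routes parsed from the log."""
    table = [(ipaddress.ip_network(n), ipaddress.ip_address(g)) for n, g in base]
    return table + [(net, gw) for _pid, net, gw in added]


def next_hop(table, dest):
    """Longest-prefix match: the most specific route containing dest wins."""
    dest = ipaddress.ip_address(dest)
    matches = [(net, gw) for net, gw in table if dest in net]
    if not matches:
        return None
    return str(max(matches, key=lambda r: r[0].prefixlen)[1])


def redirecting_pids(added):
    """PIDs that installed both /1 halves (the redirect-gateway def1 pattern)."""
    seen = {}
    for pid, net, _gw in added:
        if net in HALF_DEFAULTS:
            seen.setdefault(pid, set()).add(net)
    return sorted(pid for pid, nets in seen.items() if nets == HALF_DEFAULTS)


if __name__ == "__main__":
    added = parse_route_adds(SAMPLE_LOG)
    before, after = build_table(BASE_ROUTES), build_table(BASE_ROUTES, added)
    # 203.0.113.7 is a constructed address standing in for a remote SSH client.
    for dest in ("203.0.113.7", "107.170.42.192"):
        print(dest, "before:", next_hop(before, dest), "after:", next_hop(after, dest))
    print("instances redirecting all traffic:", redirecting_pids(added))
```

Run against a real syslog, `redirecting_pids` names the OpenVPN instance whose configuration accepted the pushed `redirect-gateway def1` option, which is the one to inspect.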