OpenVPN cannot ping LAN devices

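I have a setup very similar to this one, except that the LAN clients are behind a DHCP relay router. The outermost router forwards traffic to the OpenVPN server on port 1194, and I can successfully connect clients and pass traffic to the VPN server, which routes it through its own NAT. My VPN virtual IP range is 172.31.0.0/24.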

                              +-------------------------+
                   (public IP)|                         |
      {INTERNET}=============={     Router              |
                              |                         |
                              |         LAN switch      |
                              +------------+------------+
                                           | (192.168.5.1)
                                           |
                                           |              +-----------------------+
                                           |              |                       |
                                           |              |        OpenVPN        |  eth0: 192.168.5.96/24
                                           +--------------{eth0    server         |  tun0: 172.31.0.0/24
                                           |              |                       |
                                           |              |           {tun0}      |
                                           |              +-----------------------+
                                           |
                                  +--------+-----------+
                                  |  Router B          |
                                  |  Other LAN clients |
                                  |                    |
                                  |   192.168.1.0/24   |
                                  |   (internal net)   |
                                  +--------------------+

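Connecting as a VPN client from outside the network, I can get traffic out to the Internet and can also reach all the other clients on the first router (192.168.5.0/24). But when I try to access the LAN inside the second router, I get the following response to ping: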

    PING 192.168.1.3 (192.168.1.3) 56(84) bytes of data.
    From 172.31.0.1 icmp_seq=1 Destination Host Unreachable

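The OpenVPN server is hosted on a restricted-access box, so I can only retrieve the .conf file through the web UI, which shows only limited information. Connecting from the client gives me the following information: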

    Thu Dec 29 13:36:30 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Thu Dec 29 13:36:30 2016 Socket Buffers: R=[87380->131072] S=[16384->131072]
    Thu Dec 29 13:36:30 2016 Attempting to establish TCP connection with [AF_INET]<public ip>:1194 [nonblock]
    Thu Dec 29 13:36:31 2016 TCP connection established with [AF_INET]<public ip>:1194
    Thu Dec 29 13:36:31 2016 TCPv4_CLIENT link local: [undef]
    Thu Dec 29 13:36:31 2016 TCPv4_CLIENT link remote: [AF_INET]<public ip>:1194
    Thu Dec 29 13:36:31 2016 TLS: Initial packet from [AF_INET]<public ip>:1194, sid=1081d793 4873f1e6
    Thu Dec 29 13:36:31 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Thu Dec 29 13:36:32 2016 VERIFY OK: depth=1, CN=*, OU=RV320, O=*., L=*, C=*, ST=*
    Thu Dec 29 13:36:32 2016 VERIFY OK: depth=0, C=*, OU=*, CN=*
    Thu Dec 29 13:36:32 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Thu Dec 29 13:36:32 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Dec 29 13:36:32 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Thu Dec 29 13:36:32 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Dec 29 13:36:32 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Thu Dec 29 13:36:32 2016 [com] Peer Connection Initiated with [AF_INET]<public ip>:1194
    Thu Dec 29 13:36:35 2016 SENT CONTROL [com]: 'PUSH_REQUEST' (status=1)
    Thu Dec 29 13:36:35 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 192.168.1.3,dhcp-option DNS 192.168.1.10,dhcp-option DOMAIN <company>.LOCAL,route 172.31.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 172.31.0.6 172.31.0.5'
    Thu Dec 29 13:36:35 2016 OPTIONS IMPORT: timers and/or timeouts modified
    Thu Dec 29 13:36:35 2016 OPTIONS IMPORT: --ifconfig/up options modified
    Thu Dec 29 13:36:35 2016 OPTIONS IMPORT: route options modified
    Thu Dec 29 13:36:35 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Thu Dec 29 13:36:35 2016 ROUTE_GATEWAY <client ip>/255.255.255.240 IFACE=eth1 HWADDR=*
    Thu Dec 29 13:36:35 2016 TUN/TAP device tun0 opened
    Thu Dec 29 13:36:35 2016 TUN/TAP TX queue length set to 100
    Thu Dec 29 13:36:35 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Thu Dec 29 13:36:35 2016 /sbin/ip link set dev tun0 up mtu 1500
    Thu Dec 29 13:36:35 2016 /sbin/ip addr add dev tun0 local 172.31.0.6 peer 172.31.0.5
    Thu Dec 29 13:36:35 2016 /etc/openvpn/update-resolv-conf.sh tun0 1500 1559 172.31.0.6 172.31.0.5 init dhcp-option DNS 192.168.1.3 dhcp-option DNS 192.168.1.10 dhcp-option DOMAIN <company>.LOCAL
    Illegal option -x
    Thu Dec 29 13:36:35 2016 /sbin/ip route add <public ip>/32 via <client ip>
    Thu Dec 29 13:36:35 2016 /sbin/ip route add 0.0.0.0/1 via 172.31.0.5
    Thu Dec 29 13:36:35 2016 /sbin/ip route add 128.0.0.0/1 via 172.31.0.5
    Thu Dec 29 13:36:35 2016 /sbin/ip route add 172.31.0.0/24 via 172.31.0.5
    Thu Dec 29 13:36:35 2016 Initialization Sequence Completed

My client (a Linux box) has ip.forwarding enabled, and its routing table looks like this when connected from outside:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         172.31.0.5      128.0.0.0       UG    0      0        0 tun0
    0.0.0.0         <client ip>     0.0.0.0         UG    0      0        0 eth1
    <public ip>     <client ip>     255.255.255.255 UGH   0      0        0 eth1
    128.0.0.0       172.31.0.5      128.0.0.0       UG    0      0        0 tun0
    <client ip>     0.0.0.0         255.255.255.240 U     1      0        0 eth1
    172.31.0.0      172.31.0.5      255.255.255.0   UG    0      0        0 tun0
    172.31.0.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun0

I have also tried setting up a static route, as suggested here: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, but without any luck.
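
Added example (not part of the original post): a small Python check that turns the `PUSH_REPLY` from the log above into the routes the client installs on tun0 and looks up which one carries a given destination. The function names are hypothetical; the only input is the `PUSH_REPLY` string copied from the post.

```python
import ipaddress

# PUSH_REPLY copied from the client log in the post.
PUSH_REPLY = ("PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 192.168.1.3,"
              "dhcp-option DNS 192.168.1.10,dhcp-option DOMAIN <company>.LOCAL,"
              "route 172.31.0.0 255.255.255.0,topology net30,ping 10,"
              "ping-restart 120,ifconfig 172.31.0.6 172.31.0.5")


def pushed_routes(push_reply):
    """Return (network, gateway) pairs the client installs on tun0."""
    opts = [o.split() for o in push_reply.split(",")[1:]]
    # With topology net30 the second ifconfig argument is the tunnel peer,
    # which OpenVPN uses as the default gateway for pushed routes.
    peer = next(o[2] for o in opts if o[0] == "ifconfig")
    routes = []
    for o in opts:
        if o[0] == "route":
            mask = o[2] if len(o) > 2 else "255.255.255.255"
            gw = o[3] if len(o) > 3 else peer
            routes.append((ipaddress.ip_network(f"{o[1]}/{mask}"), gw))
        elif o[0] == "redirect-gateway" and "def1" in o[1:]:
            # def1 adds two /1 routes instead of replacing the default route.
            routes.append((ipaddress.ip_network("0.0.0.0/1"), peer))
            routes.append((ipaddress.ip_network("128.0.0.0/1"), peer))
    return routes


def lookup(routes, destination):
    """Longest-prefix match; None when no pushed route covers the address."""
    addr = ipaddress.ip_address(destination)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)


def explicitly_routed(routes, destination):
    """True only if a pushed 'route' (not the def1 catch-all) covers it."""
    hit = lookup(routes, destination)
    return hit is not None and hit[0].prefixlen > 1


if __name__ == "__main__":
    routes = pushed_routes(PUSH_REPLY)
    for dest in ("192.168.1.3", "192.168.5.96", "172.31.0.1"):
        net, gw = lookup(routes, dest)
        print(f"{dest:14} -> {net} via {gw} "
              f"(explicit: {explicitly_routed(routes, dest)})")
```

For 192.168.1.3 the only match is the `redirect-gateway def1` catch-all 128.0.0.0/1 via 172.31.0.5, which agrees with the three tun0 `ip route add` lines in the log; the server pushes no specific route for 192.168.1.0/24.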