pfSense – OpenVPN – tap – client connection: default gateway error

We are setting up an OpenVPN server on a pfSense v2.0.1 router with the "OpenVPN tap bridging fix" package in order to build a bridged VPN network. We followed this HOWTO: link

Almost everything works fine, except for getting the tap device up on the client (Ubuntu 11.10 x64).

Here is a snippet from the log file:

    # openvpn --config client.conf --script-security 2
    Wed Apr 18 18:36:49 2012 OpenVPN 2.2.0 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jul 4 2011
    Wed Apr 18 18:36:49 2012 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Wed Apr 18 18:36:49 2012 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Enter Private Key Password:
    Wed Apr 18 18:36:53 2012 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Wed Apr 18 18:36:53 2012 WARNING: file '/etc/openvpn/ta.key' is group or others accessible
    Wed Apr 18 18:36:53 2012 Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
    Wed Apr 18 18:36:53 2012 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Apr 18 18:36:53 2012 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Apr 18 18:36:53 2012 LZO compression initialized
    Wed Apr 18 18:36:53 2012 Control Channel MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Wed Apr 18 18:36:53 2012 Socket Buffers: R=[126976->131072] S=[126976->131072]
    Wed Apr 18 18:36:53 2012 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
    Wed Apr 18 18:36:53 2012 Local Options hash (VER=V4): 'a7133b47'
    Wed Apr 18 18:36:53 2012 Expected Remote Options hash (VER=V4): 'c5677ab3'
    Wed Apr 18 18:36:53 2012 UDPv4 link local: [undef]
    Wed Apr 18 18:36:53 2012 UDPv4 link remote: [AF_INET]9.9.9.9:9999
    Wed Apr 18 18:36:53 2012 TLS: Initial packet from [AF_INET]9.9.9.9:9999, sid=e19da0d4 b45b5daf
    Wed Apr 18 18:36:54 2012 VERIFY OK: depth=1, /C=DE/ST=state/L=City/O=Company/CN=pfsense/emailAddress=admin@domain
    Wed Apr 18 18:36:54 2012 VERIFY OK: depth=0, /C=DE/ST=state/L=City/O=Company/CN=pfsense/emailAddress=admin@domain
    Wed Apr 18 18:36:55 2012 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Wed Apr 18 18:36:55 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Apr 18 18:36:55 2012 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Wed Apr 18 18:36:55 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Apr 18 18:36:55 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Wed Apr 18 18:36:55 2012 [pfsense] Peer Connection Initiated with [AF_INET]9.9.9.9:9999
    Wed Apr 18 18:36:57 2012 SENT CONTROL [pfsense]: 'PUSH_REQUEST' (status=1)
    Wed Apr 18 18:36:57 2012 PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.0 255.0.0.0,dhcp-option DOMAIN local.domain,dhcp-option DNS 10.0.0.1,redirect-gateway def1,redirect-gateway local def1,ping 10,ping-restart 60'
    Wed Apr 18 18:36:57 2012 OPTIONS IMPORT: timers and/or timeouts modified
    Wed Apr 18 18:36:57 2012 OPTIONS IMPORT: route options modified
    Wed Apr 18 18:36:57 2012 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Wed Apr 18 18:36:57 2012 ROUTE default_gateway=192.168.9.2
    Wed Apr 18 18:36:57 2012 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
    Wed Apr 18 18:36:57 2012 OpenVPN ROUTE: failed to parse/resolve route for host/network: 10.0.0.0
    Wed Apr 18 18:36:57 2012 TUN/TAP device tap0 opened
    Wed Apr 18 18:36:57 2012 TUN/TAP TX queue length set to 100
    Wed Apr 18 18:36:57 2012 NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
    Wed Apr 18 18:36:57 2012 Initialization Sequence Completed

We are confused as to why the client does not apply the "PUSH" commands sent by the server when the "tap0" device is brought up. Once the connection is established, "ifconfig" on the client shows no tap device, and the routes specified by the VPN are not set either. Any ideas?

Although I'm no expert, I recently had to do this myself. I don't know which command-line parameters you are using, but in order to receive the "push" options, the client must indicate that it trusts the server to fiddle with its routing table, which is done by specifying

    --pull

or

    --client

(which implies --pull)

Hope this helps.
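A client.conf for a bridged (tap) client of the kind discussed in this thread, written here as an added example rather than taken from the question, the answer or the pfSense package: it uses `client` (which implies `pull`), and it also clears the two warnings visible in the log above with `remote-cert-tls server` and `auth-nocache`. The file paths, the `tls-auth` key direction and the `route-gateway` address are assumptions or placeholders; the server address, port, cipher and compression are the ones shown in the log.

```conf
# client.conf for a bridged (tap) OpenVPN client -- added example, not from the thread
client                           # implies "pull" (accept pushed options) and "tls-client"
dev tap
proto udp
remote 9.9.9.9 9999              # server address and port as in the log above

# Certificates and keys (paths are assumptions)
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key  /etc/openvpn/client.key
tls-auth /etc/openvpn/ta.key 1   # direction 1 assumed for the client side;
                                 # chmod 600 ta.key clears the "group or others accessible" warning

# Clears "No server certificate verification method has been enabled":
# accept only a peer whose certificate carries the TLS Web Server Authentication EKU
# (assumes the pfSense server certificate was issued as a server certificate).
remote-cert-tls server

# Clears "this configuration may cache passwords in memory"
auth-nocache

cipher AES-128-CBC               # as negotiated in the log
comp-lzo                         # "LZO compression initialized" in the log
persist-key
persist-tun
verb 3

# In tap mode a pushed "route ..." line needs a gateway. The PUSH_REPLY above carries
# no route-gateway or ifconfig option, which is what the "needs a gateway parameter"
# and "unable to redirect default gateway" messages report. Either push
# "route-gateway <bridge address>" from the server, or set it locally here
# (placeholder address, replace with the bridge interface's IP on the pfSense side):
# route-gateway 10.0.0.1
```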