客户端/服务器在同一子网中的OpenVPN

8

我正在尝试从位于具有相同子网(也是192.168.1.0/24)的网络上的客户端将vpn打开到办公网络(192.168.1.0/24)。它是linux(ubuntu 9.10)服务器和Windows客户端。

我遵循了这个ubuntu openvpn社区文档指南,从我可以知道的基础连接正常。当然,我会收到很多有关ip地址冲突的错误/警告。

然后,我试图按照本指南中的“肮脏的NAT技巧来使VPN与也已在专用地址空间中编号的客户端一起使用”,但没有成功。虽然我对路由/伪装有理论上的了解,但我的实践经验相对较少,并且不确定出什么问题。

到目前为止,我已经到了客户端连接到服务器并被分配IP 10.22.8.10的地步。但是,我无法像文档中所示那样对服务器ip 10.22.8.1进行ping操作。

服务器配置基本相同引导1与修改脱离导向器2的,即设置“服务器桥10.22.8.1 255.255.255.0 10.22.8.10 10.22.8.120”和“推“路线10.22.0.0 255.255.0.0 10.22.8.1 ”。另外,我将tap接口配置命令添加到up.sh。

客户端配置与指南1相同。

服务器'ifconfig tap0'(编辑:抱歉,如果看起来很麻烦。在编辑此帖子的预览窗格中看起来不错)

tap0链接encap:以太网HWaddr ee:ee:a8:04:8a:fc inet地址:10.22.8.1 Bcast:0.0.0.0掩码:255.255.255.0 inet6地址:fe80 :: ecee:a8ff:fe04:8afc / 64范围:链接广播多点广播运行MTU:1500指标:1 RX数据包:610错误:0掉线:0超限:0帧:0 TX数据包:4533错误:0掉线:0超限:0载波:0冲突:0 txqueuelen:100接收字节:111341(111.3 KB)发送字节:650830(650.8 KB)

客户端登录连接:

  Mon Mar 01 00:30:13 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009  
    Mon Mar 01 00:30:13 2010 WARNING: No server certificate verification method has been enabled.  See URL-REDACTED for more info.
    Mon Mar 01 00:30:13 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Mon Mar 01 00:30:13 2010 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
    Mon Mar 01 00:30:13 2010 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Mar 01 00:30:13 2010 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Mar 01 00:30:13 2010 LZO compression initialized
    Mon Mar 01 00:30:13 2010 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Mon Mar 01 00:30:13 2010 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Mon Mar 01 00:30:13 2010 Local Options hash (VER=V4): '13a273ba'
    Mon Mar 01 00:30:13 2010 Expected Remote Options hash (VER=V4): '360696c5'
    Mon Mar 01 00:30:13 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Mon Mar 01 00:30:13 2010 UDPv4 link local: [undef]
    Mon Mar 01 00:30:13 2010 UDPv4 link remote: REDACTED:1194
    Mon Mar 01 00:30:13 2010 TLS: Initial packet from REDACTED:1194, sid=11055cf2 cc0d1ea0
    Mon Mar 01 00:30:14 2010 VERIFY OK: depth=1, REDACTED
    Mon Mar 01 00:30:14 2010 VERIFY OK: depth=0, REDACTED
    Mon Mar 01 00:30:14 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mon Mar 01 00:30:14 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Mar 01 00:30:14 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mon Mar 01 00:30:14 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Mar 01 00:30:14 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Mon Mar 01 00:30:14 2010 [server] Peer Connection Initiated with REDACTED:1194
    Mon Mar 01 00:30:17 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Mon Mar 01 00:30:17 2010 PUSH: Received control message: 'PUSH_REPLY,route 10.22.0.0 255.255.0.0 10.22.8.1,route-gateway 10.22.8.1,ping 10,ping-restart 120,ifconfig 10.22.8.10 255.255.255.0'
    Mon Mar 01 00:30:17 2010 OPTIONS IMPORT: timers and/or timeouts modified
    Mon Mar 01 00:30:17 2010 OPTIONS IMPORT: --ifconfig/up options modified
    Mon Mar 01 00:30:17 2010 OPTIONS IMPORT: route options modified
    Mon Mar 01 00:30:17 2010 OPTIONS IMPORT: route-related options modified
    Mon Mar 01 00:30:17 2010 ROUTE default_gateway=192.168.1.254
    Mon Mar 01 00:30:17 2010 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{7464875E-98E9-46AF-8F86-69FF32FFB722}.tap
    Mon Mar 01 00:30:17 2010 TAP-Win32 Driver Version 9.6 
    Mon Mar 01 00:30:17 2010 TAP-Win32 MTU=1500
    Mon Mar 01 00:30:17 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.22.8.10/255.255.255.0 on interface {7464875E-98E9-46AF-8F86-69FF32FFB722} [DHCP-serv: 10.22.8.0, lease-time: 31536000]
    Mon Mar 01 00:30:17 2010 Successful ARP Flush on interface [33] {7464875E-98E9-46AF-8F86-69FF32FFB722}
    Mon Mar 01 00:30:22 2010 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
    Mon Mar 01 00:30:22 2010 C:\WINDOWS\system32\route.exe ADD 10.22.0.0 MASK 255.255.0.0 10.22.8.1
    Mon Mar 01 00:30:22 2010 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
    Mon Mar 01 00:30:22 2010 Route addition via IPAPI succeeded [adaptive]
    Mon Mar 01 00:30:22 2010 Initialization Sequence Completed
    Mon Mar 01 01:30:14 2010 TLS: soft reset sec=0 bytes=648728/0 pkts=3922/0
    Mon Mar 01 01:30:14 2010 VERIFY OK: depth=1, REDACTED
    Mon Mar 01 01:30:14 2010 VERIFY OK: depth=0, REDACTED
    Mon Mar 01 01:30:15 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mon Mar 01 01:30:15 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Mar 01 01:30:15 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mon Mar 01 01:30:15 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Mar 01 01:30:15 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA

客户端路由似乎正常(路由打印):

  Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.23     25
        10.22.0.0      255.255.0.0        10.22.8.1       10.22.8.10     30
        10.22.8.0    255.255.255.0         On-link        10.22.8.10    286
       10.22.8.10  255.255.255.255         On-link        10.22.8.10    286
      10.22.8.255  255.255.255.255         On-link        10.22.8.10    286
    ...

但是,当我尝试到达10.22.8.1时,它似乎仍然想跳出本地互联网连接:

  C:\Windows\system32>tracert 10.22.8.1
    Tracing route to 10.22.8.1 over a maximum of 30 hops
      1     1 ms     1 ms     1 ms  home.gateway [192.168.1.254]
      2  nexthop.qld.iinet.net.au [203.55.228.88]  reports: Destination net unreachable.

有人可以向我建议我做错了什么吗(或者,如果有一种简单,更可行的方法来做我想做的事情-请注意,按照指南2中的解决方案#1,不能重命名这两个子网)

vpn  routing  openvpn  subnet 
前卫
source
我认为这是一个非常有趣的问题,并且我不介意尝试复制它-尽管我认为创建此方案对我来说可能有点麻烦。根据您的route print,您使用的不是XP,而是Windows Vista或7。您能告诉我,以便我创建适当的VM进行测试吗?
裂变
@fission:我正在使用Windows7。如果您有兴趣,我可能可以在Windows XP计算机上尝试。如果您需要任何进一步的信息,请告诉我。
fostandy,2010年

Answers:

3

您的默认路由度量值小于10.22.0.0/16路由,它将路由到默认路由。在解析路由时,如果有多个路由与目标匹配,则较低的度量值路由优先。

通过VPN推送默认路由,或者为10.22.0.0/16降低指标(默认路由的指标增加)。

它看起来应该像这样:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
      0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.23    1000
    10.22.0.0      255.255.0.0        10.22.8.1       10.22.8.10     30
    10.22.8.0    255.255.255.0         On-link        10.22.8.10    286
   10.22.8.10  255.255.255.255         On-link        10.22.8.10    286
  10.22.8.255  255.255.255.255         On-link        10.22.8.10    286
康拉德斯
source
1

您需要做的是删除默认路由,并添加仅针对您的VPN服务器的路由,并将其标记为可通过本地路由器使用。

因此,您应该有3条路线:

vpn.example.com 255.255.255.255 gw 1​​92.168.1.254
192.168.1.0 255.255.255.0 GW 10.22.8.1
0.0.0.0 0.0.0.0 GW 10.22.8.1
休伯特·卡里奥(Hubert Kario)
source
By using our site, you acknowledge that you have read and understand our Cookie Policy and Privacy Policy.
Licensed under cc by-sa 3.0 with attribution required.