Strange OpenVPN problem? Cannot ping the server's internal-network address.

火星人 @ 2014-03-04, replies: 0



Simple network layout

192.168.1.191/24 ------ 192.168.1.1/24 eth0 [company gateway] eth1 Public IP1 ------ Internet ------ personal computer on ADSL, public IP obtained from the ISP via DHCP

The OpenVPN server (Unix) is now configured on 192.168.1.191.
A port mapping was set up on the company gateway: Public IP1 1194 --> 192.168.1.191 1194.
The OpenVPN client (Windows XP) is configured on the personal computer.

The problem is:
My personal computer gets the internal IP handed out by OpenVPN, but it just cannot ping 192.168.1.191.

The configuration files are:

###server.conf###

port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key  
dh dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.191 255.255.255.0 192.168.1.4 192.168.1.5
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

###server bridge-start###

tap="tap0"
eth="eth0"
eth_ip="192.168.1.191"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"


###client.ovpn###

dev tap
remote Public IP1 1194

Tests after connecting

On the OpenVPN server, iptables -F was run to flush the firewall rules.

# less openvpn-status.log
OpenVPN CLIENT LIST
Updated,Sat Sep 29 20:49:43 2007
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client3,x.x.x.x(my Windows public IP):62463,26016,14684,Sat Sep 29 20:16:18 2007
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
00:ff:5a:b3:f3:93,client3,x.x.x.x(my Windows public IP):62463,Sat Sep 29 20:16:25 2007
GLOBAL STATS
Max bcast/mcast queue length,0
END

# arp -a
? (192.168.1.5) at <incomplete> on br0
? (192.168.1.1) at 00:19:E0:24:34:39 on br0


# ip route
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.191
default via 192.168.1.1 dev br0


On the client side
ipconfig /all
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : TAP-Win32 Adapter V8 - 數據包計劃程序微型埠
        Physical Address. . . . . . . . . : 00-FF-5A-B3-F3-93
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 192.168.1.0
        Lease Obtained. . . . . . . . . . : 2007年9月29日 21:36:19
        Lease Expires . . . . . . . . . . : 2008年9月28日 21:36:19
               
               
C:\Documents and Settings\Administrator>arp -a

Interface: 192.168.1.5 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.191         00-00-00-00-00-00     invalid

route print:
192.168.1.0    255.255.255.0      192.168.1.5     192.168.1.5       30
192.168.1.5  255.255.255.255        127.0.0.1       127.0.0.1       30

Client-side OpenVPN log

Sat Sep 29 21:36:10 2007 OpenVPN 2.0.9 Win32-MinGW built on Oct  1 2006
Sat Sep 29 21:36:10 2007 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sat Sep 29 21:36:10 2007 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Sep 29 21:36:10 2007 LZO compression initialized
Sat Sep 29 21:36:10 2007 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Sep 29 21:36:10 2007 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Sat Sep 29 21:36:10 2007 Local Options hash (VER=V4): 'd79ca330'
Sat Sep 29 21:36:10 2007 Expected Remote Options hash (VER=V4): 'f7df56b8'
Sat Sep 29 21:36:10 2007 UDPv4 link local:
Sat Sep 29 21:36:10 2007 UDPv4 link remote: Public IP1:1194
Sat Sep 29 21:36:10 2007 TLS: Initial packet from  Public IP1:1194, sid=ecb7b622 8472bb1a
Sat Sep 29 21:36:12 2007 VERIFY OK:
Sat Sep 29 21:36:12 2007 VERIFY OK:
Sat Sep 29 21:36:13 2007 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Sep 29 21:36:13 2007 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Sep 29 21:36:13 2007 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Sep 29 21:36:13 2007 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Sep 29 21:36:13 2007 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Sep 29 21:36:13 2007 Peer Connection Initiated with Public IP1:1194
Sat Sep 29 21:36:14 2007 SENT CONTROL : 'PUSH_REQUEST' (status=1)
Sat Sep 29 21:36:14 2007 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.1.191,ping 10,ping-restart 120,ifconfig 192.168.1.5 255.255.255.0'
Sat Sep 29 21:36:14 2007 OPTIONS IMPORT: timers and/or timeouts modified
Sat Sep 29 21:36:14 2007 OPTIONS IMPORT: --ifconfig/up options modified
Sat Sep 29 21:36:14 2007 OPTIONS IMPORT: route options modified
Sat Sep 29 21:36:14 2007 TAP-WIN32 device opened: \\.\Global\{5AB3F393-186A-4F35-958B-8638DC37BD69}.tap
Sat Sep 29 21:36:14 2007 TAP-Win32 Driver Version 8.4
Sat Sep 29 21:36:14 2007 TAP-Win32 MTU=1500
Sat Sep 29 21:36:14 2007 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.1.5/255.255.255.0 on interface {5AB3F393-186A-4F35-958B-8638DC37BD69}
Sat Sep 29 21:36:14 2007 Successful ARP Flush on interface {5AB3F393-186A-4F35-958B-8638DC37BD69}
Sat Sep 29 21:36:14 2007 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sat Sep 29 21:36:14 2007 Route: Waiting for TUN/TAP interface to come up...
Sat Sep 29 21:36:15 2007 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sat Sep 29 21:36:15 2007 Route: Waiting for TUN/TAP interface to come up...
Sat Sep 29 21:36:16 2007 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sat Sep 29 21:36:16 2007 Route: Waiting for TUN/TAP interface to come up...
Sat Sep 29 21:36:17 2007 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sat Sep 29 21:36:17 2007 Route: Waiting for TUN/TAP interface to come up...
Sat Sep 29 21:36:18 2007 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sat Sep 29 21:36:18 2007 Route: Waiting for TUN/TAP interface to come up...
Sat Sep 29 21:36:19 2007 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
Sat Sep 29 21:36:19 2007 Initialization Sequence Completed


  

Has anyone run into this problem?

The server and client cannot reach each other at all on the 192.168.1.0/24 segment.

Why, even though I am using bridged mode, is the ARP table still incomplete?

If I set it manually, how should the ARP entry be written?
For example, on the server: arp -s 192.168.1.5 MAC (which MAC address should it be?)

Thanks.
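The two tables quoted above can be read together: in tap mode the ROUTING TABLE of openvpn-status.log holds the client's MAC, learned from frames that arrived over the tunnel, so the server has received the client's frames, while the `<incomplete>` entry on br0 means the bridge side never saw them. The following added example (not code from the thread) parses both outputs and applies that reasoning; the status log and `arp -a` text are constructed samples modelled on the post, with the public IP replaced by the documentation address 203.0.113.7.

```python
import re
# Constructed sample input modelled on the thread's openvpn-status.log (tap mode).
STATUS_LOG = """OpenVPN CLIENT LIST
Updated,Sat Sep 29 20:49:43 2007
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client3,203.0.113.7:62463,26016,14684,Sat Sep 29 20:16:18 2007
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
00:ff:5a:b3:f3:93,client3,203.0.113.7:62463,Sat Sep 29 20:16:25 2007
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""
# Constructed sample `arp -a` output from the server, as in the thread.
SERVER_ARP = """? (192.168.1.5) at <incomplete> on br0
? (192.168.1.1) at 00:19:E0:24:34:39 on br0
"""
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

def parse_routing_table(status_text):
    """Map common name -> virtual address from the ROUTING TABLE section."""
    table, in_table = {}, False
    for line in status_text.splitlines():
        if line == "ROUTING TABLE":
            in_table = True
        elif line in ("GLOBAL STATS", "END"):
            in_table = False
        elif in_table and "," in line and not line.startswith("Virtual Address"):
            virt, cn = line.split(",")[:2]
            table[cn] = virt
    return table

def parse_arp(arp_text):
    """Map IP -> MAC (lower-case) from Linux `arp -a`; None marks <incomplete>."""
    entries = {}
    for m in re.finditer(r"\((\S+)\) at (\S+) on", arp_text):
        entries[m.group(1)] = None if m.group(2) == "<incomplete>" else m.group(2).lower()
    return entries

def diagnose(status_text, arp_text, client_ip):
    # Virtual addresses that are MACs mean OpenVPN learned them from tunnel frames.
    learned = {v for v in parse_routing_table(status_text).values() if MAC_RE.match(v)}
    arp = parse_arp(arp_text)
    if not learned:
        return "tun"        # virtual addresses are IPs: routed (tun) setup, not a bridge
    if client_ip not in arp:
        return "no-arp"     # br0 never tried to resolve the client: nothing has talked to it
    if arp[client_ip] is None:
        return "not-bridged"  # tunnel delivered the MAC, br0 never saw it: tap0 not in br0 or filtered
    return "ok" if arp[client_ip] in learned else "mac-mismatch"
```

A "not-bridged" result points at checking that tap0 is actually enslaved to br0 and that nothing between tap0 and br0 drops the frames, which is exactly where tcpdump on tap0 helps.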
《Solution》

If the network is not reachable, setting the MAC manually will not help either.

Run tcpdump -n -i tap0 on the server and see which packets from the client you are actually receiving.
《Solution》

I ran into this problem too: I can get the IP address handed out by the server, but the two sides cannot reach each other.

What configuration should be done?
《Solution》

Not being able to reach the internal network behind the VPN is mainly a routing problem.
The main parameters are the following:
# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"


# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.
《Solution》

That's really it, many thanks! My problem was also in the push.
《Solution》

Can you explain what this configuration means?
Mine was originally:

push "route 10.16.100.0 255.255.255.0"

The client could never reach 10.16.74.101.

Now I changed it to
push "route 10.16.0.0 255.255.0.0"

and the client can reach it now.
《Solution》

Why doesn't this method work for me? My company's public IP is 221.179.33.9, the internal network uses 10.1.1.1 and the internal segment is 10.1.1.0; the tap0 address is 10.1.2.1, so the client IPs are in the 10.1.2.0 segment. But from home I can never reach IPs in the 10.1.1.0 segment. I tried the push method and it does not work; I also tried iptables forwarding on the server. Could an expert please advise?





http://www.coctec.com/docs/service/show-post-16550.html