XiaoHui.Net Programmer Forum
Notes on installing OpenVPN on Linux and the OpenVPN GUI on Windows
My server and client cannot connect. On our telecom network several hosts sit behind one IP, and the IP is dynamically assigned; could that have something to do with it?
<blockquote>Quoting pan's post<hr size=1 noshadow>My server and client cannot connect. On our telecom network several hosts sit behind one IP, and the IP is dynamically assigned; could that have something to do with it?<hr size=1 noshadow></blockquote>Check the log yourself and make sure you are connecting to the correct server.
For those whose installation above did not succeed, the difference may be caused by different OPENVPN versions. I just installed strictly with the OPENVPN version stated in XIAOHUI's document, and it went through without a hitch. :)
I want to install a Redhat virtual machine under Windows, with Redhat as the server and Windows as the client, but they share one IP and the IP is dynamically assigned. Can OpenVPN be established between them like that?<br>
How should `local` in server.conf be written?
<blockquote>Quoting pan's post<hr size=1 noshadow>I want to install a Redhat virtual machine under Windows, with Redhat as the server and Windows as the client, but they share one IP and the IP is dynamically assigned. Can OpenVPN be established between them like that?<br>
How should `local` in server.conf be written?<hr size=1 noshadow></blockquote>Don't know, haven't tried it.<br>A virtual machine should be able to get a different IP assigned.
How can OpenVPN join two LANs in different regions into one LAN? That is, two companies in different cities: after the two Linux machines make a point-to-point connection, can the clients behind them reach each other?
Following the OP's configuration, WinXP connecting to OpenVPN keeps reporting 'connecting to client has failed'. Below is the client log. OP, please take a look<br>
Fri May 29 15:03:43 2009 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov 2 2005<br>
Fri May 29 15:03:43 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.<br>
Fri May 29 15:03:43 2009 LZO compression initialized<br>
Fri May 29 15:03:43 2009 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]<br>
Fri May 29 15:03:43 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]<br>
Fri May 29 15:03:43 2009 Local Options hash (VER=V4): '69109d17'<br>
Fri May 29 15:03:43 2009 Expected Remote Options hash (VER=V4): 'c0103fa8'<br>
Fri May 29 15:03:43 2009 Attempting to establish TCP connection with 192.168.1.222:1194<br>
Fri May 29 15:03:43 2009 TCP connection established with 192.168.1.222:1194<br>
Fri May 29 15:03:43 2009 TCPv4_CLIENT link local: [undef]<br>
Fri May 29 15:03:43 2009 TCPv4_CLIENT link remote: 192.168.1.222:1194<br>
Fri May 29 15:03:43 2009 TLS: Initial packet from 192.168.1.222:1194, sid=9e2dc9b0 29a67f10<br>
Fri May 29 15:03:43 2009 VERIFY OK: depth=1, /C=CN/ST=GD/L=SZ/O=kemei/OU=kemei/CN=server/emailAddress=system-one@163.com<br>
Fri May 29 15:03:43 2009 VERIFY OK: nsCertType=SERVER<br>
Fri May 29 15:03:43 2009 VERIFY OK: depth=0, /C=CN/ST=GD/O=kemei/OU=kemei/CN=server/emailAddress=system-one@163.com<br>
Fri May 29 15:03:43 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key<br>
Fri May 29 15:03:43 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication<br>
Fri May 29 15:03:43 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key<br>
Fri May 29 15:03:43 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication<br>
Fri May 29 15:03:43 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA<br>
Fri May 29 15:03:43 2009 [server] Peer Connection Initiated with 192.168.1.222:1194<br>
Fri May 29 15:03:45 2009 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)<br>
Fri May 29 15:03:45 2009 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.8.0.1,route 10.8.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'<br>
Fri May 29 15:03:45 2009 OPTIONS IMPORT: timers and/or timeouts modified<br>
Fri May 29 15:03:45 2009 OPTIONS IMPORT: --ifconfig/up options modified<br>
Fri May 29 15:03:45 2009 OPTIONS IMPORT: route options modified<br>
Fri May 29 15:03:45 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified<br>
Fri May 29 15:03:45 2009 There are no TAP-Win32 adapters on this system. You should be able to create a TAP-Win32 adapter by going to Start -> All Programs -> OpenVPN -> Add a new TAP-Win32 virtual ethernet adapter.<br>
Fri May 29 15:03:45 2009 Exiting
<blockquote>Quoting luo's post<hr size=1 noshadow>Following the OP's configuration, WinXP connecting to OpenVPN keeps reporting 'connecting to client has failed'. Below is the client log. OP, please take a look<br>
Fri May 29 15:03:43 2009 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov 2 2005<br>
Fri May 29 15:03:43 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.<br>
Fri May 29 15:03:43 2009 LZO compression initialized<br>
Fri May 29 15:03:43 2009 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]<br>
Fri May 29 15:03:43 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]<br>
Fri May 29 15:03:43 2009 Local Options hash (VER=V4): '69109d17'<br>
Fri May 29 15:03:43 2009 Expected Remote Options hash (VER=V4): 'c0103fa8'<br>
Fri May 29 15:03:43 2009 Attempting to establish TCP connection with 192.168.1.222:1194<br>
Fri May 29 15:03:43 2009 TCP connection established with 192.168.1.222:1194<br>
Fri May 29 15:03:43 2009 TCPv4_CLIENT link local: [undef]<br>
Fri May 29 15:03:43 2009 TCPv4_CLIENT link remote: 192.168.1.222:1194<br>
Fri May 29 15:03:43 2009 TLS: Initial packet from 192.168.1.222:1194, sid=9e2dc9b0 29a67f10<br>
Fri May 29 15:03:43 2009 VERIFY OK: depth=1, /C=CN/ST=GD/L=SZ/O=kemei/OU=kemei/CN=server/emailAddress=system-one@163.com<br>
Fri May 29 15:03:43 2009 VERIFY OK: nsCertType=SERVER<br>
Fri May 29 15:03:43 2009 VERIFY OK: depth=0, /C=CN/ST=GD/O=kemei/OU=kemei/CN=server/emailAddress=system-one@163.com<br>
Fri May 29 15:03:43 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key<br>
Fri May 29 15:03:43 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication<br>
Fri May 29 15:03:43 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key<br>
Fri May 29 15:03:43 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication<br>
Fri May 29 15:03:43 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA<br>
Fri May 29 15:03:43 2009 [server] Peer Connection Initiated with 192.168.1.222:1194<br>
Fri May 29 15:03:45 2009 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)<br>
Fri May 29 15:03:45 2009 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.8.0.1,route 10.8.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'<br>
Fri May 29 15:03:45 2009 OPTIONS IMPORT: timers and/or timeouts modified<br>
Fri May 29 15:03:45 2009 OPTIONS IMPORT: --ifconfig/up options modified<br>
Fri May 29 15:03:45 2009 OPTIONS IMPORT: route options modified<br>
Fri May 29 15:03:45 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified<br>
Fri May 29 15:03:45 2009 There are no TAP-Win32 adapters on this system. You should be able to create a TAP-Win32 adapter by going to Start -> All Programs -> OpenVPN -> Add a new TAP-Win32 virtual ethernet adapter.<br>
Fri May 29 15:03:45 2009 Exiting<hr size=1 noshadow></blockquote>>> Fri May 29 15:03:45 2009 <b>There are no TAP-Win32 adapters on this system</b>. You should be able to create a TAP-Win32 adapter by going to Start -> All Programs -> OpenVPN -> Add a new TAP-Win32 virtual ethernet adapter<br>
Judging by this log line, it looks like your TAP driver was not installed?
I have solved the problem above. The cause was that I downloaded the wrong Windows version, so the virtual network adapter was not installed. But now there is another problem: I can dial in, but how do I access the LAN on the other side?? At the moment I can only reach the server machine itself. What further settings do the server or the client need?
Wed Jun 03 13:40:30 2009 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov 2 2005<br>
Wed Jun 03 13:40:30 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.<br>
Wed Jun 03 13:40:30 2009 Cannot load certificate file xukai.crt: error:02001002:scd: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib<br>
Wed Jun 03 13:40:30 2009 Exiting<br>
I followed the OP's steps and got an error when connecting; the above is from the log file.<br>
The error is connecting to client has failed.
<blockquote>Quoting xukai's post<hr size=1 noshadow>Wed Jun 03 13:40:30 2009 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov 2 2005<br>
Wed Jun 03 13:40:30 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.<br>
Wed Jun 03 13:40:30 2009 Cannot load certificate file xukai.crt: error:02001002:scd: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib<br>
Wed Jun 03 13:40:30 2009 Exiting<br>
I followed the OP's steps and got an error when connecting; the above is from the log file.<br>
The error is connecting to client has failed.<hr size=1 noshadow></blockquote>The certificate configuration has not been done correctly.
Wed Jun 03 16:10:32 2009 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov 2 2005<br>
Wed Jun 03 16:10:32 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.<br>
Wed Jun 03 16:10:32 2009 LZO compression initialized<br>
Wed Jun 03 16:10:32 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]<br>
Wed Jun 03 16:10:32 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]<br>
Wed Jun 03 16:10:32 2009 Local Options hash (VER=V4): '41690919'<br>
Wed Jun 03 16:10:32 2009 Expected Remote Options hash (VER=V4): '530fdded'<br>
Wed Jun 03 16:10:32 2009 UDPv4 link local (bound): [undef]:1194<br>
Wed Jun 03 16:10:32 2009 UDPv4 link remote: 192.168.242.144:1194<br>
Wed Jun 03 16:10:32 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:10:34 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:10:37 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:10:38 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:10:40 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:10:42 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:10:45 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:10:47 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:10:50 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:10:52 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:10:55 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:10:56 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:10:58 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:01 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:03 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:06 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:08 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:11 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:13 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:15 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:17 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:19 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:21 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:24 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:25 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:27 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:29 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:31 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:32 2009 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)<br>
Wed Jun 03 16:11:32 2009 TLS Error: TLS handshake failed<br>
Wed Jun 03 16:11:32 2009 TCP/UDP: Closing socket<br>
Wed Jun 03 16:11:32 2009 SIGUSR1[soft,tls-error] received, process restarting<br>
Wed Jun 03 16:11:32 2009 Restart pause, 2 second(s)<br>
The problem above is solved, but now it keeps doing this. What is going on?
<blockquote>Quoting xukai's post<hr size=1 noshadow>Wed Jun 03 16:10:32 2009 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov 2 2005<br>
Wed Jun 03 16:10:32 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.<br>
Wed Jun 03 16:10:32 2009 LZO compression initialized<br>
Wed Jun 03 16:10:32 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]<br>
Wed Jun 03 16:10:32 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]<br>
Wed Jun 03 16:10:32 2009 Local Options hash (VER=V4): '41690919'<br>
Wed Jun 03 16:10:32 2009 Expected Remote Options hash (VER=V4): '530fdded'<br>
Wed Jun 03 16:10:32 2009 UDPv4 link local (bound): [undef]:1194<br>
Wed Jun 03 16:10:32 2009 UDPv4 link remote: 192.168.242.144:1194<br>
Wed Jun 03 16:10:32 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:10:34 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:10:37 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:10:38 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:10:40 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:10:42 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:10:45 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:10:47 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:10:50 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:10:52 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:10:55 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:10:56 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:10:58 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:01 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:03 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:06 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:08 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:11 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:13 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:15 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:17 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:19 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:21 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:24 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:25 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:27 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:29 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:31 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)<br>
Wed Jun 03 16:11:32 2009 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)<br>
Wed Jun 03 16:11:32 2009 TLS Error: TLS handshake failed<br>
Wed Jun 03 16:11:32 2009 TCP/UDP: Closing socket<br>
Wed Jun 03 16:11:32 2009 SIGUSR1[soft,tls-error] received, process restarting<br>
Wed Jun 03 16:11:32 2009 Restart pause, 2 second(s)<br>
The problem above is solved, but now it keeps doing this. What is going on?<hr size=1 noshadow></blockquote><p>The physical link between the client and the server is not working. Make sure port 1194 is open and that the client and the server can ping each other normally. Below is OpenVPN's official explanation; go through it yourself to rule out the causes:</p>
<blockquote>
<p>You get the error message: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). This error indicates that the client was unable to establish a network connection with the server.</p>
<p><b>Solutions:</b></p>
<ul>
<li> Make sure the client is using the correct hostname/IP address and port number which will allow it to reach the OpenVPN server.</li>
<li> If the OpenVPN server machine is a single-NIC box inside a protected LAN, make sure you are using a correct port forward rule on the server's gateway firewall. For example, suppose your OpenVPN box is at 192.168.4.4 inside the firewall, listening for client connections on UDP port 1194. The NAT gateway servicing the 192.168.4.x subnet should have a port forward rule that says forward UDP port 1194 from my public IP address to 192.168.4.4.</li>
<li> Open up the server's firewall to allow incoming connections to UDP port 1194 (or whatever TCP/UDP port you have configured in the server config file).</li>
</ul>
</blockquote>
After the client connects to the server, it can ping the server's LAN, WAN and tun IPs, but of the computers on the same switch as the server's LAN, some can be reached and some cannot. For example, the IPs 127, 77, 5 and 212 can all be reached, while other IPs cannot. I don't know why; is it a routing problem? The netmask obtained is 255.255.255.252. Also, after dialling in, accessing shares, for example the default share c$ on host 77, does not prompt for a username and password; the share just opens. I think this is a security problem. Xiaohui, what is the cause, and how do I fix it?
<blockquote>Quoting luo's post<hr size=1 noshadow>After the client connects to the server, it can ping the server's LAN, WAN and tun IPs, but of the computers on the same switch as the server's LAN, some can be reached and some cannot. For example, the IPs 127, 77, 5 and 212 can all be reached, while other IPs cannot. I don't know why; is it a routing problem? The netmask obtained is 255.255.255.252. Also, after dialling in, accessing shares, for example the default share c$ on host 77, does not prompt for a username and password; the share just opens. I think this is a security problem. Xiaohui, what is the cause, and how do I fix it?<hr size=1 noshadow></blockquote>I only set up the VPN to get through the firewall; I don't know about this situation, I haven't fiddled with it. Sorry. :)
Could you help: I don't know why, but after I connect to the VPN I can access the internal network, yet it does not use the DNS pushed by the server; it still uses the dial-up connection's DNS. The client is Win7.
<blockquote>Quoting terry76's post<hr size=1 noshadow>Could you help: I don't know why, but after I connect to the VPN I can access the internal network, yet it does not use the DNS pushed by the server; it still uses the dial-up connection's DNS. The client is Win7.<hr size=1 noshadow></blockquote>I'm not clear on this one; I haven't tested under WIN7.
Wed Jul 15 10:43:22 2009 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov 2 2005<br>
Wed Jul 15 10:43:22 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.<br>
Wed Jul 15 10:43:22 2009 Cannot load certificate file lz.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib<br>
Wed Jul 15 10:43:22 2009 Exiting<br>
<br>
Following your configuration the installation went smoothly and the client connected fine. But a few days later I created several more users, and they cannot connect. The users created at the start can connect; none of the ones created later can. Above is the log; please help me analyse the cause. Thanks
<blockquote>Quoting lz's post<hr size=1 noshadow>Wed Jul 15 10:43:22 2009 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov 2 2005<br>
Wed Jul 15 10:43:22 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.<br>
Wed Jul 15 10:43:22 2009 Cannot load certificate file lz.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib<br>
Wed Jul 15 10:43:22 2009 Exiting<br>
<br>
Following your configuration the installation went smoothly and the client connected fine. But a few days later I created several more users, and they cannot connect. The users created at the start can connect; none of the ones created later can. Above is the log; please help me analyse the cause. Thanks<hr size=1 noshadow></blockquote>You are using certificate verification, right? From the message, your certificate has a problem: lz.crt failed to load. Since it connected successfully before, redo the certificate following the earlier steps, and make sure the client config file names the correct certificate file.
It is certificate verification. The certificate was generated the same way as before, and the client config file was changed too. Is there anything special to watch out for when generating a client with ./build-key? Besides ./build-key, is there anything else to run? Also, when generating the client I got the message "you must define KEY_DIR"; after running the export commands from your document once, it worked.<br>
The client config is as follows:<br>
client <br>
dev tun <br>
proto udp <br>
remote 192.168.0.20 1194 <br>
persist-key <br>
persist-tun <br>
ca ca.crt <br>
cert lz.crt <br>
key lz.key <br>
ns-cert-type server <br>
comp-lzo <br>
verb 3 <br>
redirect-gateway def1
<blockquote>Quoting lz's post<hr size=1 noshadow>It is certificate verification. The certificate was generated the same way as before, and the client config file was changed too. Is there anything special to watch out for when generating a client with ./build-key? Besides ./build-key, is there anything else to run? Also, when generating the client I got the message "you must define KEY_DIR"; after running the export commands from your document once, it worked.<br>
The client config is as follows:<br>
client <br>
dev tun <br>
proto udp <br>
remote 192.168.0.20 1194 <br>
persist-key <br>
persist-tun <br>
ca ca.crt <br>
cert lz.crt <br>
key lz.key <br>
ns-cert-type server <br>
comp-lzo <br>
verb 3 <br>
redirect-gateway def1<hr size=1 noshadow></blockquote>I haven't touched OpenVPN for a long time, so I don't remember the technical details well, and I don't have time to analyse it right now. Since your first generation was correct and the later certificate generations are wrong, there must be an error or an omission in the later steps. Look again carefully and rule out the causes. Or regenerate all the certificates (including the server certificate).<br>
During installation and configuration, it is best to record every command you run, so that later, when a problem comes up or new certificates are needed, troubleshooting or redoing it is easy.
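The advice above (make sure the client config names the correct certificate file) can be checked before OpenVPN is even started. The following Python script is an added example, not code from this thread or from OpenVPN: it parses the ca/cert/key lines of a client config and reports each file as a present PEM file, present but not PEM, or missing, using a constructed temporary directory and a config modelled on the one posted (the remote address is a documentation address).

```python
import os
import tempfile

# Directives in an OpenVPN client config that name PEM files on disk, and the
# marker each file must contain. easy-rsa's build-key output puts a textual
# certificate dump before the PEM block, so the marker need not be on line 1.
PEM_MARKERS = {
    "ca":   "-----BEGIN CERTIFICATE-----",
    "cert": "-----BEGIN CERTIFICATE-----",
    "key":  "-----BEGIN ",   # "RSA PRIVATE KEY" or "PRIVATE KEY" are both valid
}


def parse_file_refs(config_text):
    """Return {directive: filename} for the ca/cert/key lines of a config."""
    refs = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # OpenVPN comment lines
            continue
        parts = line.split(None, 1)
        if parts[0] in PEM_MARKERS and len(parts) == 2:
            refs[parts[0]] = parts[1].strip().strip('"')
    return refs


def check_pem_files(config_text, base_dir):
    """Return {directive: 'ok' | 'missing' | 'not-pem'} for each referenced file.

    'missing' is what OpenVPN later reports as "fopen:No such file or directory",
    'not-pem' as "PEM_read_bio:no start line"; both appear in this thread's logs.
    """
    results = {}
    for directive, name in parse_file_refs(config_text).items():
        path = name if os.path.isabs(name) else os.path.join(base_dir, name)
        if not os.path.isfile(path):
            results[directive] = "missing"
            continue
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            head = fh.read(8192)           # markers sit near the top of the file
        results[directive] = "ok" if PEM_MARKERS[directive] in head else "not-pem"
    return results


# Constructed client config modelled on the one posted above.
CLIENT_CONFIG = """\
client
dev tun
proto udp
remote 192.0.2.20 1194
ca ca.crt
cert lz.crt
key lz.key
ns-cert-type server
comp-lzo
verb 3
"""


def demo():
    """Build a constructed config directory that shows one of each outcome."""
    with tempfile.TemporaryDirectory() as d:
        # ca.crt: a well-formed PEM wrapper around a constructed placeholder body
        with open(os.path.join(d, "ca.crt"), "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
        # lz.crt: exists but holds no PEM block, as when build-key did not finish
        with open(os.path.join(d, "lz.crt"), "w") as fh:
            fh.write("Certificate:\n    Data:\n        Version: 3 (0x2)\n")
        # lz.key: deliberately not created
        return check_pem_files(CLIENT_CONFIG, d)


if __name__ == "__main__":
    for directive, status in demo().items():
        print(f"{directive:5s} {status}")
```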
WRwRThu Jul 16 16:36:24 2009 us=921733 client1/202.127.207.101:2239 MULTI: bad source address from client [202.127.207.101], packet dropped<br>
When the client connects, the server log has many entries like this. What does it mean, and how do I fix it?
<blockquote>Quoting rinkey's post<hr size=1 noshadow>WRwRThu Jul 16 16:36:24 2009 us=921733 client1/202.127.207.101:2239 MULTI: bad source address from client [202.127.207.101], packet dropped<br>
When the client connects, the server log has many entries like this. What does it mean, and how do I fix it?<hr size=1 noshadow></blockquote>I have not run into this error myself. I looked it up; there is an article online with a solution for this error that you can refer to:<br>
<a href="http://www.void.gr/kargig/blog/2008/05/17/openvpn-multi-bad-source-address-from-client-solution/" class=external>Openvpn MULTI: bad source address from client solution</a><br>
On OpenVPN's own newsgroup there is a discussion about it:<br>
<a href="http://openvpn.net/archive/openvpn-users/2005-03/msg00091.html" class=external>[Openvpn-users] MULTI: bad source address from client...packet dropped</a>
The openVPN server has two NICs: eth0 has the public IP, eth1 has the internal gateway IP, and NAT is set up. Before the VPN is started, internal hosts can ping eth1 and the public IP, but once the VPN is started the internal network can no longer ping them, and the VPN client cannot ping the internal hosts either. How do I solve this?
Because I am not very familiar with Linux, I basically followed the OP's commands exactly.<br>
At the end, when starting the VPN, this is what is displayed (only the last part is listed here).<br>
Using putty, the last command just sits there, and port 1194 does not appear to open. Very strange; I hope someone can answer.<br>
Best would be to chat on QQ, hehe, this is too inconvenient. QQ: 57112848<br>
Fri Jul 17 01:49:47 2009 us=708255 TUN/TAP device tun0 opened<br>
Fri Jul 17 01:49:47 2009 us=708281 TUN/TAP TX queue length set to 100<br>
Fri Jul 17 01:49:47 2009 us=708312 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500<br>
Fri Jul 17 01:49:47 2009 us=715115 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2<br>
Fri Jul 17 01:49:47 2009 us=717906 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]<br>
Fri Jul 17 01:49:47 2009 us=717952 Socket Buffers: R=[109568->131072] S=[109568->131072]<br>
Fri Jul 17 01:49:47 2009 us=717974 UDPv4 link local (bound): 210.127.253.11:1194<br>
Fri Jul 17 01:49:47 2009 us=717985 UDPv4 link remote: [undef]<br>
Fri Jul 17 01:49:47 2009 us=718003 MULTI: multi_init called, r=256 v=256<br>
Fri Jul 17 01:49:47 2009 us=718036 IFCONFIG POOL: base=10.8.0.4 size=62<br>
Fri Jul 17 01:49:47 2009 us=718069 Initialization Sequence Completed
Fri Aug 21 18:22:36 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006<br>
Fri Aug 21 18:22:36 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.<br>
Fri Aug 21 18:22:36 2009 Cannot load certificate file client.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib<br>
Fri Aug 21 18:22:36 2009 Exiting<br>
This is the problem on my client; I don't know what is going on
<blockquote>Quoting sail's post<hr size=1 noshadow>Fri Aug 21 18:22:36 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006<br>
Fri Aug 21 18:22:36 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.<br>
Fri Aug 21 18:22:36 2009 Cannot load certificate file client.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib<br>
Fri Aug 21 18:22:36 2009 Exiting<br>
This is the problem on my client; I don't know what is going on<hr size=1 noshadow></blockquote>Client certificate error.
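The failures reported across this thread (missing TAP-Win32 adapter, certificate load errors, UDP connection resets followed by the TLS negotiation timeout, and the server-side "bad source address" message) can be triaged from the log automatically. The following Python script is an added example, not code from this thread or from OpenVPN; the advice strings summarise OpenVPN's documented causes and the replies above, and the sample log is constructed from lines modelled on the ones posted, with documentation and private addresses substituted.

```python
import re

# Each rule is (pattern, code, defender-side advice). Order matters: the
# specific certificate rules must come before the generic one.
RULES = [
    (re.compile(r"There are no TAP-Win32 adapters"), "TAP_MISSING",
     "TAP driver not installed: use the matching OpenVPN Windows build and add a TAP adapter"),
    (re.compile(r"Cannot load certificate file (\S+): .*No such file or directory"),
     "CERT_NOT_FOUND", "file named by 'cert' is absent from the config directory"),
    (re.compile(r"Cannot load certificate file (\S+): .*PEM_read_bio:no start line"),
     "CERT_NOT_PEM", "file exists but contains no PEM block: regenerate it with build-key"),
    (re.compile(r"Cannot load certificate file (\S+):"),
     "CERT_LOAD_FAILED", "certificate could not be loaded: check the path and permissions"),
    (re.compile(r"TLS key negotiation failed to occur within \d+ seconds"),
     "TLS_TIMEOUT", "no reply from server: verify remote host/port, server firewall, NAT forward"),
    (re.compile(r"Connection reset by peer \(WSAECONNRESET\)"),
     "UDP_RESET", "ICMP port unreachable from peer: nothing listening on that port, or filtered"),
    (re.compile(r"MULTI: bad source address from client \[([^\]]+)\], packet dropped"),
     "BAD_SOURCE_ADDR", "server has no route for that source: add an iroute or fix client routes"),
]


def diagnose_line(line):
    """Return (code, captured value or None, advice) for a known failure line, else None."""
    for pattern, code, advice in RULES:
        m = pattern.search(line)
        if m:
            return code, (m.group(1) if m.groups() else None), advice
    return None


def diagnose_log(text):
    """Collapse a whole log into {code: {"count", "values", "advice"}}.

    Repeated lines (the thread's long run of WSAECONNRESET lines) are counted,
    not listed, so the summary stays short and the root cause stands out.
    """
    findings = {}
    for line in text.splitlines():
        hit = diagnose_line(line)
        if hit is None:
            continue
        code, value, advice = hit
        entry = findings.setdefault(code, {"count": 0, "values": [], "advice": advice})
        entry["count"] += 1
        if value is not None and value not in entry["values"]:
            entry["values"].append(value)
    return findings


# Constructed sample modelled on the client and server logs posted in this thread.
SAMPLE_LOG = """\
Fri May 29 15:03:45 2009 There are no TAP-Win32 adapters on this system. You should be able to create a TAP-Win32 adapter by going to Start -> All Programs -> OpenVPN -> Add a new TAP-Win32 virtual ethernet adapter.
Wed Jun 03 13:40:30 2009 Cannot load certificate file xukai.crt: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Wed Jun 03 16:10:32 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:34 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:37 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:32 2009 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jul 15 10:43:22 2009 Cannot load certificate file lz.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Thu Jul 16 16:36:24 2009 us=921733 client1/192.0.2.10:2239 MULTI: bad source address from client [10.8.0.99], packet dropped
Fri Aug 21 18:22:36 2009 Cannot load certificate file client.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib
Fri Jul 17 01:49:47 2009 us=718069 Initialization Sequence Completed
"""


if __name__ == "__main__":
    for code, entry in diagnose_log(SAMPLE_LOG).items():
        print(f"{code:17s} x{entry['count']:<3d} {entry['values']} -> {entry['advice']}")
```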
Server-side environment <br>
redhat, kernel version: 2.4.20-31.9, IP is 70.8.7.6 <br>
<br>
When was "IP is 70.8.7.6" set?<br>
<br>
Thanks!
<blockquote>Quoting 王菲菲's post<hr size=1 noshadow>Server-side environment <br>
redhat, kernel version: 2.4.20-31.9, IP is 70.8.7.6 <br>
<br>
When was "IP is 70.8.7.6" set?<br>
<br>
Thanks!<hr size=1 noshadow></blockquote>It was specified when installing the SERVER OS.