XiaoHui.Net 笑汇程序员论坛 (XiaoHui Programmer Forum): Web Site Development and Design

   Notes on installing OpenVPN on Linux and the OpenVPN GUI on Windows


Page: 1 2 [3] 4

kenny 2009-9-12 02:42
My install finally connects, but once connected I can't reach any website. I also ran echo 1 > /proc/sys/net/ipv4/ip_forward, but still nothing loads. What is going on?


XiaoHui 2009-9-12 07:21
Quoting kenny's post:
> My install finally connects, but once connected I can't reach any website. I also ran echo 1 > /proc/sys/net/ipv4/ip_forward, but still nothing loads. What is going on?

Run sysctl -a | grep for and check whether ip_forward is actually turned on.
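The check XiaoHui suggests, carried one step further, as an added example that is not part of the original thread: the script below reads net.ipv4.ip_forward out of sysctl output (matching the full key, since a bare grep for "for" also shows net.ipv4.conf.*.forwarding), makes the setting survive a reboot, and adds the NAT rule a routed OpenVPN subnet needs before replies from the Internet can find their way back. The subnet 10.8.0.0/24, the tun+ interface and eth0 are assumptions; set them to match the server line and the interfaces on the box.

```shell
#!/bin/sh
# Added example (not from the thread): after "connected but no web access",
# check IPv4 forwarding, make it persistent, and add the NAT rule a routed
# OpenVPN subnet needs. VPN_NET, VPN_IF and WAN_IF are assumptions; set them
# to match the "server" line and the interfaces on your box.
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_IF="${VPN_IF:-tun+}"
WAN_IF="${WAN_IF:-eth0}"

# Pull net.ipv4.ip_forward out of `sysctl -a` output read on stdin.
# Prints 1 or 0, or "unset" if the key is absent. Matching the full key
# avoids confusing it with net.ipv4.conf.*.forwarding, which a bare
# `grep for` also shows.
ip_forward_from_sysctl() {
    awk -F'=' '
        $1 ~ /^net\.ipv4\.ip_forward[ \t]*$/ { gsub(/[ \t]/, "", $2); v = $2 }
        END { if (v == "") print "unset"; else print v }'
}

# Direct read of the live kernel setting (the file that echo 1 > ... writes).
live_ip_forward() {
    cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo unset
}

# Turn forwarding on now and across reboots. "echo 1 > /proc/..." alone is
# lost at the next reboot; /etc/sysctl.conf is what a Red Hat box re-reads.
enable_ip_forward() {
    sysctl -w net.ipv4.ip_forward=1
    if grep -q '^net\.ipv4\.ip_forward' /etc/sysctl.conf 2>/dev/null; then
        sed -i 's/^net\.ipv4\.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
    else
        echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    fi
}

# Forwarding alone does not give clients the Internet: nothing upstream has
# a route back to the VPN subnet, so the server must source-NAT it. Scope the
# rule to VPN_NET; a bare MASQUERADE on WAN_IF would NAT everything routed
# through this host. (-C needs iptables >= 1.4.11; on older builds run the
# -A lines once by hand.)
ensure_nat() {
    iptables -t nat -C POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE 2>/dev/null ||
        iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
    iptables -C FORWARD -i "$VPN_IF" -s "$VPN_NET" -o "$WAN_IF" -j ACCEPT 2>/dev/null ||
        iptables -A FORWARD -i "$VPN_IF" -s "$VPN_NET" -o "$WAN_IF" -j ACCEPT
    iptables -C FORWARD -i "$WAN_IF" -o "$VPN_IF" -d "$VPN_NET" \
            -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null ||
        iptables -A FORWARD -i "$WAN_IF" -o "$VPN_IF" -d "$VPN_NET" \
            -m state --state ESTABLISHED,RELATED -j ACCEPT
}

main() {
    state=$(sysctl -a 2>/dev/null | ip_forward_from_sysctl)
    echo "sysctl says net.ipv4.ip_forward = $state, /proc says $(live_ip_forward)"
    [ "$state" = "1" ] || enable_ip_forward
    ensure_nat
}

# sh vpn_forward_check.sh check   -> report only
# sh vpn_forward_check.sh apply   -> fix (needs root)
case "${1:-}" in
    check) echo "net.ipv4.ip_forward = $(sysctl -a 2>/dev/null | ip_forward_from_sysctl)" ;;
    apply) main ;;
    *) ;;
esac
```

If forwarding and NAT are both in place and web pages still do not load, the remaining usual suspect is DNS: a client whose default gateway was redirected through the tunnel also needs a resolver it can reach through the tunnel (the push "dhcp-option DNS ..." line in the server config).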

藤苇 2009-9-27 10:40
Hello, I've run into a problem I can't solve and would like to ask you about it:
[root@localhost root]# /usr/local/sbin/openvpn --config /usr/local/etc/server.conf
Sun Sep 27 17:41:12 2009 OpenVPN 2.0.9 i686-pc-linux [SSL] [LZO] built on Sep 27 2009
Sun Sep 27 17:41:12 2009 Cannot open dh1024.pem for DH parameters:error:02001002:system library:fopen:NO such file or directory:error:2006D080:BIO routines:BIO_new_file:no such file
Sun Sep 27 14:41:12 2009 Exiting
What is going on here? Urgent!!!

XiaoHui 2009-9-27 12:44
Quoting 藤苇's post:
> Hello, I've run into a problem I can't solve and would like to ask you about it:
> [root@localhost root]# /usr/local/sbin/openvpn --config /usr/local/etc/server.conf
> Sun Sep 27 17:41:12 2009 OpenVPN 2.0.9 i686-pc-linux [SSL] [LZO] built on Sep 27 2009
> Sun Sep 27 17:41:12 2009 Cannot open dh1024.pem for DH parameters:error:02001002:system library:fopen:NO such file or directory:error:2006D080:BIO routines:BIO_new_file:no such file
> Sun Sep 27 14:41:12 2009 Exiting
> What is going on here? Urgent!!!

Either there are no Diffie-Hellman parameters, or the file's location isn't set correctly. See the code in step 7:

./build-dh

藤苇 2009-9-27 14:17
Hello,
./build-dh
I did this step; I followed everything exactly as you described above.
Only export D=`pwd` I did not do.
export KEY_CONFIG=root/openvpn-2.0.9/easy-rsa/openssl.cnf
export KEY_DIR=root/openvpn-2.0.9/easy-rsa/keys

藤苇 2009-9-27 14:25
The file dh1024.pem was generated under root/openvpn-2.0.9/easy-rsa/keys.

藤苇 2009-9-27 14:28
What does D=`pwd` mean?

XiaoHui 2009-9-28 01:22
Quoting 藤苇's post:
> What does D=`pwd` mean?

pwd stands for the current working directory.
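The missing dh1024.pem and the KEY_DIR exported without a leading slash are the same mistake seen twice: a path that only resolves from one particular directory. In the OpenVPN 2.0 easy-rsa vars file, D=`pwd` is what makes KEY_CONFIG and KEY_DIR absolute; skip it and the keys land relative to wherever build-dh was run. OpenVPN itself resolves relative paths in server.conf against its own working directory (or the directory named by a cd directive or --cd), not against the directory the config file lives in. The script below is an added example, not from the thread: it lists every file directive in a config, resolves each path the way openvpn will, reports the ones that do not exist, and can regenerate the DH parameters directly with openssl. The config path and the 2048-bit size are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list the files an OpenVPN config
# refers to and report the ones that do not exist, resolving relative paths
# the way openvpn 2.0 does: against its working directory, or against the
# directory named by a "cd" directive / --cd, not against the config's own
# directory. The config path and DH size below are assumptions.

# Directives whose file must be openable or openvpn exits at startup.
FILE_DIRECTIVES="ca cert key dh tls-auth pkcs12 secret crl-verify"

# Print "directive path" for every active file directive in $1.
# '#' and ';' start comments (also trailing ones, as on the "key ..." line),
# and only the second word is the path, so "tls-auth ta.key 0" yields ta.key.
file_refs() {
    sed 's/[#;].*$//' "$1" | awk -v list="$FILE_DIRECTIVES" '
        BEGIN { n = split(list, d, " "); for (i = 1; i <= n; i++) want[d[i]] = 1 }
        NF >= 2 && ($1 in want) { print $1, $2 }'
}

# Resolve $1 as openvpn would: absolute paths stay, relative ones join $2.
resolve() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s/%s\n' "$2" "$1" ;;
    esac
}

# Print "directive resolved-path" for each referenced file that is missing.
# $2 is the directory openvpn will be started from (default: current dir).
missing_files() {
    conf="$1"
    base="${2:-$(pwd)}"
    # A "cd <dir>" line in the config changes the base, as --cd does.
    cfg_cd=$(sed 's/[#;].*$//' "$conf" | awk '$1 == "cd" { d = $2 } END { if (d != "") print d }')
    if [ -n "$cfg_cd" ]; then base="$cfg_cd"; fi
    file_refs "$conf" | while read -r directive path; do
        full=$(resolve "$path" "$base")
        [ -f "$full" ] || printf '%s %s\n' "$directive" "$full"
    done
}

# Human-readable wrapper: exit 1 when something is missing.
check_config() {
    missing=$(missing_files "$1" "$2")
    if [ -n "$missing" ]; then
        echo "files referenced by $1 that do not exist:"
        echo "$missing"
        return 1
    fi
    echo "all files referenced by $1 exist"
}

# "Cannot open dh1024.pem" means build-dh was never run, or wrote into a
# KEY_DIR the config does not point at. Generating directly with openssl
# sidesteps the easy-rsa environment. 1024 was the 2009 default; 2048 is
# the smallest size worth generating today.
gen_dh() {  # gen_dh <output-path> [bits]
    openssl dhparam -out "$1" "${2:-2048}"
}

# Usage: sh vpn_conf_check.sh /usr/local/etc/server.conf [start-dir]
case "${1:-}" in
    "") ;;                             # no arguments: only define the functions
    *)  check_config "$1" "${2:-}" ;;
esac
```

Paths wrapped in double quotes (the Windows style shown in the sample config header) are not parsed by this script; on Linux the plain unquoted form is what the thread uses. Once the dh line points at a file that exists, the remaining step is to make sure the dh, ca, cert and key lines all point at the same keys directory the easy-rsa scripts wrote into.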

藤苇 2009-10-12 03:58
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap
;dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
proto tcp
;proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 172.16.37.83 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert client1.crt
key client1.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

Server configuration:
#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
proto tcp
;proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap
;dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one.  On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /root/openvpn-2.0.9/easy-rsa/keys/ca.crt
cert /root/openvpn-2.0.9/easy-rsa/keys/server.crt
key /root/openvpn-2.0.9/easy-rsa/keys/server.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /root/openvpn-2.0.9/easy-rsa/keys/dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.0.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface.  Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0.  Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients.  Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.11.0 255.255.255.0"
;push "route 192.168.13.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
client-config-dir /usr/local/etc/ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
client-config-dir /usr/local/etc/ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients.  There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients.  See man
#     page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel.  Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
;push "redirect-gateway"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.  This is recommended
# only for testing purposes.  For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nobody

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /root/openvpn-2.0.9/easy-rsa/keys/openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
;log         openvpn.log
;log-append  openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20


The OpenVPN server is Red Hat Linux.
The clients are Windows Server 2000 machines with two NICs each and RIP enabled.
server ip: 172.16.37.83, virtual IP 10.0.0.1;
client1 ip: 172.16.37.110 and 192.168.11.1, virtual IP 10.0.0.5;
client2 ip: 172.16.19.22 and 192.168.12.1, virtual IP 10.0.0.13;
From the server I can ping 10.0.0.1, 172.16.37.83, 172.16.37.110, 172.16.19.22, 192.168.11.1 and 192.168.12.1, but not 10.0.0.5 or 10.0.0.13.
From client1 I can ping 172.16.37.83, 172.16.37.110, 172.16.19.22, 192.168.11.1, 192.168.12.1, 10.0.0.5 and 10.0.0.13, but not 10.0.0.1.

From client2 I can ping 172.16.37.83, 172.16.37.110, 172.16.19.22, 192.168.11.1, 192.168.12.1, 10.0.0.5 and 10.0.0.13, but not 10.0.0.1.
OP, where has this gone wrong? Please help!
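The two files 藤苇 posted are the stock OpenVPN 2.0 samples with a handful of edits, and their comments repeat the same rule for proto, dev, comp-lzo and cipher: use the same setting on both ends. They also show the two protections still commented out on both sides, ns-cert-type server (without it a client accepts any certificate the CA ever signed, including another client's, as the server) and tls-auth (without it anyone who can reach port 1194 can talk to the TLS stack directly). The script below is an added example, not from the thread: it reads a server config and a client .ovpn, reports the directives that disagree, and lists the hardening directives that are disabled. It says nothing about the ping failures in the post; it only catches the mismatches and gaps the comments themselves warn about. File paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): compare a client .ovpn with the
# server config and report the directives the sample configs say must
# agree, then list the protections that are still commented out.
# Usage: sh vpn_conf_compare.sh server.conf client1.ovpn   (paths are assumptions)

# Active (uncommented) value of a directive, "" if absent. '#' and ';'
# start comments; the last active occurrence wins, as in openvpn itself.
active() {  # active <conf> <directive>
    sed 's/[#;].*$//' "$1" | awk -v d="$2" '
        $1 == d { $1 = ""; sub(/^ +/, ""); v = $0 }
        END { print v }'
}

# Exit 0 if the directive appears uncommented anywhere in the file.
present() {  # present <conf> <directive>
    sed 's/[#;].*$//' "$1" | awk -v d="$2" '$1 == d { f = 1 } END { exit (f ? 0 : 1) }'
}

# The comments in both sample files repeat it for each of these:
# "use the same setting as on the server".
MUST_MATCH="proto dev comp-lzo cipher"

compare_configs() {  # compare_configs <server.conf> <client.ovpn>
    srv="$1"; cli="$2"
    for d in $MUST_MATCH; do
        sp=0; cp=0
        present "$srv" "$d" && sp=1
        present "$cli" "$d" && cp=1
        if [ "$sp" != "$cp" ]; then
            if [ "$sp" = 1 ]; then where=server; else where=client; fi
            echo "MISMATCH $d: set on $where only"
        elif [ "$sp" = 1 ]; then
            s=$(active "$srv" "$d"); c=$(active "$cli" "$d")
            [ "$s" = "$c" ] || echo "MISMATCH $d: server='$s' client='$c'"
        fi
    done
    # tls-auth key files may live at different paths, but the direction
    # parameter must be 0 on the server and 1 on every client.
    if present "$srv" tls-auth && present "$cli" tls-auth; then
        sd=$(active "$srv" tls-auth | awk '{ print $2 }')
        cd_=$(active "$cli" tls-auth | awk '{ print $2 }')
        if [ "$sd" != "0" ] || [ "$cd_" != "1" ]; then
            echo "MISMATCH tls-auth direction: server='$sd' client='$cd_' (expected 0 and 1)"
        fi
    fi
    return 0
}

# Directives that are disabled in the posted configs and what that costs.
hardening_findings() {  # hardening_findings <server.conf> <client.ovpn>
    srv="$1"; cli="$2"
    present "$srv" tls-auth || echo "WEAK server: tls-auth commented out; without the HMAC check any host can drive the TLS stack on the listening port"
    present "$cli" tls-auth || echo "WEAK client: tls-auth commented out"
    present "$cli" ns-cert-type || echo "WEAK client: ns-cert-type server commented out; the client would accept any certificate the CA signed, including another client's"
    present "$srv" cipher || echo "WEAK server: no cipher line, so the default BF-CBC (64-bit block Blowfish) is used; set AES-128-CBC or stronger on both ends"
    present "$srv" duplicate-cn && echo "WEAK server: duplicate-cn lets several clients share one certificate"
    present "$srv" user || echo "NOTE server: no 'user nobody'; the daemon keeps root after initialization"
    present "$srv" client-to-client && echo "NOTE server: client-to-client lets every client reach every other client"
    return 0
}

case "${1:-}" in
    "") ;;                                   # no arguments: only define the functions
    *)  compare_configs "$1" "$2"; hardening_findings "$1" "$2" ;;
esac
```

Run it on the server with a copy of the client's .ovpn. On the posted pair it reports no mismatches (both use proto tcp, dev tap and comp-lzo) and five findings, all of them lines that only need the leading ";" removed plus, for tls-auth, one ta.key generated with openvpn --genkey --secret ta.key and copied to every client. On OpenVPN 2.1 and later the equivalent of ns-cert-type server is remote-cert-tls server; on 2.0.9, which the thread runs, ns-cert-type is the available form.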

XiaoHui 2009-10-12 09:47
Quoting 藤苇's post (the client configuration, server configuration and ping results above, quoted in full):
楼主这是哪出现了问题呢?拜托拜托<hr size=1 noshadow></blockquote>Tooooooo looooooooog, 看着头晕又不方便比较。 能不能把 #的注释去掉再贴上来。

藤苇2009-10-12 10:23
client
dev tap
;dev tun
;dev-node MyTap
proto tcp
;proto udp
remote 172.16.37.83 1194
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca ca.crt
cert client1.crt
key client1.key
;ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
Server config
;local a.b.c.d
port 1194
proto tcp
;proto udp
dev tap
;dev tun
;dev-node MyTap
ca /root/openvpn-2.0.9/easy-rsa/keys/ca.crt
cert /root/openvpn-2.0.9/easy-rsa/keys/server.crt
key /root/openvpn-2.0.9/easy-rsa/keys/server.key # This file should be kept secret
dh /root/openvpn-2.0.9/easy-rsa/keys/dh1024.pem
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;push "route 192.168.11.0 255.255.255.0"
;push "route 192.168.13.0 255.255.255.0"
client-config-dir /usr/local/etc/ccd
;route 192.168.40.128 255.255.255.248
client-config-dir /usr/local/etc/ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status /root/openvpn-2.0.9/easy-rsa/keys/openvpn-status.log
;log openvpn.log
;log-append openvpn.log
verb 3
;mute 20


The OpenVPN server is Red Hat Linux.
The clients are Windows Server 2000 with two NICs each, with RIP enabled.
server IP: 172.16.37.83, virtual IP 10.0.0.1;
client1 IP: 172.16.37.110, 192.168.11.1, virtual IP 10.0.0.5;
client2 IP: 172.16.19.22, 192.168.12.1, virtual IP 10.0.0.13;
From the server I can ping 10.0.0.1 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1; cannot ping 10.0.0.5 10.0.0.13
From client1 I can ping 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1 10.0.0.5 10.0.0.13; cannot ping 10.0.0.1

From client2 I can ping 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1 10.0.0.5 10.0.0.13; cannot ping 10.0.0.1
OP, where is the problem here? Please help. My QQ is 137294593, add me. Thanks

藤苇2009-10-12 11:07
A correction to the above "From the server I can ping 10.0.0.1 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1; cannot ping 10.0.0.5 10.0.0.13":
It should be: From the server I can ping 10.0.0.1 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1; cannot ping 10.0.0.5 10.0.0.13 192.168.11.1 192.168.12.1

XiaoHui2009-10-12 12:27
<blockquote>Quoting 藤苇's post: A correction to the above "From the server I can ping 10.0.0.1 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1; cannot ping 10.0.0.5 10.0.0.13":
It should be: From the server I can ping 10.0.0.1 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1; cannot ping 10.0.0.5 10.0.0.13 192.168.11.1 192.168.12.1</blockquote>I had a look; the configuration seems fine. There are a few parameters I have never used, such as client-config-dir. You can refer to the sample files in section 4 of my article and first get it working with the simplest configuration.

If it connects but you cannot ping, check whether iptables has been configured. See section 5.

藤苇2009-10-12 12:45
It connects but I cannot ping.
How should the network configuration in Red Hat Linux be set up?

藤苇2009-10-12 13:51
Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-1998 Microsoft Corp.

C:\Documents and Settings\Administrator>ipconfig/all

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : 2000serv-qh80ma
        Primary DNS Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : Yes
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter 本地连接 3:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : TAP-Win32 Adapter V8
        Physical Address. . . . . . . . . : 00-FF-C2-18-82-DA
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.0.0.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.252
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 10.0.0.6
        DNS Servers . . . . . . . . . . . : 10.0.0.1
                                            70.88.98.10
                                            70.88.99.11
        Lease Obtained. . . . . . . . . . : 2009年10月12日 20:43:19
        Lease Expires . . . . . . . . . . : 2010年10月12日 20:43:19

Ethernet adapter 本地连接 2:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
        Physical Address. . . . . . . . . : 00-0C-29-2E-84-B5
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.11.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 172.16.37.110
        DNS Servers . . . . . . . . . . . : 218.30.19.40
                                            61.134.1.4

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
        Physical Address. . . . . . . . . : 00-0C-29-2E-84-AB
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 172.16.37.110
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 192.168.11.1
        DNS Servers . . . . . . . . . . . : 218.30.19.40
                                            61.134.1.4

C:\Documents and Settings\Administrator>ping 10.0.0.1

Pinging 10.0.0.1 with 32 bytes of data:

Reply from 172.16.37.110: TTL expired in transit.
Reply from 172.16.37.110: TTL expired in transit.
Reply from 172.16.37.110: TTL expired in transit.
Reply from 172.16.37.110: TTL expired in transit.

Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum =  0ms, Average =  0ms

C:\Documents and Settings\Administrator>ping 10.0.0.13

Pinging 10.0.0.13 with 32 bytes of data:

Reply from 10.0.0.13: bytes=32 time<10ms TTL=128
Reply from 10.0.0.13: bytes=32 time<10ms TTL=128
Reply from 10.0.0.13: bytes=32 time<10ms TTL=128
Reply from 10.0.0.13: bytes=32 time<10ms TTL=128

Ping statistics for 10.0.0.13:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum =  0ms, Average =  0ms

C:\Documents and Settings\Administrator>ping 172.16.37.83

Pinging 172.16.37.83 with 32 bytes of data:

Reply from 172.16.37.83: bytes=32 time<10ms TTL=64
Reply from 172.16.37.83: bytes=32 time<10ms TTL=64
Reply from 172.16.37.83: bytes=32 time<10ms TTL=64
Reply from 172.16.37.83: bytes=32 time<10ms TTL=64

Ping statistics for 172.16.37.83:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum =  0ms, Average =  0ms

There is no IP under Default Gateway.
Could you please take another look at where I went wrong!!!
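The ipconfig output above shows the TAP adapter with an empty Default Gateway, and the two VMware adapters each naming the other adapter's own address as its default gateway; a default gateway that is one of the host's own addresses cannot forward anything off the machine, which is consistent with the "TTL expired in transit" replies to the ping of 10.0.0.1. The Python below is an added example (mine, not the poster's) that parses output of that shape and flags both conditions; the sample text is constructed from the post, with the adapter name 本地连接 rendered as "Local Area Connection".

```python
import re

# Constructed sample with the shape of the Windows 2000 "ipconfig /all" output in the
# post above: the three adapters and addresses it shows ("Local Area Connection" is
# the English rendering of the Chinese adapter name 本地连接).
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

Ethernet adapter Local Area Connection 3:

        Description . . . . . . . . . . . : TAP-Win32 Adapter V8
        IP Address. . . . . . . . . . . . : 10.0.0.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.252
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 10.0.0.6
        DNS Servers . . . . . . . . . . . : 10.0.0.1
                                            70.88.98.10

Ethernet adapter Local Area Connection 2:

        IP Address. . . . . . . . . . . . : 192.168.11.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 172.16.37.110

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 172.16.37.110
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 192.168.11.1
"""

ADAPTER_RE = re.compile(r"^\S.*?adapter (.+):\s*$")
# Field lines are indented and have a dotted leader between the name and the colon.
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z\- ]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter: {field: [values]}} for every per-adapter section."""
    adapters, current, last_field = {}, None, None
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = adapters.setdefault(header.group(1), {})
            last_field = None
        elif current is None or not line.strip():
            continue
        else:
            field = FIELD_RE.match(line)
            if field:
                last_field, value = field.group(1), field.group(2).strip()
                current[last_field] = [value] if value else []
            elif last_field:  # continuation line, e.g. a second DNS server
                current[last_field].append(line.strip())
    return adapters


def find_gateway_loops(adapters):
    """(adapter, gateway, owner) for every default gateway that is one of this
    host's own addresses: such a gateway can never forward traffic off the box."""
    owner = {ip: name for name, f in adapters.items()
             for ip in f.get("IP Address", [])}
    return [(name, gw, owner[gw]) for name, f in adapters.items()
            for gw in f.get("Default Gateway", []) if gw in owner]


def adapters_without_gateway(adapters):
    """Adapters whose Default Gateway field is empty (the TAP adapter above)."""
    return [name for name, f in adapters.items() if not f.get("Default Gateway")]
```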

藤苇2009-10-12 13:55
Mon Oct 12 20:43:17 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Mon Oct 12 20:43:17 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon Oct 12 20:43:17 2009 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Oct 12 20:43:17 2009 LZO compression initialized
Mon Oct 12 20:43:17 2009 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Mon Oct 12 20:43:17 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Oct 12 20:43:17 2009 Local Options hash (VER=V4): '69109d17'
Mon Oct 12 20:43:17 2009 Expected Remote Options hash (VER=V4): 'c0103fa8'
Mon Oct 12 20:43:17 2009 Attempting to establish TCP connection with 172.16.37.83:1194
Mon Oct 12 20:43:17 2009 TCP connection established with 172.16.37.83:1194
Mon Oct 12 20:43:17 2009 TCPv4_CLIENT link local: [undef]
Mon Oct 12 20:43:17 2009 TCPv4_CLIENT link remote: 172.16.37.83:1194
Mon Oct 12 20:43:17 2009 TLS: Initial packet from 172.16.37.83:1194, sid=f570158c 99bbcc93
Mon Oct 12 20:43:17 2009 VERIFY OK: depth=1, /C=CN/ST=GD/L=SZ/O=xiaohui.com/emailAddress=your-email__at__xiaohui.com
Mon Oct 12 20:43:17 2009 VERIFY OK: depth=0, /C=CN/ST=GD/O=xiaohui.com/CN=server/emailAddress=your-email__at__xiaohui.com
Mon Oct 12 20:43:17 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Oct 12 20:43:17 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Oct 12 20:43:17 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Oct 12 20:43:17 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Oct 12 20:43:17 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Oct 12 20:43:17 2009 [server] Peer Connection Initiated with 172.16.37.83:1194
Mon Oct 12 20:43:18 2009 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Oct 12 20:43:18 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.10.0 255.255.255.0,route 192.168.13.0 255.255.255.0,dhcp-option DNS 10.0.0.1,dhcp-option DNS 70.88.98.10,dhcp-option DNS 70.88.99.11,route 10.0.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.0.0.5 10.0.0.6'
Mon Oct 12 20:43:18 2009 OPTIONS IMPORT: timers and/or timeouts modified
Mon Oct 12 20:43:18 2009 OPTIONS IMPORT: --ifconfig/up options modified
Mon Oct 12 20:43:18 2009 OPTIONS IMPORT: route options modified
Mon Oct 12 20:43:18 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Oct 12 20:43:18 2009 TAP-WIN32 device [本地连接 3] opened: \\.\Global\{C21882DA-A40E-4842-8C84-E8ABD2B2938D}.tap
Mon Oct 12 20:43:18 2009 TAP-Win32 Driver Version 8.4
Mon Oct 12 20:43:18 2009 TAP-Win32 MTU=1500
Mon Oct 12 20:43:18 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.0.0.5/255.255.255.252 on interface {C21882DA-A40E-4842-8C84-E8ABD2B2938D} [DHCP-serv: 10.0.0.6, lease-time: 31536000]
Mon Oct 12 20:43:18 2009 NOTE: FlushIpNetTable failed on interface [2] {C21882DA-A40E-4842-8C84-E8ABD2B2938D} (status=1413) : 无效索引。
Mon Oct 12 20:43:19 2009 TEST ROUTES: 3/3 succeeded len=3 ret=1 a=0 u/d=up
Mon Oct 12 20:43:19 2009 route ADD 192.168.10.0 MASK 255.255.255.0 10.0.0.6
Mon Oct 12 20:43:19 2009 Route addition via IPAPI succeeded
Mon Oct 12 20:43:19 2009 route ADD 192.168.13.0 MASK 255.255.255.0 10.0.0.6
Mon Oct 12 20:43:19 2009 Route addition via IPAPI succeeded
Mon Oct 12 20:43:19 2009 route ADD 10.0.0.0 MASK 255.255.255.0 10.0.0.6
Mon Oct 12 20:43:19 2009 Route addition via IPAPI succeeded
Mon Oct 12 20:43:19 2009 Initialization Sequence Completed

王菲菲2009-11-11 11:16
My VPN should count as configured, but after I enable the VPN my client can open Dazhihui and MSN, yet it cannot open web pages or QQ. Why is that?
Thanks!

王菲菲2009-11-11 11:20
My VPN is up, but the client can start MSN and Dazhihui while it cannot open web pages or QQ. What else should I do?
Also, sysctl -w net.ipv4.ip_forward=0. After I change it, it is not saved; I don't know whether something is wrong with my system.

Thanks!

ysbaggio2009-11-13 15:07
Very helpful, thanks XiaoHui. I am now looking into logging in with a username and password.

ysbaggio2009-11-13 15:10
Reply to post #54
You can edit the file with # vi /etc/sysctl.conf. In the line net.ipv4.ip_forward = 0, change the 0 to 1.

王菲菲2009-11-19 04:36
ysbaggio
    Hello!
   How did you set up logging in with a username and password?
  May I ask you about it?
My QQ is 1050626886, please add me.

david2009-11-26 08:30
When I start the VPN server with /usr/local/sbin/openvpn --config /usr/local/etc/server.conf
the last line reports an error:
Cannot load certificate file /home/zhangke/openvpn-2.0.5/easy-rsa/keys/server.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
How should I handle this? server.crt is right there in that directory, yet it cannot be loaded.

XiaoHui2009-11-26 11:37
<blockquote>Quoting david's post: When I start the VPN server with /usr/local/sbin/openvpn --config /usr/local/etc/server.conf
the last line reports an error:
Cannot load certificate file /home/zhangke/openvpn-2.0.5/easy-rsa/keys/server.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
How should I handle this? server.crt is right there in that directory, yet it cannot be loaded.</blockquote>The certificate was not generated correctly. Redo it following step 6.

zhaoke2009-11-28 16:18
If the TUN device is compiled into the kernel, you can check with the following:
cat /proc/net/dev|grep tun

If the above shows nothing, your kernel does not support TUN/TAP devices; it can be added by recompiling the kernel.

2010-5-28 09:35
OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables

Why do I get this error after installing? I have no idea why. Please help me, everyone!

rogerer2010-6-21 06:56
A question!
My installation and configuration status is as follows:
  The OpenVPN server is on the internal network; the port is mapped through a Cisco gateway to the VPN server, and OpenVPN starts normally!
     server.conf:      server 192.168.5.0 255.255.255.0
  Two clients, one on the external network and one on the internal network; both connect normally.
  My gateway can already route from the .5 subnet to the .2 and .1 subnets, and the gateway is set to 192.168.5.1.
Problem: both clients can ping 192.168.5.1, but cannot ping 192.168.5.* (other than .1), 192.168.2.1 or 192.168.1.1, i.e. they cannot reach the clients on the VPN subnet or the other subnets.
What could be the cause?

XiaoHui2010-6-21 11:34
<blockquote>Quoting rogerer's post: A question!
My installation and configuration status is as follows:
  The OpenVPN server is on the internal network; the port is mapped through a Cisco gateway to the VPN server, and OpenVPN starts normally!
     server.conf:      server 192.168.5.0 255.255.255.0
  Two clients, one on the external network and one on the internal network; both connect normally.
  My gateway can already route from the .5 subnet to the .2 and .1 subnets, and the gateway is set to 192.168.5.1.
Problem: both clients can ping 192.168.5.1, but cannot ping 192.168.5.* (other than .1), 192.168.2.1 or 192.168.1.1, i.e. they cannot reach the clients on the VPN subnet or the other subnets.
What could be the cause?</blockquote>It should be a routing configuration problem. But I have not tinkered with that part (I only installed OpenVPN to get around the firewall, and have not played with these settings).

1232010-6-26 13:45
0 EL:0 AF:3/1 ]
Sat Jun 26 20:42:53 2010 Local Options hash (VER=V4): '41690919'
Sat Jun 26 20:42:53 2010 Expected Remote Options hash (VER=V4): '530fdded'
Sat Jun 26 20:42:53 2010 UDPv4 link local (bound): [undef]:1194
Sat Jun 26 20:42:53 2010 UDPv4 link remote: 61.164.41.148:1194
Sat Jun 26 20:43:53 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jun 26 20:43:53 2010 TLS Error: TLS handshake failed
Sat Jun 26 20:43:53 2010 TCP/UDP: Closing socket
Sat Jun 26 20:43:53 2010 SIGUSR1[soft,tls-error] received, process restarting
Sat Jun 26 20:43:53 2010 Restart pause, 2 second(s)
Sat Jun 26 20:43:55 2010 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sat Jun 26 20:43:55 2010 Re-using SSL/TLS context
Sat Jun 26 20:43:55 2010 LZO compression initialized
Sat Jun 26 20:43:55 2010 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Jun 26 20:43:55 2010 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Jun 26 20:43:55 2010 Local Options hash (VER=V4): '41690919'
Sat Jun 26 20:43:55 2010 Expected Remote Options hash (VER=V4): '530fdded'
Sat Jun 26 20:43:55 2010 UDPv4 link local (bound): [undef]:1194
Sat Jun 26 20:43:55 2010 UDPv4 link remote: 61.164.41.148:1194
This keeps happening, but UDP port 1194 on the server is open. I don't know why; please advise.

wei2010-8-3 13:46
Every time I reboot the server I have to redo the following steps, otherwise I cannot get online. Why is that?

iptables -t nat -A POSTROUTING -s 10.8.8.0/24 -o eth0 -j SNAT --to-source x.x.x.x
/etc/init.d/iptables save
/etc/init.d/iptables restart
On other machines the -o eth0 parameter may differ; run ifconfig to find out which interface the IP (70.8.7.6) is on.

Also, IP forwarding needs to be turned on. Do not use echo 1 > /proc/sys/net/ipv4/ip_forward; that method is lost after a reboot. First check:

Code:

sysctl -a | grep for
# check the result:
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.ip_forward = 1
If the values listed above are not 1 on your host, change them to 1, for example:

Code:

sysctl -w net.ipv4.ip_forward=1

After every reboot all the net.ipv4.xxxx values are = 0. How do I fix this?
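ysbaggio's earlier pointer (edit /etc/sysctl.conf) is the fix for the question above: `sysctl -w` and `echo 1 > /proc/...` change the running kernel only. The Python below is an added example (mine, not from the thread) that checks the global switch in `sysctl -a | grep for` style output and rewrites a sysctl.conf so `net.ipv4.ip_forward = 1` survives reboots; the sample output and sample sysctl.conf are constructed.

```python
import re

KEY = "net.ipv4.ip_forward"

# Constructed sample of "sysctl -a | grep for" output as wei describes it after a
# reboot: every forwarding value back at 0.
SAMPLE_SYSCTL_OUTPUT = """\
net.ipv4.conf.tun0.forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.ip_forward = 0
"""

# Constructed sample /etc/sysctl.conf with the stock line that keeps forwarding off.
SAMPLE_SYSCTL_CONF = """\
# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
"""


def parse_sysctl(output):
    """Turn 'key = value' lines into a dict, tolerating sysctl's spacing."""
    settings = {}
    for line in output.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def forwarding_enabled(output):
    """True only when the global net.ipv4.ip_forward switch reads 1."""
    return parse_sysctl(output).get(KEY) == "1"


def persist_ip_forward(conf_text):
    """Return sysctl.conf text with exactly one active 'net.ipv4.ip_forward = 1'.

    The first existing assignment (commented out or not) is replaced in place so
    the file keeps its layout; later duplicates are dropped, because sysctl would
    otherwise apply the last one; if there is none, the line is appended.
    Running it on its own output changes nothing.
    """
    assignment = re.compile(r"^\s*#?\s*" + re.escape(KEY) + r"\s*=")
    out, placed = [], False
    for line in conf_text.splitlines():
        if assignment.match(line):
            if not placed:
                out.append(f"{KEY} = 1")
                placed = True
            continue
        out.append(line)
    if not placed:
        out.append(f"{KEY} = 1")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Offline demo; on a real host read /etc/sysctl.conf, write the result back,
    # then run "sysctl -p" so it also takes effect before the next boot.
    print("forwarding on now?", forwarding_enabled(SAMPLE_SYSCTL_OUTPUT))
    print(persist_ip_forward(SAMPLE_SYSCTL_CONF), end="")
```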

