[OT]我的OpenVPN能连上,但是不能上网,请求帮助.
11,906 views
Skip to first unread message
Meteor
May 28, 2011, 10:50:40 PM5/28/11
to sh...@googlegroups.com
Log在这里.
截图在这里.
客户端的配置文件在这里.
http://www.everbox.com/f/W8WpqLm27tSxVnwa1lV1o1Y9hu
服务器的配置文件在这里.
openvpn.conf
http://www.everbox.com/f/QeTPZcDqvcX1Ne7FG1X16CpYEk
现在我的电脑的情况是可以连上我VPS上的OpenVPN服务器,但是客户端没法上网,好像显示没有Internet访问权限.
Meteor
May 28, 2011, 11:03:43 PM5/28/11
to sh...@googlegroups.com
但是ping 内网 10.8.0.1 却是成功的.
是不是访问外网的设置不正确?
leftuestc
May 29, 2011, 12:24:02 AM5/29/11
to Shanghai Linux User Group
ipv4 forward打开了么?
/etc/sysctl.conf 里面把net.ipv4.ip_forward=1 的注释去掉然后sysctl -p使之立马生效就行了。
/etc/sysctl.conf 里面把net.ipv4.ip_forward=1 的注释去掉然后sysctl -p使之立马生效就行了。
On 5月29日, 上午11时03分, Meteor <liuxingm...@gmail.com> wrote:
> 但是ping 内网 10.8.0.1 却是成功的.
> 是不是访问外网的设置不正确?
源泉星火(张明源)
May 29, 2011, 12:28:12 AM5/29/11
to sh...@googlegroups.com
Shell Xu
May 29, 2011, 1:55:37 AM5/29/11
to sh...@googlegroups.com
还有iptables呢。
Meteor
May 29, 2011, 6:16:20 AM5/29/11
to sh...@googlegroups.com
这个现在已经开了.
Meteor
May 29, 2011, 6:19:32 AM5/29/11
to sh...@googlegroups.com
$ ip route show |grep defaultdefault via 192.0.2.1 dev venet0
好像确实是网关不对.
走的不是10.*.*的网关.
Shell Xu
May 29, 2011, 6:19:44 AM5/29/11
to sh...@googlegroups.com
能够走vpn和服务器通讯么?确定一下。
在 2011年5月29日 下午6:16,Meteor <liuxi...@gmail.com> 写道:
> 这个现在已经开了.
--
无能者无所求,饱食而遨游,泛若不系之舟
blog: http://shell909090.com/blog/
twitter: http://twitter.com/shell909090
Meteor
May 29, 2011, 6:21:54 AM5/29/11
to sh...@googlegroups.com
iptable现在没问题.
因为我已经全部清空了.
没有任何规则.
Shell Xu
May 29, 2011, 6:23:08 AM5/29/11
to sh...@googlegroups.com
废话,没规则才有问题,你没做转发规则么?
在 2011年5月29日 下午6:21,Meteor <liuxi...@gmail.com> 写道:
> iptable现在没问题.
> 因为我已经全部清空了.
> 没有任何规则.
Shell Xu
May 29, 2011, 6:23:32 AM5/29/11
to sh...@googlegroups.com
日志里面有这句
C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 10.8.0.5
不知道你那里路由是什么状况。
C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 10.8.0.5
不知道你那里路由是什么状况。
--
Shell Xu
May 29, 2011, 6:27:04 AM5/29/11
to sh...@googlegroups.com
http://openvpn.net/index.php/open-source/documentation/howto.html
Routing all client traffic (including web-traffic) through the VPN
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
根据自己状况调整。
Routing all client traffic (including web-traffic) through the VPN
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
根据自己状况调整。
Meteor
May 29, 2011, 8:59:06 AM5/29/11
to sh...@googlegroups.com
你说的是对的.
iptable设错了.
我是这么做的.
/etc/rc.local在里面写iptable的.但是里面的iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to 202.248.185.66
这句话写成了我的另外1个VPS的地址了.所以出问题了.现在再搞一次.谢谢你了.希望今天可以搞定这个问题.参考这里的.
Shell Xu
May 29, 2011, 9:23:29 AM5/29/11
to sh...@googlegroups.com
为啥不用MASQUERADE呢?那就不管IP了。![]()
![]()
![]()
![]()
![]()
![]()
![]()
![]()
![]()
![]()
![]()
![]()
![]()
WebRep
Overall rating
Meteor
May 30, 2011, 11:20:40 PM5/30/11
to sh...@googlegroups.com
因为不会用.....
Meteor
May 30, 2011, 11:35:39 PM5/30/11
to sh...@googlegroups.com
路由那边我不是很懂.
现在再把本来的问题分叉一下吧.
现在连自己的OpenVPN的时候,本地的Windows虚拟桥接老是分配给我255.255.255.252这个子网掩码.
但是VPS上的子网掩码不是这个,是255.255.255.0.
所以每次连OpenVPN.老是有这个Warning.
我看别人设置的OpenVPN好像就没这个警告.
有没有人知道这么解决这个子网掩码冲突的问题?
是改VPS上子网掩码,还是让OpenVPN在自动分配给我IP地址的时候,给255.255.255.252这个subnet mask?
节外生枝了,不好意思.
现在再把本来的问题分叉一下吧.
现在连自己的OpenVPN的时候,本地的Windows虚拟桥接老是分配给我255.255.255.252这个子网掩码.
但是VPS上的子网掩码不是这个,是255.255.255.0.
所以每次连OpenVPN.老是有这个Warning.
我看别人设置的OpenVPN好像就没这个警告.
有没有人知道这么解决这个子网掩码冲突的问题?
是改VPS上子网掩码,还是让OpenVPN在自动分配给我IP地址的时候,给255.255.255.252这个subnet mask?
节外生枝了,不好意思.
Shell Xu
May 30, 2011, 11:50:34 PM5/30/11
to sh...@googlegroups.com
你的配置呢?服务器和客户端的。
juju
May 31, 2011, 12:11:48 AM5/31/11
to sh...@googlegroups.com
你VPS上nat做了没
没做nat是不能出去的,255.255.255.252好像是windows的限制导致的,记得openvpn的文档里有说过的
Meteor
May 31, 2011, 1:40:18 AM5/31/11
to sh...@googlegroups.com
行,今天晚上回去上传一下给你.
Meteor
May 31, 2011, 10:08:55 AM5/31/11
to sh...@googlegroups.com
出问题了.
竟然VPS不能sftp下载文件了.
另外,Ping外网也不行了.
apt-get update都不行了.
囧...
难道这个VPS就这么废了?
Shell Xu
May 31, 2011, 10:13:43 AM5/31/11
to sh...@googlegroups.com
Meteor
Jun 13, 2011, 5:39:44 AM6/13/11
to sh...@googlegroups.com
好的.
另外Ping的问题过了那几天就好了.很诡异.
之后用SSH一直没什么问题.
好像这几天断线次数也减少了,是不是GFW减少干预次数了?
另外Ping的问题过了那几天就好了.很诡异.
之后用SSH一直没什么问题.
好像这几天断线次数也减少了,是不是GFW减少干预次数了?
沈洁
Jun 13, 2011, 5:46:38 AM6/13/11
to sh...@googlegroups.com
随手砸方校长吧,解救中国互联网
在 2011年6月13日 下午5:39,Meteor <liuxi...@gmail.com>写道:
好的.
另外Ping的问题过了那几天就好了.很诡异.
之后用SSH一直没什么问题.
好像这几天断线次数也减少了,是不是GFW减少干预次数了?
Meteor
Jun 13, 2011, 5:53:17 AM6/13/11
to sh...@googlegroups.com
NAT做错了.现在好了.
但是网关的问题还是没有解决.
但是网关的问题还是没有解决.
WARNING: potential route subnet conflict between local LAN [10.8.0.4/255.255.255.252] and remote VPN [10.8.0.0/255.255.255.0]
water...@gmail.com
Aug 9, 2016, 1:52:31 AM8/9/16
to Shanghai Linux User Group
请问你的NAT是怎么配置的?
网关的问题解决没?
我遇到和你一样的问题,google也找不到解决方法
albert zhang
Aug 9, 2016, 2:02:43 AM8/9/16
to shlug
你在server端推送路由了么?
--
-- You received this message because you are subscribed to the Google Groups Shanghai Linux User Group group. To post to this group, send email to sh...@googlegroups.com. To unsubscribe from this group, send email to shlug+unsubscribe@googlegroups.com. For more options, visit this group at https://groups.google.com/d/forum/shlug?hl=zh-CN
---
您收到此邮件是因为您订阅了Google网上论坛上的“Shanghai Linux User Group”群组。
要退订此群组并停止接收此群组的电子邮件,请发送电子邮件到shlug+unsubscribe@googlegroups.com。
要查看更多选项,请访问https://groups.google.com/d/optout。
--
Best Regards
Albert Zhang
Red Hat Certified Engineer
Shanghai,China
337890A0C
water...@gmail.com
Aug 9, 2016, 2:16:18 AM8/9/16
to Shanghai Linux User Group
麻烦帮忙看看配置有什么问题没
00100 nat 1 ip from 192.168.3.0/24 to any out via epair0b
00200 nat 1 ip from any to any in via epair0b
65535 allow ip from any to any 以及openvpn的配置
port 10011 proto tcp dev tun ca /mnt/openvpn/keys/pki/ca.crt cert /mnt/openvpn/keys/pki/issued/server.crt #key /mnt/openvpn/keys/pki/private/ca.key key /mnt/openvpn/keys/pki/private/server.key dh /mnt/openvpn/keys/pki/dh.pem server 192.168.3.0 255.255.255.0 #Purple network ifconfig-pool-persist ipp.txt push "route 192.168.2.0 255.255.255.0" #Yellow network #push "redirect-gateway def1" route 192.168.2.20 255.255.255.0 192.168.3.1 #Routes traffic from the Yellow net work side (192.168.2.0/24) #to the Purple network side (192.168. 3.0/24) #tls-auth /mnt/openvpn/keys/auth.key 0 #crl-verify /mnt/openvpn/keys/crl.pem keepalive 10 120 group nobody user nobody comp-lzo persist-key
ort 10011
proto tcp
dev tun
ca /mnt/openvpn/keys/pki/ca.crt
cert /mnt/openvpn/keys/pki/issued/server.crt
#key /mnt/openvpn/keys/pki/private/ca.key
key /mnt/openvpn/keys/pki/private/server.key
dh /mnt/openvpn/keys/pki/dh.pem
server 192.168.3.0 255.255.255.0 #Purple network
ifconfig-pool-persist ipp.txt
push "route 192.168.2.0 255.255.255.0" #Yellow network
#push "redirect-gateway def1"
route 192.168.2.20 255.255.255.0 192.168.3.1 #Routes traffic from the Yellow net
work side (192.168.2.0/24)
#to the Purple network side (192.168.
3.0/24)
#tls-auth /mnt/openvpn/keys/auth.key 0
#crl-verify /mnt/openvpn/keys/crl.pem
keepalive 10 120
group nobody
user nobody
comp-lzo
persist-key persist-tun verb 3
water...@gmail.com
Aug 9, 2016, 2:16:35 AM8/9/16
to Shanghai Linux User Group
这是server端的配置,有路由推送,帮忙看看配置文件有什么问题没,谢谢
port 10011 proto tcp dev tun ca /mnt/openvpn/keys/pki/ca.crt cert /mnt/openvpn/keys/pki/issued/server.crt #key /mnt/openvpn/keys/pki/private/ca.key key /mnt/openvpn/keys/pki/private/server.key dh /mnt/openvpn/keys/pki/dh.pem server 192.168.3.0 255.255.255.0 #Purple network i
fconfig-pool-persist ipp.txt
push "route 192.168.2.0 255.255.255.0" #Yellow network
#push "redirect-gateway def1 bypass-dhcp"
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
route 192.168.2.20 255.255.255.0 192.168.3.1 #Routes traffic from the Yellow net
work side (192.168.2.0/24)
#to the Purple network side (192.168.
3.0/24)
#tls-auth /mnt/openvpn/keys/auth.key 0
#crl-verify /mnt/openvpn/keys/crl.pem
keepalive 10 120
group nobody
user nobody On Tuesday, August 9, 2016 at 2:02:43 PM UTC+8, Zhang Albert wrote:
你在server端推送路由了么?
在 2016年8月9日 下午1:51, <water...@gmail.com>写道:
请问你的NAT是怎么配置的?网关的问题解决没?我遇到和你一样的问题,google也找不到解决方法
On Monday, June 13, 2011 at 5:53:17 PM UTC+8, Meteor wrote:NAT做错了.现在好了.
但是网关的问题还是没有解决.WARNING: potential route subnet conflict between local LAN [10.8.0.4/255.255.255.252] and remote VPN [10.8.0.0/255.255.255.0]
--
-- You received this message because you are subscribed to the Google Groups Shanghai Linux User Group group. To post to this group, send email to sh...@googlegroups.com. To unsubscribe from this group, send email to shlug+un...@googlegroups.com. For more options, visit this group at https://groups.google.com/d/forum/shlug?hl=zh-CN
---
您收到此邮件是因为您订阅了Google网上论坛上的“Shanghai Linux User Group”群组。
要退订此群组并停止接收此群组的电子邮件,请发送电子邮件到shlug+unsubscribe@googlegroups.com。
要查看更多选项,请访问https://groups.google.com/d/optout。
albert zhang
Aug 9, 2016, 3:30:30 AM8/9/16
to shlug
push "redirect-gateway"
push "route ip mask vpn_gateway"--
-- You received this message because you are subscribed to the Google Groups Shanghai Linux User Group group. To post to this group, send email to sh...@googlegroups.com. To unsubscribe from this group, send email to shlug+unsubscribe@googlegroups.com. For more options, visit this group at https://groups.google.com/d/forum/shlug?hl=zh-CN
---
您收到此邮件是因为您订阅了Google网上论坛上的“Shanghai Linux User Group”群组。
要退订此群组并停止接收此群组的电子邮件,请发送电子邮件到shlug+unsubscribe@googlegroups.com。
要查看更多选项,请访问https://groups.google.com/d/optout。
Heng Weiliang
Aug 9, 2016, 3:33:43 AM8/9/16
to water...@gmail.com, sh...@googlegroups.com
要退订此群组并停止接收此群组的电子邮件,请发送电子邮件到shlug+un...@googlegroups.com。
要查看更多选项,请访问https://groups.google.com/d/optout。
water...@gmail.com
Aug 9, 2016, 11:08:22 AM8/9/16
to Shanghai Linux User Group, water...@gmail.com
谢谢你的建议,不过这个脚本声明只在debian和ubuntu上测试过,暂时还是不用这个脚本。
要退订此群组并停止接收此群组的电子邮件,请发送电子邮件到shlug+unsubscribe@googlegroups.com。
要查看更多选项,请访问https://groups.google.com/d/optout。
water...@gmail.com
Aug 9, 2016, 11:08:28 AM8/9/16
to Shanghai Linux User Group
非常感谢你的回复!
这是我的网络拓扑:
LAN:192.168.2.0/24
LAN gw: 192.168.2.1
VPN subnet: 192.168.3.0/24
VPN server: 192.168.3.1/192.168.2.20
VPN client: 192.168.3.6
麻烦再说明下第二条命令的内容该怎么填,push "route 192.168.2.0 255.255.255.0 192.168.3.1"?
另外vpn client连成功后分配的掩码为啥是255.255.255.252、网关为啥是192.168.3.5呢?
IPv4 地址 . . . . . . . . . . . . : 192.168.3.6
子网掩码 . . . . . . . . . . . . : 255.255.255.252
默认网关. . . . . . . . . . . . . : 192.168.3.5
目前VPN client能连成功,但是192.168.2.20, 192.168.3.1, 192.168.3.5都不能ping通
albert zhang
Aug 9, 2016, 7:55:29 PM8/9/16
to shlug
push "redirect-gateway"
push "route 192.168.2.0 255.255.255.0 vpn_gateway"client-to-client
如果vpn子网和真实的子网要访问需要做iptbales nat部分
--
-- You received this message because you are subscribed to the Google Groups Shanghai Linux User Group group. To post to this group, send email to sh...@googlegroups.com. To unsubscribe from this group, send email to shlug+unsubscribe@googlegroups.com. For more options, visit this group at https://groups.google.com/d/forum/shlug?hl=zh-CN
---
您收到此邮件是因为您订阅了Google网上论坛上的“Shanghai Linux User Group”群组。
要退订此群组并停止接收此群组的电子邮件,请发送电子邮件到shlug+unsubscribe@googlegroups.com。
要查看更多选项,请访问https://groups.google.com/d/optout。
water...@gmail.com
Aug 10, 2016, 4:39:29 AM8/10/16
to Shanghai Linux User Group
我是按照这个链接来设置的vpn server和client,其中nat是用ipfw来做的
现在问题(vpn连接可以成功,但是vpn client不能ping通私网内的其他机器)还没解决掉,需要各位大神的继续帮助
这是ipfw设置的结果
root@OpenVPN:/ # ipfw list
00100 nat 1 ip from 192.168.3.0/24 to any out via epair0b
00200 nat 1 ip from any to any in via epair0b
65535 allow ip from any to any 现在问题(vpn连接可以成功,但是vpn client不能ping通私网内的其他机器)还没解决掉,需要各位大神的继续帮助
albert zhang
Aug 10, 2016, 4:54:49 AM8/10/16
to shlug
iptables -t nat -A POSTROUTING -s vpn_ip/mask -o eth0 -j MASQUERADE
--
-- You received this message because you are subscribed to the Google Groups Shanghai Linux User Group group. To post to this group, send email to sh...@googlegroups.com. To unsubscribe from this group, send email to shlug+unsubscribe@googlegroups.com. For more options, visit this group at https://groups.google.com/d/forum/shlug?hl=zh-CN
---
您收到此邮件是因为您订阅了Google网上论坛上的“Shanghai Linux User Group”群组。
要退订此群组并停止接收此群组的电子邮件,请发送电子邮件到shlug+unsubscribe@googlegroups.com。
要查看更多选项,请访问https://groups.google.com/d/optout。
water...@gmail.com
Aug 12, 2016, 4:13:08 AM8/12/16
to Shanghai Linux User Group
看来是freenas的jail有bug,之前在freenas jail上安装openvpn,不管怎么弄vpn client都不能ping通lan中的其他机器,虽然vpn client与vpn server能成功建连。不过也有可能是ipfw的配置还是有问题,懒得去调查了。
我现在在另外一台ubuntu上安装openvpn后,vpn client就可以与lan中的所有机器互联。
谢谢Albert与各位的建议!
albert zhang
Aug 12, 2016, 11:05:21 AM8/12/16
to shlug
bsd的写法和linux的不太一样。
--
-- You received this message because you are subscribed to the Google Groups Shanghai Linux User Group group. To post to this group, send email to sh...@googlegroups.com. To unsubscribe from this group, send email to shlug+unsubscribe@googlegroups.com. For more options, visit this group at https://groups.google.com/d/forum/shlug?hl=zh-CN
Serenade
Sep 22, 2016, 3:13:12 AM9/22/16
to shlug
试试把server端的mtu设为1300
--
Thanx & Regards,
小溪同学
小溪同学
Reply all
Reply to author
Forward
0 new messages