Linux 下 OpenVPN 安装和 Windows OpenVPN GUI 安装笔记

 文章评论

发表你的评论 | 评论中心 | 联系我  

第 1 楼  Rony 发表于 2007-06-28 12:23

很详细。 非常感谢。

第 2 楼  拉拉 发表于 2008-09-10 11:48

谢谢

第 3 楼  flintt 发表于 2008-09-12 21:47

启动openvpn的终端关闭后，好像sever端停止了vpn的服务

第 4 楼  rrt 发表于 2008-09-19 17:23

明显有硬伤，我只问一句，lz你自己严格按照你的文档做了没有。

结果怎么样？


我很怀疑你的iptables的nat设置。

XiaoHui 回复于 2008-09-19 19:37 :
如果有错误，还请麻烦指出。:)

有时候我记不清设置，都是直接看这篇笔记来做的。我按这个文档，装了不下十台 VPN SERVER了。

第 5 楼  gniudad 发表于 2008-11-07 09:21

不错，感谢。
我也按这个文档装了不下10台了。哈哈。
只是文中：如果你的主机上列数值不是为1, 则要将其改成1, 例如:

代码:

sysctl -w net.ipv4.ip_forward=1

依此类推.
我以为全部要改成1，但好像只要最后一项改1就行了。

第 6 楼  tt 发表于 2008-12-12 10:01

为什么我在做这一步# 建立 server key 代码: 代码: ./build-key-server server
的时候出错：error loading extension section server，请指教。

XiaoHui 回复于 2008-12-15 14:34 :

抱歉，今天才看到你的邮件。

我没有遇到过这个错误。你确认你的环境变量、软件版本、目录设置，都是按我说的来做的吗？

刚才在GOOGLE搜索了一下，你看看这里：

http://episteme.arstechnica.com/eve/forums/a/tpc/f/96509133/m/732009283831

注意最后的一个贴子，他说他解决了这个问题。你看看对你有用没。

第 7 楼  marion 发表于 2008-12-25 11:00

搞多公钥-私钥对有什么必要？
为什么不用 duplicate-cn？

第 8 楼  zengw 发表于 2009-01-16 14:08

我做到这一步:
cd /openvpn-2.0.5/easy-rsa
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=GD
export KEY_CITY=SZ
export KEY_ORG="dvdmaster"
export KEY_EMAIL="support@cooldvd.com"
./clean-all
后显示
mkdir:无法创建目录'pwd/keys': 没有那个文件或目录

XiaoHui 回复于 2009-01-17 19:12 :
你所使用的 OPENVPN，版本号是多少？

第 9 楼  zengw 发表于 2009-01-18 11:33

OPENvpn 是2.0.9的，LZO是2.02的，Linux是redhat9的，内核为2.4.20；虚拟机是5.5.1版本的；

XiaoHui 回复于 2009-01-18 12:21 :
你尝试自己先手工把那几个目录建好看看。我没折腾过 OpenVPN 2.0.9。直接用文中的步骤安装 2.0.5　是没有问题的。

第 10 楼  zengw 发表于 2009-01-18 11:42

以下是我的操作跟出错代码：
[root@localhost openvpn-2.0.9]# cd easy-rsa/
[root@localhost easy-rsa]# ls
2.0 build-key build-req make-crl revoke-crt Windows
build-ca build-key-pass build-req-pass openssl.cnf revoke-full
build-dh build-key-pkcs12 clean-all pwd sign-req
build-inter build-key-server list-crl README vars
[root@localhost easy-rsa]# pwd
/openvpn-2.0.9/easy-rsa
[root@localhost easy-rsa]# ./clean-all
you must define KEY_DIR
[root@localhost easy-rsa]# export D='pwd'
[root@localhost easy-rsa]# export KEY_CONFIG=$D/openssl.cnf
[root@localhost easy-rsa]# export KEY_DIR=$D/keys
[root@localhost easy-rsa]# export KEY_SIZE=1024
[root@localhost easy-rsa]# export KEY_COUNTRY=CN
[root@localhost easy-rsa]# export KEY_PROVINCE=GD
[root@localhost easy-rsa]# export KEY_CITY=SZ
[root@localhost easy-rsa]# export KEY_ORG="dvdmaster"
[root@localhost easy-rsa]# export KEY_EMAIL="support@cooldvd.com"
[root@localhost easy-rsa]# ./vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on pwd/keys
[root@localhost easy-rsa]# ./clean-all
[root@localhost easy-rsa]# ./build-ca
error on line -1 of pwd/openssl.cnf
1984:error:02001002:system library:fopen:No such file or directory:bss_file.c:104:fopen('pwd/openssl.cnf','rb')
1984:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:107:
1984:error:0E064072:configuration file routines:CONF_load:no such file:conf_def.c:197:[root@localhost easy-rsa]#

第 11 楼  zengw 发表于 2009-01-19 10:15

能给我发一个openvpn2.0.5的安装包吗？网上找不到了

XiaoHui 回复于 2009-01-20 15:07 :
http://openvpn.net/release/

第 12 楼  zengw 发表于 2009-01-20 17:06

问题已经得到解决，TKS!

第 13 楼  harley_chen 发表于 2009-02-05 04:54

iptables 的ip伪装 我也设置了, 可是 vpn连接后, 还是没办法上网,不能ping外网...

nat功能也开了...

没用

第 14 楼  zengw 发表于 2009-02-10 11:39

没做/etc/init.d/named start 这一步，完成后我用Windows vpn客户端拨号到vmware上去成功了并能上网，但是公司另一台PC拨号拨上去后却不能上网，其获得的IP和DNS均正常！请问是不是跟没做/etc/init.d/named start 这一步有关，但是跟vmware同一台PC上的Windows却可以上网！

第 15 楼  ks 发表于 2009-02-20 20:12

我用freebsd和windowsxp，都已经配置安装完毕，客户端也分配到ip，但是互相之间却无法ping通
我已经在server端的配置文件中配置了local的地址，server端的ifconfig显示如下
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
inet 192.168.10.1 --> 192.168.10.2 netmask 0xffffffff
在server端本机ping 192.168.10.1也ping不通
client端ipconfig 显示的ip正常　只是没有网关
请问是什么原因

XiaoHui 回复于 2009-02-21 00:02 :
你本地局域网的 IP　段是多少？是不是SERVER指定的IP段，与本地局域网指定的相冲突？

第 16 楼  poppy 发表于 2009-02-25 21:09

我在安装Openvpn的过程中，出现了这么个问题：
#modprobe tun
FATAL: Could not load /lib/modules/2.6.18-ovz028stab053.5-smp/modules.dep: No such file or directory

而且/lib/modules/下面是空的。。
我检查了下
# lsmod
Module Size Used by
没有tun设备~~
# modinfo tun
modinfo: could not open /lib/modules/2.6.18-ovz028stab053.5-smp/modules.dep

郁闷了。。是系统没有加载tun设备呢？ 还是我哪个地方要开启tun设备？
怎么解决这个tun设备的问题啊。。谢谢了

第 17 楼  kingstar 发表于 2009-02-25 22:39

看了这篇文章之后才装的 OPENVPN，稳妥起见，下载的 OPENVPN　版本正是楼主例文中的　2.0.5。

我在 theplanet 的主机上安装成功。终于破墙了。

感谢XH。

第 18 楼  SanGe 发表于 2009-03-29 12:31

才看到。我也顶一下。:)

第 19 楼  FlyFire 发表于 2009-03-29 22:44

XiaoHui 是不是写了个 HOOK，将网站文章的评论　和　论坛回贴，同步了？

我看见论坛里好多回贴的都标着“通过 XiaoHui.com 评论系统发表”。:)

第 20 楼  XiaoHui 发表于 2009-03-29 23:28

原帖由 FlyFire 于 2009-3-29 21:44 发表
XiaoHui 是不是写了个 HOOK，将网站文章的评论　和　论坛回贴，同步了？

我看见论坛里好多回贴的都标着“通过 XiaoHui.com 评论系统发表”。:)

点头。我做了一个关联。如果论坛上讨论的话题，是我网站上发表的文章，就建立关联。然后用定时程序，将网站的评论和论坛的回贴进行同步。

第 21 楼  王菲菲 发表于 2009-05-06 09:53

成功了到底是一种什么情况。我是第一次用linux，第一次设置VPN。谢谢！怎么测试他的成功。

XiaoHui 回复于 2009-05-08 18:27 :
连接成功后，任务栏图标区的 OPENVPN GUI的 ICON，　会由暗红色变成绿色。

第 22 楼  秋天的树 发表于 2009-05-20 23:46

感谢@_@!

第 23 楼  pan 发表于 2009-05-21 22:15

我的服务器跟客户机连接不上。我们电信网一个IP下有几个主机，而且IP是动态生成的，不知道是不是跟这个有关系？

XiaoHui 回复于 2009-05-22 11:56 :
你自己看日志记录，确保是连接到了正确的服务器上。

第 24 楼  liusir 发表于 2009-05-22 12:29

上面安装不成功的，可能是 OPENVPN 不同版本的问题引起的差异。我刚才严格按 XIAOHUI 文档里说的 OPENVPN版本进行了安装，一路绿灯，成功了。:)

第 25 楼  pan 发表于 2009-05-26 16:38

想在Windows下装个Redhat虚拟机，Redhat作服务器，Windows作客户机，但他们共用一个ip，而且ip是动态分配的，这样他们之间的openvpn能建立起来吗？
server.conf的local怎么写？

XiaoHui 回复于 2009-05-26 20:54 :
不懂，没试过。
虚拟机应该可以分配不同的IP的。

第 26 楼  luo 发表于 2009-05-29 12:29

请问openvpn如何把两个不同区域的局域局连成一个局域网，就是说，两个公司，不同城市，两台linux做点对点连接后，下面的客户端可以互通？

第 27 楼  luo 发表于 2009-05-29 16:59

按楼主的配置，winxp连接openvpn一直提示‘connecting to client has failed’，下面是客户端的日志。楼主帮我看看
Fri May 29 15:03:43 2009 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov 2 2005
Fri May 29 15:03:43 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri May 29 15:03:43 2009 LZO compression initialized
Fri May 29 15:03:43 2009 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri May 29 15:03:43 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Fri May 29 15:03:43 2009 Local Options hash (VER=V4): '69109d17'
Fri May 29 15:03:43 2009 Expected Remote Options hash (VER=V4): 'c0103fa8'
Fri May 29 15:03:43 2009 Attempting to establish TCP connection with 192.168.1.222:1194
Fri May 29 15:03:43 2009 TCP connection established with 192.168.1.222:1194
Fri May 29 15:03:43 2009 TCPv4_CLIENT link local: [undef]
Fri May 29 15:03:43 2009 TCPv4_CLIENT link remote: 192.168.1.222:1194
Fri May 29 15:03:43 2009 TLS: Initial packet from 192.168.1.222:1194, sid=9e2dc9b0 29a67f10
Fri May 29 15:03:43 2009 VERIFY OK: depth=1, /C=CN/ST=GD/L=SZ/O=kemei/OU=kemei/CN=server/emailAddress=system-one@163.com
Fri May 29 15:03:43 2009 VERIFY OK: nsCertType=SERVER
Fri May 29 15:03:43 2009 VERIFY OK: depth=0, /C=CN/ST=GD/O=kemei/OU=kemei/CN=server/emailAddress=system-one@163.com
Fri May 29 15:03:43 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri May 29 15:03:43 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 29 15:03:43 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri May 29 15:03:43 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 29 15:03:43 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri May 29 15:03:43 2009 [server] Peer Connection Initiated with 192.168.1.222:1194
Fri May 29 15:03:45 2009 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Fri May 29 15:03:45 2009 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.8.0.1,route 10.8.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Fri May 29 15:03:45 2009 OPTIONS IMPORT: timers and/or timeouts modified
Fri May 29 15:03:45 2009 OPTIONS IMPORT: --ifconfig/up options modified
Fri May 29 15:03:45 2009 OPTIONS IMPORT: route options modified
Fri May 29 15:03:45 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri May 29 15:03:45 2009 There are no TAP-Win32 adapters on this system. You should be able to create a TAP-Win32 adapter by going to Start -> All Programs -> OpenVPN -> Add a new TAP-Win32 virtual ethernet adapter.
Fri May 29 15:03:45 2009 Exiting

XiaoHui 回复于 2009-05-30 00:05 :
>> Fri May 29 15:03:45 2009 There are no TAP-Win32 adapters on this system. You should be able to create a TAP-Win32 adapter by going to Start -> All Programs -> OpenVPN -> Add a new TAP-Win32 virtual ethernet adapter
看这句LOG, 貌似是你 TAP 的驱动没装上？

第 28 楼  luo 发表于 2009-05-30 12:21

上面那个问题我已经搞定了。原因是我下载了错误的for WIN版本导致虚拟网卡没有装上，但是现在又是有一问题就是我可以拔号上去了，但如何访问对方的局域网？？目前这样我只能访问服务器那台，服务器或客户端还需要进行行怎么样的设置呢？

第 29 楼  xukai 发表于 2009-06-03 17:34

Wed Jun 03 13:40:30 2009 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov 2 2005
Wed Jun 03 13:40:30 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Jun 03 13:40:30 2009 Cannot load certificate file xukai.crt: error:02001002:scd: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Wed Jun 03 13:40:30 2009 Exiting
我按照楼主的做下来，连接的时候的报错，上面是log中的文件。
报错是connecting to client has failed.

XiaoHui 回复于 2009-06-03 18:10 :
证书的配置没有做对。

第 30 楼  xukai 发表于 2009-06-03 18:21

Wed Jun 03 16:10:32 2009 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov 2 2005
Wed Jun 03 16:10:32 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Jun 03 16:10:32 2009 LZO compression initialized
Wed Jun 03 16:10:32 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jun 03 16:10:32 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jun 03 16:10:32 2009 Local Options hash (VER=V4): '41690919'
Wed Jun 03 16:10:32 2009 Expected Remote Options hash (VER=V4): '530fdded'
Wed Jun 03 16:10:32 2009 UDPv4 link local (bound): [undef]:1194
Wed Jun 03 16:10:32 2009 UDPv4 link remote: 192.168.242.144:1194
Wed Jun 03 16:10:32 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:34 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:37 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:38 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:40 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:42 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:45 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:47 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:50 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:52 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:55 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:56 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:58 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:01 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:03 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:06 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:08 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:11 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:13 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:15 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:17 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:19 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:21 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:24 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:25 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:27 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:29 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:31 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:32 2009 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jun 03 16:11:32 2009 TLS Error: TLS handshake failed
Wed Jun 03 16:11:32 2009 TCP/UDP: Closing socket
Wed Jun 03 16:11:32 2009 SIGUSR1[soft,tls-error] received, process restarting
Wed Jun 03 16:11:32 2009 Restart pause, 2 second(s)
上面的问题解决了，现在老这样了，请问怎么回事？

XiaoHui 回复于 2009-06-03 22:32 :

客户端与服务端的物理链接不通。确认 1194 端口是开的，客户端与服务端能够正常PING通。下面是 OPENVPN　官方解释，你自己对照排除一下：

You get the error message: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). This error indicates that the client was unable to establish a network connection with the server.

Solutions:
• Make sure the client is using the correct hostname/IP address and port number which will allow it to reach the OpenVPN server.
• If the OpenVPN server machine is a single-NIC box inside a protected LAN, make sure you are using a correct port forward rule on the server's gateway firewall. For example, suppose your OpenVPN box is at 192.168.4.4 inside the firewall, listening for client connections on UDP port 1194. The NAT gateway servicing the 192.168.4.x subnet should have a port forward rule that says forward UDP port 1194 from my public IP address to 192.168.4.4.
• Open up the server's firewall to allow incoming connections to UDP port 1194 (or whatever TCP/UDP port you have configured in the server config file).

第 31 楼  luo 发表于 2009-06-05 17:27

客户端连入服务端后。可以ping通服务端的lan wan tun ip，，但是连接服务端的lan同一交换下的电脑，有的可以连通，有的不行，，就比如127 77 5 212 这些IP都可以连通，其它IP又不能联通，不知道是什么原因，是因为路由的原因吗？获取的掩码是255.255.255.252,而且拔入后访问共享，比如访问77这台的默认共享c$,不需要提示输入用户和密码，直接就可以打开共享了，这我觉得有安全问题，这问xiaohui这是什么原因，怎么解决呀。

XiaoHui 回复于 2009-06-05 18:06 :
我装 VPN 只是为了穿墙，这种情况我不知道，没折腾过。不好意思。:)

第 32 楼  terry76 发表于 2009-07-10 17:15

请教一下，不知道为什么我vpn进去后，能访问内网，但用不用server push过来的dns，仍是用着拔号连接的dns，客户机是win7系统。

XiaoHui 回复于 2009-07-11 01:12 :
这个我就搞不清了，没在 WIN7下测试过。

第 33 楼  lz 发表于 2009-07-15 12:48

Wed Jul 15 10:43:22 2009 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov 2 2005
Wed Jul 15 10:43:22 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Jul 15 10:43:22 2009 Cannot load certificate file lz.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Wed Jul 15 10:43:22 2009 Exiting

按照你的配置顺利安装成功，客户端连接也正常。可过了几天之后我又建立了几个用户就连不上了。开始建的用户能连上，后建的几个一个也连不上。上面是日志，麻烦帮我分析下是什么原因？谢谢

XiaoHui 回复于 2009-07-15 15:20 :
你用的是证书校验方式吧？看提示，是你的证书有问题。 lz.crt load 失败。既然之前连接成功，就按以前的步骤，重做一下证书，并确保客户端的配置文件里，指定了正确的证书文件名。

第 34 楼  lz 发表于 2009-07-15 18:58

是证书校验方式。证书和以前生成的方法是一样的啊，客户端配置文件也改了。用./build-key生成客户端有什么特别需要注意的么？除了做./build-key，还需要运行别的东西么？另外我生成客户端时提示："you must define KEY_DIR"，然后运行了一遍你文档里export的那些命令之后就可以使用了。
客户端配置如下：
client
dev tun
proto udp
remote 192.168.0.20 1194
persist-key
persist-tun
ca ca.crt
cert lz.crt
key lz.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1

XiaoHui 回复于 2009-07-15 19:04 :
我许久没有接触 OpenVPN 这块了，技术细节我记不太清了，一时也没时间帮你分析。既然你第一次生成是正确的，而后面几次生成证书不对，那肯定是后面的步骤有错误或遗漏的地方。再仔细找找，排除一下原因。或者，全部重新生成一次证书（包括服务器证书）。
安装和配置的过程中，最好把你做的每一步的命令都记录一下，这样以后出问题或新做证书，也方便排查或实施。

第 35 楼  rinkey 发表于 2009-07-16 18:41

WRwRThu Jul 16 16:36:24 2009 us=921733 client1/202.127.207.101:2239 MULTI: bad source address from client [202.127.207.101], packet dropped
客户端链接的时候，server的log里面有很多这样的记录，这是什么意思？怎么解决

XiaoHui 回复于 2009-07-16 21:13 :
我没接触过这个错误，查了一下资料，网上有篇关于这个错误的解决方案，你参考一下：
Openvpn – MULTI: bad source address from client – solution
在 OpenVPN 自己的newsgroup 上，有一个关于这个的讨论：
[Openvpn-users] MULTI: bad source address from client...packet dropped

第 36 楼  rinkey 发表于 2009-07-16 21:30

openVPN服务器有两块网卡eth0 为公网IP，eth1为内网网关IP，并做了NAT。服务器买开启VPN时，内网的主机可以PING 通eth1和公网IP，但是开启VPN以后内网就PING不通了。而VPN client 也PING 不通内网主机。 怎么解决？

第 37 楼  无名 发表于 2009-07-17 02:52

因为不怎么熟悉linux，所以基本全部按照楼主命令的来做，
到最后开启vpn的时候，显示这样，(这里只列出最后一部分显示信息)
用的putty，最后命令一直停在那里，也不见开启1194端口，很奇怪，希望有人给予解答
最好能聊q，嘿嘿，这样太不方便，q：57112848
Fri Jul 17 01:49:47 2009 us=708255 TUN/TAP device tun0 opened
Fri Jul 17 01:49:47 2009 us=708281 TUN/TAP TX queue length set to 100
Fri Jul 17 01:49:47 2009 us=708312 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Fri Jul 17 01:49:47 2009 us=715115 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Fri Jul 17 01:49:47 2009 us=717906 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Jul 17 01:49:47 2009 us=717952 Socket Buffers: R=[109568->131072] S=[109568->131072]
Fri Jul 17 01:49:47 2009 us=717974 UDPv4 link local (bound): 210.127.253.11:1194
Fri Jul 17 01:49:47 2009 us=717985 UDPv4 link remote: [undef]
Fri Jul 17 01:49:47 2009 us=718003 MULTI: multi_init called, r=256 v=256
Fri Jul 17 01:49:47 2009 us=718036 IFCONFIG POOL: base=10.8.0.4 size=62
Fri Jul 17 01:49:47 2009 us=718069 Initialization Sequence Completed

第 38 楼  sail 发表于 2009-08-21 20:24

Fri Aug 21 18:22:36 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Fri Aug 21 18:22:36 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri Aug 21 18:22:36 2009 Cannot load certificate file client.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Fri Aug 21 18:22:36 2009 Exiting
这是我的客户端的问题 不知道怎么回事

XiaoHui 回复于 2009-08-21 20:57 :
客户端证书错误。

第 39 楼  朵朵 发表于 2009-08-27 18:54

根据这个做 我成功 谢谢xiaohui

第 40 楼  王菲菲 发表于 2009-09-10 10:46

Server 端的环境
redhat, kernel版本: 2.4.20-31.9, IP 为 70.8.7.6

“IP 为 70.8.7.6”是在什么时候设的？

谢谢！

XiaoHui 回复于 2009-09-10 11:09 :
安装 SERVER OS 时指定的。

第 41 楼  kenny 发表于 2009-09-12 11:42

我的安装终于可以连接上了，但是连上去以后访问不了网站，我也输入了echo 1 > /proc/sys/net/ipv4/ip_forward，但就是死活访问不了，怎么回事啊？

XiaoHui 回复于 2009-09-12 16:21 :
用 sysctl -a | grep for 看一下 ipfoward 是否打开了。

第 42 楼  藤苇 发表于 2009-09-27 19:40

你好 我遇到一个问题我没法解决，想向你咨询下
[root@localhost root]# /usr/local/sbin/openvpn --config /usr/local/etc/server.conf
Sun Sep 27 17:41:12 2009 OpenVPN 2.0.9 i686-pc-linux [SSL] [LZO] built on Sep 27 2009
Sun Sep 27 17:41:12 2009 Cannot open dh1024.pem for DH parameters:error:02001002:system library:fopen:NO such file or directory:error:2006D080:BIO routines:BIO_new_file:no such file
Sun Sep 27 14:41:12 2009 Exiting
这是怎么一回事呢？急急急！！！

XiaoHui 回复于 2009-09-27 21:44 :
没有 Diffie Hellman 参数或文件的位置没有设置正确。见第七步代码: ./build-dh

第 43 楼  藤苇 发表于 2009-09-27 23:17

你好
./build-dh
这一步我做了都是按照你上面说的去做的
export D=`pwd` 只是这一步没做。
export KEY_CONFIG=root/openvpn-2.0.9/easy-rsa/openssl.cnf
export KEY_DIR=root/openvpn-2.0.9/easy-rsa/keys

第 44 楼  藤苇 发表于 2009-09-27 23:25

在root/openvpn-2.0.9/easy-rsa/keys下生成了这个文件dh1024.pem 。

第 45 楼  藤苇 发表于 2009-09-27 23:28

D=`pwd` 是什么意思呢?

XiaoHui 回复于 2009-09-28 10:22 :
pwd 表示当前工作目录

第 46 楼  藤苇 发表于 2009-10-12 12:58

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap
;dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp
;proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 172.16.37.83 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client1.crt
key client1.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
服务器配置
#################################################
# Sample OpenVPN 2.0 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine <-> single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# This config should work on Windows #
# or Linux/BSD systems. Remember on #
# Windows to quote pathnames and use #
# double backslashes, e.g.: #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
# #
# Comments are preceded with '#' or ';' #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
proto tcp
;proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap
;dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /root/openvpn-2.0.9/easy-rsa/keys/ca.crt
cert /root/openvpn-2.0.9/easy-rsa/keys/server.crt
key /root/openvpn-2.0.9/easy-rsa/keys/server.key # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /root/openvpn-2.0.9/easy-rsa/keys/dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.0.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Push routes to the client to allow it
# to reach other p10.8.0.1rivate subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.11.0 255.255.255.0"
;push "route 192.168.13.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
client-config-dir /usr/local/etc/ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
client-config-dir /usr/local/etc/ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel. Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
;push "redirect-gateway"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nobody

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /root/openvpn-2.0.9/easy-rsa/keys/openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log openvpn.log
;log-append openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors/root/openvpn-2.0.9/easy-rsa/keys
# 4 is reasonable for genera/root/openvpn-2.0.9/easy-rsa/keysl usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20


openvpn服务器是red hat Linux
客户机是windows server 2000 两个网卡 开起了rip协议
server ip： 172.16.37.83 虚拟ip 10.0.0.1；
client1 ip：172.16.37.110 192.168.11.1 虚拟IP 10.0.0.5；
client2 ip： 172.16.19.22. 192.168.12.1 虚拟ip 10.0.0.13；
在server中可ping通10.0.0.1 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1 ping不通 10.0.0.5 10.0.0.13
client1 中可ping通 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1 10.0.0.5 10.0.0.13 ping不通 10.0.0.1

client2中可ping通 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1 10.0.0.5 10.0.0.13 ping不通 10.0.0.1
楼主这是哪出现了问题呢？拜托拜托

XiaoHui 回复于 2009-10-12 18:47 :
Tooooooo looooooooog, 看着头晕又不方便比较。 能不能把 #的注释去掉再贴上来。

第 47 楼  藤苇 发表于 2009-10-12 19:23

client
dev tap
;dev tun
;dev-node MyTap
proto tcp
;proto udp
remote 172.16.37.83 1194
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca ca.crt
cert client1.crt
key client1.key
;ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
服务器配置
;local a.b.c.d
port 1194
proto tcp
;proto udp
dev tap
;dev tun
;dev-node MyTap
ca /root/openvpn-2.0.9/easy-rsa/keys/ca.crt
cert /root/openvpn-2.0.9/easy-rsa/keys/server.crt
key /root/openvpn-2.0.9/easy-rsa/keys/server.key # This file should be kept secret
dh /root/openvpn-2.0.9/easy-rsa/keys/dh1024.pem
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;push "route 192.168.11.0 255.255.255.0"
;push "route 192.168.13.0 255.255.255.0"
client-config-dir /usr/local/etc/ccd
;route 192.168.40.128 255.255.255.248
client-config-dir /usr/local/etc/ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status /root/openvpn-2.0.9/easy-rsa/keys/openvpn-status.log
;log openvpn.log
;log-append openvpn.log
verb 3
;mute 20


openvpn服务器是red hat Linux
客户机是windows server 2000 两个网卡 开起了rip协议
server ip： 172.16.37.83 虚拟ip 10.0.0.1；
client1 ip：172.16.37.110 192.168.11.1 虚拟IP 10.0.0.5；
client2 ip： 172.16.19.22. 192.168.12.1 虚拟ip 10.0.0.13；
在server中可ping通10.0.0.1 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1 ping不通 10.0.0.5 10.0.0.13
client1 中可ping通 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1 10.0.0.5 10.0.0.13 ping不通 10.0.0.1

client2中可ping通 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1
192.168.12.1 10.0.0.5 10.0.0.13 ping不通 10.0.0.1
楼主这是哪出现了问题呢？拜托拜托 我的QQ是137294593加我 谢谢

第 48 楼  藤苇 发表于 2009-10-12 19:23

client
dev tap
;dev tun
;dev-node MyTap
proto tcp
;proto udp
remote 172.16.37.83 1194
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca ca.crt
cert client1.crt
key client1.key
;ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
服务器配置
;local a.b.c.d
port 1194
proto tcp
;proto udp
dev tap
;dev tun
;dev-node MyTap
ca /root/openvpn-2.0.9/easy-rsa/keys/ca.crt
cert /root/openvpn-2.0.9/easy-rsa/keys/server.crt
key /root/openvpn-2.0.9/easy-rsa/keys/server.key # This file should be kept secret
dh /root/openvpn-2.0.9/easy-rsa/keys/dh1024.pem
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;push "route 192.168.11.0 255.255.255.0"
;push "route 192.168.13.0 255.255.255.0"
client-config-dir /usr/local/etc/ccd
;route 192.168.40.128 255.255.255.248
client-config-dir /usr/local/etc/ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status /root/openvpn-2.0.9/easy-rsa/keys/openvpn-status.log
;log openvpn.log
;log-append openvpn.log
verb 3
;mute 20


openvpn服务器是red hat Linux
客户机是windows server 2000 两个网卡 开起了rip协议
server ip： 172.16.37.83 虚拟ip 10.0.0.1；
client1 ip：172.16.37.110 192.168.11.1 虚拟IP 10.0.0.5；
client2 ip： 172.16.19.22. 192.168.12.1 虚拟ip 10.0.0.13；
在server中可ping通10.0.0.1 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1 ping不通 10.0.0.5 10.0.0.13 192.168.11.1 192.168.12.1
client1 中可ping通 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1 10.0.0.5 10.0.0.13 ping不通 10.0.0.1

client2中可ping通 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1
192.168.12.1 10.0.0.5 10.0.0.13 ping不通 10.0.0.1
楼主这是哪出现了问题呢？拜托拜托 我的QQ是137294593加我 谢谢

第 49 楼  藤苇 发表于 2009-10-12 20:07

在以上的“在server中可ping通10.0.0.1 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1 ping不通 10.0.0.5 10.0.0.13”修改一下
应该是 在server中可ping通10.0.0.1 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1 ping不通 10.0.0.5 10.0.0.13 192.168.11.1 192.168.12.1

XiaoHui 回复于 2009-10-12 21:27 :
看了一下，配置很正常。有几个参数我没有用过，如client-config-dir 等。你可以参考我文中第四小节的样例文件，先用最简单的配置搭建起来再说。

如果能连接但 Ping 不通，要看看是不是配置了 iptables。可参见第五节。

第 50 楼  藤苇 发表于 2009-10-12 21:45

可以连接但ping不通，
red hat Linux 中的网络配置要怎么设置呢？

第 51 楼  藤苇 发表于 2009-10-12 22:51

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-1998 Microsoft Corp.

C:\Documents and Settings\Administrator>ipconfig/all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : 2000serv-qh80ma
Primary DNS Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter 本地连接 3:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Win32 Adapter V8
Physical Address. . . . . . . . . : 00-FF-C2-18-82-DA
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.0.0.5
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 10.0.0.6
DNS Servers . . . . . . . . . . . : 10.0.0.1
70.88.98.10
70.88.99.11
Lease Obtained. . . . . . . . . . : 2009年10月12日 20:43:19
Lease Expires . . . . . . . . . . : 2010年10月12日 20:43:19

Ethernet adapter 本地连接 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter

Physical Address. . . . . . . . . : 00-0C-29-2E-84-B5
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.11.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.37.110
DNS Servers . . . . . . . . . . . : 218.30.19.40
61.134.1.4

Ethernet adapter 本地连接:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter

Physical Address. . . . . . . . . : 00-0C-29-2E-84-AB
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.37.110
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 192.168.11.1
DNS Servers . . . . . . . . . . . : 218.30.19.40
61.134.1.4

C:\Documents and Settings\Administrator>ping 10.0.0.1

Pinging 10.0.0.1 with 32 bytes of data:

Reply from 172.16.37.110: TTL expired in transit.
Reply from 172.16.37.110: TTL expired in transit.
Reply from 172.16.37.110: TTL expired in transit.
Reply from 172.16.37.110: TTL expired in transit.

Ping statistics for 10.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Documents and Settings\Administrator>ping 10.0.0.13

Pinging 10.0.0.13 with 32 bytes of data:

Reply from 10.0.0.13: bytes=32 time<10ms TTL=128
Reply from 10.0.0.13: bytes=32 time<10ms TTL=128
Reply from 10.0.0.13: bytes=32 time<10ms TTL=128
Reply from 10.0.0.13: bytes=32 time<10ms TTL=128

Ping statistics for 10.0.0.13:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Documents and Settings\Administrator>ping 172.16.37.83

Pinging 172.16.37.83 with 32 bytes of data:

Reply from 172.16.37.83: bytes=32 time<10ms TTL=64
Reply from 172.16.37.83: bytes=32 time<10ms TTL=64
Reply from 172.16.37.83: bytes=32 time<10ms TTL=64
Reply from 172.16.37.83: bytes=32 time<10ms TTL=64

Ping statistics for 172.16.37.83:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Default Gateway 那里没ip。
麻烦你在给我看看哪个地方出错了！！！

第 52 楼  藤苇 发表于 2009-10-12 22:55

Mon Oct 12 20:43:17 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Mon Oct 12 20:43:17 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon Oct 12 20:43:17 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Oct 12 20:43:17 2009 LZO compression initialized
Mon Oct 12 20:43:17 2009 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Mon Oct 12 20:43:17 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Oct 12 20:43:17 2009 Local Options hash (VER=V4): '69109d17'
Mon Oct 12 20:43:17 2009 Expected Remote Options hash (VER=V4): 'c0103fa8'
Mon Oct 12 20:43:17 2009 Attempting to establish TCP connection with 172.16.37.83:1194
Mon Oct 12 20:43:17 2009 TCP connection established with 172.16.37.83:1194
Mon Oct 12 20:43:17 2009 TCPv4_CLIENT link local: [undef]
Mon Oct 12 20:43:17 2009 TCPv4_CLIENT link remote: 172.16.37.83:1194
Mon Oct 12 20:43:17 2009 TLS: Initial packet from 172.16.37.83:1194, sid=f570158c 99bbcc93
Mon Oct 12 20:43:17 2009 VERIFY OK: depth=1, /C=CN/ST=GD/L=SZ/O=xiaohui.com/emailAddress=your-email__at__xiaohui.com
Mon Oct 12 20:43:17 2009 VERIFY OK: depth=0, /C=CN/ST=GD/O=xiaohui.com/CN=server/emailAddress=your-email__at__xiaohui.com
Mon Oct 12 20:43:17 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Oct 12 20:43:17 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Oct 12 20:43:17 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Oct 12 20:43:17 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Oct 12 20:43:17 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Oct 12 20:43:17 2009 [server] Peer Connection Initiated with 172.16.37.83:1194
Mon Oct 12 20:43:18 2009 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Oct 12 20:43:18 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.10.0 255.255.255.0,route 192.168.13.0 255.255.255.0,dhcp-option DNS 10.0.0.1,dhcp-option DNS 70.88.98.10,dhcp-option DNS 70.88.99.11,route 10.0.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.0.0.5 10.0.0.6'
Mon Oct 12 20:43:18 2009 OPTIONS IMPORT: timers and/or timeouts modified
Mon Oct 12 20:43:18 2009 OPTIONS IMPORT: --ifconfig/up options modified
Mon Oct 12 20:43:18 2009 OPTIONS IMPORT: route options modified
Mon Oct 12 20:43:18 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Oct 12 20:43:18 2009 TAP-WIN32 device [本地连接 3] opened: \\.\Global\{C21882DA-A40E-4842-8C84-E8ABD2B2938D}.tap
Mon Oct 12 20:43:18 2009 TAP-Win32 Driver Version 8.4
Mon Oct 12 20:43:18 2009 TAP-Win32 MTU=1500
Mon Oct 12 20:43:18 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.0.0.5/255.255.255.252 on interface {C21882DA-A40E-4842-8C84-E8ABD2B2938D} [DHCP-serv: 10.0.0.6, lease-time: 31536000]
Mon Oct 12 20:43:18 2009 NOTE: FlushIpNetTable failed on interface [2] {C21882DA-A40E-4842-8C84-E8ABD2B2938D} (status=1413) : 无效索引。
Mon Oct 12 20:43:19 2009 TEST ROUTES: 3/3 succeeded len=3 ret=1 a=0 u/d=up
Mon Oct 12 20:43:19 2009 route ADD 192.168.10.0 MASK 255.255.255.0 10.0.0.6
Mon Oct 12 20:43:19 2009 Route addition via IPAPI succeeded
Mon Oct 12 20:43:19 2009 route ADD 192.168.13.0 MASK 255.255.255.0 10.0.0.6
Mon Oct 12 20:43:19 2009 Route addition via IPAPI succeeded
Mon Oct 12 20:43:19 2009 route ADD 10.0.0.0 MASK 255.255.255.0 10.0.0.6
Mon Oct 12 20:43:19 2009 Route addition via IPAPI succeeded
Mon Oct 12 20:43:19 2009 Initialization Sequence Completed

第 53 楼  王菲菲 发表于 2009-11-11 19:16

我的VPN应该属于已经配置好了，但是我启用VPN以后，我的客户端能打开大智慧，MSN，但是不能打开网页还有QQ，请问是为什么？
谢谢！

第 54 楼  王菲菲 发表于 2009-11-11 19:20

我的VPN通了，但是客户端能启动MSN和大智慧，但是不能打开网页和QQ，请问我还应该做什么？
还有sysctl -w net.ipv4.ip_forward=0.改好后不能保存，不知是不是我的系统有问题。

谢谢！

第 55 楼  ysbaggio 发表于 2009-11-13 23:07

很有帮助，谢谢小辉了，现在正在研究用密码用户名登陆。

第 56 楼  ysbaggio 发表于 2009-11-13 23:10

回54楼
你可以修改# vi /etc/sysctl.conf文件。net.ipv4.ip_forward = 0将0 改成1

第 57 楼  王菲菲 发表于 2009-11-19 12:36

ysbaggio
您好！
您用密码用户名登陆，怎么做的？
我可以问问您吗？
我的QQ是1050626886，请加我。

第 58 楼  david 发表于 2009-11-26 16:30

我启动vpn服务器的时候,/usr/local/sbin/openvpn --config /usr/local/etc/server.conf
然后最后一行报错
Cannot load certificate file /home/zhangke/openvpn-2.0.5/easy-rsa/keys/server.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
请问该如何处理,server.crt就是在那个目录下,却无法加载

XiaoHui 回复于 2009-11-26 19:37 :
证书没有做正确。按第六步重做一下。

第 59 楼  zhaoke 发表于 2009-11-29 00:18

如Tun设备已编到内核中, 可用下面办法:
cat /proc/net/dev|grep tun

如果上面无任何显示, 说明你的内核不支持TUN/TAP设备, 可通过重新编译内添加.

第 60 楼  上善若水 发表于 2010-01-10 11:17

Sun Jan 10 11:16:14 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Sun Jan 10 11:16:14 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Jan 10 11:16:14 2010 LZO compression initialized
Sun Jan 10 11:16:14 2010 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sun Jan 10 11:16:14 2010 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Jan 10 11:16:14 2010 Local Options hash (VER=V4): '69109d17'
Sun Jan 10 11:16:14 2010 Expected Remote Options hash (VER=V4): 'c0103fa8'
Sun Jan 10 11:16:14 2010 Attempting to establish TCP connection with 173.212.236.182:443
Sun Jan 10 11:16:14 2010 TCP connection established with 173.212.236.182:443
Sun Jan 10 11:16:14 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jan 10 11:16:14 2010 TCPv4_CLIENT link local: [undef]
Sun Jan 10 11:16:14 2010 TCPv4_CLIENT link remote: 173.212.236.182:443
我的vpn连接到这里就结束了。不知道是哪个环节出了问题。

第 61 楼  IDCMAMA 发表于 2010-01-20 22:15

请允许我们原文加留言转载 http://idcmama.com/bbs/thread-117-1-1.html
程序员小辉 是中国OPENVPN事业的前辈先锋，常年无私帮助处于水深火热之中的中国广大网民，
从07年5月直到现在，无数国人从他的OPENVPN技术中获益，我们对其人品和技术深表敬意

XiaoHui 回复于 2010-01-21 00:41 :
汗，表扣上前辈加先锋的帽子啊，通常这样的人死得最快。。。。。

第 62 楼  IDCMAMA 发表于 2010-01-21 16:57

您说得极是，已经修改
转载者按语： 程序员小辉，人品与技术齐高，常年无私帮助处于水深火热之中的中国广大网民

第 63 楼  tanlingyun 发表于 2010-01-23 14:07

我 用 的 openvpn-2.0_rc16.tar.gz做到 ./build-ca这一步出错
error on line -1 of pwd/openssl.cnf
1775:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('pwd/openssl.cnf','rb')
1775:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
1775:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:197:
请问 怎么解决 ?

XiaoHui 回复于 2010-01-23 15:07 :
你确保文中第六步的 export 参数设置正确了？如果设置正确了，那应该就是版本之差的参数差异。你试了下 2.0.5。我一直用的这个，新的版本我没测过。

第 64 楼  tanlingyun 发表于 2010-01-23 18:44

谢谢你的回复，我的export都是按照你的设的，我下午又重新试了2.0.5还是这个问题，因为我是在Ubuntu 9.10上做的，我以为是openssl和openssl-devel的问题，我又重装了一下这两个，还是不行，后来又换到red hat 9.0上，还是这个问题
错误信息提到的bss_file.c和conf_def.c都是openssl源代码目录下的文件，不知道是不是openssl没装好的缘故，我是这样装的，cd openssl-0.98.1l ，然后./config --prefix=/usr/local/openssl，然后make 最后make install，安装没什么错误。

XiaoHui 回复于 2010-01-23 19:09 :
我以为你是在 centos 下装的。从提示的字面意思来看， 是没找到 openssl 的源程序目录。我不太清楚 redhat 和ubuntu 安装后的 openssl 最终目录是什么。centos 下装 openssl 是直接用 yum install openssl 即可。你打开 pwd/openssl.cnf，看看定义的 openssl 目录是不是你机器上的。

第 65 楼  tanlingyun 发表于 2010-01-23 19:22

cd /openvpn-2.0.5/easy-rsa
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=GD
export KEY_CITY=SZ
export KEY_ORG="xiaohui.com"
export KEY_EMAIL="your-email [at] xiaohui.com"

我有点疑问，你的这里$D，实际应该在执行过程中换成pwd这个shell命令执行结果对吧，但在我这就当成pwd在使用了，所以会出现前面8楼的
mkdir:无法创建目录'pwd/keys': 没有那个文件或目录
但我把这个问题改正了之后，依然出现上面那几行错误，希望您再帮我看看

第 66 楼  tanlingyun 发表于 2010-01-23 19:32

回64楼，我打开了openssl.cnf，里面选项很多，不知道哪个是指的源代码路径

第 67 楼  Danny 发表于 2010-01-23 20:45

楼上的，你换成 CentOS 看看？可能这是操作系统的差异引起的配置文件不同引起的。我上周用的 CentOS 5.3, 按楼主教程， 一次性通过。

第 68 楼  tanlingyun 发表于 2010-01-25 13:03

回67楼，谢谢你了，我在Ubuntu下用它自带的新立得软件包管理器安装了一个，现在可以用了，也谢谢xiaohui

第 69 楼  abc 发表于 2010-02-23 21:23

安装完成，只能访问VPS的主机IP，别的全部PING不通。这不知为何？

XiaoHui 回复于 2010-02-23 22:34 :
查一下 ip forward 选项 或 iptalbes 规则。

第 70 楼  abc 发表于 2010-02-24 09:38

ip forward=1
显示iptables: Unknown error 4294967295

这2条都已经做到了。
俺已经重装5次了，服务器端重复装不同版本应该没冲突吧？