
Notes on installing OpenVPN on Linux and OpenVPN GUI on Windows


Date: 2007-05-13 14:00

  Last updated: 2011-02-11

  • 2007.05.14: first written up
  • 2009-08-10: added the note on ip forwarding
  • 2011-02-11: added the note on the script-security parameter introduced in OpenVPN 2.1.

  Since the great GFW keeps getting more aggressive, routine site maintenance such as FTP, POP & SMTP mail and looking up technical material on Google is frequently cut off by it. To get around this I installed OpenVPN on my overseas host and wrote down the installation process at the time.

  A friend asked me about installing OpenVPN again today, so I have reorganized these notes on installing OpenVPN on Linux and OpenVPN GUI on Windows (https://www.xiaohui.com/dev/server/20070514-install-openvpn.htm); I hope they are useful.

  When I installed OpenVPN I had guidance from WenZK. My thanks to him.

I. OpenVPN installation environment

    Server side:
  1. Red Hat, kernel 2.4.20-31.9, IP 70.8.7.6
  2. The kernel must support the tun device, and the iptables module must be loaded.
    Check whether tun is present:
    Code:
    root@a [/]# modinfo tun 
    filename:    /lib/modules/2.4.20-31.9/kernel/drivers/net/tun.o 
    description:  
    author:       
    license:     "GPL" 
    
    If there is no modinfo command, just search for a tun.o file in the kernel tree:
    Code:
    find -name tun.o 
    ./lib/modules/2.4.20/kernel/drivers/net/tun.o 
    
    Check the iptables module: see whether this file exists:
    /etc/init.d/iptables
  3. OpenSSL. If SSL connections are to be enabled, OpenSSL must be installed first. Installing OpenSSL is not covered here; search Google for details. On CentOS it can be installed with yum:
    Code:
    yum install openssl
    yum install openssl-devel
  4. OpenVPN version installed: 2.0.5. A newer version seems to be available by now; it can be downloaded from http://openvpn.net.

    Client side:
  1. Windows XP Pro SP2
  2. OpenVPN GUI for Windows 1.0.3, downloadable from openvpn.se
    Note: the OpenVPN GUI for Windows version must match the OpenVPN server version.
    For example, if the server runs OpenVPN 2.0.5, the OpenVPN GUI for Windows to download is openvpn-2.0.5-gui-1.0.3-install.exe
    All historical OpenVPN GUI versions: http://openvpn.se/files/install_packages/

II. OpenVPN server installation

  1. Log in to the host with SecureCRT and change to the root directory. Code:
    cd / 
  2. Download LZO and unpack it into lzo-2.02.

    Address: http://www.oberhumer.com/opensource/lzo/download/ Code:

    wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.02.tar.gz
  3. Download OpenVPN and unpack it into openvpn-2.0.5

    Address: http://openvpn.net/download.html Code:

    wget http://openvpn.net/release/openvpn-2.0.5.tar.gz
  4. Install LZO. Code:
    cd /lzo-2.02 
    ./configure 
    make 
    make check 
    make install 
  5. Install OpenVPN

    Code:

    cd /openvpn-2.0.5
    ./configure 
    # or specify the directories explicitly (note: the following command goes on one line; it is split over four lines here for readability)
    # ./configure --with-lzo-headers=/usr/local/include 
    #  --with-lzo-lib=/usr/local/lib 
    #  --with-ssl-headers=/usr/local/include/openssl 
    #  --with-ssl-lib=/usr/local/lib 
    make 
    make install 
    
  6. Generate the certificates and keys

    Initialize the PKI

    (if there is no export command, setenv [name] [value] can be used instead)

    Code:

    cd /openvpn-2.0.5/easy-rsa 
    export D=`pwd` 
    export KEY_CONFIG=$D/openssl.cnf 
    export KEY_DIR=$D/keys 
    export KEY_SIZE=1024 
    export KEY_COUNTRY=CN 
    export KEY_PROVINCE=GD 
    export KEY_CITY=SZ 
    export KEY_ORG="xiaohui.com" 
    export KEY_EMAIL="your-email [at] xiaohui.com" 
    Build:

    代码:

    ./clean-all 
    ./build-ca 
    
    Generating a 1024 bit RSA private key 
    ................++++++ 
    ........++++++ 
    writing new private key to 'ca.key' 
    ----- 
    You are about to be asked to enter information that will be incorporated 
    into your certificate request. 
    What you are about to enter is what is called a Distinguished Name or a DN. 
    There are quite a few fields but you can leave some blank 
    For some fields there will be a default value, 
    If you enter '.', the field will be left blank. 
    ----- 
    Country Name (2 letter code) [CN]: 
    State or Province Name (full name) [GD]: 
    Locality Name (eg, city) [SZ]: 
    Organization Name (eg, company) [xiaohui.com]: 
    Organizational Unit Name (eg, section) []:xiaohui.com 
    Common Name (eg, your name or your server's hostname) []:server 
    Email Address [your-email [at] xiaohui.com]: 
    # Build the server key. Code:
    ./build-key-server server 
    
    Generating a 1024 bit RSA private key 
    ......++++++ 
    ....................++++++ 
    writing new private key to 'server.key' 
    ----- 
    You are about to be asked to enter information that will be incorporated 
    into your certificate request. 
    What you are about to enter is what is called a Distinguished Name or a DN. 
    There are quite a few fields but you can leave some blank 
    For some fields there will be a default value, 
    If you enter '.', the field will be left blank. 
    ----- 
    Country Name (2 letter code) [CN]: 
    State or Province Name (full name) [GD]: 
    Locality Name (eg, city) [SZ]: 
    Organization Name (eg, company) [xiaohui.com]: 
    Organizational Unit Name (eg, section) []:xiaohui.com 
    Common Name (eg, your name or your server's hostname) []:server 
    Email Address [your-email [at] xiaohui.com]: 
    
    Please enter the following 'extra' attributes 
    to be sent with your certificate request 
    A challenge password []:abcd1234 
    An optional company name []:xiaohui.com 
    Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf 
    Check that the request matches the signature 
    Signature ok 
    The Subject's Distinguished Name is as follows 
    countryName           :PRINTABLE:'CN' 
    stateOrProvinceName   :PRINTABLE:'GD' 
    localityName          :PRINTABLE:'SZ' 
    organizationName      :PRINTABLE:'xiaohui.com' 
    organizationalUnitName:PRINTABLE:'xiaohui.com' 
    commonName            :PRINTABLE:'server' 
    emailAddress          :IA5STRING:'your-email [at] xiaohui.com' 
    Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days) 
    Sign the certificate? [y/n]:y 
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y 
    Write out database with 1 new entries 
    Data Base Updated 

    # Generate the client key

    Code:

    ./build-key client1 
    Generating a 1024 bit RSA private key 
    .....++++++ 
    ......++++++ 
    writing new private key to 'client1.key' 
    ----- 
    You are about to be asked to enter information that will be incorporated 
    into your certificate request. 
    What you are about to enter is what is called a Distinguished Name or a DN. 
    There are quite a few fields but you can leave some blank 
    For some fields there will be a default value, 
    If you enter '.', the field will be left blank. 
    ----- 
    Country Name (2 letter code) [CN]: 
    State or Province Name (full name) [GD]: 
    Locality Name (eg, city) [SZ]: 
    Organization Name (eg, company) [xiaohui.com]: 
    Organizational Unit Name (eg, section) []:xiaohui.com 
    Common Name (eg, your name or your server's hostname) []:client1    # Important: the certificate generated for each client must have a different name. 
    Email Address [your-email [at] xiaohui.com]: 
    
    Please enter the following 'extra' attributes 
    to be sent with your certificate request 
    A challenge password []:abcd1234 
    An optional company name []:xiaohui.com 
    Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf 
    Check that the request matches the signature 
    Signature ok 
    The Subject's Distinguished Name is as follows 
    countryName           :PRINTABLE:'CN' 
    stateOrProvinceName   :PRINTABLE:'GD' 
    localityName          :PRINTABLE:'SZ' 
    organizationName      :PRINTABLE:'xiaohui.com' 
    organizationalUnitName:PRINTABLE:'xiaohui.com' 
    commonName            :PRINTABLE:'client1' 
    emailAddress          :IA5STRING:'your-email [at] xiaohui.com' 
    Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days) 
    Sign the certificate? [y/n]:y 
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y 
    Write out database with 1 new entries 
    Data Base Updated 

    Generate the other client certificates/keys the same way

    Code:

    ./build-key client2 
    ./build-key client3 
    Note: at the Common Name (eg, your name or your server's hostname) []: prompt, each certificate must be given a different name.
  7. Generate the Diffie-Hellman parameters. Code:
    ./build-dh 
  8. Pack up all the files under keys and download them locally

    Code:

    tar -cf mykeys.tar /openvpn-2.0.5/easy-rsa/keys 
    cp mykeys.tar /home/xiaohui.comsys/public_html/mykeys.tar 
    Move mykeys.tar to the web public directory (the absolute path varies from host to host), download it locally via a URL like http://www.a.com/mykeys.tar, then delete it from the server. Code:
    rm /home/xiaohui.comsys/public_html/mykeys.tar 
    The key files can also be brought down by other means, e.g. FTP.
  9. Create the server configuration file

    Create it from the sample file:

    Code:

    cd $dir/sample-config-files/ # enter the sample-config-files subdirectory of the unpacked source tree 
    cp server.conf /usr/local/etc  # copy the server config file to /usr/local/etc 
    vi /usr/local/etc/server.conf 
    The contents of my server.conf are given separately below.
  10. Create the client configuration file

    Code:

    cd $dir/sample-config-files/  # enter the sample-config-files subdirectory of the unpacked source tree 
    cp client.conf /usr/local/etc  # copy the client config file to /usr/local/etc 
    vi /usr/local/etc/client.conf 
    The contents of my client.conf are given separately below.
  11. Start OpenVPN: openvpn [server config file]. Code:
    /usr/local/sbin/openvpn --config /usr/local/etc/server.conf 
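
The "Data Base Updated" message printed by build-key-server and build-key refers to the CA database, keys/index.txt, and that file is the place to check the unique-Common-Name rule from step 6 after the fact. The following Python script is an added example, not code from the original notes; it assumes the index format openssl's 'ca' command writes (tab-separated status, expiry, revocation date, serial, filename, subject DN) and uses constructed records, including a deliberate duplicate CN, a revoked entry and an expired one:

```python
"""Check the CA database that easy-rsa's build scripts update for the rule in
step 6: every client certificate must carry a distinct Common Name.
Added example, not code from the original notes.  Assumes keys/index.txt in
the format openssl's 'ca' command writes, one tab-separated record per
certificate: status (V/R/E), expiry (YYMMDDHHMMSSZ), revocation date, serial,
filename, subject DN.  SAMPLE_INDEX is constructed; a second valid 'client1'
record can only appear when openssl.cnf has unique_subject = no."""
from datetime import datetime

SAMPLE_INDEX = (
    "V\t160319081531Z\t\t01\tunknown\t/C=CN/ST=GD/L=SZ/O=example/CN=server/emailAddress=admin@example.invalid\n"
    "V\t160319082200Z\t\t02\tunknown\t/C=CN/ST=GD/L=SZ/O=example/CN=client1/emailAddress=admin@example.invalid\n"
    "R\t160319083000Z\t090715102000Z\t03\tunknown\t/C=CN/ST=GD/L=SZ/O=example/CN=client2/emailAddress=admin@example.invalid\n"
    "V\t160319084500Z\t\t04\tunknown\t/C=CN/ST=GD/L=SZ/O=example/CN=client2/emailAddress=admin@example.invalid\n"
    "V\t160319085000Z\t\t05\tunknown\t/C=CN/ST=GD/L=SZ/O=example/CN=client1/emailAddress=admin@example.invalid\n"
    "V\t090101000000Z\t\t06\tunknown\t/C=CN/ST=GD/L=SZ/O=example/CN=client3/emailAddress=admin@example.invalid\n"
)


def _utc_time(stamp):
    """openssl ca writes UTCTime as YYMMDDHHMMSSZ."""
    return datetime.strptime(stamp, "%y%m%d%H%M%SZ")


def parse_index(text):
    """One dict per record: status, expires, revoked (None if not), serial, cn."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _filename, subject = line.split("\t")
        # subject is an OpenSSL one-line DN: /C=CN/ST=GD/.../CN=client1/...
        rdns = dict(part.split("=", 1) for part in subject.split("/") if "=" in part)
        entries.append({
            "status": status,
            "expires": _utc_time(expiry),
            "revoked": _utc_time(revoked) if revoked else None,
            "serial": serial,
            "cn": rdns.get("CN", ""),
        })
    return entries


def valid_entries(entries, now_iso):
    """Records still usable at now_iso (YYYY-MM-DD): status V and not yet expired."""
    now = datetime.strptime(now_iso, "%Y-%m-%d")
    return [e for e in entries if e["status"] == "V" and e["expires"] > now]


def duplicate_common_names(entries, now_iso):
    """CN -> serials for Common Names that have more than one usable certificate."""
    by_cn = {}
    for e in valid_entries(entries, now_iso):
        by_cn.setdefault(e["cn"], []).append(e["serial"])
    return {cn: serials for cn, serials in by_cn.items() if len(serials) > 1}


def index_findings(text, now_iso):
    """Human-readable findings: duplicate CNs first, then revoked/expired records."""
    entries = parse_index(text)
    now = datetime.strptime(now_iso, "%Y-%m-%d")
    findings = []
    for cn, serials in sorted(duplicate_common_names(entries, now_iso).items()):
        findings.append("duplicate CN %s (serials %s): the server cannot tell these clients apart"
                        % (cn, ", ".join(serials)))
    for e in entries:
        if e["status"] == "R":
            when = e["revoked"].date() if e["revoked"] else "unknown date"
            findings.append("serial %s (CN %s) revoked on %s" % (e["serial"], e["cn"], when))
        elif e["status"] == "V" and e["expires"] <= now:
            findings.append("serial %s (CN %s) expired on %s" % (e["serial"], e["cn"], e["expires"].date()))
    return findings


if __name__ == "__main__":
    for finding in index_findings(SAMPLE_INDEX, "2010-01-01"):
        print(finding)
```

On a real server, pass the contents of keys/index.txt to index_findings. With openssl's default unique_subject = yes, the CA itself refuses a second certificate for a subject that is still valid (the "TXT_DB error number 2" failure from openssl ca), so a duplicate in the index normally means that setting was relaxed or the earlier certificate was revoked first, which is what the revoked client2 record in the sample illustrates.
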

III. Installing the OpenVPN GUI for Windows client

  1. Install OpenVPN GUI for Windows, downloaded from http://openvpn.se. The current version is 1.0.3. Note: the OpenVPN GUI version must match the OpenVPN server version; see the note in section I, installation environment.
  2. Follow the on-screen instructions to install OpenVPN GUI.
  3. Configure OpenVPN GUI

    After installation, go to the config directory under the installation folder, download the client.conf created in step 10 above from the server into this folder, and rename it client.ovpn

    Also extract the following certificate files from the mykeys.tar packed in step 8 into this folder:

    Code:

    ca.crt 
    client1.crt 
    client1.csr 
    client1.key 
    Then double-click client.ovpn to start OpenVPN, or start the VPN from the OpenVPN GUI controls.

    If double-clicking client.ovpn does nothing, right-click the OpenVPN GUI icon in the tray, choose Edit Config, copy the contents in and save. Then choose Connect from the right-click menu.

    To use the VPN on a second machine, do the same configuration, just replacing client1.crt, client1.csr and client1.key with the corresponding client2.xxx files, and change the matching key file entries in client.ovpn.

IV. OpenVPN sample configuration files

  1. OpenVPN server: server.conf

    Code:

    local 70.8.7.6 
    port 1194 
    proto udp 
    
    dev tun 
    
    ca /openvpn-2.0.5/easy-rsa/keys/ca.crt 
    cert /openvpn-2.0.5/easy-rsa/keys/server.crt 
    key /openvpn-2.0.5/easy-rsa/keys/server.key  # This file should be kept secret 
    dh /openvpn-2.0.5/easy-rsa/keys/dh1024.pem 
    
    server 10.8.0.0 255.255.255.0 
    
    client-to-client 
    keepalive 10 120 
    
    comp-lzo 
    
    persist-key 
    persist-tun 
    status /openvpn-2.0.5/easy-rsa/keys/openvpn-status.log 
    verb 4 
    
    push "dhcp-option DNS 10.8.0.1" 
    push "dhcp-option DNS 70.88.98.10"  # name server address; how to find it is explained below 
    push "dhcp-option DNS 70.88.99.11"  # name server address; how to find it is explained below 
    Note: some domains are blocked by the GFW; to reach those sites, the server's DNS should be pushed to the client. The DNS IPs in the example above, 70.88.98.10 and 70.88.99.11, can be found in /etc/resolv.conf. Code:
    vi /etc/resolv.conf 
    nameserver   70.88.98.10 
    nameserver   70.88.99.11 
  2. OpenVPN client: client.ovpn

    Code:

    client 
    
    dev tun 
    proto udp 
    
    remote 70.8.7.6 1194 
    
    persist-key 
    persist-tun 
    ca ca.crt 
    cert client1.crt 
    key client1.key 
    ns-cert-type server 
    comp-lzo 
    verb 3 
    
    redirect-gateway def1 
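
To sanity-check these two files before starting OpenVPN, here is an added Python example (not code from the original notes) that parses OpenVPN's directive-per-line format, including quoted push arguments and trailing comments, and reports missing directives, external scripts configured without script-security, and a client that does not verify the server certificate type. The two configs inside it are constructed from the samples above; the client one deliberately leaves out ns-cert-type server so that the check has something to report:

```python
"""Parse OpenVPN config files and check the directives the notes rely on.
Added example, not code from the original notes.  SERVER_CONF and
CLIENT_CONF are constructed from the samples in section IV."""
import os
import re
import stat

SERVER_CONF = """\
local 70.8.7.6
port 1194
proto udp
dev tun
ca /openvpn-2.0.5/easy-rsa/keys/ca.crt
cert /openvpn-2.0.5/easy-rsa/keys/server.crt
key /openvpn-2.0.5/easy-rsa/keys/server.key  # This file should be kept secret
dh /openvpn-2.0.5/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 4
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 70.88.98.10"
push "dhcp-option DNS 70.88.99.11"
"""

CLIENT_CONF = """\
client
dev tun
proto udp
remote 70.8.7.6 1194
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
redirect-gateway def1
"""

# Directives that make OpenVPN run an external program; 2.1 and later refuse
# them unless script-security is set (see section IX of the notes).
SCRIPT_DIRECTIVES = {"auth-user-pass-verify", "up", "down", "client-connect",
                     "client-disconnect", "learn-address", "tls-verify", "route-up"}


def parse_openvpn_config(text):
    """Return [(directive, [args])].  '#' or ';' starts a comment when it is at
    the start of the line or preceded by whitespace; double-quoted arguments
    keep their inner spaces (push "dhcp-option DNS 10.8.0.1" is one argument)."""
    entries = []
    for raw in text.splitlines():
        line = re.split(r"(?:^|\s)[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        tokens = [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', line)]
        entries.append((tokens[0], tokens[1:]))
    return entries


def pushed_dns(entries):
    """DNS servers handed to clients through push "dhcp-option DNS <ip>"."""
    return [args[0].split()[2] for name, args in entries
            if name == "push" and args and args[0].startswith("dhcp-option DNS ")]


def check_server_config(text):
    entries = parse_openvpn_config(text)
    names = {name for name, _ in entries}
    findings = []
    for required in ("ca", "cert", "key", "dh", "server"):
        if required not in names:
            findings.append("missing directive: " + required)
    if names & SCRIPT_DIRECTIVES and "script-security" not in names:
        findings.append("external scripts configured but no script-security line "
                        "(OpenVPN 2.1+ refuses to run them; add script-security 2 or 3)")
    if not pushed_dns(entries):
        findings.append("no DNS pushed to clients; blocked domains will be resolved locally")
    return findings


def check_client_config(text):
    entries = parse_openvpn_config(text)
    names = {name for name, _ in entries}
    findings = []
    for required in ("client", "remote", "ca", "cert", "key"):
        if required not in names:
            findings.append("missing directive: " + required)
    if "ns-cert-type" not in names and "remote-cert-tls" not in names:
        findings.append("server certificate type not checked: add 'ns-cert-type server' "
                        "(or 'remote-cert-tls server' on 2.1+) so another client's "
                        "certificate cannot pose as the server")
    return findings


def key_mode_is_private(mode):
    """True when a private key's file mode grants nothing to group or other (e.g. 0600)."""
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def key_file_is_private(path):
    return key_mode_is_private(os.stat(path).st_mode & 0o777)
```

key_file_is_private applies the "This file should be kept secret" comment to the file mode: a server.key readable by group or other should get chmod 600 before the keys directory is tarred up and copied anywhere. The remote-cert-tls directive mentioned in the client finding is the OpenVPN 2.1 successor of ns-cert-type.
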

V. Configuring OpenVPN for Internet access

  1. Enable routing. After the VPN connection is up, routing still has to be set up before the Internet can be reached through the VPN. On the Linux host add the following rule. Code:
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 70.8.7.6 
    /etc/init.d/iptables save 
    /etc/init.d/iptables restart 
    The -o eth0 parameter may differ between machines; run ifconfig to find out which interface carries the IP (70.8.7.6).

    IP forwarding also has to be switched on. Do not use echo 1 > /proc/sys/net/ipv4/ip_forward; that setting is lost after a reboot. First check the current values:

    Code:

    
    sysctl -a | grep for 
    # result: 
    net.ipv4.conf.tun0.mc_forwarding = 0 
    net.ipv4.conf.tun0.forwarding = 1 
    net.ipv4.conf.eth0.mc_forwarding = 0 
    net.ipv4.conf.eth0.forwarding = 1 
    net.ipv4.conf.lo.mc_forwarding = 0 
    net.ipv4.conf.lo.forwarding = 1 
    net.ipv4.conf.default.mc_forwarding = 0 
    net.ipv4.conf.default.forwarding = 1 
    net.ipv4.conf.all.mc_forwarding = 0 
    net.ipv4.conf.all.forwarding = 1 
    net.ipv4.ip_forward = 1 
    If these values on your host are not 1, change them to 1, for example:

    Code:

    sysctl -w net.ipv4.ip_forward=1 
    and so on for the others.
  2. Enable a name server

    If you need to reach sites whose domains have been blocked by the GFW, and your OpenVPN server itself is not blocked, then run a name server on your host and push its DNS to the client. Dedicated hosts usually come with a private DNS server.

    Code:

    rpm -qa | grep bind 
    /etc/init.d/named start 
    Also make sure server.conf contains these three entries:

    Code:

    push "dhcp-option DNS 10.8.0.1" 
    push "dhcp-option DNS 70.88.98.10"  # name server address 
    push "dhcp-option DNS 70.88.99.11"  # name server address 
    Once the client has connected, running ipconfig /all in cmd should give output similar to this:

    Code:

    Ethernet adapter Local Area Connection 3: 
            Connection-specific DNS Suffix  . : 
            Description . . . . . . . . . . . : TAP-Win32 Adapter V8 
            Physical Address. . . . . . . . . : 00-FF-AA-B0-60-2B 
            Dhcp Enabled. . . . . . . . . . . : Yes 
            Autoconfiguration Enabled . . . . : Yes 
            IP Address. . . . . . . . . . . . : 10.8.0.6 
            Subnet Mask . . . . . . . . . . . : 255.255.255.252 
            Default Gateway . . . . . . . . . : 10.8.0.5 
            DHCP Server . . . . . . . . . . . : 10.8.0.5 
            DNS Servers . . . . . . . . . . . : 10.8.0.1 
                                                70.88.98.10 
                                                70.88.99.11 
            Lease Obtained. . . . . . . . . . : 2006年5月25日 5:13:52 
            Lease Expires . . . . . . . . . . : 2007年5月25日 5:13:52 
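
To confirm the client side of this mechanically, here is an added Python example (not from the original notes) that parses ipconfig /all output in the layout above, picks out the TAP-Win32 adapter, and compares its DNS list with the push lines of server.conf; the continuation lines of the DNS Servers field are the edge case it handles. Both inputs are constructed (the MAC address and the second adapter are placeholders):

```python
"""Verify that the TAP adapter received the DNS servers pushed by the server,
by parsing 'ipconfig /all' output.  Added example, not from the original
notes.  SERVER_PUSH mirrors the three push lines above; IPCONFIG_OUTPUT is
constructed in the Windows XP layout (placeholder MAC, placeholder LAN NIC)."""
import re

SERVER_PUSH = """\
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 70.88.98.10"
push "dhcp-option DNS 70.88.99.11"
"""

IPCONFIG_OUTPUT = """\
Ethernet adapter Local Area Connection 3:
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : TAP-Win32 Adapter V8
        Physical Address. . . . . . . . . : 00-FF-00-00-00-01
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.8.0.6
        Subnet Mask . . . . . . . . . . . : 255.255.255.252
        Default Gateway . . . . . . . . . : 10.8.0.5
        DHCP Server . . . . . . . . . . . : 10.8.0.5
        DNS Servers . . . . . . . . . . . : 10.8.0.1
                                            70.88.98.10
                                            70.88.99.11
Ethernet adapter Local Area Connection:
        Description . . . . . . . . . . . : Placeholder LAN adapter
        IP Address. . . . . . . . . . . . : 192.168.1.10
        DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# "Ethernet adapter Local Area Connection 3:" opens a new adapter section.
ADAPTER = re.compile(r"^(\S.*?):\s*$")
# "        IP Address. . . . : 10.8.0.6"  ->  ("IP Address", "10.8.0.6")
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z\- ]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}.  A field's value list continues on
    indented lines that carry no field name, which is how ipconfig prints
    several DNS servers (IPv4 values only; an IPv6 continuation would need
    a colon-aware rule)."""
    adapters, current, field = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ADAPTER.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {})
            field = None
            continue
        m = FIELD.match(line)
        if m and current is not None:
            field = m.group(1)
            current[field] = [m.group(2)] if m.group(2) else []
        elif field is not None and line.startswith(" "):
            current[field].append(line.strip())
    return adapters


def tap_adapter(adapters):
    """Name of the adapter whose Description names the OpenVPN TAP driver."""
    for name, fields in adapters.items():
        if any("TAP-Win32" in value for value in fields.get("Description", [])):
            return name
    return None


def dns_from_push(conf_text):
    """DNS addresses from push "dhcp-option DNS <ip>" lines of a server config."""
    return re.findall(r'^push\s+"dhcp-option DNS (\S+)"', conf_text, re.M)


def check_pushed_dns(conf_text, ipconfig_text):
    """Return (missing_on_client, unexpected_on_client) for the TAP adapter."""
    adapters = parse_ipconfig(ipconfig_text)
    name = tap_adapter(adapters)
    if name is None:
        raise ValueError("no TAP-Win32 adapter: the tunnel is not up or the driver is not installed")
    expected = dns_from_push(conf_text)
    got = adapters[name].get("DNS Servers", [])
    return [ip for ip in expected if ip not in got], [ip for ip in got if ip not in expected]


if __name__ == "__main__":
    print(check_pushed_dns(SERVER_PUSH, IPCONFIG_OUTPUT))
```

An empty pair means the pushed list arrived intact. A non-empty "unexpected" list usually means the adapter still holds DNS servers from an earlier lease, and a missing TAP adapter is the "There are no TAP-Win32 adapters on this system" case from the client log.
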

VI. Starting OpenVPN automatically after the server reboots

Run:

Code:

vi /etc/rc.local 
Then append this line at the end:

Code:

/usr/local/sbin/openvpn --config /usr/local/etc/server.conf > /dev/null 2>&1 & 

VII. Testing OpenVPN

Once logged in over the VPN you can test network applications such as MSN, QQ and IE, and try some sites blocked by the GFW, provided of course that your VPN server is outside the country.

VIII. Important caveats when using OpenVPN

It is not advisable to log in to PayPal or Google AdSense accounts over the VPN; doing so may get the account restricted or bring other risks.

IX. Addenda

Addendum 2011.01.11: after upgrading CentOS with yum -y update today, I found OpenVPN would no longer connect, always reporting a user verification error. Checking the server log turned up the following:

Thu Feb 10 11:13:07 2011 us=3362 222.244.***.**:45771 TLS: Initial packet from 222.244.***.**:45771, sid=eec450eb 8673ceef

Thu Feb 10 11:13:10 2011 us=798063 222.244.***.**:45771 openvpn_execve: external program may not be called unless '--script-security 2' or higher is enabled. Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier. See --help text or man page for detailed info.

Thu Feb 10 11:13:10 2011 us=798127 222.244.***.**:45771 TLS Auth Error: user-pass-verify script failed to execute: /usr/bin/php -q /home/xiaohui/openvpn-manager/admin/openvpn-auth.php

Thu Feb 10 11:13:10 2011 us=798141 222.244.***.**:45771 TLS Auth Error: Auth Username/Password verification failed for peer

It turned out that the yum update had also upgraded OpenVPN from 2.0 to 2.1, and one of the biggest changes in OpenVPN 2.1 is the new script-security parameter. If you install following this tutorial but with OpenVPN 2.1 or later, remember to add this one line to server.conf:

script-security 3
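
Log lines like these are a good case for a small triage script. The following is an added Python example (not from the original notes) that parses OpenVPN server log lines of this shape (timestamp, the us= microsecond field printed at verb 4, an optional peer, the message), classifies the failure, counts it per peer, and maps the pattern to the fix described in this section. The sample log is constructed with documentation addresses, a placeholder script path and a made-up session id:

```python
"""Classify OpenVPN server log lines per peer so that a failing auth script,
a missing script-security setting and plain TLS/connectivity failures can be
told apart.  Added example, not from the original notes.  SAMPLE_LOG is
constructed (documentation addresses, placeholder script path, made-up sid)."""
import re
from collections import Counter

SAMPLE_LOG = """\
Thu Feb 10 11:13:07 2011 us=3362 203.0.113.5:45771 TLS: Initial packet from 203.0.113.5:45771, sid=0123abcd 4567ef89
Thu Feb 10 11:13:10 2011 us=798063 203.0.113.5:45771 openvpn_execve: external program may not be called unless '--script-security 2' or higher is enabled. Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier. See --help text or man page for detailed info.
Thu Feb 10 11:13:10 2011 us=798127 203.0.113.5:45771 TLS Auth Error: user-pass-verify script failed to execute: /usr/bin/php -q /path/to/openvpn-auth.php
Thu Feb 10 11:13:10 2011 us=798141 203.0.113.5:45771 TLS Auth Error: Auth Username/Password verification failed for peer
Thu Feb 10 11:14:02 2011 us=102233 198.51.100.7:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Feb 10 11:14:02 2011 us=102250 198.51.100.7:1194 TLS Error: TLS handshake failed
Thu Feb 10 11:15:30 2011 us=551000 client1/203.0.113.9:2239 MULTI: bad source address from client [203.0.113.9], packet dropped
Thu Feb 10 11:16:00 2011 us=1000 Initialization Sequence Completed
"""

# timestamp, optional "us=<n>" (verb 4), optional peer "[name/]ip:port", message
LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"
    r"(?: us=(?P<us>\d+))?"
    r"(?: (?P<peer>\S+:\d+))?"
    r" (?P<msg>.*)$")

# (substring in the message, category); the first matching rule wins, so the
# specific "TLS Auth Error" is tested before the generic "TLS Error".
RULES = [
    ("external program may not be called unless '--script-security", "script_security"),
    ("TLS Auth Error", "auth_failure"),
    ("VERIFY ERROR", "cert_verify_failure"),
    ("TLS Error", "tls_failure"),
    ("MULTI: bad source address", "bad_source"),
]


def classify(msg):
    for needle, category in RULES:
        if needle in msg:
            return category
    return None


def parse_log_line(line):
    """Dict with ts, us, peer, msg, category, or None for lines of another shape."""
    m = LINE.match(line)
    if not m:
        return None
    record = m.groupdict()
    record["category"] = classify(record["msg"])
    return record


def summarize(text):
    """{peer: {category: count}} over every line that classifies as a failure."""
    counts = {}
    for line in text.splitlines():
        record = parse_log_line(line)
        if record and record["category"]:
            counts.setdefault(record["peer"], Counter())[record["category"]] += 1
    return {peer: dict(c) for peer, c in counts.items()}


def advice(summary):
    """Operator-side reading of the summary, in the terms this section uses."""
    categories = {cat for per_peer in summary.values() for cat in per_peer}
    tips = []
    if "script_security" in categories:
        tips.append("add 'script-security 2' or 'script-security 3' to server.conf: "
                    "OpenVPN 2.1+ refuses to run the auth script without it, so every "
                    "login fails regardless of the password")
    elif "auth_failure" in categories:
        tips.append("the auth script ran and rejected the credentials; check the "
                    "user/password source before suspecting the server")
    if "tls_failure" in categories:
        tips.append("no TLS handshake at all: check port 1194 reachability, firewall and NAT port forward")
    if "bad_source" in categories:
        tips.append("a client sends packets from a source address OpenVPN has not assigned "
                    "or routed to it; the packets are dropped")
    return tips


if __name__ == "__main__":
    for tip in advice(summarize(SAMPLE_LOG)):
        print(tip)
```

Feed summarize the server's own log output (with verb 4 each line carries the us= field shown above; the status file named by the status directive is a different format). The ordering of RULES matters: the script-security line and the two TLS Auth Error lines belong to the same failed login, and the script-security tip takes precedence because it explains the auth failures.
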

Related articles:

How to revoke a client certificate on a Linux OpenVPN server

Tags: VPN | Linux | OpenVPN | DNS

Comments

#1  Posted 2007-06-28 12:23 | all comments by Rony
Very detailed. Many thanks.

#2  Posted 2008-09-10 11:48 | all comments by 拉拉
Thanks

#3  Posted 2008-09-12 21:47 | all comments by flintt
After the terminal that started openvpn is closed, the server side seems to stop the VPN service

#4  Posted 2008-09-19 17:23 | all comments by rrt
There are obvious flaws. I'll ask just one thing: OP, did you actually follow your own document to the letter?

What was the result?


I very much doubt your iptables NAT setup.
Reply, 2008-09-19 19:37:
If there is a mistake, please point it out. :)

Sometimes I can't remember the settings and just follow these notes directly. I've set up no fewer than ten VPN servers from this document.

#5  Posted 2008-11-07 09:21 | all comments by gniudad
Not bad, thanks.
I've also set up more than 10 from this document. Haha.
Only, where the text says: "If these values on your host are not 1, change them to 1, for example:

Code:

sysctl -w net.ipv4.ip_forward=1

and so on."
I thought all of them had to be changed to 1, but it seems only the last item needs to be set to 1.

#6  Posted 2008-12-12 10:01 | all comments by tt
Why do I get an error at the step "# Build the server key. Code: Code: ./build-key-server server":
error loading extension section server. Please advise.
Reply, 2008-12-15 14:34:

Sorry, I only saw your email today.

I haven't run into that error. Are you sure your environment variables, software version and directory layout are all as I described?

I just searched Google; have a look here:

http://episteme.arstechnica.com/eve/forums/a/tpc/f/96509133/m/732009283831

Note the last post in the thread; he says he solved the problem. See whether it helps.


#7  Posted 2008-12-25 11:00 | all comments by marion
What is the point of making several public/private key pairs?
Why not use duplicate-cn?

#8  Posted 2009-01-16 14:08 | all comments by zengw
I got to this step:
cd /openvpn-2.0.5/easy-rsa
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=GD
export KEY_CITY=SZ
export KEY_ORG="dvdmaster"
export KEY_EMAIL="support@cooldvd.com"
./clean-all
and it showed
mkdir:无法创建目录'pwd/keys': 没有那个文件或目录
Reply, 2009-01-17 19:12:
Which version of OpenVPN are you using?

#9  Posted 2009-01-18 11:33 | all comments by zengw
OpenVPN is 2.0.9, LZO is 2.02, Linux is Red Hat 9 with kernel 2.4.20; the virtual machine is version 5.5.1;
Reply, 2009-01-18 12:21:
Try creating those directories by hand first. I haven't played with OpenVPN 2.0.9. Installing 2.0.5 with the steps in the article works without problems.

#10  Posted 2009-01-18 11:42 | all comments by zengw
Here are my commands and the error output:
[root@localhost openvpn-2.0.9]# cd easy-rsa/
[root@localhost easy-rsa]# ls
2.0 build-key build-req make-crl revoke-crt Windows
build-ca build-key-pass build-req-pass openssl.cnf revoke-full
build-dh build-key-pkcs12 clean-all pwd sign-req
build-inter build-key-server list-crl README vars
[root@localhost easy-rsa]# pwd
/openvpn-2.0.9/easy-rsa
[root@localhost easy-rsa]# ./clean-all
you must define KEY_DIR
[root@localhost easy-rsa]# export D='pwd'
[root@localhost easy-rsa]# export KEY_CONFIG=$D/openssl.cnf
[root@localhost easy-rsa]# export KEY_DIR=$D/keys
[root@localhost easy-rsa]# export KEY_SIZE=1024
[root@localhost easy-rsa]# export KEY_COUNTRY=CN
[root@localhost easy-rsa]# export KEY_PROVINCE=GD
[root@localhost easy-rsa]# export KEY_CITY=SZ
[root@localhost easy-rsa]# export KEY_ORG="dvdmaster"
[root@localhost easy-rsa]# export KEY_EMAIL="support@cooldvd.com"
[root@localhost easy-rsa]# ./vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on pwd/keys
[root@localhost easy-rsa]# ./clean-all
[root@localhost easy-rsa]# ./build-ca
error on line -1 of pwd/openssl.cnf
1984:error:02001002:system library:fopen:No such file or directory:bss_file.c:104:fopen('pwd/openssl.cnf','rb')
1984:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:107:
1984:error:0E064072:configuration file routines:CONF_load:no such file:conf_def.c:197:[root@localhost easy-rsa]#

#11  Posted 2009-01-19 10:15 | all comments by zengw
Could you send me an OpenVPN 2.0.5 install package? I can't find it online anymore
Reply, 2009-01-20 15:07:
http://openvpn.net/release/

#12  Posted 2009-01-20 17:06 | all comments by zengw
Problem solved, thanks!

#13  Posted 2009-02-05 04:54 | all comments by harley_chen
I've set up iptables IP masquerading too, but after the VPN connects I still can't get online; I can't ping external hosts...

NAT is enabled too...

No luck

#14  Posted 2009-02-10 11:39 | all comments by zengw
I skipped the /etc/init.d/named start step. After finishing, I dialed in from a Windows VPN client to the VMware box successfully and could get online, but another PC at the company can dial in yet cannot get online, even though the IP and DNS it receives are normal! Is this related to skipping /etc/init.d/named start? But the Windows on the same PC as the VMware box can get online!

#15  Posted 2009-02-20 20:12 | all comments by ks
I'm using FreeBSD and Windows XP; both are configured and installed, and the client gets an IP, but they cannot ping each other
I've configured the local address in the server config file; ifconfig on the server shows
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
inet 192.168.10.1 --> 192.168.10.2 netmask 0xffffffff
Pinging 192.168.10.1 on the server itself also fails
ipconfig on the client shows a normal IP, just no gateway
What could be the reason?
Reply, 2009-02-21 00:02:
What is your local LAN's IP range? Does the range assigned by the server conflict with the one used on the local LAN?

#16  Posted 2009-02-25 21:09 | all comments by poppy
During the OpenVPN install I ran into this problem:
#modprobe tun
FATAL: Could not load /lib/modules/2.6.18-ovz028stab053.5-smp/modules.dep: No such file or directory

and /lib/modules/ is empty..
I checked
# lsmod
Module Size Used by
no tun device~~
# modinfo tun
modinfo: could not open /lib/modules/2.6.18-ovz028stab053.5-smp/modules.dep

Frustrating.. Has the system not loaded the tun device? Or do I need to enable it somewhere?
How do I solve this tun device problem.. thanks

#17  Posted 2009-02-25 22:39 | all comments by kingstar
I only installed OpenVPN after reading this article; to be safe, I downloaded exactly the 2.0.5 version used in the OP's example.

Installed successfully on my host at theplanet. Finally over the wall.

Thanks XH.

#18  Posted 2009-03-29 12:31 | all comments by SanGe
Only just saw this. Bumping it too. :)

#19  Posted 2009-03-29 22:44 | all comments by FlyFire
XiaoHui, did you write a hook that syncs the site's article comments with the forum replies?

I see many forum replies marked "posted via the XiaoHui.com comment system". :)

#20  Posted 2009-03-29 23:28 | all comments by XiaoHui
Quoting FlyFire, posted 2009-3-29 21:44:
XiaoHui, did you write a hook that syncs the site's article comments with the forum replies?

I see many forum replies marked "posted via the XiaoHui.com comment system". :)


Nod. I built a link: if a topic discussed on the forum is an article published on the site, a link is created, and a scheduled job then syncs the site's comments with the forum replies.

#21  Posted 2009-05-06 09:53 | all comments by 王菲菲
What does success actually look like? This is my first time using Linux and my first time setting up a VPN. Thanks! How do I test whether it succeeded.
Reply, 2009-05-08 18:27:
After a successful connection, the OpenVPN GUI icon in the tray changes from dark red to green.

#22  Posted 2009-05-20 23:46 | all comments by 秋天的树
Thanks @_@!

#23  Posted 2009-05-21 22:15 | all comments by pan
My server and client can't connect. On our telecom network several hosts share one IP, and the IP is assigned dynamically; could that be related?
Reply, 2009-05-22 11:56:
Check the log yourself and make sure you are connecting to the correct server.

#24  Posted 2009-05-22 12:29 | all comments by liusir
For those above whose install failed, the differences may come from different OpenVPN versions. I just installed strictly with the OpenVPN version XIAOHUI's document specifies; green lights all the way, success. :)

#25  Posted 2009-05-26 16:38 | all comments by pan
I want to run a Red Hat virtual machine under Windows, with Red Hat as the server and Windows as the client, but they share one IP and it is assigned dynamically; can OpenVPN be set up between them like this?
What should local in server.conf be?
Reply, 2009-05-26 20:54:
Don't know, haven't tried.
The VM should be able to get a different IP.

#26  Posted 2009-05-29 12:29 | all comments by luo
How can OpenVPN join two LANs in different regions into one LAN? That is, two companies in different cities, two Linux boxes in a point-to-point link, and the clients behind them can reach each other?

#27  Posted 2009-05-29 16:59 | all comments by luo
With the OP's configuration, WinXP connecting to OpenVPN keeps reporting 'connecting to client has failed'; below is the client log. OP, please have a look
Fri May 29 15:03:43 2009 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov 2 2005
Fri May 29 15:03:43 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri May 29 15:03:43 2009 LZO compression initialized
Fri May 29 15:03:43 2009 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri May 29 15:03:43 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Fri May 29 15:03:43 2009 Local Options hash (VER=V4): '69109d17'
Fri May 29 15:03:43 2009 Expected Remote Options hash (VER=V4): 'c0103fa8'
Fri May 29 15:03:43 2009 Attempting to establish TCP connection with 192.168.1.222:1194
Fri May 29 15:03:43 2009 TCP connection established with 192.168.1.222:1194
Fri May 29 15:03:43 2009 TCPv4_CLIENT link local: [undef]
Fri May 29 15:03:43 2009 TCPv4_CLIENT link remote: 192.168.1.222:1194
Fri May 29 15:03:43 2009 TLS: Initial packet from 192.168.1.222:1194, sid=9e2dc9b0 29a67f10
Fri May 29 15:03:43 2009 VERIFY OK: depth=1, /C=CN/ST=GD/L=SZ/O=kemei/OU=kemei/CN=server/emailAddress=system-one@163.com
Fri May 29 15:03:43 2009 VERIFY OK: nsCertType=SERVER
Fri May 29 15:03:43 2009 VERIFY OK: depth=0, /C=CN/ST=GD/O=kemei/OU=kemei/CN=server/emailAddress=system-one@163.com
Fri May 29 15:03:43 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri May 29 15:03:43 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 29 15:03:43 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri May 29 15:03:43 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 29 15:03:43 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri May 29 15:03:43 2009 [server] Peer Connection Initiated with 192.168.1.222:1194
Fri May 29 15:03:45 2009 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Fri May 29 15:03:45 2009 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.8.0.1,route 10.8.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Fri May 29 15:03:45 2009 OPTIONS IMPORT: timers and/or timeouts modified
Fri May 29 15:03:45 2009 OPTIONS IMPORT: --ifconfig/up options modified
Fri May 29 15:03:45 2009 OPTIONS IMPORT: route options modified
Fri May 29 15:03:45 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri May 29 15:03:45 2009 There are no TAP-Win32 adapters on this system. You should be able to create a TAP-Win32 adapter by going to Start -> All Programs -> OpenVPN -> Add a new TAP-Win32 virtual ethernet adapter.
Fri May 29 15:03:45 2009 Exiting
Reply, 2009-05-30 00:05:
>> Fri May 29 15:03:45 2009 There are no TAP-Win32 adapters on this system. You should be able to create a TAP-Win32 adapter by going to Start -> All Programs -> OpenVPN -> Add a new TAP-Win32 virtual ethernet adapter
Judging by this log line, it looks like your TAP driver didn't get installed?

#28  Posted 2009-05-30 12:21 | all comments by luo
I've solved the problem above. The cause was that I had downloaded the wrong for-Windows version, so the virtual adapter wasn't installed. But now there's another problem: I can dial in, but how do I access the LAN on the other side?? Currently I can only reach the server itself; what further setup does the server or client need?

#29  Posted 2009-06-03 17:34 | all comments by xukai
Wed Jun 03 13:40:30 2009 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov 2 2005
Wed Jun 03 13:40:30 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Jun 03 13:40:30 2009 Cannot load certificate file xukai.crt: error:02001002:scd: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Wed Jun 03 13:40:30 2009 Exiting
I followed the OP's steps and got an error when connecting; the above is from the log file.
The error is connecting to client has failed.
Reply, 2009-06-03 18:10:
The certificate configuration is wrong.

#30  Posted 2009-06-03 18:21 | all comments by xukai
Wed Jun 03 16:10:32 2009 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov 2 2005
Wed Jun 03 16:10:32 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Jun 03 16:10:32 2009 LZO compression initialized
Wed Jun 03 16:10:32 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jun 03 16:10:32 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jun 03 16:10:32 2009 Local Options hash (VER=V4): '41690919'
Wed Jun 03 16:10:32 2009 Expected Remote Options hash (VER=V4): '530fdded'
Wed Jun 03 16:10:32 2009 UDPv4 link local (bound): [undef]:1194
Wed Jun 03 16:10:32 2009 UDPv4 link remote: 192.168.242.144:1194
Wed Jun 03 16:10:32 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:34 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:37 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:38 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:40 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:42 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:45 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:47 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:50 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:52 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:55 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:56 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:58 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:01 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:03 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:06 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:08 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:11 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:13 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:15 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:17 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:19 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:21 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:24 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:25 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:27 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:29 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:31 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:32 2009 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jun 03 16:11:32 2009 TLS Error: TLS handshake failed
Wed Jun 03 16:11:32 2009 TCP/UDP: Closing socket
Wed Jun 03 16:11:32 2009 SIGUSR1[soft,tls-error] received, process restarting
Wed Jun 03 16:11:32 2009 Restart pause, 2 second(s)
The problem above is solved, but now it keeps doing this; what's going on?
Reply, 2009-06-03 22:32:

There is no physical connectivity between the client and the server. Make sure port 1194 is open and that client and server can ping each other normally. Below is the official OpenVPN explanation; check your setup against it:

You get the error message: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). This error indicates that the client was unable to establish a network connection with the server.

    Solutions:
  • Make sure the client is using the correct hostname/IP address and port number which will allow it to reach the OpenVPN server.
  • If the OpenVPN server machine is a single-NIC box inside a protected LAN, make sure you are using a correct port forward rule on the server's gateway firewall. For example, suppose your OpenVPN box is at 192.168.4.4 inside the firewall, listening for client connections on UDP port 1194. The NAT gateway servicing the 192.168.4.x subnet should have a port forward rule that says forward UDP port 1194 from my public IP address to 192.168.4.4.
  • Open up the server's firewall to allow incoming connections to UDP port 1194 (or whatever TCP/UDP port you have configured in the server config file).

#31  Posted 2009-06-05 17:27 | all comments by luo
After the client connects to the server, it can ping the server's LAN, WAN and tun IPs, but of the computers on the same switch as the server's LAN, some are reachable and some are not; e.g. the IPs 127, 77, 5 and 212 are all reachable, while other IPs are not. I don't know why; is it a routing issue? The netmask received is 255.255.255.252. Also, after dialing in, accessing shares, e.g. the default share c$ on the 77 machine, asks for no username or password and opens directly. I think that's a security problem. May I ask xiaohui what the cause is and how to fix it.
Reply, 2009-06-05 18:06:
I installed the VPN just to get over the wall; I don't know about this situation and haven't tinkered with it. Sorry. :)

#32  Posted 2009-07-10 17:15 | all comments by terry76
A question: I don't know why, but after I VPN in, I can reach the internal network, yet the client does not use the DNS pushed by the server; it still uses the dial-up connection's DNS. The client is Win7.
Reply, 2009-07-11 01:12:
I'm not sure about this; I haven't tested on Win7.

#33  Posted 2009-07-15 12:48 | all comments by lz
Wed Jul 15 10:43:22 2009 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov 2 2005
Wed Jul 15 10:43:22 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Jul 15 10:43:22 2009 Cannot load certificate file lz.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Wed Jul 15 10:43:22 2009 Exiting

Following your configuration it installed fine and the client connected normally. But a few days later I created several more users and they can't connect. The users created first can connect; none of the later ones can. The log is above; could you help analyze the cause? Thanks
Reply, 2009-07-15 15:20:
You're using certificate verification, right? The message says your certificate is the problem: lz.crt fails to load. Since it connected before, redo the certificate following the earlier steps and make sure the client config file specifies the correct certificate file name.

#34  Posted 2009-07-15 18:58 | all comments by lz
Yes, certificate verification. The certificate was generated the same way as before, and the client config file was changed too. Is there anything special to watch for when generating a client with ./build-key? Besides ./build-key, does anything else need to run? Also, when generating the client it said "you must define KEY_DIR"; after running the export commands from your document once, it worked.
Client config:
client
dev tun
proto udp
remote 192.168.0.20 1194
persist-key
persist-tun
ca ca.crt
cert lz.crt
key lz.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
Reply, 2009-07-15 19:04:
I haven't touched OpenVPN for a long time and can't recall the technical details, and I don't have time to analyze it right now. Since your first generation was correct and the later ones were not, there must be an error or omission in the later steps. Look again carefully and rule out causes. Or regenerate all the certificates (including the server certificate).
During installation and configuration it's best to record every command you run; that makes later troubleshooting or issuing new certificates easier.

#35  Posted 2009-07-16 18:41 | all comments by rinkey
WRwRThu Jul 16 16:36:24 2009 us=921733 client1/202.127.207.101:2239 MULTI: bad source address from client [202.127.207.101], packet dropped
When a client connects, the server log has many records like this; what does it mean, and how to fix it
Reply, 2009-07-16 21:13:
I haven't seen this error. I looked it up; there is an article online with a solution for it, for your reference:
Openvpn – MULTI: bad source address from client – solution
And on OpenVPN's own newsgroup there is a discussion about it:
[Openvpn-users] MULTI: bad source address from client...packet dropped

#36  Posted 2009-07-16 21:30 | all comments by rinkey
The OpenVPN server has two NICs: eth0 with a public IP, eth1 as the internal gateway IP, with NAT configured. Before the VPN was started, internal hosts could ping eth1 and the public IP, but once the VPN is up, the internal network can no longer ping them. And the VPN client can't ping internal hosts either. How to fix this?

#37  Posted 2009-07-17 02:52 | all comments by 无名
Since I'm not really familiar with Linux, I basically followed the OP's commands exactly,
and at the end, when starting the VPN, it shows this (only the last part of the output is listed here)
I'm using putty; the last command just sits there and port 1194 doesn't seem to open; very strange, hoping someone can answer
Ideally we could chat on QQ, hehe, this is too inconvenient; q:57112848
Fri Jul 17 01:49:47 2009 us=708255 TUN/TAP device tun0 opened
Fri Jul 17 01:49:47 2009 us=708281 TUN/TAP TX queue length set to 100
Fri Jul 17 01:49:47 2009 us=708312 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Fri Jul 17 01:49:47 2009 us=715115 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Fri Jul 17 01:49:47 2009 us=717906 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Jul 17 01:49:47 2009 us=717952 Socket Buffers: R=[109568->131072] S=[109568->131072]
Fri Jul 17 01:49:47 2009 us=717974 UDPv4 link local (bound): 210.127.253.11:1194
Fri Jul 17 01:49:47 2009 us=717985 UDPv4 link remote: [undef]
Fri Jul 17 01:49:47 2009 us=718003 MULTI: multi_init called, r=256 v=256
Fri Jul 17 01:49:47 2009 us=718036 IFCONFIG POOL: base=10.8.0.4 size=62
Fri Jul 17 01:49:47 2009 us=718069 Initialization Sequence Completed

Comment #38, posted 2009-08-21 20:24 | sail
Fri Aug 21 18:22:36 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Fri Aug 21 18:22:36 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri Aug 21 18:22:36 2009 Cannot load certificate file client.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Fri Aug 21 18:22:36 2009 Exiting
This is on my client; I don't know what's going on.
Reply on 2009-08-21 20:57:
Client certificate error.

Comment #39, posted 2009-08-27 18:54 | 朵朵
Did it following this and succeeded. Thanks xiaohui

Comment #40, posted 2009-09-10 10:46 | 王菲菲
Server-side environment
redhat, kernel version: 2.4.20-31.9, IP is 70.8.7.6

When is "IP is 70.8.7.6" set?

Thanks!
Reply on 2009-09-10 11:09:
It was specified when installing the server OS.

Comment #41, posted 2009-09-12 11:42 | kenny
My installation can finally connect, but after connecting I can't access websites. I also entered echo 1 > /proc/sys/net/ipv4/ip_forward, but it still just won't work. What's going on?
Reply on 2009-09-12 16:21:
Use sysctl -a | grep for to check whether ip_forward is turned on.

Comment #42, posted 2009-09-27 19:40 | 藤苇
Hello, I ran into a problem I can't solve and would like to ask you about it
[root@localhost root]# /usr/local/sbin/openvpn --config /usr/local/etc/server.conf
Sun Sep 27 17:41:12 2009 OpenVPN 2.0.9 i686-pc-linux [SSL] [LZO] built on Sep 27 2009
Sun Sep 27 17:41:12 2009 Cannot open dh1024.pem for DH parameters:error:02001002:system library:fopen:NO such file or directory:error:2006D080:BIO routines:BIO_new_file:no such file
Sun Sep 27 14:41:12 2009 Exiting
What is going on here? Urgent!!!
Reply on 2009-09-27 21:44:
The Diffie-Hellman parameters are missing, or the file location is not set correctly. See the code in step seven: ./build-dh

Comment #43, posted 2009-09-27 23:17 | 藤苇
Hello
./build-dh
I did this step, all following what you said above.
export D=`pwd` is the only step I didn't do.
export KEY_CONFIG=root/openvpn-2.0.9/easy-rsa/openssl.cnf
export KEY_DIR=root/openvpn-2.0.9/easy-rsa/keys

Comment #44, posted 2009-09-27 23:25 | 藤苇
The file dh1024.pem was generated under root/openvpn-2.0.9/easy-rsa/keys.

Comment #45, posted 2009-09-27 23:28 | 藤苇
What does D=`pwd` mean?
Reply on 2009-09-28 10:22:
pwd stands for the current working directory

Comment #46, posted 2009-10-12 12:58 | 藤苇
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap
;dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp
;proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 172.16.37.83 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client1.crt
key client1.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
Server config
#################################################
# Sample OpenVPN 2.0 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine <-> single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# This config should work on Windows #
# or Linux/BSD systems. Remember on #
# Windows to quote pathnames and use #
# double backslashes, e.g.: #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
# #
# Comments are preceded with '#' or ';' #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
proto tcp
;proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap
;dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /root/openvpn-2.0.9/easy-rsa/keys/ca.crt
cert /root/openvpn-2.0.9/easy-rsa/keys/server.crt
key /root/openvpn-2.0.9/easy-rsa/keys/server.key # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /root/openvpn-2.0.9/easy-rsa/keys/dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.0.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.11.0 255.255.255.0"
;push "route 192.168.13.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
client-config-dir /usr/local/etc/ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
client-config-dir /usr/local/etc/ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel. Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
;push "redirect-gateway"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nobody

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /root/openvpn-2.0.9/easy-rsa/keys/openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log openvpn.log
;log-append openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20


The OpenVPN server is Red Hat Linux
The clients are Windows Server 2000 with two NICs and RIP enabled
server ip: 172.16.37.83, virtual IP 10.0.0.1;
client1 ip: 172.16.37.110, 192.168.11.1, virtual IP 10.0.0.5;
client2 ip: 172.16.19.22, 192.168.12.1, virtual IP 10.0.0.13;
From the server I can ping 10.0.0.1 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1; cannot ping 10.0.0.5 10.0.0.13
From client1 I can ping 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1 10.0.0.5 10.0.0.13; cannot ping 10.0.0.1

From client2 I can ping 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1 10.0.0.5 10.0.0.13; cannot ping 10.0.0.1
OP, where is the problem here? Please, please
Reply on 2009-10-12 18:47:
Tooooooo looooooooog, it makes me dizzy and is hard to compare. Could you remove the # comments and post it again?
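The reply above asks for the configs with comments stripped so the two sides can be compared. The following is an added example (not code from the post, nor from OpenVPN) that does that comparison on constructed samples cut down from the configs in #46: it strips `#`/`;` comments, then checks the points the sample config comments themselves make: `proto`, `dev`, `comp-lzo` and `cipher` must agree on both sides; `tls-auth` uses direction 0 on the server and 1 on the client; `ns-cert-type server` on the client is what the "No server certificate verification method" warning refers to; `user`/`group nobody` drops privileges on Linux; `duplicate-cn` is for testing only; and a directive given twice (as `client-config-dir` is above) is reported.

```python
"""Strip comments from OpenVPN configs and check a server/client pair.
Added example; the sample configs below are constructed from those in #46."""
from typing import Dict, List

SERVER_CONF = """\
port 1194
proto tcp
;proto udp
dev tap
;dev tun
ca /root/openvpn-2.0.9/easy-rsa/keys/ca.crt
cert /root/openvpn-2.0.9/easy-rsa/keys/server.crt
key /root/openvpn-2.0.9/easy-rsa/keys/server.key # This file should be kept secret
dh /root/openvpn-2.0.9/easy-rsa/keys/dh1024.pem
server 10.0.0.0 255.255.255.0
client-config-dir /usr/local/etc/ccd
client-config-dir /usr/local/etc/ccd
;tls-auth ta.key 0 # This file is secret
comp-lzo
;user nobody
;group nobody
verb 3
"""
CLIENT_CONF = """\
client
dev tap
proto tcp
remote 172.16.37.83 1194
ca ca.crt
cert client1.crt
key client1.key
;ns-cert-type server
;tls-auth ta.key 1
comp-lzo
verb 3
"""
# The same pair with the commented-out hardening directives switched on.
HARDENED_SERVER = (SERVER_CONF.replace(";tls-auth", "tls-auth")
                   .replace(";user", "user").replace(";group", "group"))
HARDENED_CLIENT = (CLIENT_CONF.replace(";ns-cert-type", "ns-cert-type")
                   .replace(";tls-auth", "tls-auth"))

# Per the sample config comments, these must be set the same on both sides.
MUST_MATCH = ("proto", "dev", "comp-lzo", "cipher")


def strip_comments(text: str) -> str:
    """Drop '#'/';' comment lines and trailing '# ...' comments, keeping order."""
    kept = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            kept.append(line.split("#", 1)[0].strip())
    return "\n".join(kept)


def parse_config(text: str) -> Dict[str, List[str]]:
    """Active directive name -> list of argument strings (one per occurrence)."""
    directives: Dict[str, List[str]] = {}
    for line in strip_comments(text).splitlines():
        name, _, args = line.partition(" ")
        directives.setdefault(name, []).append(args.strip())
    return directives


def check_pair(server_text: str, client_text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    s, c = parse_config(server_text), parse_config(client_text)
    problems: List[str] = []
    for d in MUST_MATCH:
        sv, cv = s.get(d), c.get(d)
        if (sv is None) != (cv is None) or (sv and cv and sv[0] != cv[0]):
            problems.append(f"{d}: server={sv} client={cv} (must match)")
    if "tls-auth" in s and "tls-auth" in c:
        if not (s["tls-auth"][0].endswith(" 0") and c["tls-auth"][0].endswith(" 1")):
            problems.append("tls-auth: direction must be 0 on the server, 1 on the client")
    elif "tls-auth" in s or "tls-auth" in c:
        problems.append("tls-auth: configured on one side only")
    else:
        problems.append("server: tls-auth not enabled (no HMAC check on the control channel)")
    if "ns-cert-type" not in c:
        problems.append("client: ns-cert-type server missing (server cert not checked)")
    if "user" not in s or "group" not in s:
        problems.append("server: user/group nobody not set (daemon keeps root after init)")
    if "duplicate-cn" in s:
        problems.append("server: duplicate-cn set (testing only)")
    for name, args in s.items():
        if len(args) > 1:
            problems.append(f"server: {name} given {len(args)} times")
    return problems


if __name__ == "__main__":
    print(strip_comments(SERVER_CONF))
    for p in check_pair(SERVER_CONF, CLIENT_CONF):
        print("-", p)
```

Run it against real files by passing `open(path).read()` for each side; `HARDENED_SERVER`/`HARDENED_CLIENT` show that once the commented-out directives are enabled only the duplicated `client-config-dir` line is left to report.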

Comment #47, posted 2009-10-12 19:23 | 藤苇
client
dev tap
;dev tun
;dev-node MyTap
proto tcp
;proto udp
remote 172.16.37.83 1194
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca ca.crt
cert client1.crt
key client1.key
;ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
Server config
;local a.b.c.d
port 1194
proto tcp
;proto udp
dev tap
;dev tun
;dev-node MyTap
ca /root/openvpn-2.0.9/easy-rsa/keys/ca.crt
cert /root/openvpn-2.0.9/easy-rsa/keys/server.crt
key /root/openvpn-2.0.9/easy-rsa/keys/server.key # This file should be kept secret
dh /root/openvpn-2.0.9/easy-rsa/keys/dh1024.pem
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;push "route 192.168.11.0 255.255.255.0"
;push "route 192.168.13.0 255.255.255.0"
client-config-dir /usr/local/etc/ccd
;route 192.168.40.128 255.255.255.248
client-config-dir /usr/local/etc/ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status /root/openvpn-2.0.9/easy-rsa/keys/openvpn-status.log
;log openvpn.log
;log-append openvpn.log
verb 3
;mute 20


The OpenVPN server is Red Hat Linux
The clients are Windows Server 2000 with two NICs and RIP enabled
server ip: 172.16.37.83, virtual IP 10.0.0.1;
client1 ip: 172.16.37.110, 192.168.11.1, virtual IP 10.0.0.5;
client2 ip: 172.16.19.22, 192.168.12.1, virtual IP 10.0.0.13;
From the server I can ping 10.0.0.1 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1; cannot ping 10.0.0.5 10.0.0.13
From client1 I can ping 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1 10.0.0.5 10.0.0.13; cannot ping 10.0.0.1

From client2 I can ping 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1
192.168.12.1 10.0.0.5 10.0.0.13; cannot ping 10.0.0.1
OP, where is the problem here? Please, please. My QQ is 137294593, add me. Thanks

Comment #48, posted 2009-10-12 19:23 | 藤苇
client
dev tap
;dev tun
;dev-node MyTap
proto tcp
;proto udp
remote 172.16.37.83 1194
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca ca.crt
cert client1.crt
key client1.key
;ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
Server config
;local a.b.c.d
port 1194
proto tcp
;proto udp
dev tap
;dev tun
;dev-node MyTap
ca /root/openvpn-2.0.9/easy-rsa/keys/ca.crt
cert /root/openvpn-2.0.9/easy-rsa/keys/server.crt
key /root/openvpn-2.0.9/easy-rsa/keys/server.key # This file should be kept secret
dh /root/openvpn-2.0.9/easy-rsa/keys/dh1024.pem
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;push "route 192.168.11.0 255.255.255.0"
;push "route 192.168.13.0 255.255.255.0"
client-config-dir /usr/local/etc/ccd
;route 192.168.40.128 255.255.255.248
client-config-dir /usr/local/etc/ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status /root/openvpn-2.0.9/easy-rsa/keys/openvpn-status.log
;log openvpn.log
;log-append openvpn.log
verb 3
;mute 20


The OpenVPN server is Red Hat Linux
The clients are Windows Server 2000 with two NICs and RIP enabled
server ip: 172.16.37.83, virtual IP 10.0.0.1;
client1 ip: 172.16.37.110, 192.168.11.1, virtual IP 10.0.0.5;
client2 ip: 172.16.19.22, 192.168.12.1, virtual IP 10.0.0.13;
From the server I can ping 10.0.0.1 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1; cannot ping 10.0.0.5 10.0.0.13 192.168.11.1 192.168.12.1
From client1 I can ping 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1 10.0.0.5 10.0.0.13; cannot ping 10.0.0.1

From client2 I can ping 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1
192.168.12.1 10.0.0.5 10.0.0.13; cannot ping 10.0.0.1
OP, where is the problem here? Please, please. My QQ is 137294593, add me. Thanks

Comment #49, posted 2009-10-12 20:07 | 藤苇
A correction to the line above, "From the server I can ping 10.0.0.1 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1; cannot ping 10.0.0.5 10.0.0.13":
it should be: from the server I can ping 10.0.0.1 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1; cannot ping 10.0.0.5 10.0.0.13 192.168.11.1 192.168.12.1
Reply on 2009-10-12 21:27:
I took a look; the config looks normal. There are a few parameters I have never used, such as client-config-dir. You can refer to the sample files in section four of my article and get it working with the simplest configuration first.

If it connects but ping fails, check whether iptables is configured. See section five.

Comment #50, posted 2009-10-12 21:45 | 藤苇
It can connect but ping fails.
How should the network configuration in Red Hat Linux be set up?

Comment #51, posted 2009-10-12 22:51 | 藤苇
Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-1998 Microsoft Corp.

C:\Documents and Settings\Administrator>ipconfig/all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : 2000serv-qh80ma
Primary DNS Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter 本地连接 3:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Win32 Adapter V8
Physical Address. . . . . . . . . : 00-FF-C2-18-82-DA
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.0.0.5
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 10.0.0.6
DNS Servers . . . . . . . . . . . : 10.0.0.1
70.88.98.10
70.88.99.11
Lease Obtained. . . . . . . . . . : 2009年10月12日 20:43:19
Lease Expires . . . . . . . . . . : 2010年10月12日 20:43:19

Ethernet adapter 本地连接 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter

Physical Address. . . . . . . . . : 00-0C-29-2E-84-B5
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.11.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.37.110
DNS Servers . . . . . . . . . . . : 218.30.19.40
61.134.1.4

Ethernet adapter 本地连接:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter

Physical Address. . . . . . . . . : 00-0C-29-2E-84-AB
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.37.110
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 192.168.11.1
DNS Servers . . . . . . . . . . . : 218.30.19.40
61.134.1.4

C:\Documents and Settings\Administrator>ping 10.0.0.1

Pinging 10.0.0.1 with 32 bytes of data:

Reply from 172.16.37.110: TTL expired in transit.
Reply from 172.16.37.110: TTL expired in transit.
Reply from 172.16.37.110: TTL expired in transit.
Reply from 172.16.37.110: TTL expired in transit.

Ping statistics for 10.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Documents and Settings\Administrator>ping 10.0.0.13

Pinging 10.0.0.13 with 32 bytes of data:

Reply from 10.0.0.13: bytes=32 time<10ms TTL=128
Reply from 10.0.0.13: bytes=32 time<10ms TTL=128
Reply from 10.0.0.13: bytes=32 time<10ms TTL=128
Reply from 10.0.0.13: bytes=32 time<10ms TTL=128

Ping statistics for 10.0.0.13:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Documents and Settings\Administrator>ping 172.16.37.83

Pinging 172.16.37.83 with 32 bytes of data:

Reply from 172.16.37.83: bytes=32 time<10ms TTL=64
Reply from 172.16.37.83: bytes=32 time<10ms TTL=64
Reply from 172.16.37.83: bytes=32 time<10ms TTL=64
Reply from 172.16.37.83: bytes=32 time<10ms TTL=64

Ping statistics for 172.16.37.83:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
There is no IP under Default Gateway.
Please take another look at where it went wrong!!!

Comment #52, posted 2009-10-12 22:55 | 藤苇
Mon Oct 12 20:43:17 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Mon Oct 12 20:43:17 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon Oct 12 20:43:17 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Oct 12 20:43:17 2009 LZO compression initialized
Mon Oct 12 20:43:17 2009 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Mon Oct 12 20:43:17 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Oct 12 20:43:17 2009 Local Options hash (VER=V4): '69109d17'
Mon Oct 12 20:43:17 2009 Expected Remote Options hash (VER=V4): 'c0103fa8'
Mon Oct 12 20:43:17 2009 Attempting to establish TCP connection with 172.16.37.83:1194
Mon Oct 12 20:43:17 2009 TCP connection established with 172.16.37.83:1194
Mon Oct 12 20:43:17 2009 TCPv4_CLIENT link local: [undef]
Mon Oct 12 20:43:17 2009 TCPv4_CLIENT link remote: 172.16.37.83:1194
Mon Oct 12 20:43:17 2009 TLS: Initial packet from 172.16.37.83:1194, sid=f570158c 99bbcc93
Mon Oct 12 20:43:17 2009 VERIFY OK: depth=1, /C=CN/ST=GD/L=SZ/O=xiaohui.com/emailAddress=your-email__at__xiaohui.com
Mon Oct 12 20:43:17 2009 VERIFY OK: depth=0, /C=CN/ST=GD/O=xiaohui.com/CN=server/emailAddress=your-email__at__xiaohui.com
Mon Oct 12 20:43:17 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Oct 12 20:43:17 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Oct 12 20:43:17 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Oct 12 20:43:17 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Oct 12 20:43:17 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Oct 12 20:43:17 2009 [server] Peer Connection Initiated with 172.16.37.83:1194
Mon Oct 12 20:43:18 2009 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Oct 12 20:43:18 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.10.0 255.255.255.0,route 192.168.13.0 255.255.255.0,dhcp-option DNS 10.0.0.1,dhcp-option DNS 70.88.98.10,dhcp-option DNS 70.88.99.11,route 10.0.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.0.0.5 10.0.0.6'
Mon Oct 12 20:43:18 2009 OPTIONS IMPORT: timers and/or timeouts modified
Mon Oct 12 20:43:18 2009 OPTIONS IMPORT: --ifconfig/up options modified
Mon Oct 12 20:43:18 2009 OPTIONS IMPORT: route options modified
Mon Oct 12 20:43:18 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Oct 12 20:43:18 2009 TAP-WIN32 device [本地连接 3] opened: \\.\Global\{C21882DA-A40E-4842-8C84-E8ABD2B2938D}.tap
Mon Oct 12 20:43:18 2009 TAP-Win32 Driver Version 8.4
Mon Oct 12 20:43:18 2009 TAP-Win32 MTU=1500
Mon Oct 12 20:43:18 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.0.0.5/255.255.255.252 on interface {C21882DA-A40E-4842-8C84-E8ABD2B2938D} [DHCP-serv: 10.0.0.6, lease-time: 31536000]
Mon Oct 12 20:43:18 2009 NOTE: FlushIpNetTable failed on interface [2] {C21882DA-A40E-4842-8C84-E8ABD2B2938D} (status=1413) : 无效索引。
Mon Oct 12 20:43:19 2009 TEST ROUTES: 3/3 succeeded len=3 ret=1 a=0 u/d=up
Mon Oct 12 20:43:19 2009 route ADD 192.168.10.0 MASK 255.255.255.0 10.0.0.6
Mon Oct 12 20:43:19 2009 Route addition via IPAPI succeeded
Mon Oct 12 20:43:19 2009 route ADD 192.168.13.0 MASK 255.255.255.0 10.0.0.6
Mon Oct 12 20:43:19 2009 Route addition via IPAPI succeeded
Mon Oct 12 20:43:19 2009 route ADD 10.0.0.0 MASK 255.255.255.0 10.0.0.6
Mon Oct 12 20:43:19 2009 Route addition via IPAPI succeeded
Mon Oct 12 20:43:19 2009 Initialization Sequence Completed

Comment #53, posted 2009-11-11 19:16 | 王菲菲
My VPN should count as configured, but after I enable the VPN my client can open Dazhihui and MSN, yet cannot open web pages or QQ. May I ask why?
Thanks!

Comment #54, posted 2009-11-11 19:20 | 王菲菲
My VPN is up, but the client can start MSN and Dazhihui and cannot open web pages or QQ. What else should I do?
Also, sysctl -w net.ipv4.ip_forward=0: after changing it, it cannot be saved. I don't know whether there is a problem with my system.

Thanks!

Comment #55, posted 2009-11-13 23:07 | ysbaggio
Very helpful, thanks Xiaohui. I am now looking into logging in with username and password.

Comment #56, posted 2009-11-13 23:10 | ysbaggio
Reply to #54
You can edit the file with # vi /etc/sysctl.conf and change net.ipv4.ip_forward = 0 from 0 to 1
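The two comments above are about the difference between the running value of ip_forward (`echo 1 > /proc/sys/net/ipv4/ip_forward` or `sysctl -w`, lost at reboot) and the persistent one in /etc/sysctl.conf. As an added example (not code from the post), the functions below work on the text of those two files, so they run anywhere with a constructed sample; on the server you would read the real files. `enable_persistent` edits an existing `net.ipv4.ip_forward` line in place and appends one only when none exists, so it is safe to run repeatedly.

```python
"""Runtime vs. persistent IP forwarding. Added example; the sysctl.conf
text below is a constructed sample, not taken from any real machine."""
import re
from typing import Optional, Tuple

KEY = "net.ipv4.ip_forward"
# Matches an uncommented setting line; [ \t] rather than \s so the match
# never spans neighbouring lines.
LINE = re.compile(r"^[ \t]*net\.ipv4\.ip_forward[ \t]*=[ \t]*(\d)[ \t]*$", re.M)

SAMPLE_SYSCTL_CONF = """\
# Kernel sysctl configuration file (constructed sample)
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
"""


def runtime_enabled(proc_text: str) -> bool:
    """proc_text is the content of /proc/sys/net/ipv4/ip_forward ('0\\n' or '1\\n')."""
    return proc_text.strip() == "1"


def persistent_value(sysctl_conf: str) -> Optional[int]:
    """Last uncommented net.ipv4.ip_forward value in sysctl.conf, or None if absent."""
    found = LINE.findall(sysctl_conf)
    return int(found[-1]) if found else None


def enable_persistent(sysctl_conf: str) -> str:
    """Return sysctl.conf text with net.ipv4.ip_forward = 1, editing or appending."""
    if LINE.search(sysctl_conf):
        return LINE.sub(f"{KEY} = 1", sysctl_conf)
    sep = "" if not sysctl_conf or sysctl_conf.endswith("\n") else "\n"
    return f"{sysctl_conf}{sep}{KEY} = 1\n"


def status(proc_text: str, sysctl_conf: str) -> Tuple[bool, bool]:
    """(forwarding on right now, forwarding on after the next reboot)."""
    return runtime_enabled(proc_text), persistent_value(sysctl_conf) == 1


if __name__ == "__main__":
    # On the server: proc = open("/proc/sys/net/ipv4/ip_forward").read()
    #                conf = open("/etc/sysctl.conf").read()
    print(status("1\n", SAMPLE_SYSCTL_CONF))        # (True, False): on now, off after reboot
    print(enable_persistent(SAMPLE_SYSCTL_CONF))
```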

Comment #57, posted 2009-11-19 12:36 | 王菲菲
ysbaggio
Hello!
How did you set up the username and password login?
May I ask you about it?
My QQ is 1050626886, please add me.

Comment #58, posted 2009-11-26 16:30 | david
When I start the VPN server with /usr/local/sbin/openvpn --config /usr/local/etc/server.conf
the last line reports an error:
Cannot load certificate file /home/zhangke/openvpn-2.0.5/easy-rsa/keys/server.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
How should I handle this? server.crt is right there in that directory, yet it cannot be loaded
Reply on 2009-11-26 19:37:
The certificate was not made correctly. Redo it according to step six.
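The certificate errors quoted in #33, #38, #42 and #58 are two different failures: OpenVPN prints `fopen:No such file or directory` when the path does not exist, and `PEM_read_bio:no start line` when the file exists but contains no `-----BEGIN ...-----` block, which is what an empty or truncated .crt left behind by a failed build-key run looks like, or a CSR or key handed in where a certificate was expected. The following added example (not code from the post, OpenVPN or OpenSSL) checks a PEM file in the same order OpenSSL fails, using constructed sample files written to a temporary directory; the base64 body in them is a stand-in, not a real certificate.

```python
"""Tell apart the certificate-loading errors quoted in the comments.
Added example; all sample files are constructed in a temporary directory."""
import base64
import os
import re
import tempfile
from typing import Dict

PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def check_pem(path: str, expected: str = "CERTIFICATE") -> str:
    """Short diagnosis of the PEM file at `path`, in the order OpenSSL fails."""
    if not os.path.isfile(path):
        return "missing: " + path          # fopen: No such file or directory
    with open(path, "rb") as fh:
        data = fh.read()
    m = PEM_BLOCK.search(data)
    if m is None:
        if b"-----BEGIN" in data:
            return "truncated: END line missing or mismatched"
        return "no start line"              # PEM_read_bio: no start line
    label = m.group(1).decode()
    if label != expected:                   # e.g. the .csr given instead of the .crt
        return f"wrong type: {label} (expected {expected})"
    body = re.sub(rb"\s+", b"", m.group(2))
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        return "corrupt base64 body"
    return "ok: " + label if der else "empty body"


def demo() -> Dict[str, str]:
    """Write constructed sample files and diagnose each; returns name -> result."""
    body = base64.b64encode(b"\x30\x03\x02\x01\x01")   # stand-in DER, not a real cert
    samples = {
        "good.crt": b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n",
        "empty.crt": b"",                                 # what a failed build-key leaves
        "request.crt": (b"-----BEGIN CERTIFICATE REQUEST-----\n" + body
                        + b"\n-----END CERTIFICATE REQUEST-----\n"),
        "cut.crt": b"-----BEGIN CERTIFICATE-----\n" + body[:4] + b"\n",
        "dh1024.pem": (b"-----BEGIN DH PARAMETERS-----\n" + body
                       + b"\n-----END DH PARAMETERS-----\n"),
    }
    results: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as d:
        for name, content in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(content)
        for name in samples:
            want = "DH PARAMETERS" if name.endswith(".pem") else "CERTIFICATE"
            results[name] = check_pem(os.path.join(d, name), want)
        results["lz.crt"] = check_pem(os.path.join(d, "lz.crt"))  # never written
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict}")
```

On a server, call `check_pem` with the `ca`, `cert` and `dh` paths from server.conf (the `dh` file with `expected="DH PARAMETERS"`); a `wrong type` or `no start line` result means the file should be regenerated with the easy-rsa steps, a `missing` result means the path in the config is wrong.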

Comment #59, posted 2009-11-29 00:18 | zhaoke
If the tun device is compiled into the kernel, you can use the following method:
cat /proc/net/dev|grep tun

If the above shows nothing, your kernel does not support TUN/TAP devices; it can be added by recompiling the kernel.

Comment #60, posted 2010-01-10 11:17 | 上善若水
Sun Jan 10 11:16:14 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Sun Jan 10 11:16:14 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Jan 10 11:16:14 2010 LZO compression initialized
Sun Jan 10 11:16:14 2010 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sun Jan 10 11:16:14 2010 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Jan 10 11:16:14 2010 Local Options hash (VER=V4): '69109d17'
Sun Jan 10 11:16:14 2010 Expected Remote Options hash (VER=V4): 'c0103fa8'
Sun Jan 10 11:16:14 2010 Attempting to establish TCP connection with 173.212.236.182:443
Sun Jan 10 11:16:14 2010 TCP connection established with 173.212.236.182:443
Sun Jan 10 11:16:14 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jan 10 11:16:14 2010 TCPv4_CLIENT link local: [undef]
Sun Jan 10 11:16:14 2010 TCPv4_CLIENT link remote: 173.212.236.182:443
My VPN connection stops right here. I don't know which step went wrong.

Comment #61, posted 2010-01-20 22:15 | IDCMAMA
Please allow us to repost the original text together with the comments: http://idcmama.com/bbs/thread-117-1-1.html
Programmer Xiaohui is a veteran pioneer of the OpenVPN cause in China, who for years has selflessly helped the vast number of Chinese netizens in dire straits;
from May 2007 until now, countless Chinese have benefited from his OpenVPN know-how. We deeply respect his character and his skill.
Reply on 2010-01-21 00:41:
Sweat... please don't pin the "veteran" and "pioneer" labels on me; people like that usually die the fastest.....

Comment #62, posted 2010-01-21 16:57 | IDCMAMA
You are quite right; it has been changed.
Reposter's note: Programmer Xiaohui, of equally high character and skill, has for years selflessly helped the vast number of Chinese netizens in dire straits

Comment #63, posted 2010-01-23 14:07 | tanlingyun
I am using openvpn-2.0_rc16.tar.gz and got an error at the ./build-ca step:
error on line -1 of pwd/openssl.cnf
1775:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('pwd/openssl.cnf','rb')
1775:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
1775:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:197:
How can this be solved?
Reply on 2010-01-23 15:07:
Are you sure the export parameters in step six of the article are set correctly? If they are, then it should be a parameter difference between versions. Try 2.0.5; that is the one I have always used. I haven't tested the newer versions.

Comment #64, posted 2010-01-23 18:44 | tanlingyun
Thanks for your reply. My exports are all set as yours. This afternoon I tried 2.0.5 again and still had the same problem. Since I was doing it on Ubuntu 9.10, I thought it was an openssl and openssl-devel problem, so I reinstalled both; still no good. Then I switched to Red Hat 9.0 and it was still the same problem.
bss_file.c and conf_def.c mentioned in the error message are both files in the openssl source directory. I don't know whether it's because openssl wasn't installed properly. I installed it like this: cd openssl-0.98.1l, then ./config --prefix=/usr/local/openssl, then make, and finally make install; the installation had no errors.
Reply on 2010-01-23 19:09:
I thought you were installing on CentOS. Taken literally, the message says the openssl source directory was not found. I'm not sure what the final openssl directory is after installation on Red Hat and Ubuntu. On CentOS, installing openssl is simply yum install openssl. Open pwd/openssl.cnf and check whether the openssl directory defined there is the one on your machine.

#65 posted on 2010-01-23 19:22 | all comments by tanlingyun
cd /openvpn-2.0.5/easy-rsa
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=GD
export KEY_CITY=SZ
export KEY_ORG="xiaohui.com"
export KEY_EMAIL="your-email [at] xiaohui.com"

I have a question: your $D here should be replaced during execution by the result of the pwd shell command, right? But on my machine it was used literally as pwd, which is why the error from floor 8 appeared:
mkdir: cannot create directory 'pwd/keys': No such file or directory
But after I corrected that, the errors above still appear. Please take another look.

#66 posted on 2010-01-23 19:32 | all comments by tanlingyun
Reply to floor 64: I opened openssl.cnf; there are lots of options in it and I don't know which one refers to the source path.

#67 posted on 2010-01-23 20:45 | all comments by Danny
Upstairs, try switching to CentOS? This may be caused by the config files differing between operating systems. I used CentOS 5.3 last week and followed the OP's tutorial; it worked on the first try.

#68 posted on 2010-01-25 13:03 | all comments by tanlingyun
Reply to floor 67: thank you. On Ubuntu I installed it with the built-in Synaptic package manager, and now it works. Thanks to xiaohui too.

#69 posted on 2010-02-23 21:23 | all comments by abc
Installation finished, but I can only reach the VPS host IP; everything else fails to ping. Why?
Reply on 2010-02-23 22:34:
Check the ip forward option or the iptables rules.

#70 posted on 2010-02-24 09:38 | all comments by abc
ip forward=1
It shows: iptables: Unknown error 4294967295

Both of these have been done.
I've already reinstalled 5 times. Repeatedly installing different versions on the server side shouldn't conflict, should it?

#71 posted on 2010-03-23 17:48 | all comments by sndynteum
Hello, my openvpn configuration is as follows
rhel5.03
server.conf
##########
local 192.168.186.128
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpn2010.crt
key /etc/openvpn/keys/vpn2010.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.10.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 10.10.10.1"
push "dhcp-option DNS 202.96.128.86"
client-to-client
keepalive 10 120
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
----------------ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.10.10.1 P-t-P:10.10.10.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1


#######
winXP sp2
client.ovpn
*************************
client
dev tun
proto udp
remote 192.168.186.128 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert client_pc1.crt
key client_pc1.key
verb 3
*****************************
It connects successfully, and when I run ipconfig /all on the client the output is about the same as yours, but there is no gateway:
Default Gateway . . . . . . . . . : (empty)
Please help me see where I went wrong, thanks!!!
Reply on 2010-03-23 23:05:
I noticed you push a route; perhaps that setting is the cause. Look into that area.

#72 posted on 2010-03-25 05:19 | all comments by fatima
A question!
1) 5 computers use internal IPs 192.168.0.*, go online via ADSL, and the external IP is 64.200.199.200
2) I set up the VPN service on a single-NIC computer (Linux) inside the network, IP 192.168.0.20. When server.conf is configured with that IP, computers in the same network can connect; client.conf of course also uses 192.168.0.20.
3) I added eth0:0=64.200.199.200 to this server and changed the IP in the config files to the real IP, after which connections fail. Where is the problem? What should I do?
Thanks!
Reply on 2010-03-25 10:25:
Specify log files for your client and server and analyze the logs.

#73 posted on 2010-04-14 12:34 | all comments by leafly
Very detailed; open source is great.

#74 posted on 2010-05-28 17:35 | all comments by 高
OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables

Why do I get this error after installing? I have no idea why; please help me, everyone!

#75 posted on 2010-06-21 14:56 | all comments by rogerer
A question!
My installation and configuration situation is this:
The OpenVPN server is on the internal network, port-forwarded to the VPN server through a Cisco gateway; OpenVPN starts normally!
server.conf: server 192.168.5.0 255.255.255.0
Two clients, one on the external network and one on the internal network; both connect normally.
My gateway is already able to route from the 5 subnet to the 2 and 1 subnets, and the gateway is set to 192.168.5.1.
Problem: both clients can ping 192.168.5.1, but cannot ping 192.168.5.* (other than .1), 192.168.2.1 or 192.168.1.1, i.e. they cannot reach the VPN subnet's clients or the other subnets.
What might be the cause?
Reply on 2010-06-21 20:34:
It should be a routing configuration problem. But I haven't fiddled with that part (I installed openvpn only to get past the firewall and haven't played with those settings).

#76 posted on 2010-06-26 21:45 | all comments by 123
0 EL:0 AF:3/1 ]
Sat Jun 26 20:42:53 2010 Local Options hash (VER=V4): '41690919'
Sat Jun 26 20:42:53 2010 Expected Remote Options hash (VER=V4): '530fdded'
Sat Jun 26 20:42:53 2010 UDPv4 link local (bound): [undef]:1194
Sat Jun 26 20:42:53 2010 UDPv4 link remote: 61.164.41.148:1194
Sat Jun 26 20:43:53 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jun 26 20:43:53 2010 TLS Error: TLS handshake failed
Sat Jun 26 20:43:53 2010 TCP/UDP: Closing socket
Sat Jun 26 20:43:53 2010 SIGUSR1[soft,tls-error] received, process restarting
Sat Jun 26 20:43:53 2010 Restart pause, 2 second(s)
Sat Jun 26 20:43:55 2010 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sat Jun 26 20:43:55 2010 Re-using SSL/TLS context
Sat Jun 26 20:43:55 2010 LZO compression initialized
Sat Jun 26 20:43:55 2010 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Jun 26 20:43:55 2010 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Jun 26 20:43:55 2010 Local Options hash (VER=V4): '41690919'
Sat Jun 26 20:43:55 2010 Expected Remote Options hash (VER=V4): '530fdded'
Sat Jun 26 20:43:55 2010 UDPv4 link local (bound): [undef]:1194
Sat Jun 26 20:43:55 2010 UDPv4 link remote: 61.164.41.148:1194
This problem keeps appearing, but UDP port 1194 on the server is open. I don't know why; please advise.

#77 posted on 2010-08-03 21:46 | all comments by wei
Every time I reboot the server I have to redo the following steps, otherwise I can't get online. Why is that?

iptables -t nat -A POSTROUTING -s 10.8.8.0/24 -o eth0 -j SNAT --to-source x.x.x.x
/etc/init.d/iptables save
/etc/init.d/iptables restart
On different machines the -o eth0 parameter may differ; run ifconfig to find out which interface the IP (70.8.7.6) is on.


At the same time, ip forward needs to be turned on. Don't use echo 1 > /proc/sys/net/ipv4/ip_forward; that way doesn't survive a reboot. First check:

Code:


sysctl -a | grep for
# result:
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.ip_forward = 1
If the values listed on your host are not 1, change them to 1, for example:

Code:

sysctl -w net.ipv4.ip_forward=1

After every reboot, all the net.ipv4.xxxx values are 0 again. How do I fix this?

#78 posted on 2010-08-18 18:40 | all comments by jackierkk
I'd like to ask where OpenVPN's security actually lies. I did a test: a lan1 computer dialed through the vpnserver to a lan2 internal user, and with a packet-capture tool I could intercept the packet contents, and they were not encrypted. Is OpenVPN's security really decided by the certificates alone? Experts, please help resolve this; many thanks!

#79 posted on 2010-08-19 19:26 | all comments by randy
Mine is installed on Windows; after installation, running the client gives: createprocess failed, exe='d:\program files\openvpn\bin\openvpn.exe' cmdline='openvpn --version' dir='d:\program files\openvpn\bin', and reinstalling doesn't help... The server is fine; other users can access it normally. What could the problem be?

#80 posted on 2010-12-20 14:05 | all comments by lqph3387
Why does it come out like this after I run it:
[root@ns ns]# sysctl -p
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
error: "Operation not permitted" setting key "net.ipv4.conf.tun0.mc_forwarding"
net.ipv4.conf.tun0.forwarding = 1
error: "Operation not permitted" setting key "net.ipv4.conf.eth0.mc_forwarding"
net.ipv4.conf.eth0.forwarding = 1
error: "Operation not permitted" setting key "net.ipv4.conf.lo.mc_forwarding"
net.ipv4.conf.lo.forwarding = 1
error: "Operation not permitted" setting key "net.ipv4.conf.default.mc_forwarding"
net.ipv4.conf.default.forwarding = 1
error: "Operation not permitted" setting key "net.ipv4.conf.all.mc_forwarding"
net.ipv4.conf.all.forwarding = 1
net.ipv4.ip_forward = 1
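
The two posts above (wei's reboot question and lqph3387's sysctl -p output) are the same problem seen from two sides. sysctl -w, like echo to /proc, only changes the running kernel; what survives a reboot is /etc/sysctl.conf, which sysctl -p replays at boot. Pasting the whole sysctl -a | grep for dump into that file produces exactly the errors in the second post: the mc_forwarding keys are read-only for userspace, and net.ipv4.conf.tun0.* does not exist until OpenVPN has created tun0. The script below is an added example, not code from the article: it rewrites such a file so that it sets net.ipv4.ip_forward = 1 once and drops the entries sysctl -p cannot apply. The sample input is constructed from the lines in the two posts; the classification of which keys to drop is this example's own assumption about a stock CentOS/RHEL host.

```python
"""Rewrite a pasted sysctl.conf so that IP forwarding persists across reboots.

Added example for this comment thread, not code from the article.  It keeps
one 'net.ipv4.ip_forward = 1' line and drops keys that 'sysctl -p' cannot set
at boot: the read-only mc_forwarding entries and per-interface keys for
tun/tap devices that OpenVPN only creates at runtime (assumption: the host
looks like the CentOS box in the posts)."""
import re

# Keys 'sysctl -p' fails on at boot (assumptions about the posts' host, see above).
_READONLY = re.compile(r"^net\.ipv4\.conf\.[^.]+\.mc_forwarding$")
_RUNTIME_IFACE = re.compile(r"^net\.ipv4\.conf\.(tun|tap)\d+\.")


def _parse(line):
    """Split 'key = value' into (key, value); None for comments and blank lines."""
    body = line.split("#", 1)[0].strip()
    if not body or "=" not in body:
        return None
    key, value = body.split("=", 1)
    return key.strip(), value.strip()


def persist_ip_forward(conf_text):
    """Return (new_text, dropped_keys): forwarding forced on, unloadable keys removed."""
    out, dropped, seen_forward = [], [], False
    for line in conf_text.splitlines():
        kv = _parse(line)
        if kv is None:
            out.append(line)            # comments and blank lines pass through verbatim
            continue
        key, _ = kv
        if key == "net.ipv4.ip_forward":
            if seen_forward:            # a later duplicate would silently win: drop it
                dropped.append(key)
                continue
            seen_forward = True
            out.append("net.ipv4.ip_forward = 1")
        elif _READONLY.match(key) or _RUNTIME_IFACE.match(key):
            dropped.append(key)
        else:
            out.append(line)
    if not seen_forward:
        out.append("net.ipv4.ip_forward = 1")
    return "\n".join(out) + "\n", dropped


# Constructed sample: the stock CentOS keys from post 80 followed by the
# 'sysctl -a | grep for' dump that the post shows being replayed by sysctl -p.
SAMPLE_CONF = """\
# Kernel sysctl configuration file
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.ip_forward = 1
"""

if __name__ == "__main__":
    text, dropped = persist_ip_forward(SAMPLE_CONF)
    print(text)
    print("# dropped:", ", ".join(dropped))
```

After writing the result back to /etc/sysctl.conf, sysctl -p should run without errors, and the SNAT rule from the quoted steps is kept across reboots by /etc/init.d/iptables save as the post already shows.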

#81 posted on 2011-01-05 10:27 | all comments by ganfic
Experts, please advise.
I set up a server with vpn; the virtual IP is 10.8.0.1, the gateway is 255.255.255.255, the machine's own internal IP on eth0 is 10.0.21.214, and the machine's external IP is what the firewall points to;
I connect with vpn from my machine and get 10.8.0.6, but I can only ping the server, 214,
and not the other internal IPs on the server side, such as 10.0.21.198.
My push is written like this: push "route 10.0.21.0 255.255.255.192"
Later I also added this route:
route add -net 10.8.0.0 netmask 255.255.255.255 gw 10.0.21.214 dev eth0

The software firewall is off, and there is no hardware firewall between machines on the internal network.

#82 posted on 2011-01-12 16:08 | all comments by smallfish
A question. I read your document and configured it successfully following your guide, but one thing is strange: the VPN client's gateway address. The IP I get is 172.16.2.6 and the gateway shows 172.16.2.5, but on the server I see tun0's IP is 172.16.2.1, and from the client I can't ping 172.16.2.5. Connecting with a different user I get IP 172.16.2.10 with gateway 172.16.2.9. What's the reason?
Reply on 2011-01-12 21:24:
As I recall this is normal. The virtual IPs are allocated in pairs, i.e. gateways 2.5, 2.7, ... with corresponding IPs 2.6, 2.8, ... As to why it's like this, I never looked into it; I built this thing to get past the firewall, and once connected and successfully through, that's OK for me. :D

#83 posted on 2011-03-08 22:00 | all comments by VPN
Very detailed; open source is great. Thanks for sharing!

#84 posted on 2011-03-30 16:38 | all comments by nianyi
Help me find the problem; I've been at it a long time and don't know where the error is.
The server is running successfully.
The client always gets TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) TLS Error: TLS handshake failed
My server config:
port 53
proto udp
dev tap
ca ca.crt
cert CdtsmServer.crt
dh dh1024.pem
server 192.168.100.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
push "route 192.168.3.0 255.255.255.0"
push "route 10.10.22.0 255.255.255.0"
push "route 121.194.12.0 255.255.255.0"
push "route 192.168.15.0 255.255.255.0"
push "dhcp-option DNS 10.10.22.243"
push "dhcp-option WINS 202.106.0.20"
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
max-clients 20
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
Client:
client
dev tap
proto udp
remote 122.224.8.*** 53
remote-random
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert CdtsmClient.crt
key CdtsmClient.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3

My server has only one NIC; it's in the telecom building. Mainly I want to run the VPN on UDP port 53.

#85 posted on 2011-04-09 20:08 | all comments by scrlk
Not bad!

OP, have you noticed that CentOS 5.5 has updated the openvpn version, in sync with the official release (using rpmforge)? It should have fixed some bugs. Should your article be updated too?
Reply on 2011-04-09 23:08:
Thanks for the notice. Next time I install a fresh vpn I'll update it based on practice. The current openvpn server works very well, so I won't mess with it.

#86 posted on 2011-04-14 23:07 | all comments by xinshou
Thu Apr 14 22:06:07 2011 OpenVPN 2.1.3 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Aug 20 2010
Thu Apr 14 22:06:16 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Apr 14 22:06:16 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Apr 14 22:06:16 2011 Control Channel MTU parms [ L:1559 D:140 EF:40 EB:0 ET:0 EL:0 ]
Thu Apr 14 22:06:16 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Apr 14 22:06:16 2011 Data Channel MTU parms [ L:1559 D:1450 EF:59 EB:4 ET:0 EL:0 ]
Thu Apr 14 22:06:16 2011 Local Options hash (VER=V4): '30065675'
Thu Apr 14 22:06:16 2011 Expected Remote Options hash (VER=V4): '37840390'
Thu Apr 14 22:06:16 2011 Attempting to establish TCP connection with 110.42.0.99:1194
Thu Apr 14 22:06:16 2011 TCP connection established with 110.42.0.99:1194
Thu Apr 14 22:06:16 2011 TCPv4_CLIENT link local: [undef]
Thu Apr 14 22:06:16 2011 TCPv4_CLIENT link remote: 110.42.0.99:1194
Thu Apr 14 22:06:16 2011 TLS: Initial packet from 110.42.0.99:1194, sid=30926f07 772092ac
Thu Apr 14 22:06:16 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Apr 14 22:06:17 2011 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/emailAddress=me@myhost.mydomain
Thu Apr 14 22:06:17 2011 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailAddress=me@myhost.mydomain
Thu Apr 14 22:06:18 2011 Connection reset, restarting [0]
Thu Apr 14 22:06:18 2011 TCP/UDP: Closing socket
Thu Apr 14 22:06:18 2011 SIGUSR1[soft,connection-reset] received, process restarting
Thu Apr 14 22:06:18 2011 Restart pause, 5 second(s)
What is going on here~~!
Reply on 2011-04-15 09:59:
>> Thu Apr 14 22:06:16 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
The certificate configuration seems to have a problem.

#87 posted on 2011-06-08 12:20 | all comments by 陈建伟
My problem is this: my VPN subnet is 10.8.0.?, and the server and client can connect to each other. But what I want now is, through the VPN connection, for my client to be able to access the other computers on the server's internal network, and at the same time for my client to be able to access the other computers on the server's internal network. How do you think this should be done?
My server's internal subnet is 192.168.33.?, the VPN server's local IP is 192.168.33.131, and the client's local IP is 172.16.4.191
The firewall is already off
I don't know whether the configuration below is wrong; why can't I get it to work?
Server config file
vi /etc/openvpn/server.conf

port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 58.22.96.66"
push "route 192.168.33.0 255.255.255.0"
client-config-dir ccd
route 172.16.4.0 255.255.255.0
client-to-client
verb 3
mute 20


Then the file client1 under /etc/openvpn/ccd/ contains:

ifconfig-push 10.8.0.5 10.8.0.6
iroute 172.16.4.0 255.255.255.0


Client config file /etc/openvpn/client.conf

client
dev tun
proto udp
remote 220.250.12.251 1194
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client1.crt
key /etc/openvpn/keys/client1.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
Reply on 2011-06-08 14:26:
Hello. I haven't configured vpn for a long time. When I wrote this article, I configured it only to get past the firewall and didn't look into site-to-site interconnection. It should be doable; go straight to the official documentation. :D

#88 posted on 2011-06-08 12:24 | all comments by 陈建伟
Server-side output
[root@uid5a1 ~]# /usr/local/sbin/openvpn /etc/openvpn/server.conf
Wed Jun 8 11:21:04 2011 OpenVPN 2.0.7 i686-pc-linux [SSL] [LZO] [EPOLL] built on May 25 2011
Wed Jun 8 11:21:04 2011 Diffie-Hellman initialized with 1024 bit key
Wed Jun 8 11:21:04 2011 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jun 8 11:21:04 2011 TUN/TAP device tun0 opened
Wed Jun 8 11:21:04 2011 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Wed Jun 8 11:21:04 2011 /sbin/route add -net 172.16.4.0 netmask 255.255.255.0 gw 10.8.0.2
Wed Jun 8 11:21:04 2011 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Wed Jun 8 11:21:04 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jun 8 11:21:04 2011 UDPv4 link local (bound): [undef]:1194
Wed Jun 8 11:21:04 2011 UDPv4 link remote: [undef]
Wed Jun 8 11:21:04 2011 MULTI: multi_init called, r=256 v=256
Wed Jun 8 11:21:04 2011 IFCONFIG POOL: base=10.8.0.4 size=62
Wed Jun 8 11:21:04 2011 Initialization Sequence Completed
Wed Jun 8 11:21:17 2011 MULTI: multi_create_instance called
Wed Jun 8 11:21:17 2011 220.250.12.115:1194 Re-using SSL/TLS context
Wed Jun 8 11:21:17 2011 220.250.12.115:1194 LZO compression initialized
Wed Jun 8 11:21:17 2011 220.250.12.115:1194 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jun 8 11:21:17 2011 220.250.12.115:1194 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jun 8 11:21:17 2011 220.250.12.115:1194 Local Options hash (VER=V4): '530fdded'
Wed Jun 8 11:21:17 2011 220.250.12.115:1194 Expected Remote Options hash (VER=V4): '41690919'
Wed Jun 8 11:21:17 2011 220.250.12.115:1194 TLS: Initial packet from 220.250.12.115:1194, sid=dc0ca068 0272b81d
Wed Jun 8 11:21:17 2011 220.250.12.115:1194 VERIFY OK: depth=1, /C=cn/ST=fj/L=Fuzhou/O=ffff/OU=vpn/CN=server/emailAddress=abcd@qq.com
Wed Jun 8 11:21:17 2011 220.250.12.115:1194 VERIFY OK: depth=0, /C=cn/ST=fj/L=Fuzhou/O=ffff/OU=vpn/CN=client1/emailAddress=abcd@qq.com
Wed Jun 8 11:21:17 2011 220.250.12.115:1194 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 8 11:21:17 2011 220.250.12.115:1194 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 8 11:21:17 2011 220.250.12.115:1194 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 8 11:21:17 2011 220.250.12.115:1194 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 8 11:21:17 2011 220.250.12.115:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jun 8 11:21:17 2011 220.250.12.115:1194 [client1] Peer Connection Initiated with 220.250.12.115:1194
Wed Jun 8 11:21:17 2011 client1/220.250.12.115:1194 MULTI: Learn: 10.8.0.6 -> client1/220.250.12.115:1194
Wed Jun 8 11:21:17 2011 client1/220.250.12.115:1194 MULTI: primary virtual IP for client1/220.250.12.115:1194: 10.8.0.6
Wed Jun 8 11:21:19 2011 client1/220.250.12.115:1194 PUSH: Received control message: 'PUSH_REQUEST'
Wed Jun 8 11:21:19 2011 client1/220.250.12.115:1194 SENT CONTROL [client1]: 'PUSH_REPLY,dhcp-option DNS 10.8.0.1,dhcp-option DNS 58.22.96.66,route 192.168.33.0 255.255.255.0,route 10.8.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)



Client-side output
[root@u8 ~]# /usr/local/sbin/openvpn /etc/openvpn/client.conf
Wed Jun 8 10:55:17 2011 OpenVPN 2.0.7 i686-pc-linux [SSL] [LZO] [EPOLL] built on May 25 2011
Wed Jun 8 10:55:17 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Jun 8 10:55:17 2011 LZO compression initialized
Wed Jun 8 10:55:17 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jun 8 10:55:17 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jun 8 10:55:17 2011 Local Options hash (VER=V4): '41690919'
Wed Jun 8 10:55:17 2011 Expected Remote Options hash (VER=V4): '530fdded'
Wed Jun 8 10:55:17 2011 UDPv4 link local (bound): [undef]:1194
Wed Jun 8 10:55:17 2011 UDPv4 link remote: 220.250.12.251:1194
Wed Jun 8 10:55:17 2011 TLS: Initial packet from 220.250.12.251:1194, sid=0f1c33d2 fb290674
Wed Jun 8 10:55:17 2011 VERIFY OK: depth=1, /C=cn/ST=fj/L=Fuzhou/O=ffff/OU=vpn/CN=server/emailAddress=abcd@qq.com
Wed Jun 8 10:55:17 2011 VERIFY OK: nsCertType=SERVER
Wed Jun 8 10:55:17 2011 VERIFY OK: depth=0, /C=cn/ST=fj/L=Fuzhou/O=ffff/OU=vpn/CN=server/emailAddress=abcd@qq.com
Wed Jun 8 10:55:17 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 8 10:55:17 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 8 10:55:17 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 8 10:55:17 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 8 10:55:17 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jun 8 10:55:17 2011 [server] Peer Connection Initiated with 220.250.12.251:1194
Wed Jun 8 10:55:18 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Jun 8 10:55:18 2011 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.8.0.1,dhcp-option DNS 58.22.96.66,route 192.168.33.0 255.255.255.0,route 10.8.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Wed Jun 8 10:55:18 2011 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jun 8 10:55:18 2011 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jun 8 10:55:18 2011 OPTIONS IMPORT: route options modified
Wed Jun 8 10:55:18 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jun 8 10:55:18 2011 TUN/TAP device tun0 opened
Wed Jun 8 10:55:18 2011 /sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
Wed Jun 8 10:55:18 2011 /sbin/route add -net 220.250.12.251 netmask 255.255.255.255 gw 172.16.4.253
Wed Jun 8 10:55:18 2011 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Wed Jun 8 10:55:18 2011 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Wed Jun 8 10:55:18 2011 /sbin/route add -net 192.168.33.0 netmask 255.255.255.0 gw 10.8.0.5
Wed Jun 8 10:55:18 2011 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.5
Wed Jun 8 10:55:18 2011 Initialization Sequence Completed
Wed Jun 8 11:17:41 2011 event_wait : Interrupted system call (code=4)
Wed Jun 8 11:17:41 2011 TCP/UDP: Closing socket
Wed Jun 8 11:17:41 2011 /sbin/route del -net 10.8.0.0 netmask 255.255.255.0
Wed Jun 8 11:17:41 2011 /sbin/route del -net 192.168.33.0 netmask 255.255.255.0
Wed Jun 8 11:17:41 2011 /sbin/route del -net 220.250.12.251 netmask 255.255.255.255
Wed Jun 8 11:17:41 2011 /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
Wed Jun 8 11:17:41 2011 /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
Wed Jun 8 11:17:41 2011 Closing TUN/TAP interface
Wed Jun 8 11:17:41 2011 SIGINT[hard,] received, process exiting
[root@uid5a8 ~]# vi /etc/openvpn/client.conf
[root@uid5a8 ~]# /usr/local/sbin/openvpn /etc/openvpn/client.conf
Wed Jun 8 11:20:49 2011 OpenVPN 2.0.7 i686-pc-linux [SSL] [LZO] [EPOLL] built on May 25 2011
Wed Jun 8 11:20:49 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Jun 8 11:20:49 2011 LZO compression initialized
Wed Jun 8 11:20:49 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jun 8 11:20:49 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jun 8 11:20:49 2011 Local Options hash (VER=V4): '41690919'
Wed Jun 8 11:20:49 2011 Expected Remote Options hash (VER=V4): '530fdded'
Wed Jun 8 11:20:49 2011 UDPv4 link local (bound): [undef]:1194
Wed Jun 8 11:20:49 2011 UDPv4 link remote: 220.250.12.251:1194
Wed Jun 8 11:20:49 2011 TLS: Initial packet from 220.250.12.251:1194, sid=ef31ceba 1210560e
Wed Jun 8 11:20:49 2011 VERIFY OK: depth=1, /C=cn/ST=fj/L=Fuzhou/O=ffff/OU=vpn/CN=server/emailAddress=abcd@qq.com
Wed Jun 8 11:20:49 2011 VERIFY OK: nsCertType=SERVER
Wed Jun 8 11:20:49 2011 VERIFY OK: depth=0, /C=cn/ST=fj/L=Fuzhou/O=ffff/OU=vpn/CN=server/emailAddress=abcd@qq.com
Wed Jun 8 11:20:49 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 8 11:20:49 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 8 11:20:49 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 8 11:20:49 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 8 11:20:49 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jun 8 11:20:49 2011 [server] Peer Connection Initiated with 220.250.12.251:1194
Wed Jun 8 11:20:50 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Jun 8 11:20:50 2011 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.8.0.1,dhcp-option DNS 58.22.96.66,route 192.168.33.0 255.255.255.0,route 10.8.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Wed Jun 8 11:20:50 2011 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jun 8 11:20:50 2011 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jun 8 11:20:50 2011 OPTIONS IMPORT: route options modified
Wed Jun 8 11:20:50 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jun 8 11:20:50 2011 TUN/TAP device tun0 opened
Wed Jun 8 11:20:50 2011 /sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
Wed Jun 8 11:20:50 2011 /sbin/route add -net 220.250.12.251 netmask 255.255.255.255 gw 172.16.4.253
Wed Jun 8 11:20:50 2011 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Wed Jun 8 11:20:50 2011 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Wed Jun 8 11:20:50 2011 /sbin/route add -net 192.168.33.0 netmask 255.255.255.0 gw 10.8.0.5
Wed Jun 8 11:20:50 2011 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.5
Wed Jun 8 11:20:51 2011 Initialization Sequence Completed




If anyone has an answer, please let me know.
My QQ is 66472309
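
Several of the configs posted in this thread fail static checks that can be run before starting the daemon: in post 84 the server.conf as posted has no key line, and its client-config-dir, status and ifconfig-pool-persist paths are relative (they resolve against the working directory the daemon was started from, not the config file's directory, unless --cd is set); post 82's gateway/IP pairs (.5/.6, .9/.10) are the two hosts of a /30, which is what OpenVPN's default net30 topology hands out and what every ifconfig-push in a ccd file must also satisfy; and post 87's ccd relies on every iroute having a matching route in server.conf. The script below is an added example, not code from the article or from the OpenVPN project. It parses the plain "directive args" format and reports those mismatches; the sample configs are constructed from the ones posted (names and addresses are the posters'), and the ccd/client2 entry is invented to show two failing checks.

```python
"""Static checks over an OpenVPN 2.x server.conf, its ccd/ files and a client.conf.

Added example for this comment thread; not code from the article or from OpenVPN.
Sample configs are built from posts 84 and 87; ccd/client2 is invented."""
import ipaddress


def parse_conf(text):
    """Return [(directive, [args])] with comments stripped and quotes removed."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.replace('"', "").split()
            entries.append((parts[0], parts[1:]))
    return entries


def args_of(conf, directive):
    return [a for d, a in conf if d == directive]


def check_pair(local, remote):
    """True when local/remote are the two hosts of one /30 (net30 topology):
    this is why clients see gateways .5/.9 for their own IPs .6/.10."""
    lo, hi = sorted(int(ipaddress.ip_address(x)) for x in (local, remote))
    return hi == lo + 1 and lo % 4 == 1


def _norm(args):
    # 'tcp-server' and 'tcp-client' are one transport seen from either side
    return [a[0].replace("-server", "").replace("-client", "") for a in args if a]


def audit(server_text, ccd_texts, client_text):
    """Return a list of problem strings; an empty list means every check passed."""
    srv, cli, problems = parse_conf(server_text), parse_conf(client_text), []
    for d in ("ca", "cert", "key", "dh"):
        if not args_of(srv, d):
            problems.append(f"server: missing '{d}' directive")
    # tls-auth: both sides or neither; key direction 0 on the server, 1 on the client
    s_ta, c_ta = args_of(srv, "tls-auth"), args_of(cli, "tls-auth")
    if bool(s_ta) != bool(c_ta):
        problems.append("tls-auth on one side only: the other side's packets are dropped")
    elif s_ta and not (s_ta[0][-1] == "0" and c_ta[0][-1] == "1"):
        problems.append("tls-auth key direction must be 0 on the server and 1 on the client")
    # dev, proto and comp-lzo are part of the options hash; a mismatch breaks the handshake
    for d in ("dev", "proto"):
        if _norm(args_of(srv, d)) != _norm(args_of(cli, d)):
            problems.append(f"'{d}' differs between server and client")
    if bool(args_of(srv, "comp-lzo")) != bool(args_of(cli, "comp-lzo")):
        problems.append("comp-lzo set on one side only")
    # relative paths resolve against the daemon's working directory, not the config file
    for d in ("client-config-dir", "status", "ifconfig-pool-persist"):
        for a in args_of(srv, d):
            if a and not a[0].startswith("/"):
                problems.append(f"server: '{d} {a[0]}' is relative; use an absolute path or --cd")
    # ccd: ifconfig-push needs a /30 pair; every iroute needs a matching server 'route'
    routes = {tuple(a[:2]) for a in args_of(srv, "route")}
    for name, text in ccd_texts.items():
        ccd = parse_conf(text)
        for a in args_of(ccd, "ifconfig-push"):
            if not check_pair(a[0], a[1]):
                problems.append(f"ccd/{name}: ifconfig-push {a[0]} {a[1]} is not a /30 pair")
        for a in args_of(ccd, "iroute"):
            if tuple(a[:2]) not in routes:
                problems.append(f"ccd/{name}: iroute {' '.join(a[:2])} has no matching 'route'")
    return problems


# Constructed from post 84's server.conf (as posted it has no 'key' line).
SERVER_CONF = """\
port 53
proto udp
dev tap
ca ca.crt
cert CdtsmServer.crt
dh dh1024.pem
server 192.168.100.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
route 172.16.4.0 255.255.255.0
push "route 192.168.3.0 255.255.255.0"
tls-auth ta.key 0   # This file is secret
comp-lzo
"""
CLIENT_CONF = """\
client
dev tap
proto udp
remote 122.224.8.*** 53
ca ca.crt
cert CdtsmClient.crt
key CdtsmClient.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
"""
CCD = {
    "client1": "ifconfig-push 10.8.0.5 10.8.0.6\niroute 172.16.4.0 255.255.255.0\n",  # post 87
    "client2": "ifconfig-push 10.8.0.6 10.8.0.7\niroute 192.168.33.0 255.255.255.0\n",  # invented
}

if __name__ == "__main__":
    for p in audit(SERVER_CONF, CCD, CLIENT_CONF):
        print("-", p)
```

Run against the real files with open(...).read() for each; a clean result does not prove the tunnel will route (ip_forward, NAT and the LAN's return route are outside what a config check can see), but the problems it does report are ones the daemon either refuses to start on or fails silently on.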

#89 posted on 2011-09-21 11:52 | all comments by ansx
Wed Sep 21 10:29:21 2011 TAP-WIN32 device [本地连接 13] opened: \\.\Global\{F700F08E-D3FB-4DB7-AA1B-C285D1C9DA5C}.tap
Wed Sep 21 10:29:21 2011 NOTE: could not get adapter index for {F700F08E-D3FB-4DB7-AA1B-C285D1C9DA5C}
What error is this? It appears when connecting with openvpn installed on Windows as a client, and in ipconfig /all I can't see a TAP-Win32 Adapter V9 network entry at all.
Experts, please answer...

#90 posted on 2011-10-09 09:41 | all comments by 色色
Very detailed write-up! I'm now using username-plus-password authentication.

#91 posted on 2011-11-05 16:08 | all comments by andre
OP, how do I set the network IP?

#92 posted on 2011-11-09 19:58 | all comments by andre
This is the client-side error:
Wed Nov 09 19:57:06 2011 TLS Error: TLS handshake failed
Wed Nov 09 19:57:06 2011 TCP/UDP: Closing socket
Wed Nov 09 19:57:06 2011 SIGUSR1[soft,tls-error] received, process restarting
Wed Nov 09 19:57:06 2011 Restart pause, 2 second(s)
Wed Nov 09 19:57:08 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Nov 09 19:57:08 2011 Re-using SSL/TLS context
Wed Nov 09 19:57:08 2011 LZO compression initialized
Wed Nov 09 19:57:08 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Nov 09 19:57:08 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Nov 09 19:57:08 2011 Local Options hash (VER=V4): '41690919'
Wed Nov 09 19:57:08 2011 Expected Remote Options hash (VER=V4): '530fdded'
Wed Nov 09 19:57:08 2011 UDPv4 link local (bound): [undef]:1194
Wed Nov 09 19:57:08 2011 UDPv4 link remote: 192.168.10.42:1194
Experts, please advise:

#93 posted on 2011-12-11 21:46 | all comments by die
script-security 2; the error has been solved, see http://www.nvery.com/2011/openvpn_script-security_2.htm

#94 posted on 2011-12-18 14:36 | all comments by ningyu
OP, can openvpn be used on Ubuntu 11.10?
In a terminal on Ubuntu 11.10, running modinfo tun shows ERROR: modinfo: could not find module tun. How do I fix this?
Reply on 2011-12-18 15:40:
It should work, though I haven't installed it there. From the message, it looks like the tun device isn't enabled. Google the error message:
ubuntu+"could not find module tun"+openvpn

#95 posted on 2012-03-17 11:26 | all comments by ZJ王
Can't create the TAP adapter on Win7, sigh; some online tutorial says it can be done, but it didn't work. Fortunately XP has no problem..
Reply on 2012-03-17 11:46:
It does work. I use it on WIN7 all the time. Make sure to install the latest client, and also run the installer in administrator mode (run as administrator).

#96 posted on 2012-03-27 15:46 | all comments by Hans
I'd like to ask Xiaohui: after installing the TAP V9 driver on Win7, the NIC speed always shows 10MB. The OPENVPN site says the actual speed will exceed the displayed rate, but in actual tests, in the same network environment, file transfer rates with and without VPN differ by more than 3x. Have you run into this problem? Thanks.
Reply on 2012-03-27 20:05:
Slower transfer speed after using openvpn is normal. First there's the time cost of encrypting and decrypting data; in addition it depends on the communication quality between the vpn server and your client, and so on. I haven't quantified the comparison myself. As long as it connects and I can open the sites and material I want without being reset and cut off, a bit slower doesn't matter. :)

#97 posted on 2012-06-12 12:32 | all comments by yangyang
OP, I cross-compiled OpenVPN on an ARM development board, and now access from the PC fails. I've pasted the information below; I hope OP can take a look.

ARM: Linux 3.0.1, OpenVPN 2.0.9
Error:
connection reset by peer code 104 openvpn

PC: Ubuntu 11.10 x86_64 OpenVPN 2.0.9
Error:
Tue Jun 12 12:18:37 2012 OpenVPN 2.0.9 x86_64-unknown-linux [SSL] [LZO] [EPOLL] built on Jun 12 2012
Tue Jun 12 12:18:37 2012 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Jun 12 12:18:37 2012 LZO compression initialized
Tue Jun 12 12:18:37 2012 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Jun 12 12:18:37 2012 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jun 12 12:18:37 2012 Local Options hash (VER=V4): '69109d17'
Tue Jun 12 12:18:37 2012 Expected Remote Options hash (VER=V4): 'c0103fa8'
Tue Jun 12 12:18:37 2012 Attempting to establish TCP connection with 192.168.8.115:1194
Tue Jun 12 12:18:37 2012 TCP connection established with 192.168.8.115:1194
Tue Jun 12 12:18:37 2012 TCPv4_CLIENT link local: [undef]
Tue Jun 12 12:18:37 2012 TCPv4_CLIENT link remote: 192.168.8.115:1194
Tue Jun 12 12:18:37 2012 TLS: Initial packet from 192.168.8.115:1194, sid=4f1fdbe7 8434e7e9
Tue Jun 12 12:18:38 2012 VERIFY OK: depth=1, /C=CN/ST=JS/L=NANTONG/O=HNCST/OU=CS/CN=6410-Server/emailAddress=kormny@gmail.com
Tue Jun 12 12:18:38 2012 VERIFY OK: nsCertType=SERVER
Tue Jun 12 12:18:38 2012 VERIFY OK: depth=0, /C=CN/ST=JS/O=HNCST/OU=CS/CN=6410-Server/emailAddress=kormny@gmail.com
Tue Jun 12 12:18:38 2012 TLS_ERROR: BIO read tls_read_plaintext error: error:04091068:rsa routines:INT_RSA_VERIFY:bad signature: error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad signature
Tue Jun 12 12:18:38 2012 TLS Error: TLS object -> incoming plaintext read error
Tue Jun 12 12:18:38 2012 TLS Error: TLS handshake failed
Tue Jun 12 12:18:38 2012 Fatal TLS error (check_tls_errors_co), restarting
Tue Jun 12 12:18:38 2012 TCP/UDP: Closing socket
Tue Jun 12 12:18:38 2012 SIGUSR1[soft,tls-error] received, process restarting
Tue Jun 12 12:18:38 2012 Restart pause, 5 second(s)

Some material online mentions that this error may be caused by a wrong clock, so I ported ntpdate to the ARM board and it syncs the time once at every boot; it shouldn't be a clock problem.

#98 posted on 2012-06-29 11:29 | all comments by 夏知非
Brother above, have you solved your problem? When I cross-compiled openvpn and ran the Windows client, I also got this error~~~. If you have a solution, please share, thanks~

#99 posted on 2012-09-14 14:50 | all comments by luoguoling
Hello, my openvpn has been set up successfully. Domestic users can dial into openvpn normally and log in to the company server. But from abroad, users can only dial into openvpn and cannot log in to the internal server; pinging the openvpn gateway and the internal server both give TTL expired. I don't know why. At first they couldn't even dial into openvpn; in the end I added a host route to the remote host and then they could dial in. OP, please take a look, thanks. 992975991 is my QQ number
Reply on 2012-09-14 19:40:
Hello. These notes were recorded when I installed it in 2007, in order to access foreign websites; I never dealt with internal/external routing. After getting it configured I never upgraded or maintained it again, and I've forgotten most of the technical details. I can't help you; I'm really sorry.

#100 posted on 2012-09-14 18:00 | all comments by leon
Same as the problem on floor 8, mkdir: cannot create directory 'pwd/keys': No such file or directory. Your answer was: try creating those directories by hand first. Er, which directories are those? And what are the paths???
Reply on 2012-09-14 19:40:
I no longer remember many of the technical details. mkdir failing to create the directory may be a permissions issue; check the permissions and try to create the keys directory manually under pwd. If you just want a working configuration and want to succeed on the first try following my article, it's best to install the versions mentioned in my document, because many people have configured it successfully on the first try with the versions I listed plus this tutorial.

#101 posted on 2013-01-29 09:13 | all comments by sana
I hit an error that aborted the openvpn install;
the message is:
[root@localhost openvpn-2.3.0]# make
make: *** No targets specified and no makefile found.  Stop.

#102 posted on 2013-03-12 16:22 | all comments by sky
Hello! Help~~ While installing openvpn, the client can never connect to the server; it keeps showing a yellow light. The server is CentOS 6 and the client is Win7. The client error log is as follows:
Tue Mar 12 15:03:21 2013 us=805320 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Tue Mar 12 15:03:21 2013 us=805389 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Mar 12 15:03:21 2013 us=819038 LZO compression initialized
Tue Mar 12 15:03:21 2013 us=819105 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Mar 12 15:03:21 2013 us=821044 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 12 15:03:21 2013 us=821080 Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Mar 12 15:03:21 2013 us=821088 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Mar 12 15:03:21 2013 us=821106 Local Options hash (VER=V4): '69109d17'
Tue Mar 12 15:03:21 2013 us=821118 Expected Remote Options hash (VER=V4): 'c0103fa8'
Tue Mar 12 15:03:21 2013 us=821138 Attempting to establish TCP connection with 192.168.1.102:1194
Tue Mar 12 15:03:42 2013 us=820609 TCP: connect to 192.168.1.102:1194 failed, will try again in 5 seconds
Tue Mar 12 15:04:08 2013 us=820914 TCP: connect to 192.168.1.102:1194 failed, will try again in 5 seconds
Reply on 2013-03-12 18:25:
The client log doesn't reveal much. Enable the SERVER-side log and observe that. I haven't touched it for many years and it's become fairly unfamiliar to me.
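
The log excerpts in this thread (posts 76, 86, 92, 97 and 102) repeat a handful of messages that each point at a different place to look: a TLS negotiation timeout means nothing came back at all, a refused TCP connect never reached a listener, the "No server certificate verification method" warning means the client would accept any certificate the CA signed, and a bad signature in the TLS handshake is a key or build problem rather than a network one. The script below is an added example, not code from the article or from the OpenVPN project. It maps those messages to the next check a practitioner would make and runs over sample lines constructed from the excerpts above (the addresses are the ones the posters pasted); the labels and advice strings are this example's own, not OpenVPN output.

```python
"""Triage OpenVPN 2.x log lines into likely root causes.

Added example for this comment thread, not code from the article or from
OpenVPN.  RULES map messages quoted in the posts to the check to make next;
the sample lines are constructed from the thread's own excerpts."""
import re

# (regex over one log line, cause label, what to check).  First match wins.
RULES = [
    (r"TLS key negotiation failed to occur within \d+ seconds",
     "no-reply-from-server",
     "no packet came back: check the server listens on that proto/port, the host "
     "firewall and any NAT/port forward, and that tls-auth and its key direction "
     "(0 on the server, 1 on the client) match on both ends"),
    (r"TCP: connect to \S+ failed",
     "tcp-connect-refused",
     "TCP connect not answered: no server on that address/port, or blocked before "
     "it; the server must be configured for TCP as well"),
    (r"No server certificate verification method has been enabled",
     "no-server-cert-check",
     "client accepts any cert the CA signed, client certs included: add "
     "'ns-cert-type server' (or 'remote-cert-tls server') on the client"),
    (r"requires '--script-security 2'",
     "script-security",
     "OpenVPN 2.1+ refuses to run up/down scripts: add 'script-security 2' to the "
     "config (the Windows GUI's route/DNS handling triggers this)"),
    (r"bad signature",
     "tls-bad-signature",
     "TLS signature check failed: key/cert mismatch, corrupt PEM, or a broken "
     "crypto build (cross-compiled OpenSSL is a usual suspect)"),
    (r"Connection reset, restarting|connection reset by peer",
     "peer-reset",
     "peer dropped the session after the handshake started: read the other side's "
     "log for the reason (cert rejected, option mismatch, crash)"),
    (r"could not get adapter index",
     "tap-adapter-missing",
     "Windows TAP adapter not usable: reinstall the TAP driver as administrator "
     "and confirm it shows up in ipconfig /all"),
]

_STAMP = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d+ [\d:]+ \d{4} (us=\d+ )?")


def triage_line(line):
    """Return (cause_label, advice) for one log line, or None if it is routine."""
    msg = _STAMP.sub("", line.strip())
    for pattern, label, advice in RULES:
        if re.search(pattern, msg):
            return label, advice
    return None


def triage_log(text):
    """Return distinct (label, advice) pairs found in a whole log, in order of first hit."""
    found = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit and hit[0] not in [label for label, _ in found]:
            found.append(hit)
    return found


# Constructed sample: one line from each of the posts named above.
SAMPLE_LOG = """\
Sat Jun 26 20:42:53 2010 UDPv4 link remote: 61.164.41.148:1194
Sat Jun 26 20:43:53 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jun 26 20:43:53 2010 TLS Error: TLS handshake failed
Thu Apr 14 22:06:16 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Apr 14 22:06:16 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Apr 14 22:06:18 2011 Connection reset, restarting [0]
Tue Jun 12 12:18:38 2012 TLS_ERROR: BIO read tls_read_plaintext error: error:04091068:rsa routines:INT_RSA_VERIFY:bad signature: error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad signature
Tue Mar 12 15:03:42 2013 us=820609 TCP: connect to 192.168.1.102:1194 failed, will try again in 5 seconds
"""

if __name__ == "__main__":
    for label, advice in triage_log(SAMPLE_LOG):
        print(f"{label:22s} {advice}")
```

Point it at a real client or server log (verb 3 is enough for every message above) before posting the whole thing; the second line it reports is usually the consequence of the first.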

#103 posted on 2013-03-13 14:50 | all comments by sky
This is the server-side log:
OpenVPN CLIENT LIST
Updated,Wed Mar 13 13:46:25 2013
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,0
END
Reply on 2013-03-14 18:31:
These logs don't reveal anything. :)

#104 posted on 2013-03-18 15:02 | all comments by sky
Hello! My problem is solved: when configuring, the server and client were missing the two lines route-method exe and route-delay 2. Many thanks for taking the time to answer my question! I'd also like to ask you one more thing. I currently use certificates and keys for client-server connections, which feels rather troublesome: for every new client I have to generate a certificate and key by hand and copy them to the client. Is there any way to have the server generate the certificate automatically and send it to the client automatically, without manual work?
Reply on 2013-03-18 18:48:
To automate this you'd have to write your own program, e.g. send it to the user's mailbox and let the user add it themselves. The other approach is username+password login, which is a level less secure than certificates, but has the advantage of easy management.
Password login requires the auth-user-pass parameter; look it up.

#105 posted on 2013-03-19 16:03 | all comments by sky
I looked it up online; as you said, username/password authentication is indeed much more convenient. Many thanks!

#106 posted on 2013-03-20 19:02 | all comments by 张华
I have two questions:
1. After my server program starts ( /usr/local/sbin/openvpn --config /usr/local/etc/server.conf ), it stops at the following messages:
Wed Mar 20 17:52:04 2013 us=456037 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Wed Mar 20 17:52:04 2013 us=459198 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Mar 20 17:52:04 2013 us=459659 GID set to nobody
Wed Mar 20 17:52:04 2013 us=459690 UID set to nobody
Wed Mar 20 17:52:04 2013 us=459714 Socket Buffers: R=[110592->131072] S=[110592->131072]
Wed Mar 20 17:52:04 2013 us=459737 UDPv4 link local (bound): 198.130.223.141:1194
Wed Mar 20 17:52:04 2013 us=459750 UDPv4 link remote: [undef]
Wed Mar 20 17:52:04 2013 us=459775 MULTI: multi_init called, r=256 v=256
Wed Mar 20 17:52:04 2013 us=459814 IFCONFIG POOL: base=10.8.0.4 size=62
Wed Mar 20 17:52:04 2013 us=459870 Initialization Sequence Completed

Is this startup result correct?


2. When the client starts and connects to the server, the server program crashes (segmentation fault); the messages are:

Wed Mar 20 17:52:08 2013 us=602786 MULTI: multi_create_instance called
Wed Mar 20 17:52:08 2013 us=602842 198.130.223.175:1194 Re-using SSL/TLS context
Wed Mar 20 17:52:08 2013 us=602878 198.130.223.175:1194 LZO compression initialized
Wed Mar 20 17:52:08 2013 us=603063 198.130.223.175:1194 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Mar 20 17:52:08 2013 us=603088 198.130.223.175:1194 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Mar 20 17:52:08 2013 us=603151 198.130.223.175:1194 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Wed Mar 20 17:52:08 2013 us=603172 198.130.223.175:1194 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Wed Mar 20 17:52:08 2013 us=603210 198.130.223.175:1194 Local Options hash (VER=V4): '530fdded'
Wed Mar 20 17:52:08 2013 us=603236 198.130.223.175:1194 Expected Remote Options hash (VER=V4): '41690919'
Wed Mar 20 17:52:08 2013 us=603302 198.130.223.175:1194 TLS: Initial packet from 198.130.223.175:1194, sid=3e0b6083 0c8b1f44
Segmentation fault

How do I fix this?

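The log in post #106 answers the first question by itself and is worth a second look for another reason. Added here as an example (my script, not part of the page or of 张华's post): a small shell audit that checks an OpenVPN server log for the start-up marker and for the data-channel parameters revealed by the "Local Options String" line. "Initialization Sequence Completed" is the line OpenVPN prints once the daemon is fully up, so a start-up that ends there is a successful one. The options string shows cipher BF-CBC and comp-lzo: BF-CBC was OpenVPN's default data-channel cipher before 2.5, but Blowfish has a 64-bit block, which is what SWEET32 exploits, and compression of tunnelled traffic is what VORACLE exploits. The trace says nothing about why the process segfaults, and nothing below tries to diagnose that; a core dump and a backtrace are what would. The log file path in the usage line is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page or from the commenter's post.
# audit_openvpn_log FILE : sanity-check an OpenVPN server log.
#   - confirms the start-up reached "Initialization Sequence Completed",
#     the line OpenVPN prints when the daemon is fully up;
#   - reads the first "Local Options String" line (the parameters the server
#     negotiates for the data channel) and flags known-weak settings.
# Prints one line per check and returns the number of findings.
audit_openvpn_log() {
    log=$1
    findings=0

    if grep -q 'Initialization Sequence Completed' "$log"; then
        echo "ok: daemon finished initialisation"
    else
        echo "FAIL: no 'Initialization Sequence Completed' line; start-up did not finish"
        findings=$((findings + 1))
    fi

    opts=$(grep 'Local Options String' "$log" | head -n 1)
    if [ -z "$opts" ]; then
        echo "INFO: no 'Local Options String' line in this log; nothing to audit"
        return "$findings"
    fi

    # The string looks like: 'V4,dev-type tun,...,comp-lzo,cipher BF-CBC,auth SHA1,...'
    cipher=$(printf '%s\n' "$opts" | sed -n 's/.*cipher \([^,]*\).*/\1/p')
    case "$cipher" in
        BF-CBC|DES-CBC|DES-EDE3-CBC|CAST5-CBC)
            # 64-bit block ciphers: block collisions after a few GB of traffic (SWEET32).
            echo "WARN: data-channel cipher $cipher has a 64-bit block (SWEET32); use AES-256-GCM (OpenVPN 2.4+) or AES-256-CBC on older releases"
            findings=$((findings + 1)) ;;
        '')
            echo "INFO: options string carries no cipher field" ;;
        *)
            echo "ok: cipher $cipher" ;;
    esac

    case "$opts" in
        *comp-lzo*)
            # Compressing attacker-influenced plaintext next to secrets leaks them (VORACLE).
            echo "WARN: comp-lzo is enabled; compression of tunnelled traffic enables VORACLE-style attacks, remove it on both sides"
            findings=$((findings + 1)) ;;
        *)
            echo "ok: no compression" ;;
    esac

    return "$findings"
}

# Usage: sh audit.sh /var/log/openvpn.log   (exit status = number of findings)
if [ $# -eq 1 ]; then
    audit_openvpn_log "$1"
fi
```

Run on the posted log the function reports the start-up as fine and returns 2 (BF-CBC and comp-lzo). The cipher and compression changes must be made on the server and on every client config at the same time, because, as the "Expected Remote Options" line shows, both sides compare these strings at connect time.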
Post #108  Posted 2013-03-21 00:40 | all comments by johndoe
In the Windows client installation section..... author.... you.....you.... actually say to copy ca.key to the client?....
That means....
Sigh....
Please fix it quickly
Replied on 2013-03-24 12:20:
That was a slip when copying content for the notes. That file should not be copied over. It has been corrected; thanks for pointing it out!

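Post #104 asked how to stop generating each client's certificate by hand, and post #108 caught the copy of ca.key into the client section. Both come down to the same piece of tooling, so here is one added example that serves both (my script, not the article's and not easy-rsa): a POSIX shell script that mints one client certificate with the openssl CLI and writes a single inline .ovpn profile that can be mailed to the user, which is the "write a program yourself" option from the reply to #104. The CA private key is read only to sign and is never copied into the profile, and verify_profile() refuses a profile that contains it. The CA is a throw-away one created by make_ca() so the script runs end to end; in a real deployment point the PKI directory at the existing CA directory and make_ca() does nothing. The paths, vpn.example.com and the client name are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article. Provisions one OpenVPN client:
# key + CSR, signed by the CA, bundled into a single inline .ovpn profile that can
# be handed (or mailed) to the user. ca.key is used only to sign; it is never
# written into the profile. Assumes the openssl CLI on PATH.
set -eu

# make_ca DIR : create a throw-away CA when DIR holds none (so the script can run
# end to end); with an existing PKI this is a no-op.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    [ -f "$dir/ca.key" ] && return 0
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=OpenVPN-CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 -sha256 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" >/dev/null 2>&1
    chmod 600 "$dir/ca.key"
}

# make_client DIR SERVER_HOST NAME OUT : mint NAME's certificate and write OUT.
make_client() {
    dir=$1; host=$2; name=$3; out=$4
    # The name becomes a file name and a CN: allow only a safe character set.
    case "$name" in
        ''|*[!A-Za-z0-9._-]*) echo "refusing client name '$name'" >&2; return 1 ;;
    esac
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
    chmod 600 "$dir/$name.key"
    # End-entity extensions: not a CA, usable for client authentication only.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" >/dev/null 2>&1
    {
        printf 'client\ndev tun\nproto udp\nremote %s 1194\nnobind\n' "$host"
        printf 'persist-key\npersist-tun\nremote-cert-tls server\nverb 3\n'
        echo '<ca>';   cat "$dir/ca.crt";                  echo '</ca>'
        echo '<cert>'; openssl x509 -in "$dir/$name.crt";  echo '</cert>'
        echo '<key>';  cat "$dir/$name.key";               echo '</key>'
    } > "$out"
    chmod 600 "$out"
}

# verify_profile OUT DIR : exactly one private key, that key is not the CA key,
# and the embedded certificate chains to ca.crt.
verify_profile() {
    out=$1; dir=$2
    [ "$(grep -c -- '-----BEGIN.*PRIVATE KEY-----' "$out")" -eq 1 ] || {
        echo "profile must carry exactly one private key" >&2; return 1; }
    sed -n '/^<key>$/,/^<\/key>$/p' "$out" | sed '1d;$d' > "$dir/.check.key"
    sed -n '/^<cert>$/,/^<\/cert>$/p' "$out" | sed '1d;$d' > "$dir/.check.crt"
    ca_mod=$(openssl rsa -in "$dir/ca.key" -noout -modulus 2>/dev/null)
    key_mod=$(openssl rsa -in "$dir/.check.key" -noout -modulus 2>/dev/null)
    [ "$key_mod" != "$ca_mod" ] || { echo "profile contains the CA private key" >&2; return 1; }
    openssl verify -CAfile "$dir/ca.crt" "$dir/.check.crt" >/dev/null 2>&1
}

# Usage: sh mkclient.sh /etc/openvpn/pki vpn.example.com alice alice.ovpn
if [ $# -eq 4 ]; then
    make_ca "$1"
    make_client "$1" "$2" "$3" "$4"
    verify_profile "$4" "$1" && echo "wrote $4"
fi
```

remote-cert-tls server in the generated profile makes the client insist on a server certificate carrying the serverAuth extended key usage, which is what easy-rsa's build-key-server produces, so a leaked client certificate cannot be turned around to impersonate the server; on the 2.0.x client this article installs, use ns-cert-type server instead, since remote-cert-tls arrived in 2.1. Whatever delivers the profile (mail, a download page) is now the weak link, so treat the .ovpn like a password and keep a revocation list (crl-verify on the server) for the day one goes missing.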
Post #109  Posted 2013-08-14 15:11 | all comments by kevin
When my colleague logs in to openvpn it sometimes says "connecting to ** has failed". It used to work and nothing about the VPN has been changed; sometimes a reboot of the PC fixes it and sometimes it doesn't. Why is that, and how should I deal with it? Thanks
Replied on 2013-08-14 20:52:
You have to check the CLIENT and SERVER logs carefully. If you are connecting to a server abroad, the most common cause is the wall.

Post #110  Posted 2013-09-13 19:30 | all comments by junjun
The openvpn client can connect to the openVPN server outside the wall. But after I set redirect-gateway def1 on the client I can no longer access the network. How should I configure things so that I can reach overseas sites through that server? The server is Windows 2003 Server. Thanks!

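Post #110 got no reply, and the symptom is the classic one. With redirect-gateway def1 every packet from the client enters the server with a 10.8.0.x source address; unless the server forwards it and source-NATs it to its own public address, the reply never comes back and the client loses all connectivity, which is exactly what is described. Added example (mine, not the page's): a shell script that checks a Linux OpenVPN server for both conditions and prints the sysctl and iptables commands that fix them. The VPN subnet and the outside interface are assumptions. The commenter's server is Windows 2003 Server, where the equivalent is enabling NAT for the TAP adapter's subnet (Internet Connection Sharing or RRAS); this page does not cover that setup.

```shell
#!/bin/sh
# Added example, not from the original article: checks whether a Linux OpenVPN
# server can carry client traffic once clients use "redirect-gateway def1".
# The pure functions take their input as arguments so they can be exercised on
# constructed data; check_server() runs them against the live system.
# VPN_NET and WAN_IF are assumptions (the article's 10.8.0.0/24 pool, first NIC).
VPN_NET=${VPN_NET:-10.8.0.0/24}
WAN_IF=${WAN_IF:-eth0}

# forwarding_enabled FILE : FILE is /proc/sys/net/ipv4/ip_forward (or a copy of it).
forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# has_masquerade RULES NET : RULES is the text printed by `iptables -t nat -S POSTROUTING`.
has_masquerade() {
    printf '%s\n' "$1" | grep -q -- "-s $2 .*-j MASQUERADE"
}

# fix_commands NET IF : the commands (run as root) that make both checks pass,
# plus the FORWARD rules needed when the FORWARD chain's policy is DROP.
fix_commands() {
    net=$1; ifc=$2
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$net" "$ifc"
    printf 'iptables -A FORWARD -s %s -i tun+ -o %s -j ACCEPT\n' "$net" "$ifc"
    printf 'iptables -A FORWARD -d %s -i %s -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$net" "$ifc"
}

# check_server : run both checks against the live system; non-zero if anything is missing.
check_server() {
    missing=0
    if forwarding_enabled /proc/sys/net/ipv4/ip_forward; then
        echo "ok: net.ipv4.ip_forward=1"
    else
        echo "MISSING: net.ipv4.ip_forward is 0, the kernel will not route packets from the tunnel"
        missing=1
    fi
    rules=$(iptables -t nat -S POSTROUTING 2>/dev/null || true)
    if has_masquerade "$rules" "$VPN_NET"; then
        echo "ok: MASQUERADE rule for $VPN_NET"
    else
        echo "MISSING: no MASQUERADE rule for $VPN_NET in nat/POSTROUTING"
        missing=1
    fi
    if [ "$missing" -ne 0 ]; then
        echo "to fix, run as root:"
        fix_commands "$VPN_NET" "$WAN_IF"
    fi
    return "$missing"
}

# Usage: VPN_NET=10.8.0.0/24 WAN_IF=eth0 sh check-nat.sh check
if [ "${1:-}" = "check" ]; then
    check_server
fi
```

sysctl -w does not survive a reboot; put net.ipv4.ip_forward = 1 in /etc/sysctl.conf as well, and save the iptables rules with the distribution's mechanism. If IP addresses become reachable after the fix but names still do not resolve, push a resolver from the server (push "dhcp-option DNS ...") because the client's old resolver may not be reachable through the tunnel. The redirect itself can also be pushed from the server (push "redirect-gateway def1") instead of being written into every client config.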
Post #111  Posted 2017-11-30 22:40 | all comments by Susanne
Very good information. Lucky me I found your website by chance (stumbleupon).
I have saved it for later!

111 comments in total, 111 shown.


Programmer XiaoHui, site established in 1997 ◇ Being the best developer I can be is my unchanging ideal.
Copyright © XiaoHui.com; all rights reserved.