OpenVPN server does not respond to client pings.


The OpenVPN client appears to initialize on a CentOS 7 client virtual machine. However, when the client sends a ping, it is not clear whether the server responds.

Specifically,

ping 10.8.0.0 from the client does not get a response from the server.
ping 10.8.0.1 from the client does get a response, but is it coming from the server?
ping 10.0.2.2 from the client does get a response, but is it coming from the server?

How should these ping responses be interpreted? Is the server responding to the ping requests? If not, what specific change is needed for the server to respond to the client's ping?


Current setup:
On the server, server.conf is:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  
dh dh2048.pem
server 10.8.0.0 255.255.255.0
route 10.8.1.0 255.255.255.0 
route 10.8.2.0 255.255.255.0 
client-config-dir ccd 
client-to-client 
ifconfig-pool-persist ipp.txt
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

Also on the server, the two files in the /etc/openvpn/ccd directory referenced in server.conf above are as follows.

/etc/openvpn/ccd/administrators, which contains only this line:

ifconfig-push 10.8.1.1 10.8.1.2

and /etc/openvpn/ccd/otherorgs, which contains only this line:

ifconfig-push 10.8.2.1 10.8.2.2

The firewalld configuration on the server is:

[root@hostname easy-rsa]# firewall-cmd --get-default-zone
public
[root@hostname easy-rsa]# firewall-cmd --get-active-zones
internal
  interfaces: tun0
public
  interfaces: enp3s0
[root@hostname easy-rsa]# firewall-cmd --list-all
public (default, active)
  interfaces: enp3s0
  sources: 
  services: dhcpv6-client http imaps openvpn smtp ssh
  ports: 
  masquerade: yes
  forward-ports: 
  icmp-blocks: 
  rich rules: 
[root@hostname easy-rsa]# firewall-cmd --zone=internal --list-all
internal (active)
  interfaces: tun0
  sources: 
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="10.8.1.0/24" service name="https_others" accept
    rule family="ipv4" source address="10.8.1.0/24" service name="https" accept
    rule family="ipv4" source address="10.8.0.0/24" service name="https" accept
    rule family="ipv4" source NOT address="10.8.1.1" service name="ssh" reject
    rule family="ipv4" source address="10.8.2.0/24" service name="https_others" accept
[root@hostname easy-rsa]# 

On the client, client.ovpn is:

client
dev tun
proto udp
remote ip.addr.of.server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ca /etc/openvpn/ca.crt
cert /etc/openvpn/centos_vm1_client.crt
key /etc/openvpn/centos_vm1_client.key

The client appears to have started, since it produces the following log:

[user@localhost openvpn]$ sudo openvpn --config ~/openvpn_config/client.ovpn
[sudo] password for user: 
Wed Jun 15 16:52:23 2016 OpenVPN 2.3.11 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on May 10 2016
Wed Jun 15 16:52:23 2016 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Wed Jun 15 16:52:23 2016 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Jun 15 16:52:23 2016 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jun 15 16:52:23 2016 UDPv4 link local: [undef]
Wed Jun 15 16:52:23 2016 UDPv4 link remote: [AF_INET]ip.addr.of.server:1194
Wed Jun 15 16:52:23 2016 TLS: Initial packet from [AF_INET]ip.addr.of.server:1194, sid=40ea5916 7f5543b1
Wed Jun 15 16:52:23 2016 VERIFY OK: depth=1, C=UK, ST=RW, L=SomeCity, O=OrganizationName, OU=MyOrganizationalUnit, CN=somedomain.com, name=server, [email protected]
Wed Jun 15 16:52:23 2016 VERIFY OK: depth=0, C=UK, ST=RW, L=SomeCity, O=OrganizationName, OU=MyOrganizationalUnit, CN=server, name=server, [email protected]
Wed Jun 15 16:52:24 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 15 16:52:24 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 15 16:52:24 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 15 16:52:24 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 15 16:52:24 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Jun 15 16:52:24 2016 [server] Peer Connection Initiated with [AF_INET]ip.addr.of.server:1194
Wed Jun 15 16:52:26 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Jun 15 16:52:27 2016 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.18 10.8.0.17'
Wed Jun 15 16:52:27 2016 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jun 15 16:52:27 2016 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jun 15 16:52:27 2016 OPTIONS IMPORT: route options modified
Wed Jun 15 16:52:27 2016 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:d5:85:a9
Wed Jun 15 16:52:27 2016 TUN/TAP device tun0 opened
Wed Jun 15 16:52:27 2016 TUN/TAP TX queue length set to 100
Wed Jun 15 16:52:27 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Jun 15 16:52:27 2016 /usr/sbin/ip link set dev tun0 up mtu 1500
Wed Jun 15 16:52:27 2016 /usr/sbin/ip addr add dev tun0 local 10.8.0.18 peer 10.8.0.17
Wed Jun 15 16:52:27 2016 /usr/sbin/ip route add 10.8.0.1/32 via 10.8.0.17
Wed Jun 15 16:52:27 2016 Initialization Sequence Completed


Ping results:
Opening a new terminal on the client and pinging the server address given in server.conf above gets no response.

[user@localhost ~]$ ping 10.8.0.0
PING 10.8.0.0 (10.8.0.0) 56(84) bytes of data.  

However, pinging the two IP addresses given in the OpenVPN startup log above produced the following responses:

[user@localhost ~]$ ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=91.1 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=93.1 ms
...
^C
--- 10.8.0.1 ping statistics ---
14 packets transmitted, 14 received, 0% packet loss, time 13013ms
rtt min/avg/max/mdev = 89.449/93.387/101.522/2.731 ms
[user@localhost ~]$ ping 10.0.2.2
PING 10.0.2.2 (10.0.2.2) 56(84) bytes of data.
64 bytes from 10.0.2.2: icmp_seq=1 ttl=63 time=0.245 ms
64 bytes from 10.0.2.2: icmp_seq=2 ttl=63 time=0.429 ms
...
^C
--- 10.0.2.2 ping statistics ---
9 packets transmitted, 9 received, 0% packet loss, time 8009ms
rtt min/avg/max/mdev = 0.170/0.410/0.558/0.117 ms
[user@localhost ~]$ 

Answer 1

From the OpenVPN man page:

   --server network netmask ['nopool']
          A helper directive designed to  simplify  the  configuration  of
          OpenVPN's  server  mode.   This directive will set up an OpenVPN
          server which will allocate addresses to clients out of the given
          network/netmask.   The  server itself will take the ".1" address
          of the given network for use as the server-side endpoint of  the
          local TUN/TAP interface.

And from openvpn.conf (at least on my CentOS 7):

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

As you can see, you cannot ping 10.8.0.0 because it is the network address. The server is assigned the first address, which in your case is 10.8.0.1.

As you see, ping 10.8.0.1 works and takes 90 milliseconds. The delay is there because it is the remote side of the VPN from the client.

ping 10.0.2.2 is fine too. It only takes 0.2 ms. That is the local side.

So the conclusion is - everything is fine.
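As an added example (not part of the answer or the original post), the following Python rebuilds the client's routing table from the log in the question and shows which interface each pinged address actually leaves through, which is what decides whether the server can answer at all. The 10.0.2.0/24 connected route is an assumption derived from the ROUTE_GATEWAY netmask in the log.

```python
# Added example: reproduce the client's routing decisions from the log above.
# Routes are constructed from "ip route add 10.8.0.1/32 via 10.8.0.17",
# "ip addr add dev tun0 local 10.8.0.18 peer 10.8.0.17" and
# "ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=enp0s3"; the 10.0.2.0/24
# connected route is assumed from that netmask.
import ipaddress

# (destination, gateway or None for on-link, interface) -- constructed
CLIENT_ROUTES = [
    ("10.8.0.1/32", "10.8.0.17", "tun0"),   # pushed host route to the server
    ("10.8.0.17/32", None, "tun0"),         # peer end of the client's net30 /30
    ("10.0.2.0/24", None, "enp0s3"),        # assumed LAN of the VM's NIC
    ("0.0.0.0/0", "10.0.2.2", "enp0s3"),    # default via the physical gateway
]
VPN_SUBNET = ipaddress.ip_network("10.8.0.0/24")   # from the `server` directive
SERVER_ADDR = VPN_SUBNET.network_address + 1        # ".1" per the man page


def lookup_route(dst, routes=CLIENT_ROUTES):
    """Longest-prefix match over the constructed table, as the kernel FIB does."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev in routes:
        n = ipaddress.ip_network(net)
        if ip in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, dev)
    return best


def classify(dst):
    """Explain what a ping to `dst` from this client is really testing."""
    ip = ipaddress.ip_address(dst)
    net, gw, dev = lookup_route(dst)
    if ip == VPN_SUBNET.network_address:
        # Only a host route to 10.8.0.1 was pushed, so the network address
        # does not even match tun0; it falls to the default route.
        return (f"{dst} is the VPN network address, not a host; it leaves via "
                f"{dev} (default route) and nothing will answer")
    if ip == SERVER_ADDR:
        return f"{dst} is the server's tun endpoint, reached via {gw} on {dev}"
    if dev.startswith("tun"):
        return f"{dst} goes over the VPN on {dev}"
    return f"{dst} never enters the VPN; it is handled locally on {dev}"


if __name__ == "__main__":
    for target in ("10.8.0.0", "10.8.0.1", "10.0.2.2"):
        print(classify(target))
```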
