Windows 2012 서버에서 OpenVPN 서버를 실행하고 있습니다. 완벽하게 작동하며 iPhone과 iPad에서 VPN에 연결할 수 있고 모든 웹 트래픽이 VPN을 통해 라우팅되며 iOS 원격 데스크톱 앱을 사용하여 네트워크에 있는 장치에 원격으로 연결할 수 있습니다.
iOS 장치와 동일한 클라이언트 프로필을 사용하여 Windows 10 노트북에 OpenVPN 앱을 설치했는데, 연결이 가능하지만 인터넷이나 LAN의 모든 장치에 액세스할 수 없습니다.
DNS가 작동하는 것 같습니다. 도메인 이름을 핑하려고 하면 IP가 확인되지만 요청 시간 초과가 발생합니다.
VPN 게이트웨이 10.8.0.1에도 핑을 보낼 수 없습니다.
이것은 내 서버 구성입니다.
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
push "redirect-gateway local def1"
push "dhcp-option DNS 8.8.8.8"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
ca "C:\\Program Files (x86)\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files (x86)\\OpenVPN\\config\\server.crt"
key "C:\\Program Files (x86)\\OpenVPN\\config\\server.key"
dh "C:\\Program Files (x86)\\OpenVPN\\config\\dh1024.pem"
이것은 내 클라이언트 구성입니다.
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
그리고 이것은 가장 최근 연결의 로그입니다.
Mon Jan 16 13:45:08 2017 OpenVPN 2.4.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 27 2016
Mon Jan 16 13:45:08 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Mon Jan 16 13:45:08 2017 library versions: OpenSSL 1.0.2i 22 Sep 2016, LZO 2.09
Enter Management Password:
Mon Jan 16 13:45:08 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Jan 16 13:45:08 2017 Need hold release from management interface, waiting...
Mon Jan 16 13:45:09 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Mon Jan 16 13:45:09 2017 MANAGEMENT: CMD 'state on'
Mon Jan 16 13:45:09 2017 MANAGEMENT: CMD 'log all on'
Mon Jan 16 13:45:09 2017 MANAGEMENT: CMD 'hold off'
Mon Jan 16 13:45:09 2017 MANAGEMENT: CMD 'hold release'
Mon Jan 16 13:45:09 2017 MANAGEMENT: >STATE:1484574309,RESOLVE,,,,,,
Mon Jan 16 13:45:09 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
Mon Jan 16 13:45:09 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Jan 16 13:45:09 2017 UDP link local: (not bound)
Mon Jan 16 13:45:09 2017 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Mon Jan 16 13:45:09 2017 MANAGEMENT: >STATE:1484574309,WAIT,,,,,,
Mon Jan 16 13:45:09 2017 MANAGEMENT: >STATE:1484574309,AUTH,,,,,,
Mon Jan 16 13:45:09 2017 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=153bc069 fc314ff6
Mon Jan 16 13:45:10 2017 VERIFY OK: depth=1, C=UK, ST=...
Mon Jan 16 13:45:10 2017 VERIFY OK: nsCertType=SERVER
Mon Jan 16 13:45:10 2017 VERIFY OK: depth=0, C=UK, ST=...
Mon Jan 16 13:45:10 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Jan 16 13:45:10 2017 [server] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:1194
Mon Jan 16 13:45:11 2017 MANAGEMENT: >STATE:1484574311,GET_CONFIG,,,,,,
Mon Jan 16 13:45:11 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Jan 16 13:45:11 2017 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,redirect-gateway local def1,dhcp-option DNS 8.8.8.8,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Mon Jan 16 13:45:11 2017 OPTIONS IMPORT: timers and/or timeouts modified
Mon Jan 16 13:45:11 2017 OPTIONS IMPORT: --ifconfig/up options modified
Mon Jan 16 13:45:11 2017 OPTIONS IMPORT: route options modified
Mon Jan 16 13:45:11 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Jan 16 13:45:11 2017 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jan 16 13:45:11 2017 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Mon Jan 16 13:45:11 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jan 16 13:45:11 2017 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jan 16 13:45:11 2017 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Mon Jan 16 13:45:11 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jan 16 13:45:11 2017 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Mon Jan 16 13:45:11 2017 interactive service msg_channel=536
Mon Jan 16 13:45:11 2017 ROUTE_GATEWAY 172.20.10.1/255.255.255.240 I=12 HWADDR=14:10:9f:ce:13:73
Mon Jan 16 13:45:11 2017 open_tun
Mon Jan 16 13:45:11 2017 TAP-WIN32 device [Ethernet 4] opened: \\.\Global\{27AC27A1-A13C-4E12-B90F-C2797B3E8157}.tap
Mon Jan 16 13:45:11 2017 TAP-Windows Driver Version 9.21
Mon Jan 16 13:45:11 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {27AC27A1-A13C-4E12-B90F-C2797B3E8157} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Mon Jan 16 13:45:11 2017 Successful ARP Flush on interface [6] {27AC27A1-A13C-4E12-B90F-C2797B3E8157}
Mon Jan 16 13:45:11 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Jan 16 13:45:11 2017 MANAGEMENT: >STATE:1484574311,ASSIGN_IP,,10.8.0.6,,,,
Mon Jan 16 13:45:16 2017 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
Mon Jan 16 13:45:16 2017 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Mon Jan 16 13:45:16 2017 Route addition via service succeeded
Mon Jan 16 13:45:16 2017 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Mon Jan 16 13:45:16 2017 Route addition via service succeeded
Mon Jan 16 13:45:16 2017 MANAGEMENT: >STATE:1484574316,ADD_ROUTES,,,,,,
Mon Jan 16 13:45:16 2017 C:\WINDOWS\system32\route.exe ADD 192.168.0.0 MASK 255.255.255.0 10.8.0.5
Mon Jan 16 13:45:16 2017 Route addition via service succeeded
Mon Jan 16 13:45:16 2017 C:\WINDOWS\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.5
Mon Jan 16 13:45:16 2017 Route addition via service succeeded
Mon Jan 16 13:45:16 2017 Initialization Sequence Completed
Mon Jan 16 13:45:16 2017 MANAGEMENT: >STATE:1484574316,CONNECTED,SUCCESS,10.8.0.6,xxx.xxx.xxx.xxx,1194,,
어디서부터 시작해야 할지 아이디어가 있나요?
답변1
연결되어 있는 동안 Windows 10 클라이언트의 라우팅 테이블을 보여 주시겠어요?
C:\> route print
클라이언트 로그에 따르면 OpenVPN 클라이언트는 원래 기본 게이트웨이(연결이 설정되기 전에 사용된 게이트웨이)를 통해 OpenVPN 서버에 고정 경로를 추가하지 않았습니다. 이는 경로가 없기 때문에 OpenVPN 클라이언트 패킷이 서버에 도달하는 것을 방지합니다. 다음 줄을 교체하여 서버 구성을 변경하는 것이 좋습니다.
push "redirect-gateway local def1"
다음 중 하나를 사용하세요.
push "redirect-gateway autolocal def1"
push "redirect-gateway def1"
참조:
$ man 8 openvpn
--redirect-gateway flags...
Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN. This is a client-side option.
This option performs three steps:
(1) Create a static route for the --remote address which forwards to the pre-existing default gateway. This is done so that (3) will not create a routing loop.
(2) Delete the default gateway route.
(3) Set the new default gateway to be the VPN endpoint address (derived either from --route-gateway or the second parameter to --ifconfig when --dev tun is specified).
When the tunnel is torn down, all of the above steps are reversed so that the original default route is restored.
Option flags:
local -- Add the local flag if both OpenVPN servers are directly connected via a common subnet, such as with wireless. The local flag will cause step 1 above to be omit‐
ted.
autolocal -- Try to automatically determine whether to enable local flag above.
def1 -- Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the
original default gateway.
bypass-dhcp -- Add a direct route to the DHCP server (if it is non-local) which bypasses the tunnel (Available on Windows clients, may not be available on non-Windows
clients).
bypass-dns -- Add a direct route to the DNS server(s) (if they are non-local) which bypasses the tunnel (Available on Windows clients, may not be available on non-Windows
clients).
block-local -- Block access to local LAN when the tunnel is active, except for the LAN gateway itself. This is accomplished by routing the local LAN (except for the LAN
gateway address) into the tunnel.
ipv6 -- Redirect IPv6 routing into the tunnel. This works similar to the def1 flag, that is, more specific IPv6 routes are added (2000::/4, 3000::/4), covering the whole
IPv6 unicast space.
!ipv4 -- Do not redirect IPv4 traffic - typically used in the flag pair ipv6 !ipv4 to redirect IPv6-only.
답변2
이전 버전의 OpenVPN-GUI에서 이는 라우팅 테이블을 변경하는 데 필요한 관리 권한으로 OpenVPN.exe 파일이 실행되지 않는 증상이었습니다.
으로 라우팅 테이블을 연결하고 확인합니다 netstat -rn. 원격 네트워크에 대한 경로가 없으면 openvpn.exe 바이너리를 찾아 관리자로 실행되도록 변경합니다.
답변3
당연하게 들릴 수도 있지만 Windows 10에서 방화벽을 비활성화해 보셨나요? 또 다른 옵션은 주소 지정을 다시 확인하는 것입니다. 로그에 따르면 게이트웨이 주소가 10.8.0.1이 아닌 10.8.0.5인 것 같습니다.
답변4
저처럼 타사 VPN 제공업체에서 자체 OpenVPN 서버로 전환한 경우 OpenVPN을 포함하여 시스템에 있는 모든 VPN 클라이언트를 제거해야 합니다. 모든 구성 및 레지스트리 항목을 삭제했는지 확인하십시오. 그런 다음 OpenVPN을 깨끗하고 새롭게 다시 설치하세요. 다른 VPN 클라이언트는 아마도 OpenVPN 클라이언트를 기반으로 하며 TAP 어댑터 및 구성을 공유하므로 올바른 클라이언트가 아닐 수도 있습니다.
또한,자동 설치 프로그램서버 측에서는 서버 구성에서 발생할 수 있는 실수를 처리하는 데 도움이 됩니다.