
我的目標是將 PC 從網路連接到我家中的本地 VPN,然後存取本地 LAN 中的電腦。
解釋:
****** ************** ****************** *********
* PC * ----------> * ISP-ROUTER * -----> * OPENWRT ROUTER * ------> * My PC *
****** INTERNET ************** DMZ ****************** WLAN *********
OpenWRT路由器透過LAN連接埠而不是WAN連接埠連接,因為ISP路由器已經提供LAN。
OpenWRT 路由器執行 OpenVPN。我可以從外部網路上的 PC(圖中左側的「PC」)連線到我的 VPN,但無法 ping 通「My PC」。
我嘗試了在網路上找到的所有方法,但結果始終相同。OpenWRT 路由器是運行 OpenWRT 12.04 的 Netgear WNDR3700。
以下是我嘗試過的設定,但都沒有成功:
/etc/config/openvpn
# OpenVPN server configuration as first tried (plain OpenVPN syntax, not UCI).
# NOTE(review): on OpenWrt this syntax normally lives in a file under
# /etc/openvpn/; confirm the init script really loads it from /etc/config/openvpn.
port 1194
proto udp
# "dev tun" creates a layer-3 tunnel device; the kernel usually names it tun0.
# The 'vpn' interface in /etc/config/network must use the same device name.
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
# SECURITY: 1024-bit DH parameters are widely considered too weak for an
# Internet-facing service; regenerate with at least 2048 bits.
dh /etc/openvpn/dh1024.pem
# Tunnel subnet: the server takes 10.8.0.1, clients are assigned 10.8.0.x.
server 10.8.0.0 255.255.255.0
# Pushed to clients only: makes them send traffic for the home LAN
# (10.0.0.0/24, the 'lan' interface in /etc/config/network) into the tunnel.
# Nothing in this file installs a corresponding route on the server side.
push "route 10.0.0.0 255.255.255.0"
# client-to-client lets VPN peers talk to each other directly.
client-to-client
# SECURITY: duplicate-cn lets several clients share one certificate, so a lost
# device cannot be revoked individually and there is no per-user accountability.
# Prefer one certificate per client and remove this line.
duplicate-cn
keepalive 10 120
# SECURITY: compression inside the tunnel enables known plaintext-recovery
# attacks (VORACLE class); current OpenVPN guidance is to leave compression off.
comp-lzo
persist-key
persist-tun
status /tmp/openvpn-status.log
verb 3
# NOTE(review): no tls-auth / tls-crypt key is configured, so any host on the
# Internet can start a TLS handshake with the daemon. A static HMAC key is
# cheap hardening for a server exposed through a DMZ.
/etc/config/network
# /etc/config/network — interface definitions (OpenWrt 12.x UCI syntax).
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# The LAN bridge is itself a *host* on the ISP router's 10.0.0.0/24 network:
# static address 10.0.0.5, default gateway 10.0.0.4 (the ISP router).
# Consequence for the VPN: other LAN hosts presumably also default-route to
# 10.0.0.4, so their replies to 10.8.0.x clients only come back through this
# box if the ISP router has a route for 10.8.0.0/24 or the traffic is
# masqueraded toward the LAN (see the firewall zones). Confirm on a LAN host.
config interface 'lan'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '10.0.0.5'
option gateway '10.0.0.4'
option broadcast '10.0.0.255'
# DNS points at a public resolver rather than the ISP router.
option dns '8.8.8.8'
# Bridge members: switch VLAN 1 plus the wireless interfaces.
option ifname 'eth0.1 wlan0 radio1.network1'
option bridge 'true'
# The WAN port (eth1) is left on DHCP but, per the description, the uplink is
# plugged into a LAN port, so Internet traffic does NOT arrive on this
# interface and the firewall's 'wan' zone is effectively idle.
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
# Switch configuration for the RTL8366S: VLAN 1 spans ports 0-3 plus the CPU
# port (5, tagged); presumably this is what br-lan bridges as eth0.1.
config switch
option name 'rtl8366s'
option reset '1'
option enable_vlan '1'
option blinkrate '2'
config switch_vlan
option device 'rtl8366s'
option vlan '1'
option ports '0 1 2 3 5t'
# Per-port LED assignments only; no effect on traffic.
config switch_port
option device 'rtl8366s'
option port '1'
option led '6'
config switch_port
option device 'rtl8366s'
option port '2'
option led '9'
config switch_port
option device 'rtl8366s'
option port '5'
option led '2'
# Unmanaged interface that only gives the tunnel device a UCI name ('vpn') so
# the firewall zone of the same name can bind to it.
# NOTE(review): with "dev tun" OpenVPN normally creates tun0, not tun0-00. If
# the name here does not match the real device (check with `ifconfig` or
# `ip link` while a client is connected), the 'vpn' zone binds to nothing and
# tunnel traffic falls under the firewall defaults (forward REJECT) — a
# plausible reason pings never reach the LAN. The trailing backtick on the
# last line is a paste artifact and is not valid UCI.
config interface 'vpn'
option proto 'none'
option ifname 'tun0-00'`
/etc/config/firewall
# /etc/config/firewall — global defaults and zones.
# Defaults apply to traffic on interfaces that belong to no zone: traffic to
# the router itself is accepted, forwarding between such interfaces is rejected.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# SECURITY: the uplink is plugged into a LAN port (see the description), so
# whatever the ISP router's DMZ forwards from the Internet lands in THIS zone,
# and input ACCEPT exposes every local service (SSH, LuCI, DNS, ...) to it.
# Either move the uplink to the 'wan' zone or set input to REJECT here and
# allow only udp/1194 explicitly.
config zone
option name 'lan'
option network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# Standard wan zone, but eth1 carries no traffic in this topology.
config zone
option name 'wan'
option network 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# VPN clients get unrestricted access to the router (input ACCEPT) and, via
# the forwarding below, to the LAN. masq on this zone NATs packets *leaving*
# through the tunnel toward clients, not packets entering the LAN; if LAN hosts
# cannot route back to 10.8.0.0/24, masquerading belongs on the 'lan' zone.
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option network 'vpn'
# Zone forwardings: LAN may reach the Internet, and LAN and VPN may reach each
# other. There is no wan->lan or wan->vpn forwarding, which is correct.
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option src 'vpn'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'vpn'
# Stock OpenWrt rules for the wan zone (DHCP renew, ping, DHCPv6, ICMPv6).
# Because the uplink is not on the 'wan' zone in this topology they see no
# traffic; they are harmless to keep.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Raw iptables rules from /etc/firewall.user are appended here (file not shown);
# anything in it could override the zone policy above — check it as well.
config include
option path '/etc/firewall.user'
# Intended to open the OpenVPN port, but src 'vpn' only matches packets that
# already arrived THROUGH the tunnel, so it never applies to the handshake
# coming from the Internet. Connections succeed only because the lan zone
# accepts all input. A correct rule uses the zone the uplink actually sits in
# as src, and proto 'udp' (the server listens on UDP only) rather than the
# broader 'tcpudp'.
config rule
option src 'vpn'
option target 'ACCEPT'
option name 'VPN'
option dest_port '1194'
option proto 'tcpudp'
option family 'ipv4'
# Raw printing (tcp/9100) from the LAN to the router itself. Redundant while
# the lan zone already has input ACCEPT; keep it if that policy is tightened.
config rule
option target 'ACCEPT'
option proto 'tcp'
option dest_port '9100'
option name 'Printer 0'
option src 'lan'
我嘗試的所有方法總是得到相同的結果:連接到 VPN 沒問題,但 ping 本地 PC 不起作用。我甚至無法 ping 通路由器的內部 IP。
希望你能幫助我。提前致謝。
答案1
根據這篇文章我發現了問題: 如何以廉價的方式透過互聯網連接多個網絡
在我的設定中,我只把路由推送給客戶端(push "route ..."),卻沒有在伺服器本身加上這條路由。所以我加上了這一行:route 10.0.0.0 255.255.255.0
一切正常。
新的設定檔:
# OpenVPN server configuration from the accepted answer. The only change from
# the question's version is the added server-side "route" line.
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
# SECURITY: 1024-bit DH is weak by current standards; use >= 2048 bits.
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
# Added fix: "route" on the server makes OpenVPN install a kernel route for
# 10.0.0.0/24 via the tunnel at startup. NOTE(review): 10.0.0.0/24 is also this
# router's directly connected LAN, so it is not obvious why this line resolves
# the ping problem; verify with `ip route`, and also make sure LAN hosts
# (default gateway 10.0.0.4, the ISP router) have a way back to 10.8.0.0/24 —
# a static route on the ISP router or masquerading on the lan zone.
route 10.0.0.0 255.255.255.0
# Pushed to clients so they send LAN traffic into the tunnel.
push "route 10.0.0.0 255.255.255.0"
client-to-client
# SECURITY: duplicate-cn lets clients share a certificate; revoking a single
# lost device becomes impossible. One certificate per client is recommended.
duplicate-cn
keepalive 10 120
# SECURITY: tunnel compression (comp-lzo) has known plaintext-recovery attacks
# (VORACLE class); current guidance is to disable it.
comp-lzo
persist-key
persist-tun
status /tmp/openvpn-status.log
verb 3
# NOTE(review): still no tls-auth / tls-crypt; add a static HMAC key so the
# DMZ-exposed UDP port does not answer unauthenticated handshakes.