[Help] Why can't I connect to the OpenVPN I set up on my wireless router?
My router is flashed with OpenWrt, an embedded Linux system, and I installed openvpn on it. I want to use the router as the server and build a VPN over my phone's cmwap connection so it can do what cmnet does. Following the OpenVPN setup guide on the OpenWrt site (see http://wiki.openwrt.org/oldwiki/openvpnhowto) and the DD-WRT OpenVPN setup (see http://www.51nb.com/forum/viewthread.php?tid=594513&highlight=openvpn%2Bcmwap), I set up an OpenVPN bridge. After dialing up from the phone and starting the VPN, it never connects. To test whether my OpenVPN could be reached at all, I later removed the HTTP proxy from the client config and tried connecting to my OpenVPN from a friend's PC (running XP); that didn't connect either. So I know my OpenVPN is not set up correctly, and I'd like to ask everyone for help.
My network environment: a home wireless router on Gehua broadband, which assigns a dynamic IP on every boot.
The router's LAN is set to static and connected to the internal network; the LAN IP is 192.168.21.1
The WAN is set to DHCP; the IP Gehua assigned this time is 219.236.211.81
Server (router) configuration:
port 443
proto tcp-server
dev tap0
keepalive 10 60
comp-lzo
status /etc/openvpn/status.log
verb 3
secret /etc/openvpn/secret.key
push "route 192.168.21.0 255.255.255.0"
Because the IP is dynamic, I use 3322's DynDNS; it is already configured on the server side and updates the IP automatically.
Client (friend's XP desktop) configuration:
dev tap0
secret key.txt
proto tcp-client
remote *****.3322.org 443
keepalive 10 60
resolv-retry infinite
comp-lzo
verb 3
The following rules were added to the server-side firewall:
iptables -I INPUT 1 -p udp --dport 443 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -i tap0 -j ACCEPT
iptables -I FORWARD -i tap0 -j ACCEPT
iptables -I INPUT -i br-lan -j ACCEPT
iptables -I FORWARD -i br-lan -j ACCEPT
Checking the network interfaces on the server (router):
root@OpenWrt:~# ifconfig
br-lan Link encap:Ethernet HWaddr **:**:**:**:**:**
inet addr:192.168.21.1 Bcast:192.168.21.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3075 errors:0 dropped:0 overruns:0 frame:0
TX packets:3419 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:646601 (631.4 KiB) TX bytes:2547549 (2.4 MiB)
br-wan Link encap:Ethernet HWaddr **:**:**:**:**:**
inet addr:219.236.211.81 Bcast:255.255.255.255 Mask:255.255.240.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:17262 errors:0 dropped:0 overruns:0 frame:0
TX packets:2721 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3093299 (2.9 MiB) TX bytes:644354 (629.2 KiB)
eth0 Link encap:Ethernet HWaddr **:**:**:**:**:**
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:17253 errors:0 dropped:0 overruns:0 frame:0
TX packets:3322 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3468509 (3.3 MiB) TX bytes:940590 (918.5 KiB)
Interrupt:5
eth0.0 Link encap:Ethernet HWaddr **:**:**:**:**:**
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:613 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:268734 (262.4 KiB)
eth0.1 Link encap:Ethernet HWaddr **:**:**:**:**:**
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:17262 errors:0 dropped:0 overruns:0 frame:0
TX packets:2721 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3162347 (3.0 MiB) TX bytes:655238 (639.8 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
tap0 Link encap:Ethernet HWaddr **:**:**:**:**:**
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:609 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
wl0 Link encap:Ethernet HWaddr **:**:**:**:**:**
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3056 errors:0 dropped:0 overruns:0 frame:3007
TX packets:3636 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:687379 (671.2 KiB) TX bytes:2636031 (2.5 MiB)
Interrupt:4 Base address:0x1000
root@OpenWrt:~# brctl show
bridge name bridge id STP enabled interfaces
br-lan 8000.0016b6208097 no eth0.0
wl0
tap0
br-wan 8000.0016b6208097 no eth0.1
From the above commands, the bridge has been created and eth0.0, wl0 and tap0 are bridged.
After the VPN server starts, the client can never connect; the result is below. Could someone please analyze where I went wrong?
Sun Dec 06 21:22:00 2009 OpenVPN 2.1_rc22 i686-pc-mingw32 built on Nov 20 2009
Sun Dec 06 21:22:00 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Dec 06 21:22:00 2009 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Dec 06 21:22:00 2009 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 06 21:22:00 2009 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Dec 06 21:22:00 2009 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 06 21:22:00 2009 LZO compression initialized
Sun Dec 06 21:22:00 2009 TAP-WIN32 device [本地連接 4] opened: \\.\Global\{7E8FE64A-B58D-411D-80A7-F8EE52AEB4D4}.tap
Sun Dec 06 21:22:00 2009 TAP-Win32 Driver Version 9.6
Sun Dec 06 21:22:00 2009 TAP-Win32 MTU=1500
Sun Dec 06 21:22:00 2009 Successful ARP Flush on interface {7E8FE64A-B58D-411D-80A7-F8EE52AEB4D4}
Sun Dec 06 21:22:00 2009 Data Channel MTU parms [ L:1579 D:1450 EF:47 EB:135 ET:32 EL:0 AF:3/1 ]
Sun Dec 06 21:22:00 2009 Local Options hash (VER=V4): '30b1d7b8'
Sun Dec 06 21:22:00 2009 Expected Remote Options hash (VER=V4): '810a7623'
Sun Dec 06 21:22:00 2009 Attempting to establish TCP connection with 219.236.211.81:443
Sun Dec 06 21:22:21 2009 TCP: connect to 219.236.211.81:443 failed, will try again in 5 seconds: Network is unreachable (WSAENETUNREACH)
Sun Dec 06 21:22:47 2009 TCP: connect to 219.236.211.81:443 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Sun Dec 06 21:23:13 2009 TCP: connect to 219.236.211.81:443 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Sun Dec 06 21:23:39 2009 TCP: connect to 219.236.211.81:443 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Sun Dec 06 21:24:05 2009 TCP: connect to 219.236.211.81:443 failed, will try again in 5 seconds: Network is unreachable (WSAENETUNREACH)
Sun Dec 06 21:24:31 2009 TCP: connect to 219.236.211.81:443 failed, will try again in 5 seconds: Network is unreachable (WSAENETUNREACH)
Sun Dec 06 21:24:57 2009 TCP: connect to 219.236.211.81:443 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Sun Dec 06 21:25:23 2009 TCP: connect to 219.236.211.81:443 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
[ This post was last edited by happyasqw on 2009-12-7 21:08 ]
《Solution》
Reply to #1, happyasqw's post
I haven't played with OpenWrt on a router.
Overall, I'd judge it is related to the network settings inside the router.
《Solution》
Reply to #2, kns1024wh's post
Thanks kns1024wh. I learned a lot from your personal space, and now I can connect. I added one more rule in the firewall:
iptables -t nat -A prerouting_wan -p tcp --dport 443 -j ACCEPT
iptables -t nat -A prerouting_wan -p udp --dport 443 -j ACCEPT
After that I could connect, but now it is very slow, slower than without the VPN. I don't know whether it's because the home router has too little memory, but anyway, many thanks to kns1024wh for the kind help.
《Solution》
Mine is OpenWrt too, trying it out myself first!
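As an added example (not code from the thread or from OpenVPN), a small Python triage of the client log from post #1: it separates the transport-layer failure shown there (TCP connect never succeeded, which the WAN firewall rule in post #3 fixed) from a static-key mismatch or a tunnel that actually came up. The regexes match standard OpenVPN 2.x client messages; the sample log is constructed from the lines quoted above.

```python
"""Triage an OpenVPN client log: transport failure, key failure, or tunnel up."""
import re
from collections import Counter

# Constructed sample, modelled on the client log quoted in the thread.
SAMPLE_LOG = """\
Sun Dec 06 21:22:00 2009 Attempting to establish TCP connection with 219.236.211.81:443
Sun Dec 06 21:22:21 2009 TCP: connect to 219.236.211.81:443 failed, will try again in 5 seconds: Network is unreachable (WSAENETUNREACH)
Sun Dec 06 21:22:47 2009 TCP: connect to 219.236.211.81:443 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Sun Dec 06 21:23:13 2009 TCP: connect to 219.236.211.81:443 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
"""

# Client never completed the TCP handshake; capture target and Winsock code.
CONNECT_FAIL = re.compile(r"TCP: connect to (\S+) failed.*\((WSA[A-Z]+)\)")
# Emitted in static-key mode when the peer's HMAC does not verify (keys differ).
HMAC_FAIL = re.compile(r"packet HMAC authentication failed")
TUNNEL_UP = re.compile(r"Initialization Sequence Completed")


def triage(log_text):
    """Return (stage, targets, error_counts) for an OpenVPN client log."""
    targets, errors, hmac_failures = set(), Counter(), 0
    for line in log_text.splitlines():
        if TUNNEL_UP.search(line):
            return "established", targets, errors
        if HMAC_FAIL.search(line):
            hmac_failures += 1
        m = CONNECT_FAIL.search(line)
        if m:
            targets.add(m.group(1))
            errors[m.group(2)] += 1
    if hmac_failures:
        return "key", targets, errors        # reached the listener, wrong secret
    if errors:
        return "transport", targets, errors  # never reached the listener
    return "unknown", targets, errors


def explain(stage, errors):
    """Defender-oriented reading of the triage result."""
    if stage == "transport":
        # WSAETIMEDOUT: SYN sent, no SYN-ACK (dropped on the path or at the router
        # firewall). WSAENETUNREACH: the client itself had no route at that moment.
        return ("TCP connect never succeeded (%d timed out, %d no route): the SYN is not "
                "reaching the OpenVPN listener; check the router's WAN firewall/NAT path, "
                "not the key." % (errors["WSAETIMEDOUT"], errors["WSAENETUNREACH"]))
    if stage == "key":
        return "Listener reached but HMAC failed: server and client static keys differ."
    return "Tunnel established." if stage == "established" else "No known failure pattern."


if __name__ == "__main__":
    stage, targets, errors = triage(SAMPLE_LOG)
    print(stage, sorted(targets), dict(errors))
    print(explain(stage, errors))
```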