The server's ETH0 is on VLAN8; ETH1 carries the wireless AP. ETH1's IP address is 192.168.68.100, and it reaches the Internet by forwarding through ETH0. ETH0's gateway is on VLAN8 at 172.16.8.254/24, and ETH0's own address is 172.16.8.20/24.
The router does port mapping: its WAN address is a.b.c.d, and ports 80, 20, 21, 22, 23, 443, 1194, etc. are forwarded.
I have two ideas for how to do this. The first is for FTP users to come in from the Internet via a.b.c.d:60021. That does not work: the reply says the address is not routable. I tested both active and passive mode and neither works; I suspect it is a compatibility issue with FileZilla. Is there any good way around it?
The other idea is for external users to dial in through a VPN set up on the server and receive one of a few specific IP addresses on the ETH1 segment (this is important: inside ETH1 only designated IP addresses may be assigned, and not an address range, because of the firewall; I have set up firewall rules for every usable address individually), so that inside and outside can reach each other.
I have read many OpenVPN tutorials online, but none of them seem to match my situation.
A few other important questions: why, after I have set up the VPN server, can't I see port 1194 listening? Does it only show up when there is a connection?
root@cccsq-server:/etc/openvpn# netstat -anup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:5353 0.0.0.0:* 809/avahi-daemon: r
udp 0 0 172.16.8.20:36178 115.29.164.43:6060 ESTABLISHED 2250/phddns
udp 0 0 0.0.0.0:36199 0.0.0.0:* 809/avahi-daemon: r
udp 0 0 0.0.0.0:10000 0.0.0.0:* 4546/perl
udp 0 0 127.0.0.1:53 0.0.0.0:* 12143/dnsmasq
udp 0 0 192.168.68.100:53 0.0.0.0:* 12143/dnsmasq
udp 0 0 127.0.1.1:53 0.0.0.0:* 1404/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 12143/dnsmasq
udp 0 0 192.168.68.100:123 0.0.0.0:* 4690/ntpd
udp 0 0 172.16.8.20:123 0.0.0.0:* 4690/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 4690/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 4690/ntpd
udp 0 0 192.168.68.255:137 0.0.0.0:* 2238/nmbd
udp 0 0 192.168.68.100:137 0.0.0.0:* 2238/nmbd
udp 0 0 172.16.8.255:137 0.0.0.0:* 2238/nmbd
udp 0 0 172.16.8.20:137 0.0.0.0:* 2238/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 2238/nmbd
udp 0 0 192.168.68.255:138 0.0.0.0:* 2238/nmbd
udp 0 0 192.168.68.100:138 0.0.0.0:* 2238/nmbd
udp 0 0 172.16.8.255:138 0.0.0.0:* 2238/nmbd
udp 0 0 172.16.8.20:138 0.0.0.0:* 2238/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 2238/nmbd
udp 0 0 0.0.0.0:631 0.0.0.0:* 2388/cups-browsed
udp6 0 0 :::5353 :::* 809/avahi-daemon: r
udp6 0 0 fe80::204:5fff:fe04:123 :::* 4690/ntpd
udp6 0 0 fe80::204:5fff:fe04:123 :::* 4690/ntpd
udp6 0 0 ::1:123 :::* 4690/ntpd
udp6 0 0 :::123 :::* 4690/ntpd
udp6 0 0 :::58144 :::* 809/avahi-daemon: r
Also: can UDP and TCP ports both be enabled in server.conf at the same time?
Another question: what is the ipp.txt file for?
Another question: some online tutorials are not very clear about the IP addresses in server.conf and client.conf, and I don't know what they are for. For example:
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap0
;dev tun
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
The last two lines tell the client to use OpenVPN as its default gateway and 10.8.0.1 as its DNS server. Note that 10.8.0.1 is the IP of the tunnel interface that OpenVPN creates automatically at startup. If clients use some other name resolution service, we have to guard against insecure DNS servers. To avoid that kind of leak, we recommend that all OpenVPN clients use 10.8.0.1 as their DNS server.
10.8.0.1 is the IP of the tunnel interface OpenVPN creates at startup, so how do I replace it with a 192.x address for my situation?
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 172.16.8.20 255.255.255.0
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt
# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 172.16.8.20 255.255.255.0 172.16.8.120 172.16.8.150
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
push "route 192.168.68.0 255.255.255.0"
push "redirect-gateway def1"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 192.168.68.100"
remote 222.173.11.62 1194
What client tool is most convenient for dialing in? The clients are all Windows systems; do I just use the system's built-in dial-up connection?
How can I test my OpenVPN from inside the LAN?
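The following is an added example, not part of the post above and not anything the poster has tried. It shows the ethernet-bridging (tap) layout that the sample server.conf comments describe, applied to the ETH1 segment from the post: eth1 and a tap device are bridged into br0, which takes over 192.168.68.100, and OpenVPN's server-bridge directive hands out addresses on 192.168.68.0/24. Because one OpenVPN process serves exactly one protocol, UDP and TCP get separate config files, each with its own tap device and pool. Clients that need a fixed, individually firewalled address get it from a per-certificate file in ccd/ via ifconfig-push, so the client-to-address mapping stays stable across reconnects; everything else comes from the pool. The bridge name br0, the tap devices tap0/tap1, the certificate file names, the client CN "laptop1" and its address 192.168.68.201 are placeholders assumed for the example, and the pool ranges are chosen arbitrarily.

```shell
#!/bin/sh
# Added example (not from the original post): OpenVPN ethernet bridging on
# the ETH1 segment 192.168.68.0/24. Placeholders assumed here: bridge br0,
# tap devices tap0/tap1, bridge-utils installed, certificate file names,
# client CN "laptop1" with fixed address 192.168.68.201, pool ranges.
set -eu

ETH=eth1                  # interface carrying the wireless AP
BR=br0                    # bridge that replaces eth1 as the L3 interface
BR_IP=192.168.68.100      # the address eth1 had, now assigned to br0
BR_MASK=255.255.255.0
BR_BCAST=192.168.68.255
UDP_TAP=tap0              # one tap per OpenVPN process: a tap device
TCP_TAP=tap1              # cannot be opened by two processes at once

# Build the bridge (run as root before starting OpenVPN). This mirrors the
# bridge-start script shipped with OpenVPN: eth1 and the tap devices become
# ports of br0 and the host IP moves from eth1 to br0.
bridge_start() {
    brctl addbr "$BR"
    for tap in "$UDP_TAP" "$TCP_TAP"; do
        openvpn --mktun --dev "$tap"
        ifconfig "$tap" 0.0.0.0 promisc up
        brctl addif "$BR" "$tap"
    done
    ifconfig "$ETH" 0.0.0.0 promisc up
    brctl addif "$BR" "$ETH"
    ifconfig "$BR" "$BR_IP" netmask "$BR_MASK" broadcast "$BR_BCAST"
}

# Write the OpenVPN files into DIR (/etc/openvpn on the real server).
# One OpenVPN process serves one protocol, so UDP and TCP get separate
# config files, each with its own tap device, address pool and ipp file.
write_configs() {
    dir=$1
    mkdir -p "$dir/ccd"
    for proto in udp tcp; do
        if [ "$proto" = udp ]; then
            tap=$UDP_TAP; pool="192.168.68.200 192.168.68.204"
        else
            tap=$TCP_TAP; pool="192.168.68.205 192.168.68.209"
        fi
        cat > "$dir/server-$proto.conf" <<EOF
port 1194
proto $proto
dev $tap
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# bridge gateway + netmask, then the pool for clients without a ccd file
server-bridge $BR_IP $BR_MASK $pool
# per-client fixed addresses live in ccd/<certificate CN>
client-config-dir ccd
ifconfig-pool-persist ipp-$proto.txt
# route all client traffic through the VPN; DNS is the dnsmasq on ETH1
push "redirect-gateway def1"
push "dhcp-option DNS $BR_IP"
keepalive 10 120
persist-key
persist-tun
verb 3
EOF
    done
    # Fixed address for the client whose certificate CN is "laptop1".
    # In tap mode the second argument of ifconfig-push is the netmask.
    cat > "$dir/ccd/laptop1" <<EOF
ifconfig-push 192.168.68.201 $BR_MASK
EOF
    # Matching client profile; the Windows OpenVPN GUI reads .ovpn files.
    cat > "$dir/client-laptop1.ovpn" <<EOF
client
dev tap
proto udp
remote a.b.c.d 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert laptop1.crt
key laptop1.key
verb 3
EOF
}

# Only touch the system when invoked as: sh thisscript.sh apply
if [ "${1:-}" = apply ]; then
    write_configs /etc/openvpn
    bridge_start
fi
```

Run as root with the `apply` argument, then start `openvpn --config /etc/openvpn/server-udp.conf` (and the tcp one if wanted); the ifconfig-pool-persist files are created by OpenVPN itself and record client-to-address assignments. As soon as a process is up, `netstat -anup` shows a `0.0.0.0:1194` line owned by openvpn; no such line appears in the listing earlier in the post. The firewall must allow traffic on br0 and the tap devices, and since a ccd entry ties an address to a certificate CN, the existing per-address rules on the ETH1 side keep applying to the same client. For a LAN test, copy the .ovpn and the client's certificate files to a Windows host on the 172.16.8.0/24 side, install the OpenVPN GUI from openvpn.net, and temporarily change `remote` to 172.16.8.20 1194 so the connection does not have to go through the router's port mapping.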