On CentOS 4.3 I set up a VPN with openssl; after a client dials in, it cannot reach the internal servers.
openssl host: eth0 217.*.*.*
              eth1 192.168.0.1
Below is my server.conf configuration file; could an expert please advise?
# Which local IP address should OpenVPN
# listen on? (optional)
;local 192.168.0.1

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
proto tcp
#proco tcp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /mnt/software/openvpn-2.0.9/easy-rsa/keys/ca.crt
cert /mnt/software/openvpn-2.0.9/easy-rsa/keys/server.crt
key /mnt/software/openvpn-2.0.9/easy-rsa/keys/server.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /mnt/software/openvpn-2.0.9/easy-rsa/keys/dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 192.168.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients. See man
#     page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel. Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
;push "redirect-gateway"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0  # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
#comp-lzo (commented out)

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nobody

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log         openvpn.log
;log-append  openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 5

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
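Added worked example, not part of the original post or of OpenVPN itself. The sample comments above say the "server" pool is a subnet of its own (the server takes 10.8.0.1, and LANs behind the server are reached by pushing a route to them), but the posted server.conf uses server 192.168.0.0 255.255.255.0, the very subnet eth1 (192.168.0.1) sits on. With both tun0 and eth1 claiming 192.168.0.0/24, client addresses collide with LAN hosts and the server kernel holds two conflicting routes for that network, so packets from the tunnel never reach the internal servers. The POSIX shell script below reads the "server" line out of a server.conf, checks it against the LAN address/mask, and prints the directives that remove the overlap. The constructed server.conf, the LAN arguments and the 10.8.0.0/24 replacement pool are assumptions made for this example; only a plain "server NET MASK" line is handled, not server-bridge.

```shell
#!/bin/sh
# Added example (not from the original post): detect an OpenVPN "server" pool
# that overlaps the LAN the tunnel is meant to reach, and print the fix.
# Assumes "dev tun" routing with a plain "server NET MASK" line.

# ip_to_int 192.168.0.1 -> 3232235521 (subshell so IFS is not clobbered)
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# pool_overlaps_lan POOL_NET POOL_MASK LAN_ADDR LAN_MASK
# Two CIDR ranges share an address iff they agree on the shorter prefix,
# i.e. on the bits common to both masks. Exit status 0 means "overlap".
pool_overlaps_lan() {
    common=$(( $(ip_to_int "$2") & $(ip_to_int "$4") ))
    [ $(( $(ip_to_int "$1") & common )) -eq $(( $(ip_to_int "$3") & common )) ]
}

# pool_from_conf FILE -> "NET MASK" of the first active "server" directive.
# Lines starting with ';' or '#' (like ";server-bridge ...") are skipped.
pool_from_conf() {
    awk '$1 == "server" { print $2, $3; exit }' "$1"
}

# check_conf FILE LAN_ADDR LAN_MASK -> 0 if the pool is distinct from the LAN,
# 1 on overlap, 2 if the file has no "server" directive.
check_conf() {
    pool=$(pool_from_conf "$1")
    [ -n "$pool" ] || { echo "no 'server' directive in $1" >&2; return 2; }
    set -- $pool "$2" "$3"
    if pool_overlaps_lan "$1" "$2" "$3" "$4"; then
        echo "CONFLICT: VPN pool $1/$2 overlaps LAN $3/$4 (clients get addresses the LAN already uses)"
        return 1
    fi
    echo "OK: VPN pool $1/$2 is distinct from LAN $3/$4"
    return 0
}

# print_fix LAN_NET LAN_MASK: directives for a private pool plus a pushed
# route to the LAN, and the forwarding/NAT steps the server still needs.
# 10.8.0.0/24 is an assumed replacement pool; nothing here is applied.
print_fix() {
    cat <<EOF
server 10.8.0.0 255.255.255.0
push "route $1 $2"
# then on the server: echo 1 > /proc/sys/net/ipv4/ip_forward
# and either a return route for 10.8.0.0/24 via the server on the LAN hosts, or
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
EOF
}

# Constructed stand-in for the posted server.conf (only the relevant lines).
conf=$(mktemp)
cat > "$conf" <<'EOF'
port 1194
proto tcp
dev tun
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
server 192.168.0.0 255.255.255.0
client-to-client
EOF
check_conf "$conf" 192.168.0.1 255.255.255.0 || print_fix 192.168.0.0 255.255.255.0
rm -f "$conf"
```

Run it as `sh check_pool.sh`; the constructed file above reports CONFLICT and prints the replacement directives. Moving the pool alone is not enough: with the server acting as a router between tun0 and eth1, IP forwarding must be on, and the LAN hosts must either have a route for the pool back to 192.168.0.1 or be reached through NAT on eth1, exactly as the "push route" comment in the sample warns. One further caveat from the posted file: client-to-client is uncommented, so once the pool is fixed every dial-in client can also reach every other client, which may be more access than a game server network wants.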