openvpn 不会将流量路由到客户端子网

我已经在我的 ubuntu 服务器上配置了 openvpn (

OpenVPN 2.4.12 x86_64-pc-linux-gnu

)。 我的 openvpn 客户端（使用 openwrt 路由器）能够使用我的 openvpn 服务器设置 VPN。 问题是我无法从 openvpn 服务器访问我的客户端专用网络 (192.168.8.0/24)。

openvpn 服务器：IP

192.168.2.12

(tun0

10.8.0.1

) openvpn 客户端: IP

192.168.8.1

(tun0

10.8.0.4

)

从我的 openvpn 服务器我可以 ping 到

10.8.0.4

，但不能 ping 到

192.168.8.1

在我的 openvpn 服务器上使用

tcpdump -i tun0

，我发现当我 ping

192.168.8.1

时，我的

tun0

接口上看不到 ping 流量。所以它没有将

192.168.8.1

路由到我的隧道。 Traceroute 也证实了这一点，它显示它将

192.168.8.1

发送到我的路由器 (

192.168.2.1

):

root@nuc2:~# traceroute 192.168.8.1
traceroute to 192.168.8.1 (192.168.8.1), 64 hops max
  1   192.168.2.1  0,210ms  0,226ms  * 
  2   *  *  * 

仅供参考，从我的 openvpn 服务器到我的 vpn 客户端的 VPN IP 地址的跟踪路由给出以下内容：

traceroute to 10.8.0.4 (10.8.0.4), 64 hops max
  1   10.8.0.4  7,268ms  7,170ms  6,670ms 
root@nuc2:~# 

这是我的

/etc/openvpn/server/server.conf

文件：

ocal 192.168.2.12
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
route 192.168.8.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 192.168.2.1"
push "dhcp-option DOMAIN lan"
push "dhcp-option DOMAIN-SEARCH lan"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
client-config-dir /etc/openvpn/client

我还创建了一个文件

/etc/openvpn/client/gl-inet.conf

，其中包含以下内容，我认为这可以确保将我的 openvpn 服务器上的子网 192.168.8.0/24 流量路由到 VPN：

iroute 192.168.8.0 255.255.255.0

请注意，在 openvpn 服务器上的日志文件（使用命令

tail -f /var/log/syslog | grep -i vpn

）中，我没有看到任何指示该文件 (

gl-inet.conf

) 已被读取或该路由已被处理。因此，名称

gl-inet.conf

可能不正确，或者需要执行一些额外操作来确保处理客户端配置文件。

仅供参考

tail -f /var/log/syslog | grep -i vpn

的摘录：

Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 TLS: Initial packet from [AF_INET]192.168.2.1:44409, sid=577f0ed8 416e3b2c
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 VERIFY OK: depth=1, CN=ChangeMe
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 VERIFY OK: depth=0, CN=gl-inet
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 peer info: IV_VER=2.5.2
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 peer info: IV_PLAT=linux
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 peer info: IV_PROTO=6
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 peer info: IV_NCP=2
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-256-CBC
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 peer info: IV_LZ4=1
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 peer info: IV_LZ4v2=1
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 peer info: IV_LZO_STUB=1
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 peer info: IV_COMP_STUB=1
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 peer info: IV_COMP_STUBv2=1
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 peer info: IV_TCPNL=1
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Jan 21 10:38:23 nuc2 openvpn[5147]: 192.168.2.1:44409 [gl-inet] Peer Connection Initiated with [AF_INET]192.168.2.1:44409
Jan 21 10:38:23 nuc2 openvpn[5147]: MULTI: new connection by client 'gl-inet' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Jan 21 10:38:23 nuc2 openvpn[5147]: MULTI_sva: pool returned IPv4=10.8.0.4, IPv6=(Not enabled)
Jan 21 10:38:23 nuc2 openvpn[5147]: MULTI: Learn: 10.8.0.4 -> gl-inet/192.168.2.1:44409
Jan 21 10:38:23 nuc2 openvpn[5147]: MULTI: primary virtual IP for gl-inet/192.168.2.1:44409: 10.8.0.4
Jan 21 10:38:25 nuc2 openvpn[5147]: gl-inet/192.168.2.1:44409 PUSH: Received control message: 'PUSH_REQUEST'
Jan 21 10:38:25 nuc2 openvpn[5147]: gl-inet/192.168.2.1:44409 SENT CONTROL [gl-inet]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 192.168.2.1,dhcp-option DOMAIN lan,dhcp-option DOMAIN-SEARCH lan,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.4 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Jan 21 10:38:25 nuc2 openvpn[5147]: gl-inet/192.168.2.1:44409 Data Channel: using negotiated cipher 'AES-256-GCM'
Jan 21 10:38:25 nuc2 openvpn[5147]: gl-inet/192.168.2.1:44409 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 21 10:38:25 nuc2 openvpn[5147]: gl-inet/192.168.2.1:44409 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

我还在我的 openvpn 服务器网络的路由器上定义了到我的 openvpn 服务器的静态路由。