I have searched Google, but I have not found an answer to my question.
Question: I have an AWS EC2 server running OpenVPN, and a Windows 10 client. I rebooted the whole AWS EC2 server with "sudo reboot". After the reboot the client (Windows 10) can connect, but I cannot open any website.
(After the EC2 server is rebooted, OpenVPN lets me connect from the client, but I cannot open any website.) So now I am trying here.
I get the following client log:
Sun May 14 20:10:28 2017 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Sun May 14 20:10:28 2017 OpenVPN 2.4.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on May 11 2017
Sun May 14 20:10:28 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Sun May 14 20:10:28 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.10
Enter Management Password:
Sun May 14 20:10:28 2017 open_tun
Sun May 14 20:10:28 2017 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{5E768F9D-FF78-47F1-A881-B6F6132019B6}.tap
Sun May 14 20:10:28 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.4.0.2/255.255.255.252 on interface {5E768F9D-FF78-47F1-A881-B6F6132019B6} [DHCP-serv: 10.4.0.1, lease-time: 31536000]
Sun May 14 20:10:29 2017 Successful ARP Flush on interface [8] {5E768F9D-FF78-47F1-A881-B6F6132019B6}
Sun May 14 20:10:29 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun May 14 20:10:29 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]ec2-ip:1194
Sun May 14 20:10:29 2017 Attempting to establish TCP connection with [AF_INET]ec2-ip:1194 [nonblock]
Sun May 14 20:10:30 2017 TCP connection established with [AF_INET]ec2-ip:1194
Sun May 14 20:10:30 2017 TCP_CLIENT link local: (not bound)
Sun May 14 20:10:30 2017 TCP_CLIENT link remote: [AF_INET]ec2-ip:1194
Sun May 14 20:10:39 2017 Peer Connection Initiated with [AF_INET]ec2-ip:1194
Sun May 14 20:10:45 2017 Initialization Sequence Completed
My configuration is the same as in http://envyandroid.com/setup-free-private-vpn-on-amazon-ec2/
port 1194
proto tcp-server
dev tun1
ifconfig 10.4.0.1 10.4.0.2
status server-tcp.log
verb 3
secret ovpn.key
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
cipher AES-256-CBC
The client configuration is:
proto tcp-client
remote ec2-ip
port 1194
dev tun
secret ovpn.key
redirect-gateway def1
ifconfig 10.4.0.2 10.4.0.1
cipher AES-256-CBC
Server log:
Sun May 14 21:23:10 2017 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Sun May 14 21:23:10 2017 OpenVPN 2.4.1 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 3 2017
Sun May 14 21:23:10 2017 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Sun May 14 21:23:10 2017 Outgoing Static Key Encryption: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun May 14 21:23:10 2017 Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun May 14 21:23:10 2017 Incoming Static Key Encryption: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun May 14 21:23:10 2017 Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun May 14 21:23:10 2017 TUN/TAP device tun1 opened
Sun May 14 21:23:10 2017 TUN/TAP TX queue length set to 100
Sun May 14 21:23:10 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun May 14 21:23:10 2017 /sbin/ip link set dev tun1 up mtu 1500
Sun May 14 21:23:10 2017 /sbin/ip addr add dev tun1 local 10.4.0.1 peer 10.4.0.2
Sun May 14 21:23:10 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sun May 14 21:23:10 2017 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sun May 14 21:23:10 2017 Listening for incoming TCP connection on [AF_INET][undef]:1194
Sun May 14 21:24:32 2017 TCP connection established with [AF_INET]:50479
Sun May 14 21:24:32 2017 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Sun May 14 21:24:32 2017 TCPv4_SERVER link remote: [AF_INET]my-windows10-local-ip:50479
Sun May 14 21:24:32 2017 Peer Connection Initiated with [AF_INET]my-windows10-local-ip:50479
Sun May 14 21:24:33 2017 Initialization Sequence Completed
Output of the command "iptables-save":
# Generated by iptables-save v1.4.18 on Sun May 14 23:02:24 2017
*nat
:PREROUTING ACCEPT [122:6630]
:INPUT ACCEPT [7:360]
:OUTPUT ACCEPT [95:6264]
:POSTROUTING ACCEPT [95:6264]
-A POSTROUTING -s 0.0.0.0/2 -o eth0 -j MASQUERADE
-A POSTROUTING -s 0.0.0.0/2 -o eth0 -j MASQUERADE
-A POSTROUTING -s 0.0.0.0/2 -o eth0 -j MASQUERADE
-A POSTROUTING -s 0.0.0.0/2 -o eth0 -j MASQUERADE
-A POSTROUTING -s 0.0.0.0/2 -o eth0 -j MASQUERADE
-A POSTROUTING -s 0.0.0.0/2 -o eth0 -j MASQUERADE
-A POSTROUTING -s 0.0.0.0/2 -o eth0 -j MASQUERADE
-A POSTROUTING -s 0.0.0.0/2 -o eth0 -j MASQUERADE
-A POSTROUTING -s 0.0.0.0/2 -o eth0 -j MASQUERADE
-A POSTROUTING -s 0.0.0.0/2 -o eth0 -j MASQUERADE
-A POSTROUTING -s 0.0.0.0/2 -o eth0 -j MASQUERADE
-A POSTROUTING -s 0.0.0.0/2 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun May 14 23:02:24 2017
# Generated by iptables-save v1.4.18 on Sun May 14 23:02:24 2017
*filter
:INPUT ACCEPT [634:91381]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [639:54866]
COMMIT
# Completed on Sun May 14 23:02:24 2017
Output of "sysctl -a | grep forward":
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.tun1.forwarding = 0
net.ipv4.conf.tun1.mc_forwarding = 0
net.ipv4.ip_forward = 0
net.ipv4.ip_forward_use_pmtu = 0
error: "Input/output error" reading key "net.ipv6.conf.all.stable_secret"
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.mc_forwarding = 0
error: "Input/output error" reading key "net.ipv6.conf.default.stable_secret"
error: "Input/output error" reading key "net.ipv6.conf.eth0.stable_secret"
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth0.mc_forwarding = 0
error: "Input/output error" reading key "net.ipv6.conf.lo.stable_secret"
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.tun1.forwarding = 0
net.ipv6.conf.tun1.mc_forwarding = 0
I hope I can find a solution with your help.
I do not see any problem with the OpenVPN configuration, so I think the problem is in the iptables configuration. It may not have been saved after deployment, and now your NAT section is empty, which is why you cannot reach any website.
Update: the problem was that forwarding was disabled. The line net.ipv4.ip_forward=1 needs to be added to /etc/sysctl.conf so that the forwarding setting persists across reboots.
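As an added example (not part of the question or the answer above), the following POSIX shell script audits the two things that decide whether a point-to-point OpenVPN server can route client traffic to the Internet after a reboot: the net.ipv4.ip_forward sysctl and the MASQUERADE rule in the nat POSTROUTING chain. It works on captured text rather than the live system, so the constructed samples below are the question's own diagnostics in shortened form (forwarding at 0, the MASQUERADE rule repeated, and a 0.0.0.0/2 source mask). The tunnel subnet 10.4.0.0/30 is assumed from the ifconfig 10.4.0.1 10.4.0.2 pair; the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit forwarding and NAT state for an OpenVPN gateway.
# Runs against captured output so it can be used offline; live use:
#   audit_vpn_nat "$(sysctl -a 2>/dev/null)" "$(iptables-save)" 10.4.0.0/30

# Constructed sample: forwarding sysctls as in the question (all 0).
SAMPLE_SYSCTL='net.ipv4.conf.all.forwarding = 0
net.ipv4.ip_forward = 0
net.ipv4.ip_forward_use_pmtu = 0
net.ipv4.conf.tun1.forwarding = 0'

# Constructed sample: the nat table from the question, shortened to two
# copies of the duplicated rule (a boot script re-adding it is the likely cause).
SAMPLE_IPTABLES='*nat
:PREROUTING ACCEPT [122:6630]
:POSTROUTING ACCEPT [95:6264]
-A POSTROUTING -s 0.0.0.0/2 -o eth0 -j MASQUERADE
-A POSTROUTING -s 0.0.0.0/2 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'

# Print the value (0 or 1) of net.ipv4.ip_forward from "sysctl -a" output.
# The anchored pattern does not match net.ipv4.ip_forward_use_pmtu.
ip_forward_state() {
    printf '%s\n' "$1" | sed -n 's/^net\.ipv4\.ip_forward = \([01]\)$/\1/p'
}

# Count MASQUERADE rules in nat POSTROUTING ("|| true" keeps grep's
# exit status 1 on zero matches from aborting under set -e).
masquerade_count() {
    printf '%s\n' "$1" | grep -c -e '^-A POSTROUTING .*-j MASQUERADE' || true
}

# Count MASQUERADE rules whose source is restricted to the tunnel subnet $2.
masquerade_for_subnet() {
    printf '%s\n' "$1" | grep -c -e "^-A POSTROUTING -s $2 -o eth0 -j MASQUERADE" || true
}

# Print findings; return 0 when forwarding is on and exactly one
# subnet-scoped MASQUERADE rule exists, non-zero otherwise.
audit_vpn_nat() {
    sysctl_out=$1; ipt_out=$2; subnet=$3; rc=0
    if [ "$(ip_forward_state "$sysctl_out")" != "1" ]; then
        echo "FINDING: net.ipv4.ip_forward is not 1; add net.ipv4.ip_forward=1 to /etc/sysctl.conf and run sysctl -p"
        rc=1
    fi
    n=$(masquerade_count "$ipt_out")
    if [ "$n" -eq 0 ]; then
        echo "FINDING: no MASQUERADE rule in nat POSTROUTING; tunnel traffic cannot reach the Internet"
        rc=1
    elif [ "$n" -gt 1 ]; then
        echo "FINDING: $n duplicate MASQUERADE rules; a startup script is probably re-adding the rule on every boot"
        rc=1
    fi
    if [ "$(masquerade_for_subnet "$ipt_out" "$subnet")" -eq 0 ]; then
        echo "FINDING: MASQUERADE source is not limited to $subnet; NAT only the tunnel network, not a broad mask"
        rc=1
    fi
    return $rc
}

# Demo run on the constructed samples: prints three findings.
audit_vpn_nat "$SAMPLE_SYSCTL" "$SAMPLE_IPTABLES" 10.4.0.0/30 || echo "audit: problems found"
```

The source-restriction check is the least-privilege point: 0.0.0.0/2 does contain 10.4.0.0/30, so the question's rule works, but it also masquerades anything else that happens to be forwarded through eth0, whereas a rule scoped to the tunnel subnet only NATs VPN traffic.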