我已经在这个好几天了,并尝试了所有可以在网上search的东西,但似乎没有任何工作。
客户端可以连接并接收来自VPN服务器的ping响应,并且在日志中看不到任何错误。 只是客户没有互联网连接。
每当我注释掉在server.conf上push "redirect-gateway def1 bypass-dhcp" ,事情就会push "redirect-gateway def1 bypass-dhcp"但互联网不会被过滤掉。 如果启用,网站将连接,但将无法检索内容。
在客户端: $ wget google.com
--2016-10-30 13:39:44-- http://google.com/ Resolving google.com (google.com)... 216.58.217.174 Connecting to google.com (google.com)|216.58.217.174|:80... connected. HTTP request sent, awaiting response... 301 Moved Permanently Location: http://www.google.com/ [following] --2016-10-30 13:39:44-- http://www.google.com/ Resolving www.google.com (www.google.com)... 216.58.217.164 Connecting to www.google.com (www.google.com)|216.58.217.164|:80... connected. HTTP request sent, awaiting response...
…留在那里,直到超时。
这是我的confs和settings:
系统:
Ubuntu 16.04.1 on EC2, OpenVPN 2.3.10 x86_64
AWS EC2设置:
Security Group: Allow Inbound: ports 22/tcp and 1194/udp Allow Outbound: all Source/Destination Check: Disabled # (Is this really necessary?)
服务器:
$ cat /etc/openvpn/server.conf | grep -v '#' | grep -v ';' | tr -s '\n'
port 1194 proto udp dev tun ca ca.crt cert AWS-01.crt dh dh2048.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "route 10.0.0.0 255.255.0.0" push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 208.67.222.222" push "dhcp-option DNS 208.67.220.220" client-to-client keepalive 10 120 key-direction 0 auth SHA256 comp-lzo max-clients 10 user nobody group nogroup persist-key persist-tun status openvpn-status.log verb 3
$ cat /proc/sys/net/ipv4/ip_forward
1
$ sudo cat /etc/ufw/before.rules
... # First entry *nat :POSTROUTING ACCEPT [0:0] -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE COMMIT ...
$ cat /etc/default/ufw | grep -v '#' | tr -s '\n'
IPV6=yes DEFAULT_INPUT_POLICY="DROP" DEFAULT_OUTPUT_POLICY="ACCEPT" DEFAULT_FORWARD_POLICY="ACCEPT" DEFAULT_APPLICATION_POLICY="SKIP" MANAGE_BUILTINS=no IPT_SYSCTL=/etc/ufw/sysctl.conf IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
$ sudo ufw status
Status: active To Action From -- ------ ---- 22 LIMIT Anywhere 1194/udp LIMIT Anywhere 22 (v6) LIMIT Anywhere (v6) 1194/udp (v6) LIMIT Anywhere (v6)
链接:服务器$ sudo iptables -L -v -n
客户:
在Ubuntu 16.10和Android 7.0上testingclient.ovpn 的结果相同。
client dev tun proto udp remote XXX.XXX.public.ip 1194 resolv-retry infinite nobind user nobody group nogroup persist-key persist-tun remote-cert-tls server cipher AES-128-CBC auth SHA256 key-direction 1 comp-lzo verb 3 script-security 2 up /etc/openvpn/update-resolv-conf down /etc/openvpn/update-resolv-conf <ca> -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- </ca> <cert> -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- </cert> <key> -----BEGIN ENCRYPTED PRIVATE KEY----- -----END ENCRYPTED PRIVATE KEY----- </key> <tls-auth> -----BEGIN OpenVPN Static key V1----- -----END OpenVPN Static key V1----- </tls-auth>
任何帮助我失踪? 谢谢!
附加信息:
客户端,预先和发布VPN防火墙规则:
http://pastebin.com/vJRRwzpe,http://pastebin.com/DJ6Wv5q0
客户端路由表$ route -n :
preVPN:
Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.254.254 0.0.0.0 UG 600 0 0 wlp3s0 169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 docker0 172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0 192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0 192.168.254.0 0.0.0.0 255.255.255.0 U 600 0 0 wlp3s0
postVPN:
Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 10.8.0.5 128.0.0.0 UG 0 0 0 tun0 0.0.0.0 192.168.254.254 0.0.0.0 UG 600 0 0 wlp3s0 10.0.0.0 10.8.0.5 255.255.0.0 UG 0 0 0 tun0 10.8.0.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0 10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 52.45.164.133 192.168.254.254 255.255.255.255 UGH 0 0 0 wlp3s0 128.0.0.0 10.8.0.5 128.0.0.0 UG 0 0 0 tun0 169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 docker0 172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0 192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0 192.168.254.0 0.0.0.0 255.255.255.0 U 600 0 0 wlp3s0
由于您可以在google.com获取该网页,该网页会将redirect返回到www.google.com ,因此您的configuration没有任何问题。 这个事实意味着客户端能够打开一个到google.com的TCP连接,并发出一个HTTP请求并接收一个响应。
这是否也发生在其他网站?