Client connects to the OpenVPN server successfully, but has no internet access over the VPN

I am trying to set up OpenVPN on TCP port 443 using static-key authentication (instead of TLS); but after connecting to the server, the client cannot reach the internet through the VPN.

Here is my current setup:

Server

This is a Debian VPS running under OpenVZ with TUN/TAP enabled.
Here is the configuration file:

  dev tun
  proto tcp-server
  port 443
  ifconfig 10.8.0.1 10.8.0.2
  secret /etc/openvpn/static.key
  push "redirect-gateway def1 bypass-dhcp"
  push "dhcp-option DNS 8.8.8.8"
  push "dhcp-option DNS 8.8.4.4"

And here is the iptables script I applied:

  #!/bin/bash
  # A Sample OpenVPN-aware firewall.
  # vetnet0 is connected to the internet.
  # eth1 is connected to a private subnet.

  # Change this subnet to correspond to your private
  # ethernet subnet. Home will use HOME_NET/24 and
  # Office will use OFFICE_NET/24.
  PRIVATE=10.0.0.0/24

  # Loopback address
  LOOP=127.0.0.1

  # Delete old iptables rules
  # and temporarily block all traffic.
  iptables -P OUTPUT DROP
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -F

  # Set default policies
  iptables -P OUTPUT ACCEPT
  iptables -P INPUT DROP
  iptables -P FORWARD DROP

  # Prevent external packets from using loopback addr
  iptables -A INPUT -i vetnet0 -s $LOOP -j DROP
  iptables -A FORWARD -i vetnet0 -s $LOOP -j DROP
  iptables -A INPUT -i vetnet0 -d $LOOP -j DROP
  iptables -A FORWARD -i vetnet0 -d $LOOP -j DROP

  # Anything coming from the Internet should have a real Internet address
  iptables -A FORWARD -i vetnet0 -s 192.168.0.0/16 -j DROP
  iptables -A FORWARD -i vetnet0 -s 172.16.0.0/12 -j DROP
  iptables -A FORWARD -i vetnet0 -s 10.0.0.0/8 -j DROP
  iptables -A INPUT -i vetnet0 -s 192.168.0.0/16 -j DROP
  iptables -A INPUT -i vetnet0 -s 172.16.0.0/12 -j DROP
  iptables -A INPUT -i vetnet0 -s 10.0.0.0/8 -j DROP

  # Block outgoing NetBios (if you have windows machines running
  # on the private subnet). This will not affect any NetBios
  # traffic that flows over the VPN tunnel, but it will stop
  # local windows machines from broadcasting themselves to
  # the internet.
  iptables -A FORWARD -p tcp --sport 137:139 -o vetnet0 -j DROP
  iptables -A FORWARD -p udp --sport 137:139 -o vetnet0 -j DROP
  iptables -A OUTPUT -p tcp --sport 137:139 -o vetnet0 -j DROP
  iptables -A OUTPUT -p udp --sport 137:139 -o vetnet0 -j DROP

  # Check source address validity on packets going out to internet
  # (modern iptables syntax is "! -s"; the older "-s !" form is deprecated)
  iptables -A FORWARD ! -s $PRIVATE -i eth1 -j DROP

  # Allow local loopback
  iptables -A INPUT -s $LOOP -j ACCEPT
  iptables -A INPUT -d $LOOP -j ACCEPT

  # Allow incoming pings (can be disabled)
  iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

  # Allow services such as www and ssh (can be disabled)
  iptables -A INPUT -p tcp --dport http -j ACCEPT
  iptables -A INPUT -p tcp --dport ssh -j ACCEPT

  # Allow incoming OpenVPN packets
  # Duplicate the line below for each
  # OpenVPN tunnel, changing --dport n
  # to match the OpenVPN UDP port.
  #
  # In OpenVPN, the port number is
  # controlled by the --port n option.
  # If you put this option in the config
  # file, you can remove the leading '--'
  #
  # If you are taking the stateful firewall
  # approach (see the OpenVPN HOWTO),
  # then comment out the line below.
  iptables -A INPUT -p udp --dport 1194 -j ACCEPT
  iptables -A INPUT -p tcp --dport 443 -j ACCEPT

  # Allow packets from TUN/TAP devices.
  # When OpenVPN is run in a secure mode,
  # it will authenticate packets prior
  # to their arriving on a tun or tap
  # interface. Therefore, it is not
  # necessary to add any filters here,
  # unless you want to restrict the
  # type of packets which can flow over
  # the tunnel.
  iptables -A INPUT -i tun+ -j ACCEPT
  iptables -A FORWARD -i tun+ -j ACCEPT
  iptables -A INPUT -i tap+ -j ACCEPT
  iptables -A FORWARD -i tap+ -j ACCEPT

  # Allow packets from private subnets
  iptables -A INPUT -i eth1 -j ACCEPT
  iptables -A FORWARD -i eth1 -j ACCEPT

  # Keep state of connections from local machine and private subnets
  iptables -A OUTPUT -m state --state NEW -o vetnet0 -j ACCEPT
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -m state --state NEW -o vetnet0 -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # SNAT
  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o vetnet0 -j SNAT --to-source <ip>

  # Masquerade local subnet
  #iptables -t nat -A POSTROUTING -s $PRIVATE -o vetnet0 -j MASQUERADE

Output of iptables -L -v -n

  Chain INPUT (policy DROP 1 packets, 60 bytes)
   pkts bytes target     prot opt in      out     source               destination
      0     0 DROP       all  --  vetnet0 *       127.0.0.1            0.0.0.0/0
      0     0 DROP       all  --  vetnet0 *       0.0.0.0/0            127.0.0.1
      0     0 DROP       all  --  vetnet0 *       192.168.0.0/16       0.0.0.0/0
      0     0 DROP       all  --  vetnet0 *       172.16.0.0/12        0.0.0.0/0
      0     0 DROP       all  --  vetnet0 *       10.0.0.0/8           0.0.0.0/0
    486 1016K ACCEPT     all  --  *       *       127.0.0.1            0.0.0.0/0
      0     0 ACCEPT     all  --  *       *       0.0.0.0/0            127.0.0.1
      4   240 ACCEPT     icmp --  *       *       0.0.0.0/0            0.0.0.0/0            icmp type 8
    691 78432 ACCEPT     tcp  --  *       *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
   1705  152K ACCEPT     tcp  --  *       *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
      0     0 ACCEPT     udp  --  *       *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
    102  8054 ACCEPT     tcp  --  *       *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
      9   756 ACCEPT     all  --  tun+    *       0.0.0.0/0            0.0.0.0/0
      0     0 ACCEPT     all  --  tap+    *       0.0.0.0/0            0.0.0.0/0
      0     0 ACCEPT     all  --  eth1    *       0.0.0.0/0            0.0.0.0/0
     40  5988 ACCEPT     all  --  *       *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

  Chain FORWARD (policy DROP 0 packets, 0 bytes)
   pkts bytes target     prot opt in      out     source               destination
      0     0 DROP       all  --  vetnet0 *       127.0.0.1            0.0.0.0/0
      0     0 DROP       all  --  vetnet0 *       0.0.0.0/0            127.0.0.1
      0     0 DROP       all  --  vetnet0 *       192.168.0.0/16       0.0.0.0/0
      0     0 DROP       all  --  vetnet0 *       172.16.0.0/12        0.0.0.0/0
      0     0 DROP       all  --  vetnet0 *       10.0.0.0/8           0.0.0.0/0
      0     0 DROP       tcp  --  *       vetnet0 0.0.0.0/0            0.0.0.0/0            tcp spts:137:139
      0     0 DROP       udp  --  *       vetnet0 0.0.0.0/0            0.0.0.0/0            udp spts:137:139
      0     0 DROP       all  --  eth1    *      !10.0.0.0/24          0.0.0.0/0
      0     0 ACCEPT     all  --  tun+    *       0.0.0.0/0            0.0.0.0/0
      0     0 ACCEPT     all  --  tap+    *       0.0.0.0/0            0.0.0.0/0
      0     0 ACCEPT     all  --  eth1    *       0.0.0.0/0            0.0.0.0/0
      0     0 ACCEPT     all  --  *       vetnet0 0.0.0.0/0            0.0.0.0/0            state NEW
      0     0 ACCEPT     all  --  *       *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

  Chain OUTPUT (policy ACCEPT 3046 packets, 2269K bytes)
   pkts bytes target     prot opt in      out     source               destination
      0     0 DROP       tcp  --  *       vetnet0 0.0.0.0/0            0.0.0.0/0            tcp spts:137:139
      0     0 DROP       udp  --  *       vetnet0 0.0.0.0/0            0.0.0.0/0            udp spts:137:139
      0     0 ACCEPT     all  --  *       vetnet0 0.0.0.0/0            0.0.0.0/0            state NEW

Output of ifconfig

  lo        Link encap:Local Loopback
            inet addr:127.0.0.1  Mask:255.0.0.0
            inet6 addr: ::1/128 Scope:Host
            UP LOOPBACK RUNNING  MTU:16436  Metric:1
            RX packets:12007 errors:0 dropped:0 overruns:0 frame:0
            TX packets:12007 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:0
            RX bytes:21446320 (20.4 MiB)  TX bytes:21446320 (20.4 MiB)

  tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
            inet addr:10.8.0.1  PtP:10.8.0.2  Mask:255.255.255.255
            UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
            RX packets:0 errors:0 dropped:0 overruns:0 frame:0
            TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:100
            RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

  venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
            inet addr:127.0.0.2  PtP:127.0.0.2  Bcast:0.0.0.0  Mask:255.255.255.255
            UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
            RX packets:25189 errors:0 dropped:0 overruns:0 frame:0
            TX packets:27831 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:0
            RX bytes:2689401 (2.5 MiB)  TX bytes:18616342 (17.7 MiB)

  venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
            inet addr:<ip>  PtP:<ip>  Bcast:0.0.0.0  Mask:255.255.255.255
            UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

Output of netstat -rn

  Kernel IP routing table
  Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
  10.8.0.2        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
  0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 venet0

Client

The client is a Windows 8.1 machine running OpenVPN 2.3.
Here is the configuration file:

  remote <server_ip> 443
  dev tun
  proto tcp-client
  ifconfig 10.8.0.2 10.8.0.1
  secret "C:\\Program Files\\OpenVPN\\config\\static.key"
  verb 6

When the client connects, a connection for OpenVPN is created on Windows, but there is no internet access (I have also made sure it is at the top of the connection list).
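As an added example (not part of the question), a small POSIX shell check that compares the interface names referenced by an iptables rule set against the interfaces the host actually has. The sample rules and interface list are constructed to mirror the question, where the firewall script and the iptables -L output name vetnet0 while ifconfig lists venet0; the rule snippet and the 203.0.113.10 address are assumed sample values.

```shell
#!/bin/sh
# Added example: flag iptables rules whose -i/-o interface does not exist
# on the host, so a mistyped interface name cannot silently leave the NAT
# and forwarding rules matching nothing. All inputs below are constructed.

# Constructed subset of the firewall rules from the question.
RULES='iptables -A INPUT -i vetnet0 -s 127.0.0.1 -j DROP
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -m state --state NEW -o vetnet0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o vetnet0 -j SNAT --to-source 203.0.113.10'

# Constructed interface list, as ifconfig reported it in the question.
IFACES='lo
tun0
venet0'

# Print every interface name used with -i or -o, one per line, deduplicated.
rule_ifaces() {
  printf '%s\n' "$1" | grep -oE -- '-[io] [A-Za-z0-9_.+-]+' | cut -d' ' -f2 | sort -u
}

# Return 0 when every referenced interface exists. A trailing '+' is an
# iptables wildcard and matches any interface name with that prefix.
check_ifaces() {
  rules=$1; ifaces=$2; rc=0
  for name in $(rule_ifaces "$rules"); do
    case $name in
      *+) pat="^${name%+}" ;;
      *)  pat="^$name\$" ;;
    esac
    if ! printf '%s\n' "$ifaces" | grep -q -- "$pat"; then
      echo "rule references interface '$name', which does not exist" >&2
      rc=1
    fi
  done
  return $rc
}

# On a live host, pass the real script and interface list instead of the samples:
#   check_ifaces "$(cat /etc/openvpn/firewall.sh)" "$(ls /sys/class/net)"
check_ifaces "$RULES" "$IFACES" && echo "all interfaces in the rule set exist"
```

With the constructed input the check reports vetnet0 as missing; after renaming it to venet0 in the rules it passes, while the tun+ wildcard is accepted because tun0 exists.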