I have a server running OpenVPN (93.xxx.xxx.xxx is its public IP). Various Android and Windows clients can connect through it to the Internet, but the OpenVPN client on my Windows 10 PC behaves strangely:
```
Sun Nov 08 10:50:38 2015 NOTE: --user option is not implemented on Windows
Sun Nov 08 10:50:38 2015 NOTE: --group option is not implemented on Windows
Sun Nov 08 10:50:38 2015 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 4 2015
Sun Nov 08 10:50:38 2015 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
Sun Nov 08 10:50:38 2015 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342
Sun Nov 08 10:50:38 2015 Need hold release from management interface, waiting...
Sun Nov 08 10:50:39 2015 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25342
Sun Nov 08 10:50:39 2015 MANAGEMENT: CMD 'state on'
Sun Nov 08 10:50:39 2015 MANAGEMENT: CMD 'log all on'
Sun Nov 08 10:50:39 2015 MANAGEMENT: CMD 'hold off'
Sun Nov 08 10:50:39 2015 MANAGEMENT: CMD 'hold release'
Sun Nov 08 10:50:43 2015 MANAGEMENT: CMD 'username "Auth" "qwerty"'
Sun Nov 08 10:50:43 2015 MANAGEMENT: CMD 'password [...]'
Sun Nov 08 10:50:43 2015 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Nov 08 10:50:43 2015 UDPv4 link local: [undef]
Sun Nov 08 10:50:43 2015 UDPv4 link remote: [AF_INET]93.xxx.xxx.xxx:50005
Sun Nov 08 10:50:43 2015 MANAGEMENT: >STATE:1446979843,WAIT,,,
Sun Nov 08 10:50:43 2015 MANAGEMENT: >STATE:1446979843,AUTH,,,
Sun Nov 08 10:50:43 2015 TLS: Initial packet from [AF_INET]93.xxx.xxx.xxx:50005, sid=48bd669d fdf76b86
Sun Nov 08 10:50:43 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Nov 08 10:50:43 2015 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=server, [email protected]
Sun Nov 08 10:50:43 2015 Validating certificate key usage
Sun Nov 08 10:50:43 2015 ++ Certificate has key usage 00a0, expects 00a0
Sun Nov 08 10:50:43 2015 VERIFY KU OK
Sun Nov 08 10:50:43 2015 Validating certificate extended key usage
Sun Nov 08 10:50:43 2015 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Nov 08 10:50:43 2015 VERIFY EKU OK
Sun Nov 08 10:50:43 2015 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=server, name=server, [email protected]
Sun Nov 08 10:50:43 2015 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Nov 08 10:50:43 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Nov 08 10:50:43 2015 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Nov 08 10:50:43 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Nov 08 10:50:43 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Nov 08 10:50:43 2015 [server] Peer Connection Initiated with [AF_INET]93.xxx.xxx.xxx:50005
Sun Nov 08 10:50:44 2015 MANAGEMENT: >STATE:1446979844,GET_CONFIG,,,
Sun Nov 08 10:50:45 2015 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Nov 08 10:50:45 2015 PUSH: Received control message: 'PUSH_REPLY,route 172.16.101.0 255.0.0.0,redirect-gateway def1 bypass-dhcp,route 172.16.101.0 255.255.255.0,topology net30,ping 3,ping-restart 10,ifconfig 172.16.101.6 172.16.101.5'
Sun Nov 08 10:50:45 2015 OPTIONS IMPORT: timers and/or timeouts modified
Sun Nov 08 10:50:45 2015 OPTIONS IMPORT: --ifconfig/up options modified
Sun Nov 08 10:50:45 2015 OPTIONS IMPORT: route options modified
Sun Nov 08 10:50:45 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Nov 08 10:50:45 2015 MANAGEMENT: >STATE:1446979845,ASSIGN_IP,,172.16.101.6,
Sun Nov 08 10:50:45 2015 open_tun, tt->ipv6=0
Sun Nov 08 10:50:45 2015 TAP-WIN32 device [Ethernet 6] opened: \\.\Global\{B3106E59-6B92-4B4D-8A96-B9476295FF36}.tap
Sun Nov 08 10:50:45 2015 TAP-Windows Driver Version 9.9
Sun Nov 08 10:50:45 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.16.101.6/255.255.255.252 on interface {B3106E59-6B92-4B4D-8A96-B9476295FF36} [DHCP-serv: 172.16.101.5, lease-time: 31536000]
Sun Nov 08 10:50:45 2015 Successful ARP Flush on interface [79] {B3106E59-6B92-4B4D-8A96-B9476295FF36}
Sun Nov 08 10:50:50 2015 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
Sun Nov 08 10:50:50 2015 C:\WINDOWS\system32\route.exe ADD 93.xxx.xxx.xxx MASK 255.255.255.255 192.168.10.1
Sun Nov 08 10:50:50 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Sun Nov 08 10:50:50 2015 Route addition via IPAPI succeeded [adaptive]
Sun Nov 08 10:50:50 2015 C:\WINDOWS\system32\route.exe ADD 192.168.10.1 MASK 255.255.255.255 192.168.10.1 IF 24
Sun Nov 08 10:50:50 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Sun Nov 08 10:50:50 2015 Route addition via IPAPI succeeded [adaptive]
Sun Nov 08 10:50:50 2015 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 172.16.101.5
Sun Nov 08 10:50:50 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sun Nov 08 10:50:50 2015 Route addition via IPAPI succeeded [adaptive]
Sun Nov 08 10:50:50 2015 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 172.16.101.5
Sun Nov 08 10:50:50 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sun Nov 08 10:50:50 2015 Route addition via IPAPI succeeded [adaptive]
Sun Nov 08 10:50:50 2015 MANAGEMENT: >STATE:1446979850,ADD_ROUTES,,,
Sun Nov 08 10:50:50 2015 C:\WINDOWS\system32\route.exe ADD 172.16.101.0 MASK 255.0.0.0 172.16.101.5
Sun Nov 08 10:50:50 2015 Warning: address 172.16.101.0 is not a network address in relation to netmask 255.0.0.0
Sun Nov 08 10:50:50 2015 ROUTE: route addition failed using CreateIpForwardEntry: The parameter is incorrect.   [status=87 if_index=79]
Sun Nov 08 10:50:50 2015 Route addition via IPAPI failed [adaptive]
Sun Nov 08 10:50:50 2015 Route addition fallback to route.exe
Sun Nov 08 10:50:50 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sun Nov 08 10:50:50 2015 C:\WINDOWS\system32\route.exe ADD 172.16.101.0 MASK 255.255.255.0 172.16.101.5
Sun Nov 08 10:50:50 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sun Nov 08 10:50:50 2015 Route addition via IPAPI succeeded [adaptive]
Sun Nov 08 10:50:50 2015 Initialization Sequence Completed
Sun Nov 08 10:50:50 2015 MANAGEMENT: >STATE:1446979850,CONNECTED,SUCCESS,172.16.101.6,93.xxx.xxx.xxx
```
SSH does not seem to work either, and the same goes for FTP:
```
Status: Connection established, waiting for welcome message...
Status: Insecure server, it does not support FTP over TLS.
Status: Connected
Status: Retrieving directory listing...
*Nothing happens*
```
Things like online games (UDP?) work fine.
Also note:
iptables on the server (there is only one):
```
[email protected]:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.16.101.0/24      anywhere
```
```
[email protected]:~# cat /proc/sys/net/ipv4/ip_forward
1
```
Client routes (connected to the VPN):
```
>cmd /k route print
===========================================================================
Interface List
 24...10 c3 7b 96 51 7c ......Realtek PCIe GBE Family Controller
 79...00 ff b3 10 6e 59 ......TAP-Windows Adapter V9 #2
  1...........................Software Loopback Interface 1
 47...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 45...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
 52...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1   192.168.10.116     20
          0.0.0.0        128.0.0.0     172.16.101.9    172.16.101.10     30
   93.xxx.xxx.xxx  255.255.255.255     192.168.10.1   192.168.10.116     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        128.0.0.0        128.0.0.0     172.16.101.9    172.16.101.10     30
     172.16.101.0    255.255.255.0     172.16.101.9    172.16.101.10     30
     172.16.101.8  255.255.255.252         On-link     172.16.101.10    286
    172.16.101.10  255.255.255.255         On-link     172.16.101.10    286
    172.16.101.11  255.255.255.255         On-link     172.16.101.10    286
     192.168.10.0    255.255.255.0         On-link    192.168.10.116    276
     192.168.10.1  255.255.255.255     192.168.10.1   192.168.10.116     20
   192.168.10.116  255.255.255.255         On-link    192.168.10.116    276
   192.168.10.255  255.255.255.255         On-link    192.168.10.116    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link    192.168.10.116    276
        224.0.0.0        240.0.0.0         On-link     172.16.101.10    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link    192.168.10.116    276
  255.255.255.255  255.255.255.255         On-link     172.16.101.10    286
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 24    276 fe80::/64                On-link
 79    286 fe80::/64                On-link
 24    276 fe80::5990:eaa3:40fd:4a6d/128
                                    On-link
 79    286 fe80::8dce:5ebc:c720:2d68/128
                                    On-link
  1    306 ff00::/8                 On-link
 24    276 ff00::/8                 On-link
 79    286 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
```
Client routes (disconnected from the VPN):
```
>cmd /k route print
===========================================================================
Interface List
 24...10 c3 7b 96 51 7c ......Realtek PCIe GBE Family Controller
 79...00 ff b3 10 6e 59 ......TAP-Windows Adapter V9 #2
  1...........................Software Loopback Interface 1
 45...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
 52...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1   192.168.10.116     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     192.168.10.0    255.255.255.0         On-link    192.168.10.116    276
   192.168.10.116  255.255.255.255         On-link    192.168.10.116    276
   192.168.10.255  255.255.255.255         On-link    192.168.10.116    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link    192.168.10.116    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link    192.168.10.116    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 45    306 ::/0                     On-link
  1    306 ::1/128                  On-link
 45    306 2001::/32                On-link
 45    306 2001:0:9d38:6abd:107a:364f:9711:5573/128
                                    On-link
 24    276 fe80::/64                On-link
 45    306 fe80::/64                On-link
 45    306 fe80::107a:364f:9711:5573/128
                                    On-link
 24    276 fe80::5990:eaa3:40fd:4a6d/128
                                    On-link
  1    306 ff00::/8                 On-link
 24    276 ff00::/8                 On-link
 45    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
```
Client configuration:
```
client
dev tun
proto udp
remote 93.xxx.xxx.xxx 50005
resolv-retry infinite
user nobody
group nobody
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
auth-user-pass
cipher AES-128-CBC
auth SHA1
remote-cert-tls server
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
```
Server configuration:
```
port 50005
proto udp
dev tun
server 172.16.101.0 255.255.255.0
duplicate-cn
client-to-client
cipher AES-128-CBC
auth SHA1
comp-lzo
username-as-common-name
client-cert-not-required
auth-user-pass-verify /etc/openvpn/script/login.sh via-env
comp-lzo
user nobody
;group nogroup
username-as-common-name
client-cert-not-required
auth-user-pass-verify /etc/openvpn/script/login.sh via-env
keepalive 3 10
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "route 172.16.101.0 255.0.0.0"
push "redirect-gateway def1 bypass-dhcp"
script-security 3 system
client-connect /etc/openvpn/script/connect.sh
client-disconnect /etc/openvpn/script/disconnect.sh
persist-key
persist-tun
status openvpn-status.log
verb 5
management localhost 7555
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
<dh>
...
</dh>
```
Any suggestions would be greatly appreciated. Thanks.
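The client log above contains one directive the server pushed that Windows could not install (`route 172.16.101.0 255.0.0.0`, rejected with "is not a network address in relation to netmask"), and a `redirect-gateway def1` that became the two half-default routes visible in `route print`. The following script, an added example that is not part of the question or the OpenVPN project, parses a PUSH_REPLY line and applies the same network-address check OpenVPN does before handing the route to `route.exe`, so a server operator can audit their `push "route ..."` lines before clients hit the error. The PUSH_REPLY string is copied from the log; the function names and the `DEF1_ROUTES` constant are the example's own, and the route list follows directive order rather than the order in which OpenVPN installs them.

```python
"""Audit the routes an OpenVPN server pushes before they reach route.exe."""
import ipaddress

# PUSH_REPLY copied from the client log; the server built it from its
# push "..." directives plus the routes implied by "server" and "topology".
PUSH_REPLY = ("PUSH_REPLY,route 172.16.101.0 255.0.0.0,redirect-gateway def1 bypass-dhcp,"
              "route 172.16.101.0 255.255.255.0,topology net30,ping 3,ping-restart 10,"
              "ifconfig 172.16.101.6 172.16.101.5")

# The two half-default routes that "redirect-gateway def1" installs instead of
# overwriting 0.0.0.0/0; they beat the LAN default route on prefix length.
DEF1_ROUTES = (("0.0.0.0", "128.0.0.0"), ("128.0.0.0", "128.0.0.0"))


def parse_push_reply(line):
    """Split a PUSH_REPLY control message into its option strings."""
    if not line.startswith("PUSH_REPLY,"):
        raise ValueError("not a PUSH_REPLY message")
    return [opt.strip() for opt in line[len("PUSH_REPLY,"):].split(",") if opt.strip()]


def check_route(network, netmask):
    """Return None if network/netmask is a valid route, else a message in the
    spirit of OpenVPN's warning: host bits are set under that mask."""
    net = int(ipaddress.IPv4Address(network))
    mask = int(ipaddress.IPv4Address(netmask))
    # A usable mask is a run of 1 bits followed by a run of 0 bits.
    inverted = (~mask) & 0xFFFFFFFF
    if inverted & (inverted + 1):
        return f"netmask {netmask} is not contiguous"
    if net & mask != net:
        fixed = str(ipaddress.IPv4Address(net & mask))
        return (f"address {network} is not a network address in relation to "
                f"netmask {netmask} (did you mean {fixed} {netmask}?)")
    return None


def audit_push_reply(line):
    """Return (routes, problems): routes is the list of (network, netmask)
    pairs the client would try to install, problems the directives that
    fail the network-address check, each with the reason."""
    routes, problems = [], []
    for opt in parse_push_reply(line):
        words = opt.split()
        if words[0] == "route" and len(words) >= 3:
            err = check_route(words[1], words[2])
            if err:
                problems.append(f"{opt!r}: {err}")
            else:
                routes.append((words[1], words[2]))
        elif words[0] == "redirect-gateway" and "def1" in words[1:]:
            routes.extend(DEF1_ROUTES)
    return routes, problems


if __name__ == "__main__":
    routes, problems = audit_push_reply(PUSH_REPLY)
    for network, netmask in routes:
        print(f"would add: route {network} {netmask}")
    for problem in problems:
        print(f"would fail: {problem}")
```

Run against the log's PUSH_REPLY it reports the 255.0.0.0 route as the one that would fail and suggests `172.0.0.0 255.0.0.0`, which is what OpenVPN's own warning implies. Pointing it at each `push "route ..."` line of a server config, or at `PUSH_REPLY` lines grepped from client logs, catches the same mistake on the server before a client ever logs it.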
Set the client's MTU a little lower. Use ping with -l to set the payload size and find the right size to set. https://www.sonassi.com/help/magestack/setting-correct-mtu-for-openvpn
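The answer's procedure, probing with Don't-Fragment pings of increasing payload size until the path stops accepting them, is easy to get wrong by hand. The script below, an added example and not code from the answer or from the linked article, automates it: it binary-searches the largest ICMP payload that passes with DF set, using `ping -f -l` on Windows and `ping -M do -s` on Linux, and converts the result into the path MTU (payload plus the 28 bytes of IPv4 and ICMP headers that `ping -l`/`-s` do not count). The target, the exit-code and output checks for `ping`, and the `mssfix` arithmetic (path MTU minus the outer IPv4+UDP headers, a conservative starting value rather than an exact OpenVPN formula) are all assumptions of the example; the search function takes the probe as a parameter so it can be exercised without sending packets.

```python
"""Discover the path MTU toward the VPN server with DF pings and derive
an OpenVPN MTU setting from it (example code, not from the answer)."""
import platform
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header, not counted by ping -l/-s
IP_UDP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte UDP header around OpenVPN's datagram
MAX_ETHERNET_PAYLOAD = 1500 - IP_ICMP_OVERHEAD  # 1472: biggest payload on a plain 1500 MTU


def ping_df_ok(host, payload, timeout=2):
    """Send one ICMP echo of `payload` bytes with Don't-Fragment set.
    True if a reply came back, False if the path rejected that size.
    Assumption: Windows ping prints 'Packet needs to be fragmented but DF set.'
    and counts the probe as lost; iputils ping prints 'message too long'."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload), "-w", str(timeout * 1000), host]
    else:  # iputils ping on Linux (macOS would need -D instead of -M do)
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload), "-W", str(timeout), host]
    out = subprocess.run(cmd, capture_output=True, text=True)
    text = (out.stdout + out.stderr).lower()
    return out.returncode == 0 and "fragment" not in text and "too long" not in text


def largest_payload(probe, lo=0, hi=MAX_ETHERNET_PAYLOAD):
    """Binary search for the largest size in [lo, hi] for which probe(size)
    is True. Assumes sizes pass up to some threshold and fail above it;
    probe(lo) is taken as passing, so lo is returned if nothing larger does."""
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid passed: the answer is mid or larger
        else:
            hi = mid - 1      # mid failed: the answer is below mid
    return lo


def suggest_openvpn_mtu(payload):
    """Turn the largest passing payload into the path MTU and a conservative
    mssfix value (assumption: path MTU minus the outer IPv4+UDP headers)."""
    path_mtu = payload + IP_ICMP_OVERHEAD
    return {"path_mtu": path_mtu, "mssfix": path_mtu - IP_UDP_OVERHEAD}


if __name__ == "__main__":
    import sys
    # Probe the VPN server's public address from outside the tunnel, since it is
    # the outer UDP datagram that must fit the path.
    target = sys.argv[1] if len(sys.argv) > 1 else "93.xxx.xxx.xxx"
    best = largest_payload(lambda size: ping_df_ok(target, size))
    print(f"largest DF payload to {target}: {best} bytes -> {suggest_openvpn_mtu(best)}")
```

Run it as `python mtu_probe.py 93.xxx.xxx.xxx` from the client. A path that passes 1472 has a clean 1500-byte MTU and the tunnel problem lies elsewhere; a smaller result is the number to feed into the client's `mssfix` (or `tun-mtu`) and re-test SSH and FTP through the tunnel. The search takes about eleven probes instead of the dozens a manual walk needs.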