I use openvpn to connect to my university's VPN network, with a configuration file supplied by the university:
client
remote 141.52.8.20
port 1194
dev tun
proto udp
auth-user-pass
nobind
comp-lzo no
tls-version-min 1.2
ca /etc/ssl/certs/T-TeleSec_GlobalRoot_Class_2.pem
verify-x509-name "C=DE, ST=Baden-Wuerttemberg, L=Karlsruhe, O=Karlsruhe Institute of Technology, OU=Steinbuch Centre for Computing, CN=ovpn.scc.kit.edu" subject
cipher AES-256-CBC
auth SHA384
verb 3
script-security 2
The output of the connection is:
Mon Apr 2 12:30:11 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]141.52.8.20:1194
Mon Apr 2 12:30:11 2018 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Apr 2 12:30:11 2018 UDP link local: (not bound)
Mon Apr 2 12:30:11 2018 UDP link remote: [AF_INET]141.52.8.20:1194
Mon Apr 2 12:30:11 2018 TLS: Initial packet from [AF_INET]141.52.8.20:1194, sid=9b21388b f279b997
Mon Apr 2 12:30:11 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Apr 2 12:30:11 2018 VERIFY OK: depth=3, C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 2
Mon Apr 2 12:30:11 2018 VERIFY OK: depth=2, C=DE, O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU=DFN-PKI, CN=DFN-Verein Certification Authority 2
Mon Apr 2 12:30:11 2018 VERIFY OK: depth=1, C=DE, ST=Baden-Wuerttemberg, L=Karlsruhe, O=Karlsruhe Institute of Technology, CN=KIT-CA
Mon Apr 2 12:30:11 2018 VERIFY X509NAME OK: C=DE, ST=Baden-Wuerttemberg, L=Karlsruhe, O=Karlsruhe Institute of Technology, OU=Steinbuch Centre for Computing, CN=ovpn.scc.kit.edu
Mon Apr 2 12:30:11 2018 VERIFY OK: depth=0, C=DE, ST=Baden-Wuerttemberg, L=Karlsruhe, O=Karlsruhe Institute of Technology, OU=Steinbuch Centre for Computing, CN=ovpn.scc.kit.edu
Mon Apr 2 12:30:11 2018 Control Channel: TLSv1.2, cipher SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Mon Apr 2 12:30:11 2018 [ovpn.scc.kit.edu] Peer Connection Initiated with [AF_INET]141.52.8.20:1194
Mon Apr 2 12:30:12 2018 SENT CONTROL [ovpn.scc.kit.edu]: 'PUSH_REQUEST' (status=1)
Mon Apr 2 12:30:12 2018 PUSH: Received control message: 'PUSH_REPLY,topology subnet,redirect-gateway def1,route-ipv6 2000::/3,dhcp-option DNS 141.3.175.71,dhcp-option DNS 141.3.175.72,dhcp-option DOMAIN kit.edu,tun-ipv6,route-gateway 141.52.120.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 2a00:1398:8:203::10e8/64 2a00:1398:8:203::1,ifconfig 141.52.120.234 255.255.255.0,peer-id 56,cipher AES-256-GCM'
Mon Apr 2 12:30:12 2018 OPTIONS IMPORT: timers and/or timeouts modified
Mon Apr 2 12:30:12 2018 OPTIONS IMPORT: --ifconfig/up options modified
Mon Apr 2 12:30:12 2018 OPTIONS IMPORT: route options modified
Mon Apr 2 12:30:12 2018 OPTIONS IMPORT: route-related options modified
Mon Apr 2 12:30:12 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Apr 2 12:30:12 2018 OPTIONS IMPORT: peer-id set
Mon Apr 2 12:30:12 2018 OPTIONS IMPORT: adjusting link_mtu to 1625
Mon Apr 2 12:30:12 2018 OPTIONS IMPORT: data channel crypto options modified
Mon Apr 2 12:30:12 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Apr 2 12:30:12 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Apr 2 12:30:12 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Apr 2 12:30:12 2018 ROUTE_GATEWAY 192.168.178.1/255.255.255.0 IFACE=enp30s0 HWADDR=b0:6e:bf:d3:02:68
Mon Apr 2 12:30:12 2018 GDG6: remote_host_ipv6=n/a
Mon Apr 2 12:30:12 2018 ROUTE6_GATEWAY fe80::e228:6dff:fecd:a276 IFACE=enp30s0
Mon Apr 2 12:30:12 2018 TUN/TAP device tun0 opened
Mon Apr 2 12:30:12 2018 TUN/TAP TX queue length set to 100
Mon Apr 2 12:30:12 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Mon Apr 2 12:30:12 2018 /usr/bin/ip link set dev tun0 up mtu 1500
Mon Apr 2 12:30:12 2018 /usr/bin/ip addr add dev tun0 141.52.120.234/24 broadcast 141.52.120.255
Mon Apr 2 12:30:12 2018 /usr/bin/ip -6 addr add 2a00:1398:8:203::10e8/64 dev tun0
Mon Apr 2 12:30:12 2018 /usr/bin/ip route add 141.52.8.20/32 via 192.168.178.1
Mon Apr 2 12:30:12 2018 /usr/bin/ip route add 0.0.0.0/1 via 141.52.120.1
Mon Apr 2 12:30:12 2018 /usr/bin/ip route add 128.0.0.0/1 via 141.52.120.1
Mon Apr 2 12:30:12 2018 add_route_ipv6(2000::/3 -> 2a00:1398:8:203::1 metric -1) dev tun0
Mon Apr 2 12:30:12 2018 /usr/bin/ip -6 route add 2000::/3 dev tun0
Mon Apr 2 12:30:12 2018 Initialization Sequence Completed
So the connection seems to work. But I cannot ssh into any server. I always get the error
ssh: Could not resolve hostname server.blabla.de: Name of service not known
The internet itself works fine, though (does the internet traffic go through the VPN? How can I check that?).
How can I debug this? I really don't know where to start.
Answer 1
The problem is that the server tries to push nameserver addresses to the client (dhcp-option DNS 141.3.175.71,dhcp-option DNS 141.3.175.72), but the client is not configured to interpret those parameters.
If you have resolvconf or openresolv installed, it is worth using the script /etc/openvpn/update-resolv-conf, which usually ships with the OpenVPN installation. To use it, just add the following lines to the configuration file:
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
If not, you can work around the problem temporarily by changing /etc/resolv.conf to
nameserver 141.3.175.71
nameserver 141.3.175.72
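The DNS fix described in the answer, as an added example that is neither the answer's own text nor OpenVPN's shipped update-resolv-conf script: a minimal --up/--down handler that reads the pushed dhcp-option DNS and DOMAIN values (which OpenVPN exposes to scripts as the foreign_option_N environment variables) and writes them into the resolver configuration. The backup path /etc/resolv.conf.pre-openvpn and the fallback used when resolvconf is absent are this example's own choices.

```shell
#!/bin/sh
# Added example, not the page's text nor OpenVPN's /etc/openvpn/update-resolv-conf.
# OpenVPN passes each pushed "dhcp-option" to an --up/--down script as
# foreign_option_1, foreign_option_2, ... and sets script_type ("up"/"down")
# and dev (the tun device name). Requires script-security 2 in the client
# config, which the configuration above already has.

# Turn the foreign_option_N variables into resolv.conf lines. For the
# PUSH_REPLY shown above this yields two nameserver lines and "search kit.edu".
build_resolv_conf() {
    i=1
    while true; do
        eval "opt=\${foreign_option_$i}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)    echo "nameserver ${opt#dhcp-option DNS }" ;;
            "dhcp-option DOMAIN "*) echo "search ${opt#dhcp-option DOMAIN }" ;;
        esac
        i=$((i + 1))
    done
}

# Install the lines through resolvconf when available (so they are removed
# cleanly on "down"); otherwise back up and overwrite /etc/resolv.conf.
vpn_dns_up() {
    if command -v resolvconf >/dev/null 2>&1; then
        build_resolv_conf | resolvconf -a "${dev:-tun0}.inet"
    else
        cp /etc/resolv.conf /etc/resolv.conf.pre-openvpn   # backup path is this example's choice
        build_resolv_conf > /etc/resolv.conf
    fi
}

# Undo the change when the tunnel goes down.
vpn_dns_down() {
    if command -v resolvconf >/dev/null 2>&1; then
        resolvconf -d "${dev:-tun0}.inet"
    elif [ -f /etc/resolv.conf.pre-openvpn ]; then
        mv /etc/resolv.conf.pre-openvpn /etc/resolv.conf
    fi
}

# Only act when OpenVPN invoked us; sourcing the file elsewhere does nothing.
case "${script_type:-}" in
    up)   vpn_dns_up ;;
    down) vpn_dns_down ;;
esac
```

Point the up and down directives at this file exactly as the answer does for update-resolv-conf. On a system where /etc/resolv.conf is managed by NetworkManager or systemd-resolved the file will be rewritten again, so use that manager's own OpenVPN DNS integration instead of editing the file directly.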