Redirect or route all traffic through OpenVPN on a Mac OS X client

I have set up an OpenVPN (2.2.1) server on an Ubuntu virtual machine in Amazon Elastic Compute Cloud. The server is up and running. I installed OpenVPN (2.2.1) on a Mac OS X (10.8.2) client and connect using the openvpn2 binary (as opposed to other clients such as Tunnelblick or Viscosity). I can connect the client and successfully ping or ssh the server through the tunnel.

However, even though I use the push "redirect-gateway def1 bypass-dhcp" option in the server.conf configuration, I cannot redirect all Internet traffic through the VPN. When I connect to the server with this configuration I get a successful connection, but then an endless series of error messages: "write UDPv4: No route to host (code=65)". Traffic routing appears to be broken, because I can no longer reach anything, not even the OpenVPN server (e.g. via ping 10.8.0.1).

This is beyond my abilities. I can't find much help online and don't know what to do next. I don't think it's a problem with forwarding traffic on the server, because first, I've already dealt with that, and second, I can't even ping the VPN server locally through the tunnel (or anything at all).

Thanks for your help.

Here is the server.conf file:

port 1194
proto udp
dev tun
ca ca.crt
cert ec2-server.crt
key ec2-server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

And the client.conf file:

client
dev tun
proto udp
remote servername.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert Toto5.crt
key Toto5.key
ns-cert-type server
comp-lzo
verb 3

Here is the connection log with the error messages:

$ sudo openvpn2 --config client.conf
Wed Mar 13 22:58:22 2013 OpenVPN 2.2.1 x86_64-apple-darwin12.2.0 [SSL] [LZO2] [eurephia] built on Mar 4 2013
Wed Mar 13 22:58:22 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Mar 13 22:58:22 2013 LZO compression initialized
Wed Mar 13 22:58:22 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Mar 13 22:58:22 2013 Socket Buffers: R=[196724->65536] S=[9216->65536]
Wed Mar 13 22:58:22 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Mar 13 22:58:22 2013 Local Options hash (VER=V4): '41690919'
Wed Mar 13 22:58:22 2013 Expected Remote Options hash (VER=V4): '530fdded'
Wed Mar 13 22:58:22 2013 UDPv4 link local: [undef]
Wed Mar 13 22:58:22 2013 UDPv4 link remote: 54.234.43.171:1194
Wed Mar 13 22:58:22 2013 TLS: Initial packet from 54.234.43.171:1194, sid=ffbaf343 d0c1a266
Wed Mar 13 22:58:22 2013 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funst ... ost.domain
Wed Mar 13 22:58:22 2013 VERIFY OK: nsCertType=SERVER
Wed Mar 13 22:58:22 2013 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funst ... ost.domain
Wed Mar 13 22:58:23 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Mar 13 22:58:23 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 13 22:58:23 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Mar 13 22:58:23 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 13 22:58:23 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Mar 13 22:58:23 2013 [ec2-server] Peer Connection Initiated with 54.234.43.171:1194
Wed Mar 13 22:58:25 2013 SENT CONTROL [ec2-server]: 'PUSH_REQUEST' (status=1)
Wed Mar 13 22:58:25 2013 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Wed Mar 13 22:58:25 2013 OPTIONS IMPORT: timers and/or timeouts modified
Wed Mar 13 22:58:25 2013 OPTIONS IMPORT: --ifconfig/up options modified
Wed Mar 13 22:58:25 2013 OPTIONS IMPORT: route options modified
Wed Mar 13 22:58:25 2013 ROUTE default_gateway=0.0.0.0
Wed Mar 13 22:58:25 2013 TUN/TAP device /dev/tun0 opened
Wed Mar 13 22:58:25 2013 /sbin/ifconfig tun0 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
Wed Mar 13 22:58:25 2013 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Wed Mar 13 22:58:25 2013 /sbin/ifconfig tun0 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
Wed Mar 13 22:58:25 2013 /sbin/route add -net 10.8.0.0 10.8.0.5 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.5
Wed Mar 13 22:58:25 2013 Initialization Sequence Completed
^CWed Mar 13 22:58:30 2013 event_wait : Interrupted system call (code=4)
Wed Mar 13 22:58:30 2013 TCP/UDP: Closing socket
Wed Mar 13 22:58:30 2013 /sbin/route delete -net 10.8.0.0 10.8.0.5 255.255.255.0
delete net 10.8.0.0: gateway 10.8.0.5
Wed Mar 13 22:58:30 2013 Closing TUN/TAP interface
Wed Mar 13 22:58:30 2013 SIGINT[hard,] received, process exiting
toto5:ttntec2 Dominic$ sudo openvpn2 --config client.conf --remote ec2-54-234-43-171.compute-1.amazonaws.com
Wed Mar 13 22:58:57 2013 OpenVPN 2.2.1 x86_64-apple-darwin12.2.0 [SSL] [LZO2] [eurephia] built on Mar 4 2013
Wed Mar 13 22:58:57 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Mar 13 22:58:57 2013 LZO compression initialized
Wed Mar 13 22:58:57 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Mar 13 22:58:57 2013 Socket Buffers: R=[196724->65536] S=[9216->65536]
Wed Mar 13 22:58:57 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Mar 13 22:58:57 2013 Local Options hash (VER=V4): '41690919'
Wed Mar 13 22:58:57 2013 Expected Remote Options hash (VER=V4): '530fdded'
Wed Mar 13 22:58:57 2013 UDPv4 link local: [undef]
Wed Mar 13 22:58:57 2013 UDPv4 link remote: 54.234.43.171:1194
Wed Mar 13 22:58:57 2013 TLS: Initial packet from 54.234.43.171:1194, sid=a0d75468 ec26de14
Wed Mar 13 22:58:58 2013 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funst ... ost.domain
Wed Mar 13 22:58:58 2013 VERIFY OK: nsCertType=SERVER
Wed Mar 13 22:58:58 2013 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funst ... ost.domain
Wed Mar 13 22:58:58 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Mar 13 22:58:58 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 13 22:58:58 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Mar 13 22:58:58 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 13 22:58:58 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Mar 13 22:58:58 2013 [ec2-server] Peer Connection Initiated with 54.234.43.171:1194
Wed Mar 13 22:59:00 2013 SENT CONTROL [ec2-server]: 'PUSH_REQUEST' (status=1)
Wed Mar 13 22:59:00 2013 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Wed Mar 13 22:59:00 2013 OPTIONS IMPORT: timers and/or timeouts modified
Wed Mar 13 22:59:00 2013 OPTIONS IMPORT: --ifconfig/up options modified
Wed Mar 13 22:59:00 2013 OPTIONS IMPORT: route options modified
Wed Mar 13 22:59:00 2013 ROUTE default_gateway=0.0.0.0
Wed Mar 13 22:59:00 2013 TUN/TAP device /dev/tun0 opened
Wed Mar 13 22:59:00 2013 /sbin/ifconfig tun0 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
Wed Mar 13 22:59:00 2013 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Wed Mar 13 22:59:00 2013 /sbin/ifconfig tun0 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
Wed Mar 13 22:59:00 2013 /sbin/route add -net 54.234.43.171 0.0.0.0 255.255.255.255
add net 54.234.43.171: gateway 0.0.0.0
Wed Mar 13 22:59:00 2013 /sbin/route add -net 0.0.0.0 10.8.0.5 128.0.0.0
add net 0.0.0.0: gateway 10.8.0.5
Wed Mar 13 22:59:00 2013 /sbin/route add -net 128.0.0.0 10.8.0.5 128.0.0.0
add net 128.0.0.0: gateway 10.8.0.5
Wed Mar 13 22:59:00 2013 /sbin/route add -net 10.8.0.0 10.8.0.5 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.5
Wed Mar 13 22:59:00 2013 Initialization Sequence Completed
Wed Mar 13 22:59:00 2013 write UDPv4: No route to host (code=65)
Wed Mar 13 22:59:00 2013 write UDPv4: No route to host (code=65)
Wed Mar 13 22:59:01 2013 write UDPv4: No route to host (code=65)
Wed Mar 13 22:59:01 2013 write UDPv4: No route to host (code=65)
Wed Mar 13 22:59:01 2013 write UDPv4: No route to host (code=65)
Wed Mar 13 22:59:02 2013 write UDPv4: No route to host (code=65)
Wed Mar 13 22:59:02 2013 write UDPv4: No route to host (code=65)
Wed Mar 13 22:59:02 2013 write UDPv4: No route to host (code=65)
Wed Mar 13 22:59:02 2013 write UDPv4: No route to host (code=65)
Wed Mar 13 22:59:02 2013 write UDPv4: No route to host (code=65)
...

Routing table after connecting without the pushed redirect-gateway (traffic is not redirected into the VPN and everything works: I can ping or ssh the OpenVPN server and reach all other Internet resources through my default gateway):

Destination        Gateway            Flags        Refs      Use   Netif Expire
default            user148-1.wireless UGSc           50        0     en1
10.8/24            10.8.0.5           UGSc            2        7    tun0
10.8.0.5           10.8.0.6           UH              3        2    tun0
127                localhost          UCS             0        0     lo0
localhost          localhost          UH              6     6692     lo0
client.openvpn.net client.openvpn.net UH              3       18     lo0
142.1.148/22       link#5             UCS             2        0     en1
user148-1.wireless 0:90:b:27:10:71    UHLWIir        50        0     en1     76
user150-173.wirele localhost          UHS             0        0     lo0
142.1.151.255      ff:ff:ff:ff:ff:ff  UHLWbI          0        2     en1
169.254            link#5             UCS             1        0     en1
169.254.255.255    0:90:b:27:10:71    UHLSWi          0        0     en1     71

Routing table after connecting with the push redirect-gateway option enabled as shown in the server.conf file above (all Internet traffic should be redirected into the VPN tunnel, but nothing works and I cannot reach any Internet resource at all):

Destination        Gateway            Flags        Refs      Use   Netif Expire
0/1                10.8.0.5           UGSc            1        0    tun0
default            user148-1.wireless UGSc            7        0     en1
10.8/24            10.8.0.5           UGSc            0        0    tun0
10.8.0.5           10.8.0.6           UHr             6        0    tun0
54.234.43.171/32   0.0.0.0            UGSc            1        0     en1
127                localhost          UCS             0        0     lo0
localhost          localhost          UH              3     6698     lo0
client.openvpn.net client.openvpn.net UH              0       27     lo0
128.0/1            10.8.0.5           UGSc            2        0    tun0
142.1.148/22       link#5             UCS             1        0     en1
user148-1.wireless 0:90:b:27:10:71    UHLWIir         1        0     en1    833
user150-173.wirele localhost          UHS             0        0     lo0
169.254            link#5             UCS             1        0     en1
169.254.255.255    0:90:b:27:10:71    UHLSW           0        0     en1
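The telling lines in the second log are "ROUTE default_gateway=0.0.0.0" followed by "/sbin/route add -net 54.234.43.171 0.0.0.0 255.255.255.255": OpenVPN could not work out the LAN default gateway, so the bypass host route it installs for the VPN server's public address points at 0.0.0.0, and every encrypted UDP packet to the server fails with "No route to host" while the def1 routes (0/1 and 128/1) pull everything else into the now-dead tunnel. The following script is an added diagnostic helper, not code from the question or the answer below; it reads an OpenVPN 2.2 client log and a macOS netstat route table and flags exactly that pattern. The log excerpts are taken from the question; the "healthy" counterexample and its LAN gateway 192.168.1.1 are constructed.

```python
"""Spot the route-table failure behind "write UDPv4: No route to host (code=65)".

Added diagnostic helper (not part of the question or answer). It reads an
OpenVPN 2.2 client log and a netstat -r style table and flags the pattern in
the question's second log: default-gateway detection failed, so the bypass
host route for the VPN server was installed via 0.0.0.0.
"""
import re

ROUTE_ADD_RE = re.compile(r"/sbin/route add -net (\S+) (\S+) (\S+)")
DEFAULT_GW_RE = re.compile(r"ROUTE default_gateway=(\S+)")

# Excerpt of the broken connection log from the question.
BROKEN_LOG = """\
Wed Mar 13 22:59:00 2013 ROUTE default_gateway=0.0.0.0
Wed Mar 13 22:59:00 2013 /sbin/route add -net 54.234.43.171 0.0.0.0 255.255.255.255
Wed Mar 13 22:59:00 2013 /sbin/route add -net 0.0.0.0 10.8.0.5 128.0.0.0
Wed Mar 13 22:59:00 2013 /sbin/route add -net 128.0.0.0 10.8.0.5 128.0.0.0
Wed Mar 13 22:59:00 2013 /sbin/route add -net 10.8.0.0 10.8.0.5 255.255.255.0
Wed Mar 13 22:59:00 2013 write UDPv4: No route to host (code=65)
"""

# Constructed counterexample: the same lines when gateway detection works.
# 192.168.1.1 is a made-up LAN gateway, not an address from the question.
HEALTHY_LOG = """\
Wed Mar 13 23:10:00 2013 ROUTE default_gateway=192.168.1.1
Wed Mar 13 23:10:00 2013 /sbin/route add -net 54.234.43.171 192.168.1.1 255.255.255.255
Wed Mar 13 23:10:00 2013 /sbin/route add -net 0.0.0.0 10.8.0.5 128.0.0.0
Wed Mar 13 23:10:00 2013 /sbin/route add -net 128.0.0.0 10.8.0.5 128.0.0.0
Wed Mar 13 23:10:00 2013 /sbin/route add -net 10.8.0.0 10.8.0.5 255.255.255.0
"""

# Excerpt of the second routing table from the question (netstat -r output).
BROKEN_TABLE = """\
Destination        Gateway            Flags        Refs      Use   Netif Expire
0/1                10.8.0.5           UGSc            1        0    tun0
default            user148-1.wireless UGSc            7        0     en1
54.234.43.171/32   0.0.0.0            UGSc            1        0     en1
128.0/1            10.8.0.5           UGSc            2        0    tun0
"""


def detected_default_gateway(log_text):
    """Return the gateway OpenVPN logged in its 'ROUTE default_gateway=' line, or None."""
    m = DEFAULT_GW_RE.search(log_text)
    return m.group(1) if m else None


def parse_route_adds(log_text):
    """Return (destination, gateway, netmask) for every '/sbin/route add -net' line."""
    return [m.groups() for m in ROUTE_ADD_RE.finditer(log_text)]


def parse_route_table(table_text):
    """Map Destination -> (Gateway, Flags, Netif) from a BSD/macOS netstat -r table."""
    table = {}
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Destination":
            continue  # skip the header and any short/blank line
        table[fields[0]] = (fields[1], fields[2], fields[5])
    return table


def diagnose(log_text, server_ip):
    """Explain why redirect-gateway broke connectivity, as a list of findings (empty = OK)."""
    findings = []
    if detected_default_gateway(log_text) == "0.0.0.0":
        findings.append("OpenVPN could not detect the LAN default gateway "
                        "(ROUTE default_gateway=0.0.0.0)")
    routes = parse_route_adds(log_text)
    # The bypass host route must point at the real LAN gateway; 0.0.0.0 is unusable.
    server_unreachable = any(
        dest == server_ip and mask == "255.255.255.255" and via == "0.0.0.0"
        for dest, via, mask in routes)
    if server_unreachable:
        findings.append(f"bypass host route for {server_ip} points at gateway 0.0.0.0, "
                        "so encrypted UDP packets to the server cannot be sent")
    # def1 = two /1 routes (0/1 and 128/1) that override the default without deleting it.
    halves = {(dest, mask) for dest, _, mask in routes if mask == "128.0.0.0"}
    if {("0.0.0.0", "128.0.0.0"), ("128.0.0.0", "128.0.0.0")} <= halves and server_unreachable:
        findings.append("def1 routes 0/1 and 128/1 send all traffic into tun0 while the "
                        "tunnel endpoint itself is unreachable: nothing gets out")
    return findings


def route_table_gateway(table_text, destination):
    """Gateway column for one destination row (e.g. '54.234.43.171/32'), or None."""
    entry = parse_route_table(table_text).get(destination)
    return entry[0] if entry else None


if __name__ == "__main__":
    for name, log in (("broken", BROKEN_LOG), ("healthy", HEALTHY_LOG)):
        print(name, diagnose(log, "54.234.43.171") or ["no routing problem found"])
    print("host route gateway in table:", route_table_gateway(BROKEN_TABLE, "54.234.43.171/32"))
```

On a live client the same check is: connect, run netstat -rn, and look at the row for the server's public /32. If its Gateway column is 0.0.0.0 rather than the LAN router, redirect-gateway cannot work no matter what the server pushes, because the tunnel's own packets have nowhere to go.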

Answer 1

I think I found the problem. The explanation and a possible solution will be posted here: https://forums.openvpn.net/post28560.html#p28560
