OpenVPN 无法上网

tag-icon tag-icon vpn firewall iptables openvpn
OpenVPN 无法上网

我在设置 OpenVPN 时遇到了问题。我有一个安装了 OpenVPN 服务器的 Linode 盒子,我设法让 Tunnelblick 从我的 Mac 建立 VPN 连接。我按照本指南进行设置(https://www.linode.com/docs/networking/vpn/secure-communications-with-openvpn-on-ubuntu-12-04-precise-and-debian-7

问题是,当我连接到 VPN 时,我失去了互联网访问权限。我不太熟悉 iptables,但我相当确定这是 linode 盒子上的防火墙问题。

我取消注释了 iptables 中的 REJECT 指令,互联网开始工作,但现在我的 linode 不受保护。我希望有人能帮助我进行设置。这是我的 iptable 配置文件现在的样子。

# Generated by iptables-save v1.4.12 on Wed Sep 17 20:16:01 2014
*security
:INPUT ACCEPT [655071:117449311]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [531569:271562663]
COMMIT
# Completed on Wed Sep 17 20:16:01 2014
# Generated by iptables-save v1.4.12 on Wed Sep 17 20:16:01 2014
*raw
:PREROUTING ACCEPT [655387:117519098]
:OUTPUT ACCEPT [531569:271562663]
COMMIT
# Completed on Wed Sep 17 20:16:01 2014
# Generated by iptables-save v1.4.12 on Wed Sep 17 20:16:01 2014
*nat
:PREROUTING ACCEPT [1779:93936]
:INPUT ACCEPT [1778:93888]
:OUTPUT ACCEPT [10:616]
:POSTROUTING ACCEPT [10:616]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Sep 17 20:16:01 2014
# Generated by iptables-save v1.4.12 on Wed Sep 17 20:16:01 2014
*mangle
:PREROUTING ACCEPT [333602:56545923]
:INPUT ACCEPT [333602:56545923]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [269675:131489507]
:POSTROUTING ACCEPT [269675:131489507]
COMMIT
# Completed on Wed Sep 17 20:16:01 2014
# Generated by iptables-save v1.4.12 on Wed Sep 17 20:16:01 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# -A INPUT -d 127.0.0.0/8 -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8484 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 52698 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 943 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# -A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
# -A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT

请注意,以下几行已被注释掉,但实际上不应该这样:

# -A INPUT -d 127.0.0.0/8 -i lo -j REJECT --reject-with icmp-port-unreachable
# -A INPUT -j REJECT --reject-with icmp-port-unreachable
# -A FORWARD -j REJECT --reject-with icmp-port-unreachable

编辑: sysctl net.ipv4.ip_forward 的输出

net.ipv4.ip_forward = 1

iptables-save 的输出:

# Generated by iptables-save v1.4.12 on Sat Sep 20 03:41:08 2014
*security
:INPUT ACCEPT [14181206:2321341249]
:FORWARD ACCEPT [454424:378929599]
:OUTPUT ACCEPT [11546594:6308759963]
COMMIT
# Completed on Sat Sep 20 03:41:08 2014
# Generated by iptables-save v1.4.12 on Sat Sep 20 03:41:08 2014
*raw
:PREROUTING ACCEPT [14635663:2700275174]
:OUTPUT ACCEPT [11546595:6308760175]
COMMIT
# Completed on Sat Sep 20 03:41:08 2014
# Generated by iptables-save v1.4.12 on Sat Sep 20 03:41:08 2014
*nat
:PREROUTING ACCEPT [1875725:100410074]
:INPUT ACCEPT [1866676:99465105]
:OUTPUT ACCEPT [20810:1333821]
:POSTROUTING ACCEPT [20816:1334245]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Sep 20 03:41:08 2014
# Generated by iptables-save v1.4.12 on Sat Sep 20 03:41:08 2014
*mangle
:PREROUTING ACCEPT [14635664:2700275226]
:INPUT ACCEPT [14181207:2321341301]
:FORWARD ACCEPT [454424:378929599]
:OUTPUT ACCEPT [11546600:6308761475]
:POSTROUTING ACCEPT [12001024:6687691074]
COMMIT
# Completed on Sat Sep 20 03:41:08 2014
# Generated by iptables-save v1.4.12 on Sat Sep 20 03:41:08 2014
*filter
:INPUT ACCEPT [5701:859812]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8484 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 52698 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 943 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT

答案1

您是否尝试过关闭 iptables?尽管规则看起来不错,但您还是应该尝试关闭防火墙。

我找到了这个脚本在 Ubuntu VPS 上安装和配置 OpenVPN。它有效。

相关内容