VPN 无法重新连接（无法解析主机地址）

也许有人可以帮助我：

目前，我正在尝试在虚拟机上配置与商业 VPN 提供商的故障安全 VPN 连接。这工作正常，直到我的路由器想要重置我的 IPv4 公共地址（每隔几天）。然后 VM 上的 VPN 客户端无法重新连接到 VPN 服务器，因为它无法连接到 DNS 服务器，这是我的 iptables 设置造成的（只是我的假设）。

我的设置：

VM 在我的本地网络中有一个虚拟 IP 地址。VM 上有一个代理服务器 (squid) 在运行。因此，我的所有客户端（在我的本地网络上）应用程序都可以使用 VM 上的 VPN 连接来访问互联网。

我在我的虚拟机上使用 Debian 7.8、openvpn 2.2.1-8+deb7u3、squid 2.7.STABLE9-4.1+deb7u1 和 iptables 1.4.14-3.1。

配置：

OpenVPN：

client
dev tun
proto udp
remote urlofvpnserver.com 3478
cipher AES-128-CBC
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca TrustedRoot.pem
verb 3
auth-user-pass /root/.secretfile
reneg-sec 0
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log

iptables：

*filter
:INPUT DROP [6:1984]
:FORWARD DROP [0:0]
:OUTPUT DROP [177:11271]


//local communication
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT


//accept local network traffic
-A INPUT -s 192.168.2.0/24 -j ACCEPT
-A OUTPUT -d 192.168.2.0/24 -j ACCEPT


//allow connections to the VPN servers different IP ranges
-A OUTPUT -d hiddenvpnwebsite -j ACCEPT
-A INPUT -s hidden -j ACCEPT
-A INPUT -s hidden -j ACCEPT
-A INPUT -s hidden -j ACCEPT
-A INPUT -s hidden -j ACCEPT
-A INPUT -s hidden -j ACCEPT
-A INPUT -s hidden -j ACCEPT
-A INPUT -s hidden -j ACCEPT
-A INPUT -s hidden -j ACCEPT
-A INPUT -s hidden -j ACCEPT
-A INPUT -s hidden -j ACCEPT
-A OUTPUT -d hidden -j ACCEPT
-A OUTPUT -d hidden -j ACCEPT
-A OUTPUT -d hidden -j ACCEPT
-A OUTPUT -d hidden -j ACCEPT
-A OUTPUT -d hidden -j ACCEPT
-A OUTPUT -d hidden -j ACCEPT
-A OUTPUT -d hidden -j ACCEPT
-A OUTPUT -d hidden -j ACCEPT
-A OUTPUT -d hidden -j ACCEPT
-A OUTPUT -d hidden -j ACCEPT


//squid port
-A INPUT -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT


//DNS servers
-A INPUT -s 208.67.222.222/32 -j ACCEPT
-A OUTPUT -d 208.67.222.222/32 -j ACCEPT


//allow traffic on tun
-A INPUT -i tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT


//open openvpn ports
-A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
COMMIT

/etc/网络/接口

auto lo eth0
iface lo inet loopback
iface eth0 inet static
        address 192.168.2.122
        netmask 255.255.255.0
        gateway 192.168.2.1
        dns-nameservers 208.67.222.222 208.67.220.220 8.8.8.8
        dns-search 208.67.222.222

/etc/resolv.conf

nameserver 208.67.222.222
nameserver 208.67.220.220

/var/log/openvpn/openvpn.log

Wed Jan 28 03:59:46 2015 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec  1 2014
Wed Jan 28 03:59:46 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Jan 28 03:59:46 2015 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Jan 28 03:59:46 2015 Control Channel MTU parms [ L:1557 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jan 28 03:59:46 2015 Socket Buffers: R=[229376->131072] S=[229376->131072]
Wed Jan 28 03:59:47 2015 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
Wed Jan 28 03:59:47 2015 Local Options hash (VER=V4): '8326dbaa'
Wed Jan 28 03:59:47 2015 Expected Remote Options hash (VER=V4): 'b7f67de4'
Wed Jan 28 03:59:47 2015 UDPv4 link local: [undef]
Wed Jan 28 03:59:47 2015 UDPv4 link remote: [AF_INET]one_of_the_hidden_vpn_ips:3478
Wed Jan 28 03:59:47 2015 TLS: Initial packet from [AF_INET]one_of_the_hidden_vpn_ips:3478, sid=68e25514 fb7384de
Wed Jan 28 03:59:47 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Jan 28 03:59:47 2015 VERIFY OK: depth=2, hidden_CA
Wed Jan 28 03:59:47 2015 VERIFY OK: depth=1, hidden_CA
Wed Jan 28 03:59:47 2015 VERIFY OK: depth=0, hidden_CA .hidden_vpn_url
Wed Jan 28 03:59:47 2015 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jan 28 03:59:47 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 28 03:59:47 2015 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jan 28 03:59:47 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 28 03:59:47 2015 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jan 28 03:59:47 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 28 03:59:47 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Wed Jan 28 03:59:47 2015 [_.hidden_vpn_url] Peer Connection Initiated with [AF_INET]hidden_vpn_ip:3478
Wed Jan 28 03:59:49 2015 SENT CONTROL [_.hidden_vpn_url]: 'PUSH_REQUEST' (status=1)
Wed Jan 28 03:59:49 2015 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,topology subnet,ping 5,ping-restart 15,explicit-exit-notify,route-gateway 10.3.$
Wed Jan 28 03:59:49 2015 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jan 28 03:59:49 2015 OPTIONS IMPORT: explicit notify parm(s) modified
Wed Jan 28 03:59:49 2015 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jan 28 03:59:49 2015 OPTIONS IMPORT: route options modified
Wed Jan 28 03:59:49 2015 OPTIONS IMPORT: route-related options modified
Wed Jan 28 03:59:49 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jan 28 03:59:49 2015 ROUTE default_gateway=192.168.2.1
Wed Jan 28 03:59:49 2015 TUN/TAP device tun0 opened
Wed Jan 28 03:59:49 2015 TUN/TAP TX queue length set to 100
Wed Jan 28 03:59:49 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Jan 28 03:59:49 2015 /sbin/ifconfig tun0 10.3.134.57 netmask 255.255.255.0 mtu 1500 broadcast 10.3.134.255
Wed Jan 28 03:59:49 2015 /sbin/route add -net hidden_vpn_ip netmask 255.255.255.255 gw 192.168.2.1
Wed Jan 28 03:59:49 2015 /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
Wed Jan 28 03:59:49 2015 /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.3.134.57
Wed Jan 28 03:59:49 2015 Initialization Sequence Completed


Comment: now everything works, until my router disconnects:


Wed Jan 28 05:33:48 2015 [_.hidden_vpn_url] Inactivity timeout (--ping-restart), restarting
Wed Jan 28 05:33:48 2015 TCP/UDP: Closing socket
Wed Jan 28 05:33:48 2015 SIGUSR1[soft,ping-restart] received, process restarting
Wed Jan 28 05:33:48 2015 Restart pause, 2 second(s)
Wed Jan 28 05:33:50 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Jan 28 05:33:50 2015 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Jan 28 05:33:50 2015 Re-using SSL/TLS context
Wed Jan 28 05:33:50 2015 Control Channel MTU parms [ L:1557 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jan 28 05:33:50 2015 Socket Buffers: R=[229376->131072] S=[229376->131072]
Wed Jan 28 05:35:10 2015 RESOLVE: Cannot resolve host address: hidden_vpn_url: [HOST_NOT_FOUND] The specified host is unknown.
Wed Jan 28 05:35:10 2015 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
Wed Jan 28 05:35:10 2015 Local Options hash (VER=V4): '8326dbaa'
Wed Jan 28 05:35:10 2015 Expected Remote Options hash (VER=V4): 'b7f67de4'
Wed Jan 28 05:36:30 2015 RESOLVE: Cannot resolve host address:  hidden_vpn_url: [HOST_NOT_FOUND] The specified host is unknown.
Wed Jan 28 05:37:55 2015 RESOLVE: Cannot resolve host address:  hidden_vpn_url: [HOST_NOT_FOUND] The specified host is unknown.
Wed Jan 28 05:39:20 2015 RESOLVE: Cannot resolve host address:  hidden_vpn_url: [HOST_NOT_FOUND] The specified host is unknown.
Wed Jan 28 05:40:45 2015 RESOLVE: Cannot resolve host address:  hidden_vpn_url: [HOST_NOT_FOUND] The specified host is unknown.

我认为问题如下：在 openvpn 配置中，我必须设置 vpn 提供商的 url，而不是 ip 地址：remote urlofvpnserver.com 3478。

我尝试将其更改为 VPN 提供商的 IP 地址。但他们使用多个 IP 地址和范围。我认为在服务器端，我将连接到一个不太过载的服务器，以保证最佳连接速度。但如果我更改urlofvpnserver.com到他们的一个 IP 地址，连接只有 50% 的时间有效。（一些 vpn 服务器脚本可能会阻止这种情况）

因此，在我断开与 VPN 的连接后，虚拟机会尝试解析urlofvpnserver.com通过询问 DNS 服务器。但是虚拟机无法连接到 DNS 服务器，因为它可能被迫使用 VPN 连接？

抱歉，我编辑了我的配置文件。我只是有点偏执。我刚开始学习 iptables 和网络协议。所以我可能完全错了。

有人知道该如何解决这个问题吗？那么 VPN 客户端可以在路由器 DC 或互联网连接出现问题后重新连接吗？如果有人需要，我很乐意提供更具体的信息。