OpenVPN 客户端连接到 VPN 服务器，但没有互联网连接

我按照本指南设置了一个 OpenVPN 服务器：

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04

OpenVPN 服务器是 Ubuntu-18.04-x86_64 上的 VPS

客户端是 Raspbian Stretch Lite 上的 Raspberry Pi 3 B+

---

问题：客户端成功连接到服务器（Initialization Sequence Completed）但没有互联网连接。

Ping www.google.com 成功。

询问公网IP有效：输出服务器的IP。

但是下载某些东西（例如使用 wget 或 apt install）不起作用。

编辑：我尝试用另一个客户端（Windows 10）连接到同一台服务器，但遇到了同样的问题，互联网连接不起作用。我猜问题出在服务器（VPS）而不是客户端。

---

服务器配置文件

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1

---

客户端.ovpn

client
dev tun
proto udp
remote XXX.XXX.XXX.XXX 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
auth SHA256
verb 3

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

<ca>
-snip-
</ca>
<cert>
-snip-
</cert>
<key>
-snip-
</key>
<tls-auth>
-snip-
</tls-auth>

---

/etc/sysctl.conf（服务器）

net.ipv4.ip_forward=1

---

/etc/ufw/before.rules（服务器）

我添加了以下几行：

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

---

ufw 状态（服务器）

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT IN    Anywhere
1194/udp                   ALLOW IN    Anywhere
22/tcp (v6)                LIMIT IN    Anywhere (v6)
1194/udp (v6)              ALLOW IN    Anywhere (v6)

---

连接期间的 OpenVPN 客户端输出

OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Socket Buffers: R=[163840->163840] S=[163840->163840]
UDP link local: (not bound)
UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1194, sid=3eb50ad7 3b03202e
VERIFY OK: depth=1, CN=Easy-RSA CA
Validating certificate key usage
++ Certificate has key usage  00a0, expects 00a0
VERIFY KU OK
Validating certificate extended key usage
++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
VERIFY EKU OK
VERIFY OK: depth=0, CN=server
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
[server] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
OPTIONS IMPORT: peer-id set
OPTIONS IMPORT: adjusting link_mtu to 1624
OPTIONS IMPORT: data channel crypto options modified
Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
do_ifconfig, tt->did_ifconfig_ipv6_setup=0
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
/etc/openvpn/update-resolv-conf tun0 1500 1552 10.8.0.6 10.8.0.5 init
dhcp-option DNS 208.67.222.222
dhcp-option DNS 208.67.220.220
/sbin/ip route add XXX.XXX.XXX.XXX/32 via 192.168.1.1
RTNETLINK answers: File exists
ERROR: Linux route add command failed: external program exited with error status: 2
/sbin/ip route add 0.0.0.0/1 via 10.8.0.5
/sbin/ip route add 128.0.0.0/1 via 10.8.0.5
/sbin/ip route add 10.8.0.1/32 via 10.8.0.5
GID set to nogroup
UID set to nobody
Initialization Sequence Completed

---

断开连接时 OpenVPN 客户端输出

event_wait : Interrupted system call (code=4)
/sbin/ip route del 10.8.0.1/32
RTNETLINK answers: Operation not permitted
ERROR: Linux route delete command failed: external program exited with error status: 2
/sbin/ip route del XXX.XXX.XXX.XXX/32
RTNETLINK answers: Operation not permitted
ERROR: Linux route delete command failed: external program exited with error status: 2
/sbin/ip route del 0.0.0.0/1
RTNETLINK answers: Operation not permitted
ERROR: Linux route delete command failed: external program exited with error status: 2
/sbin/ip route del 128.0.0.0/1
RTNETLINK answers: Operation not permitted
ERROR: Linux route delete command failed: external program exited with error status: 2
Closing TUN/TAP interface
/sbin/ip addr del dev tun0 local 10.8.0.6 peer 10.8.0.5
RTNETLINK answers: Operation not permitted
Linux ip addr del failed: external program exited with error status: 2
/etc/openvpn/update-resolv-conf tun0 1500 1552 10.8.0.6 10.8.0.5 init
Cannot write to /run/resolvconf/lock
WARNING: Failed running command (--up/--down): external program exited with error status: 1
Exiting due to fatal error

---

/etc/resolv.conf（客户端）

# Generated by resolvconf
domain home
nameserver 208.67.222.222
nameserver 208.67.220.220
nameserver 192.168.1.1

---

客户端路由表

VPN 关闭

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
XXX.XXX.XX.XX   192.168.1.1     255.255.255.255 UGH       0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0

VPN 开启

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.8.0.5        128.0.0.0       UG        0 0          0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
10.8.0.1        10.8.0.5        255.255.255.255 UGH       0 0          0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
XXX.XXX.XX.XX   192.168.1.1     255.255.255.255 UGH       0 0          0 eth0
128.0.0.0       10.8.0.5        128.0.0.0       UG        0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0

---

mtr google.com (客户端)

 Host                               Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 10.8.0.1                         1.6%    62   55.3 541.2  53.9 2056. 669.3
 2.                                  0.0%    62   55.2 561.6  54.0 2277. 685.9
 3. 10.95.48.15                      0.0%    62   56.3 563.4  53.9 2228. 691.4
 4. 10.95.48.10                      0.0%    62   57.5 577.0  55.6 2236. 688.9
 5. be100-1258.gsw-1-a9.fr.eu        0.0%    62   65.4 567.7  63.2 2172. 671.9
 6. ???
 7. 108.170.244.193                  0.0%    62   64.8 563.5  63.4 2163. 672.7
 8. 216.239.59.209                   0.0%    59   65.6 530.8  63.0 2162. 650.7
 9. par21s11-in-f4.1e100.net         0.0%    59   64.4 522.3  63.5 2093. 647.6