I set up an OpenVPN server following this guide:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04
The OpenVPN server is a VPS running Ubuntu 18.04 x86_64.
The client is a Raspberry Pi 3 B+ running Raspbian Stretch Lite.
Problem: the client connects to the server successfully (Initialization Sequence Completed) but has no internet connection.
Pinging www.google.com works.
Querying the public IP works: it returns the server's IP.
But downloading anything (e.g. with wget or apt install) does not work.
Edit: I tried connecting to the same server with another client (Windows 10) and hit the same problem: the internet connection does not work. I guess the problem is on the server (VPS) rather than on the client.
Server config file
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
client.ovpn
client
dev tun
proto udp
remote XXX.XXX.XXX.XXX 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
auth SHA256
verb 3
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
<ca>
-snip-
</ca>
<cert>
-snip-
</cert>
<key>
-snip-
</key>
<tls-auth>
-snip-
</tls-auth>
/etc/sysctl.conf (server)
net.ipv4.ip_forward=1
/etc/ufw/before.rules (server)
I added the following lines:
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
ufw status (server)
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22/tcp                     LIMIT IN    Anywhere
1194/udp                   ALLOW IN    Anywhere
22/tcp (v6)                LIMIT IN    Anywhere (v6)
1194/udp (v6)              ALLOW IN    Anywhere (v6)
OpenVPN client output during connection
OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.08
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Socket Buffers: R=[163840->163840] S=[163840->163840]
UDP link local: (not bound)
UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1194, sid=3eb50ad7 3b03202e
VERIFY OK: depth=1, CN=Easy-RSA CA
Validating certificate key usage
++ Certificate has key usage 00a0, expects 00a0
VERIFY KU OK
Validating certificate extended key usage
++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
VERIFY EKU OK
VERIFY OK: depth=0, CN=server
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
[server] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
OPTIONS IMPORT: peer-id set
OPTIONS IMPORT: adjusting link_mtu to 1624
OPTIONS IMPORT: data channel crypto options modified
Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
do_ifconfig, tt->did_ifconfig_ipv6_setup=0
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
/etc/openvpn/update-resolv-conf tun0 1500 1552 10.8.0.6 10.8.0.5 init
dhcp-option DNS 208.67.222.222
dhcp-option DNS 208.67.220.220
/sbin/ip route add XXX.XXX.XXX.XXX/32 via 192.168.1.1
RTNETLINK answers: File exists
ERROR: Linux route add command failed: external program exited with error status: 2
/sbin/ip route add 0.0.0.0/1 via 10.8.0.5
/sbin/ip route add 128.0.0.0/1 via 10.8.0.5
/sbin/ip route add 10.8.0.1/32 via 10.8.0.5
GID set to nogroup
UID set to nobody
Initialization Sequence Completed
OpenVPN client output on disconnect
event_wait : Interrupted system call (code=4)
/sbin/ip route del 10.8.0.1/32
RTNETLINK answers: Operation not permitted
ERROR: Linux route delete command failed: external program exited with error status: 2
/sbin/ip route del XXX.XXX.XXX.XXX/32
RTNETLINK answers: Operation not permitted
ERROR: Linux route delete command failed: external program exited with error status: 2
/sbin/ip route del 0.0.0.0/1
RTNETLINK answers: Operation not permitted
ERROR: Linux route delete command failed: external program exited with error status: 2
/sbin/ip route del 128.0.0.0/1
RTNETLINK answers: Operation not permitted
ERROR: Linux route delete command failed: external program exited with error status: 2
Closing TUN/TAP interface
/sbin/ip addr del dev tun0 local 10.8.0.6 peer 10.8.0.5
RTNETLINK answers: Operation not permitted
Linux ip addr del failed: external program exited with error status: 2
/etc/openvpn/update-resolv-conf tun0 1500 1552 10.8.0.6 10.8.0.5 init
Cannot write to /run/resolvconf/lock
WARNING: Failed running command (--up/--down): external program exited with error status: 1
Exiting due to fatal error
/etc/resolv.conf (client)
# Generated by resolvconf
domain home
nameserver 208.67.222.222
nameserver 208.67.220.220
nameserver 192.168.1.1
Client routing table
VPN off
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0   0      0    eth0
XXX.XXX.XX.XX   192.168.1.1     255.255.255.255 UGH   0   0      0    eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0   0      0    eth0
VPN on
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         10.8.0.5        128.0.0.0       UG    0   0      0    tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0   0      0    eth0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0   0      0    tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0   0      0    tun0
XXX.XXX.XX.XX   192.168.1.1     255.255.255.255 UGH   0   0      0    eth0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0   0      0    tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0   0      0    eth0
mtr google.com (client)
Host                         Loss%   Snt   Last    Avg   Best   Wrst  StDev
1. 10.8.0.1                   1.6%    62   55.3  541.2   53.9  2056.  669.3
2.                            0.0%    62   55.2  561.6   54.0  2277.  685.9
3. 10.95.48.15                0.0%    62   56.3  563.4   53.9  2228.  691.4
4. 10.95.48.10                0.0%    62   57.5  577.0   55.6  2236.  688.9
5. be100-1258.gsw-1-a9.fr.eu  0.0%    62   65.4  567.7   63.2  2172.  671.9
6. ???
7. 108.170.244.193            0.0%    62   64.8  563.5   63.4  2163.  672.7
8. 216.239.59.209             0.0%    59   65.6  530.8   63.0  2162.  650.7
9. par21s11-in-f4.1e100.net   0.0%    59   64.4  522.3   63.5  2093.  647.6
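Two checks a practitioner would run against a setup like the one above, added here as an example and not part of the original question or either answer. The first audits the server side: the DigitalOcean guide's MASQUERADE rule hard-codes eth0, and it only matches if the VPS's default route really leaves via eth0 (the guide itself tells you to confirm the interface with `ip route`), and forwarding also needs ip_forward=1 and ufw's DEFAULT_FORWARD_POLICY=ACCEPT. The second is a DF-bit path-MTU search for the "ping and small requests work, bulk downloads hang" pattern the question describes, which is the classic symptom of a path-MTU black hole inside or under the tunnel. Everything below is constructed: the interface name ens3, the 203.0.113.x addresses and the sample file contents are assumptions, `ping_df` assumes Linux iputils ping, and `suggested_mssfix` is a heuristic margin, not an OpenVPN formula.

```python
"""Diagnose an OpenVPN redirect-gateway server that forwards but does not deliver.
Added example, not code from the original post, OpenVPN or ufw; inputs are constructed."""
import re
import subprocess
from typing import Callable, List, Optional

# --- constructed stand-ins for the files/commands on the VPS (assumptions) -------------
SAMPLE_IP_ROUTE = """default via 203.0.113.1 dev ens3 proto static
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
203.0.113.0/24 dev ens3 proto kernel scope link src 203.0.113.10
"""
SAMPLE_BEFORE_RULES = """# START OPENVPN RULES
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
"""
SAMPLE_SYSCTL = "net.ipv4.ip_forward = 1\n"                # `sysctl net.ipv4.ip_forward`
SAMPLE_UFW_DEFAULT = 'DEFAULT_FORWARD_POLICY="ACCEPT"\n'  # line from /etc/default/ufw


def default_route_iface(ip_route_output: str) -> Optional[str]:
    """Interface named by the kernel's default route in `ip route` output."""
    m = re.search(r"^default via \S+ dev (\S+)", ip_route_output, re.M)
    return m.group(1) if m else None


def masquerade_ifaces(before_rules: str, vpn_subnet: str = "10.8.0.0/24") -> List[str]:
    """Egress interfaces named by MASQUERADE rules for the VPN subnet."""
    pat = re.compile(r"^-A POSTROUTING -s %s -o (\S+) -j MASQUERADE" % re.escape(vpn_subnet), re.M)
    return pat.findall(before_rules)


def audit_nat(ip_route_output: str, before_rules: str, sysctl_output: str,
              ufw_default: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing obviously wrong."""
    findings = []
    if not re.search(r"net\.ipv4\.ip_forward\s*=\s*1", sysctl_output):
        findings.append("ip_forward is 0: the kernel drops packets arriving on tun0 for other hosts")
    if 'DEFAULT_FORWARD_POLICY="ACCEPT"' not in ufw_default:
        findings.append("ufw DEFAULT_FORWARD_POLICY is not ACCEPT: forwarded packets are filtered")
    egress = default_route_iface(ip_route_output)
    nat_ifaces = masquerade_ifaces(before_rules)
    if not nat_ifaces:
        findings.append("no MASQUERADE rule for the VPN subnet: replies are sent to unroutable 10.8.0.x")
    elif egress and egress not in nat_ifaces:
        findings.append("MASQUERADE names %s but the default route leaves via %s; the rule never matches"
                        % (", ".join(nat_ifaces), egress))
    return findings


# --- path-MTU probe with the DF bit set -------------------------------------------------
IP_ICMP_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def probe_path_mtu(can_pass: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Largest IPv4 datagram size (bytes) that crosses the path with DF set.

    can_pass(size) reports whether a DF datagram of `size` bytes arrives; the search
    assumes it is monotonic (anything smaller than a passing size also passes).
    """
    if not can_pass(lo):
        raise RuntimeError("%d-byte probe fails: the tunnel or NAT is broken, not the MTU" % lo)
    if can_pass(hi):
        return hi
    while hi - lo > 1:  # binary search between the last pass and the first failure
        mid = (lo + hi) // 2
        if can_pass(mid):
            lo = mid
        else:
            hi = mid
    return lo


def ping_df(host: str, timeout_s: int = 2) -> Callable[[int], bool]:
    """Build a can_pass() on top of Linux iputils ping: -M do sets DF, -s is the ICMP payload."""
    def can_pass(size: int) -> bool:
        r = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
                            "-s", str(size - IP_ICMP_HEADERS), host],
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return r.returncode == 0
    return can_pass


def suggested_mssfix(path_mtu: int) -> int:
    """Heuristic (an assumption, not an OpenVPN formula): keep the same 50-byte margin
    that OpenVPN's default `mssfix 1450` keeps below a 1500-byte path."""
    return path_mtu - 50


if __name__ == "__main__":
    for finding in audit_nat(SAMPLE_IP_ROUTE, SAMPLE_BEFORE_RULES, SAMPLE_SYSCTL, SAMPLE_UFW_DEFAULT):
        print("finding:", finding)
    # Live use on the client (assumes a reachable VPS at the constructed 203.0.113.10):
    #   mtu = probe_path_mtu(ping_df("203.0.113.10")); print(mtu, suggested_mssfix(mtu))
    # Offline demo with a simulated 1400-byte path:
    mtu = probe_path_mtu(lambda size: size <= 1400)
    print("simulated path MTU", mtu, "-> mssfix", suggested_mssfix(mtu))
```

On the VPS, feed `audit_nat()` the real `ip route` output, the NAT block of /etc/ufw/before.rules, `sysctl net.ipv4.ip_forward` and /etc/default/ufw. On the client, `probe_path_mtu(ping_df(server_ip))` measures the physical path the encapsulated UDP takes, because the /32 host route shown in the routing table keeps that ping outside the tunnel; probing 10.8.0.1 instead measures the inner tunnel path. If either comes back below 1500 while the 576-byte probe passes, set `mssfix` in both the server and client configs and re-test with wget.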
Answer 1
Actually, I think it was the cipher AES-256-CBC legacy issue that others have run into. Wasn't it, for some reason, a permissions problem with installing the OpenVPN3 Linux client? Because it did not create a tunnel. So I made one myself (this was the actual problem):
sudo ip tuntap add name tun0 mode tun
sudo ip link show
After asking for the VPN username and password, it finally connected, and now it has internet access.
Source: https://github.com/OpenVPN/openvpn3-linux/issues?q=cipher
Answer 2
Solved: I just needed to replace dev tun with dev tap.