I set up an OpenVPN server on a personal AWS EC2 instance and am trying to connect to it from an Ubuntu 14.04 client. (I had to change the server's minimum TLS version to TLS 1.0 to get the handshake to work.)
Now, when I type
sudo openvpn --config client.ovpn
it appears to connect, ending the log messages with "Initialization Sequence Completed".
However, in my web browser my IP address stays the same as my home IP.
What is needed to complete the VPN connection?
Edit: I am including the output of "ip route" and the log output of the openvpn command.
"ip route" output before connecting to openvpn
default via 192.168.1.1 dev eth0 proto static
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.12 metric 1
Note: in all of the output below I have replaced my openvpn server's public IP with 111.222.333.444 to stay anonymous.
Output of the openvpn command
sudo openvpn --config client.ovpn --redirect-gateway def1 --auth-user-pass pass.txt
Tue Apr 12 07:04:20 2022 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Jun 22 2017
Tue Apr 12 07:04:20 2022 WARNING: file 'pass.txt' is group or others accessible
Tue Apr 12 07:04:20 2022 Control Channel Authentication: tls-auth using INLINE static key file
Tue Apr 12 07:04:20 2022 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 12 07:04:20 2022 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 12 07:04:20 2022 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Apr 12 07:04:20 2022 UDPv4 link local: [undef]
Tue Apr 12 07:04:20 2022 UDPv4 link remote: [AF_INET]111.222.333.444:1194
Tue Apr 12 07:04:20 2022 TLS: Initial packet from [AF_INET]111.222.333.444:1194, sid=2847d960 bd54dabd
Tue Apr 12 07:04:20 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Apr 12 07:04:20 2022 VERIFY OK: depth=1, CN=OpenVPN CA
Tue Apr 12 07:04:20 2022 VERIFY OK: nsCertType=SERVER
Tue Apr 12 07:04:20 2022 VERIFY OK: depth=0, CN=OpenVPN Server
Tue Apr 12 07:04:21 2022 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Apr 12 07:04:21 2022 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 12 07:04:21 2022 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Apr 12 07:04:21 2022 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 12 07:04:21 2022 Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
Tue Apr 12 07:04:21 2022 [OpenVPN Server] Peer Connection Initiated with [AF_INET]111.222.333.444:1194
Tue Apr 12 07:04:23 2022 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Tue Apr 12 07:04:23 2022 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,comp-lzo no,redirect-private def1,redirect-private bypass-dhcp,redirect-private autolocal,redirect-private bypass-dns,route-gateway 172.27.232.1,route 172.27.224.0 255.255.240.0,route 172.31.0.0 255.255.0.0,block-ipv6,ifconfig 172.27.232.15 255.255.248.0,auth-token SESS_ID'
Tue Apr 12 07:04:23 2022 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.3.2)
Tue Apr 12 07:04:23 2022 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.3.2)
Tue Apr 12 07:04:23 2022 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.3.2)
Tue Apr 12 07:04:23 2022 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:18: block-ipv6 (2.3.2)
Tue Apr 12 07:04:23 2022 OPTIONS IMPORT: timers and/or timeouts modified
Tue Apr 12 07:04:23 2022 OPTIONS IMPORT: explicit notify parm(s) modified
Tue Apr 12 07:04:23 2022 OPTIONS IMPORT: LZO parms modified
Tue Apr 12 07:04:23 2022 OPTIONS IMPORT: --ifconfig/up options modified
Tue Apr 12 07:04:23 2022 OPTIONS IMPORT: route options modified
Tue Apr 12 07:04:23 2022 OPTIONS IMPORT: route-related options modified
Tue Apr 12 07:04:23 2022 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=ec:f4:bb:57:57:1a
Tue Apr 12 07:04:23 2022 TUN/TAP device tun0 opened
Tue Apr 12 07:04:23 2022 TUN/TAP TX queue length set to 100
Tue Apr 12 07:04:23 2022 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Apr 12 07:04:23 2022 /sbin/ip link set dev tun0 up mtu 1500
Tue Apr 12 07:04:23 2022 /sbin/ip addr add dev tun0 172.27.232.15/21 broadcast 172.27.239.255
Tue Apr 12 07:04:28 2022 ROUTE remote_host is NOT LOCAL
Tue Apr 12 07:04:28 2022 /sbin/ip route add 111.222.333.444/32 via 192.168.1.1
Tue Apr 12 07:04:28 2022 /sbin/ip route add 0.0.0.0/1 via 172.27.232.1
Tue Apr 12 07:04:28 2022 /sbin/ip route add 128.0.0.0/1 via 172.27.232.1
Tue Apr 12 07:04:28 2022 /sbin/ip route add 172.27.224.0/20 via 172.27.232.1 metric 101
Tue Apr 12 07:04:28 2022 /sbin/ip route add 172.31.0.0/16 via 172.27.232.1 metric 101
Tue Apr 12 07:04:28 2022 Initialization Sequence Completed
"ip route" output after connecting to openvpn
0.0.0.0/1 via 172.27.232.1 dev tun0
default via 192.168.1.1 dev eth0 proto static
111.222.333.444 via 192.168.1.1 dev eth0
128.0.0.0/1 via 172.27.232.1 dev tun0
172.27.224.0/20 via 172.27.232.1 dev tun0 metric 101
172.27.232.0/21 dev tun0 proto kernel scope link src 172.27.232.15
172.31.0.0/16 via 172.27.232.1 dev tun0 metric 101
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.12 metric 1
Answer 1
According to the documentation, in order to route all traffic through the server (not just traffic destined for the VPN network), the server needs the directive push "redirect-gateway def1" set, and the server needs to route that traffic appropriately:
Add the following directive to the server configuration file:
push "redirect-gateway def1"
If your VPN setup is over a wireless network, where all clients and the server are on the same wireless subnet, add the local flag:
push "redirect-gateway local def1"
Pushing the redirect-gateway option to clients will cause all IP network traffic originating on client machines to pass through the OpenVPN server. The server will need to be configured to deal with this traffic somehow, such as by NATing it to the internet, or routing it through the server site's HTTP proxy.
On Linux, you could use a command such as this to NAT the VPN client traffic to the internet:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
This command assumes that the VPN subnet is 10.8.0.0/24 (taken from the server directive in the OpenVPN server configuration) and that the local ethernet interface is eth0.
Edit:
I believe Daniel's comment. When the VPN is active, the routing table should push you over the VPN based on the lines
0.0.0.0/1 via 172.27.232.1 dev tun0
128.0.0.0/1 via 172.27.232.1 dev tun0
The output of "traceroute 8.8.8.8" can confirm this.
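As an added example (not code from the question or the answer), the following Python performs a kernel-style longest-prefix route lookup over the two "ip route" tables posted in the question, showing why the two def1 halves (0.0.0.0/1 and 128.0.0.0/1) beat the eth0 default for 8.8.8.8 after connecting, while the VPN server itself is still reached through eth0 via its /32 host route. The question's placeholder 111.222.333.444 is not a valid IPv4 address, so the server is represented here by the constructed documentation address 203.0.113.10.

```python
import ipaddress

# "ip route" output copied from the question, before and after connecting.
# 203.0.113.10 is a constructed stand-in for the question's 111.222.333.444.
ROUTES_BEFORE = """\
default via 192.168.1.1 dev eth0 proto static
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.12 metric 1
"""

ROUTES_AFTER = """\
0.0.0.0/1 via 172.27.232.1 dev tun0
default via 192.168.1.1 dev eth0 proto static
203.0.113.10 via 192.168.1.1 dev eth0
128.0.0.0/1 via 172.27.232.1 dev tun0
172.27.224.0/20 via 172.27.232.1 dev tun0 metric 101
172.27.232.0/21 dev tun0 proto kernel scope link src 172.27.232.15
172.31.0.0/16 via 172.27.232.1 dev tun0 metric 101
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.12 metric 1
"""


def parse_routes(text):
    """Turn 'ip route' lines into (network, device, metric) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)  # bare host -> /32
        dev = fields[fields.index("dev") + 1]
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append((net, dev, metric))
    return routes


def lookup(routes, ip):
    """Return the egress device: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))[1]


def def1_active(routes, vpn_dev="tun0"):
    """True when both def1 halves exit via the VPN device, i.e. the default
    route is effectively overridden without touching the real default."""
    halves = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}
    return halves == {net for net, dev, _ in routes if net in halves and dev == vpn_dev}
```

With the "after" table, a browser request to 8.8.8.8 resolves to tun0, so an unchanged public IP points at the server side (IP forwarding or the NAT rule from the answer) rather than at the client's routes.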