Building a VPN tunnel with squid and an ssh tunnel


Introduction:

To reach the management console of a certain data center I am supposed to use a VPN. Because of the corporate network setup I cannot establish the VPN connection (they told me they will not set up the required tunnel for me, but at the same time I am allowed to find a workaround). To get around it I use Google Chrome with its proxy set to localhost:9999. An ssh tunnel connects localhost:9999 to a squid instance on a dedicated server. The dedicated server has the VPN connection established with vpnc.

When I test web browsing, logging in to a Gmail account through this proxy works without any problem, so http and https are redirected correctly.

When I try to reach https:///login.html, chrome gives me Error 7 (net::ERR_TIMED_OUT): The operation timed out

ifconfig tun0 (tun0 is the vpn connection)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.237.1  P-t-P:192.168.237.1  Mask:255.255.255.255

Excerpt from the squid access.log:

1322248499.456  29972 94.23.35.103 TCP_MISS/000 0 CONNECT 172.30.3.93:443 - NONE/- -
1322248499.484  30000 94.23.35.103 TCP_MISS/000 0 CONNECT 172.30.3.93:443 - NONE/- -
1322248529.478  29905 94.23.35.103 TCP_MISS/000 0 CONNECT 172.30.3.93:443 - NONE/- -

Output of ip r

180.150.133.253 via 94.23.35.254 dev eth0  src 94.23.35.103 
192.168.237.0/24 dev tun0  scope link 
192.168.122.0/24 dev virbr0  proto kernel  scope link  src 192.168.122.1 
94.23.35.0/24 dev eth0  proto kernel  scope link  src 94.23.35.103 
172.30.0.0/22 dev tun0  scope link 
default via 94.23.35.254 dev eth0  metric 100

tcpdump -i tun0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
20:39:41.146346 IP 192.168.237.1.33810 > 172.30.3.93.https: Flags [S], seq 2990531692, win 13720, options [mss 1372,sackOK,TS val 34961006 ecr 0,nop,wscale 7], length 0
20:39:41.206331 IP 192.168.237.1.50869 > 172.30.3.93.https: Flags [S], seq 1974326041, win 13720, options [mss 1372,sackOK,TS val 34961012 ecr 0,nop,wscale 7], length 0
20:39:41.370436 IP 172.30.3.93.https > 192.168.237.1.33810: Flags [S.], seq 953273047, ack 2990531693, win 5792, options [mss 1380,sackOK,TS val 4294958113 ecr 34961006,nop,wscale 2], length 0
20:39:41.370458 IP 192.168.237.1 > 172.30.3.93: ICMP 192.168.237.1 tcp port 33810 unreachable, length 68
20:39:41.427724 IP 172.30.3.93.https > 192.168.237.1.50869: Flags [S.], seq 3867774677, ack 1974326042, win 5792, options [mss 1380,sackOK,TS val 4294958118 ecr 34961012,nop,wscale 2], length 0
20:39:41.427743 IP 192.168.237.1 > 172.30.3.93: ICMP 192.168.237.1 tcp port 50869 unreachable, length 68
20:39:44.147985 IP 192.168.237.1.33810 > 172.30.3.93.https: Flags [S], seq 2990531692, win 13720, options [mss 1372,sackOK,TS val 34961307 ecr 0,nop,wscale 7], length 0
20:39:44.207981 IP 192.168.237.1.50869 > 172.30.3.93.https: Flags [S], seq 1974326041, win 13720, options [mss 1372,sackOK,TS val 34961313 ecr 0,nop,wscale 7], length 0
20:39:50.157964 IP 192.168.237.1.33810 > 172.30.3.93.https: Flags [S], seq 2990531692, win 13720, options [mss 1372,sackOK,TS val 34961908 ecr 0,nop,wscale 7], length 0
20:39:50.217978 IP 192.168.237.1.50869 > 172.30.3.93.https: Flags [S], seq 1974326041, win 13720, options [mss 1372,sackOK,TS val 34961914 ecr 0,nop,wscale 7], length 0
20:40:02.197916 IP 192.168.237.1.33810 > 172.30.3.93.https: Flags [S], seq 2990531692, win 13720, options [mss 1372,sackOK,TS val 34963112 ecr 0,nop,wscale 7], length 0
20:40:02.237994 IP 192.168.237.1.50869 > 172.30.3.93.https: Flags [S], seq 1974326041, win 13720, options [mss 1372,sackOK,TS val 34963116 ecr 0,nop,wscale 7], length 0
20:40:11.245849 IP 192.168.237.1.43253 > 172.30.3.93.https: Flags [S], seq 885758311, win 13720, options [mss 1372,sackOK,TS val 34964016 ecr 0,nop,wscale 7], length 0
20:40:11.467567 IP 172.30.3.93.https > 192.168.237.1.43253: Flags [S.], seq 1102840217, ack 885758312, win 5792, options [mss 1380,sackOK,TS val 4294961122 ecr 34964016,nop,wscale 2], length 0
20:40:11.467591 IP 192.168.237.1 > 172.30.3.93: ICMP 192.168.237.1 tcp port 43253 unreachable, length 68
20:40:14.247958 IP 192.168.237.1.43253 > 172.30.3.93.https: Flags [S], seq 885758311, win 13720, options [mss 1372,sackOK,TS val 34964317 ecr 0,nop,wscale 7], length 0

I can ping the machine.

PING 172.30.3.93 (172.30.3.93) 56(84) bytes of data.
64 bytes from 172.30.3.93: icmp_req=1 ttl=64 time=221 ms
64 bytes from 172.30.3.93: icmp_req=2 ttl=64 time=222 ms
64 bytes from 172.30.3.93: icmp_req=3 ttl=64 time=221 ms
64 bytes from 172.30.3.93: icmp_req=4 ttl=64 time=226 ms
64 bytes from 172.30.3.93: icmp_req=5 ttl=64 time=221 ms
64 bytes from 172.30.3.93: icmp_req=6 ttl=64 time=221 ms
^C
--- 172.30.3.93 ping statistics ---
7 packets transmitted, 6 received, 14% packet loss, time 6001ms
rtt min/avg/max/mdev = 221.068/222.406/226.608/1.991 ms

Can someone give me a hint:
- what is the obvious mistake here (I hope there is one ;))?
- which logs should I look at to debug the problem?

Answer 1

20:40:11.245849 IP 192.168.237.1.43253 > 172.30.3.93.https: Flags [S], seq 885758311, win 13720, options [mss 1372,sackOK,TS val 34964016 ecr 0,nop,wscale 7], length 0
20:40:11.467567 IP 172.30.3.93.https > 192.168.237.1.43253: Flags [S.], seq 1102840217, ack 885758312, win 5792, options [mss 1380,sackOK,TS val 4294961122 ecr 34964016,nop,wscale 2], length 0
20:40:11.467591 IP 192.168.237.1 > 172.30.3.93: ICMP 192.168.237.1 tcp port 43253 unreachable, length 68

The first line shows that your machine sent a SYN flag (the [S]) to start the handshake with the server (segment sequence number 885758311).

The second line shows that the server acknowledged your machine's SYN request with the flags [S.] (ack 885758312, i.e. 885758311+1).

I am not entirely sure about the third line, but I think it says that the destination host (your machine) is notifying the sending host (the remote machine) that the requested port 43253 is unreachable. So something in your firewall must be rejecting this connection. Check your firewall rules.
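To make the answer's reading of the capture repeatable, here is an added example (not part of the question or the answer) that groups tcpdump lines by the client's source port and reports how each handshake ended: completed, no SYN-ACK at all, or, as in the capture above, a SYN-ACK that arrived only to be answered with an ICMP port unreachable by the client itself. The sample lines are constructed after the capture in the question (options fields trimmed), plus one completed and one unanswered handshake for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's default text format, modelled on the capture in
# the question (same hosts and ports) with two extra flows added for contrast.
SAMPLE = """\
20:40:11.245849 IP 192.168.237.1.43253 > 172.30.3.93.https: Flags [S], seq 885758311, win 13720, length 0
20:40:11.467567 IP 172.30.3.93.https > 192.168.237.1.43253: Flags [S.], seq 1102840217, ack 885758312, win 5792, length 0
20:40:11.467591 IP 192.168.237.1 > 172.30.3.93: ICMP 192.168.237.1 tcp port 43253 unreachable, length 68
20:40:20.000000 IP 192.168.237.1.50000 > 172.30.3.93.https: Flags [S], seq 1, win 13720, length 0
20:40:20.200000 IP 172.30.3.93.https > 192.168.237.1.50000: Flags [S.], seq 2, ack 2, win 5792, length 0
20:40:20.200100 IP 192.168.237.1.50000 > 172.30.3.93.https: Flags [.], ack 1, win 108, length 0
20:40:30.000000 IP 192.168.237.1.50001 > 172.30.3.93.https: Flags [S], seq 3, win 13720, length 0
"""

# "host.port" where port may be numeric or a service name such as "https".
TCP_RE = re.compile(r"IP (\S+)\.(\d+|\w+) > (\S+)\.(\d+|\w+): Flags \[([^\]]+)\]")
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP \S+ tcp port (\d+) unreachable")

def classify_handshakes(text):
    """Key every packet by the client's source port and judge how the handshake ended."""
    flows = defaultdict(list)  # client port -> events in capture order
    for line in text.splitlines():
        m = TCP_RE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            if flags == "S":            # client opens: key is its own source port
                flows[sport].append("SYN")
            elif flags == "S.":         # server replies: client port is the destination
                flows[dport].append("SYN-ACK")
            elif flags == ".":          # bare ACK; attribute to whichever side is the client
                flows[sport if sport in flows else dport].append("ACK")
            continue
        m = ICMP_RE.search(line)
        if m:                           # unreachable message names the client's port
            flows[m.group(3)].append("ICMP-UNREACH")
    verdicts = {}
    for port, events in flows.items():
        if "SYN-ACK" in events and "ICMP-UNREACH" in events:
            verdicts[port] = "rejected locally after SYN-ACK: check local firewall"
        elif "SYN-ACK" in events and "ACK" in events:
            verdicts[port] = "completed"
        elif "SYN-ACK" not in events:
            verdicts[port] = "no SYN-ACK: remote or path problem"
        else:
            verdicts[port] = "SYN-ACK seen, handshake not finished in capture"
    return verdicts

if __name__ == "__main__":
    for port, verdict in classify_handshakes(SAMPLE).items():
        print(f"client port {port}: {verdict}")
```

Run it against a real `tcpdump -i tun0 -n` capture saved to a file by replacing SAMPLE with the file contents; with `-n` the server port appears as 443 instead of https, which the regex also accepts.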
