I have a running OpenVPN server (93.xxx.xxx.xxx is the public IP). Various Android and Windows clients can connect and reach the internet, but the OpenVPN client on my Windows 10 PC behaves strangely:
- It connects and authenticates successfully.
Sun Nov 08 10:50:38 2015 NOTE: --user option is not implemented on Windows
Sun Nov 08 10:50:38 2015 NOTE: --group option is not implemented on Windows
Sun Nov 08 10:50:38 2015 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 4 2015
Sun Nov 08 10:50:38 2015 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
Sun Nov 08 10:50:38 2015 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342
Sun Nov 08 10:50:38 2015 Need hold release from management interface, waiting...
Sun Nov 08 10:50:39 2015 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25342
Sun Nov 08 10:50:39 2015 MANAGEMENT: CMD 'state on'
Sun Nov 08 10:50:39 2015 MANAGEMENT: CMD 'log all on'
Sun Nov 08 10:50:39 2015 MANAGEMENT: CMD 'hold off'
Sun Nov 08 10:50:39 2015 MANAGEMENT: CMD 'hold release'
Sun Nov 08 10:50:43 2015 MANAGEMENT: CMD 'username "Auth" "qwerty"'
Sun Nov 08 10:50:43 2015 MANAGEMENT: CMD 'password [...]'
Sun Nov 08 10:50:43 2015 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Nov 08 10:50:43 2015 UDPv4 link local: [undef]
Sun Nov 08 10:50:43 2015 UDPv4 link remote: [AF_INET]93.xxx.xxx.xxx:50005
Sun Nov 08 10:50:43 2015 MANAGEMENT: >STATE:1446979843,WAIT,,,
Sun Nov 08 10:50:43 2015 MANAGEMENT: >STATE:1446979843,AUTH,,,
Sun Nov 08 10:50:43 2015 TLS: Initial packet from [AF_INET]93.xxx.xxx.xxx:50005, sid=48bd669d fdf76b86
Sun Nov 08 10:50:43 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Nov 08 10:50:43 2015 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=server, [email protected]
Sun Nov 08 10:50:43 2015 Validating certificate key usage
Sun Nov 08 10:50:43 2015 ++ Certificate has key usage 00a0, expects 00a0
Sun Nov 08 10:50:43 2015 VERIFY KU OK
Sun Nov 08 10:50:43 2015 Validating certificate extended key usage
Sun Nov 08 10:50:43 2015 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Nov 08 10:50:43 2015 VERIFY EKU OK
Sun Nov 08 10:50:43 2015 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=server, name=server, [email protected]
Sun Nov 08 10:50:43 2015 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Nov 08 10:50:43 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Nov 08 10:50:43 2015 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Nov 08 10:50:43 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Nov 08 10:50:43 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Nov 08 10:50:43 2015 [server] Peer Connection Initiated with [AF_INET]93.xxx.xxx.xxx:50005
Sun Nov 08 10:50:44 2015 MANAGEMENT: >STATE:1446979844,GET_CONFIG,,,
Sun Nov 08 10:50:45 2015 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Nov 08 10:50:45 2015 PUSH: Received control message: 'PUSH_REPLY,route 172.16.101.0 255.0.0.0,redirect-gateway def1 bypass-dhcp,route 172.16.101.0 255.255.255.0,topology net30,ping 3,ping-restart 10,ifconfig 172.16.101.6 172.16.101.5'
Sun Nov 08 10:50:45 2015 OPTIONS IMPORT: timers and/or timeouts modified
Sun Nov 08 10:50:45 2015 OPTIONS IMPORT: --ifconfig/up options modified
Sun Nov 08 10:50:45 2015 OPTIONS IMPORT: route options modified
Sun Nov 08 10:50:45 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Nov 08 10:50:45 2015 MANAGEMENT: >STATE:1446979845,ASSIGN_IP,,172.16.101.6,
Sun Nov 08 10:50:45 2015 open_tun, tt->ipv6=0
Sun Nov 08 10:50:45 2015 TAP-WIN32 device [Ethernet 6] opened: \\.\Global\{B3106E59-6B92-4B4D-8A96-B9476295FF36}.tap
Sun Nov 08 10:50:45 2015 TAP-Windows Driver Version 9.9
Sun Nov 08 10:50:45 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.16.101.6/255.255.255.252 on interface {B3106E59-6B92-4B4D-8A96-B9476295FF36} [DHCP-serv: 172.16.101.5, lease-time: 31536000]
Sun Nov 08 10:50:45 2015 Successful ARP Flush on interface [79] {B3106E59-6B92-4B4D-8A96-B9476295FF36}
Sun Nov 08 10:50:50 2015 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
Sun Nov 08 10:50:50 2015 C:\WINDOWS\system32\route.exe ADD 93.xxx.xxx.xxx MASK 255.255.255.255 192.168.10.1
Sun Nov 08 10:50:50 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Sun Nov 08 10:50:50 2015 Route addition via IPAPI succeeded [adaptive]
Sun Nov 08 10:50:50 2015 C:\WINDOWS\system32\route.exe ADD 192.168.10.1 MASK 255.255.255.255 192.168.10.1 IF 24
Sun Nov 08 10:50:50 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Sun Nov 08 10:50:50 2015 Route addition via IPAPI succeeded [adaptive]
Sun Nov 08 10:50:50 2015 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 172.16.101.5
Sun Nov 08 10:50:50 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sun Nov 08 10:50:50 2015 Route addition via IPAPI succeeded [adaptive]
Sun Nov 08 10:50:50 2015 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 172.16.101.5
Sun Nov 08 10:50:50 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sun Nov 08 10:50:50 2015 Route addition via IPAPI succeeded [adaptive]
Sun Nov 08 10:50:50 2015 MANAGEMENT: >STATE:1446979850,ADD_ROUTES,,,
Sun Nov 08 10:50:50 2015 C:\WINDOWS\system32\route.exe ADD 172.16.101.0 MASK 255.0.0.0 172.16.101.5
Sun Nov 08 10:50:50 2015 Warning: address 172.16.101.0 is not a network address in relation to netmask 255.0.0.0
Sun Nov 08 10:50:50 2015 ROUTE: route addition failed using CreateIpForwardEntry: The parameter is incorrect. [status=87 if_index=79]
Sun Nov 08 10:50:50 2015 Route addition via IPAPI failed [adaptive]
Sun Nov 08 10:50:50 2015 Route addition fallback to route.exe
Sun Nov 08 10:50:50 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sun Nov 08 10:50:50 2015 C:\WINDOWS\system32\route.exe ADD 172.16.101.0 MASK 255.255.255.0 172.16.101.5
Sun Nov 08 10:50:50 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sun Nov 08 10:50:50 2015 Route addition via IPAPI succeeded [adaptive]
Sun Nov 08 10:50:50 2015 Initialization Sequence Completed
Sun Nov 08 10:50:50 2015 MANAGEMENT: >STATE:1446979850,CONNECTED,SUCCESS,172.16.101.6,93.xxx.xxx.xxx
- It can ping google, 8.8.8.8, etc., but cannot browse the web (pages load for the first 3-5 seconds and then just stop). This is mainly Chrome and Firefox. Edge seems to work better but still behaves strangely (pages load slowly and need a refresh to load completely). [screenshot of a page loading indefinitely]
SSH doesn't seem to work either, and neither does FTP:
Status: Connection established, waiting for welcome message...
Status: Insecure server, it does not support FTP over TLS.
Status: Connected
Status: Retrieving directory listing...
*Nothing happens*
Things like online games (UDP?) work fine.
Also note:
- Other, different clients can connect to the server without any problems (Windows clients too, and clients logging in with the same credentials).
- There is no firewall between the client and the server.
- The same problem occurs when the client tries to connect to a similar server (even one that worked fine before).
- Even over the VPN connection, ping shows 0% packet loss.
- The actual internet connection is fine, and the client can connect to non-OpenVPN VPNs without problems.
All of the server's iptables rules (there is only one):
[email protected]:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.16.101.0/24 anywhere
[email protected]:~# cat /proc/sys/net/ipv4/ip_forward
1
Client routes (connected to the VPN):
>cmd /k route print
===========================================================================
Interface List
24...10 c3 7b 96 51 7c ......Realtek PCIe GBE Family Controller
79...00 ff b3 10 6e 59 ......TAP-Windows Adapter V9 #2
1...........................Software Loopback Interface 1
47...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
45...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
52...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.10.1 192.168.10.116 20
0.0.0.0 128.0.0.0 172.16.101.9 172.16.101.10 30
93.xxx.xxx.xxx 255.255.255.255 192.168.10.1 192.168.10.116 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
128.0.0.0 128.0.0.0 172.16.101.9 172.16.101.10 30
172.16.101.0 255.255.255.0 172.16.101.9 172.16.101.10 30
172.16.101.8 255.255.255.252 On-link 172.16.101.10 286
172.16.101.10 255.255.255.255 On-link 172.16.101.10 286
172.16.101.11 255.255.255.255 On-link 172.16.101.10 286
192.168.10.0 255.255.255.0 On-link 192.168.10.116 276
192.168.10.1 255.255.255.255 192.168.10.1 192.168.10.116 20
192.168.10.116 255.255.255.255 On-link 192.168.10.116 276
192.168.10.255 255.255.255.255 On-link 192.168.10.116 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.10.116 276
224.0.0.0 240.0.0.0 On-link 172.16.101.10 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.10.116 276
255.255.255.255 255.255.255.255 On-link 172.16.101.10 286
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
24 276 fe80::/64 On-link
79 286 fe80::/64 On-link
24 276 fe80::5990:eaa3:40fd:4a6d/128
On-link
79 286 fe80::8dce:5ebc:c720:2d68/128
On-link
1 306 ff00::/8 On-link
24 276 ff00::/8 On-link
79 286 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
Client routes (disconnected from the VPN):
>cmd /k route print
===========================================================================
Interface List
24...10 c3 7b 96 51 7c ......Realtek PCIe GBE Family Controller
79...00 ff b3 10 6e 59 ......TAP-Windows Adapter V9 #2
1...........................Software Loopback Interface 1
45...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
52...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.10.1 192.168.10.116 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.10.0 255.255.255.0 On-link 192.168.10.116 276
192.168.10.116 255.255.255.255 On-link 192.168.10.116 276
192.168.10.255 255.255.255.255 On-link 192.168.10.116 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.10.116 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.10.116 276
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
45 306 ::/0 On-link
1 306 ::1/128 On-link
45 306 2001::/32 On-link
45 306 2001:0:9d38:6abd:107a:364f:9711:5573/128
On-link
24 276 fe80::/64 On-link
45 306 fe80::/64 On-link
45 306 fe80::107a:364f:9711:5573/128
On-link
24 276 fe80::5990:eaa3:40fd:4a6d/128
On-link
1 306 ff00::/8 On-link
24 276 ff00::/8 On-link
45 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
Client config:
client
dev tun
proto udp
remote 93.xxx.xxx.xxx 50005
resolv-retry infinite
user nobody
group nobody
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
auth-user-pass
cipher AES-128-CBC
auth SHA1
remote-cert-tls server
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
Server config:
port 50005
proto udp
dev tun
server 172.16.101.0 255.255.255.0
duplicate-cn
client-to-client
cipher AES-128-CBC
auth SHA1
comp-lzo
username-as-common-name
client-cert-not-required
auth-user-pass-verify /etc/openvpn/script/login.sh via-env
comp-lzo
user nobody
;group nogroup
username-as-common-name
client-cert-not-required
auth-user-pass-verify /etc/openvpn/script/login.sh via-env
keepalive 3 10
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "route 172.16.101.0 255.0.0.0"
push "redirect-gateway def1 bypass-dhcp"
script-security 3 system
client-connect /etc/openvpn/script/connect.sh
client-disconnect /etc/openvpn/script/disconnect.sh
persist-key
persist-tun
status openvpn-status.log
verb 5
management localhost 7555
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
<dh>
...
</dh>
Any suggestions would be greatly appreciated. Thanks.
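The client log above shows `route 172.16.101.0 MASK 255.0.0.0` being rejected ("address 172.16.101.0 is not a network address in relation to netmask 255.0.0.0"), and the server config repeats several directives. The following lint, an added example rather than anything from the question or from OpenVPN itself, runs the same network-address check over a constructed copy of the relevant server lines and reports repeated directives; the config text and the finding wording are my own, not OpenVPN's.

```python
"""Lint for OpenVPN server directives: push/route network sanity and duplicated lines.

Added example, not from the original post. The check mirrors the one OpenVPN applies
when it logs 'address X is not a network address in relation to netmask Y'.
"""
import ipaddress
import shlex
from collections import Counter

# Constructed input: the relevant lines of the question's server config.
SERVER_CONF = """\
server 172.16.101.0 255.255.255.0
comp-lzo
username-as-common-name
client-cert-not-required
auth-user-pass-verify /etc/openvpn/script/login.sh via-env
comp-lzo
username-as-common-name
client-cert-not-required
auth-user-pass-verify /etc/openvpn/script/login.sh via-env
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "route 172.16.101.0 255.0.0.0"
push "redirect-gateway def1 bypass-dhcp"
"""


def parse_directives(text):
    """Yield (directive, args); a push "..." line is unwrapped to 'push <inner directive>'."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # OpenVPN comment styles
            continue
        parts = shlex.split(line)            # handles the quoted push argument
        if parts[0] == "push" and len(parts) == 2:
            inner = parts[1].split()
            yield "push " + inner[0], inner[1:]
        else:
            yield parts[0], parts[1:]


def lint_route(args):
    """Return a finding if 'NETWORK NETMASK' has host bits set under NETMASK, else None."""
    if len(args) < 2:
        return "route needs NETWORK NETMASK"
    net, mask = args[0], args[1]
    try:
        ipaddress.IPv4Network(f"{net}/{mask}", strict=True)   # strict: no host bits allowed
    except ValueError as exc:
        return f"route {net} {mask}: {exc}"
    return None


def lint(text):
    """Collect findings: bad route/server networks first, then repeated directives."""
    findings = []
    seen = Counter()
    for directive, args in parse_directives(text):
        seen[directive] += 1
        if directive in ("route", "push route", "server"):
            msg = lint_route(args)
            if msg:
                findings.append(msg)
    for directive, n in seen.items():
        # push lines, route and remote may legitimately repeat; most others should not
        if n > 1 and not directive.startswith("push ") and directive not in ("route", "remote"):
            findings.append(f"{directive} appears {n} times")
    return findings


if __name__ == "__main__":
    for finding in lint(SERVER_CONF):
        print(finding)
```

Run against the constructed config it reports the `push "route 172.16.101.0 255.0.0.0"` line (172.16.101.0 has host bits set under a /8 mask; the later `255.255.255.0` route in the PUSH_REPLY is the proper form) and the four directives that appear twice.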
Answer 1
Lower the client's MTU a little. Use ping with -l to set the payload size and find the correct size to set. https://www.sonassi.com/help/magestack/setting-correct-mtu-for-openvpn
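The symptom in the question (ping works, UDP games work, TCP sessions stall after a few seconds) is what a path-MTU black hole looks like, which is why the answer points at MTU. The script below is an added example, not from the answer or the linked page: it automates the Don't-Fragment ping probe the answer describes (`ping -f -l <size>` on Windows, `ping -M do -s <size>` on Linux) with a binary search, converts the largest passing payload to a path MTU, and derives a conservative starting value for the client's `mssfix`. It assumes `ping` is on PATH, that a successful reply contains `ttl=` in its output, and that the path drops oversized DF packets consistently; the `mssfix` derivation (path MTU minus the 28 bytes of outer IPv4+UDP header) is my own conservative rule of thumb, not an OpenVPN-documented formula.

```python
"""Path-MTU probe for an OpenVPN client host using DF-bit pings (added example)."""
import platform
import subprocess
import sys

IP_ICMP_OVERHEAD = 28     # 20-byte IPv4 header + 8-byte ICMP header around the ping payload
OUTER_UDP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte UDP header around an OpenVPN datagram


def ping_df(host, payload, timeout_s=2):
    """Send one echo request with Don't-Fragment set; True only if an echo reply came back.

    Assumption: a reply line contains 'ttl=' (Windows prints 'TTL=', Linux 'ttl='),
    while 'Packet needs to be fragmented' / 'message too long' lines do not.
    """
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload), "-w", str(timeout_s * 1000), host]
    else:
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload), "-W", str(timeout_s), host]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout_s + 3).stdout
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    return "ttl=" in out.lower()


def find_max_payload(probe, lo=0, hi=1472):
    """Largest payload in [lo, hi] that probe() accepts, by binary search; None if lo fails.

    hi=1472 is the biggest ICMP payload that fits a 1500-byte MTU (1500 - 28).
    Requires the usual monotonic behaviour: if size N passes, every smaller size passes.
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu_from_payload(payload):
    """Full IPv4 packet size of the largest unfragmented ping."""
    return payload + IP_ICMP_OVERHEAD


def openvpn_mssfix_hint(path_mtu):
    """Conservative starting --mssfix: the largest outer UDP payload the path carries whole
    (assumption/rule of thumb, not an OpenVPN-documented formula)."""
    return path_mtu - OUTER_UDP_OVERHEAD


def probe_host(host):
    """Run the live probe against host and summarise; None if even an empty ping fails."""
    payload = find_max_payload(lambda size: ping_df(host, size))
    if payload is None:
        return None
    mtu = path_mtu_from_payload(payload)
    return {"max_payload": payload, "path_mtu": mtu, "mssfix_hint": openvpn_mssfix_hint(mtu)}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "8.8.8.8"
    print(probe_host(target))
```

Probe the VPN server's public address from the client while disconnected to learn the underlay path MTU, then probe a host through the tunnel while connected; a tunnel result noticeably below the underlay result is the fragmentation gap to close with `mssfix` (or `tun-mtu`/`fragment`) in the client config. On a PPPoE uplink, for example, the largest passing payload is typically 1464, i.e. a 1492-byte path MTU.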