AWS EC2 - OpenVPN - VPN 正常,但客户端无互联网连接

tag-icon tag-icon amazon-ec2 iptables openvpn nat ufw
AWS EC2 - OpenVPN - VPN 正常,但客户端无互联网连接

我已经为此烦恼了好几天,尝试了网上能搜索到的所有方法,但似乎没有任何效果。

客户连接到 VPN 服务器并接收来自该服务器的 ping 响应,我在日志中没有看到任何错误。只是客户端没有互联网连接。

每当我评论时push "redirect-gateway def1 bypass-dhcp"server.conf一切都很顺利,但互联网没有被过滤。如果启用了它,网站可以连接,但无法检索内容。

在客户端: $ wget google.com

--2016-10-30 13:39:44--  http://google.com/
Resolving google.com (google.com)... 216.58.217.174
Connecting to google.com (google.com)|216.58.217.174|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.google.com/ [following]
--2016-10-30 13:39:44--  http://www.google.com/
Resolving www.google.com (www.google.com)... 216.58.217.164
Connecting to www.google.com (www.google.com)|216.58.217.164|:80... connected.
HTTP request sent, awaiting response...

...并停留在那里直到超时。

这是我的配置和设置:

系统:

Ubuntu 16.04.1 on EC2, OpenVPN 2.3.10 x86_64

AWS EC2 设置:

Security Group: Allow Inbound: ports 22/tcp and 1194/udp
                Allow Outbound: all

Source/Destination Check: Disabled # (Is this really necessary?)

服务器:

$ cat /etc/openvpn/server.conf | grep -v '#' | grep -v ';' | tr -s '\n'

port 1194
proto udp
dev tun
ca ca.crt
cert AWS-01.crt
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.255.0.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
client-to-client
keepalive 10 120
key-direction 0
auth SHA256
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

$ cat /proc/sys/net/ipv4/ip_forward

1

$ sudo cat /etc/ufw/before.rules

...

# First entry
*nat
:POSTROUTING ACCEPT [0:0] 
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT

...

$ cat /etc/default/ufw | grep -v '#' | tr -s '\n'

IPV6=yes
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="ACCEPT"
DEFAULT_APPLICATION_POLICY="SKIP"
MANAGE_BUILTINS=no
IPT_SYSCTL=/etc/ufw/sysctl.conf
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"

$ sudo ufw status

Status: active

To                         Action      From
--                         ------      ----
22                         LIMIT       Anywhere                  
1194/udp                   LIMIT       Anywhere                  
22 (v6)                    LIMIT       Anywhere (v6)             
1194/udp (v6)              LIMIT       Anywhere (v6)

关联:粘贴箱服务器的$ sudo iptables -L -v -n

客户:

client.ovpn在 Ubuntu 16.10 和 Android 7.0 上进行了测试结果相同。

client
dev tun
proto udp
remote XXX.XXX.public.ip 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
auth SHA256
key-direction 1
comp-lzo
verb 3
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>

有人能帮我解决我遗漏的问题吗?谢谢!

附加信息:

客户端、VPN 前后防火墙规则:
http://pastebin.com/vJRRwzpehttp://pastebin.com/DJ6Wv5q0

客户端路由表$ route -n
preVPN:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.254.254 0.0.0.0         UG    600    0        0 wlp3s0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 docker0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
192.168.254.0   0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0

后VPN:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.254.254 0.0.0.0         UG    600    0        0 wlp3s0
10.0.0.0        10.8.0.5        255.255.0.0     UG    0      0        0 tun0
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
52.45.164.133   192.168.254.254 255.255.255.255 UGH   0      0        0 wlp3s0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 docker0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
192.168.254.0   0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0

答案1

由于您可以在 处获取页面google.com,并返回重定向到www.google.com,因此您的配置没有任何问题。这意味着客户端能够打开与 的 TCP 连接google.com,并发出 HTTP 请求并接收响应。

其他网站也发生这种情况吗?

答案2

在 Ubuntu 18.04 上你必须:

  1. 安装openvpn-systemd-resolved包:
   sudo apt install openvpn-systemd-resolved
  1. 添加到您的 .ovpn 配置文件中:
    script-security 2
    up /etc/openvpn/update-systemd-resolved
    down /etc/openvpn/update-systemd-resolved
    down-pre
    dhcp-option DOMAIN-ROUTE .
  1. 在AWS控制台中检查Client VPN endpoint配置,您是否已填写DNS服务器IP

答案3

您应该启用分割隧道在您的 VPN 端点上。

相关内容