I have set up my OpenVPN server in routed mode. When I try to SSH to the VPN server, the session hangs at this point:
ssh -i .ssh/mpolitaev_mba mpolitaev@192.168.200.1 -vvv
OpenSSH_7.4p1, LibreSSL 2.5.0
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: /etc/ssh/ssh_config line 97: Deprecated option "useroaming"
debug1: /etc/ssh/ssh_config line 105: Applying options for *
debug2: resolving "192.168.200.1" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 192.168.200.1 [192.168.200.1] port 22.
debug1: Connection established.
debug1: identity file .ssh/mpolitaev_mba type 1
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/mpolitaev_mba-cert type -1
debug1: identity file /Users/mpolitaev/.ssh/aws_prod type 2
debug1: key_load_public: No such file or directory
debug1: identity file /Users/mpolitaev/.ssh/aws_prod-cert type -1
debug1: identity file /Users/mpolitaev/.ssh/aws_dev type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/mpolitaev/.ssh/aws_dev-cert type -1
debug1: identity file /Users/mpolitaev/.ssh/rackspace type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/mpolitaev/.ssh/rackspace-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.200.1:22 as 'mpolitaev'
debug3: hostkeys_foreach: reading file "/dev/null"
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
Connection to 192.168.200.1 port 22 timed out
I suspect the packets coming from the VPN server are being corrupted; here is the tcpdump log from my local laptop:
13:55:01.147863 IP (tos 0x0, ttl 64, id 27443, offset 0, flags [DF], proto TCP (6), length 64)
10.54.108.6.54922 > 192.168.200.1.22: Flags [S], cksum 0xf9bb (correct), seq 3468332659, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 901043415 ecr 0,sackOK,eol], length 0
13:55:01.206537 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.200.1.22 > 10.54.108.6.54922: Flags [S.], cksum 0x167a (correct), seq 1112662382, ack 3468332660, win 14480, options [mss 1288,sackOK,TS val 174689830 ecr 901043415,nop,wscale 7], length 0
13:55:01.206616 IP (tos 0x0, ttl 64, id 2145, offset 0, flags [DF], proto TCP (6), length 52)
10.54.108.6.54922 > 192.168.200.1.22: Flags [.], cksum 0x6ce5 (correct), seq 1, ack 1, win 4107, options [nop,nop,TS val 901043473 ecr 174689830], length 0
13:55:01.211397 IP (tos 0x0, ttl 64, id 27582, offset 0, flags [DF], proto TCP (6), length 73)
10.54.108.6.54922 > 192.168.200.1.22: Flags [P.], cksum 0xa91b (correct), seq 1:22, ack 1, win 4107, options [nop,nop,TS val 901043477 ecr 174689830], length 21
13:55:01.269790 IP (tos 0x0, ttl 64, id 28464, offset 0, flags [DF], proto TCP (6), length 52)
192.168.200.1.22 > 10.54.108.6.54922: Flags [.], cksum 0x7c27 (correct), seq 1, ack 22, win 114, options [nop,nop,TS val 174689892 ecr 901043477], length 0
13:55:01.370906 IP (tos 0x0, ttl 64, id 28465, offset 0, flags [DF], proto TCP (6), length 73)
192.168.200.1.22 > 10.54.108.6.54922: Flags [P.], cksum 0xbafe (correct), seq 1:22, ack 22, win 114, options [nop,nop,TS val 174689991 ecr 901043477], length 21
13:55:01.370968 IP (tos 0x0, ttl 64, id 25885, offset 0, flags [DF], proto TCP (6), length 52)
10.54.108.6.54922 > 192.168.200.1.22: Flags [.], cksum 0x6b7a (correct), seq 22, ack 22, win 4106, options [nop,nop,TS val 901043634 ecr 174689991], length 0
13:55:01.371771 IP (tos 0x0, ttl 64, id 52837, offset 0, flags [DF], proto TCP (6), length 1328)
10.54.108.6.54922 > 192.168.200.1.22: Flags [.], cksum 0xb35c (correct), seq 22:1298, ack 22, win 4106, options [nop,nop,TS val 901043634 ecr 174689991], length 1276
13:55:01.371850 IP (tos 0x0, ttl 64, id 51514, offset 0, flags [DF], proto TCP (6), length 208)
10.54.108.6.54922 > 192.168.200.1.22: Flags [P.], cksum 0x9a41 (correct), seq 1298:1454, ack 22, win 4106, options [nop,nop,TS val 901043634 ecr 174689991], length 156
13:55:01.427768 IP5
13:55:01.442396 IP (tos 0x0, ttl 64, id 28467, offset 0, flags [DF], proto TCP (6), length 52)
192.168.200.1.22 > 10.54.108.6.54922: Flags [.], cksum 0x7278 (correct), seq 862, ack 1298, win 136, options [nop,nop,TS val 174690055 ecr 901043634], length 0
13:55:01.442563 IP (tos 0x0, ttl 64, id 28468, offset 0, flags [DF], proto TCP (6), length 52)
192.168.200.1.22 > 10.54.108.6.54922: Flags [.], cksum 0x71c8 (correct), seq 862, ack 1454, win 156, options [nop,nop,TS val 174690055 ecr 901043634], length 0
13:55:01.686620 IP5
13:55:02.198083 IP5
13:55:03.226019 IP5
13:55:05.284218 IP5
13:55:09.644658 IP5
13:55:17.633380 IP5
13:55:34.225695 IP5
13:56:06.963920 IP5
13:57:01.368988 IP (tos 0x0, ttl 64, id 28477, offset 0, flags [DF], proto TCP (6), length 52)
192.168.200.1.22 > 10.54.108.6.54922: Flags [F.], cksum 0x9d44 (correct), seq 862, ack 1454, win 156, options [nop,nop,TS val 174809992 ecr 901043634], length 0
13:57:01.369106 IP (tos 0x0, ttl 64, id 4567, offset 0, flags [DF], proto TCP (6), length 64)
10.54.108.6.54922 > 192.168.200.1.22: Flags [.], cksum 0x0e83 (correct), seq 1454, ack 22, win 4106, options [nop,nop,TS val 901163195 ecr 174689991,nop,nop,sack 1 {862:863}], length 0
What does "IP5" mean?
From the server side:
tcpdump -i tun1 -nn -vv
tcpdump: listening on tun1, link-type RAW (Raw IP), capture size 65535 bytes
13:55:01.226101 IP (tos 0x0, ttl 64, id 27443, offset 0, flags [DF], proto TCP (6), length 64)
10.54.108.6.54922 > 192.168.200.1.22: Flags [S], cksum 0xfa67 (correct), seq 3468332659, win 65535, options [mss 1288,nop,wscale 5,nop,nop,TS val 901043415 ecr 0,sackOK,eol], length 0
13:55:01.226120 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.200.1.22 > 10.54.108.6.54922: Flags [S.], cksum 0x15ce (correct), seq 1112662382, ack 3468332660, win 14480, options [mss 1460,sackOK,TS val 174689830 ecr 901043415,nop,wscale 7], length 0
13:55:01.282564 IP (tos 0x0, ttl 64, id 2145, offset 0, flags [DF], proto TCP (6), length 52)
10.54.108.6.54922 > 192.168.200.1.22: Flags [.], cksum 0x6ce5 (correct), seq 1, ack 1, win 4107, options [nop,nop,TS val 901043473 ecr 174689830], length 0
13:55:01.287821 IP (tos 0x0, ttl 64, id 27582, offset 0, flags [DF], proto TCP (6), length 73)
10.54.108.6.54922 > 192.168.200.1.22: Flags [P.], cksum 0xa91b (correct), seq 1:22, ack 1, win 4107, options [nop,nop,TS val 901043477 ecr 174689830], length 21
13:55:01.287829 IP (tos 0x0, ttl 64, id 28464, offset 0, flags [DF], proto TCP (6), length 52)
192.168.200.1.22 > 10.54.108.6.54922: Flags [.], cksum 0x7c27 (correct), seq 1, ack 22, win 114, options [nop,nop,TS val 174689892 ecr 901043477], length 0
13:55:01.387274 IP (tos 0x0, ttl 64, id 28465, offset 0, flags [DF], proto TCP (6), length 73)
192.168.200.1.22 > 10.54.108.6.54922: Flags [P.], cksum 0xbafe (correct), seq 1:22, ack 22, win 114, options [nop,nop,TS val 174689991 ecr 901043477], length 21
13:55:01.446675 IP (tos 0x0, ttl 64, id 25885, offset 0, flags [DF], proto TCP (6), length 52)
10.54.108.6.54922 > 192.168.200.1.22: Flags [.], cksum 0x6b7a (correct), seq 22, ack 22, win 4106, options [nop,nop,TS val 901043634 ecr 174689991], length 0
13:55:01.446684 IP (tos 0x0, ttl 64, id 28466, offset 0, flags [DF], proto TCP (6), length 892)
192.168.200.1.22 > 10.54.108.6.54922: Flags [P.], cksum 0x76dc (correct), seq 22:862, ack 22, win 114, options [nop,nop,TS val 174690051 ecr 901043634], length 840
13:55:01.450341 IP (tos 0x0, ttl 64, id 52837, offset 0, flags [DF], proto TCP (6), length 1328)
10.54.108.6.54922 > 192.168.200.1.22: Flags [.], cksum 0xb35c (correct), seq 22:1298, ack 22, win 4106, options [nop,nop,TS val 901043634 ecr 174689991], length 1276
13:55:01.450348 IP (tos 0x0, ttl 64, id 28467, offset 0, flags [DF], proto TCP (6), length 52)
192.168.200.1.22 > 10.54.108.6.54922: Flags [.], cksum 0x7278 (correct), seq 862, ack 1298, win 136, options [nop,nop,TS val 174690055 ecr 901043634], length 0
13:55:01.450356 IP (tos 0x0, ttl 64, id 51514, offset 0, flags [DF], proto TCP (6), length 208)
10.54.108.6.54922 > 192.168.200.1.22: Flags [P.], cksum 0x9a41 (correct), seq 1298:1454, ack 22, win 4106, options [nop,nop,TS val 901043634 ecr 174689991], length 156
13:55:01.450359 IP (tos 0x0, ttl 64, id 28468, offset 0, flags [DF], proto TCP (6), length 52)
192.168.200.1.22 > 10.54.108.6.54922: Flags [.], cksum 0x71c8 (correct), seq 862, ack 1454, win 156, options [nop,nop,TS val 174690055 ecr 901043634], length 0
13:55:01.703311 IP (tos 0x0, ttl 64, id 28469, offset 0, flags [DF], proto TCP (6), length 892)
192.168.200.1.22 > 10.54.108.6.54922: Flags [P.], cksum 0x7019 (correct), seq 22:862, ack 1454, win 156, options [nop,nop,TS val 174690308 ecr 901043634], length 840
13:55:02.217306 IP (tos 0x0, ttl 64, id 28470, offset 0, flags [DF], proto TCP (6), length 892)
192.168.200.1.22 > 10.54.108.6.54922: Flags [P.], cksum 0x6e17 (correct), seq 22:862, ack 1454, win 156, options [nop,nop,TS val 174690822 ecr 901043634], length 840
13:55:03.245283 IP (tos 0x0, ttl 64, id 28471, offset 0, flags [DF], proto TCP (6), length 892)
192.168.200.1.22 > 10.54.108.6.54922: Flags [P.], cksum 0x6a13 (correct), seq 22:862, ack 1454, win 156, options [nop,nop,TS val 174691850 ecr 901043634], length 840
13:55:05.301311 IP (tos 0x0, ttl 64, id 28472, offset 0, flags [DF], proto TCP (6), length 892)
192.168.200.1.22 > 10.54.108.6.54922: Flags [P.], cksum 0x620b (correct), seq 22:862, ack 1454, win 156, options [nop,nop,TS val 174693906 ecr 901043634], length 840
13:55:09.413283 IP (tos 0x0, ttl 64, id 28473, offset 0, flags [DF], proto TCP (6), length 892)
192.168.200.1.22 > 10.54.108.6.54922: Flags [P.], cksum 0x51fb (correct), seq 22:862, ack 1454, win 156, options [nop,nop,TS val 174698018 ecr 901043634], length 840
13:55:17.637285 IP (tos 0x0, ttl 64, id 28474, offset 0, flags [DF], proto TCP (6), length 892)
192.168.200.1.22 > 10.54.108.6.54922: Flags [P.], cksum 0x31db (correct), seq 22:862, ack 1454, win 156, options [nop,nop,TS val 174706242 ecr 901043634], length 840
13:55:34.085309 IP (tos 0x0, ttl 64, id 28475, offset 0, flags [DF], proto TCP (6), length 892)
192.168.200.1.22 > 10.54.108.6.54922: Flags [P.], cksum 0xf19a (correct), seq 22:862, ack 1454, win 156, options [nop,nop,TS val 174722690 ecr 901043634], length 840
Ping to 192.168.200.1 works fine, though. I thought large packets could not get through the VPN tunnel, but on my local PC I can see large packets (1276) arriving from the VPN server, while the small packets (892) never reach my laptop.
Where is the problem?
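To read the two captures above more systematically, here is an added example (not part of the original question) that parses the two-line records that tcpdump -vv prints and reports every payload-carrying segment that one side keeps resending while the other side never acknowledges past its end. The parser, the function names and the min_sends threshold are my own; the sample lines are copied from the tun1 capture in the question. On that sample it singles out the server's 840-byte segment seq 22:862, sent four times while the laptop's highest ack stays at 22, whereas the laptop's 1276-byte segment is acknowledged, which is exactly the asymmetry the question describes.

```python
import re
from collections import Counter, defaultdict

# Sample input: a subset of the server-side "tcpdump -i tun1 -nn -vv" records quoted in the
# question (two lines per packet: the IP header line, then the TCP line).
SAMPLE_CAPTURE = """\
13:55:01.446684 IP (tos 0x0, ttl 64, id 28466, offset 0, flags [DF], proto TCP (6), length 892)
192.168.200.1.22 > 10.54.108.6.54922: Flags [P.], cksum 0x76dc (correct), seq 22:862, ack 22, win 114, options [nop,nop,TS val 174690051 ecr 901043634], length 840
13:55:01.450341 IP (tos 0x0, ttl 64, id 52837, offset 0, flags [DF], proto TCP (6), length 1328)
10.54.108.6.54922 > 192.168.200.1.22: Flags [.], cksum 0xb35c (correct), seq 22:1298, ack 22, win 4106, options [nop,nop,TS val 901043634 ecr 174689991], length 1276
13:55:01.450348 IP (tos 0x0, ttl 64, id 28467, offset 0, flags [DF], proto TCP (6), length 52)
192.168.200.1.22 > 10.54.108.6.54922: Flags [.], cksum 0x7278 (correct), seq 862, ack 1298, win 136, options [nop,nop,TS val 174690055 ecr 901043634], length 0
13:55:01.450356 IP (tos 0x0, ttl 64, id 51514, offset 0, flags [DF], proto TCP (6), length 208)
10.54.108.6.54922 > 192.168.200.1.22: Flags [P.], cksum 0x9a41 (correct), seq 1298:1454, ack 22, win 4106, options [nop,nop,TS val 901043634 ecr 174689991], length 156
13:55:01.450359 IP (tos 0x0, ttl 64, id 28468, offset 0, flags [DF], proto TCP (6), length 52)
192.168.200.1.22 > 10.54.108.6.54922: Flags [.], cksum 0x71c8 (correct), seq 862, ack 1454, win 156, options [nop,nop,TS val 174690055 ecr 901043634], length 0
13:55:01.703311 IP (tos 0x0, ttl 64, id 28469, offset 0, flags [DF], proto TCP (6), length 892)
192.168.200.1.22 > 10.54.108.6.54922: Flags [P.], cksum 0x7019 (correct), seq 22:862, ack 1454, win 156, options [nop,nop,TS val 174690308 ecr 901043634], length 840
13:55:02.217306 IP (tos 0x0, ttl 64, id 28470, offset 0, flags [DF], proto TCP (6), length 892)
192.168.200.1.22 > 10.54.108.6.54922: Flags [P.], cksum 0x6e17 (correct), seq 22:862, ack 1454, win 156, options [nop,nop,TS val 174690822 ecr 901043634], length 840
13:55:03.245283 IP (tos 0x0, ttl 64, id 28471, offset 0, flags [DF], proto TCP (6), length 892)
192.168.200.1.22 > 10.54.108.6.54922: Flags [P.], cksum 0x6a13 (correct), seq 22:862, ack 1454, win 156, options [nop,nop,TS val 174691850 ecr 901043634], length 840
"""

# The TCP line of a tcpdump -vv record. "ack" is absent on a bare SYN, and seq is a single
# number (no lo:hi range) on segments that carry no payload.
TCP_LINE = re.compile(
    r"^(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\],.*?"
    r"seq (?P<lo>\d+)(?::(?P<hi>\d+))?(?:, ack (?P<ack>\d+))?.*?length (?P<len>\d+)$"
)


def parse_segments(capture_text):
    """Return one dict per TCP segment; header lines and anything unparsable are skipped."""
    segments = []
    for line in capture_text.splitlines():
        m = TCP_LINE.match(line.strip())
        if not m:
            continue
        length = int(m.group("len"))
        lo = int(m.group("lo"))
        hi = int(m.group("hi")) if m.group("hi") else lo + length
        segments.append({
            "src": m.group("src"), "dst": m.group("dst"), "flags": m.group("flags"),
            "lo": lo, "hi": hi, "len": length,
            "ack": int(m.group("ack")) if m.group("ack") else None,
        })
    return segments


def find_unacked_retransmits(capture_text, min_sends=2):
    """Report payload segments seen at least min_sends times whose receiver never acknowledged
    past their end: data that leaves one side of the tunnel but never arrives at the other."""
    sends = Counter()               # (src, dst, lo, hi) -> times this exact segment appeared
    highest_ack = defaultdict(int)  # (src, dst) -> highest ack number src has sent towards dst
    for s in parse_segments(capture_text):
        if s["len"] > 0:
            sends[(s["src"], s["dst"], s["lo"], s["hi"])] += 1
        if s["ack"] is not None:
            key = (s["src"], s["dst"])
            highest_ack[key] = max(highest_ack[key], s["ack"])
    findings = []
    for (src, dst, lo, hi), n in sends.items():
        acked = highest_ack[(dst, src)]  # what the receiver has acknowledged back to the sender
        if n >= min_sends and acked < hi:
            findings.append({"src": src, "dst": dst, "range": (lo, hi), "bytes": hi - lo,
                             "sends": n, "peer_ack": acked})
    return sorted(findings, key=lambda f: -f["sends"])


if __name__ == "__main__":
    for f in find_unacked_retransmits(SAMPLE_CAPTURE):
        print(f"{f['src']} -> {f['dst']}: {f['bytes']}-byte segment {f['range']} sent "
              f"{f['sends']}x, peer only acked up to {f['peer_ack']}")
```

Run it against the full client-side and server-side captures and compare: a segment that is retransmitted on the sending side and never shows up at all on the receiving side is being dropped (or mangled) inside the tunnel, not on the hosts, which narrows the search to what the tunnel does to that packet size and content.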
Answer 1
The cause is the new-generation compression type. I disabled it and ssh login works fine.
Answer 2
If you have searched for this, then you need to turn off compression, because it breaks the connection and is vulnerable to attack. More info. Solution:
OpenVPN 2.4.0 and later, and only with OpenVPN 2.4.x or later clients: use --compress stub-v2 and --push "compress stub-v2"
OpenVPN 2.3.x and earlier: use --comp-lzo no and --push "comp-lzo no"
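A way to check a server or client config for the setting the two answers point at, as an added example that is not from the original answers or from the OpenVPN project: it flags every comp-lzo or compress directive (including ones pushed to clients) that actually compresses traffic, and rewrites each one to the replacement the answer gives for the installed version. The sample server.conf, the function names and the (major, minor) version tuple are my own constructions; the directive values are the ones named in the answer plus the algorithm names lzo, lz4 and lz4-v2, which OpenVPN 2.4's --compress option accepts.

```python
import shlex

# Compression algorithms that really compress plaintext before it is encrypted (the risky ones).
# stub / stub-v2 keep only the compression framing and are the replacement the answer gives.
COMPRESSING = {"lzo", "lz4", "lz4-v2"}

# Constructed sample (not the poster's real config): a typical 2.3-era server.conf that
# enables LZO compression locally and pushes it to every client.
SAMPLE_SERVER_CONF = """\
port 1194
proto udp
dev tun
server 192.168.200.0 255.255.255.0
comp-lzo
push "comp-lzo"
push "route 10.0.0.0 255.0.0.0"
keepalive 10 120
"""


def parse_directive(line):
    """Return (directive, args, pushed) for one config line, unwrapping push "..." entries;
    None for blank and comment lines."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#;":
        return None
    try:
        tokens = shlex.split(stripped)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        tokens = stripped.split()
    pushed = False
    if tokens and tokens[0] == "push" and len(tokens) == 2:
        tokens, pushed = tokens[1].split(), True
    if not tokens:
        return None
    return tokens[0], tokens[1:], pushed


def enables_compression(directive, args):
    """True when the directive turns real compression on. A bare comp-lzo means adaptive."""
    if directive == "comp-lzo":
        return not args or args[0] in ("yes", "adaptive")
    if directive == "compress":
        return bool(args) and args[0] in COMPRESSING
    return False


def replacement(pushed, version):
    """The answer's fix for the installed OpenVPN version, given as a (major, minor) tuple."""
    inner = "compress stub-v2" if version >= (2, 4) else "comp-lzo no"
    return f'push "{inner}"' if pushed else inner


def audit(config_text, version):
    """List every line that enables compression, together with the line it should become."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        parsed = parse_directive(line)
        if parsed and enables_compression(parsed[0], parsed[1]):
            findings.append({"line": n, "text": line.strip(),
                             "fix": replacement(parsed[2], version)})
    return findings


def harden(config_text, version):
    """Return the config with each offending line swapped for its replacement."""
    fixes = {f["line"]: f["fix"] for f in audit(config_text, version)}
    lines = [fixes.get(n, line) for n, line in enumerate(config_text.splitlines(), 1)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for f in audit(SAMPLE_SERVER_CONF, (2, 4)):
        print(f"line {f['line']}: '{f['text']}' -> '{f['fix']}'")
    print(harden(SAMPLE_SERVER_CONF, (2, 4)))
```

Pass the lowest version present on either end of the tunnel: as the answer says, compress stub-v2 only works when both server and client run 2.4 or later, so a 2.4 server that still serves 2.3 clients should be hardened with (2, 3), which yields comp-lzo no and push "comp-lzo no" instead.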