Update: this is the output when I try to reach OpenVPN through the Verizon router instead of my home-built Ubuntu router. It does not work immediately after plugging in the router, but after about a day or so it starts working. I don't understand it:
Tue Nov 27 21:31:30 2018 OpenVPN 2.4.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jun 20 2017
Tue Nov 27 21:31:30 2018 Windows version 6.1 (Windows 7) 64bit
Tue Nov 27 21:31:30 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Enter Management Password:
Tue Nov 27 21:31:30 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25343
Tue Nov 27 21:31:30 2018 Need hold release from management interface, waiting...
Tue Nov 27 21:31:30 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25343
Tue Nov 27 21:31:31 2018 MANAGEMENT: CMD 'state on'
Tue Nov 27 21:31:31 2018 MANAGEMENT: CMD 'log all on'
Tue Nov 27 21:31:31 2018 MANAGEMENT: CMD 'echo all on'
Tue Nov 27 21:31:31 2018 MANAGEMENT: CMD 'hold off'
Tue Nov 27 21:31:31 2018 MANAGEMENT: CMD 'hold release'
Tue Nov 27 21:31:43 2018 MANAGEMENT: CMD 'password [...]'
Tue Nov 27 21:31:43 2018 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Nov 27 21:31:43 2018 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Nov 27 21:31:43 2018 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Nov 27 21:31:43 2018 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Nov 27 21:31:43 2018 MANAGEMENT: >STATE:1543372303,RESOLVE,,,,,,
Tue Nov 27 21:31:44 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]96.255.47.75:1194
Tue Nov 27 21:31:44 2018 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Nov 27 21:31:44 2018 UDP link local: (not bound)
Tue Nov 27 21:31:44 2018 UDP link remote: [AF_INET]96.255.47.75:1194
Tue Nov 27 21:31:44 2018 MANAGEMENT: >STATE:1543372304,WAIT,,,,,,
Tue Nov 27 21:31:44 2018 MANAGEMENT: >STATE:1543372304,AUTH,,,,,,
Tue Nov 27 21:31:44 2018 TLS: Initial packet from [AF_INET]96.255.47.75:1194, sid=a595f501 53b59ad2
Tue Nov 27 21:31:44 2018 VERIFY OK: depth=1, CN=ChangeMe
Tue Nov 27 21:31:44 2018 VERIFY KU OK
Tue Nov 27 21:31:44 2018 Validating certificate extended key usage
Tue Nov 27 21:31:44 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Nov 27 21:31:44 2018 VERIFY EKU OK
Tue Nov 27 21:31:44 2018 VERIFY X509NAME OK: CN=server_ulIZjDM5Jfumz3sy
Tue Nov 27 21:31:44 2018 VERIFY OK: depth=0, CN=server_ulIZjDM5Jfumz3sy
Tue Nov 27 21:31:44 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES256-GCM-SHA384
Tue Nov 27 21:31:44 2018 [server_ulIZjDM5Jfumz3sy] Peer Connection Initiated with [AF_INET]96.255.47.75:1194
Tue Nov 27 21:31:45 2018 MANAGEMENT: >STATE:1543372305,GET_CONFIG,,,,,,
Tue Nov 27 21:31:45 2018 SENT CONTROL [server_ulIZjDM5Jfumz3sy]: 'PUSH_REQUEST' (status=1)
Tue Nov 27 21:31:45 2018 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,block-outside-dns,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 1800,ping-restart 3600,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Tue Nov 27 21:31:45 2018 OPTIONS IMPORT: timers and/or timeouts modified
Tue Nov 27 21:31:45 2018 OPTIONS IMPORT: --ifconfig/up options modified
Tue Nov 27 21:31:45 2018 OPTIONS IMPORT: route options modified
Tue Nov 27 21:31:45 2018 OPTIONS IMPORT: route-related options modified
Tue Nov 27 21:31:45 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Nov 27 21:31:45 2018 OPTIONS IMPORT: peer-id set
Tue Nov 27 21:31:45 2018 OPTIONS IMPORT: adjusting link_mtu to 1624
Tue Nov 27 21:31:45 2018 OPTIONS IMPORT: data channel crypto options modified
Tue Nov 27 21:31:45 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Nov 27 21:31:45 2018 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Nov 27 21:31:45 2018 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Nov 27 21:31:45 2018 interactive service msg_channel=356
Tue Nov 27 21:31:46 2018 ROUTE_GATEWAY 192.168.86.1/255.255.255.0 I=11 HWADDR=00:21:63:ab:66:38
Tue Nov 27 21:31:46 2018 open_tun
Tue Nov 27 21:31:46 2018 TAP-WIN32 device [Local Area Connection 4] opened: \\.\Global\{9BFFC2A5-A514-4119-BFF1-94B0F8BCDA6D}.tap
Tue Nov 27 21:31:46 2018 TAP-Windows Driver Version 9.9
Tue Nov 27 21:31:46 2018 Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.2/255.255.255.0 [SUCCEEDED]
Tue Nov 27 21:31:46 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.2/255.255.255.0 on interface {9BFFC2A5-A514-4119-BFF1-94B0F8BCDA6D} [DHCP-serv: 10.8.0.254, lease-time: 31536000]
Tue Nov 27 21:31:46 2018 Successful ARP Flush on interface [34] {9BFFC2A5-A514-4119-BFF1-94B0F8BCDA6D}
Tue Nov 27 21:31:46 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Nov 27 21:31:46 2018 MANAGEMENT: >STATE:1543372306,ASSIGN_IP,,10.8.0.2,,,,
Tue Nov 27 21:31:46 2018 Blocking outside dns using service succeeded.
Tue Nov 27 21:31:51 2018 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Tue Nov 27 21:31:51 2018 C:\Windows\system32\route.exe ADD 96.255.47.75 MASK 255.255.255.255 192.168.86.1
Tue Nov 27 21:31:51 2018 Route addition via service succeeded
Tue Nov 27 21:31:51 2018 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1
Tue Nov 27 21:31:51 2018 Route addition via service succeeded
Tue Nov 27 21:31:51 2018 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.1
Tue Nov 27 21:31:51 2018 Route addition via service succeeded
Tue Nov 27 21:31:51 2018 Initialization Sequence Completed
Tue Nov 27 21:31:51 2018 MANAGEMENT: >STATE:1543372311,CONNECTED,SUCCESS,10.8.0.2,96.255.47.75,1194,,
Tue Nov 27 21:35:07 2018 C:\Windows\system32\route.exe DELETE 96.255.47.75 MASK 255.255.255.255 192.168.86.1
Tue Nov 27 21:35:07 2018 Route deletion via service succeeded
Tue Nov 27 21:35:07 2018 C:\Windows\system32\route.exe DELETE 0.0.0.0 MASK 128.0.0.0 10.8.0.1
Tue Nov 27 21:35:07 2018 Route deletion via service succeeded
Tue Nov 27 21:35:07 2018 C:\Windows\system32\route.exe DELETE 128.0.0.0 MASK 128.0.0.0 10.8.0.1
Tue Nov 27 21:35:08 2018 Route deletion via service succeeded
Tue Nov 27 21:35:08 2018 Closing TUN/TAP interface
Tue Nov 27 21:35:08 2018 TAP: DHCP address released
Tue Nov 27 21:35:08 2018 Unblocking outside dns using service succeeded.
Tue Nov 27 21:35:08 2018 SIGTERM[hard,] received, process exiting
Tue Nov 27 21:35:08 2018 MANAGEMENT: >STATE:1543372508,EXITING,SIGTERM,,,,,
I cannot get devices to connect to my home network over OpenVPN through the router I built with Ubuntu, whose IP address is 192.168.1.1. The OpenVPN server is my Raspberry Pi, which is separate from the router, at address 192.168.1.1. I used this page https://arstechnica.com/gadgets/2016/04/the-ars-guide-to-building-a-linux-router-from-scratch/ and this page https://arashmilani.com/post?id=53 to configure my router and set up the router's iptables. I have opened port 1194 UDP, so that is not the problem. However, every time I try to connect I get the following:
Fri Nov 23 16:44:50 2018 OpenVPN 2.4.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jun 20 2017
Fri Nov 23 16:44:50 2018 Windows version 6.1 (Windows 7) 64bit
Fri Nov 23 16:44:50 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Fri Nov 23 16:44:50 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25343
Fri Nov 23 16:44:50 2018 Need hold release from management interface, waiting...
Fri Nov 23 16:44:50 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25343
Fri Nov 23 16:44:51 2018 MANAGEMENT: CMD 'state on'
Fri Nov 23 16:44:51 2018 MANAGEMENT: CMD 'log all on'
Fri Nov 23 16:44:51 2018 MANAGEMENT: CMD 'echo all on'
Fri Nov 23 16:44:51 2018 MANAGEMENT: CMD 'hold off'
Fri Nov 23 16:44:51 2018 MANAGEMENT: CMD 'hold release'
Fri Nov 23 16:44:57 2018 MANAGEMENT: CMD 'password [...]'
Fri Nov 23 16:44:57 2018 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Nov 23 16:44:57 2018 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Nov 23 16:44:57 2018 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Nov 23 16:44:57 2018 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Nov 23 16:44:57 2018 MANAGEMENT: >STATE:1543009497,RESOLVE,,,,,,
Fri Nov 23 16:44:57 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]100.15.140.98:1194
Fri Nov 23 16:44:57 2018 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Nov 23 16:44:57 2018 UDP link local: (not bound)
Fri Nov 23 16:44:57 2018 UDP link remote: [AF_INET]100.15.150.28:1194
Fri Nov 23 16:44:57 2018 MANAGEMENT: >STATE:1543009497,WAIT,,,,,,
Fri Nov 23 16:44:57 2018 read UDP: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Nov 23 16:44:59 2018 read UDP: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Nov 23 16:45:04 2018 read UDP: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Nov 23 16:45:12 2018 read UDP: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Nov 23 16:45:28 2018 read UDP: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Nov 23 16:45:58 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Nov 23 16:45:58 2018 TLS Error: TLS handshake failed
Fri Nov 23 16:45:58 2018 SIGUSR1[soft,tls-error] received, process restarting
Fri Nov 23 16:45:58 2018 MANAGEMENT: >STATE:1543009558,RECONNECTING,tls-error,,,,,
Fri Nov 23 16:45:58 2018 Restart pause, 5 second(s)
Here is the server.conf file on my Raspberry Pi:
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_ulIZjDM5Jfumz3sy.crt
key /etc/openvpn/easy-rsa/pki/private/server_ulIZjDM5Jfumz3sy.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io
Here is one of my client configuration files:
client
dev tun
proto udp
remote shadow.bounceonthis.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_ulIZjDM5Jfumz3sy name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
Here are my iptables settings. I keep them in a file (/etc/network/iptables) and push it through iptables-restore every time I change it.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Masquerade vpn tunnel for specific ip source
#-A POSTROUTING -o tun+ -j MASQUERADE --src 10.8.0.0/24
# For OpenVPN
#-A POSTROUTING -s 10.8.0.0/24 -o enp3s0f1 -j MASQUERADE
# enp3s0f0 is WAN interface, #enp3s0f1 is LAN interface
-A POSTROUTING -o enp3s0f0 -j MASQUERADE
# NAT pinhole: HTTP from WAN to LAN
-A PREROUTING -p tcp -m tcp -i enp3s0f0 --dport 80 -j DNAT --to-destination 192.168.1.7:80
#-A PREROUTING -p udp -m udp -i enp3s0f0 --dport 1194 -j DNAT --to-destination 192.168.1.8:1194
-A PREROUTING -p tcp -m tcp -i enp3s0f0 --dport 22 -j DNAT --to-destination 192.168.1.7:22
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Service rules
# basic global accept rules - ICMP, loopback, traceroute, established all accepted
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# enable traceroute rejections to get sent out
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
# DNS - accept from LAN
-A INPUT -i enp3s0f1 -p tcp --dport 53 -j ACCEPT
-A INPUT -i enp3s0f1 -p udp --dport 53 -j ACCEPT
-A INPUT -i enp4s0f0 -p tcp --dport 53 -j ACCEPT
-A INPUT -i enp4s0f0 -p udp --dport 53 -j ACCEPT
-A INPUT -i enp4s0f1 -p tcp --dport 53 -j ACCEPT
-A INPUT -i enp4s0f1 -p udp --dport 53 -j ACCEPT
# SSH - accept from LAN
-A INPUT -i enp3s0f1 -p tcp --dport 22 -j ACCEPT
-A INPUT -i enp4s0f0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i enp4s0f1 -p tcp --dport 22 -j ACCEPT
# DHCP client requests - accept from LAN
-A INPUT -i enp3s0f1 -p udp --dport 67:68 -j ACCEPT
-A INPUT -i enp4s0f0 -p udp --dport 67:68 -j ACCEPT
-A INPUT -i enp4s0f1 -p udp --dport 67:68 -j ACCEPT
#OpenVPN - accept from LAN
-A INPUT -i enp3s0f1 -p udp -m state --state NEW --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
#-A INPUT -i tun0 -j ACCEPT
#-A INPUT -i enp3s0f1 -j ACCEPT
# drop all other inbound traffic
-A INPUT -j DROP
# Forwarding rules
# forward packets along established/related connections
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# forward from LAN (enp3s0f1) to WAN (enp3s0f0)
-A FORWARD -i enp3s0f1 -o enp3s0f0 -j ACCEPT
-A FORWARD -i enp4s0f0 -o enp3s0f0 -j ACCEPT
-A FORWARD -i enp4s0f1 -o enp3s0f0 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o enp3s0f1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp3s0f1 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A FORWARD -i tun0 -j ACCEPT
#-A FORWARD -i tun0 -o enp3s0f1 -m state --state RELATED,ESTABLISHED -j ACCEPT --src 10.8.0.0/24
#-A FORWARD -i enp3s0f1 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT --src 10.8.0.0/24
#-A FORWARD -i enp3s0f1 -j ACCEPT
# allow traffic from our NAT pinhole
-A FORWARD -p tcp -d 192.168.1.7 --dport 80 -j ACCEPT
-A FORWARD -p tcp -d 192.168.1.8 --dport 22 -j ACCEPT
#-A FORWARD -p udp -d 192.168.1.8 --dport 1194 -j ACCEPT
# drop all other forwarded traffic
-A FORWARD -j DROP
-A OUTPUT -o tun+ -j ACCEPT
COMMIT
Here is the output of iptables -L -v:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
298 71669 ACCEPT all -- lo any 127.0.0.0/8 127.0.0.0/8
358 21968 ACCEPT icmp -- any any anywhere anywhere
5406 3229K ACCEPT all -- any any anywhere anywhere state ESTABLISHED
0 0 REJECT udp -- any any anywhere anywhere udp dpts:33434:33523 reject-with icmp-port-unreachable
0 0 ACCEPT tcp -- enp3s0f1 any anywhere anywhere tcp dpt:domain
741 46889 ACCEPT udp -- enp3s0f1 any anywhere anywhere udp dpt:domain
0 0 ACCEPT tcp -- enp4s0f0 any anywhere anywhere tcp dpt:domain
0 0 ACCEPT udp -- enp4s0f0 any anywhere anywhere udp dpt:domain
0 0 ACCEPT tcp -- enp4s0f1 any anywhere anywhere tcp dpt:domain
0 0 ACCEPT udp -- enp4s0f1 any anywhere anywhere udp dpt:domain
2 104 ACCEPT tcp -- enp3s0f1 any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- enp4s0f0 any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- enp4s0f1 any anywhere anywhere tcp dpt:ssh
11 4015 ACCEPT udp -- enp3s0f1 any anywhere anywhere udp dpts:bootps:bootpc
0 0 ACCEPT udp -- enp4s0f0 any anywhere anywhere udp dpts:bootps:bootpc
0 0 ACCEPT udp -- enp4s0f1 any anywhere anywhere udp dpts:bootps:bootpc
52 4264 ACCEPT udp -- enp3s0f1 any anywhere anywhere state NEW udp dpt:openvpn
0 0 ACCEPT all -- tun+ any anywhere anywhere
1903 196K DROP all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
380K 421M ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
7260 1021K ACCEPT all -- enp3s0f1 enp3s0f0 anywhere anywhere
0 0 ACCEPT all -- enp4s0f0 enp3s0f0 anywhere anywhere
0 0 ACCEPT all -- enp4s0f1 enp3s0f0 anywhere anywhere
0 0 ACCEPT all -- tun+ any anywhere anywhere
0 0 ACCEPT all -- tun+ enp3s0f1 anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- enp3s0f1 tun+ anywhere anywhere state RELATED,ESTABLISHED
2 100 ACCEPT tcp -- any any anywhere 192.168.1.7 tcp dpt:http
21 1228 ACCEPT tcp -- any any anywhere 192.168.1.8 tcp dpt:ssh
0 0 DROP all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 10253 packets, 3548K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any tun+ anywhere anywhere
Here is the output of iptables -L -t nat -v:
Chain PREROUTING (policy ACCEPT 9046 packets, 1163K bytes)
pkts bytes target prot opt in out source destination
5 256 DNAT tcp -- enp3s0f0 any anywhere anywhere tcp dpt:http to:192.168.1.7:80
21 1228 DNAT tcp -- enp3s0f0 any anywhere anywhere tcp dpt:ssh to:192.168.1.8:22
Chain INPUT (policy ACCEPT 799 packets, 54051 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 429 packets, 190K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 230 packets, 17336 bytes)
pkts bytes target prot opt in out source destination
7213 1123K MASQUERADE all -- any enp3s0f0 anywhere anywhere
I have been racking my brain over this for the past two days and have made no progress.
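One way to audit an iptables-restore file like the one in the post for a complete UDP port forward: a nat PREROUTING DNAT for the port, plus a filter FORWARD ACCEPT for the DNAT destination that sits before the chain's catch-all DROP. This is an added example, not code from the post; the rule text is a constructed excerpt modelled on the /etc/network/iptables above, and the function names are my own.

```python
import re
from typing import Dict, List, Tuple
# Constructed excerpt in iptables-restore format, modelled on the post's
# /etc/network/iptables; the UDP 1194 pinhole lines are commented out.
SAMPLE_RULES = """\
*nat
-A PREROUTING -p tcp -m tcp -i enp3s0f0 --dport 80 -j DNAT --to-destination 192.168.1.7:80
#-A PREROUTING -p udp -m udp -i enp3s0f0 --dport 1194 -j DNAT --to-destination 192.168.1.8:1194
COMMIT
*filter
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -d 192.168.1.7 --dport 80 -j ACCEPT
#-A FORWARD -p udp -d 192.168.1.8 --dport 1194 -j ACCEPT
-A FORWARD -j DROP
COMMIT
"""
DNAT_RE = re.compile(r"^-A PREROUTING .*-p (\w+) .*--dport (\d+) .*-j DNAT --to-destination (\S+)")
FWD_RE = re.compile(r"^-A FORWARD .*-p (\w+) .*-d (\S+) .*--dport (\d+) .*-j ACCEPT")

def parse_tables(text: str) -> Dict[str, List[str]]:
    """Group the active (uncommented) -A rules by table, keeping their order."""
    tables: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. *nat
            current = line[1:]
            tables.setdefault(current, [])
        elif line.startswith("-A") and current is not None:
            tables[current].append(line)    # '#-A ...' lines are skipped
    return tables

def pinhole_status(text: str, proto: str, port: int) -> Tuple[bool, bool, str]:
    """Return (dnat_present, forward_accepts, dnat_destination) for proto/port."""
    tables = parse_tables(text)
    dnat, dest = False, ""
    for rule in tables.get("nat", []):
        m = DNAT_RE.match(rule)
        if m and m.group(1) == proto and int(m.group(2)) == port:
            dnat, dest = True, m.group(3).split(":")[0]
    forwarded = False
    for rule in tables.get("filter", []):
        if rule == "-A FORWARD -j DROP":    # catch-all: later rules never match
            break
        m = FWD_RE.match(rule)
        if m and m.group(1) == proto and int(m.group(3)) == port and (not dest or m.group(2) == dest):
            forwarded = True
            break
    return dnat, forwarded, dest
```

Running pinhole_status(SAMPLE_RULES, "udp", 1194) reports neither half of the forward present, while the TCP 80 pinhole reports both; the same check also flags a FORWARD ACCEPT that is shadowed by an earlier catch-all DROP.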