Why does OpenVPN work on iOS but not on desktops?

I set up an OpenVPN server on Ubuntu 18.04 following this guide: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04

The main change from the guide is that UDP didn't work, so I had to switch it to TCP (using port 1194). Our network is set up so that one server receives all traffic for our 4 public IP addresses and then port-forwards it to the appropriate server. I originally port-forwarded UDP port 1194, but it couldn't connect. I think something upstream is blocking it.

So far it works fine from:

  • My iPhone (on home WiFi and on 4G)
  • My colleague's iPhone
  • My colleague's Mac at his home (he can ping for 15 minutes without losing a single packet)

I have tried connecting from every computer at my home (a Mac on WiFi, Windows and Linux on Ethernet) and none of them work. I also tried connecting the Mac through my iPhone's personal hotspot (both WiFi and USB) and it still doesn't work.

All of the computers that don't work show the same symptoms:

  • The OpenVPN client software reports a successful connection
  • The computer gets an OpenVPN IP address (e.g. 10.8.0.6)
  • Trying to ping one of the DNS servers (which is also an Active Directory server) fails more than 90% of the time, and when it does succeed the ping time is around 30,000 ms (30 seconds!)
  • DNS and web browsing do not work over the VPN

Here is the latest Tunnelblick log from my Mac. The only thing I removed is the public IP address of our OpenVPN server.

2020-03-23 07:34:55.351272 *Tunnelblick: macOS 10.14.6 (18G3020); Tunnelblick 3.8.2 (build 5480); prior version 3.8.1 (build 5400)
2020-03-23 07:23:04.642958 *Tunnelblick: openvpnstart starting OpenVPN
2020-03-23 07:23:04.916999 OpenVPN 2.4.8 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Mar 22 2020
2020-03-23 07:23:04.917053 library versions: OpenSSL 1.1.1e  17 Mar 2020, LZO 2.10
2020-03-23 07:23:04.918394 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:50826
2020-03-23 07:23:04.918430 Need hold release from management interface, waiting...
2020-03-23 07:23:05.251198 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:50826
2020-03-23 07:23:05.267574 MANAGEMENT: CMD 'pid'
2020-03-23 07:23:05.267622 MANAGEMENT: CMD 'auth-retry interact'
2020-03-23 07:23:05.267644 MANAGEMENT: CMD 'state on'
2020-03-23 07:23:05.267678 MANAGEMENT: CMD 'state'
2020-03-23 07:23:05.267707 MANAGEMENT: CMD 'bytecount 1'
2020-03-23 07:23:05.272094 MANAGEMENT: CMD 'hold release'
2020-03-23 07:23:05.272204 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2020-03-23 07:23:05.272267 PLUGIN_INIT: POST /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.8-openssl-1.1.1e/openvpn-down-root.so '[/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.8-openssl-1.1.1e/openvpn-down-root.so] [/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh] [-9] [-d] [-f] [-m] [-w] [-ptADGNWradsgnw]' intercepted=PLUGIN_UP|PLUGIN_DOWN 
2020-03-23 07:23:05.276207 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2020-03-23 07:23:05.276229 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2020-03-23 07:23:05.279431 TCP/UDP: Preserving recently used remote address: [AF_INET]<PUBLICIP>:1194
2020-03-23 07:23:05.279491 Socket Buffers: R=[131072->131072] S=[131072->131072]
2020-03-23 07:23:05.279526 Attempting to establish TCP connection with [AF_INET]<PUBLICIP>:1194 [nonblock]
2020-03-23 07:23:05.279538 MANAGEMENT: >STATE:1584908585,TCP_CONNECT,,,,,,
2020-03-23 07:23:06.335829 TCP connection established with [AF_INET]<PUBLICIP>:1194
2020-03-23 07:23:06.335906 TCP_CLIENT link local: (not bound)
2020-03-23 07:23:06.335941 TCP_CLIENT link remote: [AF_INET]<PUBLICIP>:1194
2020-03-23 07:23:06.335964 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2020-03-23 07:23:06.336089 MANAGEMENT: >STATE:1584908586,WAIT,,,,,,
2020-03-23 07:23:06.358596 MANAGEMENT: >STATE:1584908586,AUTH,,,,,,
2020-03-23 07:23:06.358716 TLS: Initial packet from [AF_INET]<PUBLICIP>:1194, sid=0e863ba9 ff390d97
2020-03-23 07:23:07.054438 VERIFY OK: depth=1, CN=Easy-RSA CA
2020-03-23 07:23:07.054780 VERIFY KU OK
2020-03-23 07:23:07.054796 Validating certificate extended key usage
2020-03-23 07:23:07.054806 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2020-03-23 07:23:07.054814 VERIFY EKU OK
2020-03-23 07:23:07.054821 VERIFY OK: depth=0, CN=vpn1
2020-03-23 07:23:07.798702 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
2020-03-23 07:23:07.798811 [vpn1] Peer Connection Initiated with [AF_INET]<PUBLICIP>:1194
2020-03-23 07:23:08.995275 MANAGEMENT: >STATE:1584908588,GET_CONFIG,,,,,,
2020-03-23 07:23:08.997181 SENT CONTROL [vpn1]: 'PUSH_REQUEST' (status=1)
2020-03-23 07:23:11.410325 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway autolocal def1 bypass-dhcp,dhcp-option DNS 10.179.144.201,dhcp-option DNS 10.179.144.202,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
2020-03-23 07:23:11.410525 OPTIONS IMPORT: timers and/or timeouts modified
2020-03-23 07:23:11.410555 OPTIONS IMPORT: --ifconfig/up options modified
2020-03-23 07:23:11.410575 OPTIONS IMPORT: route options modified
2020-03-23 07:23:11.410595 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2020-03-23 07:23:11.410614 OPTIONS IMPORT: peer-id set
2020-03-23 07:23:11.410633 OPTIONS IMPORT: adjusting link_mtu to 1626
2020-03-23 07:23:11.410652 OPTIONS IMPORT: data channel crypto options modified
2020-03-23 07:23:11.410673 Data Channel: using negotiated cipher 'AES-256-GCM'
2020-03-23 07:23:11.410926 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-03-23 07:23:11.410949 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-03-23 07:23:11.411380 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2020-03-23 07:23:11.411576 Opened utun device utun1
2020-03-23 07:23:11.411611 MANAGEMENT: >STATE:1584908591,ASSIGN_IP,,10.8.0.6,,,,
2020-03-23 07:23:11.411651 /sbin/ifconfig utun1 delete
                           ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2020-03-23 07:23:11.415348 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2020-03-23 07:23:11.415397 /sbin/ifconfig utun1 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
2020-03-23 07:23:11.419458 PLUGIN_CALL: POST /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.8-openssl-1.1.1e/openvpn-down-root.so/PLUGIN_UP status=0
2020-03-23 07:23:11.419636 /sbin/route add -net <PUBLICIP> 192.168.254.254 255.255.255.255
                           add net <PUBLICIP>: gateway 192.168.254.254
2020-03-23 07:23:11.422008 /sbin/route add -net 0.0.0.0 10.8.0.5 128.0.0.0
                           add net 0.0.0.0: gateway 10.8.0.5
2020-03-23 07:23:11.424335 /sbin/route add -net 128.0.0.0 10.8.0.5 128.0.0.0
                           add net 128.0.0.0: gateway 10.8.0.5
2020-03-23 07:23:11.426268 MANAGEMENT: >STATE:1584908591,ADD_ROUTES,,,,,,
2020-03-23 07:23:11.426320 /sbin/route add -net 10.8.0.1 10.8.0.5 255.255.255.255
                           add net 10.8.0.1: gateway 10.8.0.5
                           07:23:11 *Tunnelblick:  **********************************************
                           07:23:11 *Tunnelblick:  Start of output from client.up.tunnelblick.sh
                           07:23:14 *Tunnelblick:  Disabled IPv6 for 'Wi-Fi'
                           07:23:14 *Tunnelblick:  Disabled IPv6 for 'Bluetooth PAN'
                           07:23:14 *Tunnelblick:  Disabled IPv6 for 'Thunderbolt Bridge'
                           07:23:14 *Tunnelblick:  Disabled IPv6 for 'Server VLAN'
                           07:23:14 *Tunnelblick:  Disabled IPv6 for 'Servers 20'
                           07:23:14 *Tunnelblick:  Disabled IPv6 for 'Attendance'
                           07:23:14 *Tunnelblick:  Disabled IPv6 for 'CASES'
                           07:23:14 *Tunnelblick:  Retrieved from OpenVPN: name server(s) [ 10.179.144.201 10.179.144.202 ], search domain(s) [ ] and SMB server(s) [ ] and using default domain name [ openvpn ]
                           07:23:14 *Tunnelblick:  Not aggregating ServerAddresses because running on macOS 10.6 or higher
                           07:23:14 *Tunnelblick:  Setting search domains to 'openvpn' because the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected
                           07:23:15 *Tunnelblick:  Saved the DNS and SMB configurations so they can be restored
                           07:23:15 *Tunnelblick:  Changed DNS ServerAddresses setting from '192.168.254.7' to '10.179.144.201 10.179.144.202'
                           07:23:15 *Tunnelblick:  Changed DNS SearchDomains setting from '' to 'openvpn'
                           07:23:15 *Tunnelblick:  Changed DNS DomainName setting from '' to 'openvpn'
                           07:23:15 *Tunnelblick:  Did not change SMB NetBIOSName setting of ''
                           07:23:15 *Tunnelblick:  Did not change SMB Workgroup setting of ''
                           07:23:15 *Tunnelblick:  Did not change SMB WINSAddresses setting of ''
                           07:23:15 *Tunnelblick:  DNS servers '10.179.144.201 10.179.144.202' will be used for DNS queries when the VPN is active
                           07:23:15 *Tunnelblick:  NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
                           07:23:15 *Tunnelblick:  Flushed the DNS cache via dscacheutil
                           07:23:15 *Tunnelblick:  /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                           07:23:15 *Tunnelblick:  Notified mDNSResponder that the DNS cache was flushed
                           07:23:15 *Tunnelblick:  Notified mDNSResponderHelper that the DNS cache was flushed
                           07:23:15 *Tunnelblick:  Setting up to monitor system configuration with process-network-changes
                           07:23:15 *Tunnelblick:  End of output from client.up.tunnelblick.sh
                           07:23:15 *Tunnelblick:  **********************************************
2020-03-23 07:23:15.877205 GID set to nogroup
2020-03-23 07:23:15.877250 UID set to nobody
2020-03-23 07:23:15.877259 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2020-03-23 07:23:15.877279 Initialization Sequence Completed
2020-03-23 07:23:15.877307 MANAGEMENT: >STATE:1584908595,CONNECTED,SUCCESS,10.8.0.6,<PUBLICIP>,1194,192.168.254.29,50195
2020-03-23 07:23:22.727626 *Tunnelblick: process-network-changes: A system configuration change was ignored
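When a client log like the one above says "connected" but traffic still does not flow, the first thing to pin down is what the server actually pushed and over which transport the tunnel runs. The following parser is an added example, not code from the poster or from OpenVPN/Tunnelblick: it reads the OpenVPN 2.4 client-log format shown in the question, extracts the PUSH_REPLY options, the tunnel addresses and MTUs, and lists the checks a troubleshooter would run next. The sample log embedded in it is constructed from a few of the lines above (with the public IP left as the same placeholder), and the triage rules are general OpenVPN knowledge, not a diagnosis of this particular server.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the OpenVPN 2.4 / Tunnelblick client-log format from the question.
SAMPLE_LOG = """\
2020-03-23 07:23:06.335941 TCP_CLIENT link remote: [AF_INET]<PUBLICIP>:1194
2020-03-23 07:23:11.410325 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway autolocal def1 bypass-dhcp,dhcp-option DNS 10.179.144.201,dhcp-option DNS 10.179.144.202,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
2020-03-23 07:23:11.410633 OPTIONS IMPORT: adjusting link_mtu to 1626
2020-03-23 07:23:11.415397 /sbin/ifconfig utun1 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
2020-03-23 07:23:15.877279 Initialization Sequence Completed
"""

@dataclass
class TunnelState:
    transport: Optional[str] = None                  # "TCP" or "UDP", from the "link remote" line
    pushed: List[str] = field(default_factory=list)  # raw PUSH_REPLY options
    dns: List[str] = field(default_factory=list)     # pushed "dhcp-option DNS" addresses
    routes: List[str] = field(default_factory=list)  # pushed "route ..." options
    local_ip: Optional[str] = None                   # from pushed "ifconfig <local> <peer>"
    peer_ip: Optional[str] = None
    redirect_gateway: bool = False                   # full-tunnel mode was pushed
    link_mtu: Optional[int] = None                   # "adjusting link_mtu to N"
    tun_mtu: Optional[int] = None                    # mtu on the ifconfig / ip link command
    completed: bool = False                          # "Initialization Sequence Completed" seen

LINK_RE = re.compile(r"\b(TCP_CLIENT|TCP_SERVER|UDP(?:v[46])?) link remote:")
PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'")
LINK_MTU_RE = re.compile(r"adjusting link_mtu to (\d+)")
# macOS logs "/sbin/ifconfig utunN ... mtu 1500"; Linux logs "/sbin/ip link set dev tunN up mtu 1500"
TUN_MTU_RE = re.compile(r"/sbin/(?:ifconfig|ip link set dev) \S+ .*?\bmtu (\d+)")

def parse_client_log(text: str) -> TunnelState:
    """Walk the log once and collect the facts needed for triage."""
    st = TunnelState()
    for line in text.splitlines():
        m = LINK_RE.search(line)
        if m:
            st.transport = "TCP" if m.group(1).startswith("TCP") else "UDP"
            continue
        m = PUSH_RE.search(line)
        if m:
            st.pushed = [opt.strip() for opt in m.group(1).split(",") if opt.strip()]
            for opt in st.pushed:
                words = opt.split()
                if words[0] == "dhcp-option" and len(words) == 3 and words[1] == "DNS":
                    st.dns.append(words[2])
                elif words[0] == "ifconfig" and len(words) == 3:
                    st.local_ip, st.peer_ip = words[1], words[2]
                elif words[0] == "route":
                    st.routes.append(opt)
                elif words[0] == "redirect-gateway":
                    st.redirect_gateway = True
            continue
        m = LINK_MTU_RE.search(line)
        if m:
            st.link_mtu = int(m.group(1))
            continue
        m = TUN_MTU_RE.search(line)
        if m:
            st.tun_mtu = int(m.group(1))
            continue
        if "Initialization Sequence Completed" in line:
            st.completed = True
    return st

def triage(st: TunnelState) -> List[str]:
    """Return the follow-up checks suggested by the parsed state (general OpenVPN guidance)."""
    findings: List[str] = []
    if not st.completed:
        findings.append("client never logged 'Initialization Sequence Completed'; fix the handshake first")
        return findings
    if st.transport == "TCP":
        findings.append(
            f"transport is TCP with tun MTU {st.tun_mtu}: if small pings pass but larger packets stall or "
            "take seconds, test path MTU through the tunnel and consider lowering tun-mtu / setting mssfix"
        )
    if st.redirect_gateway and not st.dns:
        findings.append("full tunnel (redirect-gateway) pushed but no DNS server pushed")
    for d in st.dns:
        try:
            if ipaddress.ip_address(d).is_private:
                findings.append(
                    f"pushed DNS {d} is a private address: it is reachable only if the server "
                    "forwards and NATs traffic from the tunnel subnet to that network"
                )
        except ValueError:
            findings.append(f"pushed DNS value {d!r} is not an IP address")
    return findings

if __name__ == "__main__":
    state = parse_client_log(SAMPLE_LOG)
    print(f"transport={state.transport} local={state.local_ip} peer={state.peer_ip} dns={state.dns}")
    for f in triage(state):
        print("-", f)
```

Run it against a saved Tunnelblick or OpenVPN client log; the parsed fields tell you what to compare between a working client (the colleague's Mac) and a failing one, and the findings are the checks to perform next, starting with an MTU probe when the transport is TCP.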