I successfully set up an OpenVPN server on a DigitalOcean droplet following this excellent tutorial: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04
Then I also created an HTTP proxy server with Squid on a different droplet.
When I try to connect to my VPN server, the client log shows 503 Service Unavailable. Also, when I try to curl my VPN server, the result is still the same:
curl -I -x myproxy.com:80 http://myvpn.com:1194 or curl -I -x myproxy.com:80 http://myvpn.com
I turned off ufw on my OpenVPN server; the result is still the same.
Where should I fix this? My OpenVPN server? The iptables on my OpenVPN server? My Squid proxy config?
Please help..
OpenVPN server configuration.
Server config file
port 1194
proto udp  # server listens on UDP only; the client config below uses proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1  # UDP-only option
Client config file
client
dev tun
proto tcp  # must match the proto the server listens on
remote rl.rltech.xyz 1194 # domain I attached to my vpn server
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
http-proxy proxy.rltech.xyz 80 # domain I attached my proxy server (squid proxy running on port 80)
http-proxy-retry
http-proxy-timeout 5
http-proxy-option CUSTOM-HEADER Host www.googlevideo.com
http-proxy-option CUSTOM-HEADER X-Forwarded-For www.googlevideo.com
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
key-direction 1
verb 3
;mute 20
; script-security 2
; up /etc/openvpn/update-resolv-conf
; down /etc/openvpn/update-resolv-conf
; script-security 2
; up /etc/openvpn/update-systemd-resolved
; down /etc/openvpn/update-systemd-resolved
; down-pre
; dhcp-option DOMAIN-ROUTE .
<ca>
-----BEGIN CERTIFICATE-----
cert here ..
-----END CERTIFICATE-----
</ca>
iptables.sh (the only rules on my VPN server)
#!/bin/bash
iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT  # UDP 1194 only; no rule for TCP 1194
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:openvpn
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
Proxy server
squid config file
acl SSL_ports port 1194 # OpenVPN
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 1194 # OpenVPN
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
dns_nameservers 1.1.1.1 1.0.0.1
http_access allow all  # open proxy: any source may use it; restrict to the VPN client's addresses in production
http_port 80
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
Answer 1
According to the documentation here, you have to use TCP with the http-proxy directive, so try setting proto tcp
in both the server and client configs.
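What the client's http-proxy setting does on the wire, as an added example that is not part of the original question or answers: OpenVPN asks the proxy for a CONNECT tunnel, which is a raw TCP stream, so the VPN endpoint behind the proxy has to speak TCP. The code below builds that request (including the CUSTOM-HEADER lines from the posted client config), parses the proxy's reply, and shows what a refused tunnel looks like. The host names are the ones from the question; the two Squid replies are constructed samples, not captured traffic.

```python
"""Reproduce OpenVPN's --http-proxy CONNECT handshake without OpenVPN.

Added example; names are placeholders from the question, responses are
constructed samples.
"""
import socket
from typing import Dict, Iterable, Tuple

VPN_HOST = "rl.rltech.xyz"       # 'remote' in the posted client config
VPN_PORT = 1194
PROXY_HOST = "proxy.rltech.xyz"  # 'http-proxy' in the posted client config
PROXY_PORT = 80

# Constructed sample replies (not real captures). Squid answers a CONNECT it
# cannot complete with 503 and an X-Squid-Error header; a working tunnel is 200.
SAMPLE_REFUSED = (
    b"HTTP/1.1 503 Service Unavailable\r\n"
    b"Server: squid\r\n"
    b"X-Squid-Error: ERR_CONNECT_FAIL 111\r\n"
    b"\r\n"
    b"<html>error page</html>"
)
SAMPLE_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"


def build_connect_request(host: str, port: int,
                          custom_headers: Iterable[Tuple[str, str]] = ()) -> bytes:
    """The request OpenVPN sends for 'http-proxy' (HTTP/1.0 by default) plus
    one line per 'http-proxy-option CUSTOM-HEADER name value'."""
    lines = [f"CONNECT {host}:{port} HTTP/1.0"]
    lines += [f"{name}: {value}" for name, value in custom_headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_proxy_response(raw: bytes) -> Tuple[int, str, Dict[str, str]]:
    """Return (status_code, reason, headers) from the proxy's reply to CONNECT.
    Anything but 200 means no tunnel; OpenVPN logs the status line as-is."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    code = int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return code, reason, headers


def tunnel_is_open(raw: bytes) -> bool:
    return parse_proxy_response(raw)[0] == 200


def diagnose(raw: bytes) -> str:
    """Turn a refused CONNECT into the question to ask next."""
    code, reason, headers = parse_proxy_response(raw)
    if code == 200:
        return "tunnel open: the proxy reached the VPN host on TCP"
    err = headers.get("x-squid-error", "")
    if err.startswith("ERR_CONNECT_FAIL"):
        return (f"{code} {reason}: the proxy could not open a TCP connection to "
                f"the VPN host; is anything listening on TCP {VPN_PORT} there?")
    return f"{code} {reason}: refused by the proxy ({err or 'no X-Squid-Error'})"


def connect_through_proxy(timeout: float = 5.0) -> Tuple[int, str]:
    """Live check, needs network access: the same handshake the client config
    performs, returning the proxy's status code and reason."""
    with socket.create_connection((PROXY_HOST, PROXY_PORT), timeout=timeout) as s:
        s.sendall(build_connect_request(VPN_HOST, VPN_PORT, [("Host", VPN_HOST)]))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
        code, reason, _ = parse_proxy_response(buf)
        return code, reason


if __name__ == "__main__":
    print(build_connect_request(VPN_HOST, VPN_PORT, [("Host", "www.googlevideo.com")]).decode())
    print(diagnose(SAMPLE_REFUSED))
    print(diagnose(SAMPLE_OK))
```

The `curl -I -x proxy http://vpn:1194` from the question sends a plain GET through the proxy, not a CONNECT, so it does not exercise the same path; `connect_through_proxy()` does. With the server on `proto udp` nothing listens on TCP 1194, so the proxy's TCP connect fails and the 503 is expected regardless of the VPN server's firewall.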
Answer 2
Following @demathos
I deployed another openvpn server instance, and now running are:
openvpn@server - 1194/udp
openvpn@server1 - 1194/tcp
netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      733/sshd
tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN      24288/openvpn
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      616/systemd-resolve
tcp6       0      0 :::22                   :::*                    LISTEN      733/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      20175/(squid-1)
udp        0      0 127.0.0.53:53           0.0.0.0:*                           616/systemd-resolve
udp        0      0 0.0.0.0:33916           0.0.0.0:*                           20175/(squid-1)
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           19762/openvpn
udp6       0      0 :::33573                :::*                                20175/(squid-1)
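Deriving the second, TCP instance from the posted UDP server config, as an added example that is not part of the original answers: two things bite when you copy server.conf to a TCP instance. OpenVPN refuses to start a TCP instance that still carries `explicit-exit-notify` (it is UDP-only), and the posted iptables.sh only accepts UDP 1194, which currently works only because the INPUT policy is ACCEPT. The file name server1.conf and the /etc/openvpn/<name>.conf layout of Ubuntu's openvpn@.service template are assumptions; the sample config in the test is constructed.

```python
"""Make a TCP copy of an OpenVPN UDP server config and check the firewall.

Added example; file names follow answer 2 and are assumptions.
"""
import os
import re
from typing import List

# OpenVPN rejects a TCP instance that keeps this option
# ("--explicit-exit-notify can only be used with --proto udp").
UDP_ONLY_OPTIONS = {"explicit-exit-notify"}


def tcp_variant(udp_conf: str) -> str:
    """Return the same config with proto tcp and UDP-only options commented out.
    Everything else (certs, push, cipher, status log) is kept as-is."""
    out: List[str] = []
    for line in udp_conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            out.append(line)
            continue
        keyword = stripped.split()[0]
        if keyword == "proto":
            out.append("proto tcp")
        elif keyword in UDP_ONLY_OPTIONS:
            out.append(f"# {stripped}  (UDP only, removed for the TCP instance)")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def has_tcp_accept_rule(iptables_script: str, port: int = 1194) -> bool:
    """True if the script has an INPUT rule accepting TCP to `port`."""
    pat = re.compile(r"iptables\s+-[AI]\s+INPUT\b.*-p\s+tcp\b.*--dport\s+%d\b" % port)
    return any(pat.search(line) for line in iptables_script.splitlines())


def tcp_accept_rule(port: int = 1194, iface: str = "eth0") -> str:
    """The rule missing from the posted iptables.sh, mirroring its UDP line."""
    return (f"iptables -A INPUT -i {iface} -m state --state NEW "
            f"-p tcp --dport {port} -j ACCEPT")


def write_tcp_instance(src: str = "/etc/openvpn/server.conf",
                       dst: str = "/etc/openvpn/server1.conf") -> str:
    """Write the TCP config next to the UDP one; start it with
    'systemctl start openvpn@server1'. Returns the text written."""
    with open(src, encoding="utf-8") as f:
        text = tcp_variant(f.read())
    with open(dst, "w", encoding="utf-8") as f:
        f.write(text)
    return text


if __name__ == "__main__":
    if os.path.exists("/etc/openvpn/server.conf"):
        print(write_tcp_instance())
    if os.path.exists("iptables.sh"):
        with open("iptables.sh", encoding="utf-8") as f:
            if not has_tcp_accept_rule(f.read()):
                print("add:", tcp_accept_rule())
```

Both instances share the same tun device name prefix and the same `server 10.8.0.0 255.255.255.0` pool; if you keep both running long-term, give the TCP instance its own subnet and status log so the two do not hand out overlapping addresses.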