I have a Mac user (macOS Catalina, 10.15.7) who can connect to our AWS Client VPN, but in doing so loses wider internet access. The user is not technical (and is not remote), and I am not a Mac user and have no Mac to test this on.
With the same AWS Client VPN, Windows 10 (19041) keeps internet access through both the OpenVPN client and the AWS client. We use the same configuration file.
The purpose of the VPN is to keep users safe on unknown networks, so it is a pass-through setup. Users do not need access to our AWS resources.
I need all traffic to be routed through the VPN while it is active. I think the relevant line (full log below) is:
2020-11-24 16:14:23.404 +00:00 [DBG] CM received: >LOG:1606234460,,PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route-gateway 10.0.5.33,topology subnet,ping 1,ping-restart 20,ifconfig 10.0.5.34 255.255.255.224'
This is the AWS Client VPN server telling the client that all traffic must go through the gateway (redirect-gateway def1).
The Mac has no other active VPN tunnels.
Given that the user is non-technical, and that I can only do a video screen share when they are disconnected from the VPN, what steps should I take to troubleshoot this?
Full connection log
From the AWS Mac client. Names have been changed to protect the innocent.
2020-11-24 16:12:46.578 +00:00 [INF] Logger initialized
2020-11-24 16:12:46.795 +00:00 [INF] Current OS Information:
2020-11-24 16:12:46.798 +00:00 [INF] Platform: "Unix"
2020-11-24 16:12:46.805 +00:00 [INF] Version String: Unix 19.6.0.0
2020-11-24 16:12:46.808 +00:00 [INF] OS description: Unix 19.6.0.0
2020-11-24 16:12:46.808 +00:00 [INF] OSX detected.
2020-11-24 16:12:47.117 +00:00 [DBG] Auto culture: en-GB Auto UI culture: en-GB
2020-11-24 16:12:47.286 +00:00 [DBG] openVpnExePath: /Applications/AWS VPN Client/AWS VPN Client.app/Contents/Resources/openvpn/acvc-openvpn
2020-11-24 16:12:47.286 +00:00 [DBG] helperToolExePath: /Applications/AWS VPN Client/AWS VPN Client.app/Contents/Resources/AWS VPN Client/Contents/MacOS/ACVCHelperTool
2020-11-24 16:12:47.293 +00:00 [INF] No existing profile store. Create an empty one in /Users/username/.config/AWSVPNClient/ConnectionProfiles
2020-11-24 16:12:47.315 +00:00 [INF] Saving profile store to /Users/username/.config/AWSVPNClient/ConnectionProfiles
2020-11-24 16:12:47.639 +00:00 [DBG] macOS viewDidLoad
2020-11-24 16:12:48.452 +00:00 [DBG] Current metadata schema version is 1, which is less or equal to current supported version: 1.
2020-11-24 16:14:09.349 +00:00 [INF] Adding profile with name: XXX London, OpenVPN config file: /Users/username/Downloads/Open VPN Configuration File (1).ovpn
2020-11-24 16:14:09.359 +00:00 [INF] Validating OpenVPN config /Users/username/Downloads/Open VPN Configuration File (1).ovpn
2020-11-24 16:14:09.361 +00:00 [INF] File size of /Users/username/Downloads/Open VPN Configuration File (1).ovpn: 4564 bytes
2020-11-24 16:14:09.362 +00:00 [INF] Validating schema for OpenVPN config: /Users/username/Downloads/Open VPN Configuration File (1).ovpn
2020-11-24 16:14:09.386 +00:00 [INF] Successfully validated /Users/username/Downloads/Open VPN Configuration File (1).ovpn
2020-11-24 16:14:09.387 +00:00 [INF] Copying OpenVPN config to application local with name: XXX London, from source: /Users/username/Downloads/Open VPN Configuration File (1).ovpn
2020-11-24 16:14:09.394 +00:00 [INF] For OpenVPN config: /Users/username/Downloads/Open VPN Configuration File (1).ovpn, CvpnEndpointId: cvpn-endpoint-061a750f73ce6c477, CvpnEndpointRegion: eu-west-2
2020-11-24 16:14:09.400 +00:00 [INF] Saving profile store to /Users/username/.config/AWSVPNClient/ConnectionProfiles
2020-11-24 16:14:15.202 +00:00 [INF] Saving profile store to /Users/username/.config/AWSVPNClient/ConnectionProfiles
2020-11-24 16:14:15.211 +00:00 [INF] Connecting /Users/username/.config/AWSVPNClient/OpenVpnConfigs/XXX London
2020-11-24 16:14:15.219 +00:00 [DBG] validationString: /Users/username/.config/AWSVPNClient/OpenVpnConfigs/XXX London
1606234465
2020-11-24 16:14:15.418 +00:00 [INF] Starting OpenVpn process
2020-11-24 16:14:15.421 +00:00 [DBG] Starting process
2020-11-24 16:14:15.453 +00:00 [DBG] Start to read process output
2020-11-24 16:14:18.826 +00:00 [DBG] End reading process output
2020-11-24 16:14:18.884 +00:00 [DBG] Helper app --init output: Kill success.
2020-11-24 16:14:18.884 +00:00 [DBG] Connecting using command /Applications/AWS VPN Client/AWS VPN Client.app/Contents/Resources/AWS VPN Client/Contents/MacOS/ACVCHelperTool --start -c "/Users/username/.config/AWSVPNClient/OpenVpnConfigs/current_connection.txt" -p "/Users/username/.config/AWSVPNClient/acvc-8096.txt"
2020-11-24 16:14:18.884 +00:00 [DBG] Starting process
2020-11-24 16:14:18.889 +00:00 [DBG] Start to read process output
2020-11-24 16:14:19.540 +00:00 [DBG] End reading process output
2020-11-24 16:14:19.594 +00:00 [DBG] Helper app --start output: Start success.
2020-11-24 16:14:19.635 +00:00 [INF] Connecting to management interface... host 127.0.0.1, port 8096
2020-11-24 16:14:19.652 +00:00 [DBG] Socket connected
2020-11-24 16:14:19.652 +00:00 [DBG] Starting to listen to management port
2020-11-24 16:14:19.656 +00:00 [DBG] Called isAliveProcess
2020-11-24 16:14:19.667 +00:00 [INF] Received bytes: 15
2020-11-24 16:14:19.668 +00:00 [DBG] Message marshalling complete
2020-11-24 16:14:19.675 +00:00 [DBG] CM received: ENTER PASSWORD:
2020-11-24 16:14:19.678 +00:00 [DBG] CM processsing: ENTER PASSWORD:
2020-11-24 16:14:19.679 +00:00 [DBG] Port needs password to connect
2020-11-24 16:14:19.680 +00:00 [DBG] Sending port password
2020-11-24 16:14:19.683 +00:00 [INF] Begin receive init again
2020-11-24 16:14:19.683 +00:00 [INF] Received bytes: 105
2020-11-24 16:14:19.684 +00:00 [DBG] Message marshalling complete
2020-11-24 16:14:19.684 +00:00 [DBG] CM received: SUCCESS: password is correct
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
2020-11-24 16:14:19.684 +00:00 [DBG] CM processsing: SUCCESS: password is correct
2020-11-24 16:14:19.684 +00:00 [DBG]
Answer 1
I ran into the same problem. Changing IPv6 from Automatic to Link-local only, or disabling IPv6 on the LAN, fixed it for me. Win10 did not have the problem because IPv6 was disabled there. mforsetti's suggestion to look at the routing table helped me discover that IPv6 was the culprit in my case.
Answer 2
Check your DNS requests. A user with no internet should be able to ping Google's name server (e.g. 8.8.8.8), but resolving the DNS name google.com should fail (dig google.com).
If that is the case, you need to go into your AWS Client VPN endpoint and allow the user access (via an authorization rule) to the subnet IP addresses the endpoint places them in, so that their host can use that subnet's DNS server. If you don't want to do that, you will have to have the Mac user reconfigure their device to point at the name servers they actually want.
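As an added example (not from the question or either answer), the following Python script pulls the pushed options out of the PUSH_REPLY line quoted in the question and reports the three things the two answers turn on: whether the server redirects IPv4, whether it also redirects IPv6 (answer 1), and whether it pushes a DNS server (answer 2). The second log line is a constructed, hypothetical reply used only for comparison; its addresses are made up.

```python
import re

# The PUSH_REPLY line quoted in the question (copied from the AWS VPN Client log).
QUESTION_LINE = ("2020-11-24 16:14:23.404 +00:00 [DBG] CM received: >LOG:1606234460,,PUSH: "
                 "Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,"
                 "route-gateway 10.0.5.33,topology subnet,ping 1,ping-restart 20,"
                 "ifconfig 10.0.5.34 255.255.255.224'")
# Constructed (hypothetical) reply that also redirects IPv6 and pushes a resolver,
# for comparison. Addresses are made up.
FULL_TUNNEL_LINE = ("[DBG] CM received: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp ipv6,"
                    "route-gateway 10.0.5.33,dhcp-option DNS 10.0.0.2,"
                    "ifconfig 10.0.5.34 255.255.255.224'")
PUSH_RE = re.compile(r"'PUSH_REPLY,([^']*)'")


def parse_push_reply(line):
    """Return the pushed options as (name, args) tuples, or None if the line
    carries no PUSH_REPLY."""
    m = PUSH_RE.search(line)
    if m is None:
        return None
    options = []
    for item in m.group(1).split(","):
        words = item.split()
        if words:
            options.append((words[0], words[1:]))
    return options


def assess_push(options):
    """Report the points both answers turn on: is IPv4 redirected, is IPv6
    redirected, and is a DNS server pushed?"""
    redirect_flags = {f for name, args in options
                      if name == "redirect-gateway" for f in args}
    return {
        "redirects_ipv4": any(name == "redirect-gateway" for name, _ in options),
        # Without the 'ipv6' flag a dual-stack Mac keeps its native IPv6 default
        # route, so IPv6 traffic bypasses the tunnel (answer 1's culprit).
        "redirects_ipv6": "ipv6" in redirect_flags,
        # With no pushed resolver the client keeps the resolver it had before
        # connecting; answer 2's ping-vs-dig check tells whether that resolver
        # is still reachable once IPv4 is forced into the tunnel.
        "pushes_dns": any(name == "dhcp-option" and args[:1] == ["DNS"]
                          for name, args in options),
        "route_gateway": next((args[0] for name, args in options
                               if name == "route-gateway"), None),
    }
```

Run it over the full client log by calling parse_push_reply on each line and assessing the first non-None result.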