I am hosting an OpenVPN server (I followed this tutorial) and I am running into some problems on the client side.
When I use my phone as a hotspot and log into the VPN from my Mac (over the phone's connection), everything works fine.
However, when I log into the VPN from my home Wi-Fi, the behaviour is very strange: I can run ssh sessions, ping anywhere I want, etc. (DNS is working). But whenever I try to send an HTTP/HTTPS request, it gets blocked somehow... This is odd, because I am using the same VPN configuration! Why does the server block it this time?
I have tried both the OpenVPN client and Tunnelblick (in all cases the client runs on a MacBook Pro with macOS Big Sur), but both hit the same problem. When I compare the logs from one connection with the other (phone hotspot vs. Wi-Fi), they are very similar and I cannot see any difference (apart from the default gateway IP, which makes sense).
Any idea what is causing this?
Here is the Tunnelblick log, just in case (I replaced the OpenVPN server IP with SE.RV.ER.IP):
2020-12-30 22:32:07.120527 *Tunnelblick: macOS 11.1 (20C69); Tunnelblick 3.8.4a (build 5601)
2020-12-30 22:32:07.630497 *Tunnelblick: Attempting connection with emmanuel-mac using shadow copy; Set nameserver = 769; monitoring connection
2020-12-30 22:32:07.631264 *Tunnelblick: openvpnstart start emmanuel-mac.tblk 49877 769 0 1 0 1098032 -ptADGNWradsgnw 2.4.9-openssl-1.1.1i
2020-12-30 22:32:07.653760 *Tunnelblick: openvpnstart starting OpenVPN
2020-12-30 22:32:08.015592 OpenVPN 2.4.9 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Dec 14 2020
2020-12-30 22:32:08.015704 library versions: OpenSSL 1.1.1i 8 Dec 2020, LZO 2.10
2020-12-30 22:32:08.017154 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:49877
2020-12-30 22:32:08.017191 Need hold release from management interface, waiting...
2020-12-30 22:32:08.257068 *Tunnelblick: openvpnstart log:
OpenVPN started successfully.
Command used to start OpenVPN (one argument per displayed line):
/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.9-openssl-1.1.1i/openvpn
--daemon
--log /Library/Application Support/Tunnelblick/Logs/-SUsers-Semmanuel-SLibrary-SApplication Support-STunnelblick-SConfigurations-Semmanuel--mac.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_1098032.49877.openvpn.log
--cd /Library/Application Support/Tunnelblick/Users/emmanuel/emmanuel-mac.tblk/Contents/Resources
--machine-readable-output
--setenv IV_GUI_VER "net.tunnelblick.tunnelblick 5601 3.8.4a (build 5601)"
--verb 3
--config /Library/Application Support/Tunnelblick/Users/emmanuel/emmanuel-mac.tblk/Contents/Resources/config.ovpn
--setenv TUNNELBLICK_CONFIG_FOLDER /Library/Application Support/Tunnelblick/Users/emmanuel/emmanuel-mac.tblk/Contents/Resources
--verb 3
--cd /Library/Application Support/Tunnelblick/Users/emmanuel/emmanuel-mac.tblk/Contents/Resources
--management 127.0.0.1 49877 /Library/Application Support/Tunnelblick/dajnhpfeahklmohhfdnalmmjkfndbajhjflgbmin.mip
--management-query-passwords
--management-hold
--script-security 2
--route-up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
--down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
2020-12-30 22:32:08.268874 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:49877
2020-12-30 22:32:08.323857 MANAGEMENT: CMD 'pid'
2020-12-30 22:32:08.324000 MANAGEMENT: CMD 'auth-retry interact'
2020-12-30 22:32:08.324053 MANAGEMENT: CMD 'state on'
2020-12-30 22:32:08.324098 MANAGEMENT: CMD 'state'
2020-12-30 22:32:08.324151 MANAGEMENT: CMD 'bytecount 1'
2020-12-30 22:32:08.324988 *Tunnelblick: Established communication with OpenVPN
2020-12-30 22:32:08.355199 *Tunnelblick: >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
2020-12-30 22:32:08.358526 MANAGEMENT: CMD 'hold release'
2020-12-30 22:32:08.358727 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2020-12-30 22:32:08.361291 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2020-12-30 22:32:08.361329 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2020-12-30 22:32:08.361568 TCP/UDP: Preserving recently used remote address: [AF_INET]SE.RV.ER.IP:3000
2020-12-30 22:32:08.361690 Socket Buffers: R=[786896->786896] S=[9216->9216]
2020-12-30 22:32:08.361726 UDP link local: (not bound)
2020-12-30 22:32:08.361750 UDP link remote: [AF_INET]SE.RV.ER.IP:3000
2020-12-30 22:32:08.361793 MANAGEMENT: >STATE:1609360328,WAIT,,,,,,
2020-12-30 22:32:08.427380 MANAGEMENT: >STATE:1609360328,AUTH,,,,,,
2020-12-30 22:32:08.427445 TLS: Initial packet from [AF_INET]SE.RV.ER.IP:3000, sid=a1c1b644 16b7bcc4
2020-12-30 22:32:08.502026 VERIFY OK: depth=1, CN=OpenVPN-Homemade CA
2020-12-30 22:32:08.507011 VERIFY KU OK
2020-12-30 22:32:08.507082 Validating certificate extended key usage
2020-12-30 22:32:08.507107 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2020-12-30 22:32:08.507129 VERIFY EKU OK
2020-12-30 22:32:08.507150 VERIFY OK: depth=0, CN=SE.RV.ER.IP
2020-12-30 22:32:08.587610 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
2020-12-30 22:32:08.587887 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2020-12-30 22:32:08.588274 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
2020-12-30 22:32:08.588362 [SE.RV.ER.IP] Peer Connection Initiated with [AF_INET]SE.RV.ER.IP:3000
2020-12-30 22:32:09.876934 MANAGEMENT: >STATE:1609360329,GET_CONFIG,,,,,,
2020-12-30 22:32:09.877057 SENT CONTROL [SE.RV.ER.IP]: 'PUSH_REQUEST' (status=1)
2020-12-30 22:32:09.940358 PUSH: Received control message: 'PUSH_REPLY,block-outside-dns,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,comp-lzo no,route 192.168.255.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.255.6 192.168.255.5,peer-id 2,cipher AES-256-GCM'
2020-12-30 22:32:09.940554 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:1: block-outside-dns (2.4.9)
2020-12-30 22:32:09.940724 OPTIONS IMPORT: timers and/or timeouts modified
2020-12-30 22:32:09.940772 OPTIONS IMPORT: compression parms modified
2020-12-30 22:32:09.940808 OPTIONS IMPORT: --ifconfig/up options modified
2020-12-30 22:32:09.940839 OPTIONS IMPORT: route options modified
2020-12-30 22:32:09.940867 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2020-12-30 22:32:09.940896 OPTIONS IMPORT: peer-id set
2020-12-30 22:32:09.940924 OPTIONS IMPORT: adjusting link_mtu to 1624
2020-12-30 22:32:09.947147 OPTIONS IMPORT: data channel crypto options modified
2020-12-30 22:32:09.947187 Data Channel: using negotiated cipher 'AES-256-GCM'
2020-12-30 22:32:09.947397 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-12-30 22:32:09.947428 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-12-30 22:32:09.947790 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2020-12-30 22:32:09.947822 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2020-12-30 22:32:09.947868 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2020-12-30 22:32:09.947883 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2020-12-30 22:32:09.950540 Opened utun device utun4
2020-12-30 22:32:09.951157 MANAGEMENT: >STATE:1609360329,ASSIGN_IP,,192.168.255.6,,,,
2020-12-30 22:32:09.951198 /sbin/ifconfig utun4 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2020-12-30 22:32:09.969424 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2020-12-30 22:32:09.969649 /sbin/ifconfig utun4 192.168.255.6 192.168.255.5 mtu 1500 netmask 255.255.255.255 up
2020-12-30 22:32:09.974095 /sbin/route add -net SE.RV.ER.IP 10.0.0.138 255.255.255.255
add net SE.RV.ER.IP: gateway 10.0.0.138
2020-12-30 22:32:09.982603 /sbin/route add -net 0.0.0.0 192.168.255.5 128.0.0.0
add net 0.0.0.0: gateway 192.168.255.5
2020-12-30 22:32:09.985841 /sbin/route add -net 128.0.0.0 192.168.255.5 128.0.0.0
add net 128.0.0.0: gateway 192.168.255.5
2020-12-30 22:32:09.989094 MANAGEMENT: >STATE:1609360329,ADD_ROUTES,,,,,,
2020-12-30 22:32:09.989758 /sbin/route add -net 192.168.255.1 192.168.255.5 255.255.255.255
add net 192.168.255.1: gateway 192.168.255.5
22:32:10 *Tunnelblick: **********************************************
22:32:10 *Tunnelblick: Start of output from client.up.tunnelblick.sh
22:32:12 *Tunnelblick: Disabled IPv6 for 'LPSS Serial Adapter (1)'
22:32:12 *Tunnelblick: Disabled IPv6 for 'LPSS Serial Adapter (2)'
22:32:12 *Tunnelblick: Disabled IPv6 for 'USB 10/100/1000 LAN'
22:32:12 *Tunnelblick: Disabled IPv6 for 'Wi-Fi'
22:32:12 *Tunnelblick: Disabled IPv6 for 'Bluetooth PAN'
22:32:12 *Tunnelblick: Disabled IPv6 for 'Thunderbolt Bridge'
22:32:12 *Tunnelblick: Retrieved from OpenVPN: name server(s) [ 8.8.8.8 8.8.4.4 ], search domain(s) [ ] and SMB server(s) [ ] and using default domain name [ openvpn ]
22:32:12 *Tunnelblick: Not aggregating ServerAddresses because running on macOS 10.6 or higher
22:32:12 *Tunnelblick: Setting search domains to 'openvpn' because the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected
22:32:14 *Tunnelblick: Saved the DNS and SMB configurations so they can be restored
22:32:14 *Tunnelblick: Changed DNS ServerAddresses setting from '10.0.0.138' to '8.8.8.8 8.8.4.4'
22:32:14 *Tunnelblick: Changed DNS SearchDomains setting from 'Home' to 'openvpn'
22:32:14 *Tunnelblick: Changed DNS DomainName setting from '' to 'openvpn'
22:32:14 *Tunnelblick: Did not change SMB NetBIOSName setting of ''
22:32:14 *Tunnelblick: Did not change SMB Workgroup setting of ''
22:32:14 *Tunnelblick: Did not change SMB WINSAddresses setting of ''
22:32:14 *Tunnelblick: DNS servers '8.8.8.8 8.8.4.4' will be used for DNS queries when the VPN is active
22:32:14 *Tunnelblick: The DNS servers include only free public DNS servers known to Tunnelblick.
22:32:14 *Tunnelblick: Flushed the DNS cache via dscacheutil
22:32:14 *Tunnelblick: /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
22:32:14 *Tunnelblick: Notified mDNSResponder that the DNS cache was flushed
22:32:14 *Tunnelblick: Not notifying mDNSResponderHelper that the DNS cache was flushed because it is not running
22:32:14 *Tunnelblick: Setting up to monitor system configuration with process-network-changes
22:32:14 *Tunnelblick: End of output from client.up.tunnelblick.sh
22:32:14 *Tunnelblick: **********************************************
2020-12-30 22:32:14.354487 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2020-12-30 22:32:14.354550 Initialization Sequence Completed
2020-12-30 22:32:14.354625 MANAGEMENT: >STATE:1609360334,CONNECTED,SUCCESS,192.168.255.6,SE.RV.ER.IP,3000,,
2020-12-30 22:32:15.585018 *Tunnelblick: Routing info stdout:
route to: 127.0.0.1
destination: 127.0.0.1
interface: lo0
flags: <UP,HOST,DONE,LOCAL>
recvpipe sendpipe ssthresh rtt,msec rttvar hopcount mtu expire
49152 49152 0 7 14 0 16384 0
stderr:
2020-12-30 22:32:15.589686 *Tunnelblick: Warning: DNS server address 127.0.0.1 is not a public IP address and is not being routed through the VPN.
2020-12-30 22:32:15.689957 *Tunnelblick: DNS address 8.8.4.4 is being routed through the VPN
2020-12-30 22:32:15.796318 *Tunnelblick: DNS address 8.8.8.8 is being routed through the VPN
2020-12-30 22:32:58.125526 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's name after connecting.
2020-12-30 22:33:36.295807 *Tunnelblick: An error occurred fetching IP address information using the ipInfo host's IP address after connecting
Thanks for your help!
Answer 1
@bitinerant's comment helped me find the solution.
Following this article, I was able to set the MTU to the correct value, which made the connection work.
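A worked version of the check behind this answer, added here as an example and not code from the question, the answer or the linked article. The symptom in the question (ssh and ping work, HTTP/HTTPS hangs) is the classic sign of a path that cannot carry full-size packets: small packets fit, but full-size TCP segments with the Don't-Fragment bit set are silently dropped. The script below finds the largest ICMP payload that passes with DF set (binary search over `ping`), converts it to the path MTU, and derives the `mssfix` value for OpenVPN 2.4, whose `--mssfix` counts the UDP payload and therefore excludes the 28 bytes of outer IPv4+UDP headers. The `ping` flags (`-D` on macOS/BSD, `-M do` on Linux) and the choice of probing the server's public address from each network are my assumptions; the `simulated_path` helper is a constructed stand-in so the logic can be exercised offline.

```python
import subprocess
import sys
from typing import Callable, Dict

# IPv4 framing constants used to convert an ICMP payload size into an MTU.
IPV4_HEADER = 20
ICMP_HEADER = 8
UDP_HEADER = 8
ETHERNET_MTU = 1500


def ping_df_probe(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one ICMP echo of `payload` bytes with Don't-Fragment set.

    Returns True when a reply arrives, i.e. the whole packet fit the path MTU.
    Flag choice is platform-specific (assumption): macOS/BSD ping uses -D,
    Linux iputils ping uses -M do.
    """
    if sys.platform == "darwin" or "bsd" in sys.platform:
        cmd = ["ping", "-D", "-c", "1", "-s", str(payload), host]
    else:
        cmd = ["ping", "-M", "do", "-c", "1", "-s", str(payload), host]
    try:
        return subprocess.run(cmd, capture_output=True, timeout=timeout_s).returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def largest_unfragmented_payload(probe: Callable[[int], bool],
                                 lo: int = 0,
                                 hi: int = ETHERNET_MTU - IPV4_HEADER - ICMP_HEADER,
                                 attempts: int = 1) -> int:
    """Binary search for the largest ICMP payload that passes with DF set.

    `probe(size)` is treated as monotone (if a size passes, smaller sizes pass);
    `attempts` retries a size before declaring it too big, to ride out packet loss.
    """
    def passes(size: int) -> bool:
        return any(probe(size) for _ in range(attempts))

    if not passes(lo):
        raise RuntimeError("smallest probe failed: host unreachable or ICMP blocked")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if passes(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu_from_payload(payload: int) -> int:
    """ICMP payload + ICMP header + IPv4 header = size of the largest IP packet that passed."""
    return payload + ICMP_HEADER + IPV4_HEADER


def recommended_mssfix(path_mtu: int) -> int:
    """OpenVPN 2.4 --mssfix limits the UDP payload it emits, so subtract outer IPv4+UDP headers."""
    return path_mtu - IPV4_HEADER - UDP_HEADER


def diagnose(probe: Callable[[int], bool], attempts: int = 1) -> Dict[str, int]:
    """Run the probe and return the path MTU, the mssfix to set, and whether MTU is suspect."""
    payload = largest_unfragmented_payload(probe, attempts=attempts)
    mtu = path_mtu_from_payload(payload)
    return {
        "largest_payload": payload,
        "path_mtu": mtu,
        "mssfix": recommended_mssfix(mtu),
        # A path MTU below 1500 on one network but not the other explains the symptom.
        "mtu_is_suspect": int(mtu < ETHERNET_MTU),
    }


def simulated_path(mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real link: a probe passes iff the whole IP packet fits."""
    return lambda payload: path_mtu_from_payload(payload) <= mtu


if __name__ == "__main__":
    # Usage: python mtu_probe.py SE.RV.ER.IP  (run once on the hotspot, once on home Wi-Fi)
    target = sys.argv[1] if len(sys.argv) > 1 else "SE.RV.ER.IP"
    result = diagnose(lambda n: ping_df_probe(target, n), attempts=2)
    print(result)
    if result["mtu_is_suspect"]:
        print(f"add to the client config: mssfix {result['mssfix']}")
```

Run it once on the phone hotspot and once on the home Wi-Fi; a smaller `path_mtu` on the Wi-Fi side is the difference the two near-identical Tunnelblick logs cannot show you. Setting `mssfix` (or, as in the answer, a lower `tun-mtu`) on the client then keeps encapsulated TCP segments under the real path MTU, which is what lets HTTP/HTTPS flow again.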