OpenVPN LAN connected, but client has no internet

I have been trying to get this working for a while. I have an openvpn server (installed with Angristan's script, https://github.com/angristan/openvpn-install) on an OpenVZ 7 VPS running Debian 10, so most of the configuration was handled by the script. It created a client config file (myClient.ovpn), which I downloaded to the client. On the client (Linux Mint 20.3) I am testing the connection with:

openvpn --client --config myClient.ovpn

It connects fine and I can now ping the VPN gateway, i.e. (from the client):

PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=87.9 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=86.6 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=86.6 ms
^C
--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 86.551/87.041/87.946/0.640 ms

But I cannot ping Google or anything else. It is obviously a routing/NAT problem, and with my limited knowledge I cannot find the error:

ping 8.8.8.8 fails.

DNS works fine: if I ping yahoo.com it resolves to the Yahoo IP, but again the ping fails.

$ ping yahoo.com
PING yahoo.com (74.6.143.25) 56(84) bytes of data.

--- yahoo.com ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3154ms

Server details:

OpenVPN version:

~# openvpn --version
OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 28 2021
library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Originally developed by James Yonan

uname -a

~#uname -a
Linux mySerer.domainHost.com 4.19.0 #1 SMP Tue Aug 25 11:59:26 MSK 2020 x86_64 GNU/Linux

Note: this is an OpenVZ 7 based VPS.

Server config:

server
cat /etc/openvpn/server.conf
port 2220
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_JCJHDggypybdTuKJ.crt
key server_JCJHDggypybdTuKJ.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 4 

Network details after starting the openvpn server:

~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
    link/void
    inet 127.0.0.1/32 scope host venet0
       valid_lft forever preferred_lft forever
    inet Y.Y.Y.Y/32 brd Y.Y.Y.Y scope global venet0:0
       valid_lft forever preferred_lft forever
    inet6 2402:x:x:x:x::dc37/80 scope global
       valid_lft forever preferred_lft forever
    inet6 ::2/128 scope global
       valid_lft forever preferred_lft forever
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::505f:b97:1101:5f33/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

On the server (iptables rules):

  iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      venet0  10.8.0.0/24          0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
# Warning: iptables-legacy tables present, use iptables-legacy to see them 

On the server, ip route:

 $ ip route
default dev venet0 scope link
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1

Forwarding state (on the server):

sysctl -a | grep forwarding
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.conf.venet0.forwarding = 1
net.ipv4.conf.venet0.mc_forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.tun0.forwarding = 0
net.ipv6.conf.tun0.mc_forwarding = 0
net.ipv6.conf.venet0.forwarding = 0
net.ipv6.conf.venet0.mc_forwarding = 0

The client is able to connect to the VPN and I can ping the VPN gateway (10.8.0.1), as mentioned above.

Routes on the client after connecting to the VPN:

route after connecting to VPN: 
$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.1        128.0.0.0       UG    0      0        0 tun0
default         CLIENT-HOSTNAME  0.0.0.0         UG    0      0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun0
SERVER-HOSTNAME  CLIENT-HOSTNAME 255.255.255.255 UGH   0      0        0 eth0
192.168.224.0   0.0.0.0         255.255.240.0   U     0      0        0 eth0

I am currently out of ideas, although the NAT rule on the server seems fine and the client routes also show the correct configuration. Since I am not familiar with networking I cannot figure it out. Setting up a simple VPN has taken a lot of time. Could this be related to the server being based on OpenVZ 7?

CSF runs fine, so I believe the modules that iptables needs are present on the server.

perl csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

I have tried this on a Debian 10 client as well as on Linux Mint 20.x; the behaviour is the same: the client can connect and can use the VPN LAN, but cannot browse the internet.

Please let me know if anything else is needed.
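The three command outputs the post shows (the nat table with its counters and backend warning, the sysctl forwarding keys, and the default route) can be checked mechanically. This is an added example, not part of the original post nor of the angristan script; it assumes Python 3 and embeds the post's own output as sample input:

```python
"""Offline audit of the OpenVPN NAT/forwarding state shown in the post (added
example, not the post's or the angristan script's code). It parses the text of
`iptables -t nat -L -n -v`, sysctl forwarding keys and `ip route` (samples copied
from the post) and flags the usual reasons a client reaches 10.8.0.1 but no further."""
import re

NAT_OUTPUT = """Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      venet0  10.8.0.0/24          0.0.0.0/0
# Warning: iptables-legacy tables present, use iptables-legacy to see them
"""
SYSCTL_OUTPUT = "net.ipv4.conf.all.forwarding = 1\nnet.ipv6.conf.all.forwarding = 0\n"
ROUTE_OUTPUT = "default dev venet0 scope link\n10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1\n"
# columns: pkts bytes target prot opt in out source destination (counters may carry K/M/G)
RULE_RE = re.compile(r"^\s*(?P<pkts>\d+[KMG]?)\s+\S+\s+MASQUERADE\s+\S+\s+\S+\s+"
                     r"(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)", re.M)
SCALE = {"K": 1000, "M": 1000_000, "G": 1000_000_000}
def parse_masquerade(nat_text):  # every MASQUERADE rule, with an integer packet counter
    rules = []
    for m in RULE_RE.finditer(nat_text):
        pkts = m["pkts"]
        scale = SCALE[pkts[-1]] if pkts[-1].isalpha() else 1
        rules.append({"pkts": int(pkts.rstrip("KMG")) * scale, "out": m["out"], "src": m["src"]})
    return rules

def forwarding_enabled(sysctl_text):  # IPv4 forwarding on, under either key sysctl may print
    values = dict(re.findall(r"^(\S+)\s*=\s*(\S+)", sysctl_text, re.M))
    return "1" in (values.get("net.ipv4.ip_forward"), values.get("net.ipv4.conf.all.forwarding"))

def default_iface(route_text):  # interface of the default route (venet0 on this OpenVZ VPS)
    m = re.search(r"^default .*?\bdev (\S+)", route_text, re.M)
    return m.group(1) if m else None

def audit(nat_text, sysctl_text, route_text, vpn_subnet="10.8.0.0/24"):  # [] = nothing obvious
    findings = []
    if not forwarding_enabled(sysctl_text):
        findings.append("ipv4-forwarding-disabled")
    wan = default_iface(route_text)
    rules = [r for r in parse_masquerade(nat_text) if r["src"] == vpn_subnet]
    if not rules:
        findings.append("no-masquerade-for-vpn-subnet")
    for r in rules:
        if r["out"] not in ("*", wan):  # NAT applied on the wrong egress interface
            findings.append("masquerade-out-iface-is-not-default-route-iface")
        if r["pkts"] == 0:  # rule exists but no client packet has ever hit it
            findings.append("masquerade-rule-never-matched")
    if "iptables-legacy tables present" in nat_text:  # two backends: rules may sit in the other one
        findings.append("mixed-iptables-backends")
    return findings
```

On the post's data the audit reports that the MASQUERADE rule has never matched a packet and that two iptables backends are present, which is where a practitioner would look first (the warning line itself names `iptables-legacy -t nat -L -n -v` as the way to see the other table).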
