我一直在尝试让它工作一段时间,我有一个 openvpn 服务器(使用 Angristan 安装https://github.com/angristan/openvpn-install) 在运行 debian 10 的 Openvz 7 vps 上。因此,大多数配置都由它处理。它创建了一个客户端配置文件 (myClient.ovpn),我在客户端上下载了该文件。在客户端(即 Linux Mint 20.3)上,我正在使用以下方法测试连接:
openvpn --client --config myClient.ovpn
连接正常,我现在可以 ping 通 vpn 网关,即(从客户端):
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=87.9 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=86.6 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=86.6 ms
^C
--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 86.551/87.041/87.946/0.640 ms
但我无法 ping 通谷歌或其他任何东西,显然是它的路由/ NAT 问题,我无法以我有限的知识找出错误:
ping 8.8.8.8失败了。
Dns 工作正常,如果我使用 ping yahoo.com,它会解析为 yahoo IP,但再次无法 ping 通。
$ ping yahoo.com
PING yahoo.com (74.6.143.25) 56(84) bytes of data.
--- yahoo.com ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3154ms```
服务器详细信息:
OpenVPN版本:
~# openvpn --version
OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 28 2021
library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
Originally developed by James Yonan
uname -a
~#uname -a
Linux mySerer.domainHost.com 4.19.0 #1 SMP Tue Aug 25 11:59:26 MSK 2020 x86_64 GNU/Linux
注意:这是一个基于 openvz 7 的 vps
服务器配置:
server
cat /etc/openvpn/server.conf
port 2220
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_JCJHDggypybdTuKJ.crt
key server_JCJHDggypybdTuKJ.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 4
启动 openvpn 服务器后的网络详细信息:
~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
link/void
inet 127.0.0.1/32 scope host venet0
valid_lft forever preferred_lft forever
inet Y.Y.Y.Y/32 brd Y.Y.Y.Y scope global venet0:0
valid_lft forever preferred_lft forever
inet6 2402:x:x:x:x::dc37/80 scope global
valid_lft forever preferred_lft forever
inet6 ::2/128 scope global
valid_lft forever preferred_lft forever
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
link/none
inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::505f:b97:1101:5f33/64 scope link stable-privacy
valid_lft forever preferred_lft forever
在服务器上(iptables 规则)
iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * venet0 10.8.0.0/24 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
# Warning: iptables-legacy tables present, use iptables-legacy to see them
在服务器上,ip 路由:
$ ip route
default dev venet0 scope link
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
转发状态(在服务器上)
sysctl -a | grep forwarding
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.conf.venet0.forwarding = 1
net.ipv4.conf.venet0.mc_forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.tun0.forwarding = 0
net.ipv6.conf.tun0.mc_forwarding = 0
net.ipv6.conf.venet0.forwarding = 0
net.ipv6.conf.venet0.mc_forwarding = 0
客户端能够连接到 VPN,我可以 ping 通 VPN 网关(10.8.0.1),正如上面提到的。
连接VPN后客户端上的路由:
route after connecting to VPN:
$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.8.0.1 128.0.0.0 UG 0 0 0 tun0
default CLIENT-HOSTNAME 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
128.0.0.0 10.8.0.1 128.0.0.0 UG 0 0 0 tun0
SERVER-HOSTNAME CLIENT-HOSTNAME 255.255.255.255 UGH 0 0 0 eth0
192.168.224.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
我目前没有主意,虽然服务器上的 NAT 规则似乎没问题,客户端路由也显示正确的配置。由于我不熟悉网络,所以搞不懂。设置简单的 VPN 竟然花费了大量时间。这是否与基于 openVZ 7 的服务器有关。
CSF 运行正常,因此我认为服务器上有 iptabless 所需的模块。
perl csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
我已经在 Debian 10 客户端以及 linuxmin 20.x 上尝试过,行为相同,客户端可以连接,可以使用 VPN 局域网,但无法浏览互联网。
如果还有其他需要,请告诉我。