我已经设置
服务器上的隧道
pid = /var/run/stunnel4/stunnel.pid
output = /var/log/stunnel4/stunnel.log
setuid = root
setgid = root
[openvpn]
cert=/etc/stunnel/cert.pem
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
sslVersion = TLSv1.2
key=/etc/stunnel/key.pem
accept = 0.0.0.0:8080
connect = 127.0.0.1:1194
客户端上的隧道
output = /Volumes/HDD/Users/steve/Desktop/stunnel/stunnel.log
pid = /Volumes/HDD/Users/steve/Desktop/stunnel/stunnel.pid
client = yes
[openvpn]
sni = www.bing.com
accept = 127.0.0.1:1194
connect = 23.95.191.205:8080
在我通过 OpenVPN 连接之前,使用以下命令将 IP 添加到网关(在 macOS 上)
sudo route -n add -net 23.95.191.254/27 192.168.1.1
sudo route -n add -net 23.95.191.205/27 192.168.1.1
然后我按下 OpenVPN 中的连接按钮(设置为使用 127.0.0.1 而不是服务器的公共 IP),它就连接了(非常快,没有问题,每次尝试它都会连接):
但我无法加载任何网站!
以下是服务器上的 stunnel 日志
2022.12.14 22:43:03 LOG5[27948:140462685611776]: Service [openvpn] accepted connection from 78.39.186.44:52571
2022.12.14 22:43:03 LOG5[27948:140462685611776]: connect_blocking: connected 127.0.0.1:1194
2022.12.14 22:43:03 LOG5[27948:140462685611776]: Service [openvpn] connected remote server from 127.0.0.1:46476
和客户
2022.12.15 02:13:03 LOG5[29]: Service [openvpn] accepted connection from 127.0.0.1:52570
2022.12.15 02:13:03 LOG5[29]: s_connect: connected 23.95.191.205:8080
2022.12.15 02:13:03 LOG5[29]: Service [openvpn] connected remote server from 192.168.1.100:52571
这是 iptables
iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
76 3114 udp2rawDwrW_46cc7010_C0 icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
285K 295M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
802 48092 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4239 300K INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4239 300K INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
4239 300K INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
399 18215 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
1640 150K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
19 1596 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
7791 506K FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
7791 506K FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
7791 506K FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
7790 506K FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
7790 506K FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
7790 506K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 ACCEPT all -- wg0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * wg0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 1709 packets, 212K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68
36495 6037K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
169K 278M OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public all -- ens160 * 0.0.0.0/0 0.0.0.0/0 [goto]
7791 506K FWDI_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
7790 506K FWDO_public all -- * ens160 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDO_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_direct (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public (2 references)
pkts bytes target prot opt in out source destination
7791 506K FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
7791 506K FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
7791 506K FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
1 84 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public (2 references)
pkts bytes target prot opt in out source destination
7790 506K FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
7790 506K FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
7790 506K FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 10.66.66.0/24 0.0.0.0/0 ctstate NEW,UNTRACKED
Chain FWDO_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
4216 297K IN_public all -- ens160 * 0.0.0.0/0 0.0.0.0/0 [goto]
23 2734 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public (2 references)
pkts bytes target prot opt in out source destination
4239 300K IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
4239 300K IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
4239 300K IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
175 10260 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
1018 61136 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:22 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW,UNTRACKED
44 2804 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6969 ctstate NEW,UNTRACKED
434 25940 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:81 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5903 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6980 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6981 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6982 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:82 ctstate NEW,UNTRACKED
53 2996 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW,UNTRACKED
1 64 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:75 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:76 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:77 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:78 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:90 ctstate NEW,UNTRACKED
375 22484 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2086 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2095 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:202 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:208 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2082 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2052 ctstate NEW,UNTRACKED
100 6252 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8880 ctstate NEW,UNTRACKED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:64731 ctstate NEW,UNTRACKED
Chain IN_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain udp2rawDwrW_46cc7010_C0 (1 references)
pkts bytes target prot opt in out source destination
76 3114 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
tcpdump -i tun0这是连接到 OpenVPN 之前的输出:
tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
连接之后的情况如下:
tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
22:45:16.360934 IP 10.8.0.2.63499 > one.one.one.one.domain: 6966+ PTR? lb._dns-sd._udp.0.1.168.192.in-addr.arpa. (58)
22:45:16.360982 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 94
22:45:16.361002 IP 10.8.0.2.53716 > one.one.one.one.domain: 47471+ PTR? 100.1.168.192.in-addr.arpa. (44)
22:45:16.361018 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 80
22:45:16.362743 IP 10.8.0.2.52330 > one.one.one.one.domain: 36750+ PTR? lb._dns-sd._udp.0.0.8.10.in-addr.arpa. (55)
22:45:16.362766 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 91
22:45:16.365807 IP 10.8.0.2.63499 > one.one.one.one.domain: 6966+ PTR? lb._dns-sd._udp.0.1.168.192.in-addr.arpa. (58)
22:45:16.365834 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 94
22:45:16.365852 IP 10.8.0.2.53716 > one.one.one.one.domain: 47471+ PTR? 100.1.168.192.in-addr.arpa. (44)
22:45:16.365868 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 80
22:45:16.368288 IP 10.8.0.2.52330 > one.one.one.one.domain: 36750+ PTR? lb._dns-sd._udp.0.0.8.10.in-addr.arpa. (55)
22:45:16.368318 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 91
22:45:16.370302 IP 10.8.0.2.52870 > one.one.one.one.domain: 14412+ PTR? 100.1.168.192.in-addr.arpa. (44)
22:45:16.523890 IP 10.8.0.2.60316 > one.one.one.one.domain: 45399+ A? gsp64-ssl.ls.apple.com. (40)
22:45:16.523967 IP 10.8.0.2.59793 > one.one.one.one.domain: 51359+ A? www.apple.com. (31)
22:45:16.524013 IP 10.8.0.2.51573 > one.one.one.one.domain: 20437+ A? 1-courier.push.apple.com. (42)
22:45:16.525081 IP 10.8.0.2.53960 > one.one.one.one.domain: 21369+ A? api.apple-cloudkit.com. (40)
22:45:16.527192 IP 10.8.0.2.50532 > one.one.one.one.domain: 26438+ A? configuration.ls.apple.com. (44)
22:45:16.529435 IP 10.8.0.2.51882 > one.one.one.one.domain: 37097+ A? 1-courier.sandbox.push.apple.com. (50)
22:45:16.531746 IP 10.8.0.2.53059 > 91.108.56.111.https: Flags [SEW], seq 338450811, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093645577 ecr 0,sackOK,eol], length 0
22:45:16.533099 IP 10.8.0.2.54112 > one.one.one.one.domain: 40715+ A? www.madrau.com. (32)
22:45:16.535849 IP 10.8.0.2.53062 > 91.108.56.111.http: Flags [SEW], seq 2456034833, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093645578 ecr 0,sackOK,eol], length 0
22:45:16.713073 IP 10.8.0.2.56939 > one.one.one.one.domain: 20658+ A? radarsubmissions.apple.com. (44)
22:45:16.713127 IP 10.8.0.2.62667 > one.one.one.one.domain: 22009+ A? init.push.apple.com. (37)
22:45:17.028509 IP 10.8.0.2.51262 > 239.255.255.250.ssdp: UDP, length 176
22:45:17.028544 IP 10.8.0.2.59809 > one.one.one.one.domain: 60079+ A? mtalk.google.com. (34)
22:45:17.132382 IP 10.8.0.2.53065 > 10.10.34.36.https: Flags [SEW], seq 3781149487, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093646161 ecr 0,sackOK,eol], length 0
22:45:17.367617 IP 10.8.0.2.63499 > one.one.one.one.domain: 6966+ PTR? lb._dns-sd._udp.0.1.168.192.in-addr.arpa. (58)
22:45:17.367668 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 94
22:45:17.367688 IP 10.8.0.2.52330 > one.one.one.one.domain: 36750+ PTR? lb._dns-sd._udp.0.0.8.10.in-addr.arpa. (55)
22:45:17.369552 IP 10.8.0.2.52870 > one.one.one.one.domain: 14412+ PTR? 100.1.168.192.in-addr.arpa. (44)
22:45:17.725973 IP 10.8.0.2.59793 > one.one.one.one.domain: 51359+ A? www.apple.com. (31)
22:45:17.726030 IP 10.8.0.2.51573 > one.one.one.one.domain: 20437+ A? 1-courier.push.apple.com. (42)
22:45:17.726055 IP 10.8.0.2.53960 > one.one.one.one.domain: 21369+ A? api.apple-cloudkit.com. (40)
22:45:17.726079 IP 10.8.0.2.50532 > one.one.one.one.domain: 26438+ A? configuration.ls.apple.com. (44)
22:45:17.726103 IP 10.8.0.2.51882 > one.one.one.one.domain: 37097+ A? 1-courier.sandbox.push.apple.com. (50)
22:45:17.726126 IP 10.8.0.2.54112 > one.one.one.one.domain: 40715+ A? www.madrau.com. (32)
22:45:17.726174 IP 10.8.0.2.56939 > one.one.one.one.domain: 20658+ A? radarsubmissions.apple.com. (44)
22:45:17.726200 IP 10.8.0.2.62667 > one.one.one.one.domain: 22009+ A? init.push.apple.com. (37)
22:45:17.726224 IP 10.8.0.2.53059 > 91.108.56.111.https: Flags [S], seq 338450811, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093646577 ecr 0,sackOK,eol], length 0
22:45:17.726249 IP 10.8.0.2.53062 > 91.108.56.111.http: Flags [S], seq 2456034833, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093646578 ecr 0,sackOK,eol], length 0
22:45:17.922321 IP 10.8.0.2.53066 > ams15s21-in-f138.1e100.net.https: Flags [SEW], seq 3014126703, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093646947 ecr 0,sackOK,eol], length 0
22:45:18.203016 IP 10.8.0.2.51262 > 239.255.255.250.ssdp: UDP, length 176
22:45:18.203060 IP 10.8.0.2.59809 > one.one.one.one.domain: 60079+ A? mtalk.google.com. (34)
22:45:18.377713 IP 10.8.0.2.53065 > 10.10.34.36.https: Flags [S], seq 3781149487, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093647161 ecr 0,sackOK,eol], length 0
22:45:18.377763 IP 23951912052447552280 > 10.8.0.2: ICMP host 10.10.34.36 unreachable - admin prohibited, length 72
22:45:18.696580 IP 10.8.0.2.63499 > one.one.one.one.domain: 6966+ PTR? lb._dns-sd._udp.0.1.168.192.in-addr.arpa. (58)
22:45:18.696675 IP 10.8.0.2.52330 > one.one.one.one.domain: 36750+ PTR? lb._dns-sd._udp.0.0.8.10.in-addr.arpa. (55)
22:45:18.696711 IP 10.8.0.2.53067 > 91.108.56.111.https: Flags [SEW], seq 2427387506, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093647537 ecr 0,sackOK,eol], length 0
22:45:18.696749 IP 10.8.0.2.53070 > 91.108.56.111.http: Flags [SEW], seq 1261704993, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093647538 ecr 0,sackOK,eol], length 0
22:45:18.696784 IP 10.8.0.2.53073 > 10.10.34.36.https: Flags [SEW], seq 3210044483, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093647568 ecr 0,sackOK,eol], length 0
22:45:18.719281 IP 10.8.0.2.53074 > any-in-2678.1e100.net.https: Flags [SEW], seq 1411185388, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093647733 ecr 0,sackOK,eol], length 0
22:45:19.632625 IP 10.8.0.2.53066 > ams15s21-in-f138.1e100.net.https: Flags [S], seq 3014126703, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093647947 ecr 0,sackOK,eol], length 0
22:45:19.632682 IP 23951912052447552280 > 10.8.0.2: ICMP host ams15s21-in-f138.1e100.net unreachable - admin prohibited, length 72
22:45:19.632701 IP 10.8.0.2.51262 > 239.255.255.250.ssdp: UDP, length 176
22:45:19.632719 IP 10.8.0.2.52870 > one.one.one.one.domain: 14412+ PTR? 100.1.168.192.in-addr.arpa. (44)
22:45:19.632759 IP 10.8.0.2.53075 > any-in-2678.1e100.net.https: Flags [SEW], seq 2289735527, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093648525 ecr 0,sackOK,eol], length 0
22:45:19.632782 IP 10.8.0.2.59793 > one.one.one.one.domain: 51359+ A? www.apple.com. (31)
22:45:19.632803 IP 10.8.0.2.51573 > one.one.one.one.domain: 20437+ A? 1-courier.push.apple.com. (42)
22:45:19.632823 IP 10.8.0.2.53960 > one.one.one.one.domain: 21369+ A? api.apple-cloudkit.com. (40)
22:45:19.632843 IP 10.8.0.2.50532 > one.one.one.one.domain: 26438+ A? configuration.ls.apple.com. (44)
22:45:19.632863 IP 10.8.0.2.51882 > one.one.one.one.domain: 37097+ A? 1-courier.sandbox.push.apple.com. (50)
22:45:19.632883 IP 10.8.0.2.54112 > one.one.one.one.domain: 40715+ A? www.madrau.com. (32)
22:45:19.632903 IP 10.8.0.2.56939 > one.one.one.one.domain: 20658+ A? radarsubmissions.apple.com. (44)
22:45:19.632923 IP 10.8.0.2.62667 > one.one.one.one.domain: 22009+ A? init.push.apple.com. (37)
22:45:19.632943 IP 10.8.0.2.49661 > one.one.one.one.domain: 30889+ A? self.events.data.microsoft.com. (48)
22:45:19.632963 IP 10.8.0.2.53067 > 91.108.56.111.https: Flags [S], seq 2427387506, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093648537 ecr 0,sackOK,eol], length 0
22:45:19.738242 IP 10.8.0.2.53074 > any-in-2678.1e100.net.https: Flags [S], seq 1411185388, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093648733 ecr 0,sackOK,eol], length 0
22:45:19.810583 IP 10.8.0.2.53076 > ams15s22-in-f170.1e100.net.https: Flags [SEW], seq 2352629644, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093648803 ecr 0,sackOK,eol], length 0
22:45:20.026331 IP 10.8.0.2.51262 > 239.255.255.250.ssdp: UDP, length 176
22:45:20.029851 IP 10.8.0.2.59809 > one.one.one.one.domain: 60079+ A? mtalk.google.com. (34)
22:45:20.321839 IP 10.8.0.2.51039 > one.one.one.one.domain: 27155+ A? www.google.ru. (31)
22:45:20.330333 IP 10.8.0.2.50375 > one.one.one.one.domain: 7439+ A? ident.me. (26)
22:45:20.370704 IP 10.8.0.2.63499 > one.one.one.one.domain: 6966+ PTR? lb._dns-sd._udp.0.1.168.192.in-addr.arpa. (58)
22:45:20.370763 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 94
永远持续下去。
答案1
更仔细地检查 iptable 输出后,我发现 (tun0) 的 openvpn 规则根本没有应用,手动应用它们解决了这个问题,规则位于:
/etc/iptables/add-openvpn-rules.sh
内容是
iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o ens160 -j MASQUERADE
iptables -I INPUT 1 -i tun0 -j ACCEPT
iptables -I FORWARD 1 -i ens160 -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o ens160 -j ACCEPT
所以我做了 :
sh /etc/iptables/add-openvpn-rules.sh
目前。