Stunnel + OpenVPN 已连接但没有互联网

I have set up:

stunnel on the server

pid = /var/run/stunnel4/stunnel.pid
output = /var/log/stunnel4/stunnel.log
setuid = root
setgid = root
[openvpn]
cert=/etc/stunnel/cert.pem
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
sslVersion = TLSv1.2
key=/etc/stunnel/key.pem
accept = 0.0.0.0:8080
connect = 127.0.0.1:1194

stunnel on the client

output = /Volumes/HDD/Users/steve/Desktop/stunnel/stunnel.log
pid = /Volumes/HDD/Users/steve/Desktop/stunnel/stunnel.pid
client = yes
[openvpn]
sni = www.bing.com
accept = 127.0.0.1:1194
connect = 23.95.191.205:8080

Before I connect with OpenVPN, I add the IP to the gateway with the following commands (on macOS):

sudo route -n add -net 23.95.191.254/27 192.168.1.1
sudo route -n add -net 23.95.191.205/27 192.168.1.1

Then I press the Connect button in OpenVPN (set to use 127.0.0.1 instead of the server's public IP), and it connects (very quickly, with no problems; it connects on every attempt):

But I can't load any website!

Here is the stunnel log on the server

2022.12.14 22:43:03 LOG5[27948:140462685611776]: Service [openvpn] accepted connection from 78.39.186.44:52571
2022.12.14 22:43:03 LOG5[27948:140462685611776]: connect_blocking: connected 127.0.0.1:1194
2022.12.14 22:43:03 LOG5[27948:140462685611776]: Service [openvpn] connected remote server from 127.0.0.1:46476

and on the client

2022.12.15 02:13:03 LOG5[29]: Service [openvpn] accepted connection from 127.0.0.1:52570
2022.12.15 02:13:03 LOG5[29]: s_connect: connected 23.95.191.205:8080
2022.12.15 02:13:03 LOG5[29]: Service [openvpn] connected remote server from 192.168.1.100:52571

Here is iptables

 iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
   76  3114 udp2rawDwrW_46cc7010_C0  icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
 285K  295M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  802 48092 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 4239  300K INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 4239  300K INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 4239  300K INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  399 18215 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
 1640  150K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0           
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
   19  1596 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 7791  506K FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 7791  506K FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 7791  506K FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 7790  506K FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 7790  506K FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
 7790  506K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 ACCEPT     all  --  wg0    *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      wg0     0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 1709 packets, 212K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68
36495 6037K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
 169K  278M OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDI_public  all  --  ens160 *       0.0.0.0/0            0.0.0.0/0           [goto] 
 7791  506K FWDI_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 7790  506K FWDO_public  all  --  *      ens160  0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 FWDO_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 7791  506K FWDI_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 7791  506K FWDI_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 7791  506K FWDI_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    1    84 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDI_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 7790  506K FWDO_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 7790  506K FWDO_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 7790  506K FWDO_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDO_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       10.66.66.0/24        0.0.0.0/0            ctstate NEW,UNTRACKED

Chain FWDO_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 4216  297K IN_public  all  --  ens160 *       0.0.0.0/0            0.0.0.0/0           [goto] 
   23  2734 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_public (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 4239  300K IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 4239  300K IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 4239  300K IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  175 10260 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED
 1018 61136 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW,UNTRACKED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:22 ctstate NEW,UNTRACKED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW,UNTRACKED
   44  2804 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6969 ctstate NEW,UNTRACKED
  434 25940 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:81 ctstate NEW,UNTRACKED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5903 ctstate NEW,UNTRACKED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6980 ctstate NEW,UNTRACKED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6981 ctstate NEW,UNTRACKED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6982 ctstate NEW,UNTRACKED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:82 ctstate NEW,UNTRACKED
   53  2996 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW,UNTRACKED
    1    64 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:75 ctstate NEW,UNTRACKED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:76 ctstate NEW,UNTRACKED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:77 ctstate NEW,UNTRACKED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:78 ctstate NEW,UNTRACKED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:90 ctstate NEW,UNTRACKED
  375 22484 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2086 ctstate NEW,UNTRACKED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2095 ctstate NEW,UNTRACKED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:202 ctstate NEW,UNTRACKED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:208 ctstate NEW,UNTRACKED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2082 ctstate NEW,UNTRACKED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2052 ctstate NEW,UNTRACKED
  100  6252 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 ctstate NEW,UNTRACKED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8880 ctstate NEW,UNTRACKED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:64731 ctstate NEW,UNTRACKED

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain udp2rawDwrW_46cc7010_C0 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   76  3114 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0      

Here is the output of tcpdump -i tun0 before connecting to OpenVPN:

tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes

And here it is after connecting:

tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
22:45:16.360934 IP 10.8.0.2.63499 > one.one.one.one.domain: 6966+ PTR? lb._dns-sd._udp.0.1.168.192.in-addr.arpa. (58)
22:45:16.360982 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 94
22:45:16.361002 IP 10.8.0.2.53716 > one.one.one.one.domain: 47471+ PTR? 100.1.168.192.in-addr.arpa. (44)
22:45:16.361018 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 80
22:45:16.362743 IP 10.8.0.2.52330 > one.one.one.one.domain: 36750+ PTR? lb._dns-sd._udp.0.0.8.10.in-addr.arpa. (55)
22:45:16.362766 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 91
22:45:16.365807 IP 10.8.0.2.63499 > one.one.one.one.domain: 6966+ PTR? lb._dns-sd._udp.0.1.168.192.in-addr.arpa. (58)
22:45:16.365834 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 94
22:45:16.365852 IP 10.8.0.2.53716 > one.one.one.one.domain: 47471+ PTR? 100.1.168.192.in-addr.arpa. (44)
22:45:16.365868 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 80
22:45:16.368288 IP 10.8.0.2.52330 > one.one.one.one.domain: 36750+ PTR? lb._dns-sd._udp.0.0.8.10.in-addr.arpa. (55)
22:45:16.368318 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 91
22:45:16.370302 IP 10.8.0.2.52870 > one.one.one.one.domain: 14412+ PTR? 100.1.168.192.in-addr.arpa. (44)
22:45:16.523890 IP 10.8.0.2.60316 > one.one.one.one.domain: 45399+ A? gsp64-ssl.ls.apple.com. (40)
22:45:16.523967 IP 10.8.0.2.59793 > one.one.one.one.domain: 51359+ A? www.apple.com. (31)
22:45:16.524013 IP 10.8.0.2.51573 > one.one.one.one.domain: 20437+ A? 1-courier.push.apple.com. (42)
22:45:16.525081 IP 10.8.0.2.53960 > one.one.one.one.domain: 21369+ A? api.apple-cloudkit.com. (40)
22:45:16.527192 IP 10.8.0.2.50532 > one.one.one.one.domain: 26438+ A? configuration.ls.apple.com. (44)
22:45:16.529435 IP 10.8.0.2.51882 > one.one.one.one.domain: 37097+ A? 1-courier.sandbox.push.apple.com. (50)
22:45:16.531746 IP 10.8.0.2.53059 > 91.108.56.111.https: Flags [SEW], seq 338450811, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093645577 ecr 0,sackOK,eol], length 0
22:45:16.533099 IP 10.8.0.2.54112 > one.one.one.one.domain: 40715+ A? www.madrau.com. (32)
22:45:16.535849 IP 10.8.0.2.53062 > 91.108.56.111.http: Flags [SEW], seq 2456034833, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093645578 ecr 0,sackOK,eol], length 0
22:45:16.713073 IP 10.8.0.2.56939 > one.one.one.one.domain: 20658+ A? radarsubmissions.apple.com. (44)
22:45:16.713127 IP 10.8.0.2.62667 > one.one.one.one.domain: 22009+ A? init.push.apple.com. (37)
22:45:17.028509 IP 10.8.0.2.51262 > 239.255.255.250.ssdp: UDP, length 176
22:45:17.028544 IP 10.8.0.2.59809 > one.one.one.one.domain: 60079+ A? mtalk.google.com. (34)
22:45:17.132382 IP 10.8.0.2.53065 > 10.10.34.36.https: Flags [SEW], seq 3781149487, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093646161 ecr 0,sackOK,eol], length 0
22:45:17.367617 IP 10.8.0.2.63499 > one.one.one.one.domain: 6966+ PTR? lb._dns-sd._udp.0.1.168.192.in-addr.arpa. (58)
22:45:17.367668 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 94
22:45:17.367688 IP 10.8.0.2.52330 > one.one.one.one.domain: 36750+ PTR? lb._dns-sd._udp.0.0.8.10.in-addr.arpa. (55)
22:45:17.369552 IP 10.8.0.2.52870 > one.one.one.one.domain: 14412+ PTR? 100.1.168.192.in-addr.arpa. (44)
22:45:17.725973 IP 10.8.0.2.59793 > one.one.one.one.domain: 51359+ A? www.apple.com. (31)
22:45:17.726030 IP 10.8.0.2.51573 > one.one.one.one.domain: 20437+ A? 1-courier.push.apple.com. (42)
22:45:17.726055 IP 10.8.0.2.53960 > one.one.one.one.domain: 21369+ A? api.apple-cloudkit.com. (40)
22:45:17.726079 IP 10.8.0.2.50532 > one.one.one.one.domain: 26438+ A? configuration.ls.apple.com. (44)
22:45:17.726103 IP 10.8.0.2.51882 > one.one.one.one.domain: 37097+ A? 1-courier.sandbox.push.apple.com. (50)
22:45:17.726126 IP 10.8.0.2.54112 > one.one.one.one.domain: 40715+ A? www.madrau.com. (32)
22:45:17.726174 IP 10.8.0.2.56939 > one.one.one.one.domain: 20658+ A? radarsubmissions.apple.com. (44)
22:45:17.726200 IP 10.8.0.2.62667 > one.one.one.one.domain: 22009+ A? init.push.apple.com. (37)
22:45:17.726224 IP 10.8.0.2.53059 > 91.108.56.111.https: Flags [S], seq 338450811, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093646577 ecr 0,sackOK,eol], length 0
22:45:17.726249 IP 10.8.0.2.53062 > 91.108.56.111.http: Flags [S], seq 2456034833, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093646578 ecr 0,sackOK,eol], length 0
22:45:17.922321 IP 10.8.0.2.53066 > ams15s21-in-f138.1e100.net.https: Flags [SEW], seq 3014126703, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093646947 ecr 0,sackOK,eol], length 0
22:45:18.203016 IP 10.8.0.2.51262 > 239.255.255.250.ssdp: UDP, length 176
22:45:18.203060 IP 10.8.0.2.59809 > one.one.one.one.domain: 60079+ A? mtalk.google.com. (34)
22:45:18.377713 IP 10.8.0.2.53065 > 10.10.34.36.https: Flags [S], seq 3781149487, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093647161 ecr 0,sackOK,eol], length 0
22:45:18.377763 IP 23951912052447552280 > 10.8.0.2: ICMP host 10.10.34.36 unreachable - admin prohibited, length 72
22:45:18.696580 IP 10.8.0.2.63499 > one.one.one.one.domain: 6966+ PTR? lb._dns-sd._udp.0.1.168.192.in-addr.arpa. (58)
22:45:18.696675 IP 10.8.0.2.52330 > one.one.one.one.domain: 36750+ PTR? lb._dns-sd._udp.0.0.8.10.in-addr.arpa. (55)
22:45:18.696711 IP 10.8.0.2.53067 > 91.108.56.111.https: Flags [SEW], seq 2427387506, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093647537 ecr 0,sackOK,eol], length 0
22:45:18.696749 IP 10.8.0.2.53070 > 91.108.56.111.http: Flags [SEW], seq 1261704993, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093647538 ecr 0,sackOK,eol], length 0
22:45:18.696784 IP 10.8.0.2.53073 > 10.10.34.36.https: Flags [SEW], seq 3210044483, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093647568 ecr 0,sackOK,eol], length 0
22:45:18.719281 IP 10.8.0.2.53074 > any-in-2678.1e100.net.https: Flags [SEW], seq 1411185388, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093647733 ecr 0,sackOK,eol], length 0
22:45:19.632625 IP 10.8.0.2.53066 > ams15s21-in-f138.1e100.net.https: Flags [S], seq 3014126703, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093647947 ecr 0,sackOK,eol], length 0
22:45:19.632682 IP 23951912052447552280 > 10.8.0.2: ICMP host ams15s21-in-f138.1e100.net unreachable - admin prohibited, length 72
22:45:19.632701 IP 10.8.0.2.51262 > 239.255.255.250.ssdp: UDP, length 176
22:45:19.632719 IP 10.8.0.2.52870 > one.one.one.one.domain: 14412+ PTR? 100.1.168.192.in-addr.arpa. (44)
22:45:19.632759 IP 10.8.0.2.53075 > any-in-2678.1e100.net.https: Flags [SEW], seq 2289735527, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093648525 ecr 0,sackOK,eol], length 0
22:45:19.632782 IP 10.8.0.2.59793 > one.one.one.one.domain: 51359+ A? www.apple.com. (31)
22:45:19.632803 IP 10.8.0.2.51573 > one.one.one.one.domain: 20437+ A? 1-courier.push.apple.com. (42)
22:45:19.632823 IP 10.8.0.2.53960 > one.one.one.one.domain: 21369+ A? api.apple-cloudkit.com. (40)
22:45:19.632843 IP 10.8.0.2.50532 > one.one.one.one.domain: 26438+ A? configuration.ls.apple.com. (44)
22:45:19.632863 IP 10.8.0.2.51882 > one.one.one.one.domain: 37097+ A? 1-courier.sandbox.push.apple.com. (50)
22:45:19.632883 IP 10.8.0.2.54112 > one.one.one.one.domain: 40715+ A? www.madrau.com. (32)
22:45:19.632903 IP 10.8.0.2.56939 > one.one.one.one.domain: 20658+ A? radarsubmissions.apple.com. (44)
22:45:19.632923 IP 10.8.0.2.62667 > one.one.one.one.domain: 22009+ A? init.push.apple.com. (37)
22:45:19.632943 IP 10.8.0.2.49661 > one.one.one.one.domain: 30889+ A? self.events.data.microsoft.com. (48)
22:45:19.632963 IP 10.8.0.2.53067 > 91.108.56.111.https: Flags [S], seq 2427387506, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093648537 ecr 0,sackOK,eol], length 0
22:45:19.738242 IP 10.8.0.2.53074 > any-in-2678.1e100.net.https: Flags [S], seq 1411185388, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093648733 ecr 0,sackOK,eol], length 0
22:45:19.810583 IP 10.8.0.2.53076 > ams15s22-in-f170.1e100.net.https: Flags [SEW], seq 2352629644, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093648803 ecr 0,sackOK,eol], length 0
22:45:20.026331 IP 10.8.0.2.51262 > 239.255.255.250.ssdp: UDP, length 176
22:45:20.029851 IP 10.8.0.2.59809 > one.one.one.one.domain: 60079+ A? mtalk.google.com. (34)
22:45:20.321839 IP 10.8.0.2.51039 > one.one.one.one.domain: 27155+ A? www.google.ru. (31)
22:45:20.330333 IP 10.8.0.2.50375 > one.one.one.one.domain: 7439+ A? ident.me. (26)
22:45:20.370704 IP 10.8.0.2.63499 > one.one.one.one.domain: 6966+ PTR? lb._dns-sd._udp.0.1.168.192.in-addr.arpa. (58)
22:45:20.370763 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 94

and it goes on like this forever.

Answer 1

After looking at the iptables output more carefully, I found that the openvpn rules (for tun0) were not being applied at all; applying them manually solved the problem. The rules are located in:

/etc/iptables/add-openvpn-rules.sh

with the contents

iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o ens160 -j MASQUERADE
iptables -I INPUT 1 -i tun0 -j ACCEPT
iptables -I FORWARD 1 -i ens160 -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o ens160 -j ACCEPT

So I ran:

sh /etc/iptables/add-openvpn-rules.sh

for now.
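As an added example (not code from the question or the answer), the script below checks a saved `iptables -vnL` dump for the two FORWARD rules that the answer's script inserts, and reads the hit counter on the catch-all REJECT whose icmp-host-prohibited replies are what the tcpdump shows as "admin prohibited". The sample dump is constructed from the FORWARD chain quoted above; the "fixed" variant assumes the answer's `iptables -I FORWARD 1` rules have been applied.

```shell
#!/bin/sh
# Added example, not from the original post: check an `iptables -vnL` dump for
# the tun0 forwarding rules that /etc/iptables/add-openvpn-rules.sh inserts and
# read the hit counter on the catch-all REJECT whose icmp-host-prohibited
# replies appear as "admin prohibited" in the tcpdump above. Runs offline on
# the constructed sample; on a server, pass a saved `iptables -vnL` file.

# Write a trimmed FORWARD chain (constructed from the post's output) to a temp
# file; "fixed" prepends the answer's rules as `iptables -I FORWARD 1` would.
sample_dump() {
  f=$(mktemp)
  echo 'Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)' >"$f"
  echo ' pkts bytes target     prot opt in     out     source               destination' >>"$f"
  if [ "$1" = fixed ]; then
    cat >>"$f" <<'EOF'
    0     0 ACCEPT     all  --  tun0   ens160  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  ens160 tun0    0.0.0.0/0            0.0.0.0/0
EOF
  fi
  cat >>"$f" <<'EOF'
   19  1596 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 7791  506K FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
 7790  506K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 ACCEPT     all  --  wg0    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      wg0     0.0.0.0/0            0.0.0.0/0
EOF
  echo "$f"
}

# Succeed (0) if chain $2 of dump $1 has an ACCEPT rule with in=$3 out=$4
# ABOVE the chain's unconditional REJECT/DROP. A rule below it never matches
# (the wg0 rules in the post sit in that position), hence `-I FORWARD 1`.
has_accept_before_reject() {
  awk -v chain="$2" -v inif="$3" -v outif="$4" '
    /^Chain / { cur = $2; next }
    cur != chain || NF < 9 { next }
    $3 == "ACCEPT" && $6 == inif && $7 == outif { found = 1; exit }
    ($3 == "REJECT" || $3 == "DROP") && $6 == "*" && $7 == "*" &&
      $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" && $0 !~ /ctstate/ { exit }
    END { exit (found ? 0 : 1) }
  ' "$1"
}

# Print the packet counter of chain $2's catch-all REJECT (empty if none).
reject_hits() {
  awk -v chain="$2" '
    /^Chain / { cur = $2; next }
    cur == chain && $3 == "REJECT" && $6 == "*" && $7 == "*" &&
      $0 !~ /ctstate/ { print $1; exit }
  ' "$1"
}

# Report both OpenVPN FORWARD rules for dump $1; return the number missing.
check_openvpn_rules() {
  dump=$1; missing=0
  for pair in "tun0 ens160" "ens160 tun0"; do
    set -- $pair
    if has_accept_before_reject "$dump" FORWARD "$1" "$2"; then
      echo "ok:      FORWARD ACCEPT in=$1 out=$2"
    else
      echo "MISSING: FORWARD ACCEPT in=$1 out=$2"; missing=$((missing + 1))
    fi
  done
  echo "packets hitting FORWARD catch-all REJECT: $(reject_hits "$dump" FORWARD)"
  return "$missing"
}
```

On a live server, `check_openvpn_rules` can be pointed at the output of `iptables -vnL` saved to a file; a non-zero REJECT counter that keeps growing while the tun0 rules are reported missing is the same symptom the question's tcpdump shows.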