AWS Client VPN connected but no internet access

I have been able to create an AWS Client VPN endpoint and can reach the servers inside the VPC, but it looks like I cannot access the internet.

DNS resolution does not work while connected to the VPN.

Details are below.

Tunnelblick log

2023-01-03 22:43:08.497342 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-01-03 22:43:08.503457 MANAGEMENT: >STATE:1672765988,RESOLVE,,,,,,
2023-01-03 22:43:08.724886 TCP/UDP: Preserving recently used remote address: [AF_INET]*****:443
2023-01-03 22:43:08.732514 Socket Buffers: R=[786896->786896] S=[9216->9216]
2023-01-03 22:43:08.732753 UDP link local: (not bound)
2023-01-03 22:43:08.732777 UDP link remote: [AF_INET]*****:443
2023-01-03 22:43:08.732815 MANAGEMENT: >STATE:1672765988,WAIT,,,,,,
2023-01-03 22:43:08.976379 MANAGEMENT: >STATE:1672765988,AUTH,,,,,,
2023-01-03 22:43:08.976486 TLS: Initial packet from [AF_INET]*****:443, sid=dd6ef088 3ed5ee33
2023-01-03 22:43:09.226709 VERIFY OK: depth=1, CN=***.com
2023-01-03 22:43:09.230330 VERIFY KU OK
2023-01-03 22:43:09.230440 Validating certificate extended key usage
2023-01-03 22:43:09.230454 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-01-03 22:43:09.230465 VERIFY EKU OK
2023-01-03 22:43:09.230478 VERIFY OK: depth=0, CN=server.***.com
2023-01-03 22:43:09.751110 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-01-03 22:43:09.751323 [server.*****.com] Peer Connection Initiated with [AF_INET]****:443
2023-01-03 22:43:10.934390 MANAGEMENT: >STATE:1672765990,GET_CONFIG,,,,,,
2023-01-03 22:43:10.946185 SENT CONTROL [server.*****.com]: 'PUSH_REQUEST' (status=1)
2023-01-03 22:43:11.190001 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.0.0.2,route 0.0.0.0 0.0.0.0,route 10.0.0.0 255.255.0.0,route-gateway 11.0.0.1,topology subnet,ping 1,ping-restart 20,ifconfig 11.0.0.2 255.255.255.224,peer-id 0,cipher AES-256-GCM'
2023-01-03 22:43:11.197839 OPTIONS IMPORT: timers and/or timeouts modified
2023-01-03 22:43:11.198115 OPTIONS IMPORT: --ifconfig/up options modified
2023-01-03 22:43:11.198141 OPTIONS IMPORT: route options modified
2023-01-03 22:43:11.198155 OPTIONS IMPORT: route-related options modified
2023-01-03 22:43:11.198167 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-01-03 22:43:11.198179 OPTIONS IMPORT: peer-id set
2023-01-03 22:43:11.198190 OPTIONS IMPORT: adjusting link_mtu to 1624
2023-01-03 22:43:11.198203 OPTIONS IMPORT: data channel crypto options modified
2023-01-03 22:43:11.198329 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-01-03 22:43:11.198347 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-01-03 22:43:11.220497 Opened utun device utun7
2023-01-03 22:43:11.220627 MANAGEMENT: >STATE:1672765991,ASSIGN_IP,,11.0.0.2,,,,
2023-01-03 22:43:11.220653 /sbin/ifconfig utun7 delete
                           ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2023-01-03 22:43:11.238044 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2023-01-03 22:43:11.238122 /sbin/ifconfig utun7 11.0.0.2 11.0.0.2 netmask 255.255.255.224 mtu 1500 up
2023-01-03 22:43:11.253953 /sbin/route add -net 11.0.0.0 11.0.0.2 255.255.255.224
                           add net 11.0.0.0: gateway 11.0.0.2
2023-01-03 22:43:11.269657 /sbin/route add -net ***** 192.168.29.1 255.255.255.255
                           add net *****: gateway 192.168.29.1
2023-01-03 22:43:11.335276 /sbin/route delete -net 0.0.0.0 192.168.29.1 0.0.0.0
                           delete net 0.0.0.0: gateway 192.168.29.1
2023-01-03 22:43:11.380416 /sbin/route add -net 0.0.0.0 11.0.0.1 0.0.0.0
                           add net 0.0.0.0: gateway 11.0.0.1
2023-01-03 22:43:11.414312 MANAGEMENT: >STATE:1672765991,ADD_ROUTES,,,,,,
2023-01-03 22:43:11.414391 /sbin/route add -net 0.0.0.0 11.0.0.1 0.0.0.0
                           route: writing to routing socket: File exists
                           add net 0.0.0.0: gateway 11.0.0.1: File exists
2023-01-03 22:43:11.427638 /sbin/route add -net 10.0.0.0 11.0.0.1 255.255.0.0
                           add net 10.0.0.0: gateway 11.0.0.1
                           22:43:11 *Tunnelblick:  **********************************************
                           22:43:11 *Tunnelblick:  Start of output from client.up.tunnelblick.sh
                           22:43:13 *Tunnelblick:  Retrieved from OpenVPN: name server(s) [ 10.0.0.2 ], search domain(s) [ ] and SMB server(s) [ ] and using default domain name [ openvpn ]
                           22:43:13 *Tunnelblick:  WARNING: Ignoring ServerAddresses '10.0.0.2' because ServerAddresses was set manually and '-allowChangesToManuallySetNetworkSettings' was not specified
                           22:43:13 *Tunnelblick:  Setting search domains to 'openvpn' because the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected
                           22:43:15 *Tunnelblick:  Saved the DNS and SMB configurations so they can be restored
                           22:43:15 *Tunnelblick:  Did not change DNS ServerAddresses setting of '11.0.0.1' (but re-set it)
                           22:43:15 *Tunnelblick:  Changed DNS SearchDomains setting from '' to 'openvpn'
                           22:43:15 *Tunnelblick:  Changed DNS DomainName setting from '' to 'openvpn'
                           22:43:15 *Tunnelblick:  Did not change SMB NetBIOSName setting of ''
                           22:43:15 *Tunnelblick:  Did not change SMB Workgroup setting of ''
                           22:43:15 *Tunnelblick:  Did not change SMB WINSAddresses setting of ''
                           22:43:15 *Tunnelblick:  DNS servers '11.0.0.1' were set manually
                           22:43:15 *Tunnelblick:  DNS servers '11.0.0.1' will be used for DNS queries when the VPN is active
                           22:43:15 *Tunnelblick:  NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
                           22:43:15 *Tunnelblick:  Flushed the DNS cache via dscacheutil
                           22:43:15 *Tunnelblick:  /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                           22:43:15 *Tunnelblick:  Notified mDNSResponder that the DNS cache was flushed
                           22:43:15 *Tunnelblick:  Not notifying mDNSResponderHelper that the DNS cache was flushed because it is not running
                           22:43:15 *Tunnelblick:  Setting up to monitor system configuration with process-network-changes
                           22:43:15 *Tunnelblick:  End of output from client.up.tunnelblick.sh
                           22:43:15 *Tunnelblick:  **********************************************
2023-01-03 22:43:15.324027 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-01-03 22:43:15.324045 Initialization Sequence Completed
2023-01-03 22:43:15.324064 MANAGEMENT: >STATE:1672765995,CONNECTED,SUCCESS,11.0.0.2,*****,443,,
2023-01-03 22:43:16.548770 *Tunnelblick: DNS address 11.0.0.1 is being routed through the VPN
2023-01-03 22:43:39.228943 *Tunnelblick: Disconnecting; VPN Details… window disconnect button pressed

Routing table without VPN

Internet:
Destination        Gateway            Flags           Netif Expire
default            192.168.29.1       UGScg             en0
127                127.0.0.1          UCS               lo0
127.0.0.1          127.0.0.1          UH                lo0
169.254            link#15            UCS               en0      !
192.168.29         link#15            UCS               en0      !
192.168.29.1/32    link#15            UCS               en0      !
192.168.29.1       8c:a3:99:43:d4:c6  UHLWIir           en0   1189
192.168.29.3       62:86:e7:b7:95:3   UHLWIi            en0     46
192.168.29.41      d6:e3:d9:51:75:9f  UHLWI             en0    325
192.168.29.50/32   link#15            UCS               en0      !
192.168.29.53      16:c2:44:9f:bd:5c  UHLWI             en0     82
192.168.29.130     9e:df:ca:48:30:f1  UHLWI             en0     84
192.168.29.223     d6:78:7e:8a:b1:1   UHLWI             en0    934
192.168.29.255     ff:ff:ff:ff:ff:ff  UHLWbI            en0      !
224.0.0/4          link#15            UmCS              en0      !
224.0.0.251        1:0:5e:0:0:fb      UHmLWI            en0
239.255.255.250    1:0:5e:7f:ff:fa    UHmLWI            en0
255.255.255.255/32 link#15            UCS               en0      !

Routing table with VPN

Internet:
Destination        Gateway            Flags           Netif Expire
default            192.168.29.1       UGScg             en0
10/16              11.0.0.129         UGSc            utun7
11.0.0.128/27      11.0.0.130         UGSc            utun7
11.0.0.130         11.0.0.130         UH              utun7
127                127.0.0.1          UCS               lo0
127.0.0.1          127.0.0.1          UH                lo0
169.254            link#15            UCS               en0      !
192.168.29         link#15            UCS               en0      !
192.168.29.1/32    link#15            UCS               en0      !
192.168.29.1       8c:a3:99:43:d4:c6  UHLWIir           en0   1200
192.168.29.3       62:86:e7:b7:95:3   UHLWIi            en0   1168
192.168.29.41      d6:e3:d9:51:75:9f  UHLWI             en0    247
192.168.29.50/32   link#15            UCS               en0      !
192.168.29.53      16:c2:44:9f:bd:5c  UHLWI             en0      4
192.168.29.130     9e:df:ca:48:30:f1  UHLWI             en0      6
192.168.29.223     d6:78:7e:8a:b1:1   UHLWI             en0    856
192.168.29.255     ff:ff:ff:ff:ff:ff  UHLWbI            en0      !
224.0.0/4          link#15            UmCS              en0      !
224.0.0.251        1:0:5e:0:0:fb      UHmLWI            en0
239.255.255.250    1:0:5e:7f:ff:fa    UHmLWI            en0
255.255.255.255/32 link#15            UCS               en0      !
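Before changing anything on the AWS side it helps to read the client log mechanically: the PUSH_REPLY tells you whether the endpoint pushed a default route (full tunnel) or only VPC routes (split tunnel), and the Tunnelblick lines tell you which resolver is actually in use. The script below is an added example, not part of the question or of Tunnelblick; the three sample log lines are constructed copies of the lines in the log above, and the finding labels are my own.

```python
import re
from typing import Dict, List

# Constructed sample: three lines modelled on the Tunnelblick/OpenVPN log in the
# question (the PUSH_REPLY, the "Ignoring ServerAddresses" warning and the
# line that states which DNS servers will really be used).
SAMPLE_LOG = """\
2023-01-03 22:43:11.190001 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.0.0.2,route 0.0.0.0 0.0.0.0,route 10.0.0.0 255.255.0.0,route-gateway 11.0.0.1,topology subnet,ping 1,ping-restart 20,ifconfig 11.0.0.2 255.255.255.224,peer-id 0,cipher AES-256-GCM'
22:43:13 *Tunnelblick:  WARNING: Ignoring ServerAddresses '10.0.0.2' because ServerAddresses was set manually and '-allowChangesToManuallySetNetworkSettings' was not specified
22:43:15 *Tunnelblick:  DNS servers '11.0.0.1' will be used for DNS queries when the VPN is active
"""

PUSH_RE = re.compile(r"'PUSH_REPLY,([^']*)'")
USED_DNS_RE = re.compile(r"DNS servers '([^']+)' will be used for DNS queries")
IGNORED_DNS_RE = re.compile(r"Ignoring ServerAddresses '([^']+)'")


def parse_push_reply(log: str) -> Dict[str, object]:
    """Split the OpenVPN PUSH_REPLY into the options that decide routing and DNS."""
    pushed: Dict[str, object] = {"dns": [], "routes": [], "route_gateway": None, "ifconfig": None}
    m = PUSH_RE.search(log)
    if not m:
        return pushed
    for option in m.group(1).split(","):
        parts = option.split()
        if not parts:
            continue
        if parts[:2] == ["dhcp-option", "DNS"]:
            pushed["dns"].append(parts[2])          # resolver the server wants the client to use
        elif parts[0] == "route":
            pushed["routes"].append((parts[1], parts[2]))  # (network, netmask)
        elif parts[0] == "route-gateway":
            pushed["route_gateway"] = parts[1]
        elif parts[0] == "ifconfig":
            pushed["ifconfig"] = (parts[1], parts[2])      # (tunnel address, netmask)
    return pushed


def diagnose(log: str) -> List[str]:
    """Findings a troubleshooter wants from the client log before touching AWS."""
    findings = []
    pushed = parse_push_reply(log)
    # "route 0.0.0.0 0.0.0.0" is how OpenVPN pushes a default route.
    if ("0.0.0.0", "0.0.0.0") in pushed["routes"]:
        findings.append("full-tunnel: server pushed a default route, so internet traffic is expected to go through the VPN")
    else:
        findings.append("split-tunnel: no default route pushed, internet traffic stays on the local gateway")
    ignored = IGNORED_DNS_RE.search(log)
    if ignored:
        findings.append(f"dns-ignored: pushed resolver {ignored.group(1)} was not applied because DNS is set manually on the client")
    used = USED_DNS_RE.search(log)
    if used:
        effective = used.group(1).split()
        if effective != pushed["dns"]:
            findings.append(f"dns-mismatch: queries go to {', '.join(effective)} instead of the pushed {', '.join(pushed['dns']) or 'none'}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports a full tunnel, that the pushed resolver 10.0.0.2 was ignored, and that queries therefore go to 11.0.0.1; the last two findings explain why name resolution fails even when the tunnel itself is up.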

Answer 1

Check the security group rules used for the Client VPN endpoint. Outbound traffic to the Internet should be allowed. If it is not, add an outbound rule allowing traffic to 0.0.0.0/0 for HTTP and HTTPS.

You also need to create an Internet gateway and attach it to your VPC, so your solution will look like this:

[diagram omitted]


See the AWS Client VPN Administrator Guide section on accessing the internet for more details.
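The answer above names two of the pieces, but internet access from a Client VPN endpoint needs four things to line up: a 0.0.0.0/0 route on the endpoint, an authorization rule for 0.0.0.0/0, security group egress for the endpoint, and a default route in the target subnet to an internet (or NAT) gateway. The checker below is an added example, not code from the answer or from AWS; it runs offline over constructed dictionaries shaped like the JSON that `aws ec2 describe-client-vpn-routes`, `describe-client-vpn-authorization-rules`, `describe-security-groups` and `describe-route-tables` return, and all resource IDs are placeholders.

```python
import ipaddress
from typing import Dict, List

# Constructed sample data (not real CLI output); IDs are placeholders.
VPN_ROUTES = {"Routes": [
    {"DestinationCidr": "10.0.0.0/16", "TargetSubnet": "subnet-PLACEHOLDER", "Status": {"Code": "active"}},
    {"DestinationCidr": "0.0.0.0/0", "TargetSubnet": "subnet-PLACEHOLDER", "Status": {"Code": "active"}},
]}
AUTH_RULES = {"AuthorizationRules": [
    {"DestinationCidr": "10.0.0.0/16", "AccessAll": True, "Status": {"Code": "active"}},
]}
SECURITY_GROUPS = {"SecurityGroups": [{
    "GroupId": "sg-PLACEHOLDER",
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}]}
SUBNET_ROUTE_TABLES = {"RouteTables": [{"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
]}]}

# The same data after applying the two fixes the checker reports for it.
FIXED_AUTH_RULES = {"AuthorizationRules": AUTH_RULES["AuthorizationRules"] + [
    {"DestinationCidr": "0.0.0.0/0", "AccessAll": True, "Status": {"Code": "active"}},
]}
FIXED_SUBNET_ROUTE_TABLES = {"RouteTables": [{"Routes": SUBNET_ROUTE_TABLES["RouteTables"][0]["Routes"] + [
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER"},
]}]}

INTERNET = ipaddress.ip_network("0.0.0.0/0")


def _is_default(cidr: str) -> bool:
    """Only 0.0.0.0/0 carries all internet traffic; a narrower prefix does not count."""
    return ipaddress.ip_network(cidr, strict=False) == INTERNET


def _is_active(entry: Dict) -> bool:
    return entry.get("Status", {}).get("Code") == "active"


def _egress_allows_web(sg: Dict) -> bool:
    """True if egress reaches 0.0.0.0/0 on all ports, or on both TCP 80 and 443."""
    covered = set()
    for perm in sg.get("IpPermissionsEgress", []):
        if not any(_is_default(r["CidrIp"]) for r in perm.get("IpRanges", [])):
            continue
        if perm["IpProtocol"] == "-1":
            return True
        if perm["IpProtocol"] == "tcp":
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 0)
            covered.update(p for p in (80, 443) if lo <= p <= hi)
    return covered == {80, 443}


def check_internet_path(vpn_routes: Dict, auth_rules: Dict, security_groups: Dict, subnet_route_tables: Dict) -> List[str]:
    """Return the missing pieces; an empty list means every hop on the path is configured."""
    problems = []
    if not any(_is_default(r["DestinationCidr"]) and _is_active(r) for r in vpn_routes["Routes"]):
        problems.append("no active 0.0.0.0/0 route on the Client VPN endpoint")
    if not any(_is_default(a["DestinationCidr"]) and _is_active(a) for a in auth_rules["AuthorizationRules"]):
        problems.append("no active authorization rule for 0.0.0.0/0")
    if not any(_egress_allows_web(sg) for sg in security_groups["SecurityGroups"]):
        problems.append("security group egress does not allow HTTP/HTTPS to 0.0.0.0/0")
    # The target subnet must itself be able to reach the internet, via an IGW or a NAT gateway.
    has_gateway = any(
        "DestinationCidrBlock" in r and _is_default(r["DestinationCidrBlock"])
        and (r.get("GatewayId", "").startswith("igw-") or r.get("NatGatewayId", "").startswith("nat-"))
        for rt in subnet_route_tables["RouteTables"] for r in rt["Routes"]
    )
    if not has_gateway:
        problems.append("target subnet has no 0.0.0.0/0 route to an internet or NAT gateway")
    return problems


if __name__ == "__main__":
    print("before:", check_internet_path(VPN_ROUTES, AUTH_RULES, SECURITY_GROUPS, SUBNET_ROUTE_TABLES))
    print("after: ", check_internet_path(VPN_ROUTES, FIXED_AUTH_RULES, SECURITY_GROUPS, FIXED_SUBNET_ROUTE_TABLES))
```

On the sample data the endpoint route and the security group are fine, but the checker reports the missing authorization rule and the subnet's missing default route; a route that exists but is not yet `active`, or an egress rule that covers only port 443, is reported the same way, which is exactly the kind of half-finished setup that produces "connected but no internet".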

Answer 2

I ran into the same problem. I enabled custom DNS and set the Google DNS servers 8.8.8.8 and 8.8.4.4, and it started working.
