I have been able to create an AWS Client VPN endpoint and can reach the servers inside the VPC, but it looks like I cannot reach the Internet.
DNS resolution does not work while connected to the VPN.
Details below.
Tunnelblick log
2023-01-03 22:43:08.497342 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-01-03 22:43:08.503457 MANAGEMENT: >STATE:1672765988,RESOLVE,,,,,,
2023-01-03 22:43:08.724886 TCP/UDP: Preserving recently used remote address: [AF_INET]*****:443
2023-01-03 22:43:08.732514 Socket Buffers: R=[786896->786896] S=[9216->9216]
2023-01-03 22:43:08.732753 UDP link local: (not bound)
2023-01-03 22:43:08.732777 UDP link remote: [AF_INET]*****:443
2023-01-03 22:43:08.732815 MANAGEMENT: >STATE:1672765988,WAIT,,,,,,
2023-01-03 22:43:08.976379 MANAGEMENT: >STATE:1672765988,AUTH,,,,,,
2023-01-03 22:43:08.976486 TLS: Initial packet from [AF_INET]*****:443, sid=dd6ef088 3ed5ee33
2023-01-03 22:43:09.226709 VERIFY OK: depth=1, CN=***.com
2023-01-03 22:43:09.230330 VERIFY KU OK
2023-01-03 22:43:09.230440 Validating certificate extended key usage
2023-01-03 22:43:09.230454 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-01-03 22:43:09.230465 VERIFY EKU OK
2023-01-03 22:43:09.230478 VERIFY OK: depth=0, CN=server.***.com
2023-01-03 22:43:09.751110 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-01-03 22:43:09.751323 [server.*****.com] Peer Connection Initiated with [AF_INET]****:443
2023-01-03 22:43:10.934390 MANAGEMENT: >STATE:1672765990,GET_CONFIG,,,,,,
2023-01-03 22:43:10.946185 SENT CONTROL [server.*****.com]: 'PUSH_REQUEST' (status=1)
2023-01-03 22:43:11.190001 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.0.0.2,route 0.0.0.0 0.0.0.0,route 10.0.0.0 255.255.0.0,route-gateway 11.0.0.1,topology subnet,ping 1,ping-restart 20,ifconfig 11.0.0.2 255.255.255.224,peer-id 0,cipher AES-256-GCM'
2023-01-03 22:43:11.197839 OPTIONS IMPORT: timers and/or timeouts modified
2023-01-03 22:43:11.198115 OPTIONS IMPORT: --ifconfig/up options modified
2023-01-03 22:43:11.198141 OPTIONS IMPORT: route options modified
2023-01-03 22:43:11.198155 OPTIONS IMPORT: route-related options modified
2023-01-03 22:43:11.198167 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-01-03 22:43:11.198179 OPTIONS IMPORT: peer-id set
2023-01-03 22:43:11.198190 OPTIONS IMPORT: adjusting link_mtu to 1624
2023-01-03 22:43:11.198203 OPTIONS IMPORT: data channel crypto options modified
2023-01-03 22:43:11.198329 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-01-03 22:43:11.198347 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-01-03 22:43:11.220497 Opened utun device utun7
2023-01-03 22:43:11.220627 MANAGEMENT: >STATE:1672765991,ASSIGN_IP,,11.0.0.2,,,,
2023-01-03 22:43:11.220653 /sbin/ifconfig utun7 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2023-01-03 22:43:11.238044 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2023-01-03 22:43:11.238122 /sbin/ifconfig utun7 11.0.0.2 11.0.0.2 netmask 255.255.255.224 mtu 1500 up
2023-01-03 22:43:11.253953 /sbin/route add -net 11.0.0.0 11.0.0.2 255.255.255.224
add net 11.0.0.0: gateway 11.0.0.2
2023-01-03 22:43:11.269657 /sbin/route add -net ***** 192.168.29.1 255.255.255.255
add net *****: gateway 192.168.29.1
2023-01-03 22:43:11.335276 /sbin/route delete -net 0.0.0.0 192.168.29.1 0.0.0.0
delete net 0.0.0.0: gateway 192.168.29.1
2023-01-03 22:43:11.380416 /sbin/route add -net 0.0.0.0 11.0.0.1 0.0.0.0
add net 0.0.0.0: gateway 11.0.0.1
2023-01-03 22:43:11.414312 MANAGEMENT: >STATE:1672765991,ADD_ROUTES,,,,,,
2023-01-03 22:43:11.414391 /sbin/route add -net 0.0.0.0 11.0.0.1 0.0.0.0
route: writing to routing socket: File exists
add net 0.0.0.0: gateway 11.0.0.1: File exists
2023-01-03 22:43:11.427638 /sbin/route add -net 10.0.0.0 11.0.0.1 255.255.0.0
add net 10.0.0.0: gateway 11.0.0.1
22:43:11 *Tunnelblick: **********************************************
22:43:11 *Tunnelblick: Start of output from client.up.tunnelblick.sh
22:43:13 *Tunnelblick: Retrieved from OpenVPN: name server(s) [ 10.0.0.2 ], search domain(s) [ ] and SMB server(s) [ ] and using default domain name [ openvpn ]
22:43:13 *Tunnelblick: WARNING: Ignoring ServerAddresses '10.0.0.2' because ServerAddresses was set manually and '-allowChangesToManuallySetNetworkSettings' was not specified
22:43:13 *Tunnelblick: Setting search domains to 'openvpn' because the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected
22:43:15 *Tunnelblick: Saved the DNS and SMB configurations so they can be restored
22:43:15 *Tunnelblick: Did not change DNS ServerAddresses setting of '11.0.0.1' (but re-set it)
22:43:15 *Tunnelblick: Changed DNS SearchDomains setting from '' to 'openvpn'
22:43:15 *Tunnelblick: Changed DNS DomainName setting from '' to 'openvpn'
22:43:15 *Tunnelblick: Did not change SMB NetBIOSName setting of ''
22:43:15 *Tunnelblick: Did not change SMB Workgroup setting of ''
22:43:15 *Tunnelblick: Did not change SMB WINSAddresses setting of ''
22:43:15 *Tunnelblick: DNS servers '11.0.0.1' were set manually
22:43:15 *Tunnelblick: DNS servers '11.0.0.1' will be used for DNS queries when the VPN is active
22:43:15 *Tunnelblick: NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
22:43:15 *Tunnelblick: Flushed the DNS cache via dscacheutil
22:43:15 *Tunnelblick: /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
22:43:15 *Tunnelblick: Notified mDNSResponder that the DNS cache was flushed
22:43:15 *Tunnelblick: Not notifying mDNSResponderHelper that the DNS cache was flushed because it is not running
22:43:15 *Tunnelblick: Setting up to monitor system configuration with process-network-changes
22:43:15 *Tunnelblick: End of output from client.up.tunnelblick.sh
22:43:15 *Tunnelblick: **********************************************
2023-01-03 22:43:15.324027 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-01-03 22:43:15.324045 Initialization Sequence Completed
2023-01-03 22:43:15.324064 MANAGEMENT: >STATE:1672765995,CONNECTED,SUCCESS,11.0.0.2,*****,443,,
2023-01-03 22:43:16.548770 *Tunnelblick: DNS address 11.0.0.1 is being routed through the VPN
2023-01-03 22:43:39.228943 *Tunnelblick: Disconnecting; VPN Details… window disconnect button pressed
Routing table without VPN
Internet:
Destination Gateway Flags Netif Expire
default 192.168.29.1 UGScg en0
127 127.0.0.1 UCS lo0
127.0.0.1 127.0.0.1 UH lo0
169.254 link#15 UCS en0 !
192.168.29 link#15 UCS en0 !
192.168.29.1/32 link#15 UCS en0 !
192.168.29.1 8c:a3:99:43:d4:c6 UHLWIir en0 1189
192.168.29.3 62:86:e7:b7:95:3 UHLWIi en0 46
192.168.29.41 d6:e3:d9:51:75:9f UHLWI en0 325
192.168.29.50/32 link#15 UCS en0 !
192.168.29.53 16:c2:44:9f:bd:5c UHLWI en0 82
192.168.29.130 9e:df:ca:48:30:f1 UHLWI en0 84
192.168.29.223 d6:78:7e:8a:b1:1 UHLWI en0 934
192.168.29.255 ff:ff:ff:ff:ff:ff UHLWbI en0 !
224.0.0/4 link#15 UmCS en0 !
224.0.0.251 1:0:5e:0:0:fb UHmLWI en0
239.255.255.250 1:0:5e:7f:ff:fa UHmLWI en0
255.255.255.255/32 link#15 UCS en0 !
Routing table with VPN
Internet:
Destination Gateway Flags Netif Expire
default 192.168.29.1 UGScg en0
10/16 11.0.0.129 UGSc utun7
11.0.0.128/27 11.0.0.130 UGSc utun7
11.0.0.130 11.0.0.130 UH utun7
127 127.0.0.1 UCS lo0
127.0.0.1 127.0.0.1 UH lo0
169.254 link#15 UCS en0 !
192.168.29 link#15 UCS en0 !
192.168.29.1/32 link#15 UCS en0 !
192.168.29.1 8c:a3:99:43:d4:c6 UHLWIir en0 1200
192.168.29.3 62:86:e7:b7:95:3 UHLWIi en0 1168
192.168.29.41 d6:e3:d9:51:75:9f UHLWI en0 247
192.168.29.50/32 link#15 UCS en0 !
192.168.29.53 16:c2:44:9f:bd:5c UHLWI en0 4
192.168.29.130 9e:df:ca:48:30:f1 UHLWI en0 6
192.168.29.223 d6:78:7e:8a:b1:1 UHLWI en0 856
192.168.29.255 ff:ff:ff:ff:ff:ff UHLWbI en0 !
224.0.0/4 link#15 UmCS en0 !
224.0.0.251 1:0:5e:0:0:fb UHmLWI en0
239.255.255.250 1:0:5e:7f:ff:fa UHmLWI en0
255.255.255.255/32 link#15 UCS en0 !
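The log and routing tables above carry the evidence needed to answer the question, and the following script (an added example, not part of the original post) extracts it: which DNS server the endpoint pushed, which server Tunnelblick actually used, and whether Internet-bound traffic and the effective DNS server are reached through the tunnel interface at all. The sample log lines and routing table embedded below are constructed from excerpts of the output above; `198.51.100.1` is a documentation address used only to probe the default route.

```python
import ipaddress
import re

# Constructed sample: excerpts modelled on the Tunnelblick/OpenVPN log above.
SAMPLE_LOG = """\
2023-01-03 22:43:11.190001 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.0.0.2,route 0.0.0.0 0.0.0.0,route 10.0.0.0 255.255.0.0,route-gateway 11.0.0.1,topology subnet,ping 1,ping-restart 20,ifconfig 11.0.0.2 255.255.255.224,peer-id 0,cipher AES-256-GCM'
22:43:13 *Tunnelblick: WARNING: Ignoring ServerAddresses '10.0.0.2' because ServerAddresses was set manually and '-allowChangesToManuallySetNetworkSettings' was not specified
22:43:15 *Tunnelblick: DNS servers '11.0.0.1' will be used for DNS queries when the VPN is active
"""

# Constructed sample: the relevant rows of the "with VPN" netstat -rn output above.
SAMPLE_ROUTES = """\
Destination Gateway Flags Netif Expire
default 192.168.29.1 UGScg en0
10/16 11.0.0.129 UGSc utun7
11.0.0.128/27 11.0.0.130 UGSc utun7
11.0.0.130 11.0.0.130 UH utun7
127 127.0.0.1 UCS lo0
192.168.29 link#15 UCS en0 !
"""


def parse_push_reply(log_text):
    """Extract the DNS servers and routes the OpenVPN server pushed (PUSH_REPLY)."""
    m = re.search(r"PUSH_REPLY,([^']*)'", log_text)
    result = {"dns": [], "routes": []}
    if not m:
        return result
    for opt in m.group(1).split(","):
        parts = opt.split()
        if parts[:2] == ["dhcp-option", "DNS"]:
            result["dns"].append(parts[2])
        elif parts[0] == "route" and len(parts) >= 3:
            # "route <network> <netmask>" -> CIDR; ipaddress accepts a dotted netmask
            result["routes"].append(str(ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}")))
    return result


def normalize_destination(dest):
    """Expand BSD netstat shorthand ('10/16', '127', '192.168.29', 'default') into a network."""
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not plen:
        # No prefix given: a full address is a host route, a truncated one is classful
        plen = 32 if len(octets) == 4 else 8 * len(octets)
    octets += ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network(f"{'.'.join(octets)}/{plen}", strict=False)


def parse_routing_table(text):
    """Return (network, gateway, interface) tuples from netstat -rn output."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] == "Destination":
            continue
        try:
            routes.append((normalize_destination(cols[0]), cols[1], cols[3]))
        except ValueError:
            continue  # IPv6 or link-layer rows are not handled here
    return routes


def lookup(routes, ip):
    """Longest-prefix match: the route the kernel would pick for ip."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for net, gw, netif in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    return best


def diagnose(log_text, route_text):
    """Compare what the server pushed with what the client applied and report mismatches."""
    pushed = parse_push_reply(log_text)
    ignored = re.findall(r"Ignoring ServerAddresses '([^']+)'", log_text)
    effective = []
    for m in re.findall(r"DNS servers '([^']+)' will be used", log_text):
        effective.extend(m.split())
    routes = parse_routing_table(route_text)
    findings = []
    if ignored:
        findings.append(f"pushed DNS {ignored} ignored: DNS is set manually on the client")
    inet = lookup(routes, "198.51.100.1")  # documentation address standing in for "the Internet"
    if inet and not inet[2].startswith("utun"):
        findings.append(f"Internet-bound traffic leaves via {inet[2]} ({inet[1]}), not the tunnel")
    for server in effective:
        hit = lookup(routes, server)
        if hit is None or not hit[2].startswith("utun"):
            findings.append(f"DNS server {server} is not reached through the tunnel (route: {hit})")
    return {"pushed": pushed, "effective_dns": effective, "findings": findings}


if __name__ == "__main__":
    for line in diagnose(SAMPLE_LOG, SAMPLE_ROUTES)["findings"]:
        print("finding:", line)
```

Run against the sample, the script reports three things the logs already say but that are easy to miss when reading them by hand: the endpoint pushed the VPC resolver 10.0.0.2 but Tunnelblick kept the manually configured 11.0.0.1; the default route in the captured table still points at the LAN gateway on en0; and 11.0.0.1 falls outside every utun7 route, so DNS queries to it are sent out the LAN interface where nothing answers. Swap in your own log and `netstat -rn` output to check a live session.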
Answer 1
Check the security group rules used for your Client VPN endpoint. They should allow outbound traffic to the Internet. If they do not, add an outbound rule allowing traffic to 0.0.0.0/0 for HTTP and HTTPS.
You also need to create an Internet gateway and attach it to your VPC, so your solution will look like this:
Read the AWS VPN Administrator Guide on Internet access for more details.
Answer 2
I had the same problem. I enabled custom DNS and set the Google DNS servers, 8.8.8.8 and 8.8.4.4, and it started working properly.