OpenVPN client works on all platforms except Windows 11


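I host a VM in Azure that runs OpenVPN. I have been using it for years without any problems. I recently bought a new computer with Windows 11, and for some reason it loses its internet connection when connected to the VPN. I am using the same configuration file that currently works on my old Windows 10 computer and on my Linux computer.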

Here is my configuration file:

client
proto udp
explicit-exit-notify
remote [MYVPN].com 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_fx[...]IC name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
<ca>
-----BEGIN CERTIFICATE-----
...

The only difference I see between the Win11 and Win10 logs is that the Win10 log stops at the line "Blocking outside dns using service succeeded.", while Win11 adds the following:

Tue Jun  6 13:08:31 2023 Blocking outside dns using service succeeded.
Tue Jun  6 13:08:31 2023 C:\WINDOWS\system32\route.exe ADD [VPN_IP] MASK 255.255.255.255 192.168.1.1
Tue Jun  6 13:08:31 2023 Route addition via service succeeded
Tue Jun  6 13:08:31 2023 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1
Tue Jun  6 13:08:31 2023 Route addition via service succeeded
Tue Jun  6 13:08:31 2023 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.1
Tue Jun  6 13:08:31 2023 Route addition via service succeeded
Tue Jun  6 13:08:31 2023 Initialization Sequence Completed
Tue Jun  6 13:08:31 2023 MANAGEMENT: >STATE:1686020911,CONNECTED,SUCCESS,10.8.0.3,[VPN_IP],1194,,
Tue Jun  6 13:08:31 2023 Data Channel: cipher 'AES-128-GCM', peer-id: 0
Tue Jun  6 13:08:31 2023 Timers: ping 10, ping-restart 120
Tue Jun  6 13:08:31 2023 Protocol options: explicit-exit-notify 1

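I have tried some of the usual things, such as reinstalling, disabling the firewall, whitelisting OpenVPN and OpenVPN GUI, making sure they run as administrator, and so on.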

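The connection succeeds, but once connected I cannot browse any website, and ping 8.8.8.8 and tracert 8.8.8.8 both time out, and Windows complains that I have lost my internet connection. Note that when connected to the VPN, I want all traffic to go through it.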

When connected, the routing table appears to be updated correctly:

C:\> route print
===========================================================================
Interface List
 20...........................OpenVPN Data Channel O..load
 12...........................Wintun Userspace Tunnel
  6...00 .. .. .. .. 54 ......TAP-Windows Adapter V9
  5...98 .. .. .. .. a5 ......Microsoft Wi-Fi Direct Virtual Adapter
 18...9a .. .. .. .. a4 ......Microsoft Wi-Fi Direct Virtual Adapter #2
 16...00 .. .. .. .. 01 ......VMware Virtual Ethernet Adapter for VMnet1
 23...00 .. .. .. .. 08 ......VMware Virtual Ethernet Adapter for VMnet8
  7...98 .. .. .. .. a4 ......Intel(R) Wi-Fi 6E AX211 160MHz
 15...98 .. .. .. .. a8 ......Bluetooth Device (Personal Area Network)
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.186     40
          0.0.0.0        128.0.0.0         10.8.0.1         10.8.0.3    259
         10.8.0.0    255.255.255.0         On-link          10.8.0.3    259
         10.8.0.3  255.255.255.255         On-link          10.8.0.3    259
       10.8.0.255  255.255.255.255         On-link          10.8.0.3    259
         [VPN_IP]  255.255.255.255      192.168.1.1    192.168.1.186    296
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        128.0.0.0        128.0.0.0         10.8.0.1         10.8.0.3    259
      192.168.1.0    255.255.255.0         On-link     192.168.1.186    296
    192.168.1.186  255.255.255.255         On-link     192.168.1.186    296
    192.168.1.255  255.255.255.255         On-link     192.168.1.186    296
     192.168.60.0    255.255.255.0         On-link      192.168.60.1    291
     192.168.60.1  255.255.255.255         On-link      192.168.60.1    291
   192.168.60.255  255.255.255.255         On-link      192.168.60.1    291
     192.168.88.0    255.255.255.0         On-link      192.168.88.1    291
     192.168.88.1  255.255.255.255         On-link      192.168.88.1    291
   192.168.88.255  255.255.255.255         On-link      192.168.88.1    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link      192.168.88.1    291
        224.0.0.0        240.0.0.0         On-link      192.168.60.1    291
        224.0.0.0        240.0.0.0         On-link          10.8.0.3    259
        224.0.0.0        240.0.0.0         On-link     192.168.1.186    296
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link      192.168.88.1    291
  255.255.255.255  255.255.255.255         On-link      192.168.60.1    291
  255.255.255.255  255.255.255.255         On-link          10.8.0.3    259
  255.255.255.255  255.255.255.255         On-link     192.168.1.186    296
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
 16    291 fe80::/64                On-link
 23    291 fe80::/64                On-link
 20    259 fe80::/64                On-link
  7    296 fe80::/64                On-link
  7    296 fe80::38b:c8fa:8c0f:e7eb/128
                                    On-link
 23    291 fe80::66d1:fa0c:faf:76ae/128
                                    On-link
 16    291 fe80::7cee:ec22:fbe6:b4c5/128
                                    On-link
 20    259 fe80::9ec1:6dd9:f3c4:130b/128
                                    On-link
  1    331 ff00::/8                 On-link
 16    291 ff00::/8                 On-link
 23    291 ff00::/8                 On-link
 20    259 ff00::/8                 On-link
  7    296 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

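I don't know where else to look. It must be something specific to Windows 11, because the same file works fine on my other devices running Windows 10 and Linux. The full OpenVPN log is also below: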

Tue Jun  6 13:08:29 2023 OpenVPN 2.6.4 [git:v2.6.4/b4f749f14a8edc75] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on May 11 2023
Tue Jun  6 13:08:29 2023 Windows version 10.0 (Windows 10 or greater), amd64 executable
Tue Jun  6 13:08:29 2023 library versions: OpenSSL 3.1.0 14 Mar 2023, LZO 2.10
Tue Jun  6 13:08:29 2023 DCO version: v0
Tue Jun  6 13:08:29 2023 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Jun  6 13:08:29 2023 Need hold release from management interface, waiting...
Tue Jun  6 13:08:29 2023 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:59984
Tue Jun  6 13:08:29 2023 MANAGEMENT: CMD 'state on'
Tue Jun  6 13:08:29 2023 MANAGEMENT: CMD 'log on all'
Tue Jun  6 13:08:29 2023 MANAGEMENT: CMD 'echo on all'
Tue Jun  6 13:08:29 2023 MANAGEMENT: CMD 'bytecount 5'
Tue Jun  6 13:08:29 2023 MANAGEMENT: CMD 'state'
Tue Jun  6 13:08:29 2023 MANAGEMENT: CMD 'hold off'
Tue Jun  6 13:08:29 2023 MANAGEMENT: CMD 'hold release'
Tue Jun  6 13:08:29 2023 MANAGEMENT: >STATE:1686020909,RESOLVE,,,,,,
Tue Jun  6 13:08:29 2023 TCP/UDP: Preserving recently used remote address: [AF_INET][VPN_IP]:1194
Tue Jun  6 13:08:29 2023 ovpn-dco device [OpenVPN Data Channel Offload] opened
Tue Jun  6 13:08:29 2023 UDP link local: (not bound)
Tue Jun  6 13:08:29 2023 UDP link remote: [AF_INET][VPN_IP]:1194
Tue Jun  6 13:08:29 2023 MANAGEMENT: >STATE:1686020909,WAIT,,,,,,
Tue Jun  6 13:08:29 2023 MANAGEMENT: >STATE:1686020909,AUTH,,,,,,
Tue Jun  6 13:08:29 2023 TLS: Initial packet from [AF_INET][VPN_IP]:1194, sid=320fdc3e bf8fe132
Tue Jun  6 13:08:29 2023 VERIFY OK: depth=1, CN=cn_Kz[...]Eq
Tue Jun  6 13:08:29 2023 VERIFY KU OK
Tue Jun  6 13:08:29 2023 Validating certificate extended key usage
Tue Jun  6 13:08:29 2023 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Jun  6 13:08:29 2023 VERIFY EKU OK
Tue Jun  6 13:08:29 2023 VERIFY X509NAME OK: CN=server_fx[...]IC
Tue Jun  6 13:08:29 2023 VERIFY OK: depth=0, CN=server_fx[...]IC
Tue Jun  6 13:08:30 2023 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bit ECprime256v1, signature: ecdsa-with-SHA256
Tue Jun  6 13:08:30 2023 [server_fx[...]IC] Peer Connection Initiated with [AF_INET][VPN_IP]:1194
Tue Jun  6 13:08:30 2023 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Tue Jun  6 13:08:30 2023 TLS: tls_multi_process: initial untrusted session promoted to trusted
Tue Jun  6 13:08:31 2023 MANAGEMENT: >STATE:1686020911,GET_CONFIG,,,,,,
Tue Jun  6 13:08:31 2023 SENT CONTROL [server_fx[...]IC]: 'PUSH_REQUEST' (status=1)
Tue Jun  6 13:08:31 2023 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,redirect-gateway def1 bypass-dhcp,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.3 255.255.255.0,peer-id 0,cipher AES-128-GCM'
Tue Jun  6 13:08:31 2023 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jun  6 13:08:31 2023 OPTIONS IMPORT: route options modified
Tue Jun  6 13:08:31 2023 OPTIONS IMPORT: route-related options modified
Tue Jun  6 13:08:31 2023 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Jun  6 13:08:31 2023 interactive service msg_channel=820
Tue Jun  6 13:08:31 2023 MANAGEMENT: >STATE:1686020911,ASSIGN_IP,,10.8.0.3,,,,
Tue Jun  6 13:08:31 2023 INET address service: add 10.8.0.3/24
Tue Jun  6 13:08:31 2023 IPv4 dns servers set using service
Tue Jun  6 13:08:31 2023 IPv4 MTU set to 1500 on interface 20 using service
Tue Jun  6 13:08:31 2023 Blocking outside dns using service succeeded.
Tue Jun  6 13:08:31 2023 C:\WINDOWS\system32\route.exe ADD [VPN_IP] MASK 255.255.255.255 192.168.1.1
Tue Jun  6 13:08:31 2023 Route addition via service succeeded
Tue Jun  6 13:08:31 2023 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1
Tue Jun  6 13:08:31 2023 Route addition via service succeeded
Tue Jun  6 13:08:31 2023 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.1
Tue Jun  6 13:08:31 2023 Route addition via service succeeded
Tue Jun  6 13:08:31 2023 Initialization Sequence Completed
Tue Jun  6 13:08:31 2023 MANAGEMENT: >STATE:1686020911,CONNECTED,SUCCESS,10.8.0.3,[VPN_IP],1194,,
Tue Jun  6 13:08:31 2023 Data Channel: cipher 'AES-128-GCM', peer-id: 0
Tue Jun  6 13:08:31 2023 Timers: ping 10, ping-restart 120
Tue Jun  6 13:08:31 2023 Protocol options: explicit-exit-notify 1

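Edit: Another difference I noticed is that in the Network and Sharing Center on Windows 11, the active network shows as "OpenVPN Data Channel Offload 2" with the values "Access type: No network access" and "Connections: OpenVPN Data Channel Offload". On Windows 10 it shows as "Unidentified network" with the values "Access type: Internet" and "Connections: Ethernet and vEthernet (WSL)". Not sure whether that makes a difference.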

Answer 1

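There may be a problem with routing on your Windows 11 machine: you define the default gateway as 10.8.0.1 (the VPN server), but for the route to the VPN server it sets the gateway to your local gateway (192.168.1.1), which may confuse the routing.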

Let's try changing the following lines in the OpenVPN configuration file:

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

Answer 2

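The OpenVPN client does not seem to set up the network configuration correctly. After connecting, you need to manually change the VPN network adapter parameters so that they match how they are set on the server. Go to the [TAP-Windows Adapter V9] network adapter properties and change the IP, subnet, gateway, and DNS. Tedious, but it works.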
