Ubuntu
OpenVPN - Linux 客戶端連接但無法訪問網際網路,路由問題
我使用網關選項安裝了 OpenVPN 伺服器很長一段時間,所有網際網路流量都通過該選項路由。
它適用於 Windows 和我的 Android 手機等客戶端機器,但我的 ubuntu 筆記本上的相同 Open VPN 客戶端配置似乎不起作用。客戶端連接到 vpn 伺服器,但網際網路流量似乎沒有被路由。
連接處於活動狀態時 Ping vpn 伺服器確實有效:ping 10.8.0.1
所以我不確定缺少什麼。到目前為止,我嘗試了以下選項
- 向客戶端添加路由配置:路由 10.8.0.0/24
- 嘗試通過控制台添加路由配置: sudo route add -net 10.8.0.0/24 gw 10.8.0.1 dev tun0 但它變成了一個錯誤,即儘管 vpn 已啟動並正在執行,但網路無法訪問
- 在我的 ubuntu 客戶端上關閉防火牆
任何幫助或提示表示讚賞。謝謝
伺服器配置:
port 443 proto tcp dev tun ca ... cert ... key ... dh ... server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "redirect-gateway def1 bypasss-dhcp" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" client-to-client keepalive 10 120 comp-lzo persist-key persist-tun status ... log ... verb 3客戶端配置:
client dev tun proto tcp remote www.serverdomain.com 443 resolv-retry infinite nobind persist-key persist-tun comp-lzo verb 3 remote-cert-tls server # route 10.8.0.0/24 --> adding such a route made no difference客戶端 ifconfig:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:10.8.0.10 P-t-P:10.8.0.9 Mask:255.255.255.255 inet6 addr: fe80::b393:268c:61db:72d4/64 Scope:Link UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:47 errors:0 dropped:0 overruns:0 frame:0 TX packets:93 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:4394 (4.3 KB) TX bytes:7012 (7.0 KB) wlp1s0 Link encap:Ethernet HWaddr a4:34:d9:5c:9d:06 inet addr:192.168.0.130 Bcast:192.168.0.255 Mask:255.255.255.0 inet6 addr: fe80::5e97:3a8f:9596:8c30/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:24879 errors:0 dropped:0 overruns:0 frame:0 TX packets:17473 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:14983497 (14.9 MB) TX bytes:2721828 (2.7 MB)客戶端日誌輸出:
Thu Nov 3 21:03:25 2016 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb 2 2016 Thu Nov 3 21:03:25 2016 library versions: OpenSSL 1.0.2g-fips 1 Mar 2016, LZO 2.08 Thu Nov 3 21:03:25 2016 Socket Buffers: R=[87380->87380] S=[16384->16384] Thu Nov 3 21:03:25 2016 Attempting to establish TCP connection with [AF_INET]188.62.xx.xx:443 [nonblock] Thu Nov 3 21:03:26 2016 TCP connection established with [AF_INET]188.62.xx.xx:443 Thu Nov 3 21:03:26 2016 TCPv4_CLIENT link local: [undef] Thu Nov 3 21:03:26 2016 TCPv4_CLIENT link remote: [AF_INET]188.62.xx.xx:443 Thu Nov 3 21:03:26 2016 TLS: Initial packet from [AF_INET]188.62.xx.xx:443, sid=ff1258e5 f87eeaf5 Thu Nov 3 21:03:26 2016 VERIFY OK: depth=1, C=CH, ST=ZH, L=Hinwil, O=xxx, OU=IT, CN=xxxx, name=xxxx, emailAddress=xxxx.ch Thu Nov 3 21:03:26 2016 Validating certificate key usage Thu Nov 3 21:03:26 2016 ++ Certificate has key usage 00a0, expects 00a0 Thu Nov 3 21:03:26 2016 VERIFY KU OK Thu Nov 3 21:03:26 2016 Validating certificate extended key usage Thu Nov 3 21:03:26 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Thu Nov 3 21:03:26 2016 VERIFY EKU OK Thu Nov 3 21:03:26 2016 VERIFY OK: depth=0, C=CH, ST=ZH, L=Hinwil, O=xxxx, OU=IT, CN=xxxx, name=xxxxx, emailAddress=xxxx.ch Thu Nov 3 21:03:26 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key Thu Nov 3 21:03:26 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Thu Nov 3 21:03:26 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key Thu Nov 3 21:03:26 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Thu Nov 3 21:03:26 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA Thu Nov 3 21:03:26 2016 [xxxx] Peer Connection Initiated with [AF_INET]188.62.xx.xx:443 Thu Nov 3 21:03:28 2016 SENT CONTROL [diabolo]: 'PUSH_REQUEST' (status=1) Thu Nov 3 21:03:29 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' Thu Nov 3 21:03:29 2016 OPTIONS IMPORT: timers and/or timeouts modified Thu Nov 3 21:03:29 2016 OPTIONS IMPORT: --ifconfig/up options modified Thu Nov 3 21:03:29 2016 OPTIONS IMPORT: route options modified Thu Nov 3 21:03:29 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified Thu Nov 3 21:03:29 2016 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=wlp1s0 HWADDR=a4:34:d9:5c:9d:06 Thu Nov 3 21:03:29 2016 TUN/TAP device tun0 opened Thu Nov 3 21:03:29 2016 TUN/TAP TX queue length set to 100 Thu Nov 3 21:03:29 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 Thu Nov 3 21:03:29 2016 /sbin/ip link set dev tun0 up mtu 1500 Thu Nov 3 21:03:29 2016 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5 Thu Nov 3 21:03:29 2016 /sbin/ip route add 188.62.79.43/32 via 192.168.0.1 Thu Nov 3 21:03:29 2016 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5 Thu Nov 3 21:03:29 2016 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5 Thu Nov 3 21:03:29 2016 /sbin/ip route add 10.8.0.0/24 via 10.8.0.5 Thu Nov 3 21:03:29 2016 Initialization Sequence Completed客戶端 netstat -rn
Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 0.0.0.0 10.8.0.9 128.0.0.0 UG 0 0 0 tun0 0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 wlp1s0 10.8.0.0 10.8.0.9 255.255.255.0 UG 0 0 0 tun0 10.8.0.9 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 128.0.0.0 10.8.0.9 128.0.0.0 UG 0 0 0 tun0 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 wlp1s0 188.62.xx.xx 192.168.0.1 255.255.255.255 UGH 0 0 0 wlp1s0 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 wlp1s0
我可以通過降低乙太網/wifi 卡的“指標”來解決這個問題。您可以通過“route”命令或使用附加工具“ ifmetric ”(sudo apt-get install ifmetric)降低網卡路由條目的指標(優先級),即 ifmetric eth0 100(0 = 最高優先級)
之後,我意識到在建立 vpn 連接時,來自 openvpn 伺服器的 DNS 條目尚未被接管。所以我四處搜尋,我找到了一個答案,您需要在 ubuntu 客戶端的配置文件中添加以下行:
script-security 2 up /etc/openvpn/update-resolv-conf down /etc/openvpn/update-resolv-conf當使用來自伺服器的推送條目建立 vpn 連接時,這會更新“/etc/resolv.conf”中的 DNS 條目。
所以它現在作為一種魅力發揮作用。