Centos
OpenVPN TLS handshake failed
I have been trying to solve this problem for a long time, but even after trying all the suggestions I found on this site, I have not solved it.
I installed OpenVPN on a CentOS server. The server also runs a squid proxy. The installation went fine, and when I start the service I can see the tun0 device in the ifconfig output:
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
But when I try to connect from the client, I get this log (with errors):
Thu Dec 29 17:02:17 2016 us=212571 OpenVPN 2.3.14 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec 7 2016
Thu Dec 29 17:02:17 2016 us=212571 Windows version 6.1 (Windows 7) 32bit
Thu Dec 29 17:02:17 2016 us=212571 library versions: OpenSSL 1.0.2i 22 Sep 2016, LZO 2.09
Enter Management Password:
Thu Dec 29 17:02:17 2016 us=213571 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu Dec 29 17:02:17 2016 us=213571 Need hold release from management interface, waiting...
Thu Dec 29 17:02:17 2016 us=686598 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Thu Dec 29 17:02:17 2016 us=787603 MANAGEMENT: CMD 'state on'
Thu Dec 29 17:02:17 2016 us=788603 MANAGEMENT: CMD 'log all on'
Thu Dec 29 17:02:17 2016 us=918611 MANAGEMENT: CMD 'hold off'
Thu Dec 29 17:02:17 2016 us=919611 MANAGEMENT: CMD 'hold release'
Thu Dec 29 17:02:17 2016 us=920611 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Dec 29 17:02:18 2016 us=124623 Control Channel Authentication: using 'tls.key' as a OpenVPN static key file
Thu Dec 29 17:02:18 2016 us=124623 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Dec 29 17:02:18 2016 us=124623 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Dec 29 17:02:18 2016 us=124623 Control Channel MTU parms [ L:1585 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Thu Dec 29 17:02:18 2016 us=124623 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Dec 29 17:02:18 2016 us=124623 Data Channel MTU parms [ L:1585 D:1450 EF:85 EB:12 ET:0 EL:3 ]
Thu Dec 29 17:02:18 2016 us=124623 Local Options String: 'V4,dev-type tun,link-mtu 1585,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA512,keysize 128,tls-auth,key-method 2,tls-client'
Thu Dec 29 17:02:18 2016 us=124623 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1585,tun-mtu 1500,proto UDPv4,keydir 0,cipher BF-CBC,auth SHA512,keysize 128,tls-auth,key-method 2,tls-server'
Thu Dec 29 17:02:18 2016 us=124623 Local Options hash (VER=V4): 'bb179ba9'
Thu Dec 29 17:02:18 2016 us=124623 Expected Remote Options hash (VER=V4): '046f7c73'
Thu Dec 29 17:02:18 2016 us=124623 UDPv4 link local: [undef]
Thu Dec 29 17:02:18 2016 us=124623 UDPv4 link remote: [AF_INET]xxx.xx.xxx.xxx:1194
Thu Dec 29 17:02:18 2016 us=124623 MANAGEMENT: >STATE:1483048938,WAIT,,,
Thu Dec 29 17:02:18 2016 us=125623 UDPv4 WRITE [86] to [AF_INET]xxx.xx.xxx.xxx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
Thu Dec 29 17:02:18 2016 us=125623 UDPv4 READ [0] from [undef]: DATA UNDEF len=-1
Thu Dec 29 17:02:20 2016 us=541761 UDPv4 WRITE [86] to [AF_INET]xxx.xx.xxx.xxx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
Thu Dec 29 17:02:24 2016 us=165968 UDPv4 WRITE [86] to [AF_INET]xxx.xx.xxx.xxx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
Thu Dec 29 17:02:32 2016 us=415440 UDPv4 WRITE [86] to [AF_INET]xxx.xx.xxx.xxx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
Thu Dec 29 17:02:48 2016 us=947386 UDPv4 WRITE [86] to [AF_INET]xxx.xx.xxx.xxx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #5 ] [ ] pid=0 DATA len=0
Thu Dec 29 17:03:18 2016 us=987104 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Dec 29 17:03:18 2016 us=987104 TLS Error: TLS handshake failed
Thu Dec 29 17:03:18 2016 us=988104 TCP/UDP: Closing socket
Thu Dec 29 17:03:18 2016 us=988104 SIGUSR1[soft,tls-error] received, process restarting
Thu Dec 29 17:03:18 2016 us=988104 MANAGEMENT: >STATE:1483048998,RECONNECTING,tls-error,,
On the server, the tcpdump output looks like this:
12:02:47.276282 IP xxx.xx.xxx.xxx.25622 > 181.176.91.192.40013: tcp 144
12:02:47.284985 IP 181.176.91.192.40013 > xxx.xx.xxx.xxx.25622: tcp 0
12:02:47.311158 IP 181.176.91.192.40013 > xxx.xx.xxx.xxx.25622: tcp 0
12:02:52.439348 IP 181.176.91.192.35608 > xxx.xx.xxx.xxx.openvpn: UDP, length 86
12:02:54.891441 IP 181.176.91.192.35608 > xxx.xx.xxx.xxx.openvpn: UDP, length 86
12:02:58.539489 IP 181.176.91.192.35608 > xxx.xx.xxx.xxx.openvpn: UDP, length 86
12:03:06.750443 IP 181.176.91.192.35608 > xxx.xx.xxx.xxx.openvpn: UDP, length 86
12:03:24.534761 IP 181.176.91.192.35608 > xxx.xx.xxx.xxx.openvpn: UDP, length 86
12:03:55.333430 IP 181.176.91.192.20300 > xxx.xx.xxx.xxx.openvpn: UDP, length 86
12:03:55.967427 IP 181.176.91.192.40013 > xxx.xx.xxx.xxx.25622: tcp 64
This is my test.ovpn file (client configuration):
client
dev tun
proto udp
remote xxx.xx.xxx.xxx 1194
resolv-retry infinite
nobind
ca ca.crt
cert test.crt
key test.key
tls-auth tls.key 1 # This file is secret
auth SHA512
verb 6
This is my server.conf file:
port 1194
proto udp
dev tun
tls-server
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
push "route 192.168.4.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
tls-auth tls.key 0 # This file is secret
auth SHA512
cipher AES-256-CBC
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 6
My iptables chains are:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 192.168.0.0/21 192.168.0.1 tcp spts:1024:65535 dpt:25622 state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 xxx.xx.xxx.xxx tcp spts:1024:65535 dpt:25622 state NEW,RELATED,ESTABLISHED
ACCEPT icmp -- 192.168.0.0/21 0.0.0.0/0 icmp type 8
ACCEPT udp -- 8.8.8.8 xxx.xx.xxx.xxx udp spt:53 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT udp -- 8.8.4.4 xxx.xx.xxx.xxx udp spt:53 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT udp -- 8.8.8.8 xxx.xx.xxx.xxx udp spt:53 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT udp -- 8.8.4.4 xxx.xx.xxx.xxx udp spt:53 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT udp -- 192.168.0.0/21 192.168.0.1 udp spts:1024:65535 dpt:53 state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.0.0/21 192.168.0.1 tcp spts:1024:65535 dpt:80 state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 xxx.xx.xxx.xxx multiport dports 1024:65535 multiport sports 80,443,7777,9443,8080,8081,2082 state RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.0.0/21 192.168.0.1 tcp spts:1024:65535 dpt:3128 state NEW,RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:1194
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,ESTABLISHED /* Allow ftp connections on port 21 */
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpts:1024:65535 ctstate ESTABLISHED /* Allow passive inbound connections */
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1194

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.0.0/21 0.0.0.0/0 tcp spts:1024:65535 dpt:25622
ACCEPT tcp -- 0.0.0.0/0 192.168.0.0/21 tcp spt:25622 dpts:1024:65535
ACCEPT tcp -- 192.168.0.0/21 0.0.0.0/0 tcp spts:1024:65535 dpt:22
ACCEPT tcp -- 0.0.0.0/0 192.168.0.0/21 tcp spt:22 dpts:1024:65535
ACCEPT tcp -- 192.168.0.0/21 0.0.0.0/0 tcp spts:1024:65535 dpt:465
ACCEPT tcp -- 0.0.0.0/0 192.168.0.0/21 tcp spt:465 dpts:1024:65535
ACCEPT tcp -- 192.168.0.0/21 0.0.0.0/0 tcp spts:1024:65535 dpt:995
ACCEPT tcp -- 0.0.0.0/0 192.168.0.0/21 tcp spt:995 dpts:1024:65535
ACCEPT icmp -- 192.168.0.0/21 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 192.168.0.0/21
ACCEPT all -- 192.168.4.129 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.4.129
ACCEPT all -- 192.168.5.240 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.5.240
ACCEPT all -- 192.168.6.0/24 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.6.0/24
ACCEPT all -- 192.168.4.130 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.4.130
ACCEPT all -- 192.168.6.30 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.6.30
ACCEPT all -- 192.168.4.147 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.4.147
ACCEPT all -- 192.168.4.207 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.4.207
ACCEPT all -- 192.168.4.236 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.4.236
ACCEPT all -- 192.168.4.173 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.4.173
ACCEPT all -- 192.168.4.249 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.4.249
ACCEPT all -- 0.0.0.0/0 200.4.212.77
ACCEPT all -- 200.4.212.77 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 190.116.32.20
ACCEPT all -- 190.116.32.20 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 190.116.32.80
ACCEPT all -- 190.116.32.80 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 200.4.212.4
ACCEPT all -- 200.4.212.4 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 190.116.32.18
ACCEPT all -- 190.116.32.18 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 190.116.32.78
ACCEPT all -- 190.116.32.78 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 200.4.212.60
ACCEPT all -- 200.4.212.60 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 190.116.32.19
ACCEPT all -- 190.116.32.19 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 190.116.32.79
ACCEPT all -- 190.116.32.79 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 200.4.212.9
ACCEPT all -- 200.4.212.9 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 190.102.140.150
ACCEPT all -- 190.102.140.150 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 200.60.55.86
ACCEPT all -- 200.60.55.86 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 190.116.49.150
ACCEPT all -- 190.116.49.150 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 54.200.140.126
ACCEPT all -- 54.200.140.126 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 190.116.32.16
ACCEPT all -- 190.116.32.16 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 190.116.32.126
ACCEPT all -- 190.116.32.126 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 181.65.139.4
ACCEPT all -- 181.65.139.4 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.230.79.80
ACCEPT all -- 192.230.79.80 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 54.200.140.126
ACCEPT all -- 54.200.140.126 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 37.187.173.57
ACCEPT all -- 37.187.173.57 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 162.254.192.0/24
ACCEPT all -- 162.254.192.0/24 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 162.254.193.0/24
ACCEPT all -- 162.254.193.0/24 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 162.254.195.0/24
ACCEPT all -- 162.254.195.0/24 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 200.37.186.41
ACCEPT all -- 200.37.186.41 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 200.37.186.41
ACCEPT all -- 200.37.186.41 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 54.213.244.47
ACCEPT all -- 54.213.244.47 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 54.68.11.110
ACCEPT all -- 54.68.11.110 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 91.121.243.46
ACCEPT all -- 91.121.243.46 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 91.121.243.46
ACCEPT all -- 91.121.243.46 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 174.142.68.52
ACCEPT all -- 174.142.68.52 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 200.37.186.41
ACCEPT all -- 200.37.186.41 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 190.116.32.47
ACCEPT all -- 190.116.32.47 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 216.58.222.0/24
ACCEPT all -- 216.58.222.0/24 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 64.233.186.0/24
ACCEPT all -- 64.233.186.0/24 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 64.233.190.147
ACCEPT all -- 64.233.190.147 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 200.48.202.52
ACCEPT all -- 200.48.202.52 0.0.0.0/0
ACCEPT all -- 192.168.4.129 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.4.129
ACCEPT all -- 192.168.5.240 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.5.240
ACCEPT all -- 192.168.6.0/24 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.6.0/24
ACCEPT all -- 192.168.4.130 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.4.130
ACCEPT all -- 192.168.6.30 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.6.30
ACCEPT all -- 192.168.4.147 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.4.147
ACCEPT all -- 192.168.4.207 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.4.207
ACCEPT all -- 192.168.4.236 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.4.236
ACCEPT all -- 192.168.4.173 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.4.173
ACCEPT all -- 192.168.4.249 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.4.249
ACCEPT all -- 0.0.0.0/0 192.168.0.8
ACCEPT all -- 192.168.0.8 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.0.8
ACCEPT all -- 192.168.0.8 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.1.246
ACCEPT all -- 192.168.1.246 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 192.168.0.1 192.168.0.0/21 tcp spt:25622 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- xxx.xx.xxx.xxx 0.0.0.0/0 tcp spt:25622 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 192.168.0.0/21 icmp type 0
ACCEPT udp -- xxx.xx.xxx.xxx 8.8.8.8 udp spts:1024:65535 dpt:53 state NEW,RELATED,ESTABLISHED
ACCEPT udp -- xxx.xx.xxx.xxx 8.8.4.4 udp spts:1024:65535 dpt:53 state NEW,RELATED,ESTABLISHED
ACCEPT udp -- xxx.xx.xxx.xxx 8.8.8.8 udp spts:1024:65535 dpt:53 state NEW,RELATED,ESTABLISHED
ACCEPT udp -- xxx.xx.xxx.xxx 8.8.4.4 udp spts:1024:65535 dpt:53 state NEW,RELATED,ESTABLISHED
ACCEPT udp -- 192.168.0.1 192.168.0.0/21 udp spt:53 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.0.1 192.168.0.0/21 tcp spt:80 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- xxx.xx.xxx.xxx 0.0.0.0/0 multiport sports 1024:65535 multiport dports 80,443,7777,9443,8080,8081,2082 state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.0.1 192.168.0.0/21 tcp spt:3128 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,ESTABLISHED /* Allow ftp connections on port 21 */
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpts:1024:65535 ctstate RELATED,ESTABLISHED /* Allow passive inbound connections */
Which one could be the problem? I'm stuck on this and it's driving me crazy.
Thanks for your help.
**Edit:** As Steffen Ullrich suggested, I'm posting my server-side openvpn.log here. The problem with this log is that it records nothing about the connection. It is written when the openvpn service starts and does not change when I try to connect from the client:
Fri Dec 30 04:16:58 2016 us=153406 OpenVPN 2.3.13 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 3 2016
Fri Dec 30 04:16:58 2016 us=153428 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
Fri Dec 30 04:16:58 2016 us=169851 Diffie-Hellman initialized with 2048 bit key
Fri Dec 30 04:16:58 2016 us=170840 Control Channel Authentication: using 'tls.key' as a OpenVPN static key file
Fri Dec 30 04:16:58 2016 us=170882 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri Dec 30 04:16:58 2016 us=170905 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri Dec 30 04:16:58 2016 us=170945 TLS-Auth MTU parms [ L:1601 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Fri Dec 30 04:16:58 2016 us=170992 Socket Buffers: R=[124928->124928] S=[124928->124928]
Fri Dec 30 04:16:58 2016 us=171938 TUN/TAP device tun0 opened
Fri Dec 30 04:16:58 2016 us=171991 TUN/TAP TX queue length set to 100
Fri Dec 30 04:16:58 2016 us=172020 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Dec 30 04:16:58 2016 us=172066 /sbin/ip link set dev tun0 up mtu 1500
Fri Dec 30 04:16:58 2016 us=174923 /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Fri Dec 30 04:16:58 2016 us=176804 Data Channel MTU parms [ L:1601 D:1450 EF:101 EB:12 ET:0 EL:3 ]
Fri Dec 30 04:16:58 2016 us=176883 UDPv4 link local (bound): [undef]
Fri Dec 30 04:16:58 2016 us=176902 UDPv4 link remote: [undef]
Fri Dec 30 04:16:58 2016 us=176929 MULTI: multi_init called, r=256 v=256
Fri Dec 30 04:16:58 2016 us=176996 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Fri Dec 30 04:16:58 2016 us=177044 Initialization Sequence Completed
It didn't really solve my problem, but it made things work. Simply opening the INPUT and OUTPUT chains in iptables with
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
let me connect to the VPN. I still don't understand which rule was blocking my connection, but now I can connect.
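One way to read a server-side capture like the one in the question before reaching for `-P ACCEPT` (added example, not code from the question or the answer): the script below parses tcpdump summary lines and separates "client packets never arrive" from "packets arrive but nothing leaves", which is the pattern in this capture and what a drop in the INPUT or OUTPUT chain produces. The sample captures are constructed; 198.51.100.7 and 203.0.113.10 are documentation placeholders for the client and server addresses.

```python
"""Triage a stalled OpenVPN UDP handshake from tcpdump summary lines."""
import re
from dataclasses import dataclass

# One tcpdump summary line per datagram; hex-dump lines (0x0000: ...) never match.
PKT_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): UDP, length (?P<len>\d+)")
# tcpdump prints host.port; without -n the port is a service name ("openvpn").
VPN_PORTS = {"1194", "openvpn"}

# Constructed sample: the shape of the server-side capture in the question
# (hex dumps dropped, real addresses replaced by documentation addresses).
CAPTURE_NO_REPLY = """\
12:02:52.439348 IP 198.51.100.7.35608 > 203.0.113.10.openvpn: UDP, length 86
12:02:54.891441 IP 198.51.100.7.35608 > 203.0.113.10.openvpn: UDP, length 86
12:02:58.539489 IP 198.51.100.7.35608 > 203.0.113.10.openvpn: UDP, length 86
12:03:06.750443 IP 198.51.100.7.35608 > 203.0.113.10.openvpn: UDP, length 86
12:03:24.534761 IP 198.51.100.7.35608 > 203.0.113.10.openvpn: UDP, length 86
"""
# Constructed sample of a healthy start: the server answers the first reset.
CAPTURE_HEALTHY = """\
12:10:00.000001 IP 198.51.100.7.35608 > 203.0.113.10.1194: UDP, length 86
12:10:00.004210 IP 203.0.113.10.1194 > 198.51.100.7.35608: UDP, length 74
"""

@dataclass
class UdpSummary:
    to_server: int = 0    # datagrams addressed to the VPN port
    from_server: int = 0  # datagrams sent from the VPN port

def port_of(endpoint: str) -> str:
    """'203.0.113.10.openvpn' -> 'openvpn'; '198.51.100.7.35608' -> '35608'."""
    return endpoint.rsplit(".", 1)[1]

def summarize(capture: str) -> UdpSummary:
    """Count UDP datagrams in each direction on the VPN port."""
    s = UdpSummary()
    for line in capture.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # TCP lines, hex dumps and blank lines are ignored
        if port_of(m["dst"]) in VPN_PORTS:
            s.to_server += 1
        elif port_of(m["src"]) in VPN_PORTS:
            s.from_server += 1
    return s

def diagnose(capture: str) -> str:
    """Say where the handshake stalls.

    tcpdump sees inbound packets before the INPUT chain filters them, and
    outbound packets only after the OUTPUT chain has passed them, so
    "packets arrive, nothing leaves" points at this host (INPUT drop, daemon
    not listening on that address, or OUTPUT dropping the reply), not at
    the client or the path in between.
    """
    s = summarize(capture)
    if s.to_server == 0:
        return "no-packets: client traffic never reaches this host"
    if s.from_server == 0:
        return "no-reply: packets reach the host but no answer leaves (check INPUT/OUTPUT chains and the server log)"
    return "handshake-exchanged: the firewall passes UDP, look at TLS/certificate errors instead"
```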