
OpenVPN:連接時客戶端無法 ping 4.2.2.2

  • August 10, 2020

我的客戶端連線到 VPN 後無法存取網際網路。我已經設定了

push "redirect-gateway def1"

root@vortex:/home# cat /proc/sys/net/ipv4/ip_forward
1

也就是說，核心的 IPv4 轉發已經開啟。

伺服器和客戶端連線良好且沒有錯誤，並且可以透過 VPN 互相 ping，但僅止於此。

root@vortex:/home# cat /etc/openvpn/server.conf

mode server
tls-server
port 1194
proto udp
dev tun

#ca      /usr/share/easy-rsa/keys/ca.crt    # generated keys
#cert    /usr/share/easy-rsa/keys/server.crt
#key     /usr/share/easy-rsa/keys/server.key  # keep secret
#dh      /usr/share/easy-rsa/keys/dh2048.pem

ca      /pki/ca.crt
cert    /pki/issued/vortex.trade.com.crt
key     /pki/private/vortex.trade.com.key
dh      /pki/dh.pem

server 10.9.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo         # Compression - must be turned on at both end
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 1  # verbose mode
user nobody
group nogroup
client-config-dir /etc/openvpn/ccd
client-to-client
push "redirect-gateway def1"
push "redirect-gateway bypass-dhcp"
push "route 192.168.0.0 255.255.255.0"
#push "dhcp-option DNS 188.120.247.2"
#push "dhcp-option DNS 188.120.247.8"
#push "dhcp-option DNS 82.146.59.250"
push "dhcp-option DNS 4.2.2.2"

log /var/log/openvpn/openvpn.log

root@vortex:/home# cat /etc/iptables/rules.v4

# Generated by iptables-save v1.6.0 on Mon Jul 20 07:13:41 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j DROP
-A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 443 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED -m udp --sport 695 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 3128 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 6667 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 9001 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 9030 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied: "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -s 10.9.8.0/24 -i tun0 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.9.8.14/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied: "
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 2222 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED -m udp --sport 1194 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 443 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 695 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3128 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 6667 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 9001 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 9030 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_OUTPUT_denied: "
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Mon Jul 20 07:13:41 2020
# Generated by iptables-save v1.6.0 on Mon Jul 20 07:13:41 2020
*nat
:PREROUTING ACCEPT [58:7571]
:INPUT ACCEPT [8:2109]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [2:120]
COMMIT
# Completed on Mon Jul 20 07:13:41 2020
# Generated by iptables-save v1.6.0 on Mon Jul 20 07:13:41 2020
*mangle
:PREROUTING ACCEPT [254:43256]
:INPUT ACCEPT [216:40502]
:FORWARD ACCEPT [7:420]
:OUTPUT ACCEPT [93:16424]
:POSTROUTING ACCEPT [100:16844]
COMMIT
# Completed on Mon Jul 20 07:13:41 2020

這個問題似乎是在安裝 knockd 之後才出現的，但我不確定。

root@vortex:/home# cat /etc/knockd.conf

[options]
       UseSyslog
   Interface = IFACE
[SSH]
       sequence = 90,90,90
       seq_timeout = 15
       tcpflags = syn
       start_command = /sbin/iptables -I INPUT -i eth0 -s %IP% -p tcp --dport 2222 -j ACCEPT
       stop_command = /sbin/iptables -D INPUT -i eth0 -s %IP% -p tcp --dport 2222 -j ACCEPT
       cmd_timeout = 20

客戶端：

root@Inspiron-laptop:/home/# cat /etc/openvpn/client.conf 
client
remote 188.120.224.182
dev tun
#ifconfig 10.9.8.2 10.9.8.1
nobind
#persist-key
#persist-tun
tls-client
ca /etc/openvpn/ca.crt
cert /etc/openvpn/dell.trade.com.crt
key /etc/openvpn/dell.trade.com.key
comp-lzo
verb 3
redirect-gateway def1
ping-restart 60
log /var/log/openvpn/openvpn.log

隧道介面看起來正常：

root@Inspiron-laptop:/home/# ifconfig

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
       inet 127.0.0.1  netmask 255.0.0.0
       inet6 ::1  prefixlen 128  scopeid 0x10<host>
       loop  txqueuelen 1000  (Local Loopback)
       RX packets 1044649  bytes 565199288 (565.1 MB)
       RX errors 0  dropped 0  overruns 0  frame 0
       TX packets 1044649  bytes 565199288 (565.1 MB)
       TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
       inet 10.9.8.10  netmask 255.255.255.255  destination 10.9.8.9
       inet6 fe80::82a9:e454:8136:6d9f  prefixlen 64  scopeid 0x20<link>
       unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
       RX packets 0  bytes 0 (0.0 B)
       RX errors 0  dropped 0  overruns 0  frame 0
       TX packets 29  bytes 4077 (4.0 KB)
       TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
       inet 192.168.43.160  netmask 255.255.255.0  broadcast 192.168.43.255
       inet6 fe80::3fdf:a130:31c3:32eb  prefixlen 64  scopeid 0x20<link>
       inet6 2600:100a:b128:d429:ef84:249c:a98d:f078  prefixlen 64  scopeid 0x0<global>
       inet6 2600:100a:b128:d429:9cdb:5dbf:2415:6022  prefixlen 64  scopeid 0x0<global>
       ether dc:53:60:6d:f3:62  txqueuelen 1000  (Ethernet)
       RX packets 7446346  bytes 5129002739 (5.1 GB)
       RX errors 0  dropped 212149  overruns 0  frame 0
       TX packets 4900063  bytes 859603059 (859.6 MB)
       TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlx1cbfcebf5fba: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
       inet 192.168.43.25  netmask 255.255.255.0  broadcast 192.168.43.255
       inet6 2600:100a:b128:d429:fc6e:cdca:d721:6d6c  prefixlen 64  scopeid 0x0<global>
       inet6 fe80::fde3:a1d3:3dc5:56ec  prefixlen 64  scopeid 0x20<link>
       inet6 2600:100a:b128:d429:c93:106a:f84a:4f78  prefixlen 64  scopeid 0x0<global>
       ether 1c:bf:ce:bf:5f:ba  txqueuelen 1000  (Ethernet)
       RX packets 526561  bytes 480490738 (480.4 MB)
       RX errors 0  dropped 0  overruns 0  frame 0
       TX packets 456675  bytes 94595265 (94.5 MB)
       TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

連線後，我可以從客戶端透過隧道 ping 到 VPN 伺服器的 WAN 介面。

root@Inspiron-laptop:/home/# ping 188.120.224.182
PING 188.120.224.182 (188.120.224.182) 56(84) bytes of data.
64 bytes from 188.120.224.182: icmp_seq=1 ttl=46 time=212 ms
64 bytes from 188.120.224.182: icmp_seq=2 ttl=46 time=310 ms
64 bytes from 188.120.224.182: icmp_seq=3 ttl=46 time=329 ms
64 bytes from 188.120.224.182: icmp_seq=4 ttl=46 time=180 ms
^C
--- 188.120.224.182 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 180.428/257.780/328.903/63.126 ms

但無法到達更遠的目標：

root@Inspiron-laptop:/home/# ping 4.2.2.2
PING 4.2.2.2 (4.2.2.2) 56(84) bytes of data.
^C
--- 4.2.2.2 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5098ms

我懷疑是防火牆的問題，但我找不出原因。

您的 VPN 伺服器上缺少為 IPv4 流量做位址轉換的 NAT 規則：貼出的 rules.v4 中 nat 表的 POSTROUTING 鏈是空的，所以從 10.9.8.0/24 轉發出去的封包會帶著私有來源位址離開 eth0，回應永遠回不來。也許這條規則被刪掉了，也許你從來沒有加過，我無法判斷。但只要在 nat 表中加入像這樣的規則，IPv4 流量就應該能通了：

iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

應該就能讓你開始使用。兩點補充：第一，這條規則只存在於執行中的核心，/etc/iptables/rules.v4 是用 iptables-save 產生的檔案，請把新規則也寫回該檔案，否則重新開機後就會遺失；第二，如果只希望為 VPN 用戶端做 NAT，可以像 FORWARD 鏈中那樣加上 -s 10.9.8.0/24 限制來源，避免替其他流量做不必要的偽裝。


警告：您的 VPN 伺服器不提供 IPv6 連線。這表示您的 IPv6 流量不會經過 VPN，而會繼續走既有的本機連線。這稱為洩漏（leak），通常是一個嚴重的問題；而且從您客戶端的 ifconfig 可以看到 wlp1s0 上已經有全域 IPv6 位址（2600:…），所以這不是假設性的狀況。您需要重新設定 VPN 伺服器，為客戶端提供 IPv6 連線。

引用自:https://serverfault.com/questions/1029456