Openvpn
OpenVPN behind an HTTP proxy: 503
Following this excellent tutorial, I successfully set up an OpenVPN server on a DigitalOcean droplet: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04
Then I also built an HTTP proxy server with Squid on a different droplet.
When I try to connect to my VPN server, I get 503 Service Unavailable in the client's log. Also, when I try to curl my VPN server, the result is the same:
curl -I -x myproxy.com:80 http://myvpn.com:1194
or
curl -I -x myproxy.com:80 http://myvpn.com
I turned off ufw on my OpenVPN server, and the result is still the same.
Where should I fix this? My OpenVPN server? The iptables on my OpenVPN server? My Squid proxy config?
Please help..
OpenVPN server configuration.
Server config file
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
Client config file
client
dev tun
proto tcp
remote rl.rltech.xyz 1194 # domain I attached to my vpn server
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
http-proxy proxy.rltech.xyz 80 # domain I attached my proxy server (squid proxy running on port 80)
http-proxy-retry
http-proxy-timeout 5
http-proxy-option CUSTOM-HEADER Host www.googlevideo.com
http-proxy-option CUSTOM-HEADER X-Forwarded-For www.googlevideo.com
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
key-direction 1
verb 3
;mute 20
; script-security 2
; up /etc/openvpn/update-resolv-conf
; down /etc/openvpn/update-resolv-conf
; script-security 2
; up /etc/openvpn/update-systemd-resolved
; down /etc/openvpn/update-systemd-resolved
; down-pre
; dhcp-option DOMAIN-ROUTE .
<ca>
-----BEGIN CERTIFICATE-----
cert here ..
-----END CERTIFICATE-----
</ca>
iptables.sh (the only rules on my VPN server)
#!/bin/bash
iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:openvpn
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
Proxy server
squid.conf
acl SSL_ports port 1194 # OpenVPN
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 1194 # OpenVPN
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
dns_nameservers 1.1.1.1 1.0.0.1
http_access allow all
http_port 80
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
According to the documentation here, you have to use TCP together with the http-proxy directive, so try setting
proto tcp
in both the server and client configs.
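As an added example (not code from the question or the answer), a small Python check of the point the answer makes: the client, the server and the Squid proxy have to agree before an http-proxy tunnel can work. It parses the three configs (constructed here from the ones in the question, trimmed to the relevant directives) and reports each mismatch.

```python
# Added example, not from the question or the answer; configs are constructed from the post.
SERVER_CONF = """port 1194
proto udp
"""
CLIENT_CONF = """client
proto tcp
remote rl.rltech.xyz 1194   # domain I attached to my vpn server
http-proxy proxy.rltech.xyz 80
"""
SQUID_CONF = """acl SSL_ports port 1194  # OpenVPN
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
"""

def directives(text):
    """Yield (name, args) per active line; '#' comments and ';'-disabled lines are dropped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            name, *args = line.split()
            yield name, args

def first(conf, name, default):  # args of the first `name` directive, or default
    return next((a for n, a in directives(conf) if n == name), default)

def transport(conf):  # 'udp', 'tcp-server', 'tcp4', 'udp6-client' ... -> 'udp' or 'tcp'
    return first(conf, "proto", ["udp"])[0].split("-")[0].rstrip("46")

def squid_connect_ports(conf):
    """Ports Squid lets CONNECT reach (the SSL_ports acl), with 'lo-hi' ranges expanded."""
    ports = set()
    for name, args in directives(conf):
        if name == "acl" and args[:2] == ["SSL_ports", "port"]:
            for spec in args[2:]:
                lo, _, hi = spec.partition("-")
                ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def check(server, client, squid):
    """Return the mismatches that would break the proxied tunnel; [] means consistent."""
    findings, sproto, cproto = [], transport(server), transport(client)
    remote, via_proxy = first(client, "remote", []), first(client, "http-proxy", None)
    rport = int(remote[1]) if len(remote) > 1 else int(first(client, "port", ["1194"])[0])
    if via_proxy and cproto != "tcp":  # OpenVPN only tunnels TCP through an HTTP proxy
        findings.append("client: http-proxy requires proto tcp")
    if sproto != cproto:  # the configuration in the question: server udp, client tcp
        findings.append(f"proto mismatch: server listens on {sproto}, client uses {cproto}")
    if via_proxy and rport not in squid_connect_ports(squid):
        findings.append(f"squid: CONNECT to port {rport} denied (not in SSL_ports)")
    return findings
```

Run against the question's configs it reports only the udp/tcp mismatch, which is exactly what the answer tells you to change.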
Per @demathos
I deployed another OpenVPN server instance, and what is running now is:
openvpn@server - 1194/udp
openvpn@server1 - 1194/tcp
netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      733/sshd
tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN      24288/openvpn
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      616/systemd-resolve
tcp6       0      0 :::22                   :::*                    LISTEN      733/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      20175/(squid-1)
udp        0      0 127.0.0.53:53           0.0.0.0:*                           616/systemd-resolve
udp        0      0 0.0.0.0:33916           0.0.0.0:*                           20175/(squid-1)
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           19762/openvpn
udp6       0      0 :::33573                :::*                                20175/(squid-1)