Openvpn
OpenVPN 客戶端不通過隧道傳輸 HTTP 流量
我正在託管一個 OpenVPN 伺服器(我遵循了本教程),我在客戶端遇到了一些問題。
當我將手機用作熱點並從 Mac 登錄 VPN(使用手機的連接)時,一切正常。
然而,當我從我家的 WiFi 登錄 VPN 時,行為非常奇怪:我可以執行 ssh 會話、ping 任何我想要的地方等等……(DNS 正在工作)。但是,一旦我嘗試發送 HTTP/HTTPS 請求,它就被阻止了,不知何故……這很奇怪,因為我使用相同的 VPN 配置!為什麼伺服器這次會阻止它?
我一直在嘗試使用 OpenVPN Client 和 Tunnelblick(在所有情況下,客戶端都在我的帶有 macOS Big Sur 的 Macbook pro 上執行),我遇到了同樣的問題。當我查看從一個連接到另一個連接的日誌(電話熱點與 Wifi)時,它們非常相似,我看不出有什麼區別(預設網關的 IP 除外,這是有道理的)。
知道是什麼原因造成的嗎?
以下是 Tunnelblick 的日誌,以防萬一(我將 OpenVPN 伺服器 IP 替換為 SE.RV.ER.IP):
2020-12-30 22:32:07.120527 *Tunnelblick: macOS 11.1 (20C69); Tunnelblick 3.8.4a (build 5601) 2020-12-30 22:32:07.630497 *Tunnelblick: Attempting connection with emmanuel-mac using shadow copy; Set nameserver = 769; monitoring connection 2020-12-30 22:32:07.631264 *Tunnelblick: openvpnstart start emmanuel-mac.tblk 49877 769 0 1 0 1098032 -ptADGNWradsgnw 2.4.9-openssl-1.1.1i 2020-12-30 22:32:07.653760 *Tunnelblick: openvpnstart starting OpenVPN 2020-12-30 22:32:08.015592 OpenVPN 2.4.9 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Dec 14 2020 2020-12-30 22:32:08.015704 library versions: OpenSSL 1.1.1i 8 Dec 2020, LZO 2.10 2020-12-30 22:32:08.017154 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:49877 2020-12-30 22:32:08.017191 Need hold release from management interface, waiting... 2020-12-30 22:32:08.257068 *Tunnelblick: openvpnstart log: OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line): /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.9-openssl-1.1.1i/openvpn --daemon --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Semmanuel-SLibrary-SApplication Support-STunnelblick-SConfigurations-Semmanuel--mac.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_1098032.49877.openvpn.log --cd /Library/Application Support/Tunnelblick/Users/emmanuel/emmanuel-mac.tblk/Contents/Resources --machine-readable-output --setenv IV_GUI_VER "net.tunnelblick.tunnelblick 5601 3.8.4a (build 5601)" --verb 3 --config /Library/Application Support/Tunnelblick/Users/emmanuel/emmanuel-mac.tblk/Contents/Resources/config.ovpn --setenv TUNNELBLICK_CONFIG_FOLDER /Library/Application Support/Tunnelblick/Users/emmanuel/emmanuel-mac.tblk/Contents/Resources --verb 3 --cd /Library/Application Support/Tunnelblick/Users/emmanuel/emmanuel-mac.tblk/Contents/Resources --management 127.0.0.1 49877 /Library/Application Support/Tunnelblick/dajnhpfeahklmohhfdnalmmjkfndbajhjflgbmin.mip --management-query-passwords --management-hold --script-security 2 --route-up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw 2020-12-30 22:32:08.268874 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:49877 2020-12-30 22:32:08.323857 MANAGEMENT: CMD 'pid' 2020-12-30 22:32:08.324000 MANAGEMENT: CMD 'auth-retry interact' 2020-12-30 22:32:08.324053 MANAGEMENT: CMD 'state on' 2020-12-30 22:32:08.324098 MANAGEMENT: CMD 'state' 2020-12-30 22:32:08.324151 MANAGEMENT: CMD 'bytecount 1' 2020-12-30 22:32:08.324988 *Tunnelblick: Established communication with OpenVPN 2020-12-30 22:32:08.355199 *Tunnelblick: >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info 2020-12-30 22:32:08.358526 MANAGEMENT: CMD 'hold release' 2020-12-30 22:32:08.358727 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 2020-12-30 22:32:08.361291 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication 2020-12-30 22:32:08.361329 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication 2020-12-30 22:32:08.361568 TCP/UDP: Preserving recently used remote address: [AF_INET]SE.RV.ER.IP:3000 2020-12-30 22:32:08.361690 Socket Buffers: R=[786896->786896] S=[9216->9216] 2020-12-30 22:32:08.361726 UDP link local: (not bound) 2020-12-30 22:32:08.361750 UDP link remote: [AF_INET]SE.RV.ER.IP:3000 2020-12-30 22:32:08.361793 MANAGEMENT: >STATE:1609360328,WAIT,,,,,, 2020-12-30 22:32:08.427380 MANAGEMENT: >STATE:1609360328,AUTH,,,,,, 2020-12-30 22:32:08.427445 TLS: Initial packet from [AF_INET]SE.RV.ER.IP:3000, sid=a1c1b644 16b7bcc4 2020-12-30 22:32:08.502026 VERIFY OK: depth=1, CN=OpenVPN-Homemade CA 2020-12-30 22:32:08.507011 VERIFY KU OK 2020-12-30 22:32:08.507082 Validating certificate extended key usage 2020-12-30 22:32:08.507107 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication 2020-12-30 22:32:08.507129 VERIFY EKU OK 2020-12-30 22:32:08.507150 VERIFY OK: depth=0, CN=SE.RV.ER.IP 2020-12-30 22:32:08.587610 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542' 2020-12-30 22:32:08.587887 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo' 2020-12-30 22:32:08.588274 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA 2020-12-30 22:32:08.588362 [SE.RV.ER.IP] Peer Connection Initiated with [AF_INET]SE.RV.ER.IP:3000 2020-12-30 22:32:09.876934 MANAGEMENT: >STATE:1609360329,GET_CONFIG,,,,,, 2020-12-30 22:32:09.877057 SENT CONTROL [SE.RV.ER.IP]: 'PUSH_REQUEST' (status=1) 2020-12-30 22:32:09.940358 PUSH: Received control message: 'PUSH_REPLY,block-outside-dns,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,comp-lzo no,route 192.168.255.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.255.6 192.168.255.5,peer-id 2,cipher AES-256-GCM' 2020-12-30 22:32:09.940554 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:1: block-outside-dns (2.4.9) 2020-12-30 22:32:09.940724 OPTIONS IMPORT: timers and/or timeouts modified 2020-12-30 22:32:09.940772 OPTIONS IMPORT: compression parms modified 2020-12-30 22:32:09.940808 OPTIONS IMPORT: --ifconfig/up options modified 2020-12-30 22:32:09.940839 OPTIONS IMPORT: route options modified 2020-12-30 22:32:09.940867 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified 2020-12-30 22:32:09.940896 OPTIONS IMPORT: peer-id set 2020-12-30 22:32:09.940924 OPTIONS IMPORT: adjusting link_mtu to 1624 2020-12-30 22:32:09.947147 OPTIONS IMPORT: data channel crypto options modified 2020-12-30 22:32:09.947187 Data Channel: using negotiated cipher 'AES-256-GCM' 2020-12-30 22:32:09.947397 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key 2020-12-30 22:32:09.947428 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key 2020-12-30 22:32:09.947790 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16) 2020-12-30 22:32:09.947822 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16) 2020-12-30 22:32:09.947868 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16) 2020-12-30 22:32:09.947883 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16) 2020-12-30 22:32:09.950540 Opened utun device utun4 2020-12-30 22:32:09.951157 MANAGEMENT: >STATE:1609360329,ASSIGN_IP,,192.168.255.6,,,, 2020-12-30 22:32:09.951198 /sbin/ifconfig utun4 delete ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address 2020-12-30 22:32:09.969424 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure 2020-12-30 22:32:09.969649 /sbin/ifconfig utun4 192.168.255.6 192.168.255.5 mtu 1500 netmask 255.255.255.255 up 2020-12-30 22:32:09.974095 /sbin/route add -net SE.RV.ER.IP 10.0.0.138 255.255.255.255 add net SE.RV.ER.IP: gateway 10.0.0.138 2020-12-30 22:32:09.982603 /sbin/route add -net 0.0.0.0 192.168.255.5 128.0.0.0 add net 0.0.0.0: gateway 192.168.255.5 2020-12-30 22:32:09.985841 /sbin/route add -net 128.0.0.0 192.168.255.5 128.0.0.0 add net 128.0.0.0: gateway 192.168.255.5 2020-12-30 22:32:09.989094 MANAGEMENT: >STATE:1609360329,ADD_ROUTES,,,,,, 2020-12-30 22:32:09.989758 /sbin/route add -net 192.168.255.1 192.168.255.5 255.255.255.255 add net 192.168.255.1: gateway 192.168.255.5 22:32:10 *Tunnelblick: ********************************************** 22:32:10 *Tunnelblick: Start of output from client.up.tunnelblick.sh 22:32:12 *Tunnelblick: Disabled IPv6 for 'LPSS Serial Adapter (1)' 22:32:12 *Tunnelblick: Disabled IPv6 for 'LPSS Serial Adapter (2)' 22:32:12 *Tunnelblick: Disabled IPv6 for 'USB 10/100/1000 LAN' 22:32:12 *Tunnelblick: Disabled IPv6 for 'Wi-Fi' 22:32:12 *Tunnelblick: Disabled IPv6 for 'Bluetooth PAN' 22:32:12 *Tunnelblick: Disabled IPv6 for 'Thunderbolt Bridge' 22:32:12 *Tunnelblick: Retrieved from OpenVPN: name server(s) [ 8.8.8.8 8.8.4.4 ], search domain(s) [ ] and SMB server(s) [ ] and using default domain name [ openvpn ] 22:32:12 *Tunnelblick: Not aggregating ServerAddresses because running on macOS 10.6 or higher 22:32:12 *Tunnelblick: Setting search domains to 'openvpn' because the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected 22:32:14 *Tunnelblick: Saved the DNS and SMB configurations so they can be restored 22:32:14 *Tunnelblick: Changed DNS ServerAddresses setting from '10.0.0.138' to '8.8.8.8 8.8.4.4' 22:32:14 *Tunnelblick: Changed DNS SearchDomains setting from 'Home' to 'openvpn' 22:32:14 *Tunnelblick: Changed DNS DomainName setting from '' to 'openvpn' 22:32:14 *Tunnelblick: Did not change SMB NetBIOSName setting of '' 22:32:14 *Tunnelblick: Did not change SMB Workgroup setting of '' 22:32:14 *Tunnelblick: Did not change SMB WINSAddresses setting of '' 22:32:14 *Tunnelblick: DNS servers '8.8.8.8 8.8.4.4' will be used for DNS queries when the VPN is active 22:32:14 *Tunnelblick: The DNS servers include only free public DNS servers known to Tunnelblick. 22:32:14 *Tunnelblick: Flushed the DNS cache via dscacheutil 22:32:14 *Tunnelblick: /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil 22:32:14 *Tunnelblick: Notified mDNSResponder that the DNS cache was flushed 22:32:14 *Tunnelblick: Not notifying mDNSResponderHelper that the DNS cache was flushed because it is not running 22:32:14 *Tunnelblick: Setting up to monitor system configuration with process-network-changes 22:32:14 *Tunnelblick: End of output from client.up.tunnelblick.sh 22:32:14 *Tunnelblick: ********************************************** 2020-12-30 22:32:14.354487 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this 2020-12-30 22:32:14.354550 Initialization Sequence Completed 2020-12-30 22:32:14.354625 MANAGEMENT: >STATE:1609360334,CONNECTED,SUCCESS,192.168.255.6,SE.RV.ER.IP,3000,, 2020-12-30 22:32:15.585018 *Tunnelblick: Routing info stdout: route to: 127.0.0.1 destination: 127.0.0.1 interface: lo0 flags: <UP,HOST,DONE,LOCAL> recvpipe sendpipe ssthresh rtt,msec rttvar hopcount mtu expire 49152 49152 0 7 14 0 16384 0 stderr: 2020-12-30 22:32:15.589686 *Tunnelblick: Warning: DNS server address 127.0.0.1 is not a public IP address and is not being routed through the VPN. 2020-12-30 22:32:15.689957 *Tunnelblick: DNS address 8.8.4.4 is being routed through the VPN 2020-12-30 22:32:15.796318 *Tunnelblick: DNS address 8.8.8.8 is being routed through the VPN 2020-12-30 22:32:58.125526 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's name after connecting. 2020-12-30 22:33:36.295807 *Tunnelblick: An error occurred fetching IP address information using the ipInfo host's IP address after connecting謝謝你的幫助!
@bitinerant 的評論幫助我找到了解決方案。
在這篇文章之後,我能夠將 MTU 設置為正確的值,這將使連接正常工作。