Openvpn

OpenVPN client does not pass HTTP traffic through the tunnel

  • January 6, 2021

I am hosting an OpenVPN server (I followed this tutorial), and I am running into some problems on the client side.

When I use my phone as a hotspot and log in to the VPN from my Mac (using the phone's connection), everything works fine.

However, when I log in to the VPN from my home WiFi, the behaviour is very strange: I can run ssh sessions, ping anywhere I want, etc. (DNS is working). But as soon as I try to send an HTTP/HTTPS request, it is blocked, somehow... This is weird because I use the same VPN configuration! Why would the server block it this time?

I have been trying both OpenVPN Client and Tunnelblick (in all cases the client runs on my MacBook Pro with macOS Big Sur), and I run into the same problem. When I look at the logs from one connection to the other (phone hotspot vs WiFi), they are very similar and I cannot see any difference (except for the default gateway's IP, which makes sense).

Any idea what is causing this?

Here is the Tunnelblick log just in case (I replaced the OpenVPN server IP with SE.RV.ER.IP):

2020-12-30 22:32:07.120527 *Tunnelblick: macOS 11.1 (20C69); Tunnelblick 3.8.4a (build 5601)
2020-12-30 22:32:07.630497 *Tunnelblick: Attempting connection with emmanuel-mac using shadow copy; Set nameserver = 769; monitoring connection
2020-12-30 22:32:07.631264 *Tunnelblick: openvpnstart start emmanuel-mac.tblk 49877 769 0 1 0 1098032 -ptADGNWradsgnw 2.4.9-openssl-1.1.1i
2020-12-30 22:32:07.653760 *Tunnelblick: openvpnstart starting OpenVPN
2020-12-30 22:32:08.015592 OpenVPN 2.4.9 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Dec 14 2020
2020-12-30 22:32:08.015704 library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10
2020-12-30 22:32:08.017154 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:49877
2020-12-30 22:32:08.017191 Need hold release from management interface, waiting...
2020-12-30 22:32:08.257068 *Tunnelblick: openvpnstart log:
    OpenVPN started successfully.
    Command used to start OpenVPN (one argument per displayed line):
         /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.9-openssl-1.1.1i/openvpn
         --daemon
         --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Semmanuel-SLibrary-SApplication Support-STunnelblick-SConfigurations-Semmanuel--mac.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_1098032.49877.openvpn.log
         --cd /Library/Application Support/Tunnelblick/Users/emmanuel/emmanuel-mac.tblk/Contents/Resources
         --machine-readable-output
         --setenv IV_GUI_VER "net.tunnelblick.tunnelblick 5601 3.8.4a (build 5601)"
         --verb 3
         --config /Library/Application Support/Tunnelblick/Users/emmanuel/emmanuel-mac.tblk/Contents/Resources/config.ovpn
         --setenv TUNNELBLICK_CONFIG_FOLDER /Library/Application Support/Tunnelblick/Users/emmanuel/emmanuel-mac.tblk/Contents/Resources
         --verb 3
         --cd /Library/Application Support/Tunnelblick/Users/emmanuel/emmanuel-mac.tblk/Contents/Resources
         --management 127.0.0.1 49877 /Library/Application Support/Tunnelblick/dajnhpfeahklmohhfdnalmmjkfndbajhjflgbmin.mip
         --management-query-passwords
         --management-hold
         --script-security 2
         --route-up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
         --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
2020-12-30 22:32:08.268874 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:49877
2020-12-30 22:32:08.323857 MANAGEMENT: CMD 'pid'
2020-12-30 22:32:08.324000 MANAGEMENT: CMD 'auth-retry interact'
2020-12-30 22:32:08.324053 MANAGEMENT: CMD 'state on'
2020-12-30 22:32:08.324098 MANAGEMENT: CMD 'state'
2020-12-30 22:32:08.324151 MANAGEMENT: CMD 'bytecount 1'
2020-12-30 22:32:08.324988 *Tunnelblick: Established communication with OpenVPN
2020-12-30 22:32:08.355199 *Tunnelblick: >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
2020-12-30 22:32:08.358526 MANAGEMENT: CMD 'hold release'
2020-12-30 22:32:08.358727 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2020-12-30 22:32:08.361291 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2020-12-30 22:32:08.361329 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2020-12-30 22:32:08.361568 TCP/UDP: Preserving recently used remote address: [AF_INET]SE.RV.ER.IP:3000
2020-12-30 22:32:08.361690 Socket Buffers: R=[786896->786896] S=[9216->9216]
2020-12-30 22:32:08.361726 UDP link local: (not bound)
2020-12-30 22:32:08.361750 UDP link remote: [AF_INET]SE.RV.ER.IP:3000
2020-12-30 22:32:08.361793 MANAGEMENT: >STATE:1609360328,WAIT,,,,,,
2020-12-30 22:32:08.427380 MANAGEMENT: >STATE:1609360328,AUTH,,,,,,
2020-12-30 22:32:08.427445 TLS: Initial packet from [AF_INET]SE.RV.ER.IP:3000, sid=a1c1b644 16b7bcc4
2020-12-30 22:32:08.502026 VERIFY OK: depth=1, CN=OpenVPN-Homemade CA
2020-12-30 22:32:08.507011 VERIFY KU OK
2020-12-30 22:32:08.507082 Validating certificate extended key usage
2020-12-30 22:32:08.507107 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2020-12-30 22:32:08.507129 VERIFY EKU OK
2020-12-30 22:32:08.507150 VERIFY OK: depth=0, CN=SE.RV.ER.IP
2020-12-30 22:32:08.587610 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
2020-12-30 22:32:08.587887 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2020-12-30 22:32:08.588274 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
2020-12-30 22:32:08.588362 [SE.RV.ER.IP] Peer Connection Initiated with [AF_INET]SE.RV.ER.IP:3000
2020-12-30 22:32:09.876934 MANAGEMENT: >STATE:1609360329,GET_CONFIG,,,,,,
2020-12-30 22:32:09.877057 SENT CONTROL [SE.RV.ER.IP]: 'PUSH_REQUEST' (status=1)
2020-12-30 22:32:09.940358 PUSH: Received control message: 'PUSH_REPLY,block-outside-dns,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,comp-lzo no,route 192.168.255.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.255.6 192.168.255.5,peer-id 2,cipher AES-256-GCM'
2020-12-30 22:32:09.940554 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:1: block-outside-dns (2.4.9)
2020-12-30 22:32:09.940724 OPTIONS IMPORT: timers and/or timeouts modified
2020-12-30 22:32:09.940772 OPTIONS IMPORT: compression parms modified
2020-12-30 22:32:09.940808 OPTIONS IMPORT: --ifconfig/up options modified
2020-12-30 22:32:09.940839 OPTIONS IMPORT: route options modified
2020-12-30 22:32:09.940867 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2020-12-30 22:32:09.940896 OPTIONS IMPORT: peer-id set
2020-12-30 22:32:09.940924 OPTIONS IMPORT: adjusting link_mtu to 1624
2020-12-30 22:32:09.947147 OPTIONS IMPORT: data channel crypto options modified
2020-12-30 22:32:09.947187 Data Channel: using negotiated cipher 'AES-256-GCM'
2020-12-30 22:32:09.947397 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-12-30 22:32:09.947428 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-12-30 22:32:09.947790 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2020-12-30 22:32:09.947822 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2020-12-30 22:32:09.947868 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2020-12-30 22:32:09.947883 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2020-12-30 22:32:09.950540 Opened utun device utun4
2020-12-30 22:32:09.951157 MANAGEMENT: >STATE:1609360329,ASSIGN_IP,,192.168.255.6,,,,
2020-12-30 22:32:09.951198 /sbin/ifconfig utun4 delete
                          ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2020-12-30 22:32:09.969424 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2020-12-30 22:32:09.969649 /sbin/ifconfig utun4 192.168.255.6 192.168.255.5 mtu 1500 netmask 255.255.255.255 up
2020-12-30 22:32:09.974095 /sbin/route add -net SE.RV.ER.IP 10.0.0.138 255.255.255.255
                          add net SE.RV.ER.IP: gateway 10.0.0.138
2020-12-30 22:32:09.982603 /sbin/route add -net 0.0.0.0 192.168.255.5 128.0.0.0
                          add net 0.0.0.0: gateway 192.168.255.5
2020-12-30 22:32:09.985841 /sbin/route add -net 128.0.0.0 192.168.255.5 128.0.0.0
                          add net 128.0.0.0: gateway 192.168.255.5
2020-12-30 22:32:09.989094 MANAGEMENT: >STATE:1609360329,ADD_ROUTES,,,,,,
2020-12-30 22:32:09.989758 /sbin/route add -net 192.168.255.1 192.168.255.5 255.255.255.255
                          add net 192.168.255.1: gateway 192.168.255.5
                          22:32:10 *Tunnelblick:  **********************************************
                          22:32:10 *Tunnelblick:  Start of output from client.up.tunnelblick.sh
                          22:32:12 *Tunnelblick:  Disabled IPv6 for 'LPSS Serial Adapter (1)'
                          22:32:12 *Tunnelblick:  Disabled IPv6 for 'LPSS Serial Adapter (2)'
                          22:32:12 *Tunnelblick:  Disabled IPv6 for 'USB 10/100/1000 LAN'
                          22:32:12 *Tunnelblick:  Disabled IPv6 for 'Wi-Fi'
                          22:32:12 *Tunnelblick:  Disabled IPv6 for 'Bluetooth PAN'
                          22:32:12 *Tunnelblick:  Disabled IPv6 for 'Thunderbolt Bridge'
                          22:32:12 *Tunnelblick:  Retrieved from OpenVPN: name server(s) [ 8.8.8.8 8.8.4.4 ], search domain(s) [ ] and SMB server(s) [ ] and using default domain name [ openvpn ]
                          22:32:12 *Tunnelblick:  Not aggregating ServerAddresses because running on macOS 10.6 or higher
                          22:32:12 *Tunnelblick:  Setting search domains to 'openvpn' because the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected
                          22:32:14 *Tunnelblick:  Saved the DNS and SMB configurations so they can be restored
                          22:32:14 *Tunnelblick:  Changed DNS ServerAddresses setting from '10.0.0.138' to '8.8.8.8 8.8.4.4'
                          22:32:14 *Tunnelblick:  Changed DNS SearchDomains setting from 'Home' to 'openvpn'
                          22:32:14 *Tunnelblick:  Changed DNS DomainName setting from '' to 'openvpn'
                          22:32:14 *Tunnelblick:  Did not change SMB NetBIOSName setting of ''
                          22:32:14 *Tunnelblick:  Did not change SMB Workgroup setting of ''
                          22:32:14 *Tunnelblick:  Did not change SMB WINSAddresses setting of ''
                          22:32:14 *Tunnelblick:  DNS servers '8.8.8.8 8.8.4.4' will be used for DNS queries when the VPN is active
                          22:32:14 *Tunnelblick:  The DNS servers include only free public DNS servers known to Tunnelblick.
                          22:32:14 *Tunnelblick:  Flushed the DNS cache via dscacheutil
                          22:32:14 *Tunnelblick:  /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                          22:32:14 *Tunnelblick:  Notified mDNSResponder that the DNS cache was flushed
                          22:32:14 *Tunnelblick:  Not notifying mDNSResponderHelper that the DNS cache was flushed because it is not running
                          22:32:14 *Tunnelblick:  Setting up to monitor system configuration with process-network-changes
                          22:32:14 *Tunnelblick:  End of output from client.up.tunnelblick.sh
                          22:32:14 *Tunnelblick:  **********************************************
2020-12-30 22:32:14.354487 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2020-12-30 22:32:14.354550 Initialization Sequence Completed
2020-12-30 22:32:14.354625 MANAGEMENT: >STATE:1609360334,CONNECTED,SUCCESS,192.168.255.6,SE.RV.ER.IP,3000,,
2020-12-30 22:32:15.585018 *Tunnelblick: Routing info stdout:
  route to: 127.0.0.1
destination: 127.0.0.1
 interface: lo0
     flags: <UP,HOST,DONE,LOCAL>
recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
  49152     49152         0         7        14         0     16384         0 
stderr:

2020-12-30 22:32:15.589686 *Tunnelblick: Warning: DNS server address 127.0.0.1 is not a public IP address and is not being routed through the VPN.


2020-12-30 22:32:15.689957 *Tunnelblick: DNS address 8.8.4.4 is being routed through the VPN
2020-12-30 22:32:15.796318 *Tunnelblick: DNS address 8.8.8.8 is being routed through the VPN
2020-12-30 22:32:58.125526 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's name after connecting.
2020-12-30 22:33:36.295807 *Tunnelblick: An error occurred fetching IP address information using the ipInfo host's IP address after connecting

Thanks for your help!

@bitinerant's comment helped me find the solution.

Following this post, I was able to set the MTU to the correct value, which made the connection work properly.

Source: https://serverfault.com/questions/1048095
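The symptom in the thread (ssh and ping work, HTTP/HTTPS stalls) is the classic signature of a path MTU problem: small packets cross the tunnel, full-size ones are silently dropped. The script below is an added example, not the poster's code or anything from the linked post. It binary-searches the largest ICMP payload that crosses a path with the Don't-Fragment bit set, the same measurement you need before choosing an OpenVPN `tun-mtu`/`mssfix` value. It assumes `ping -D` on macOS and `ping -M do` on Linux set DF (both exist on those platforms), and assumes the upper probe size 1473 fails, which holds on any path whose MTU is at most the usual 1500 bytes (the target host `192.0.2.1` in the usage line is a documentation address, not a real server).

```sh
#!/bin/sh
# Path-MTU probe by binary search over DF-flagged pings.

# probe_df HOST SIZE
# Returns 0 if one ping with a SIZE-byte payload and DF set is answered,
# non-zero if it is dropped (fragmentation needed) or the OS is unsupported.
probe_df() {
    host=$1; size=$2
    case "$(uname -s)" in
        Darwin) ping -c 1 -D    -s "$size" "$host" >/dev/null 2>&1 ;;
        Linux)  ping -c 1 -M do -s "$size" "$host" >/dev/null 2>&1 ;;
        *)      return 2 ;;
    esac
}

# find_max_payload HOST [PROBE]
# Prints the largest payload size for which PROBE succeeds.
# Invariant: lo always succeeds (a 0-byte payload always fits),
# hi always fails (assumption: 1473 + 28 = 1501 bytes exceeds the path MTU).
# PROBE defaults to probe_df; passing another function name lets the
# search be exercised without network access.
find_max_payload() {
    host=$1; probe=${2:-probe_df}
    lo=0; hi=1473
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$host" "$mid"; then
            lo=$mid
        else
            hi=$mid
        fi
    done
    echo "$lo"
}

# payload_to_mtu PAYLOAD
# ICMP echo payload + 8-byte ICMP header + 20-byte IPv4 header = path MTU.
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# Usage (requires network; 192.0.2.1 is a placeholder for your VPN server):
#   payload=$(find_max_payload 192.0.2.1)
#   echo "path MTU to server: $(payload_to_mtu "$payload")"
```

Run it twice: once from the host against the OpenVPN server's public address (the outer path), and once from inside the tunnel against an address behind the server. If the first number is below 1500, the server's `tun-mtu`/`mssfix` have to be lowered as the linked post describes; the exact values depend on the cipher and framing overhead, so re-measure through the tunnel after changing them rather than trusting arithmetic alone.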