Vpn

需要幫助在 Windows 伺服器上為 Android 客戶端設置 openVPN 的新設置 - VPN 無法正常工作

  • November 9, 2021

嘗試設置 OpenVPN 以將 android 設備連接回我的家庭網路。目前我可以連接到 VPN 但無法傳輸任何數據,IE 無法 ping,無法訪問站點等。這是我的伺服器配置文件

port 1234
proto udp
dev tap
dev-node tap-bridge
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem"
topology subnet
push "topology subnet"
ifconfig-pool-persist ipp.txt
server-bridge 172.26.0.2 255.255.255.248 172.26.0.3 172.26.0.5
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1

這是我的客戶端配置

client
dev tap
dev-node tap-bridge
proto udp
remote **** 1234
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
topology subnet

這是來自 VPN 伺服器的狀態視窗

Mon Nov  8 20:50:33 2021 174.215.16.183:15438 TLS: Initial packet from [AF_INET6]::ffff:174.215.16.183:15438, sid=8c2f0064 9d7a75c8
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 VERIFY OK: depth=1, CN=example.com
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 VERIFY OK: depth=0, CN=Client1
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 peer info: IV_VER=3.git::662eae9a:Release
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 peer info: IV_PLAT=android
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 peer info: IV_NCP=2
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 peer info: IV_TCPNL=1
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 peer info: IV_PROTO=2
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 peer info: IV_AUTO_SESS=1
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 peer info: IV_GUI_VER=net.openvpn.connect.android_3.2.5-7182
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 peer info: IV_SSO=openurl
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1589', remote='link-mtu 1557'
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 [Client1] Peer Connection Initiated with [AF_INET6]::ffff:174.215.16.183:15438
Mon Nov  8 20:50:33 2021 Client1/174.215.16.183:15438 MULTI_sva: pool returned IPv4=172.26.0.3, IPv6=(Not enabled)
Mon Nov  8 20:50:33 2021 Client1/174.215.16.183:15438 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Nov  8 20:50:33 2021 Client1/174.215.16.183:15438 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Nov  8 20:50:33 2021 Client1/174.215.16.183:15438 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Nov  8 20:50:33 2021 Client1/174.215.16.183:15438 PUSH: Received control message: 'PUSH_REQUEST'
Mon Nov  8 20:50:33 2021 Client1/174.215.16.183:15438 SENT CONTROL [Client1]: 'PUSH_REPLY,topology subnet,route-gateway 172.26.0.2,ping 10,ping-restart 120,ifconfig 172.26.0.3 255.255.255.248,peer-id 0,cipher AES-256-GCM' (status=1)
Mon Nov  8 20:50:33 2021 Client1/174.215.16.183:15438 MULTI: Learn: 00:01:fe:80:00:00@0 -> Client1/174.215.16.183:15438
Mon Nov  8 20:50:33 2021 Client1/174.215.16.183:15438 MULTI: Learn: 3a:ff:fe:80:00:00@0 -> Client1/174.215.16.183:15438

最後,這是來自 android 設備的日誌。

20:10:43.123 -- ----- OpenVPN Start -----

20:10:43.124 -- EVENT: CORE_THREAD_ACTIVE

20:10:43.126 -- OpenVPN core 3.git::662eae9a:Release android arm64 64-bit PT_PROXY

20:10:43.127 -- Frame=512/2048/512 mssfix-ctrl=1250

20:10:43.127 -- UNUSED OPTIONS
1 [dev-node] [tap-bridge] 
4 [resolv-retry] [infinite] 
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
13 [verb] [3] 

20:10:43.128 -- EVENT: RESOLVE

20:10:43.130 -- Contacting 1.2.3.4:1234 via UDP

20:10:43.131 -- EVENT: WAIT

20:10:43.132 -- Connecting to [example.com]:1234 (1.2.3.4) via UDPv4

20:10:43.200 -- EVENT: CONNECTING

20:10:43.204 -- Tunnel Options:V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client

20:10:43.204 -- Creds: UsernameEmpty/PasswordEmpty

20:10:43.205 -- Peer Info:
IV_VER=3.git::662eae9a:Release
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_AUTO_SESS=1
IV_GUI_VER=net.openvpn.connect.android_3.2.5-7182
IV_SSO=openurl


20:10:43.296 -- VERIFY OK: depth=1, /CN=example

20:10:43.297 -- VERIFY OK: depth=0, /CN=server

20:10:43.428 -- SSL Handshake: CN=server, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA

20:10:43.429 -- Session is ACTIVE

20:10:43.429 -- EVENT: GET_CONFIG

20:10:43.432 -- Sending PUSH_REQUEST to server...

20:10:43.486 -- OPTIONS:
0 [topology] [subnet] 
1 [route-gateway] [172.26.0.2] 
2 [ping] [10] 
3 [ping-restart] [120] 
4 [ifconfig] [172.26.0.3] [255.255.255.248] 
5 [peer-id] [0] 
6 [cipher] [AES-256-GCM] 


20:10:43.487 -- PROTOCOL OPTIONS:
 cipher: AES-256-GCM
 digest: NONE
 compress: NONE
 peer ID: 0

20:10:43.488 -- EVENT: ASSIGN_IP

20:10:43.499 -- Connected via tun

20:10:43.500 -- EVENT: CONNECTED info='example.com:6832 (1.2.3.4) via /UDPv4 on tun/172.26.0.3/ gw=[172.26.0.2/]'

20:10:43.992 -- TUN write exception: write_some: Invalid argument

20:10:44.012 -- TUN write exception: write_some: Invalid argument

20:10:44.013 -- TUN write exception: write_some: Invalid argument

當從 android 設備發送指向 VPN 伺服器(172.26.0.2)的 ping 時,我沒有得到伺服器的響應,但是伺服器日誌中的底線繼續增長,我認為 mac 地址每次 ping 都會發生變化。當嘗試從 LAN、網站、相機等請求某些內容時,也會發生這種情況。

Mon Nov  8 20:50:33 2021 Client1/174.215.16.183:15438 MULTI: Learn: 3a:ff:fe:80:00:00@0 -> Client1/174.215.16.183:15438

在 android 日誌中,最後一行只是每隔幾秒左右重複一次。

20:10:44.013 -- TUN write exception: write_some: Invalid argument

Android 無法與tap. 使用tun. 見維基

您的另一個選擇可能是在 Android 中重新編譯核心,以便支持tap.

另一個重要的考慮因素是tun效率更高。(tap虛擬乙太網)模式必須僅在絕對必要時使用。除非您確定自己需要它並且可以解釋原因,否則不要使用它。

引用自:https://serverfault.com/questions/1082986