I have set up an OpenVPN server on CentOS 6.7.
I copied the configuration from a known working server, so I'm fairly sure the server configuration is correct.
The problem I have is that VPN clients can connect fine, but cannot access anything on the Internet.
- Clients are authenticating with certificates.
- I am pushing Google's public DNS server (8.8.8.8).
I have enabled packet forwarding in sysctl.conf:
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
I have added these iptables rules:
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE -m comment --comment "Masquerade OpenVPN traffic"
iptables -A INPUT -i tun0 -j ACCEPT -m comment --comment "Allow all incoming OpenVPN"
iptables -A FORWARD -i tun0 -j ACCEPT
tun0 is configured as follows:
$ ip address show tun0
6: tun0: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/[65534]
inet 172.16.1.1 peer 172.16.1.2/32 scope global tun0
In my openvpn.log I can see the client connecting fine:
Thu Aug 20 06:54:59 2015 us=94453 31.108.32.42:55065 [David] Peer Connection Initiated with [AF_INET]31.108.32.42:55065
Thu Aug 20 06:54:59 2015 us=94789 MULTI: new connection by client 'David' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Thu Aug 20 06:54:59 2015 us=94913 MULTI_sva: pool returned IPv4=172.16.1.6, IPv6=(Not enabled)
Thu Aug 20 06:54:59 2015 us=94991 MULTI: Learn: 172.16.1.6 -> David/31.108.32.42:55065
Thu Aug 20 06:54:59 2015 us=95013 MULTI: primary virtual IP for David/31.108.32.42:55065: 172.16.1.6
Thu Aug 20 06:55:00 2015 us=350681 David/31.108.32.42:55065 UDPv4 READ [56] from [AF_INET]31.108.32.42:55065: P_CONTROL_V1 kid=0 [ ] pid=6 DATA len=42
Thu Aug 20 06:55:00 2015 us=351165 David/31.108.32.42:55065 PUSH: Received control message: 'PUSH_REQUEST'
Thu Aug 20 06:55:00 2015 us=351212 David/31.108.32.42:55065 send_push_reply(): safe_cap=940
Thu Aug 20 06:55:00 2015 us=351282 David/31.108.32.42:55065 SENT CONTROL [David]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,route 172.16.1.1,topology net30,ping 10,ping-restart 120,ifconfig 172.16.1.6 172.16.1.5' (status=1)
If I watch tun0 with tshark I can see DNS queries being sent, but there don't seem to be any responses:
1.935018671 172.16.1.6 -> 8.8.8.8 DNS 74 Standard query 0xe4a3 A external-lhr3-1.xx.fbcdn.net
1.937067717 172.16.1.6 -> 8.8.8.8 DNS 68 Standard query 0xdbc8 A edge-chat.facebook.com
2.324716221 172.16.1.6 -> 8.8.8.8 DNS 65 Standard query 0xc98b A clients4.google.com
2.331865976 172.16.1.6 -> 8.8.8.8 DNS 65 Standard query 0x5acb AAAA clients4.google.com
2.335206663 172.16.1.6 -> 8.8.8.8 DNS 65 Standard query 0x6ba8 A clients4.google.com
2.610867667 172.16.1.6 -> 8.8.8.8 DNS 62 Standard query 0xfb5e A www.google.co.uk
2.612555200 172.16.1.6 -> 8.8.8.8 DNS 62 Standard query 0xcaf7 A www.google.co.uk
2.628983231 172.16.1.6 -> 8.8.8.8 DNS 75 Standard query 0x803d A fbcdn-photos-a-a.akamaihd.net
I can also see the packets on eth0, which has a public Internet IP:
$ tshark -i eth0 -f "host 172.16.1.6"
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
0.000000000 172.16.1.6 -> 8.8.8.8 DNS 79 Standard query 0x7afb A clients4.google.com
0.002199239 172.16.1.6 -> 8.8.8.8 DNS 74 Standard query 0x4f3c A m.facebook.com
0.003786487 172.16.1.6 -> 8.8.8.8 DNS 74 Standard query 0x7033 A m.facebook.com
0.005484385 172.16.1.6 -> 8.8.8.8 DNS 70 Standard query 0x86a1 A google.com
0.008791391 172.16.1.6 -> 8.8.8.8 DNS 74 Standard query 0x031d AAAA api.amazon.com
Again, nothing in the other direction.
The client can ping the VPN server (172.16.1.1) but nothing beyond that.
I'm not sure what else I can check.
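The eth0 capture above shows the DNS queries leaving with their private 172.16.1.6 source address, which is what an upstream router sees when no source NAT is applied on the egress interface. The following check is an added example, not part of the original question: it reads an iptables-save style dump and a sysctl fragment (both constructed here from the rules in the post) and reports whether forwarded VPN traffic would be masqueraded on the WAN interface, assumed to be eth0.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Given an iptables-save style dump
# and a sysctl fragment, report whether traffic forwarded from the VPN would be
# source-NATed on the WAN interface and whether forwarding is on at all.

# Constructed sample: the question's nat-table rule, as iptables-save would print it.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o tun0 -m comment --comment "Masquerade OpenVPN traffic" -j MASQUERADE
COMMIT'

# Constructed sample: the relevant lines of the question's sysctl.conf.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0'

# has_egress_nat DUMP IFACE: succeed if a POSTROUTING rule with "-o IFACE"
# jumps to MASQUERADE or SNAT.
has_egress_nat() {
    printf '%s\n' "$1" \
        | grep -E '^-A POSTROUTING ' \
        | grep -E -- "-o $2"'( |$)' \
        | grep -Eq -- '-j (MASQUERADE|SNAT)'
}

# forwarding_enabled SYSCTL_TEXT: succeed if net.ipv4.ip_forward is set to 1.
forwarding_enabled() {
    printf '%s\n' "$1" | grep -Eq '^net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1$'
}

# diagnose DUMP SYSCTL_TEXT WAN_IFACE VPN_IFACE: print a one-word verdict.
diagnose() {
    if ! forwarding_enabled "$2"; then
        echo "forwarding-off"       # kernel will not route between the VPN and WAN sides
    elif has_egress_nat "$1" "$3"; then
        echo "ok"                   # replies to Internet hosts can find their way back
    elif has_egress_nat "$1" "$4"; then
        echo "nat-on-vpn-iface"     # NAT is bound to the tunnel, not to the WAN side
    else
        echo "no-nat"
    fi
}

# Stand-alone usage: the question's configuration, WAN = eth0, VPN = tun0.
diagnose "$SAMPLE_NAT" "$SAMPLE_SYSCTL" eth0 tun0
```

On a live host the same functions can be fed with `iptables-save -t nat` and `sysctl net.ipv4.ip_forward` output instead of the constructed samples.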