Я следовал этому руководству, чтобы настроить сервер OpenVPN:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04
Сервер OpenVPN является VPS на Ubuntu-18.04-x86_64
Клиент Raspberry Pi 3 B+ на Raspbian Stretch Lite
Проблема: клиент успешно подключается к серверу (Initialization Sequence Completed), но нет подключения к Интернету.
Пинг www.google.com работает.
Запрашивает общедоступный IP-адрес: он выводит IP-адрес сервера.
Но загрузка чего-либо (например, с помощью wget или apt install) не работает.
Изменить: Я пытался подключиться к тому же серверу с другим клиентом (Windows 10), у меня та же проблема, не работает интернет-соединение. Я думаю, что проблема исходит от сервера (VPS), а не на стороне клиента.
server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
client.ovpn
client
dev tun
proto udp
remote XXX.XXX.XXX.XXX 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
auth SHA256
verb 3
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
<ca>
-snip-
</ca>
<cert>
-snip-
</cert>
<key>
-snip-
</key>
<tls-auth>
-snip-
</tls-auth>
/etc/sysctl.conf (сервер)
net.ipv4.ip_forward=1
/etc/ufw/before.rules (сервер)
Я добавил эти строки:
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
UFW статус (сервер)
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp LIMIT IN Anywhere
1194/udp ALLOW IN Anywhere
22/tcp (v6) LIMIT IN Anywhere (v6)
1194/udp (v6) ALLOW IN Anywhere (v6)
Вывод клиента OpenVPN во время соединения
OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.08
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Socket Buffers: R=[163840->163840] S=[163840->163840]
UDP link local: (not bound)
UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1194, sid=3eb50ad7 3b03202e
VERIFY OK: depth=1, CN=Easy-RSA CA
Validating certificate key usage
++ Certificate has key usage 00a0, expects 00a0
VERIFY KU OK
Validating certificate extended key usage
++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
VERIFY EKU OK
VERIFY OK: depth=0, CN=server
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
[server] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
OPTIONS IMPORT: peer-id set
OPTIONS IMPORT: adjusting link_mtu to 1624
OPTIONS IMPORT: data channel crypto options modified
Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
do_ifconfig, tt->did_ifconfig_ipv6_setup=0
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
/etc/openvpn/update-resolv-conf tun0 1500 1552 10.8.0.6 10.8.0.5 init
dhcp-option DNS 208.67.222.222
dhcp-option DNS 208.67.220.220
/sbin/ip route add XXX.XXX.XXX.XXX/32 via 192.168.1.1
RTNETLINK answers: File exists
ERROR: Linux route add command failed: external program exited with error status: 2
/sbin/ip route add 0.0.0.0/1 via 10.8.0.5
/sbin/ip route add 128.0.0.0/1 via 10.8.0.5
/sbin/ip route add 10.8.0.1/32 via 10.8.0.5
GID set to nogroup
UID set to nobody
Initialization Sequence Completed
Вывод клиента OpenVPN при отключении
event_wait : Interrupted system call (code=4)
/sbin/ip route del 10.8.0.1/32
RTNETLINK answers: Operation not permitted
ERROR: Linux route delete command failed: external program exited with error status: 2
/sbin/ip route del XXX.XXX.XXX.XXX/32
RTNETLINK answers: Operation not permitted
ERROR: Linux route delete command failed: external program exited with error status: 2
/sbin/ip route del 0.0.0.0/1
RTNETLINK answers: Operation not permitted
ERROR: Linux route delete command failed: external program exited with error status: 2
/sbin/ip route del 128.0.0.0/1
RTNETLINK answers: Operation not permitted
ERROR: Linux route delete command failed: external program exited with error status: 2
Closing TUN/TAP interface
/sbin/ip addr del dev tun0 local 10.8.0.6 peer 10.8.0.5
RTNETLINK answers: Operation not permitted
Linux ip addr del failed: external program exited with error status: 2
/etc/openvpn/update-resolv-conf tun0 1500 1552 10.8.0.6 10.8.0.5 init
Cannot write to /run/resolvconf/lock
WARNING: Failed running command (--up/--down): external program exited with error status: 1
Exiting due to fatal error
/etc/resolv.conf (клиент)
# Generated by resolvconf
domain home
nameserver 208.67.222.222
nameserver 208.67.220.220
nameserver 192.168.1.1
Таблица маршрутизации клиента
VPN выключен
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
XXX.XXX.XX.XX 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
VPN на
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.8.0.5 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun0
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
XXX.XXX.XX.XX 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0
128.0.0.0 10.8.0.5 128.0.0.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
mtr google.com (клиент)
Host Loss% Snt Last Avg Best Wrst StDev
1. 10.8.0.1 1.6% 62 55.3 541.2 53.9 2056. 669.3
2. 0.0% 62 55.2 561.6 54.0 2277. 685.9
3. 10.95.48.15 0.0% 62 56.3 563.4 53.9 2228. 691.4
4. 10.95.48.10 0.0% 62 57.5 577.0 55.6 2236. 688.9
5. be100-1258.gsw-1-a9.fr.eu 0.0% 62 65.4 567.7 63.2 2172. 671.9
6. ???
7. 108.170.244.193 0.0% 62 64.8 563.5 63.4 2163. 672.7
8. 216.239.59.209 0.0% 59 65.6 530.8 63.0 2162. 650.7
9. par21s11-in-f4.1e100.net 0.0% 59 64.4 522.3 63.5 2093. 647.6