ufw阻止来自Linux主机的openvpn流量

时间:2019-05-28 22:47:59

标签: openvpn ufw

我在设置openvpn时遇到问题。客户端之间的通信正常,但是我的linux客户端无法连接到Internet。似乎其流量被openvpn服务器上的ufw阻止了。在我的Mac上,连接到同一VPN时,Internet可以正常工作。

这是/var/log/ufw.log中的消息

  

May 29 00:36:17 ubuntu-4gb-nbg1-1内核:[1208.545264] [UFW BLOCK]   IN = eth0 OUT = MAC = xxx SRC = xxx DST = xxx LEN = 40 TOS = 0x00 PREC = 0x00 TTL = 33   ID = 15564 PROTO = TCP SPT = 61366 DPT = 9299 WINDOW = 1024 RES = 0x00 SYN URGP = 0

我已将其添加到ufw的before.rules

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0 
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT

ufw / sysctl.conf 

net/ipv4/ip_forward=1

etc / sysctl.conf 

net.ipv4.ip_forward=1

/ etc / default / ufw:

DEFAULT_FORWARD_POLICY="ACCEPT"

ufw状态:

To                         Action      From
--                         ------      ----
1194/udp                   ALLOW       Anywhere                  
OpenSSH                    ALLOW       Anywhere                  
22                         ALLOW       Anywhere                  
1194                       ALLOW       Anywhere                  
1194/udp (v6)              ALLOW       Anywhere (v6)             
OpenSSH (v6)               ALLOW       Anywhere (v6)             
22 (v6)                    ALLOW       Anywhere (v6)             
1194 (v6)                  ALLOW       Anywhere (v6)

我在ubuntu框的客户端配置中添加了以下内容

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

客户端似乎启动时没有错误

Tue May 28 22:33:34 2019 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 19 2019
Tue May 28 22:33:34 2019 library versions: OpenSSL 1.1.0g  2 Nov 2017, LZO 2.08
Tue May 28 22:33:34 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue May 28 22:33:34 2019 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue May 28 22:33:34 2019 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue May 28 22:33:34 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx:1194
Tue May 28 22:33:34 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue May 28 22:33:34 2019 UDP link local: (not bound)
Tue May 28 22:33:34 2019 UDP link remote: [AF_INET]xxx:1194
Tue May 28 22:33:34 2019 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Tue May 28 22:33:34 2019 TLS: Initial packet from [AF_INET]116.203.179.130:1194, sid=b819c3e2 f0a257e9
Tue May 28 22:33:34 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue May 28 22:33:34 2019 VERIFY KU OK
Tue May 28 22:33:34 2019 Validating certificate extended key usage
Tue May 28 22:33:34 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue May 28 22:33:34 2019 VERIFY EKU OK
Tue May 28 22:33:34 2019 VERIFY OK: depth=0, CN=server
Tue May 28 22:33:34 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue May 28 22:33:34 2019 [server] Peer Connection Initiated with [AF_INET]116.203.179.130:1194
Tue May 28 22:33:35 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue May 28 22:33:35 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9,peer-id 2,cipher AES-256-GCM'
Tue May 28 22:33:35 2019 OPTIONS IMPORT: timers and/or timeouts modified
Tue May 28 22:33:35 2019 OPTIONS IMPORT: --ifconfig/up options modified
Tue May 28 22:33:35 2019 OPTIONS IMPORT: route options modified
Tue May 28 22:33:35 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue May 28 22:33:35 2019 OPTIONS IMPORT: peer-id set
Tue May 28 22:33:35 2019 OPTIONS IMPORT: adjusting link_mtu to 1624
Tue May 28 22:33:35 2019 OPTIONS IMPORT: data channel crypto options modified
Tue May 28 22:33:35 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue May 28 22:33:35 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue May 28 22:33:35 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue May 28 22:33:35 2019 ROUTE_GATEWAY 192.168.178.1/255.255.255.0 IFACE=enp4s0 HWADDR=f8:32:e4:a2:c0:c5
Tue May 28 22:33:35 2019 TUN/TAP device tun0 opened
Tue May 28 22:33:35 2019 TUN/TAP TX queue length set to 100
Tue May 28 22:33:35 2019 /sbin/ip link set dev tun0 up mtu 1500
Tue May 28 22:33:35 2019 /sbin/ip addr add dev tun0 local 10.8.0.10 peer 10.8.0.9
Tue May 28 22:33:36 2019 /etc/openvpn/update-resolv-conf tun0 1500 1552 10.8.0.10 10.8.0.9 init
Tue May 28 22:33:36 2019 /sbin/ip route add 116.203.179.130/32 via 192.168.178.1
Tue May 28 22:33:36 2019 /sbin/ip route add 0.0.0.0/1 via 10.8.0.9
Tue May 28 22:33:36 2019 /sbin/ip route add 128.0.0.0/1 via 10.8.0.9
Tue May 28 22:33:36 2019 /sbin/ip route add 10.8.0.1/32 via 10.8.0.9
Tue May 28 22:33:36 2019 GID set to nogroup
Tue May 28 22:33:36 2019 UID set to nobody
Tue May 28 22:33:36 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue May 28 22:33:36 2019 Initialization Sequence Completed

我还能尝试什么?我真的不知道该怎么看...如何使ufw正确转发外部流量?

编辑

运行wget https://www.google.com时我明白了,然后它永远挂起了

wget http://www.google.de
--2019-05-28 23:12:37--  http://www.google.de/
Resolving www.google.de (www.google.de)... 216.58.207.35, 2a00:1450:4001:824::2003
Connecting to www.google.de (www.google.de)|216.58.207.35|:80... connected.
HTTP request sent, awaiting response...

0 个答案:

没有答案
相关问题
最新问题