
I have set up the following.
Stunnel on the server:
pid = /var/run/stunnel4/stunnel.pid
output = /var/log/stunnel4/stunnel.log
setuid = root
setgid = root
[openvpn]
cert=/etc/stunnel/cert.pem
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
sslVersion = TLSv1.2
key=/etc/stunnel/key.pem
accept = 0.0.0.0:8080
connect = 127.0.0.1:1194
Stunnel on the client:
output = /Volumes/HDD/Users/steve/Desktop/stunnel/stunnel.log
pid = /Volumes/HDD/Users/steve/Desktop/stunnel/stunnel.pid
client = yes
[openvpn]
sni = www.bing.com
accept = 127.0.0.1:1194
connect = 23.95.191.205:8080
And before I connect via OpenVPN, I add the IP to the gateway with (on macOS):
sudo route -n add -net 23.95.191.254/27 192.168.1.1
sudo route -n add -net 23.95.191.205/27 192.168.1.1
Then I press the "Connect" button in OpenVPN (which is set up to use 127.0.0.1 instead of the server's public IP); the connection is established (very quickly, no problems, and it connects every time I try):
But I can't load any web pages!
Here are the stunnel logs on the server:
2022.12.14 22:43:03 LOG5[27948:140462685611776]: Service [openvpn] accepted connection from 78.39.186.44:52571
2022.12.14 22:43:03 LOG5[27948:140462685611776]: connect_blocking: connected 127.0.0.1:1194
2022.12.14 22:43:03 LOG5[27948:140462685611776]: Service [openvpn] connected remote server from 127.0.0.1:46476
and on the client:
2022.12.15 02:13:03 LOG5[29]: Service [openvpn] accepted connection from 127.0.0.1:52570
2022.12.15 02:13:03 LOG5[29]: s_connect: connected 23.95.191.205:8080
2022.12.15 02:13:03 LOG5[29]: Service [openvpn] connected remote server from 192.168.1.100:52571
Here are the iptables rules:
iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
76 3114 udp2rawDwrW_46cc7010_C0 icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
285K 295M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
802 48092 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4239 300K INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4239 300K INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
4239 300K INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
399 18215 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
1640 150K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
19 1596 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
7791 506K FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
7791 506K FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
7791 506K FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
7790 506K FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
7790 506K FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
7790 506K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 ACCEPT all -- wg0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * wg0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 1709 packets, 212K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68
36495 6037K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
169K 278M OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public all -- ens160 * 0.0.0.0/0 0.0.0.0/0 [goto]
7791 506K FWDI_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
7790 506K FWDO_public all -- * ens160 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDO_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_direct (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public (2 references)
pkts bytes target prot opt in out source destination
7791 506K FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
7791 506K FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
7791 506K FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
1 84 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public (2 references)
pkts bytes target prot opt in out source destination
7790 506K FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
7790 506K FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
7790 506K FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 10.66.66.0/24 0.0.0.0/0 ctstate NEW,UNTRACKED
Chain FWDO_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
4216 297K IN_public all -- ens160 * 0.0.0.0/0 0.0.0.0/0 [goto]
23 2734 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public (2 references)
pkts bytes target prot opt in out source destination
4239 300K IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
4239 300K IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
4239 300K IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
175 10260 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
1018 61136 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:22 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW,UNTRACKED
44 2804 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6969 ctstate NEW,UNTRACKED
434 25940 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:81 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5903 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6980 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6981 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6982 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:82 ctstate NEW,UNTRACKED
53 2996 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW,UNTRACKED
1 64 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:75 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:76 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:77 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:78 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:90 ctstate NEW,UNTRACKED
375 22484 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2086 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2095 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:202 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:208 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2082 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2052 ctstate NEW,UNTRACKED
100 6252 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8880 ctstate NEW,UNTRACKED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:64731 ctstate NEW,UNTRACKED
Chain IN_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain udp2rawDwrW_46cc7010_C0 (1 references)
pkts bytes target prot opt in out source destination
76 3114 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
And here is the output of tcpdump -i tun0 before connecting with OpenVPN:
tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
And here it is after I have connected:
tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
22:45:16.360934 IP 10.8.0.2.63499 > one.one.one.one.domain: 6966+ PTR? lb._dns-sd._udp.0.1.168.192.in-addr.arpa. (58)
22:45:16.360982 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 94
22:45:16.361002 IP 10.8.0.2.53716 > one.one.one.one.domain: 47471+ PTR? 100.1.168.192.in-addr.arpa. (44)
22:45:16.361018 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 80
22:45:16.362743 IP 10.8.0.2.52330 > one.one.one.one.domain: 36750+ PTR? lb._dns-sd._udp.0.0.8.10.in-addr.arpa. (55)
22:45:16.362766 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 91
22:45:16.365807 IP 10.8.0.2.63499 > one.one.one.one.domain: 6966+ PTR? lb._dns-sd._udp.0.1.168.192.in-addr.arpa. (58)
22:45:16.365834 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 94
22:45:16.365852 IP 10.8.0.2.53716 > one.one.one.one.domain: 47471+ PTR? 100.1.168.192.in-addr.arpa. (44)
22:45:16.365868 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 80
22:45:16.368288 IP 10.8.0.2.52330 > one.one.one.one.domain: 36750+ PTR? lb._dns-sd._udp.0.0.8.10.in-addr.arpa. (55)
22:45:16.368318 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 91
22:45:16.370302 IP 10.8.0.2.52870 > one.one.one.one.domain: 14412+ PTR? 100.1.168.192.in-addr.arpa. (44)
22:45:16.523890 IP 10.8.0.2.60316 > one.one.one.one.domain: 45399+ A? gsp64-ssl.ls.apple.com. (40)
22:45:16.523967 IP 10.8.0.2.59793 > one.one.one.one.domain: 51359+ A? www.apple.com. (31)
22:45:16.524013 IP 10.8.0.2.51573 > one.one.one.one.domain: 20437+ A? 1-courier.push.apple.com. (42)
22:45:16.525081 IP 10.8.0.2.53960 > one.one.one.one.domain: 21369+ A? api.apple-cloudkit.com. (40)
22:45:16.527192 IP 10.8.0.2.50532 > one.one.one.one.domain: 26438+ A? configuration.ls.apple.com. (44)
22:45:16.529435 IP 10.8.0.2.51882 > one.one.one.one.domain: 37097+ A? 1-courier.sandbox.push.apple.com. (50)
22:45:16.531746 IP 10.8.0.2.53059 > 91.108.56.111.https: Flags [SEW], seq 338450811, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093645577 ecr 0,sackOK,eol], length 0
22:45:16.533099 IP 10.8.0.2.54112 > one.one.one.one.domain: 40715+ A? www.madrau.com. (32)
22:45:16.535849 IP 10.8.0.2.53062 > 91.108.56.111.http: Flags [SEW], seq 2456034833, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093645578 ecr 0,sackOK,eol], length 0
22:45:16.713073 IP 10.8.0.2.56939 > one.one.one.one.domain: 20658+ A? radarsubmissions.apple.com. (44)
22:45:16.713127 IP 10.8.0.2.62667 > one.one.one.one.domain: 22009+ A? init.push.apple.com. (37)
22:45:17.028509 IP 10.8.0.2.51262 > 239.255.255.250.ssdp: UDP, length 176
22:45:17.028544 IP 10.8.0.2.59809 > one.one.one.one.domain: 60079+ A? mtalk.google.com. (34)
22:45:17.132382 IP 10.8.0.2.53065 > 10.10.34.36.https: Flags [SEW], seq 3781149487, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093646161 ecr 0,sackOK,eol], length 0
22:45:17.367617 IP 10.8.0.2.63499 > one.one.one.one.domain: 6966+ PTR? lb._dns-sd._udp.0.1.168.192.in-addr.arpa. (58)
22:45:17.367668 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 94
22:45:17.367688 IP 10.8.0.2.52330 > one.one.one.one.domain: 36750+ PTR? lb._dns-sd._udp.0.0.8.10.in-addr.arpa. (55)
22:45:17.369552 IP 10.8.0.2.52870 > one.one.one.one.domain: 14412+ PTR? 100.1.168.192.in-addr.arpa. (44)
22:45:17.725973 IP 10.8.0.2.59793 > one.one.one.one.domain: 51359+ A? www.apple.com. (31)
22:45:17.726030 IP 10.8.0.2.51573 > one.one.one.one.domain: 20437+ A? 1-courier.push.apple.com. (42)
22:45:17.726055 IP 10.8.0.2.53960 > one.one.one.one.domain: 21369+ A? api.apple-cloudkit.com. (40)
22:45:17.726079 IP 10.8.0.2.50532 > one.one.one.one.domain: 26438+ A? configuration.ls.apple.com. (44)
22:45:17.726103 IP 10.8.0.2.51882 > one.one.one.one.domain: 37097+ A? 1-courier.sandbox.push.apple.com. (50)
22:45:17.726126 IP 10.8.0.2.54112 > one.one.one.one.domain: 40715+ A? www.madrau.com. (32)
22:45:17.726174 IP 10.8.0.2.56939 > one.one.one.one.domain: 20658+ A? radarsubmissions.apple.com. (44)
22:45:17.726200 IP 10.8.0.2.62667 > one.one.one.one.domain: 22009+ A? init.push.apple.com. (37)
22:45:17.726224 IP 10.8.0.2.53059 > 91.108.56.111.https: Flags [S], seq 338450811, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093646577 ecr 0,sackOK,eol], length 0
22:45:17.726249 IP 10.8.0.2.53062 > 91.108.56.111.http: Flags [S], seq 2456034833, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093646578 ecr 0,sackOK,eol], length 0
22:45:17.922321 IP 10.8.0.2.53066 > ams15s21-in-f138.1e100.net.https: Flags [SEW], seq 3014126703, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093646947 ecr 0,sackOK,eol], length 0
22:45:18.203016 IP 10.8.0.2.51262 > 239.255.255.250.ssdp: UDP, length 176
22:45:18.203060 IP 10.8.0.2.59809 > one.one.one.one.domain: 60079+ A? mtalk.google.com. (34)
22:45:18.377713 IP 10.8.0.2.53065 > 10.10.34.36.https: Flags [S], seq 3781149487, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093647161 ecr 0,sackOK,eol], length 0
22:45:18.377763 IP 23951912052447552280 > 10.8.0.2: ICMP host 10.10.34.36 unreachable - admin prohibited, length 72
22:45:18.696580 IP 10.8.0.2.63499 > one.one.one.one.domain: 6966+ PTR? lb._dns-sd._udp.0.1.168.192.in-addr.arpa. (58)
22:45:18.696675 IP 10.8.0.2.52330 > one.one.one.one.domain: 36750+ PTR? lb._dns-sd._udp.0.0.8.10.in-addr.arpa. (55)
22:45:18.696711 IP 10.8.0.2.53067 > 91.108.56.111.https: Flags [SEW], seq 2427387506, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093647537 ecr 0,sackOK,eol], length 0
22:45:18.696749 IP 10.8.0.2.53070 > 91.108.56.111.http: Flags [SEW], seq 1261704993, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093647538 ecr 0,sackOK,eol], length 0
22:45:18.696784 IP 10.8.0.2.53073 > 10.10.34.36.https: Flags [SEW], seq 3210044483, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093647568 ecr 0,sackOK,eol], length 0
22:45:18.719281 IP 10.8.0.2.53074 > any-in-2678.1e100.net.https: Flags [SEW], seq 1411185388, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093647733 ecr 0,sackOK,eol], length 0
22:45:19.632625 IP 10.8.0.2.53066 > ams15s21-in-f138.1e100.net.https: Flags [S], seq 3014126703, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093647947 ecr 0,sackOK,eol], length 0
22:45:19.632682 IP 23951912052447552280 > 10.8.0.2: ICMP host ams15s21-in-f138.1e100.net unreachable - admin prohibited, length 72
22:45:19.632701 IP 10.8.0.2.51262 > 239.255.255.250.ssdp: UDP, length 176
22:45:19.632719 IP 10.8.0.2.52870 > one.one.one.one.domain: 14412+ PTR? 100.1.168.192.in-addr.arpa. (44)
22:45:19.632759 IP 10.8.0.2.53075 > any-in-2678.1e100.net.https: Flags [SEW], seq 2289735527, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093648525 ecr 0,sackOK,eol], length 0
22:45:19.632782 IP 10.8.0.2.59793 > one.one.one.one.domain: 51359+ A? www.apple.com. (31)
22:45:19.632803 IP 10.8.0.2.51573 > one.one.one.one.domain: 20437+ A? 1-courier.push.apple.com. (42)
22:45:19.632823 IP 10.8.0.2.53960 > one.one.one.one.domain: 21369+ A? api.apple-cloudkit.com. (40)
22:45:19.632843 IP 10.8.0.2.50532 > one.one.one.one.domain: 26438+ A? configuration.ls.apple.com. (44)
22:45:19.632863 IP 10.8.0.2.51882 > one.one.one.one.domain: 37097+ A? 1-courier.sandbox.push.apple.com. (50)
22:45:19.632883 IP 10.8.0.2.54112 > one.one.one.one.domain: 40715+ A? www.madrau.com. (32)
22:45:19.632903 IP 10.8.0.2.56939 > one.one.one.one.domain: 20658+ A? radarsubmissions.apple.com. (44)
22:45:19.632923 IP 10.8.0.2.62667 > one.one.one.one.domain: 22009+ A? init.push.apple.com. (37)
22:45:19.632943 IP 10.8.0.2.49661 > one.one.one.one.domain: 30889+ A? self.events.data.microsoft.com. (48)
22:45:19.632963 IP 10.8.0.2.53067 > 91.108.56.111.https: Flags [S], seq 2427387506, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093648537 ecr 0,sackOK,eol], length 0
22:45:19.738242 IP 10.8.0.2.53074 > any-in-2678.1e100.net.https: Flags [S], seq 1411185388, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093648733 ecr 0,sackOK,eol], length 0
22:45:19.810583 IP 10.8.0.2.53076 > ams15s22-in-f170.1e100.net.https: Flags [SEW], seq 2352629644, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093648803 ecr 0,sackOK,eol], length 0
22:45:20.026331 IP 10.8.0.2.51262 > 239.255.255.250.ssdp: UDP, length 176
22:45:20.029851 IP 10.8.0.2.59809 > one.one.one.one.domain: 60079+ A? mtalk.google.com. (34)
22:45:20.321839 IP 10.8.0.2.51039 > one.one.one.one.domain: 27155+ A? www.google.ru. (31)
22:45:20.330333 IP 10.8.0.2.50375 > one.one.one.one.domain: 7439+ A? ident.me. (26)
22:45:20.370704 IP 10.8.0.2.63499 > one.one.one.one.domain: 6966+ PTR? lb._dns-sd._udp.0.1.168.192.in-addr.arpa. (58)
22:45:20.370763 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 94
It goes on like this forever.
Answer 1
On closer inspection of the iptables output, I see that the OpenVPN rules for (tun0) are not applied at all. Applying them manually solved the problem. The rules are as follows:
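The capture above is long, and the diagnostic signal in it is small: the client sends DNS queries and TCP SYNs into the tunnel, and the server answers some of them with ICMP "host unreachable - admin prohibited", which is exactly what an iptables REJECT with icmp-host-prohibited (the rule at the end of the FORWARD chain in the listing above) sends back. The following script is an added example, not part of the original post, that reduces a tun0 capture to the two lists a defender wants first: hosts the client attempted to reach, and hosts the server's firewall rejected. The sample capture inside it is constructed in the shape of the poster's output; "vpn-server" stands in for the server's own address.

```shell
#!/bin/sh
# Triage helper for a tcpdump capture taken on the VPN server's tun interface.
# Added example, not the poster's code. Reads tcpdump text on stdin.

# Constructed sample in the shape of the poster's capture ("vpn-server" is a
# placeholder for the server's own address, not a real host name).
SAMPLE_CAPTURE='22:45:16.360934 IP 10.8.0.2.63499 > one.one.one.one.domain: 6966+ PTR? lb._dns-sd._udp.0.1.168.192.in-addr.arpa. (58)
22:45:16.360982 IP vpn-server > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 94
22:45:17.132382 IP 10.8.0.2.53065 > 10.10.34.36.https: Flags [S], seq 3781149487, win 65535, length 0
22:45:18.377763 IP vpn-server > 10.8.0.2: ICMP host 10.10.34.36 unreachable - admin prohibited, length 72
22:45:19.632625 IP 10.8.0.2.53066 > ams15s21-in-f138.1e100.net.https: Flags [S], seq 3014126703, win 65535, length 0
22:45:19.632682 IP vpn-server > 10.8.0.2: ICMP host ams15s21-in-f138.1e100.net unreachable - admin prohibited, length 72'

# Destinations the VPN client ($1, e.g. 10.8.0.2) tried to reach, deduplicated.
# tcpdump prints "src.port > dst.port:"; the port or service name is stripped.
attempted_hosts() {
    awk -v client="$1" '$2 == "IP" && index($3, client ".") == 1 {
             dst = $5
             sub(/:$/, "", dst)          # drop the trailing colon
             sub(/\.[^.]*$/, "", dst)    # drop the port / service suffix
             print dst
         }' | sort -u
}

# Hosts for which the server replied with ICMP "admin prohibited", with a count
# of how many replies each one got.
rejected_hosts() {
    awk '/ICMP host .* unreachable - admin prohibited/ {
             for (i = 1; i <= NF; i++) if ($i == "host") count[$(i + 1)]++
         }
         END { for (h in count) print h, count[h] }' | sort
}

# "firewall-reject" when at least one admin-prohibited reply was seen,
# otherwise "no-reject" (then look elsewhere: routing, NAT, DNS).
verdict() {
    if rejected_hosts | grep -q .; then echo firewall-reject; else echo no-reject; fi
}

# Human-readable summary of a capture read from stdin.
summarize() {
    capture="$(cat)"
    printf 'attempted:\n%s\n' "$(printf '%s\n' "$capture" | attempted_hosts 10.8.0.2)"
    printf 'rejected (host count):\n%s\n' "$(printf '%s\n' "$capture" | rejected_hosts)"
    printf 'verdict: %s\n' "$(printf '%s\n' "$capture" | verdict)"
}

# Stand-alone run over the constructed sample. For a live capture, pipe
# "tcpdump -i tun0 -l" into summarize instead.
printf '%s\n' "$SAMPLE_CAPTURE" | summarize
```

On the poster's capture every rejected host is one the client reached through the tunnel, and the counters on the FORWARD chain's REJECT rule (7790 packets) grow at the same time, which is the cross-check that ties the symptom to the firewall rather than to stunnel or OpenVPN.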
/etc/iptables/add-openvpn-rules.sh
and the contents are
iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o ens160 -j MASQUERADE
iptables -I INPUT 1 -i tun0 -j ACCEPT
iptables -I FORWARD 1 -i ens160 -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o ens160 -j ACCEPT
So I did:
sh /etc/iptables/add-openvpn-rules.sh
for now.
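Running the answer's script by hand works once, but each further run (after a reboot, or after firewalld reloads its chains) inserts a second copy of every rule, and nothing tells you whether the rules are currently in place. The script below is an added example, not the poster's script: it keeps the answer's four rules with the same names (subnet 10.8.0.0/24, WAN interface ens160, tunnel tun0, all overridable through environment variables), but tests each rule with iptables -C before inserting it, and offers a check mode that reports which rules are missing. One deliberate tightening of the answer's rules, labelled as such: the ens160 -> tun0 FORWARD rule only accepts RELATED,ESTABLISHED traffic, so only replies to connections the VPN client opened are forwarded back into the tunnel.

```shell
#!/bin/sh
# Idempotent replacement for the answer's add-openvpn-rules.sh (added example,
# not the poster's script). Usage: sh add-openvpn-rules.sh check|apply
# Assumed defaults match the answer; override with OVPN_NET, WAN_IF, TUN_IF.

# One rule spec per line: table, chain, then the match/target arguments.
openvpn_rule_specs() {
    net="${OVPN_NET:-10.8.0.0/24}"
    wan="${WAN_IF:-ens160}"
    tun="${TUN_IF:-tun0}"
    printf '%s\n' \
        "nat POSTROUTING -s $net -o $wan -j MASQUERADE" \
        "filter INPUT -i $tun -j ACCEPT" \
        "filter FORWARD -i $wan -o $tun -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
        "filter FORWARD -i $tun -o $wan -j ACCEPT"
}

# 0 when the rule is present, non-zero when missing (iptables -C semantics).
# $1 table, $2 chain, $3 remaining arguments; word-splitting of $3 is intended.
rule_present() {
    # shellcheck disable=SC2086
    iptables -t "$1" -C "$2" $3 2>/dev/null
}

# Print every spec missing from the running firewall; return 1 if any is.
check_openvpn_rules() {
    missing=0
    while read -r table chain rest; do
        if ! rule_present "$table" "$chain" "$rest"; then
            echo "missing: -t $table $chain $rest"
            missing=1
        fi
    done <<EOF
$(openvpn_rule_specs)
EOF
    return $missing
}

# Insert each missing rule at position 1 so it is evaluated before firewalld's
# zone chains, whose trailing REJECT was winning in the answer. Needs root.
apply_openvpn_rules() {
    while read -r table chain rest; do
        if ! rule_present "$table" "$chain" "$rest"; then
            # shellcheck disable=SC2086
            iptables -t "$table" -I "$chain" 1 $rest
        fi
    done <<EOF
$(openvpn_rule_specs)
EOF
}

case "${1:-}" in
    apply) apply_openvpn_rules ;;
    check) check_openvpn_rules ;;
    *)     echo "usage: $0 check|apply   (rules managed:)"; openvpn_rule_specs ;;
esac
```

Running it in check mode from a cron job or a systemd timer gives the early warning the poster lacked: the moment firewalld rewrites the chains, the missing rules are reported instead of surfacing later as "the VPN connects but nothing loads". With iptables -I at position 1 the rules still sit above firewalld's zone logic, which is the answer's working arrangement; a cleaner long-term fix is to express the same policy as firewalld direct rules or zones so a reload keeps it.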