
I have configured
stunnel on the server
pid = /var/run/stunnel4/stunnel.pid
output = /var/log/stunnel4/stunnel.log
setuid = root
setgid = root
[openvpn]
cert=/etc/stunnel/cert.pem
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
sslVersion = TLSv1.2
key=/etc/stunnel/key.pem
accept = 0.0.0.0:8080
connect = 127.0.0.1:1194
stunnel on the client
output = /Volumes/HDD/Users/steve/Desktop/stunnel/stunnel.log
pid = /Volumes/HDD/Users/steve/Desktop/stunnel/stunnel.pid
client = yes
[openvpn]
sni = www.bing.com
accept = 127.0.0.1:1194
connect = 23.95.191.205:8080
And before connecting through OpenVPN, I add the IP to the gateway using (on macOS)
sudo route -n add -net 23.95.191.254/27 192.168.1.1
sudo route -n add -net 23.95.191.205/27 192.168.1.1
Then I press the connect button in OpenVPN (which is configured to use 127.0.0.1 instead of the server's public IP), and it connects (very quickly, with no problems, and it connects every time I try):
But I can't load any website!
Here are the stunnel logs on the server.
2022.12.14 22:43:03 LOG5[27948:140462685611776]: Service [openvpn] accepted connection from 78.39.186.44:52571
2022.12.14 22:43:03 LOG5[27948:140462685611776]: connect_blocking: connected 127.0.0.1:1194
2022.12.14 22:43:03 LOG5[27948:140462685611776]: Service [openvpn] connected remote server from 127.0.0.1:46476
and on the client
2022.12.15 02:13:03 LOG5[29]: Service [openvpn] accepted connection from 127.0.0.1:52570
2022.12.15 02:13:03 LOG5[29]: s_connect: connected 23.95.191.205:8080
2022.12.15 02:13:03 LOG5[29]: Service [openvpn] connected remote server from 192.168.1.100:52571
Here are the iptables rules.
iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
76 3114 udp2rawDwrW_46cc7010_C0 icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
285K 295M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
802 48092 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4239 300K INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4239 300K INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
4239 300K INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
399 18215 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
1640 150K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
19 1596 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
7791 506K FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
7791 506K FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
7791 506K FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
7790 506K FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
7790 506K FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
7790 506K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 ACCEPT all -- wg0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * wg0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 1709 packets, 212K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68
36495 6037K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
169K 278M OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public all -- ens160 * 0.0.0.0/0 0.0.0.0/0 [goto]
7791 506K FWDI_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
7790 506K FWDO_public all -- * ens160 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDO_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_direct (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public (2 references)
pkts bytes target prot opt in out source destination
7791 506K FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
7791 506K FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
7791 506K FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
1 84 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public (2 references)
pkts bytes target prot opt in out source destination
7790 506K FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
7790 506K FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
7790 506K FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 10.66.66.0/24 0.0.0.0/0 ctstate NEW,UNTRACKED
Chain FWDO_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
4216 297K IN_public all -- ens160 * 0.0.0.0/0 0.0.0.0/0 [goto]
23 2734 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public (2 references)
pkts bytes target prot opt in out source destination
4239 300K IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
4239 300K IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
4239 300K IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
175 10260 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
1018 61136 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:22 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW,UNTRACKED
44 2804 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6969 ctstate NEW,UNTRACKED
434 25940 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:81 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5903 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6980 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6981 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6982 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:82 ctstate NEW,UNTRACKED
53 2996 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW,UNTRACKED
1 64 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:75 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:76 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:77 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:78 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:90 ctstate NEW,UNTRACKED
375 22484 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2086 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2095 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:202 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:208 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2082 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2052 ctstate NEW,UNTRACKED
100 6252 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8880 ctstate NEW,UNTRACKED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:64731 ctstate NEW,UNTRACKED
Chain IN_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain udp2rawDwrW_46cc7010_C0 (1 references)
pkts bytes target prot opt in out source destination
76 3114 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
And here is the output of tcpdump -i tun0
before connecting to OpenVPN:
tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
And here it is after connecting to it:
tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
22:45:16.360934 IP 10.8.0.2.63499 > one.one.one.one.domain: 6966+ PTR? lb._dns-sd._udp.0.1.168.192.in-addr.arpa. (58)
22:45:16.360982 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 94
22:45:16.361002 IP 10.8.0.2.53716 > one.one.one.one.domain: 47471+ PTR? 100.1.168.192.in-addr.arpa. (44)
22:45:16.361018 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 80
22:45:16.362743 IP 10.8.0.2.52330 > one.one.one.one.domain: 36750+ PTR? lb._dns-sd._udp.0.0.8.10.in-addr.arpa. (55)
22:45:16.362766 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 91
22:45:16.365807 IP 10.8.0.2.63499 > one.one.one.one.domain: 6966+ PTR? lb._dns-sd._udp.0.1.168.192.in-addr.arpa. (58)
22:45:16.365834 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 94
22:45:16.365852 IP 10.8.0.2.53716 > one.one.one.one.domain: 47471+ PTR? 100.1.168.192.in-addr.arpa. (44)
22:45:16.365868 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 80
22:45:16.368288 IP 10.8.0.2.52330 > one.one.one.one.domain: 36750+ PTR? lb._dns-sd._udp.0.0.8.10.in-addr.arpa. (55)
22:45:16.368318 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 91
22:45:16.370302 IP 10.8.0.2.52870 > one.one.one.one.domain: 14412+ PTR? 100.1.168.192.in-addr.arpa. (44)
22:45:16.523890 IP 10.8.0.2.60316 > one.one.one.one.domain: 45399+ A? gsp64-ssl.ls.apple.com. (40)
22:45:16.523967 IP 10.8.0.2.59793 > one.one.one.one.domain: 51359+ A? www.apple.com. (31)
22:45:16.524013 IP 10.8.0.2.51573 > one.one.one.one.domain: 20437+ A? 1-courier.push.apple.com. (42)
22:45:16.525081 IP 10.8.0.2.53960 > one.one.one.one.domain: 21369+ A? api.apple-cloudkit.com. (40)
22:45:16.527192 IP 10.8.0.2.50532 > one.one.one.one.domain: 26438+ A? configuration.ls.apple.com. (44)
22:45:16.529435 IP 10.8.0.2.51882 > one.one.one.one.domain: 37097+ A? 1-courier.sandbox.push.apple.com. (50)
22:45:16.531746 IP 10.8.0.2.53059 > 91.108.56.111.https: Flags [SEW], seq 338450811, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093645577 ecr 0,sackOK,eol], length 0
22:45:16.533099 IP 10.8.0.2.54112 > one.one.one.one.domain: 40715+ A? www.madrau.com. (32)
22:45:16.535849 IP 10.8.0.2.53062 > 91.108.56.111.http: Flags [SEW], seq 2456034833, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093645578 ecr 0,sackOK,eol], length 0
22:45:16.713073 IP 10.8.0.2.56939 > one.one.one.one.domain: 20658+ A? radarsubmissions.apple.com. (44)
22:45:16.713127 IP 10.8.0.2.62667 > one.one.one.one.domain: 22009+ A? init.push.apple.com. (37)
22:45:17.028509 IP 10.8.0.2.51262 > 239.255.255.250.ssdp: UDP, length 176
22:45:17.028544 IP 10.8.0.2.59809 > one.one.one.one.domain: 60079+ A? mtalk.google.com. (34)
22:45:17.132382 IP 10.8.0.2.53065 > 10.10.34.36.https: Flags [SEW], seq 3781149487, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093646161 ecr 0,sackOK,eol], length 0
22:45:17.367617 IP 10.8.0.2.63499 > one.one.one.one.domain: 6966+ PTR? lb._dns-sd._udp.0.1.168.192.in-addr.arpa. (58)
22:45:17.367668 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 94
22:45:17.367688 IP 10.8.0.2.52330 > one.one.one.one.domain: 36750+ PTR? lb._dns-sd._udp.0.0.8.10.in-addr.arpa. (55)
22:45:17.369552 IP 10.8.0.2.52870 > one.one.one.one.domain: 14412+ PTR? 100.1.168.192.in-addr.arpa. (44)
22:45:17.725973 IP 10.8.0.2.59793 > one.one.one.one.domain: 51359+ A? www.apple.com. (31)
22:45:17.726030 IP 10.8.0.2.51573 > one.one.one.one.domain: 20437+ A? 1-courier.push.apple.com. (42)
22:45:17.726055 IP 10.8.0.2.53960 > one.one.one.one.domain: 21369+ A? api.apple-cloudkit.com. (40)
22:45:17.726079 IP 10.8.0.2.50532 > one.one.one.one.domain: 26438+ A? configuration.ls.apple.com. (44)
22:45:17.726103 IP 10.8.0.2.51882 > one.one.one.one.domain: 37097+ A? 1-courier.sandbox.push.apple.com. (50)
22:45:17.726126 IP 10.8.0.2.54112 > one.one.one.one.domain: 40715+ A? www.madrau.com. (32)
22:45:17.726174 IP 10.8.0.2.56939 > one.one.one.one.domain: 20658+ A? radarsubmissions.apple.com. (44)
22:45:17.726200 IP 10.8.0.2.62667 > one.one.one.one.domain: 22009+ A? init.push.apple.com. (37)
22:45:17.726224 IP 10.8.0.2.53059 > 91.108.56.111.https: Flags [S], seq 338450811, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093646577 ecr 0,sackOK,eol], length 0
22:45:17.726249 IP 10.8.0.2.53062 > 91.108.56.111.http: Flags [S], seq 2456034833, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093646578 ecr 0,sackOK,eol], length 0
22:45:17.922321 IP 10.8.0.2.53066 > ams15s21-in-f138.1e100.net.https: Flags [SEW], seq 3014126703, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093646947 ecr 0,sackOK,eol], length 0
22:45:18.203016 IP 10.8.0.2.51262 > 239.255.255.250.ssdp: UDP, length 176
22:45:18.203060 IP 10.8.0.2.59809 > one.one.one.one.domain: 60079+ A? mtalk.google.com. (34)
22:45:18.377713 IP 10.8.0.2.53065 > 10.10.34.36.https: Flags [S], seq 3781149487, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093647161 ecr 0,sackOK,eol], length 0
22:45:18.377763 IP 23951912052447552280 > 10.8.0.2: ICMP host 10.10.34.36 unreachable - admin prohibited, length 72
22:45:18.696580 IP 10.8.0.2.63499 > one.one.one.one.domain: 6966+ PTR? lb._dns-sd._udp.0.1.168.192.in-addr.arpa. (58)
22:45:18.696675 IP 10.8.0.2.52330 > one.one.one.one.domain: 36750+ PTR? lb._dns-sd._udp.0.0.8.10.in-addr.arpa. (55)
22:45:18.696711 IP 10.8.0.2.53067 > 91.108.56.111.https: Flags [SEW], seq 2427387506, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093647537 ecr 0,sackOK,eol], length 0
22:45:18.696749 IP 10.8.0.2.53070 > 91.108.56.111.http: Flags [SEW], seq 1261704993, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093647538 ecr 0,sackOK,eol], length 0
22:45:18.696784 IP 10.8.0.2.53073 > 10.10.34.36.https: Flags [SEW], seq 3210044483, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093647568 ecr 0,sackOK,eol], length 0
22:45:18.719281 IP 10.8.0.2.53074 > any-in-2678.1e100.net.https: Flags [SEW], seq 1411185388, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093647733 ecr 0,sackOK,eol], length 0
22:45:19.632625 IP 10.8.0.2.53066 > ams15s21-in-f138.1e100.net.https: Flags [S], seq 3014126703, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093647947 ecr 0,sackOK,eol], length 0
22:45:19.632682 IP 23951912052447552280 > 10.8.0.2: ICMP host ams15s21-in-f138.1e100.net unreachable - admin prohibited, length 72
22:45:19.632701 IP 10.8.0.2.51262 > 239.255.255.250.ssdp: UDP, length 176
22:45:19.632719 IP 10.8.0.2.52870 > one.one.one.one.domain: 14412+ PTR? 100.1.168.192.in-addr.arpa. (44)
22:45:19.632759 IP 10.8.0.2.53075 > any-in-2678.1e100.net.https: Flags [SEW], seq 2289735527, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093648525 ecr 0,sackOK,eol], length 0
22:45:19.632782 IP 10.8.0.2.59793 > one.one.one.one.domain: 51359+ A? www.apple.com. (31)
22:45:19.632803 IP 10.8.0.2.51573 > one.one.one.one.domain: 20437+ A? 1-courier.push.apple.com. (42)
22:45:19.632823 IP 10.8.0.2.53960 > one.one.one.one.domain: 21369+ A? api.apple-cloudkit.com. (40)
22:45:19.632843 IP 10.8.0.2.50532 > one.one.one.one.domain: 26438+ A? configuration.ls.apple.com. (44)
22:45:19.632863 IP 10.8.0.2.51882 > one.one.one.one.domain: 37097+ A? 1-courier.sandbox.push.apple.com. (50)
22:45:19.632883 IP 10.8.0.2.54112 > one.one.one.one.domain: 40715+ A? www.madrau.com. (32)
22:45:19.632903 IP 10.8.0.2.56939 > one.one.one.one.domain: 20658+ A? radarsubmissions.apple.com. (44)
22:45:19.632923 IP 10.8.0.2.62667 > one.one.one.one.domain: 22009+ A? init.push.apple.com. (37)
22:45:19.632943 IP 10.8.0.2.49661 > one.one.one.one.domain: 30889+ A? self.events.data.microsoft.com. (48)
22:45:19.632963 IP 10.8.0.2.53067 > 91.108.56.111.https: Flags [S], seq 2427387506, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093648537 ecr 0,sackOK,eol], length 0
22:45:19.738242 IP 10.8.0.2.53074 > any-in-2678.1e100.net.https: Flags [S], seq 1411185388, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093648733 ecr 0,sackOK,eol], length 0
22:45:19.810583 IP 10.8.0.2.53076 > ams15s22-in-f170.1e100.net.https: Flags [SEW], seq 2352629644, win 65535, options [mss 1359,nop,wscale 6,nop,nop,TS val 1093648803 ecr 0,sackOK,eol], length 0
22:45:20.026331 IP 10.8.0.2.51262 > 239.255.255.250.ssdp: UDP, length 176
22:45:20.029851 IP 10.8.0.2.59809 > one.one.one.one.domain: 60079+ A? mtalk.google.com. (34)
22:45:20.321839 IP 10.8.0.2.51039 > one.one.one.one.domain: 27155+ A? www.google.ru. (31)
22:45:20.330333 IP 10.8.0.2.50375 > one.one.one.one.domain: 7439+ A? ident.me. (26)
22:45:20.370704 IP 10.8.0.2.63499 > one.one.one.one.domain: 6966+ PTR? lb._dns-sd._udp.0.1.168.192.in-addr.arpa. (58)
22:45:20.370763 IP 23951912052447552280 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 94
It goes on forever.
Answer 1
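As an added diagnostic example (not code from the original question), here is a small POSIX shell helper that reads a capture like the one above and separates the ICMP "admin prohibited" replies, which a firewall REJECT rule such as the icmp-host-prohibited REJECT in the server's FORWARD chain generates, from flows that merely got no answer. The sample lines are constructed in the shape of the capture, and the replying address 10.8.0.1 is an assumed server-side tun0 address, not a value from the post.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the original post. It reads the
# one-line tcpdump output shown above and separates flows that came back
# "admin prohibited" (an ICMP reject generated by a firewall REJECT rule,
# such as the icmp-host-prohibited REJECT in the server's FORWARD chain)
# from flows that simply got no answer.

# Constructed sample in the shape of the post's capture (not real traffic).
# The replying address 10.8.0.1 is an assumed server-side tun0 address.
SAMPLE_CAPTURE='22:45:16.360934 IP 10.8.0.2.63499 > one.one.one.one.domain: 6966+ PTR? lb._dns-sd._udp.0.1.168.192.in-addr.arpa. (58)
22:45:16.360982 IP 10.8.0.1 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 94
22:45:17.132382 IP 10.8.0.2.53065 > 10.10.34.36.https: Flags [SEW], seq 3781149487, win 65535, length 0
22:45:18.377763 IP 10.8.0.1 > 10.8.0.2: ICMP host 10.10.34.36 unreachable - admin prohibited, length 72
22:45:19.632682 IP 10.8.0.1 > 10.8.0.2: ICMP host ams15s21-in-f138.1e100.net unreachable - admin prohibited, length 72
22:45:20.370763 IP 10.8.0.1 > 10.8.0.2: ICMP host one.one.one.one unreachable - admin prohibited, length 94'

# Number of "admin prohibited" ICMP replies in a capture read from stdin.
count_admin_prohibited() {
    grep -c 'unreachable - admin prohibited' || true
}

# Hosts the firewall refused, one "count host" line each, most frequent first.
rejected_hosts() {
    awk '/unreachable - admin prohibited/ {
             for (i = 1; i <= NF; i++) if ($i == "host") hosts[$(i + 1)]++
         }
         END { for (h in hosts) print hosts[h], h }' | sort -rn
}

# One-line verdict: rejects mean the packets reached a filtering hop and
# were refused there (check the server's FORWARD rules for tun0); none
# means the fault lies elsewhere (routing, NAT, DNS).
diagnose() {
    n=$(count_admin_prohibited)
    if [ "$n" -gt 0 ]; then
        echo "firewall-reject: $n admin-prohibited replies; check FORWARD rules for tun0 on the server"
    else
        echo "no-reject: no admin-prohibited replies; check routing, NAT and DNS instead"
    fi
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_CAPTURE" | rejected_hosts
printf '%s\n' "$SAMPLE_CAPTURE" | diagnose
```

On a real capture, feed `tcpdump -ni tun0` output into `diagnose` (or a saved text file via redirection); an "admin prohibited" reply for every new flow, as in the capture above, points at a REJECT rule on the path rather than at a routing or DNS fault.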
Checking the iptables output more carefully, I see that the openvpn rules for (tun0) are not applied at all; applying them manually solved the problem. The rules are in:
/etc/iptables/add-openvpn-rules.sh
and the content is
# NAT the VPN subnet out of the WAN interface
iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o ens160 -j MASQUERADE
# accept traffic arriving on the tunnel device
iptables -I INPUT 1 -i tun0 -j ACCEPT
# forward in both directions between the tunnel and the WAN interface
iptables -I FORWARD 1 -i ens160 -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o ens160 -j ACCEPT
So I did:
sh /etc/iptables/add-openvpn-rules.sh
for now.
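As an added example (not the answer's own script), the same four rules wrapped so they can be re-applied safely: `missing_rules` reports which of them an iptables-save dump lacks, and `apply_missing_rules` inserts only the absent ones on a live host, using `iptables -C` as the check. The interface and subnet values (ens160, 10.8.0.0/24, tun0) are taken from the answer's script and can be overridden through the environment; the iptables-save dump in the block is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original answer: make the four rules from
# /etc/iptables/add-openvpn-rules.sh idempotent, so the script can run at
# every boot or after a firewall reload without stacking duplicates, and
# report which rules a firewall dump is missing.
# Assumed values (override via environment): WAN interface ens160, VPN
# subnet 10.8.0.0/24, tunnel device tun0, as in the answer's script.

WAN_IF="${WAN_IF:-ens160}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
TUN_IF="${TUN_IF:-tun0}"

# The rules as "<table> <chain> <spec>", one per line, same as the script.
openvpn_rules() {
    cat <<EOF
nat POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
filter INPUT -i $TUN_IF -j ACCEPT
filter FORWARD -i $WAN_IF -o $TUN_IF -j ACCEPT
filter FORWARD -i $TUN_IF -o $WAN_IF -j ACCEPT
EOF
}

# Constructed iptables-save dump for offline use: the three filter rules
# are present but the NAT rule is not (a plausible "half-applied" state).
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o ens160 -j ACCEPT
-A FORWARD -i ens160 -o tun0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Print each rule absent from an iptables-save dump read on stdin.
# iptables-save writes a rule as "-A <chain> <spec>" under "*<table>";
# exact text matching is enough for the dump above, but on a live host
# prefer "iptables -C", which understands equivalent spellings.
missing_rules() {
    dump=$(cat)
    openvpn_rules | while read -r table chain spec; do
        if ! printf '%s\n' "$dump" | awk -v t="*$table" -v want="-A $chain $spec" '
                $0 == t                { in_table = 1; next }
                /^\*/                  { in_table = 0 }
                in_table && $0 == want { found = 1 }
                END                    { exit found ? 0 : 1 }'; then
            echo "$table $chain $spec"
        fi
    done
}

# Insert only the rules the kernel does not already have (run as root),
# then make sure forwarding is on, or the FORWARD rules never see a packet.
apply_missing_rules() {
    openvpn_rules | while read -r table chain spec; do
        # $spec is intentionally unquoted so it word-splits into arguments.
        if ! iptables -t "$table" -C "$chain" $spec 2>/dev/null; then
            iptables -t "$table" -I "$chain" 1 $spec
        fi
    done
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || sysctl -w net.ipv4.ip_forward=1
}

# Stand-alone: report against the constructed dump; pass "apply" to fix a live host.
printf '%s\n' "$SAMPLE_DUMP" | missing_rules
if [ "${1:-}" = "apply" ]; then
    apply_missing_rules
fi
```

Run it without arguments to see the report for the constructed dump, or as root with the argument `apply` on the server. The chain names in the `iptables -vnL` output above (INPUT_direct, IN_public, FWDI_public) are firewalld's, and rules inserted by hand with iptables do not survive a firewalld reload, which is one plausible reason the script's rules were absent; keeping them in firewalld's own configuration, or re-running an idempotent script like this one after each reload, avoids that.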