Windows 10 OpenVPN 用戶端可以連線但無法存取任何內容

tag-icon tag-icon openvpn windows-10
Windows 10 OpenVPN 用戶端可以連線但無法存取任何內容

我的 OpenVPN 伺服器在 Windows 2012 伺服器上運作。它工作得很好,我可以從我的 iPhone 和 iPad 連接到 VPN,我的所有網路流量都透過 VPN 路由,並且我可以使用 iOS 遠端桌面應用程式遠端存取我的網路上的裝置。

我在 Windows 10 筆記型電腦上安裝了 OpenVPN 應用程序,其客戶端設定檔與 iOS 裝置相同,雖然它允許我進行連接,但我無法存取互聯網或 LAN 上的任何裝置。

看起來 DNS 正在工作,因為當我嘗試 ping 網域時,它解析了 IP,但隨後出現請求逾時。

我甚至無法 ping VPN 網關 10.8.0.1。

這是我的伺服器配置:

port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
push "redirect-gateway local def1"
push "dhcp-option DNS 8.8.8.8"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
ca "C:\\Program Files (x86)\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files (x86)\\OpenVPN\\config\\server.crt"
key "C:\\Program Files (x86)\\OpenVPN\\config\\server.key"
dh "C:\\Program Files (x86)\\OpenVPN\\config\\dh1024.pem"

這是我的客戶端配置:

client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3

這是我最近連線的日誌:

Mon Jan 16 13:45:08 2017 OpenVPN 2.4.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 27 2016
Mon Jan 16 13:45:08 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Mon Jan 16 13:45:08 2017 library versions: OpenSSL 1.0.2i  22 Sep 2016, LZO 2.09
Enter Management Password:
Mon Jan 16 13:45:08 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Jan 16 13:45:08 2017 Need hold release from management interface, waiting...
Mon Jan 16 13:45:09 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Mon Jan 16 13:45:09 2017 MANAGEMENT: CMD 'state on'
Mon Jan 16 13:45:09 2017 MANAGEMENT: CMD 'log all on'
Mon Jan 16 13:45:09 2017 MANAGEMENT: CMD 'hold off'
Mon Jan 16 13:45:09 2017 MANAGEMENT: CMD 'hold release'
Mon Jan 16 13:45:09 2017 MANAGEMENT: >STATE:1484574309,RESOLVE,,,,,,
Mon Jan 16 13:45:09 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
Mon Jan 16 13:45:09 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Jan 16 13:45:09 2017 UDP link local: (not bound)
Mon Jan 16 13:45:09 2017 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Mon Jan 16 13:45:09 2017 MANAGEMENT: >STATE:1484574309,WAIT,,,,,,
Mon Jan 16 13:45:09 2017 MANAGEMENT: >STATE:1484574309,AUTH,,,,,,
Mon Jan 16 13:45:09 2017 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=153bc069 fc314ff6
Mon Jan 16 13:45:10 2017 VERIFY OK: depth=1, C=UK, ST=...
Mon Jan 16 13:45:10 2017 VERIFY OK: nsCertType=SERVER
Mon Jan 16 13:45:10 2017 VERIFY OK: depth=0, C=UK, ST=...
Mon Jan 16 13:45:10 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Jan 16 13:45:10 2017 [server] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:1194
Mon Jan 16 13:45:11 2017 MANAGEMENT: >STATE:1484574311,GET_CONFIG,,,,,,
Mon Jan 16 13:45:11 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Jan 16 13:45:11 2017 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,redirect-gateway local def1,dhcp-option DNS 8.8.8.8,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Mon Jan 16 13:45:11 2017 OPTIONS IMPORT: timers and/or timeouts modified
Mon Jan 16 13:45:11 2017 OPTIONS IMPORT: --ifconfig/up options modified
Mon Jan 16 13:45:11 2017 OPTIONS IMPORT: route options modified
Mon Jan 16 13:45:11 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Jan 16 13:45:11 2017 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jan 16 13:45:11 2017 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Mon Jan 16 13:45:11 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jan 16 13:45:11 2017 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jan 16 13:45:11 2017 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Mon Jan 16 13:45:11 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jan 16 13:45:11 2017 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Mon Jan 16 13:45:11 2017 interactive service msg_channel=536
Mon Jan 16 13:45:11 2017 ROUTE_GATEWAY 172.20.10.1/255.255.255.240 I=12 HWADDR=14:10:9f:ce:13:73
Mon Jan 16 13:45:11 2017 open_tun
Mon Jan 16 13:45:11 2017 TAP-WIN32 device [Ethernet 4] opened: \\.\Global\{27AC27A1-A13C-4E12-B90F-C2797B3E8157}.tap
Mon Jan 16 13:45:11 2017 TAP-Windows Driver Version 9.21 
Mon Jan 16 13:45:11 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {27AC27A1-A13C-4E12-B90F-C2797B3E8157} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Mon Jan 16 13:45:11 2017 Successful ARP Flush on interface [6] {27AC27A1-A13C-4E12-B90F-C2797B3E8157}
Mon Jan 16 13:45:11 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Jan 16 13:45:11 2017 MANAGEMENT: >STATE:1484574311,ASSIGN_IP,,10.8.0.6,,,,
Mon Jan 16 13:45:16 2017 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
Mon Jan 16 13:45:16 2017 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Mon Jan 16 13:45:16 2017 Route addition via service succeeded
Mon Jan 16 13:45:16 2017 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Mon Jan 16 13:45:16 2017 Route addition via service succeeded
Mon Jan 16 13:45:16 2017 MANAGEMENT: >STATE:1484574316,ADD_ROUTES,,,,,,
Mon Jan 16 13:45:16 2017 C:\WINDOWS\system32\route.exe ADD 192.168.0.0 MASK 255.255.255.0 10.8.0.5
Mon Jan 16 13:45:16 2017 Route addition via service succeeded
Mon Jan 16 13:45:16 2017 C:\WINDOWS\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.5
Mon Jan 16 13:45:16 2017 Route addition via service succeeded
Mon Jan 16 13:45:16 2017 Initialization Sequence Completed
Mon Jan 16 13:45:16 2017 MANAGEMENT: >STATE:1484574316,CONNECTED,SUCCESS,10.8.0.6,xxx.xxx.xxx.xxx,1194,,

有什麼想法從哪裡開始嗎?

答案1

請問您能否顯示 Windows 10 用戶端連線時的路由表?

C:\> route print

根據用戶端日誌,OpenVPN用戶端沒有透過原先的預設閘道(連線建立前使用的閘道)新增至OpenVPN伺服器的靜態路由。這會阻止 OpenVPN 用戶端封包到達伺服器,因為沒有到伺服器的路由。我建議您更改伺服器配置,替換以下行:

push "redirect-gateway local def1"

使用其中之一:

push "redirect-gateway autolocal def1"

push "redirect-gateway def1"

參考:

  $ man 8 openvpn


   --redirect-gateway flags...
          Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN.  This is a client-side option.

          This option performs three steps:

          (1) Create a static route for the --remote address which forwards to the pre-existing default gateway.  This is done so that (3) will not create a routing loop.

          (2) Delete the default gateway route.

          (3) Set the new default gateway to be the VPN endpoint address (derived either from --route-gateway or the second parameter to --ifconfig when --dev tun is specified).

          When the tunnel is torn down, all of the above steps are reversed so that the original default route is restored.

          Option flags:

          local  --  Add the local flag if both OpenVPN servers are directly connected via a common subnet, such as with wireless.  The local flag will cause step 1 above to be omit‐
          ted.

          autolocal -- Try to automatically determine whether to enable local flag above.

          def1 -- Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0.  This has the benefit of overriding but not wiping  out  the
          original default gateway.

          bypass-dhcp  --  Add  a  direct  route  to the DHCP server (if it is non-local) which bypasses the tunnel (Available on Windows clients, may not be available on non-Windows
          clients).

          bypass-dns -- Add a direct route to the DNS server(s) (if they are non-local) which bypasses the tunnel (Available on Windows clients, may not be available  on  non-Windows
          clients).

          block-local  --  Block  access to local LAN when the tunnel is active, except for the LAN gateway itself.  This is accomplished by routing the local LAN (except for the LAN
          gateway address) into the tunnel.

          ipv6 -- Redirect IPv6 routing into the tunnel.  This works similar to the def1 flag, that is, more specific IPv6 routes are added (2000::/4, 3000::/4), covering  the  whole
          IPv6 unicast space.

          !ipv4 -- Do not redirect IPv4 traffic - typically used in the flag pair ipv6 !ipv4 to redirect IPv6-only.

答案2

對於舊版的 OpenVPN-GUI,這是 OpenVPN.exe 檔案未以管理權限執行的症狀,而變更路由表需要這些權限。

使用 連接並檢查路由表netstat -rn。如果到遠端網路的路由不存在,請找到 openvpn.exe 二進位檔案並更改它,以便它以管理員身份運行。

答案3

這聽起來似乎很明顯,但您是否嘗試過在 Windows 10 中停用防火牆?另一個選擇是仔細檢查您的地址,因為根據您的日誌,您的網關位址似乎是 10.8.0.5,而不是 10.8.0.1。

答案4

對於那些像我一樣從第三方 VPN 供應商切換到自己的 OpenVPN 伺服器的人,您需要卸載系統上的所有 VPN 用戶端,包括 OpenVPN。確保刪除所有配置和註冊表項。然後重新安裝 OpenVPN,乾淨清爽。那些其他 VPN 用戶端可能基於 OpenVPN 用戶端並共用 TAP 適配器和配置,但它們可能不是正確的。

另外,自動安裝程式伺服器端有助於處理伺服器配置中任何可能的錯誤。

相關內容