AWS 中的 OpenVPN 無法運作 - 相同的設定在 DigitalOcean 中運作

AWS 中的 OpenVPN 無法運作 - 相同的設定在 DigitalOcean 中運作

我正在嘗試在 AWS 環境中設定 VPN 伺服器。我使用與在工作的 Digital Ocean 主機上使用的相同配置設定伺服器(除了不同的伺服器 IP 範圍和連接埠),並且我可以從執行tunnelblick 的客戶端進行連線。

但是,當我連接到 AWS VPN 伺服器時,我的客戶端 tunX 裝置上沒有收到 IP 位址,也沒有更新任何路由。當我連接到 DigitalOcean 時,我從 openvpn server.conf 取得伺服器 IP 範圍內的 IP 位址

我的 AWS VPC 上的 NACL 允許所有入站流量和所有出站流量。

只有一個安全群組與 EC2 執行個體關聯,並且允許協定為 All、Port Range All 和 Destination 0.0.0.0/0 的所有流量

實例上停用了來源/目標檢查,但啟用此功能後也會發生相同的行為。

我的 EC2 執行個體關聯的子網路具有到有效 Internet 閘道的路由並且可以存取 Internet

我的AWS /etc/openvpn/server.conf如下:

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/ip-foo.crt
key /etc/openvpn/easy-rsa/keys/ip-foo.key
user nobody
group nogroup
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.20.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
push "route 172.100.0.0 255.255.0.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
persist-key
persist-tun
status openvpn-status.log
verb 3

我的 DigitalOcean server.conf 是

port 443
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/foo.crt
key /etc/openvpn/easy-rsa/keys/foo.key 
user nobody
group nogroup
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.4.0 255.255.255.0
ifconfig-pool-persist 443ipp.txt
keepalive 10 120
comp-lzo
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
persist-key
persist-tun
verb 3

範例用戶端日誌位於https://pastebin.com/tYwAKFwn

連接到AWS伺服器時,我在journalctl -f的輸出中看到以下內容

Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 TLS: Initial packet from [AF_INET]my.public.ip:56720, sid=f565fbbe 3fc25003
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 VERIFY OK: depth=1, C=GB, ST=Your Province, L=Your City, O=Your Organisation, OU=Your organisational unit, CN=Your Organisation CA, name=EasyRSA, emailAddress=Organisation CA e-mail
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 VERIFY OK: depth=0, C=GB, ST=Your Province, L=Your City, O=Your Organisation, OU=Your organisational unit, CN=vpnclient, name=EasyRSA, emailAddress=Organisation CA e-mail
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1558'
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 WARNING: this cipher's block size is less than 128 bit (64 bit).  Consider using a --cipher with a larger block size.
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 WARNING: this cipher's block size is less than 128 bit (64 bit).  Consider using a --cipher with a larger block size.
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: my.public.ip:56720 [vpnclient] Peer Connection Initiated with [AF_INET]my.public.ip:56720
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: vpnclient/my.public.ip:56720 MULTI_sva: pool returned IPv4=10.8.20.6, IPv6=(Not enabled)
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: vpnclient/my.public.ip:56720 MULTI: Learn: 10.8.20.6 -> vpnclient/my.public.ip:56720
Feb 23 10:01:11 ip-172-100-54-88 ovpn-server[1872]: vpnclient/my.public.ip:56720 MULTI: primary virtual IP for vpnclient/my.public.ip:56720: 10.8.20.6

AWS 伺服器上 ifconfig tun0 的輸出是

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.20.1  P-t-P:10.8.20.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

但我從未在 tun 設備上獲得 IP,並且無法 ping 10.8.20.1

任何指示將不勝感激!

答案1

atm 我沒有時間查看你的東西,但我有一個 openvpn 的工作設定。

以下是一些可能有幫助的事情:

相關內容