我有一个在raspian上运行的openvpn服务器和一个osx上的tunnelblick客户端。我可以很好地连接到VPN,但我没有访问互联网。服务器响应ping就好了,端口在路由器中打开了。有谁知道什么可能是错的?
这是客户端日志: http://pastebin.com/zvBXPv4D
这是服务器日志: http://pastebin.com/bBsaRK6c
客户端配置:
client
dev tun
proto udp
remote <server external ip> 1194 #change this
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20
ca /Users/user1/vpn/ca.crt #change this
cert /Users/user1/vpn/client1.crt #change this
key /Users/user1/vpn/client1.key #change this
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
#removed for pastebin
-----END OpenVPN Static key V1-----
</tls-auth>
服务器配置:
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/server.key # SWAP WITH YOUR KEY NAME
dh /etc/openvpn/easy-rsa/keys/dh1024.pem # If you kept 1024, change it to dh1024.pem
server 10.8.0.0 255.255.255.0
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 10.0.1.2 255.255.255.0" # Enter PI LAN PI
# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS 8.8.8.8
push "dhcp-option DNS 10.8.0.1"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 5
sysctl net.ipv4.ip_forward给出:
net.ipv4.ip_forward = 1
ip route show给出:
default via 10.0.1.1 dev eth0
10.0.1.0/24 dev eth0 proto kernel scope link src 10.0.1.2
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
iptables -L -v给出:
Chain INPUT (policy ACCEPT 15492 packets, 1793K bytes)
pkts bytes target prot opt in out source destination
88 5861 ACCEPT all -- tun+ any anywhere anywhere
1 70 ACCEPT udp -- eth0 any anywhere anywhere state NEW udp dpt:openvpn
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tun0 eth0 10.8.0.0/24 10.0.1.0/24 ctstate NEW
13 948 ACCEPT all -- tun+ any anywhere anywhere
0 0 ACCEPT all -- tun+ eth0 anywhere anywhere state RELATED,ESTABLISHED
4 776 ACCEPT all -- eth0 tun+ anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 18526 packets, 3880K bytes)
pkts bytes target prot opt in out source destination
27 2584 ACCEPT all -- any tun+ anywhere anywhere