OpenVPN establishes an IPv6 connection but cannot access the internet


bran...@gmail.com
Dec 7, 2013, 6:42:13 AM
to ustc...@googlegroups.com
The server config is as follows:
port 1184
proto udp6
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key
dh easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
cipher AES-128-CBC
duplicate-cn
verb 3
The server also has the sysctl setting
ipv4_forward=1
and the iptables forwarding rule
iptables -t nat -A PREROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE


The client's config:
client
dev tun
proto udp6
route-method exe
remote  2001:da8:d800:144:1916:c465:1996:a072 1184
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert user.crt
key user.key
ns-cert-type server
comp-lzo
cipher AES-128-CBC
verb 3


Log from the client (Windows 7, 32-bit) after connecting:
Sat Dec 07 19:35:08 2013 OpenVPN 2.3.2 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
Enter Management Password:
Sat Dec 07 19:35:08 2013 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sat Dec 07 19:35:08 2013 Need hold release from management interface, waiting...
Sat Dec 07 19:35:08 2013 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sat Dec 07 19:35:09 2013 MANAGEMENT: CMD 'state on'
Sat Dec 07 19:35:09 2013 MANAGEMENT: CMD 'log all on'
Sat Dec 07 19:35:09 2013 MANAGEMENT: CMD 'hold off'
Sat Dec 07 19:35:09 2013 MANAGEMENT: CMD 'hold release'
Sat Dec 07 19:35:09 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Dec 07 19:35:09 2013 UDPv6 link local: [undef]
Sat Dec 07 19:35:09 2013 UDPv6 link remote: [AF_INET6]2001:da8:d800:144:1916:c465:1996:a072:1184
Sat Dec 07 19:35:09 2013 MANAGEMENT: >STATE:1386416109,WAIT,,,
Sat Dec 07 19:35:09 2013 MANAGEMENT: >STATE:1386416109,AUTH,,,
Sat Dec 07 19:35:09 2013 TLS: Initial packet from [AF_INET6]2001:da8:d800:144:1916:c465:1996:a072:1184, sid=5a79a780 62bb344a
Sat Dec 07 19:35:14 2013 VERIFY OK: depth=1, C=CN, ST=Anhui, L=Hefei, O=USTC, OU=B, CN=A, name=A, emailAddress=aaa
Sat Dec 07 19:35:14 2013 VERIFY OK: nsCertType=SERVER
Sat Dec 07 19:35:14 2013 VERIFY OK: depth=0, C=CN, ST=Anhui, L=Hefei, O=USTC, OU=B, CN=server, name=A, emailAddress=aaa
Sat Dec 07 19:35:16 2013 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sat Dec 07 19:35:16 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Dec 07 19:35:16 2013 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sat Dec 07 19:35:16 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Dec 07 19:35:16 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Dec 07 19:35:16 2013 [server] Peer Connection Initiated with [AF_INET6]2001:da8:d800:144:1916:c465:1996:a072:1184
Sat Dec 07 19:35:17 2013 MANAGEMENT: >STATE:1386416117,GET_CONFIG,,,
Sat Dec 07 19:35:18 2013 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Dec 07 19:35:18 2013 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.8.0.1,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Sat Dec 07 19:35:18 2013 OPTIONS IMPORT: timers and/or timeouts modified
Sat Dec 07 19:35:18 2013 OPTIONS IMPORT: --ifconfig/up options modified
Sat Dec 07 19:35:18 2013 OPTIONS IMPORT: route options modified
Sat Dec 07 19:35:18 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Dec 07 19:35:18 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Dec 07 19:35:18 2013 MANAGEMENT: >STATE:1386416118,ASSIGN_IP,,10.8.0.6,
Sat Dec 07 19:35:18 2013 open_tun, tt->ipv6=0
Sat Dec 07 19:35:18 2013 TAP-WIN32 device [本地连接 2] opened: \\.\Global\{79305141-32F2-48E8-B655-F3119503652C}.tap
Sat Dec 07 19:35:18 2013 TAP-Windows Driver Version 9.9 
Sat Dec 07 19:35:18 2013 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {79305141-32F2-48E8-B655-F3119503652C} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Sat Dec 07 19:35:18 2013 Successful ARP Flush on interface [88] {79305141-32F2-48E8-B655-F3119503652C}
Sat Dec 07 19:35:23 2013 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Sat Dec 07 19:35:23 2013 C:\Windows\system32\route.exe ADD 172.16.4.1 MASK 255.255.255.255 172.16.4.1 IF 11
Sat Dec 07 19:35:23 2013 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Dec 07 19:35:23 2013 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Sat Dec 07 19:35:23 2013 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Dec 07 19:35:23 2013 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Sat Dec 07 19:35:23 2013 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Dec 07 19:35:23 2013 MANAGEMENT: >STATE:1386416123,ADD_ROUTES,,,
Sat Dec 07 19:35:23 2013 C:\Windows\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.5
Sat Dec 07 19:35:23 2013 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Dec 07 19:35:23 2013 Initialization Sequence Completed
Sat Dec 07 19:35:23 2013 MANAGEMENT: >STATE:1386416123,CONNECTED,SUCCESS,10.8.0.6,

bran...@gmail.com
Dec 7, 2013, 6:49:11 AM
to ustc...@googlegroups.com
The address OpenVPN assigned me is 10.8.0.2. I can only ping addresses in the 10.8.0.X range; everything else, including USTC campus addresses, cannot be pinged.

Bojie Li
Dec 7, 2013, 6:49:55 AM
to USTC_LUG
You pushed the DNS option 10.8.0.1, so is there a DNS server such as dnsmasq or bind9 installed on your OpenVPN server?

On the client, ping 10.8.0.1 and see whether it works, then ping 202.38.64.1, then ping ustc.edu.cn.


--
-- From USTC LUG
Please subscribe with gmail, and no spam.
More info: http://groups.google.com/group/ustc_lug?hl=en?hl=en

Bojie Li
Dec 7, 2013, 6:52:54 AM
to USTC_LUG
Run tcpdump on the VPN server's tun0 and eth0 separately to capture ICMP packets, then ping 202.38.64.1 from the VPN client and see whether any packets are captured.


On Sat, Dec 7, 2013 at 7:49 PM, <bran...@gmail.com> wrote:
> The address OpenVPN assigned me is 10.8.0.2. I can only ping addresses in the 10.8.0.X range; everything else, including USTC campus addresses, cannot be pinged.

bran...@gmail.com
Dec 7, 2013, 7:05:31 AM
to ustc...@googlegroups.com
Indeed, neither of those was installed; I have installed them now.
I can ping 10.8.0.1 and 202.38.64.1, but I cannot ping ustc.edu.cn.
Is it a DNS problem?

On Saturday, December 7, 2013 at 7:49:55 PM UTC+8, Bojie Li wrote:
Message has been deleted

bran...@gmail.com
Dec 7, 2013, 7:53:11 AM
to ustc...@googlegroups.com
I made a typo; it should be:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE


On Saturday, December 7, 2013 at 7:42:13 PM UTC+8, bran...@gmail.com wrote:

Bojie Li
Dec 7, 2013, 10:35:55 AM
to USTC_LUG
If you don't want to run your own DNS, I suggest removing the line push "dhcp-option DNS 10.8.0.1" from the server config file.

On Sat, Dec 7, 2013 at 8:13 PM, <bran...@gmail.com> wrote:
> Those two packages were indeed not installed; they are installed now.
> I can ping 10.8.0.1 and 202.38.64.1, but cannot ping ustc.edu.cn.
> A DNS address problem?
>
> On Saturday, December 7, 2013 at 7:49:55 PM UTC+8, Bojie Li wrote:

bran...@gmail.com
Dec 9, 2013, 8:44:41 PM
to ustc...@googlegroups.com
Solved. Adding the following to the client config:
dhcp-option DNS 202.38.64.56
did the trick.


On Saturday, December 7, 2013 at 11:35:55 PM UTC+8, Bojie Li wrote:

Bojie Li
Dec 10, 2013, 9:26:23 AM
to USTC_LUG

I already said in an earlier reply to remove the dhcp-option line... that way you simply keep using your original DNS. Why push a school DNS by hand at all?
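As an added example that is not part of this thread: a small Python linter that checks an OpenVPN server config for the two pitfalls discussed above, a pushed DNS address inside the tunnel subnet with no resolver behind it (Bojie Li's point about dnsmasq/bind9 and the dhcp-option line), and a redirect-gateway push whose NAT rule is missing or puts MASQUERADE outside POSTROUTING (the iptables typo corrected earlier). The config text and NAT rule are copied from the first post; the resolver_on_pushed_dns flag is a constructed input standing in for a real check of what listens on 10.8.0.1.

```python
import ipaddress
import shlex

# Constructed copies of the server config and the NAT rule from the first post.
SERVER_CONF = """\
port 1184
proto udp6
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
client-to-client
"""
NAT_RULE_TYPO = "iptables -t nat -A PREROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE"


def parse_conf(text):
    """Return (directive, args) pairs; a push's quoted argument is split into its own tokens."""
    opts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = shlex.split(line)
        if parts[0] == "push" and len(parts) > 1:
            opts.append(("push", parts[1].split()))
        else:
            opts.append((parts[0], parts[1:]))
    return opts


def check_conf(text, nat_rule=None, resolver_on_pushed_dns=False):
    """Return warnings; resolver_on_pushed_dns is a constructed flag: does a DNS server listen on the pushed address?"""
    opts = parse_conf(text)
    # Tunnel subnet from the 'server' directive (ip_network accepts the dotted netmask form).
    nets = [ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False) for n, a in opts if n == "server" and len(a) >= 2]
    tunnel = nets[0] if nets else None
    warnings = []
    for args in (a for n, a in opts if n == "push" and a):
        if args[:2] == ["dhcp-option", "DNS"] and len(args) > 2:
            addr = ipaddress.ip_address(args[2])
            if tunnel is not None and addr in tunnel and not resolver_on_pushed_dns:
                warnings.append(f"DNS {addr} is inside {tunnel} but no resolver listens there: clients reach IPs but not names")
        if args[0] == "redirect-gateway":
            # All client traffic enters the tunnel, so the server must NAT it out; MASQUERADE is valid only in POSTROUTING.
            if nat_rule is None:
                warnings.append("redirect-gateway is pushed but no NAT rule is configured")
            elif "MASQUERADE" in nat_rule and "POSTROUTING" not in nat_rule:
                warnings.append("MASQUERADE is only valid in the nat table's POSTROUTING chain")
    return warnings
```

With the thread's original config and the PREROUTING rule, check_conf reports both problems; with the dhcp-option line removed (or a resolver behind 10.8.0.1) and the POSTROUTING rule, it reports none.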
