Windows 10: strange OpenVPN behaviour

3

I have an OpenVPN server running (93.xxx.xxx.xxx is the public IP) to which various Android and Windows clients can connect and get internet access, but an OpenVPN client on my Windows 10 PC behaves strangely:

  1. It connects and authenticates successfully.
Sun Nov 08 10:50:38 2015 NOTE: --user option is not implemented on Windows
Sun Nov 08 10:50:38 2015 NOTE: --group option is not implemented on Windows
Sun Nov 08 10:50:38 2015 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  4 2015
Sun Nov 08 10:50:38 2015 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
Sun Nov 08 10:50:38 2015 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342
Sun Nov 08 10:50:38 2015 Need hold release from management interface, waiting...
Sun Nov 08 10:50:39 2015 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25342
Sun Nov 08 10:50:39 2015 MANAGEMENT: CMD 'state on'
Sun Nov 08 10:50:39 2015 MANAGEMENT: CMD 'log all on'
Sun Nov 08 10:50:39 2015 MANAGEMENT: CMD 'hold off'
Sun Nov 08 10:50:39 2015 MANAGEMENT: CMD 'hold release'
Sun Nov 08 10:50:43 2015 MANAGEMENT: CMD 'username "Auth" "qwerty"'
Sun Nov 08 10:50:43 2015 MANAGEMENT: CMD 'password [...]'
Sun Nov 08 10:50:43 2015 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Nov 08 10:50:43 2015 UDPv4 link local: [undef]
Sun Nov 08 10:50:43 2015 UDPv4 link remote: [AF_INET]93.xxx.xxx.xxx:50005
Sun Nov 08 10:50:43 2015 MANAGEMENT: >STATE:1446979843,WAIT,,,
Sun Nov 08 10:50:43 2015 MANAGEMENT: >STATE:1446979843,AUTH,,,
Sun Nov 08 10:50:43 2015 TLS: Initial packet from [AF_INET]93.xxx.xxx.xxx:50005, sid=48bd669d fdf76b86
Sun Nov 08 10:50:43 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Nov 08 10:50:43 2015 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=server, [email protected]
Sun Nov 08 10:50:43 2015 Validating certificate key usage
Sun Nov 08 10:50:43 2015 ++ Certificate has key usage  00a0, expects 00a0
Sun Nov 08 10:50:43 2015 VERIFY KU OK
Sun Nov 08 10:50:43 2015 Validating certificate extended key usage
Sun Nov 08 10:50:43 2015 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Nov 08 10:50:43 2015 VERIFY EKU OK
Sun Nov 08 10:50:43 2015 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=server, name=server, [email protected]
Sun Nov 08 10:50:43 2015 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Nov 08 10:50:43 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Nov 08 10:50:43 2015 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Nov 08 10:50:43 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Nov 08 10:50:43 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Nov 08 10:50:43 2015 [server] Peer Connection Initiated with [AF_INET]93.xxx.xxx.xxx:50005
Sun Nov 08 10:50:44 2015 MANAGEMENT: >STATE:1446979844,GET_CONFIG,,,
Sun Nov 08 10:50:45 2015 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Nov 08 10:50:45 2015 PUSH: Received control message: 'PUSH_REPLY,route 172.16.101.0 255.0.0.0,redirect-gateway def1 bypass-dhcp,route 172.16.101.0 255.255.255.0,topology net30,ping 3,ping-restart 10,ifconfig 172.16.101.6 172.16.101.5'
Sun Nov 08 10:50:45 2015 OPTIONS IMPORT: timers and/or timeouts modified
Sun Nov 08 10:50:45 2015 OPTIONS IMPORT: --ifconfig/up options modified
Sun Nov 08 10:50:45 2015 OPTIONS IMPORT: route options modified
Sun Nov 08 10:50:45 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Nov 08 10:50:45 2015 MANAGEMENT: >STATE:1446979845,ASSIGN_IP,,172.16.101.6,
Sun Nov 08 10:50:45 2015 open_tun, tt->ipv6=0
Sun Nov 08 10:50:45 2015 TAP-WIN32 device [Ethernet 6] opened: \.\Global\{B3106E59-6B92-4B4D-8A96-B9476295FF36}.tap
Sun Nov 08 10:50:45 2015 TAP-Windows Driver Version 9.9 
Sun Nov 08 10:50:45 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.16.101.6/255.255.255.252 on interface {B3106E59-6B92-4B4D-8A96-B9476295FF36} [DHCP-serv: 172.16.101.5, lease-time: 31536000]
Sun Nov 08 10:50:45 2015 Successful ARP Flush on interface [79] {B3106E59-6B92-4B4D-8A96-B9476295FF36}
Sun Nov 08 10:50:50 2015 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
Sun Nov 08 10:50:50 2015 C:\WINDOWS\system32\route.exe ADD 93.xxx.xxx.xxx MASK 255.255.255.255 192.168.10.1
Sun Nov 08 10:50:50 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Sun Nov 08 10:50:50 2015 Route addition via IPAPI succeeded [adaptive]
Sun Nov 08 10:50:50 2015 C:\WINDOWS\system32\route.exe ADD 192.168.10.1 MASK 255.255.255.255 192.168.10.1 IF 24
Sun Nov 08 10:50:50 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Sun Nov 08 10:50:50 2015 Route addition via IPAPI succeeded [adaptive]
Sun Nov 08 10:50:50 2015 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 172.16.101.5
Sun Nov 08 10:50:50 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sun Nov 08 10:50:50 2015 Route addition via IPAPI succeeded [adaptive]
Sun Nov 08 10:50:50 2015 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 172.16.101.5
Sun Nov 08 10:50:50 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sun Nov 08 10:50:50 2015 Route addition via IPAPI succeeded [adaptive]
Sun Nov 08 10:50:50 2015 MANAGEMENT: >STATE:1446979850,ADD_ROUTES,,,
Sun Nov 08 10:50:50 2015 C:\WINDOWS\system32\route.exe ADD 172.16.101.0 MASK 255.0.0.0 172.16.101.5
Sun Nov 08 10:50:50 2015 Warning: address 172.16.101.0 is not a network address in relation to netmask 255.0.0.0
Sun Nov 08 10:50:50 2015 ROUTE: route addition failed using CreateIpForwardEntry: The parameter is incorrect.   [status=87 if_index=79]
Sun Nov 08 10:50:50 2015 Route addition via IPAPI failed [adaptive]
Sun Nov 08 10:50:50 2015 Route addition fallback to route.exe
Sun Nov 08 10:50:50 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sun Nov 08 10:50:50 2015 C:\WINDOWS\system32\route.exe ADD 172.16.101.0 MASK 255.255.255.0 172.16.101.5
Sun Nov 08 10:50:50 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sun Nov 08 10:50:50 2015 Route addition via IPAPI succeeded [adaptive]
Sun Nov 08 10:50:50 2015 Initialization Sequence Completed
Sun Nov 08 10:50:50 2015 MANAGEMENT: >STATE:1446979850,CONNECTED,SUCCESS,172.16.101.6,93.xxx.xxx.xxx
  2. It can ping google, 8.8.8.8 etc., but cannot browse the web (pages start loading for the first 3 to 5 seconds and then stop). This is mainly Chrome and Firefox. Edge seems to work better but still behaves strangely (slow page loads, a refresh is needed for the page to load fully) [ page loading screen, forever ]

SSH also doesn't seem to work, and the same thing happens with FTP:

Status:  Connection established, waiting for welcome message...
Status: Insecure server, it does not support FTP over TLS.
Status: Connected
Status: Retrieving directory listing...
*Nothing happens*

Things like online games (UDP?) work fine.

Please also note that:

  • Various other clients can connect to the server without problems (Windows ones too, and ones that log in with the same credentials).
  • There are no firewalls between the client and the server.
  • When the client tries to connect to similar servers, the same problem occurs (even ones that were working perfectly before).
  • Even while connected to the VPN, ping shows 0% packet loss.
  • The underlying internet connection is fine, and the client can connect to non-OpenVPN VPNs without problems.

All of the server's iptables rules (there is only one):

[email protected]:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.16.101.0/24      anywhere
[email protected]:~# cat /proc/sys/net/ipv4/ip_forward
1

Client routes (connected to the VPN):

>cmd /k route print
===========================================================================
Interface List
 24...10 c3 7b 96 51 7c ......Realtek PCIe GBE Family Controller
 79...00 ff b3 10 6e 59 ......TAP-Windows Adapter V9 #2
  1...........................Software Loopback Interface 1
 47...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 45...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
 52...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1   192.168.10.116     20
          0.0.0.0        128.0.0.0     172.16.101.9    172.16.101.10     30
    93.xxx.xxx.xxx  255.255.255.255     192.168.10.1   192.168.10.116     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        128.0.0.0        128.0.0.0     172.16.101.9    172.16.101.10     30
     172.16.101.0    255.255.255.0     172.16.101.9    172.16.101.10     30
     172.16.101.8  255.255.255.252         On-link     172.16.101.10    286
    172.16.101.10  255.255.255.255         On-link     172.16.101.10    286
    172.16.101.11  255.255.255.255         On-link     172.16.101.10    286
     192.168.10.0    255.255.255.0         On-link    192.168.10.116    276
     192.168.10.1  255.255.255.255     192.168.10.1   192.168.10.116     20
   192.168.10.116  255.255.255.255         On-link    192.168.10.116    276
   192.168.10.255  255.255.255.255         On-link    192.168.10.116    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link    192.168.10.116    276
        224.0.0.0        240.0.0.0         On-link     172.16.101.10    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link    192.168.10.116    276
  255.255.255.255  255.255.255.255         On-link     172.16.101.10    286
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 24    276 fe80::/64                On-link
 79    286 fe80::/64                On-link
 24    276 fe80::5990:eaa3:40fd:4a6d/128
                                    On-link
 79    286 fe80::8dce:5ebc:c720:2d68/128
                                    On-link
  1    306 ff00::/8                 On-link
 24    276 ff00::/8                 On-link
 79    286 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Client routes (disconnected from the VPN):

>cmd /k route print
===========================================================================
Interface List
 24...10 c3 7b 96 51 7c ......Realtek PCIe GBE Family Controller
 79...00 ff b3 10 6e 59 ......TAP-Windows Adapter V9 #2
  1...........................Software Loopback Interface 1
 45...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
 52...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1   192.168.10.116     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     192.168.10.0    255.255.255.0         On-link    192.168.10.116    276
   192.168.10.116  255.255.255.255         On-link    192.168.10.116    276
   192.168.10.255  255.255.255.255         On-link    192.168.10.116    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link    192.168.10.116    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link    192.168.10.116    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 45    306 ::/0                     On-link
  1    306 ::1/128                  On-link
 45    306 2001::/32                On-link
 45    306 2001:0:9d38:6abd:107a:364f:9711:5573/128
                                    On-link
 24    276 fe80::/64                On-link
 45    306 fe80::/64                On-link
 45    306 fe80::107a:364f:9711:5573/128
                                    On-link
 24    276 fe80::5990:eaa3:40fd:4a6d/128
                                    On-link
  1    306 ff00::/8                 On-link
 24    276 ff00::/8                 On-link
 45    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Client configuration:

client
dev tun
proto udp
remote 93.xxx.xxx.xxx 50005
resolv-retry infinite
user nobody
group nobody
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
auth-user-pass
cipher AES-128-CBC
auth SHA1
remote-cert-tls server
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>

Server configuration:

port 50005
proto udp
dev tun
server 172.16.101.0 255.255.255.0
duplicate-cn
client-to-client
cipher AES-128-CBC
auth SHA1
comp-lzo
username-as-common-name
client-cert-not-required
auth-user-pass-verify /etc/openvpn/script/login.sh via-env
comp-lzo
user nobody
;group nogroup
username-as-common-name
client-cert-not-required
auth-user-pass-verify /etc/openvpn/script/login.sh via-env
keepalive 3 10
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "route 172.16.101.0 255.0.0.0"
push "redirect-gateway def1 bypass-dhcp"
script-security 3 system
client-connect /etc/openvpn/script/connect.sh
client-disconnect /etc/openvpn/script/disconnect.sh
persist-key
persist-tun
status openvpn-status.log
verb 5
management localhost 7555
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
<dh>
...
</dh>

Any advice would be much appreciated. Thanks.

by Bob Prets 08.11.2015 / 13:14

1 answer

0

Set the client-side MTU a bit lower. Use ping with -l to set the payload size and find the right size to set. link

by 09.11.2015 / 03:00
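The size search the answer describes, automated as an added example (not part of the question or the answer): it binary-searches the largest ping payload that still passes with the Don't-Fragment bit set, converts that into a path MTU, and prints OpenVPN client lines to match. The 100-byte encapsulation margin, the `mssfix`/`fragment` choice and the 8.8.8.8 probe target are assumptions; run it while connected to the VPN.

```python
import platform
import subprocess
import sys
from typing import Callable

IP_ICMP_HEADERS = 28  # 20-byte IPv4 + 8-byte ICMP header, not counted by ping -l / -s

def ping_probe(host: str, payload: int, timeout_ms: int = 1000) -> bool:
    """One ICMP echo with Don't-Fragment set and `payload` data bytes (Windows: ping -f -l,
    Linux: ping -M do -s). True means a reply came back, so this size fits the path."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_ms), "-f", "-l", str(payload), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(max(1, timeout_ms // 1000)), "-M", "do", "-s", str(payload), host]
    try:
        return subprocess.run(cmd, capture_output=True, timeout=timeout_ms / 1000 + 2).returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False

def find_max_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Largest payload in [lo, hi] for which probe() succeeds, by binary search.
    Assumes probe(lo) succeeds and success is monotone; 1472 fills a plain 1500-byte MTU."""
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo

def payload_to_mtu(payload: int) -> int:
    """Path MTU as IP sees it: the ping payload plus the headers ping does not count."""
    return payload + IP_ICMP_HEADERS

def render_client_options(path_mtu: int, margin: int = 100) -> str:
    """Client-side OpenVPN lines from the measured path MTU. `margin` is an assumed headroom
    for IP/UDP/OpenVPN encapsulation, not a value from the page. mssfix needs no server
    change and targets exactly the TCP-only symptom (web/SSH/FTP stall, UDP games fine);
    fragment must match on both peers, so it is left commented out."""
    size = path_mtu - margin
    return f"mssfix {size}\n;fragment {size}\n"

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "8.8.8.8"  # a host reachable through the tunnel
    mtu = payload_to_mtu(find_max_payload(lambda n: ping_probe(host, n)))
    print(f"# measured path MTU: {mtu}\n{render_client_options(mtu)}")
```

A probe that fails even at the smallest size means ICMP is blocked along the path, and the search then returns `lo`; check that the host answers an ordinary ping first.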