Defina a MTU do lado do cliente um pouco para baixo. Use ping com -l para definir o tamanho da carga útil e encontrar o tamanho certo para definir. link
Eu tenho um servidor OpenVPN em execução (93.xxx.xxx.xxx é o IP público) para o qual diferentes clientes do Android e Windows podem se conectar e ter acesso à Internet, mas um cliente OpenVPN no meu PC com Windows 10 se comporta estranhamente:
Sun Nov 08 10:50:38 2015 NOTE: --user option is not implemented on Windows
Sun Nov 08 10:50:38 2015 NOTE: --group option is not implemented on Windows
Sun Nov 08 10:50:38 2015 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 4 2015
Sun Nov 08 10:50:38 2015 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
Sun Nov 08 10:50:38 2015 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342
Sun Nov 08 10:50:38 2015 Need hold release from management interface, waiting...
Sun Nov 08 10:50:39 2015 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25342
Sun Nov 08 10:50:39 2015 MANAGEMENT: CMD 'state on'
Sun Nov 08 10:50:39 2015 MANAGEMENT: CMD 'log all on'
Sun Nov 08 10:50:39 2015 MANAGEMENT: CMD 'hold off'
Sun Nov 08 10:50:39 2015 MANAGEMENT: CMD 'hold release'
Sun Nov 08 10:50:43 2015 MANAGEMENT: CMD 'username "Auth" "qwerty"'
Sun Nov 08 10:50:43 2015 MANAGEMENT: CMD 'password [...]'
Sun Nov 08 10:50:43 2015 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Nov 08 10:50:43 2015 UDPv4 link local: [undef]
Sun Nov 08 10:50:43 2015 UDPv4 link remote: [AF_INET]93.xxx.xxx.xxx:50005
Sun Nov 08 10:50:43 2015 MANAGEMENT: >STATE:1446979843,WAIT,,,
Sun Nov 08 10:50:43 2015 MANAGEMENT: >STATE:1446979843,AUTH,,,
Sun Nov 08 10:50:43 2015 TLS: Initial packet from [AF_INET]93.xxx.xxx.xxx:50005, sid=48bd669d fdf76b86
Sun Nov 08 10:50:43 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Nov 08 10:50:43 2015 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=server, [email protected]
Sun Nov 08 10:50:43 2015 Validating certificate key usage
Sun Nov 08 10:50:43 2015 ++ Certificate has key usage 00a0, expects 00a0
Sun Nov 08 10:50:43 2015 VERIFY KU OK
Sun Nov 08 10:50:43 2015 Validating certificate extended key usage
Sun Nov 08 10:50:43 2015 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Nov 08 10:50:43 2015 VERIFY EKU OK
Sun Nov 08 10:50:43 2015 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=server, name=server, [email protected]
Sun Nov 08 10:50:43 2015 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Nov 08 10:50:43 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Nov 08 10:50:43 2015 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Nov 08 10:50:43 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Nov 08 10:50:43 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Nov 08 10:50:43 2015 [server] Peer Connection Initiated with [AF_INET]93.xxx.xxx.xxx:50005
Sun Nov 08 10:50:44 2015 MANAGEMENT: >STATE:1446979844,GET_CONFIG,,,
Sun Nov 08 10:50:45 2015 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Nov 08 10:50:45 2015 PUSH: Received control message: 'PUSH_REPLY,route 172.16.101.0 255.0.0.0,redirect-gateway def1 bypass-dhcp,route 172.16.101.0 255.255.255.0,topology net30,ping 3,ping-restart 10,ifconfig 172.16.101.6 172.16.101.5'
Sun Nov 08 10:50:45 2015 OPTIONS IMPORT: timers and/or timeouts modified
Sun Nov 08 10:50:45 2015 OPTIONS IMPORT: --ifconfig/up options modified
Sun Nov 08 10:50:45 2015 OPTIONS IMPORT: route options modified
Sun Nov 08 10:50:45 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Nov 08 10:50:45 2015 MANAGEMENT: >STATE:1446979845,ASSIGN_IP,,172.16.101.6,
Sun Nov 08 10:50:45 2015 open_tun, tt->ipv6=0
Sun Nov 08 10:50:45 2015 TAP-WIN32 device [Ethernet 6] opened: \.\Global\{B3106E59-6B92-4B4D-8A96-B9476295FF36}.tap
Sun Nov 08 10:50:45 2015 TAP-Windows Driver Version 9.9
Sun Nov 08 10:50:45 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.16.101.6/255.255.255.252 on interface {B3106E59-6B92-4B4D-8A96-B9476295FF36} [DHCP-serv: 172.16.101.5, lease-time: 31536000]
Sun Nov 08 10:50:45 2015 Successful ARP Flush on interface [79] {B3106E59-6B92-4B4D-8A96-B9476295FF36}
Sun Nov 08 10:50:50 2015 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
Sun Nov 08 10:50:50 2015 C:\WINDOWS\system32\route.exe ADD 93.xxx.xxx.xxx MASK 255.255.255.255 192.168.10.1
Sun Nov 08 10:50:50 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Sun Nov 08 10:50:50 2015 Route addition via IPAPI succeeded [adaptive]
Sun Nov 08 10:50:50 2015 C:\WINDOWS\system32\route.exe ADD 192.168.10.1 MASK 255.255.255.255 192.168.10.1 IF 24
Sun Nov 08 10:50:50 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Sun Nov 08 10:50:50 2015 Route addition via IPAPI succeeded [adaptive]
Sun Nov 08 10:50:50 2015 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 172.16.101.5
Sun Nov 08 10:50:50 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sun Nov 08 10:50:50 2015 Route addition via IPAPI succeeded [adaptive]
Sun Nov 08 10:50:50 2015 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 172.16.101.5
Sun Nov 08 10:50:50 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sun Nov 08 10:50:50 2015 Route addition via IPAPI succeeded [adaptive]
Sun Nov 08 10:50:50 2015 MANAGEMENT: >STATE:1446979850,ADD_ROUTES,,,
Sun Nov 08 10:50:50 2015 C:\WINDOWS\system32\route.exe ADD 172.16.101.0 MASK 255.0.0.0 172.16.101.5
Sun Nov 08 10:50:50 2015 Warning: address 172.16.101.0 is not a network address in relation to netmask 255.0.0.0
Sun Nov 08 10:50:50 2015 ROUTE: route addition failed using CreateIpForwardEntry: The parameter is incorrect. [status=87 if_index=79]
Sun Nov 08 10:50:50 2015 Route addition via IPAPI failed [adaptive]
Sun Nov 08 10:50:50 2015 Route addition fallback to route.exe
Sun Nov 08 10:50:50 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sun Nov 08 10:50:50 2015 C:\WINDOWS\system32\route.exe ADD 172.16.101.0 MASK 255.255.255.0 172.16.101.5
Sun Nov 08 10:50:50 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sun Nov 08 10:50:50 2015 Route addition via IPAPI succeeded [adaptive]
Sun Nov 08 10:50:50 2015 Initialization Sequence Completed
Sun Nov 08 10:50:50 2015 MANAGEMENT: >STATE:1446979850,CONNECTED,SUCCESS,172.16.101.6,93.xxx.xxx.xxx
O SSH também parece não funcionar, a mesma coisa com o FTP:
Status: Connection established, waiting for welcome message...
Status: Insecure server, it does not support FTP over TLS.
Status: Connected
Status: Retrieving directory listing...
*Nothing happens*
Coisas como jogos on-line (UDP?) funcionam bem.
Por favor, note também que:
Todos os iptables do servidor (existe apenas um)
[email protected]:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.16.101.0/24 anywhere
[email protected]:~# cat /proc/sys/net/ipv4/ip_forward
1
Rotas do cliente (conectadas à vpn):
>cmd /k route print
===========================================================================
Interface List
24...10 c3 7b 96 51 7c ......Realtek PCIe GBE Family Controller
79...00 ff b3 10 6e 59 ......TAP-Windows Adapter V9 #2
1...........................Software Loopback Interface 1
47...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
45...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
52...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.10.1 192.168.10.116 20
0.0.0.0 128.0.0.0 172.16.101.9 172.16.101.10 30
93.xxx.xxx.xxx 255.255.255.255 192.168.10.1 192.168.10.116 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
128.0.0.0 128.0.0.0 172.16.101.9 172.16.101.10 30
172.16.101.0 255.255.255.0 172.16.101.9 172.16.101.10 30
172.16.101.8 255.255.255.252 On-link 172.16.101.10 286
172.16.101.10 255.255.255.255 On-link 172.16.101.10 286
172.16.101.11 255.255.255.255 On-link 172.16.101.10 286
192.168.10.0 255.255.255.0 On-link 192.168.10.116 276
192.168.10.1 255.255.255.255 192.168.10.1 192.168.10.116 20
192.168.10.116 255.255.255.255 On-link 192.168.10.116 276
192.168.10.255 255.255.255.255 On-link 192.168.10.116 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.10.116 276
224.0.0.0 240.0.0.0 On-link 172.16.101.10 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.10.116 276
255.255.255.255 255.255.255.255 On-link 172.16.101.10 286
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
24 276 fe80::/64 On-link
79 286 fe80::/64 On-link
24 276 fe80::5990:eaa3:40fd:4a6d/128
On-link
79 286 fe80::8dce:5ebc:c720:2d68/128
On-link
1 306 ff00::/8 On-link
24 276 ff00::/8 On-link
79 286 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
Rotas do cliente (desconectadas da vpn):
>cmd /k route print
===========================================================================
Interface List
24...10 c3 7b 96 51 7c ......Realtek PCIe GBE Family Controller
79...00 ff b3 10 6e 59 ......TAP-Windows Adapter V9 #2
1...........................Software Loopback Interface 1
45...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
52...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.10.1 192.168.10.116 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.10.0 255.255.255.0 On-link 192.168.10.116 276
192.168.10.116 255.255.255.255 On-link 192.168.10.116 276
192.168.10.255 255.255.255.255 On-link 192.168.10.116 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.10.116 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.10.116 276
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
45 306 ::/0 On-link
1 306 ::1/128 On-link
45 306 2001::/32 On-link
45 306 2001:0:9d38:6abd:107a:364f:9711:5573/128
On-link
24 276 fe80::/64 On-link
45 306 fe80::/64 On-link
45 306 fe80::107a:364f:9711:5573/128
On-link
24 276 fe80::5990:eaa3:40fd:4a6d/128
On-link
1 306 ff00::/8 On-link
24 276 ff00::/8 On-link
45 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
Configuração do cliente:
client
dev tun
proto udp
remote 93.xxx.xxx.xxx 50005
resolv-retry infinite
user nobody
group nobody
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
auth-user-pass
cipher AES-128-CBC
auth SHA1
remote-cert-tls server
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
Configuração do servidor:
port 50005
proto udp
dev tun
server 172.16.101.0 255.255.255.0
duplicate-cn
client-to-client
cipher AES-128-CBC
auth SHA1
comp-lzo
username-as-common-name
client-cert-not-required
auth-user-pass-verify /etc/openvpn/script/login.sh via-env
comp-lzo
user nobody
;group nogroup
username-as-common-name
client-cert-not-required
auth-user-pass-verify /etc/openvpn/script/login.sh via-env
keepalive 3 10
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "route 172.16.101.0 255.0.0.0"
push "redirect-gateway def1 bypass-dhcp"
script-security 3 system
client-connect /etc/openvpn/script/connect.sh
client-disconnect /etc/openvpn/script/disconnect.sh
persist-key
persist-tun
status openvpn-status.log
verb 5
management localhost 7555
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
<dh>
...
</dh>
Qualquer aviso seria muito apreciado. Obrigado.
Defina a MTU do lado do cliente um pouco para baixo. Use ping com -l para definir o tamanho da carga útil e encontrar o tamanho certo para definir. link