
Why does OpenVPN work from iOS but not from a computer?

I set up an OpenVPN server on Ubuntu 18.04 following this guide: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04

The main difference from the guide is that it would not work over UDP, so I had to switch it to TCP (using port 1194). Our network is set up so that one server receives all the traffic for our 4 public IP addresses and then port-forwards the traffic to the appropriate server. At first I forwarded UDP port 1194, but it would not connect. I think something further upstream was blocking it.

So far it works great with:

It does not work from the computers I have tried at home (Mac over Wi-Fi, Windows and Linux over Ethernet). I also tried connecting my Mac to my iPhone's personal hotspot (Wi-Fi and USB), but it still did not work.

All of the computers that did not work had the following symptoms:

Below is my latest log from Tunnelblick on my Mac. The only thing I removed is the public IP address of our OpenVPN server.

2020-03-23 07:34:55.351272 *Tunnelblick: macOS 10.14.6 (18G3020); Tunnelblick 3.8.2 (build 5480); prior version 3.8.1 (build 5400)
2020-03-23 07:23:04.642958 *Tunnelblick: openvpnstart starting OpenVPN
2020-03-23 07:23:04.916999 OpenVPN 2.4.8 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Mar 22 2020
2020-03-23 07:23:04.917053 library versions: OpenSSL 1.1.1e  17 Mar 2020, LZO 2.10
2020-03-23 07:23:04.918394 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:50826
2020-03-23 07:23:04.918430 Need hold release from management interface, waiting...
2020-03-23 07:23:05.251198 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:50826
2020-03-23 07:23:05.267574 MANAGEMENT: CMD 'pid'
2020-03-23 07:23:05.267622 MANAGEMENT: CMD 'auth-retry interact'
2020-03-23 07:23:05.267644 MANAGEMENT: CMD 'state on'
2020-03-23 07:23:05.267678 MANAGEMENT: CMD 'state'
2020-03-23 07:23:05.267707 MANAGEMENT: CMD 'bytecount 1'
2020-03-23 07:23:05.272094 MANAGEMENT: CMD 'hold release'
2020-03-23 07:23:05.272204 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2020-03-23 07:23:05.272267 PLUGIN_INIT: POST /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.8-openssl-1.1.1e/openvpn-down-root.so '[/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.8-openssl-1.1.1e/openvpn-down-root.so] [/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh] [-9] [-d] [-f] [-m] [-w] [-ptADGNWradsgnw]' intercepted=PLUGIN_UP|PLUGIN_DOWN 
2020-03-23 07:23:05.276207 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2020-03-23 07:23:05.276229 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2020-03-23 07:23:05.279431 TCP/UDP: Preserving recently used remote address: [AF_INET]<PUBLICIP>:1194
2020-03-23 07:23:05.279491 Socket Buffers: R=[131072->131072] S=[131072->131072]
2020-03-23 07:23:05.279526 Attempting to establish TCP connection with [AF_INET]<PUBLICIP>:1194 [nonblock]
2020-03-23 07:23:05.279538 MANAGEMENT: >STATE:1584908585,TCP_CONNECT,,,,,,
2020-03-23 07:23:06.335829 TCP connection established with [AF_INET]<PUBLICIP>:1194
2020-03-23 07:23:06.335906 TCP_CLIENT link local: (not bound)
2020-03-23 07:23:06.335941 TCP_CLIENT link remote: [AF_INET]<PUBLICIP>:1194
2020-03-23 07:23:06.335964 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2020-03-23 07:23:06.336089 MANAGEMENT: >STATE:1584908586,WAIT,,,,,,
2020-03-23 07:23:06.358596 MANAGEMENT: >STATE:1584908586,AUTH,,,,,,
2020-03-23 07:23:06.358716 TLS: Initial packet from [AF_INET]<PUBLICIP>:1194, sid=0e863ba9 ff390d97
2020-03-23 07:23:07.054438 VERIFY OK: depth=1, CN=Easy-RSA CA
2020-03-23 07:23:07.054780 VERIFY KU OK
2020-03-23 07:23:07.054796 Validating certificate extended key usage
2020-03-23 07:23:07.054806 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2020-03-23 07:23:07.054814 VERIFY EKU OK
2020-03-23 07:23:07.054821 VERIFY OK: depth=0, CN=vpn1
2020-03-23 07:23:07.798702 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
2020-03-23 07:23:07.798811 [vpn1] Peer Connection Initiated with [AF_INET]<PUBLICIP>:1194
2020-03-23 07:23:08.995275 MANAGEMENT: >STATE:1584908588,GET_CONFIG,,,,,,
2020-03-23 07:23:08.997181 SENT CONTROL [vpn1]: 'PUSH_REQUEST' (status=1)
2020-03-23 07:23:11.410325 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway autolocal def1 bypass-dhcp,dhcp-option DNS 10.179.144.201,dhcp-option DNS 10.179.144.202,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
2020-03-23 07:23:11.410525 OPTIONS IMPORT: timers and/or timeouts modified
2020-03-23 07:23:11.410555 OPTIONS IMPORT: --ifconfig/up options modified
2020-03-23 07:23:11.410575 OPTIONS IMPORT: route options modified
2020-03-23 07:23:11.410595 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2020-03-23 07:23:11.410614 OPTIONS IMPORT: peer-id set
2020-03-23 07:23:11.410633 OPTIONS IMPORT: adjusting link_mtu to 1626
2020-03-23 07:23:11.410652 OPTIONS IMPORT: data channel crypto options modified
2020-03-23 07:23:11.410673 Data Channel: using negotiated cipher 'AES-256-GCM'
2020-03-23 07:23:11.410926 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-03-23 07:23:11.410949 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-03-23 07:23:11.411380 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2020-03-23 07:23:11.411576 Opened utun device utun1
2020-03-23 07:23:11.411611 MANAGEMENT: >STATE:1584908591,ASSIGN_IP,,10.8.0.6,,,,
2020-03-23 07:23:11.411651 /sbin/ifconfig utun1 delete
                           ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2020-03-23 07:23:11.415348 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2020-03-23 07:23:11.415397 /sbin/ifconfig utun1 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
2020-03-23 07:23:11.419458 PLUGIN_CALL: POST /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.8-openssl-1.1.1e/openvpn-down-root.so/PLUGIN_UP status=0
2020-03-23 07:23:11.419636 /sbin/route add -net <PUBLICIP> 192.168.254.254 255.255.255.255
                           add net <PUBLICIP>: gateway 192.168.254.254
2020-03-23 07:23:11.422008 /sbin/route add -net 0.0.0.0 10.8.0.5 128.0.0.0
                           add net 0.0.0.0: gateway 10.8.0.5
2020-03-23 07:23:11.424335 /sbin/route add -net 128.0.0.0 10.8.0.5 128.0.0.0
                           add net 128.0.0.0: gateway 10.8.0.5
2020-03-23 07:23:11.426268 MANAGEMENT: >STATE:1584908591,ADD_ROUTES,,,,,,
2020-03-23 07:23:11.426320 /sbin/route add -net 10.8.0.1 10.8.0.5 255.255.255.255
                           add net 10.8.0.1: gateway 10.8.0.5
                           07:23:11 *Tunnelblick:  **********************************************
                           07:23:11 *Tunnelblick:  Start of output from client.up.tunnelblick.sh
                           07:23:14 *Tunnelblick:  Disabled IPv6 for 'Wi-Fi'
                           07:23:14 *Tunnelblick:  Disabled IPv6 for 'Bluetooth PAN'
                           07:23:14 *Tunnelblick:  Disabled IPv6 for 'Thunderbolt Bridge'
                           07:23:14 *Tunnelblick:  Disabled IPv6 for 'Server VLAN'
                           07:23:14 *Tunnelblick:  Disabled IPv6 for 'Servers 20'
                           07:23:14 *Tunnelblick:  Disabled IPv6 for 'Attendance'
                           07:23:14 *Tunnelblick:  Disabled IPv6 for 'CASES'
                           07:23:14 *Tunnelblick:  Retrieved from OpenVPN: name server(s) [ 10.179.144.201 10.179.144.202 ], search domain(s) [ ] and SMB server(s) [ ] and using default domain name [ openvpn ]
                           07:23:14 *Tunnelblick:  Not aggregating ServerAddresses because running on macOS 10.6 or higher
                           07:23:14 *Tunnelblick:  Setting search domains to 'openvpn' because the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected
                           07:23:15 *Tunnelblick:  Saved the DNS and SMB configurations so they can be restored
                           07:23:15 *Tunnelblick:  Changed DNS ServerAddresses setting from '192.168.254.7' to '10.179.144.201 10.179.144.202'
                           07:23:15 *Tunnelblick:  Changed DNS SearchDomains setting from '' to 'openvpn'
                           07:23:15 *Tunnelblick:  Changed DNS DomainName setting from '' to 'openvpn'
                           07:23:15 *Tunnelblick:  Did not change SMB NetBIOSName setting of ''
                           07:23:15 *Tunnelblick:  Did not change SMB Workgroup setting of ''
                           07:23:15 *Tunnelblick:  Did not change SMB WINSAddresses setting of ''
                           07:23:15 *Tunnelblick:  DNS servers '10.179.144.201 10.179.144.202' will be used for DNS queries when the VPN is active
                           07:23:15 *Tunnelblick:  NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
                           07:23:15 *Tunnelblick:  Flushed the DNS cache via dscacheutil
                           07:23:15 *Tunnelblick:  /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                           07:23:15 *Tunnelblick:  Notified mDNSResponder that the DNS cache was flushed
                           07:23:15 *Tunnelblick:  Notified mDNSResponderHelper that the DNS cache was flushed
                           07:23:15 *Tunnelblick:  Setting up to monitor system configuration with process-network-changes
                           07:23:15 *Tunnelblick:  End of output from client.up.tunnelblick.sh
                           07:23:15 *Tunnelblick:  **********************************************
2020-03-23 07:23:15.877205 GID set to nogroup
2020-03-23 07:23:15.877250 UID set to nobody
2020-03-23 07:23:15.877259 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2020-03-23 07:23:15.877279 Initialization Sequence Completed
2020-03-23 07:23:15.877307 MANAGEMENT: >STATE:1584908595,CONNECTED,SUCCESS,10.8.0.6,<PUBLICIP>,1194,192.168.254.29,50195
2020-03-23 07:23:22.727626 *Tunnelblick: process-network-changes: A system configuration change was ignored