1. The client connects to the internet:
Code:
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 100 0 0 enp0s25
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 enp0s25
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 enp0s25
Code:
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.8.0.25 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.1.1 0.0.0.0 UG 100 0 0 enp0s25
10.8.0.1 10.8.0.25 255.255.255.255 UGH 0 0 0 tun0
10.8.0.25 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
128.0.0.0 10.8.0.25 128.0.0.0 UG 0 0 0 tun0
123.123.123.123 192.168.1.1 255.255.255.255 UGH 0 0 0 enp0s25
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 enp0s25
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 enp0s25
Code:
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.8.0.25 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.1.1 0.0.0.0 UG 100 0 0 enp0s25
10.8.0.1 10.8.0.25 255.255.255.255 UGH 0 0 0 tun0
10.8.0.25 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
128.0.0.0 10.8.0.25 128.0.0.0 UG 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 enp0s25
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 enp0s25
Code:
123.123.123.123 192.168.1.1 255.255.255.255 UGH 0 0 0 enp0s25
Server configuration:
port 443
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh none
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-crypt /etc/openvpn/server/ta.key
auth SHA256
cipher AES-256-GCM
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
Client configuration:
client
dev tun
proto udp
remote 123.123.123.123 443
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
key-direction 1
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
verb 4
<ca>
…
</ca>
<cert>
…
</cert>
<key>
…
</key>
<tls-crypt>
…
</tls-crypt>
Code:
Wed Sep 8 15:59:39 2021 us=751334 Recursive routing detected, drop tun packet to [AF_INET]123.123.123.123:443
Server log (as one would expect, it no longer changes after the client's internet connection drops):
Code:
сен 08 13:17:53 vpn-srv openvpn[2827143]: 1.2.3.4:46836 TLS: Initial packet from [AF_INET]1.2.3.4:46836, sid=e431b65e eb6208fa
сен 08 13:17:53 vpn-srv openvpn[2827143]: 1.2.3.4:46836 VERIFY OK: depth=1, CN=Easy-RSA CA
сен 08 13:17:53 vpn-srv openvpn[2827143]: 1.2.3.4:46836 VERIFY OK: depth=0, CN=test
сен 08 13:17:53 vpn-srv openvpn[2827143]: 1.2.3.4:46836 peer info: IV_VER=2.4.7
сен 08 13:17:53 vpn-srv openvpn[2827143]: 1.2.3.4:46836 peer info: IV_PLAT=linux
сен 08 13:17:53 vpn-srv openvpn[2827143]: 1.2.3.4:46836 peer info: IV_PROTO=2
сен 08 13:17:53 vpn-srv openvpn[2827143]: 1.2.3.4:46836 peer info: IV_NCP=2
сен 08 13:17:53 vpn-srv openvpn[2827143]: 1.2.3.4:46836 peer info: IV_LZ4=1
сен 08 13:17:53 vpn-srv openvpn[2827143]: 1.2.3.4:46836 peer info: IV_LZ4v2=1
сен 08 13:17:53 vpn-srv openvpn[2827143]: 1.2.3.4:46836 peer info: IV_LZO=1
сен 08 13:17:53 vpn-srv openvpn[2827143]: 1.2.3.4:46836 peer info: IV_COMP_STUB=1
сен 08 13:17:53 vpn-srv openvpn[2827143]: 1.2.3.4:46836 peer info: IV_COMP_STUBv2=1
сен 08 13:17:53 vpn-srv openvpn[2827143]: 1.2.3.4:46836 peer info: IV_TCPNL=1
сен 08 13:17:53 vpn-srv openvpn[2827143]: 1.2.3.4:46836 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
сен 08 13:17:53 vpn-srv openvpn[2827143]: 1.2.3.4:46836 [test] Peer Connection Initiated with [AF_INET]1.2.3.4:46836
сен 08 13:17:53 vpn-srv openvpn[2827143]: MULTI: new connection by 1.2.3.4 'test' will cause previous active sessions by this 1.2.3.4 to be dropped. Remember to use the --duplicate-cn option if you want multiple 1.2.3.4s using the same certificate or username to concurrently connect.
сен 08 13:17:53 vpn-srv openvpn[2827143]: MULTI_sva: pool returned IPv4=10.8.0.26, IPv6=(Not enabled)
сен 08 13:17:53 vpn-srv openvpn[2827143]: MULTI: Learn: 10.8.0.26 -> test/1.2.3.4:46836
сен 08 13:17:53 vpn-srv openvpn[2827143]: MULTI: primary virtual IP for test/1.2.3.4:46836: 10.8.0.26
сен 08 13:17:54 vpn-srv openvpn[2827143]: test/1.2.3.4:46836 PUSH: Received control message: 'PUSH_REQUEST'
сен 08 13:17:54 vpn-srv openvpn[2827143]: test/1.2.3.4:46836 SENT CONTROL [test]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.26 10.8.0.25,peer-id 0,cipher AES-256-GCM' (status=1)
сен 08 13:17:54 vpn-srv openvpn[2827143]: test/1.2.3.4:46836 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
сен 08 13:17:54 vpn-srv openvpn[2827143]: test/1.2.3.4:46836 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
I found only one similar situation, but even there the person was told that the problem could not be reproduced, that is, it was somewhere on his side.
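An added illustration (not from the post or from OpenVPN itself): a minimal longest-prefix-match lookup over the routing table quoted above. It shows why the /32 host route to 123.123.123.123 via 192.168.1.1 is what keeps the tunnel's own UDP packets on enp0s25, and that once that route is gone, the 0.0.0.0/1 route pushed by `redirect-gateway def1` sends them into tun0, which is exactly the condition OpenVPN reports as "Recursive routing detected". The table entries are constructed from the `route -n` output in the post.

```python
import ipaddress

# Routing table constructed from the post's `route -n` output while the VPN is up:
# (destination, genmask, gateway, iface, metric)
ROUTES_VPN_UP = [
    ("0.0.0.0", "128.0.0.0", "10.8.0.25", "tun0", 0),            # def1 half 1
    ("0.0.0.0", "0.0.0.0", "192.168.1.1", "enp0s25", 100),        # original default
    ("10.8.0.1", "255.255.255.255", "10.8.0.25", "tun0", 0),
    ("10.8.0.25", "255.255.255.255", "0.0.0.0", "tun0", 0),
    ("128.0.0.0", "128.0.0.0", "10.8.0.25", "tun0", 0),           # def1 half 2
    ("123.123.123.123", "255.255.255.255", "192.168.1.1", "enp0s25", 0),  # VPN server
    ("169.254.0.0", "255.255.0.0", "0.0.0.0", "enp0s25", 1000),
    ("192.168.1.0", "255.255.255.0", "0.0.0.0", "enp0s25", 100),
]

# Same table after the /32 host route to the VPN server has disappeared,
# as in the third `route -n` listing in the post.
ROUTES_HOST_ROUTE_LOST = [r for r in ROUTES_VPN_UP if r[0] != "123.123.123.123"]


def lookup(routes, dst):
    """Longest-prefix match (lowest metric on ties), as the kernel FIB does.

    Returns (gateway, iface) or None if nothing matches.
    """
    addr = ipaddress.IPv4Address(dst)
    best = None
    for dest, mask, gw, iface, metric in routes:
        net = ipaddress.IPv4Network((dest, mask))
        if addr in net:
            key = (net.prefixlen, -metric)     # longer prefix wins, then lower metric
            if best is None or key > best[0]:
                best = (key, gw, iface)
    return None if best is None else (best[1], best[2])


def tunnel_endpoint_is_reachable(routes, vpn_server, tun_iface="tun0"):
    """True if packets to the VPN endpoint leave via a physical link.

    If the best route points into the tunnel interface, the encrypted packets
    would be routed back into OpenVPN: the 'Recursive routing' case.
    """
    hop = lookup(routes, vpn_server)
    return hop is not None and hop[1] != tun_iface


if __name__ == "__main__":
    for name, table in (("VPN up", ROUTES_VPN_UP), ("host route lost", ROUTES_HOST_ROUTE_LOST)):
        print(name, lookup(table, "123.123.123.123"),
              "ok" if tunnel_endpoint_is_reachable(table, "123.123.123.123") else "RECURSIVE")
```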