阿里云 VPN 配置问题求帮助

2014-12-16 08:47:23 +08:00
 ob
采用pptp,装完之后,根据网的资料各种配置方式都试过了,VPN连的上去,就是打开不了网页。
然后提交工单,授权各种密码给阿里云技术客服,也排查不出来,最后的结论是他们也解决不了,需要我自己再想办法
================阿里云回复:
您好,之前给你回复了,我们这边对PPTP这个软件的配置,了解确实有限。建议您在搜索参考一下其他的PPTP的案例配置进行排查配置。给您带来不便,请您谅解。请您及时修改您在工单中提供的密码信息。
=====================
说下我按网上配置的几个点
localip,remoteip设过
ms-dns换过谷歌,阿里云自己的
net.ipv4.ip_forward=1有启用
MTU值有设成1500
网卡有配置成1
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -jMASQUERADE
192.168.0.0这个IP也要跟localip对应更改,换了网上示例的好几种形式,还是不行,不是知道是不是这里出的问题,阿里云技术也没指出这个
防火墙关闭也是不行
xen的iptables 也要试过转发外网IP的,也是不行。
================
有谁用阿里云用pptp配置过VPN成功的吗?帮忙指出问题出在哪里,或者该怎么检查下,感谢感谢
12945 次点击
所在节点    云计算
62 条回复
mahone3297
2014-12-16 09:41:33 +08:00
https://github.com/mahone3297/hades/blob/master/doc/vpn.md
关键点,我都在上边列了。lz再看下。。。
我之前刚配好,试过,可以。
ps:你说额,能连上,但是不能打开网页,可能是ms-dns,也可能是nat。但我看你都配了,我也不清楚,你再仔细看看吧。。。
chinawrj
2014-12-16 09:49:43 +08:00
你备份一下,我上去给你瞧瞧。。。如果你信任我的话,将近6年Tomato/openWrt折腾经验
ob
2014-12-16 09:56:19 +08:00
@mahone3297
跟你的链接有个不一样的地方是:
vi /etc/ppp/pptpd-options
ms-dns 8.8.8.8
ms-dns 8.8.4.4

我ppp目录下面的文件是这个:options.pptpd
不知道是你的写错了,还是我的错了?

@chinawrj
信任到是信任,给个私密的地址,我不好直接公开发表在这里
ryd994
2014-12-16 09:59:06 +08:00
你ifconfig看看你有没有eth0
看看出口网卡是哪个
ob
2014-12-16 10:00:46 +08:00
@ryd994
有,ip我用*代替了下:
===========================
eth0 Link encap:Ethernet HWaddr 00:16:3E:00:44:48
inet addr:10.162.*.* Bcast:10.162.*.* Mask:255.255.240.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:20800395 errors:0 dropped:0 overruns:0 frame:0
TX packets:397111 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:950661604 (906.6 MiB) TX bytes:32056022 (30.5 MiB)
Interrupt:165

eth1 Link encap:Ethernet HWaddr 00:16:3E:00:44:49
inet addr:115.29.*.* Bcast:115.29.*.* Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:402275039 errors:0 dropped:0 overruns:0 frame:0
TX packets:1970978 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:18582675650 (17.3 GiB) TX bytes:2543504644 (2.3 GiB)
Interrupt:164

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1846650 errors:0 dropped:0 overruns:0 frame:0
TX packets:1846650 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:840342079 (801.4 MiB) TX bytes:840342079 (801.4 MiB)
drivel
2014-12-16 10:26:52 +08:00
觉得是 MTU 问题,试试看

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
ob
2014-12-16 10:48:34 +08:00
@drivel 加过,还是一样。。
======================
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Dec 16 10:28:53 2014
# Generated by iptables-save v1.4.7 on Tue Dec 16 10:28:53 2014
*nat
:PREROUTING ACCEPT [176:13030]
:POSTROUTING ACCEPT [41:3203]
:OUTPUT ACCEPT [41:3203]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
COMMIT
# Completed on Tue Dec 16 10:28:53 2014
ryd994
2014-12-16 10:53:06 +08:00
你贴一下配置文件吧
mahone3297
2014-12-16 10:54:13 +08:00
@ob 我确信我没写错。。。确实是 /etc/ppp/pptpd-options
我用的版本是 Ubuntu 14.04.1 LTS
64位
bellchu
2014-12-16 10:59:15 +08:00
把你iptables规则都贴出来看看
ob
2014-12-16 11:07:38 +08:00
@mahone3297 我的是centos 6.3 64位
@ryd994 我贴一键关键位置,就不贴整个了
=======================
/etc/ppp/options.pptpd===============
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
#ms-dns 10.0.0.1
#ms-dns 10.0.0.2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
====================
# cat /etc/ppp/chap-secrets=============
# Secrets for authentication using CHAP
# client server secret IP addresses
ob pptpd 123456 *
guest pptpd 123456 *
======================
# cat /etc/pptpd.conf==============
# (Recommended)
#localip 192.168.0.1
#remoteip 192.168.0.234-238,192.168.0.245
localip 192.168.0.1
remoteip 192.168.0.234-238
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
上面localip和remoteip改过好几种形式,现在是这种
============================
#cat /etc/sysctl.conf===========
# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1
===================================
# cat /etc/sysconfig/iptables==============下面是iptables完整的了,可能问题出在这里:帮忙看下:
# Generated by iptables-save v1.4.7 on Tue Dec 16 10:28:53 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5:1174]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1723 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 47 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30000:30100 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Dec 16 10:28:53 2014
# Generated by iptables-save v1.4.7 on Tue Dec 16 10:28:53 2014
*nat
:PREROUTING ACCEPT [176:13030]
:POSTROUTING ACCEPT [41:3203]
:OUTPUT ACCEPT [41:3203]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
COMMIT
# Completed on Tue Dec 16 10:28:53 2014
===============================
其他重启服务,设置生效的都弄过,就差重启服务器了。。实在找不出问题
bellchu
2014-12-16 11:07:39 +08:00
ifconfig

iptables -nL

iptables -nL -t nat

把输出弄出来看看
ob
2014-12-16 11:08:14 +08:00
@bellchu 贴上面了,帮忙看下
ob
2014-12-16 11:10:21 +08:00
@bellchu
ipconfig 上面贴过

# iptables -nL==============
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1723
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:47
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8080
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:30000:30100
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
=========================
# iptables -nL -t nat====================
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.0.0/24 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
bellchu
2014-12-16 11:13:53 +08:00
@ob

貌似http和https的tcp回包都被你drop掉了

iptables -A INPUT -p tcp -m multiport --sports 80,443,8080 -j ACCEPT
bellchu
2014-12-16 11:19:05 +08:00
@ob

FORWARD 也都是reject 放行80,8080,443的端口就OK了
ob
2014-12-16 11:32:12 +08:00
@bellchu
放行80,8080,443的端口,加iptables -A INPUT -p tcp -m multiport --sports 80,443,8080 -j ACCEPT
这一句就够了吧,已经save重启,还是没用。
你提醒我了,会不会是我上面那上80端口转8080引起的。
我把跟8080相关的端口规则全部注释掉了,重启还是一样。
==========
注释代码:
#-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
...
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30000:30100 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m multiport --sports 80,443,8080 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
bellchu
2014-12-16 11:56:10 +08:00
@ob 你先把forward的规则注释掉
ob
2014-12-16 12:36:32 +08:00
@bellchu 注释了,重启了,还是没效果,纠结啊
bellchu
2014-12-16 12:42:52 +08:00
@ob 这样吧。你记录一下drop和reject的log。看看在哪儿流量被kill了 就清楚了

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/154220

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX