1
Vicer 2016-03-12 17:38:30 +08:00 via iPhone 1
Change your DNS: set the primary DNS to opendns and it will work...
|
2
webdev 2016-03-13 17:15:38 +08:00 via iPhone 1
It's a DNS problem, switch to a different one.
|
3
tyhunter OP @Vicer
@webdev Changed it to OPENDNS, still doesn't work.

# Network settings
#
# The name to use for the tun device
device = vpns

# Whether the generated IPs will be predictable, i.e., IP stays the
# same for the same user when possible.
predictable-ips = true

# The default domain to be advertised
default-domain = 163.44.150.201

# The pool of addresses that leases will be given from. If the leases
# are given via Radius, or via the explicit-ip? per-user config option then
# these network values should contain a network with at least a single
# address that will remain under the full control of ocserv (that is
# to be able to assign the local part of the tun device address).
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0

# An alternative way of specifying the network:
#ipv4-network = 192.168.1.0/24

# The IPv6 subnet that leases will be given from.
#ipv6-network = fda9:4efe:7e3b:03ea::/64

# Specify the size of the network to provide to clients. It is
# generally recommended to provide clients with a /64 network in
# IPv6, but any subnet may be specified. To provide clients only
# with a single IP use the prefix 128.
#ipv6-subnet-prefix = 128
#ipv6-subnet-prefix = 64

# Whether to tunnel all DNS queries via the VPN. This is the default
# when a default route is set.
tunnel-all-dns = true

# The advertized DNS server. Use multiple lines for
# multiple servers.
# dns = fc00::4be0
dns = 208.67.222.222

# The NBNS server (if any)
#nbns = 192.168.1.3

# The domains over which the provided DNS should be used. Use
# multiple lines for multiple domains.
#split-dns = example.com

# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
# Only set to true, if there can be occupied addresses in the
# IP range for leases.
ping-leases = false

# Use this option to enforce an MTU value to the incoming
# connections. Unset to use the default MTU of the TUN device.
#mtu = 1420

# Unset to enable bandwidth restrictions (in bytes/sec). The
# setting here is global, but can also be set per user or per group.
#rx-data-per-sec = 40000
#tx-data-per-sec = 40000

# The number of packets (of MTU size) that are available in
# the output buffer. The default is low to improve latency.
# Setting it higher will improve throughput.
#output-buffer = 23000

# Routes to be forwarded to the client. If you need the
# client to forward routes to the server, you may use the
# config-per-user/group or even connect and disconnect scripts.
#
# To set the server as the default gateway for the client just
# comment out all routes from the server, or use the special keyword
# 'default'.
#route = 10.10.10.0/255.255.255.0
#route = 192.168.1.0/255.255.0.0
#route = fef4:db8:1000:1001::/64
#route = default

# Subsets of the routes above that will not be routed by
# the server.
#no-route = 192.168.5.0/255.255.255.0

# Note the that following two firewalling options currently are available
# in Linux systems with iptables software.

# If set, the script /usr/bin/ocserv-fw will be called to restrict
# the user to its allowed routes and prevent him from accessing
# any other routes. In case of defaultroute, the no-routes are restricted.
# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw
# --removeall. This option can be set globally or in the per-user configuration.
#restrict-user-to-routes = true

# This option implies restrict-user-to-routes set to true. If set, the
# script /usr/bin/ocserv-fw will be called to restrict the user to
# access specific ports in the network. This option can be set globally
# or in the per-user configuration.
#restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"

# You could also use negation, i.e., block the user from accessing these ports only.
#restrict-user-to-ports = "!(tcp(443), tcp(80))"

# When set to true, all client's iroutes are made visible to all
# connecting clients except for the ones offering them. This option
# only makes sense if config-per-user is set.
#expose-iroutes = true

# Groups that a client is allowed to select from.
# A client may belong in multiple groups, and in certain use-cases
# it is needed to switch between them. For these cases the client can
# select prior to authentication. Add multiple entries for multiple groups.
# The group may be followed by a user-friendly name in brackets.
#select-group = group1
#select-group = group2[My special group]

# The name of the (virtual) group that if selected it would assign the user
# to its default group.
#default-select-group = DEFAULT

# Instead of specifying manually all the allowed groups, you may instruct
# ocserv to scan all available groups and include the full list.
#auto-select-group = true

# Configuration files that will be applied per user connection or
# per group. Each file name on these directories must match the username
# or the groupname.
# The options allowed in the configuration files are dns, nbns,
# ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, no-route,
# explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp,
# keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
# restrict-user-to-routes, user-profile, cgroup, stats-report-time,
# mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports,
# and session-timeout.
#
# Note that the 'iroute' option allows to add routes on the server
# based on a user or group. The syntax depends on the input accepted
# by the commands route-add-cmd and route-del-cmd (see below). The no-udp
# is a boolean option (e.g., no-udp = true), and will prevent a UDP session
# for that specific user or group. Note also, that, any DNS or NBNS servers
# present will overwrite the global ones, while any routes or no-routes set
# will be appended to the default set.
#config-per-user = /etc/ocserv/config-per-user/
#config-per-group = /etc/ocserv/config-per-group/

# When config-per-xxx is specified and there is no group or user that
# matches, then utilize the following configuration.
#default-user-config = /etc/ocserv/defaults/user.conf
#default-group-config = /etc/ocserv/defaults/group.conf

# The system command to use to setup a route. %{R} will be replaced with the
# route/mask and %{D} with the (tun) device.
#
# The following example is from linux systems. %R should be something
# like 192.168.2.0/24 (the argument of iroute).
route-add-cmd = "ip route add 192.168.1.0 dev tun0"
route-del-cmd = "ip route delete 192.168.1.0 dev tun0"

# This option allows to forward a proxy. The special keywords '%{U}'
# and '%{G}', if present will be replaced by the username and group name.
#proxy-url = http://example.com/
#proxy-url = http://example.com/%{U}/

# This option allows you to specify a URL location where a client can
# post using MS-KKDCP, and the message will be forwarded to the provided
# KDC server. That is a translation URL between HTTP and Kerberos.
# In MIT kerberos you'll need to add in realms:
# EXAMPLE.COM = {
#     kdc = https://ocserv.example.com/kerberos
#     http_anchors = FILE:/etc/ocserv-ca.pem
# }
# This option is available if ocserv is compiled with GSSAPI support.
#kkdcp = SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT
#kkdcp = /kerberos EXAMPLE.COM [email protected]:88
#kkdcp = /kerberos-tcp EXAMPLE.COM [email protected]:88
#
# The following options are for (experimental) AnyConnect client
# compatibility.

# This option must be set to true to support legacy CISCO clients.
# A side effect of this option is that it will no longer be required
# for clients to present their certificate on every connection.
# That is they may resume a cookie without presenting a certificate
# (when certificate authentication is used).
cisco-client-compat = true

# Client profile xml. A sample file exists in doc/profile.xml.
# It is required by some of the CISCO clients.
# This file must be accessible from inside the worker's chroot.
#user-profile = /etc/ocserv/profile.xml

# Binary files that may be downloaded by the CISCO client. Must
# be within any chroot environment. Normally you don't need
# to use this option.
#binary-files = /path/to/binaries

#Advanced options

# Option to allow sending arbitrary custom headers to the client after
# authentication and prior to VPN tunnel establishment. You shouldn't
# need to use this option normally; if you do and you think that
# this may help others, please send your settings and reason to
# the openconnect mailing list. The special keywords '%{U}'
# and '%{G}', if present will be replaced by the username and group name.
#custom-header = "X-My-Header: hi there"
|
4
Vicer 2016-03-13 18:03:18 +08:00 1
Try my config; replace the two $serverip with your own IP.

# The default domain to be advertised
default-domain = $serverip
#auth = "plain[passwd=/etc/ocserv/ocpasswd]"
auth = "certificate"
# TCP and UDP port number
tcp-port = 8888
udp-port = 8888
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
ca-cert = /etc/ocserv/ca-cert.pem
run-as-user = nobody
run-as-group = daemon
cert-user-oid = 2.5.4.3
socket-file = /var/run/ocserv-socket
isolate-workers = false
max-clients = 512
max-same-clients = 256
keepalive = 32400
dpd = 120
mobile-dpd = 1200
try-mtu-discovery = true
compression = true
#no-compress-limit = 256
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 40
idle-timeout = 1200
mobile-idle-timeout = 2400
cookie-timeout = 3600
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = true
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpnssl
predictable-ips = true
ipv4-network = 192.168.8.0
ipv4-netmask = 255.255.255.0
dns = 208.67.220.222
dns = 119.29.29.29
ping-leases = false
cisco-client-compat = true
# no-route list
no-route = $serverip/255.255.255.255
no-route = 192.168.0.0/255.255.0.0
|
5
lhbc 2016-03-23 13:40:20 +08:00 1
Is 192.168.1.0/24 conflicting with your LAN?
You added this line: route-add-cmd = "ip route add 192.168.1.0 dev tun0". If your LAN is also 192.168.1.0/24, the route becomes a dead loop.
|
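To make the overlap question above checkable, here is an added Python helper (not from this thread and not part of ocserv) that parses the ocserv option lines quoted in this thread and reports which entries would pull a given client LAN into the tunnel. It assumes IPv4 only, a constructed config fragment, and a /24 fallback when ipv4-netmask is missing.

```python
import ipaddress
import re

# Constructed ocserv fragment mirroring the options quoted in this thread
# (sample data, not the poster's live configuration).
SAMPLE_CONF = """
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
#route = 10.10.10.0/255.255.255.0
no-route = 192.168.0.0/255.255.0.0
route-add-cmd = "ip route add 192.168.1.0 dev tun0"
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}(?:/\S+)?")


def parse_ocserv(text):
    """Option name -> list of values; comments and blank lines are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, val = line.partition("=")
        opts.setdefault(key.strip(), []).append(val.strip().strip('"'))
    return opts


def vpn_conflicts(lan_cidr, opts):
    """Entries that would pull the client's own LAN into the tunnel: the
    lease pool, any pushed route, and addresses hard-coded in route-add-cmd."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    hits = []
    mask = opts.get("ipv4-netmask", ["255.255.255.0"])[0]  # assumed fallback
    pool = ipaddress.ip_network(f"{opts['ipv4-network'][0]}/{mask}", strict=False)
    if pool.overlaps(lan):
        hits.append(("ipv4-network", str(pool)))
    for val in opts.get("route", []):
        if val != "default" and ipaddress.ip_network(val, strict=False).overlaps(lan):
            hits.append(("route", val))
    for cmd in opts.get("route-add-cmd", []):
        for addr in IPV4.findall(cmd):  # a bare address here is a /32 host route
            if ipaddress.ip_network(addr, strict=False).overlaps(lan):
                hits.append(("route-add-cmd", addr))
    return hits


def lan_excluded(lan_cidr, opts):
    """True when some no-route line already keeps the LAN out of the tunnel."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    return any(lan.subnet_of(ipaddress.ip_network(v, strict=False))
               for v in opts.get("no-route", []))
```

Run vpn_conflicts with the client's real LAN (the traceroute later in the thread shows a 192.168.5.1 gateway, i.e. 192.168.5.0/24) to see whether the pool or the hard-coded route is the one colliding.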
6
tyhunter OP @lhbc I tried deleting that line, and also changing 192.168.1.0 to 192.168.2.0; still only *.google.com opens, nothing else does.
|
7
tyhunter OP @Vicer After applying your config and changing it to my server address, starting the service prints:
[....] Restarting ocserv: ocservBad argument `/255.255.255.0'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `/255.255.255.0'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `/255.255.255.0'
Try `iptables -h' or 'iptables --help' for more information.
Setting 'certificate' as primary authentication method
Unknown user: nobody
failed!
|
8
lhbc 2016-03-23 14:27:34 +08:00
@tyhunter ipv4-network = 192.168.1.0
This needs to be changed as well. If you really can ping google.com, you will only find the cause by running a route trace from a terminal. I recommend a very handy network diagnostic tool for the phone, HE.NET Network Tools. And please paste your firewall configuration too.
|
9
tyhunter OP @lhbc I can ping any website, but in the browser only google opens, and QQ can't log in either. TraceRoute on this machine gives:
traceroute to www.qq.com (182.254.18.159[广东省深圳市 深圳腾讯计算机系统有限公司 BGP 节点]), 64 hops max, 52 byte packets
 1  192.168.5.1[局域网 对方和您在同一内部网] (192.168.5.1[局域网 对方和您在同一内部网])  141.705 ms  139.087 ms  142.274 ms
 2  v163-44-150-2.a00b.g.sin1.static.cnode.io (163.44.150.2[新加坡 GMO 互联网数据中心])  139.782 ms  150.003 ms  146.593 ms
 3  b-061001-1-be-3.interq.or.jp (103.234.168.37[新加坡 GMO 互联网公司国际互联节点])  148.244 ms  136.318 ms  136.504 ms
 4  b-061001-2-po-1.interq.or.jp (103.234.168.58[新加坡 GMO 互联网公司国际互联节点])  133.067 ms  129.743 ms  129.881 ms
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  202.97.33.101[上海市 电信骨干网] (202.97.33.101[上海市 电信骨干网])  209.424 ms * *
10  202.97.33.33[上海市 电信骨干网] (202.97.33.33[上海市 电信骨干网])  233.036 ms *
    202.97.35.157[中国 电信骨干网] (202.97.35.157[中国 电信骨干网])  239.826 ms
11  202.97.34.210[中国 电信骨干网] (202.97.34.210[中国 电信骨干网])  278.189 ms  283.512 ms  294.887 ms
12  219.150.52.138[天津市 电信] (219.150.52.138[天津市 电信])  291.658 ms
    219.150.52.122[天津市 电信] (219.150.52.122[天津市 电信])  285.605 ms  281.141 ms
13  219.150.51.150[天津市 电信] (219.150.51.150[天津市 电信])  282.806 ms * 306.816 ms
14  180.213.12.22[天津市 电信] (180.213.12.22[天津市 电信])  262.793 ms  292.657 ms  307.876 ms
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
|
11
liuzhiqing618 2020-10-10 15:51:42 +08:00
Bro~ I ran into the same problem: I can ping every domain, the browser only opens google, domestic sites won't open at all, yet they all ping fine!!
Help me!!!!
|