clowwindy / ShadowVPN

Removed according to regulations.

ICMP gets through, but TCP/UDP packets do not. #137

Open ahappyforest opened 9 years ago

ahappyforest commented 9 years ago

Both the client and the server are set up.

The configuration is the default one, following the wiki.

After that, on the client:

ping www.google.com works (DNS has been changed to 8.8.8.8).

traceroute shows that traffic goes out via tun0.

But trying to access Google directly with wget www.google.com fails; capturing with Wireshark on the client shows TCP retransmissions.

So I captured with tcpdump on the VPS.

On the VPS's eth0 (the public-facing interface) the www.google.com server does return data, but on the VPS's tun0 only the outgoing packets are visible; the returning packets never show up.

So ICMP packets come back fine while TCP packets do not, and I don't know why data returning on the VPS's eth0 never reaches tun0.

I have already checked that ip_forward is 1 and that NAT on eth0 is enabled.

Very strange.

clowwindy commented 9 years ago

The NAT on the server side may not be set up correctly.

ahappyforest commented 9 years ago

I just edited the problem description above. Thanks for the reply; NAT should be OK: ip_forward under /proc is 1, and eth0 has NAT configured as masquerade.

clowwindy commented 9 years ago

If the packets never enter tun0, there is nothing ShadowVPN can do; you can only check the Linux configuration.

puxxustc commented 9 years ago

Check whether the MTU setting is wrong. Test curl -v -I http://github.com and curl -v https://github.com separately; if the former works and the latter gets no response, you can conclude that the MTU setting is wrong.

ahappyforest commented 9 years ago

Neither responds, -;(

I suspected an MTU problem yesterday; changing it had no effect.

$ curl -v -I http://github.com
* Rebuilt URL to: http://github.com/
* Hostname was NOT found in DNS cache
*   Trying 192.30.252.130...
* connect to 192.30.252.130 port 80 failed: Connection timed out
* Failed to connect to github.com port 80: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to github.com port 80: Connection timed out
$ curl -v http://github.com
* Rebuilt URL to: http://github.com/
* Hostname was NOT found in DNS cache
*   Trying 192.30.252.130...
* connect to 192.30.252.130 port 80 failed: Connection timed out
* Failed to connect to github.com port 80: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to github.com port 80: Connection timed out
$ ping github.com
PING github.com (192.30.252.128) 56(84) bytes of data.
64 bytes from github.com (192.30.252.128): icmp_seq=2 ttl=52 time=366 ms
64 bytes from github.com (192.30.252.128): icmp_seq=3 ttl=52 time=358 ms
64 bytes from github.com (192.30.252.128): icmp_seq=5 ttl=52 time=351 ms
64 bytes from github.com (192.30.252.128): icmp_seq=6 ttl=52 time=345 ms
64 bytes from github.com (192.30.252.128): icmp_seq=7 ttl=52 time=346 ms
^C
--- github.com ping statistics ---
8 packets transmitted, 5 received, 37% packet loss, time 11564ms
rtt min/avg/max/mdev = 345.055/353.454/366.016/7.777 ms
$ ping www.google.com
PING www.google.com (216.58.220.228) 56(84) bytes of data.
64 bytes from nrt13s37-in-f228.1e100.net (216.58.220.228): icmp_seq=1 ttl=57 time=469 ms
64 bytes from nrt13s37-in-f228.1e100.net (216.58.220.228): icmp_seq=3 ttl=57 time=86.0 ms
64 bytes from nrt13s37-in-f228.1e100.net (216.58.220.228): icmp_seq=4 ttl=57 time=85.0 ms
64 bytes from nrt13s37-in-f228.1e100.net (216.58.220.228): icmp_seq=5 ttl=57 time=87.4 ms
64 bytes from nrt13s37-in-f228.1e100.net (216.58.220.228): icmp_seq=6 ttl=57 time=176 ms
^C
--- www.google.com ping statistics ---
6 packets transmitted, 5 received, 16% packet loss, time 5009ms
rtt min/avg/max/mdev = 85.072/180.915/469.249/148.375 ms
$ traceroute github.com
traceroute to github.com (192.30.252.128), 30 hops max, 60 byte packets
 1  10.7.0.1 (10.7.0.1)  218.269 ms *  218.235 ms
 2  * * (my VPS ip).vultr.com (xxxxxxx)  224.315 ms (redacted)
 3  * * *
 4  xe-0-3-0-9.r02.tokyjp03.jp.bb.gin.ntt.net (117.103.177.33)  231.486 ms  499.690 ms  499.744 ms
 5  ae-22.r24.tokyjp05.jp.bb.gin.ntt.net (129.250.3.56)  499.757 ms * ae-20.r25.tokyjp05.jp.bb.gin.ntt.net (129.250.3.90)  500.152 ms
 6  * ae-2.r20.tokyjp05.jp.bb.gin.ntt.net (129.250.6.214)  281.747 ms ae-1.r20.tokyjp05.jp.bb.gin.ntt.net (129.250.6.210)  281.623 ms
 7  ae-2.r20.sttlwa01.us.bb.gin.ntt.net (129.250.3.12)  332.356 ms  747.123 ms  478.733 ms
 8  * ae-0.r21.sttlwa01.us.bb.gin.ntt.net (129.250.2.54)  480.415 ms  480.190 ms
 9  ae-12.r23.asbnva02.us.bb.gin.ntt.net (129.250.3.50)  480.152 ms  480.095 ms *
10  ae-46.r05.asbnva02.us.bb.gin.ntt.net (129.250.5.191)  403.819 ms ae-45.r06.asbnva02.us.bb.gin.ntt.net (129.250.6.11)  403.963 ms ae-46.r05.asbnva02.us.bb.gin.ntt.net (129.250.5.191)  402.197 ms
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
$ traceroute google.com
traceroute to google.com (216.58.220.238), 30 hops max, 60 byte packets
 1  10.7.0.1 (10.7.0.1)  85.837 ms  85.969 ms  85.970 ms
 2  xxx.vultr.com (xxx)  85.968 ms  85.959 ms *
 3  * * *
 4  xe-0-3-0-9.r02.tokyjp03.jp.bb.gin.ntt.net (117.103.177.33)  86.604 ms  88.197 ms  90.197 ms
 5  117.103.177.18 (117.103.177.18)  88.179 ms *  88.450 ms
 6  209.85.143.107 (209.85.143.107)  89.944 ms  86.638 ms  85.898 ms
 7  * 209.85.143.37 (209.85.143.37)  86.200 ms *
 8  nrt13s37-in-f14.1e100.net (216.58.220.238)  86.169 ms  84.605 ms  84.984 ms

Configuration on the VPS:

# cat /proc/sys/net/ipv4/ip_forward 
1
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere             /* eth0 (shadowvpn) */
# # iptables -L -v
Chain INPUT (policy ACCEPT 38 packets, 2816 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  eth0   tun0    anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  tun0   eth0    anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 21 packets, 9174 bytes)
 pkts bytes target     prot opt in     out     source               destination         

The ShadowVPN version is the latest release, 0.1.6.

To keep conditions consistent, all tests used version 0.1.6, and iptables was flushed before testing.

Very puzzling.

sdysj commented 9 years ago

Is it DigitalOcean? I have the same problem: it used to work, but a newly created Droplet doesn't.

ahappyforest commented 9 years ago

Vultr

jryaonj commented 8 years ago

I have the same problem. Maybe the firewall drops all forwarded packets.

I am using ufw on Ubuntu 16.04 to manage my firewall settings. As mentioned in the Vultr OpenVPN tutorial, change the default forwarding policy 'DEFAULT_FORWARD_POLICY' to 'ACCEPT' in /etc/default/ufw, reload the ufw settings, and then all connections from the ShadowVPN client seem to be OK.

Or use the equivalent iptables commands to enable packet forwarding directly.
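An added diagnostic script (not ShadowVPN's own code, and not posted by any participant in this thread) that checks the server-side conditions the thread circles around: ip_forward, a MASQUERADE rule in the nat POSTROUTING chain, the FORWARD chain policy and its ACCEPT-rule counters, and the ufw DEFAULT_FORWARD_POLICY that the last comment points at. Every check takes its input as text, so the functions can be run against captured output from another host; the sample outputs embedded below are constructed to mirror the shapes pasted earlier in this issue and are not real captures.

```shell
#!/bin/sh
# Added diagnostic helper: not ShadowVPN project code. Each check takes the
# relevant command output as text ($1) so it can run offline against captures
# from the VPS. The SAMPLE_* values are constructed for demonstration.

# Succeeds if `cat /proc/sys/net/ipv4/ip_forward` output is exactly "1".
check_ip_forward() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Succeeds if `iptables -t nat -L POSTROUTING` output has a MASQUERADE rule.
check_masquerade() {
    printf '%s\n' "$1" | grep -q '^MASQUERADE'
}

# Prints the FORWARD chain policy (ACCEPT/DROP) from `iptables -L -v` output.
forward_policy() {
    printf '%s\n' "$1" | sed -n 's/^Chain FORWARD (policy \([A-Z]*\).*/\1/p'
}

# Prints DEFAULT_FORWARD_POLICY from /etc/default/ufw content (last one wins).
ufw_forward_policy() {
    printf '%s\n' "$1" \
        | sed -n 's/^DEFAULT_FORWARD_POLICY="\{0,1\}\([A-Za-z]*\)"\{0,1\}.*/\1/p' \
        | tail -n 1
}

# Sums the packet counters of ACCEPT rules inside the FORWARD chain. A total of
# 0 (as in the output pasted in this issue) means nothing ever reached the
# forwarding path, which points at filtering before FORWARD, not at the VPN.
forward_accept_pkts() {
    printf '%s\n' "$1" | awk '
        /^Chain FORWARD/ { inchain = 1; next }
        /^Chain/         { inchain = 0 }
        inchain && $3 == "ACCEPT" { sum += $1 }
        END { print sum + 0 }'
}

# Runs every check, prints one verdict line each, returns the failure count.
# $1 ip_forward text, $2 nat POSTROUTING listing, $3 filter listing, $4 ufw config.
diagnose() {
    fails=0
    if check_ip_forward "$1"; then echo "ok   ip_forward=1"
    else echo "FAIL ip_forward is not 1"; fails=$((fails + 1)); fi
    if check_masquerade "$2"; then echo "ok   MASQUERADE rule present"
    else echo "FAIL no MASQUERADE rule in nat POSTROUTING"; fails=$((fails + 1)); fi
    if [ "$(forward_policy "$3")" = "ACCEPT" ]; then echo "ok   FORWARD policy ACCEPT"
    else echo "FAIL FORWARD policy is $(forward_policy "$3")"; fails=$((fails + 1)); fi
    if [ "$(ufw_forward_policy "$4")" = "ACCEPT" ]; then echo "ok   ufw DEFAULT_FORWARD_POLICY ACCEPT"
    else echo "FAIL ufw DEFAULT_FORWARD_POLICY is $(ufw_forward_policy "$4") (set ACCEPT in /etc/default/ufw, then ufw reload)"; fails=$((fails + 1)); fi
    echo "info FORWARD ACCEPT counters total $(forward_accept_pkts "$3") packets"
    return "$fails"
}

# Constructed samples, shaped like the listings pasted in this issue.
SAMPLE_NAT_OK='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere             /* eth0 (shadowvpn) */'

SAMPLE_FILTER_OK='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12  1024 ACCEPT     all  --  eth0   tun0    anywhere             anywhere             state RELATED,ESTABLISHED
    8   512 ACCEPT     all  --  tun0   eth0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 21 packets, 9174 bytes)
 pkts bytes target     prot opt in     out     source               destination'

SAMPLE_FILTER_DROP='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

SAMPLE_UFW_DROP='# constructed /etc/default/ufw excerpt
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_FORWARD_POLICY="DROP"'

SAMPLE_UFW_OK='DEFAULT_FORWARD_POLICY="ACCEPT"'

# Demo: a host whose ufw default forward policy is still DROP.
diagnose "1" "$SAMPLE_NAT_OK" "$SAMPLE_FILTER_DROP" "$SAMPLE_UFW_DROP" \
    || echo "$? check(s) failed"
```

On a real VPS, feed the functions with "$(cat /proc/sys/net/ipv4/ip_forward)", "$(iptables -t nat -L POSTROUTING)", "$(iptables -L FORWARD -v)" and "$(cat /etc/default/ufw)". The counter check is the one that matters for the output pasted above: the FORWARD chain policy was ACCEPT and the MASQUERADE rule was present, yet both ACCEPT rules showed 0 packets, so the returning TCP segments were being dropped before they ever reached the FORWARD chain, consistent with the ufw default the last comment describes.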