Closed LinJianping closed 7 years ago
So on CentOS you want to use an ISATAP tunnel to get IPv6, reach the VPS over v6, and then use the VPN on the VPS as a proxy to the Internet?

```
client -- (IPv4) -- ISATAP server -- (IPv6) -- VPS -- Internet
```

In that setup both the v4 and the v6 routing tables matter and need careful configuration. Use mtr/traceroute to troubleshoot the routing.

Question: why does the VPN log show only IPv4 operations and nothing for v6?
What I pasted is only part of the OpenVPN log. Without OpenVPN running, the CentOS box can ping6 my VPS's IPv6 address, but once OpenVPN is up it can't. On Windows I see that the OpenVPN IP also gets an ISATAP tunnel; I don't know whether that is related.

```
以太网适配器 以太网 3:

   连接特定的 DNS 后缀 . . . . . . . : tsinghua.edu.cn
   本地链接 IPv6 地址. . . . . . . . : fe80::b109:432d:1833:b492%9
   IPv4 地址 . . . . . . . . . . . . : 166.111.67.137
   子网掩码  . . . . . . . . . . . . : 255.255.252.0
   默认网关. . . . . . . . . . . . . : 166.111.64.1

以太网适配器 以太网 4:

   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::7caf:61cd:a694:9138%17
   IPv4 地址 . . . . . . . . . . . . : 10.8.0.6
   子网掩码  . . . . . . . . . . . . : 255.255.255.252
   默认网关. . . . . . . . . . . . . :

隧道适配器 isatap.tsinghua.edu.cn:

   连接特定的 DNS 后缀 . . . . . . . : tsinghua.edu.cn
   IPv6 地址 . . . . . . . . . . . . : 2402:f000:1:1501:200:5efe:166.111.67.137
   本地链接 IPv6 地址. . . . . . . . : fe80::200:5efe:166.111.67.137%18
   默认网关. . . . . . . . . . . . . : fe80::5efe:166.111.21.1%18

隧道适配器 isatap.{B97C0EFE-8626-4049-A632-F2E9C5F89F86}:

   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::5efe:10.8.0.6%7
   默认网关. . . . . . . . . . . . . :
```

Do I also need to create a tunnel for the OpenVPN IP on CentOS?
The cause of the problem is this: you reach the v6 network through an ISATAP tunnel carried over the v4 network, and that is how you connect to your VPS. Once the VPN comes up, the VPS pushes a default route that sends all v4 traffic into the VPN tunnel. At that point the packets destined for the ISATAP tunnel server are also routed into your VPN tunnel, so the v6 path breaks, and with it all connectivity.

The fix is to add a route that sends traffic for the tunnel server via the original gateway; that removes the fault.

Add this line to the client's OpenVPN config:

```
route 166.111.21.1 255.255.255.255 net_gateway
```
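To see why the pushed `0.0.0.0/1` and `128.0.0.0/1` routes capture the ISATAP endpoint and why one /32 host route is enough, here is an added example (not from the issue, and not OpenVPN's own code) that replays the kernel's longest-prefix match over the post-VPN `route -n` table quoted in the issue; the route list is transcribed from that output, and resolving the bypass route's device through the gateway's own route is an assumption about how the fix behaves.

```python
from ipaddress import ip_address, ip_network

# Transcribed from the `route -n` output in the issue after OpenVPN came up.
# Each entry: (destination network, gateway or None for on-link, interface).
ROUTES_AFTER_VPN = [
    ("0.0.0.0/1",        "10.8.0.13",    "tun0"),
    ("0.0.0.0/0",        "166.111.64.1", "enp2s0"),
    ("10.8.0.1/32",      "10.8.0.13",    "tun0"),
    ("10.8.0.13/32",     None,           "tun0"),
    ("128.0.0.0/1",      "10.8.0.13",    "tun0"),
    ("166.111.64.0/22",  None,           "enp2s0"),
    ("192.168.122.0/24", None,           "virbr0"),
]

ISATAP_SERVER = "166.111.21.1"  # REMOTE_IP4 in the issue's sit2 script
LAN_GATEWAY = "166.111.64.1"    # what OpenVPN logged as ROUTE_GATEWAY (net_gateway)


def lookup(routes, dst):
    """Longest-prefix match: the most specific network containing dst wins."""
    dst = ip_address(dst)
    best = None
    for net, gw, dev in routes:
        net = ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return best


def egress_device(routes, dst):
    return lookup(routes, dst)[2]


def with_bypass_route(routes, host, gateway):
    """Model of `route <host> 255.255.255.255 net_gateway`: a /32 host route
    via the LAN gateway. The egress device is taken from the gateway's own
    (on-link) route, which is how the kernel resolves a via-gateway route."""
    dev = egress_device(routes, gateway)
    return routes + [(f"{host}/32", gateway, dev)]


if __name__ == "__main__":
    print("before:", lookup(ROUTES_AFTER_VPN, ISATAP_SERVER))
    fixed = with_bypass_route(ROUTES_AFTER_VPN, ISATAP_SERVER, LAN_GATEWAY)
    print("after: ", lookup(fixed, ISATAP_SERVER))
    print("other: ", lookup(fixed, "203.0.113.1"))  # still goes into the VPN
```

On the box itself the equivalent check is `ip route get 166.111.21.1`, which should report `via 166.111.64.1 dev enp2s0` once the route is in place, while any other public address still resolves to `tun0`.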
I have a VPS abroad running OpenVPN with the following server config:

```
port 1194
proto udp6
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
```

On Windows 10 with the OpenVPN GUI the client config is:

```
client
dev tun
proto udp6
remote server-ipv6-addr 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
```

With this configuration I can reach the outside Internet over IPv6 free of traffic charges. On CentOS 7, however, the same configuration does not work. At first IPv6 itself was unreachable; after setting it up with a script found online I could reach ipv6.google.com and other IPv6 sites. The script is:
```bash
#!/bin/bash
# ISATAP-style sit tunnel to the campus IPv6 relay; the embedded IPv4 address
# (REMOTE_IP6:IP4) is the ISATAP interface identifier.
REMOTE_IP6="2402:f000:1:1501:200:5efe"
REMOTE_IP4="166.111.21.1"
# Interface that carries the IPv4 default route, and its primary IPv4 address.
IFACE4=$(ip route show | grep default | sed -e 's/^default.*dev \([^ ]\+\).*$/\1/')
IP4=$(ip addr show dev "$IFACE4" | grep -m 1 'inet\ ' | sed -e 's/^.*inet \([^ \\]\+\)\/.*$/\1/')
sudo ip tunnel del sit2 2>/dev/null  # delete a previously created device; ignored if there is none
sudo ip tunnel add sit2 mode sit remote "$REMOTE_IP4" local "$IP4"
sudo ip link set dev sit2 up
sudo ip -6 addr add "$REMOTE_IP6:$IP4/64" dev sit2
sudo ip -6 route add default via "$REMOTE_IP6:$REMOTE_IP4" dev sit2
```

But when I start OpenVPN, I find I can neither ping IPv4 addresses nor ping6 IPv6 addresses. Has anyone run into a similar problem?

Before starting OpenVPN, `ifconfig` output:

```
enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 166.111.64.169  netmask 255.255.252.0  broadcast 166.111.67.255
        inet6 fe80::ba89:5840:359b:15ea  prefixlen 64  scopeid 0x20
        ether 40:8d:5c:ce:b1:0b  txqueuelen 1000  (Ethernet)
        RX packets 697290  bytes 108479946 (103.4 MiB)
        RX errors 0  dropped 5630  overruns 0  frame 0
        TX packets 68533  bytes 8831520 (8.4 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1  (Local Loopback)
        RX packets 620  bytes 55688 (54.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 620  bytes 55688 (54.3 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

sit1: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1480
        inet6 fe80::a66f:40a9  prefixlen 128  scopeid 0x20
        inet6 2402:f000:1:1501:200:5efe:a66f:40a9  prefixlen 64  scopeid 0x0
        sit  txqueuelen 1  (IPv6-in-IPv4)
        RX packets 29014  bytes 29064775 (27.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 38924068  bytes 61791704468 (57.5 GiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:a5:60:e0  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
```

`route -n` output:

```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         166.111.64.1    0.0.0.0         UG    100    0        0 enp2s0
166.111.64.0    0.0.0.0         255.255.252.0   U     100    0        0 enp2s0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
```

After starting OpenVPN:

```
enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 166.111.64.169  netmask 255.255.252.0  broadcast 166.111.67.255
        inet6 fe80::ba89:5840:359b:15ea  prefixlen 64  scopeid 0x20
        ether 40:8d:5c:ce:b1:0b  txqueuelen 1000  (Ethernet)
        RX packets 706971  bytes 109155945 (104.0 MiB)
        RX errors 0  dropped 5630  overruns 0  frame 0
        TX packets 68624  bytes 8843403 (8.4 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1  (Local Loopback)
        RX packets 620  bytes 55688 (54.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 620  bytes 55688 (54.3 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

sit1: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1480
        inet6 fe80::a66f:40a9  prefixlen 128  scopeid 0x20
        inet6 2402:f000:1:1501:200:5efe:a66f:40a9  prefixlen 64  scopeid 0x0
        sit  txqueuelen 1  (IPv6-in-IPv4)
        RX packets 29063  bytes 29072223 (27.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 39334573  bytes 62442597525 (58.1 GiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.14  netmask 255.255.255.255  destination 10.8.0.13
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 410355  bytes 614374065 (585.9 MiB)
        TX errors 0  dropped 408770  overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:a5:60:e0  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
```

`route -n` output:

```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.13       128.0.0.0       UG    0      0        0 tun0
0.0.0.0         166.111.64.1    0.0.0.0         UG    100    0        0 enp2s0
10.8.0.1        10.8.0.13       255.255.255.255 UGH   0      0        0 tun0
10.8.0.13       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
128.0.0.0       10.8.0.13       128.0.0.0       UG    0      0        0 tun0
166.111.64.0    0.0.0.0         255.255.252.0   U     100    0        0 enp2s0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
```

OpenVPN output:

```
Wed Aug 9 16:28:45 2017 ROUTE_GATEWAY 166.111.64.1/255.255.252.0 IFACE=enp2s0 HWADDR=40:8d:5c:ce:b1:0b
Wed Aug 9 16:28:45 2017 TUN/TAP device tun0 opened
Wed Aug 9 16:28:45 2017 TUN/TAP TX queue length set to 100
Wed Aug 9 16:28:45 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Aug 9 16:28:45 2017 /sbin/ip link set dev tun0 up mtu 1500
Wed Aug 9 16:28:45 2017 /sbin/ip addr add dev tun0 local 10.8.0.14 peer 10.8.0.13
Wed Aug 9 16:28:45 2017 ROUTE remote_host protocol differs from tunneled
Wed Aug 9 16:28:45 2017 /sbin/ip route add 0.0.0.0/1 via 10.8.0.13
Wed Aug 9 16:28:45 2017 /sbin/ip route add 128.0.0.0/1 via 10.8.0.13
Wed Aug 9 16:28:45 2017 /sbin/ip route add 10.8.0.1/32 via 10.8.0.13
Wed Aug 9 16:28:45 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Aug 9 16:28:45 2017 Initialization Sequence Completed
Wed Aug 9 16:28:46 2017 TLS: soft reset sec=3596 bytes=67109530/67108864 pkts=44154/0
Wed Aug 9 16:29:46 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Aug 9 16:29:46 2017 TLS Error: TLS handshake failed
Wed Aug 9 16:29:46 2017 TLS: move_session: dest=TM_LAME_DUCK src=TM_ACTIVE reinit_src=1
```