我遇到过OpenVPN和SSH(以及其他服务)的问题:
我可以连接到VPN而不会出现任何错误消息 . 如果我想通过SSH连接到VPN内的计算机,我会收到错误:“ssh_exchange_identification:read:Connection reset by peer” .
在哪台机器上出现此问题的方式与日常和连接的连接不同 .
$ ssh root@storage -vvv
OpenSSH_6.9p1, OpenSSL 1.0.1k-fips 8 Jan 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to storage [192.168.1.5] port 22.
debug1: Connection established.
debug1: identity file /home/ewald/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ewald/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ewald/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ewald/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ewald/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ewald/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ewald/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ewald/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
ssh_exchange_identification: read: Connection reset by peer
如果我可以连接到VPN内的其他机器,我可以SSH到我的目标 . 此外,我尝试在远程路由器上为端口22配置端口转发,并经常通过此转发从我的客户端连接,它始终有效,所以我认为问题不在于SSH服务器或客户端配置 .
所以我在OpenVPN配置中尝试了很多设置(不同的链接-mtus,tcp而不是udp,禁用lzo,...),将它安装在不同的机器上(默认的OpenVPN服务器在Ubuntu 12.04 VM中 . 我试图安装它在裸机上也没有变化 .
由于问题首次出现,甚至ISP也发生了变化(从DSL到光纤) .
其他客户端机器也存在问题:使用粘度的macbook(tunnelblick也不起作用),几个linux盒子:fedora,ubuntu,......
有时我也没有收到来自HTTP服务器的答案(即使我可以使用SSH连接到它)HTTP服务器本身可以从内部网络和我的SSH隧道访问(使用它作为SOCKS代理),所以问题必须是OpenVPN连接 .
谁能帮我?如果连接本身有问题,我如何检查?
TCP转储:
$ sudo tcpdump -i tun0 dst port 22
15:56:17.689847 IP myclient.60920 > storage.ssh: Flags [S], seq 729708226, win 29200, options [mss 1460,sackOK,TS val 3108117687 ecr 0,nop,wscale 7], length 0
15:56:17.717556 IP myclient.60920 > storage.ssh: Flags [.], ack 2044707578, win 229, options [nop,nop,TS val 3108117714 ecr 1518717699], length 0
15:56:17.717949 IP myclient.60920 > storage.ssh: Flags [P.], seq 0:21, ack 1, win 229, options [nop,nop,TS val 3108117715 ecr 1518717699], length 21
15:56:17.945811 IP myclient.60920 > storage.ssh: Flags [P.], seq 0:21, ack 1, win 229, options [nop,nop,TS val 3108117943 ecr 1518717699], length 21
1 回答
也许缺少POSTROUTING规则,你可以粘贴这个命令的结果(在openvpn服务器上)吗?
如果没有规则,您可以尝试:
还要验证ipv4转发(在openvpn服务器上):
如果结果为0,则必须在'/etc/sysctl.conf'中添加以下行:
告诉我它是否有帮助