
OpenVPN can ping the DNS server but cannot resolve domain names (solved)

火星人 @ 2014-03-04, reply:0

OpenVPN is already connected and the client reaches the internet through NAT on the server. The symptom: sites reached by IP address work, but no site reached by domain name does. ipconfig shows the DNS server has been pushed, the DNS server can be pinged, and tracert to the DNS server does go through the VPN server.
The server is CentOS 4.5, the client is Windows XP. Where is the problem?

server.conf:
port 1194
proto udp
dev tun
ca ca.crt     
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.0.0
push "route 10.0.0.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 218.85.157.99"
duplicate-cn
keepalive 10 120
tls-auth ta.key 0
comp-lzo
persist-key
persist-tun
log-append  openvpn.log
verb 3
mute 20
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
client-cert-not-required
username-as-common-name

client.ovpn:
client
dev tun
proto udp
remote xxx.xxx.xxx 1194
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
auth-user-pass
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 4

iptables file:
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A POSTROUTING -o eth0 -s 10.8.0.0/16 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:RH-Firewall-1-INPUT -
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


Solved, see post #8.

[ This post was last edited by fzcw on 2009-4-29 09:17 ]
《Solution》

Reply to post #1 by fzcw

Is the DNS server you push reachable?
push "dhcp-option DNS 218.85.157.99"
Judging from push "route 10.0.0.0 255.255.255.0", only traffic to 10.x goes through the VPN.
《Solution》

Originally posted by kns1024wh on 2009-4-27 18:13
Is the DNS server you push reachable?
push "dhcp-option DNS 218.85.157.99"
Judging from push "route 10.0.0.0 255.255.255.0", only traffic to 10.x goes through the VPN.

It shouldn't be that; push "redirect-gateway def1" generates a default route, so everything goes through the VPN.
《Solution》

Run nslookup and check whether it is actually using that DNS server to resolve.
《Solution》

Originally posted by lth0721 on 2009-4-28 10:27
Run nslookup and check whether it is actually using that DNS server to resolve.

nslookup does use this DNS server, but it reports a timeout:
C:\Documents and Settings\Administrator>nslookup

DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 218.85.157.99: Timed out
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 218.85.157.99: Timed out
DNS request timed out.
    timeout was 2 seconds.
Default Server:  UnKnown
Address:  218.85.157.99



Yet tracert to the DNS server does reach it:

C:\Documents and Settings\Administrator>tracert 218.85.157.99

Tracing route to 218.85.157.99 over a maximum of 30 hops

  1     4 ms     4 ms     4 ms  10.8.0.1
  2     6 ms     7 ms     6 ms  10.0.0.1
  3     *        *        *     Request timed out.
  4   494 ms    59 ms     9 ms  202.109.204.57
  5     6 ms     5 ms     6 ms  220.160.92.237
  6     6 ms     5 ms     5 ms  218.85.156.82
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *     2485 ms    11 ms  218.85.157.99
《Solution》

On the VPN server, run tcpdump -n port 53 and take a look.
《Solution》

Originally posted by wenzk on 2009-4-28 14:06
On the VPN server, run tcpdump -n port 53 and take a look.

tcpdump -n port 53 captures on eth0 and sees no packets; capturing on the tap0 virtual interface does show packets:

# tcpdump -i tap0 -n port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap0, link-type EN10MB (Ethernet), capture size 96 bytes
16:07:01.503432 IP 10.8.0.2.65209 > 218.85.157.99.domain:  33085+ A? www.sina.com.cn. (33)
16:07:01.503610 IP 10.8.0.2.65209 > 218.85.157.99.domain:  33085+ A? www.sina.com.cn. (33)
16:07:01.503645 IP 10.8.0.2.65209 > 202.101.98.55.domain:  33085+ A? www.sina.com.cn. (33)
16:07:01.503675 IP 10.8.0.2.65209 > 218.85.157.99.domain:  33085+ A? www.sina.com.cn. (33)
16:07:01.503702 IP 10.8.0.2.65209 > 218.85.157.99.domain:  33085+ A? www.sina.com.cn. (33)
16:07:01.503728 IP 10.8.0.2.65209 > 218.85.157.99.domain:  33085+ A? www.sina.com.cn. (33)
16:07:01.503754 IP 10.8.0.2.65209 > 218.85.157.99.domain:  33085+ A? www.sina.com.cn. (33)
16:07:01.503780 IP 10.8.0.2.65209 > 202.101.98.55.domain:  33085+ A? www.sina.com.cn. (33)
16:07:04.965301 IP 10.8.0.2.65209 > 218.85.157.99.domain:  33085+ A? www.sina.com.cn. (33)
16:07:09.769893 IP 10.8.0.2.65209 > 218.85.157.99.domain:  33085+ A? www.sina.com.cn. (33)
16:07:09.770038 IP 10.8.0.2.65209 > 202.101.98.55.domain:  33085+ A? www.sina.com.cn. (33)
16:07:09.920057 IP 10.8.0.2.1026 > 218.85.157.99.domain:  44772+[|domain]

12 packets captured
12 packets received by filter
0 packets dropped by kernel


It looks like they are being filtered out. Is there a problem with the iptables setup?
《Solution》

Solved it myself: it was an iptables configuration problem. Because eth0 connects to the external network and only some incoming ports are open, packets from the virtual interface could not get into the eth0 interface, so they could not be proxied out to the internet.
So adding one rule to the iptables file fixes it:
-A RH-Firewall-1-INPUT -s 10.8.0.0/255.255.0.0 -j ACCEPT
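The rule above is appended to RH-Firewall-1-INPUT, a chain that both INPUT and FORWARD jump to, so it not only lets VPN clients' traffic be forwarded but also opens every service on the VPN server itself to 10.8.0.0/16. The script below is an added example for this page (not the poster's own script, not part of the thread): it walks a filter table written in iptables-restore syntax the way the kernel would for one modelled NEW packet, so a ruleset can be checked offline before it is loaded. It compares the thread's original ruleset, the fix posted in the thread, and a narrower alternative that accepts only on FORWARD for packets arriving on the tunnel interface. Assumptions: the tunnel interface is tun0 (the server config uses dev tun), addresses and ports are the ones from the thread, and the awk walker models only the -s, -d, -i, -p, --dport and --state matches.

```shell
#!/bin/sh
# Added example for this thread (not the poster's own script). Walks a filter
# table in iptables-restore syntax for one modelled packet so a ruleset can be
# checked offline. Assumptions: tunnel interface tun0 (server uses "dev tun"),
# addresses from the thread, only -s/-d/-i/-p/--dport/--state are modelled.

# build_rules FORWARD_EXTRA CHAIN_EXTRA: the thread's filter table (trimmed),
# with an optional rule before the FORWARD jump and/or before the final REJECT.
build_rules() {
    printf '%s\n' '*filter' ':INPUT ACCEPT' ':FORWARD ACCEPT' ':OUTPUT ACCEPT' \
        ':RH-Firewall-1-INPUT -' \
        '-A INPUT -j RH-Firewall-1-INPUT' \
        ${1:+"$1"} \
        '-A FORWARD -j RH-Firewall-1-INPUT' \
        '-A RH-Firewall-1-INPUT -i lo -j ACCEPT' \
        '-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT' \
        '-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT' \
        '-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT' \
        '-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT' \
        ${2:+"$2"} \
        '-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited' \
        'COMMIT'
}

# chain_verdict RULES CHAIN SRC DST IIF PROTO DPORT
# Prints ACCEPT, REJECT, DROP or POLICY:<policy> for a NEW packet entering CHAIN.
chain_verdict() {
    printf '%s\n' "$1" | awk -v start="$2" -v src="$3" -v dst="$4" \
        -v iif="$5" -v proto="$6" -v dport="$7" '
    function ip2int(ip,  o) { split(ip, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
    function prefix(m,  p, v) {            # "16" or "255.255.0.0" -> 16
        if (m !~ /\./) return m + 0
        v = ip2int(m); p = 0
        while (v >= 2147483648) { p++; v = (v - 2147483648) * 2 }
        return p
    }
    function in_net(ip, cidr,  a, d) {      # is ip inside net/prefix?
        if (split(cidr, a, "/") < 2) a[2] = 32
        d = 2 ^ (32 - prefix(a[2]))
        return int(ip2int(ip) / d) == int(ip2int(a[1]) / d)
    }
    function matches(i) {                   # does rule i select the packet?
        if ((i, "s") in opt && !in_net(src, opt[i, "s"])) return 0
        if ((i, "d") in opt && !in_net(dst, opt[i, "d"])) return 0
        if ((i, "i") in opt && opt[i, "i"] != iif) return 0
        if ((i, "p") in opt && opt[i, "p"] != proto) return 0
        if ((i, "dport") in opt && opt[i, "dport"] != dport) return 0
        if ((i, "state") in opt && index("," opt[i, "state"] ",", ",NEW,") == 0) return 0
        return 1
    }
    function walk(c,  i, t) {               # first terminating target, "" if none
        for (i = 1; i <= n; i++) {
            if (chain[i] != c || !matches(i)) continue
            t = opt[i, "j"]
            if (t == "ACCEPT" || t == "REJECT" || t == "DROP") return t
            if (t == "RETURN") return ""
            t = walk(t)                     # user-defined chain: descend
            if (t != "") return t
        }
        return ""
    }
    /^\*/ { table = substr($1, 2); next }
    table != "filter" { next }
    /^:/ { policy[substr($1, 2)] = $2; next }
    $1 == "-A" {
        n++; chain[n] = $2
        for (k = 3; k <= NF; k++) {
            if ($k == "-s")           opt[n, "s"] = $(++k)
            else if ($k == "-d")      opt[n, "d"] = $(++k)
            else if ($k == "-i")      opt[n, "i"] = $(++k)
            else if ($k == "-p")      opt[n, "p"] = $(++k)
            else if ($k == "--dport") opt[n, "dport"] = $(++k)
            else if ($k == "--state") opt[n, "state"] = $(++k)
            else if ($k == "-j")      opt[n, "j"] = $(++k)
        }
    }
    END { v = walk(start); if (v == "") v = "POLICY:" policy[start]; print v }'
}

BROKEN=$(build_rules "" "")
# The fix posted in the thread: accept the whole VPN subnet in the shared chain.
THREAD_FIX=$(build_rules "" "-A RH-Firewall-1-INPUT -s 10.8.0.0/255.255.0.0 -j ACCEPT")
# Narrower alternative (assumes tun0): forward only what arrives on the tunnel.
NARROW_FIX=$(build_rules "-A FORWARD -i tun0 -s 10.8.0.0/16 -j ACCEPT" "")

# A client's first DNS query (NEW, UDP/53) being forwarded out, as in the thread.
dns_forward_verdict() { chain_verdict "$1" FORWARD 10.8.0.2 218.85.157.99 tun0 udp 53; }
# A client opening a TCP connection to a port on the VPN server itself.
vpn_to_server_verdict() { chain_verdict "$1" INPUT 10.8.0.2 10.8.0.1 tun0 tcp "$2"; }

for name in BROKEN THREAD_FIX NARROW_FIX; do
    eval "rules=\$$name"
    printf '%-10s DNS forward: %-7s client->server tcp/3306: %s\n' "$name" \
        "$(dns_forward_verdict "$rules")" "$(vpn_to_server_verdict "$rules" 3306)"
done
```

Run it with sh: the original ruleset rejects the forwarded DNS query (which is what the tcpdump on the tunnel interface showed, queries arriving but never leaving eth0), the thread's fix accepts it but also accepts a client connection to tcp/3306 on the server, and the FORWARD-only rule accepts the DNS query while the server's own INPUT policy stays as it was.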


http://coctec.com/docs/service/show-post-22968.html