有在 GCP(Google Cloud Platform)搭建 strongswan 的嘛?

我访问其他网站都没问题,就是 google 全家桶不行

不要用 10/8

你换 192.168/16 试试呢

@Showfom 192.168.16.0/24 也是同样的结果， gcp 内网 IP 断是 10.128.0.0/9

有抓包看过没有？

另外问一下，你搭的 strongswan 隧道和 tcp 明文传输带宽损失多少？

我在 gce 上搭的 strongswan ，工作的很好。
大概看了一下配置，和你不一样的地方基本知识子网 ip ，我用的 192.168.55.0/24,iptables 规则是这样的：
iptables -t nat -A POSTROUTING -s 192.168.55.0/24 -j SNAT --to 10.x.x.x

另外，我在同一台机器上搭了 openvpn ， traceroute 显示能连接成功，但是 dns 没法解析，不知道怎么回事。。。

对了，我的问题和楼主正好相反，连上 openvpn 以后只能访问 google 系列网站，访问其他的不行

@redsonic 这玩意怎么测?没弄过啊

@blues9 嗯,我试试,因为 GCP 里面 eth0 的地址并不是真正的外网地址

@blues9 改成 192.168.55.0/24 也是不行,方便把你的 /etc/ipsec.conf 贴一下吗?

openvpn 的话我参考的这个 https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8

DNS 解析不了的话你看看 push 的 DNS 是多少?

用 iperf 跑一下，先跑裸线，然后再跑你隧道里的那个地址看看。 strongswan 我在很多家的上面都搭过 额外开销很大，下行 50Mb 的裸线 跑隧道就变 40Mb 了。

@churchmice ipse.conf 配置文件如下：
config setup
uniqueids=never

conn iOS_cert
keyexchange=ikev1
fragmentation=yes
leftsendcert=always
left=%defaultroute
leftauth=pubkey
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=pubkey
rightauth2=xauth
rightsourceip=192.168.55.0/24
rightcert=client.cert.pem
auto=add

我的 openvpn 的 dns 配置是这样的：
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 8.8.8.8"

@blues9 DNS 改成 8.8.4.4 ? 还有你的防火墙这么配置的?

我的配置如下:

port 2048

proto udp

dev tun


ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret

dh /etc/openvpn/dh2048.pem

server 10.0.32.0 255.255.255.0

ifconfig-pool-persist ipp.txt








push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 8.8.8.8"



keepalive 10 120



comp-lzo


user nobody
group nogroup

persist-key
persist-tun

status openvpn-status.log


verb 3


cipher AES-256-CBC

@redsonic
[ ID] Interval Transfer Bandwidth
[ 5] 0.00-60.00 sec 15.5 MBytes 2.17 Mbits/sec sender
[ 5] 0.00-60.00 sec 15.4 MBytes 2.16 Mbits/sec receiver


我家的瓶颈在无线路由器....

@churchmice 这是裸线还是走隧道？ 要对比一下。不过你这带宽足够了，损失多少无所谓了。

@redsonic 连上 strongswan 之后本机(mac)当 server,gcp 当 client 的数据

root@nox-gcp:~# iperf3 -u -c 10.0.64.1 -b 50M -t 60 -i 10
Connecting to host 10.0.64.1, port 5201
[ 4] local ********** port 47358 connected to 10.0.64.1 port 5201
[ ID] Interval Transfer Bandwidth Total Datagrams
[ 4] 0.00-10.00 sec 59.2 MBytes 49.6 Mbits/sec 7575
[ 4] 10.00-20.00 sec 59.6 MBytes 50.0 Mbits/sec 7629
[ 4] 20.00-30.00 sec 59.6 MBytes 50.0 Mbits/sec 7629
[ 4] 30.00-40.00 sec 59.6 MBytes 50.0 Mbits/sec 7630
[ 4] 40.00-50.00 sec 59.6 MBytes 50.0 Mbits/sec 7629
[ 4] 50.00-60.00 sec 59.6 MBytes 50.0 Mbits/sec 7630
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Jitter Lost/Total Datagrams
[ 4] 0.00-60.00 sec 357 MBytes 49.9 Mbits/sec 0.522 ms 26/45722 (0.057%)
[ 4] Sent 45722 datagrams

iperf Done.

@redsonic
刚才可能有人在看电视,所以数据不准
现在拿本机(mac)当 client,gcp 当 server,数据如下

churchmice@rmbp:~ $-> iperf3 -u -c 104.x.x.x -b 50M -t 60 -i 10
Connecting to host 104.x.x.x, port 5201
[ 5] local 10.0.16.64 port 49369 connected to 104.x.x.x port 5201
[ ID] Interval Transfer Bandwidth Total Datagrams
[ 5] 0.00-10.01 sec 59.0 MBytes 49.5 Mbits/sec 43975
[ 5] 10.01-20.00 sec 59.6 MBytes 50.0 Mbits/sec 44404
[ 5] 20.00-30.00 sec 59.6 MBytes 50.0 Mbits/sec 44386
[ 5] 30.00-40.00 sec 59.6 MBytes 50.0 Mbits/sec 44390
[ 5] 40.00-50.01 sec 59.6 MBytes 50.0 Mbits/sec 44391
[ 5] 50.01-60.01 sec 59.6 MBytes 50.0 Mbits/sec 44393
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Jitter Lost/Total Datagrams
[ 5] 0.00-60.01 sec 357 MBytes 49.9 Mbits/sec 1.645 ms 241581/265936 (91%)
[ 5] Sent 265936 datagrams

iperf Done.

连上 strongswan
churchmice@rmbp:~ $-> iperf3 -u -c 104.x.x.x -b 50M -t 60 -i 10
Connecting to host 104.x.x.x, port 5201
[ 5] local 10.0.16.64 port 61546 connected to 104.x.x.x port 5201
[ ID] Interval Transfer Bandwidth Total Datagrams
[ 5] 0.00-10.00 sec 59.1 MBytes 49.5 Mbits/sec 43990
[ 5] 10.00-20.00 sec 59.6 MBytes 50.0 Mbits/sec 44382
[ 5] 20.00-30.00 sec 59.6 MBytes 50.0 Mbits/sec 44407
[ 5] 30.00-40.00 sec 59.6 MBytes 50.0 Mbits/sec 44364
[ 5] 40.00-50.00 sec 59.6 MBytes 50.0 Mbits/sec 44391
[ 5] 50.00-60.00 sec 59.6 MBytes 50.0 Mbits/sec 44402
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Jitter Lost/Total Datagrams
[ 5] 0.00-60.00 sec 357 MBytes 49.9 Mbits/sec 1.704 ms 241100/265927 (91%)
[ 5] Sent 265927 datagrams

iperf Done.

用 tcp 模式测试的话,gcp 开 server,mac 当 client,测试命令 iperf3 -c 104.x.x.x -t 60 -i 10, 连上 vpn 和未连 vpn 速度都是差不多

[ 5] 0.00-60.15 sec 25.9 MBytes 3.62 Mbits/sec sender
[ 5] 0.00-60.15 sec 25.8 MBytes 3.60 Mbits/sec receiver

连上后 mac 当 server,gcp 当 client,测试的话速度倒是挺快 iperf3 -c 10.0.64.1 -t 60 -i 10
[ ID] Interval Transfer Bandwidth Retr
[ 4] 0.00-60.00 sec 348 MBytes 48.6 Mbits/sec 257 sender
[ 4] 0.00-60.00 sec 346 MBytes 48.4 Mbits/sec receiver

不过我的问题还是没法解决啊,很诡异的
ping www.google.com 都是没有问题的
wget 就卡了

churchmice@ancients:~ $-> ping www.google.com
PING www.google.com (64.233.188.104): 56 data bytes
64 bytes from 64.233.188.104: icmp_seq=0 ttl=52 time=48.167 ms
^C
--- www.google.com ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 48.167/48.167/48.167/0.000 ms
churchmice@ancients:~ $-> wget www.google.com
--2017-03-12 19:55:58-- http://www.google.com/
Resolving www.google.com... 64.233.188.103, 64.233.188.104, 64.233.188.106, ...
Connecting to www.google.com|64.233.188.103|:80... connected.
HTTP request sent, awaiting response... ^C

@churchmice
我的 openvpn 配置和你大同小异。改了 dns 也没有用。
iptables 规则是：
iptables -t nat -A POSTROUTING -s 192.168.66.0/24 -j SNAT --to 10.x.x.x

在我的 macbook 上连上 open VPN ，命令行 ping 和 traceroute 某个 ip 都是没有问题的

@blues9 英吹思婷,我的是 ping 没问题,wget 就卡