UFW блокирует трафик openvpn с хоста Linux

Question

У меня проблемы с настройкой openvpn.Связь между клиентом работает, но мой клиент Linux не может подключиться к Интернету;похоже, что его трафик блокируется UFW на сервере OpenVPN.На моем mac интернет работает нормально при подключении к тому же vpn.

Вот сообщение от /var/log/ufw.log

29 мая 00:36:17 ядро ​​ubuntu-4gb-nbg1-1: [1208.545264] [БЛОК UFW]IN = eth0 OUT = MAC = xxx SRC = xxx DST = xxx LEN = 40 TOS = 0x00 PREC = 0x00 TTL = 33 ID = 15564 PROTO = TCP SPT = 61366 DPT = 9299 WINDOW = 1024 RES = 0x00 SYN URGP = 0

Я добавил это в before.rules ufw:

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0 
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT

ufw / sysctl.conf

net/ipv4/ip_forward=1

и т.д. / sysctl.conf

net.ipv4.ip_forward=1

/ etc / default / ufw:

DEFAULT_FORWARD_POLICY="ACCEPT"

ufw status:

To                         Action      From
--                         ------      ----
1194/udp                   ALLOW       Anywhere                  
OpenSSH                    ALLOW       Anywhere                  
22                         ALLOW       Anywhere                  
1194                       ALLOW       Anywhere                  
1194/udp (v6)              ALLOW       Anywhere (v6)             
OpenSSH (v6)               ALLOW       Anywhere (v6)             
22 (v6)                    ALLOW       Anywhere (v6)             
1194 (v6)                  ALLOW       Anywhere (v6)             

Я добавил ниже к моей конфигурации клиента в окне Ubuntu

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Клиент запускается без ошибок

Tue May 28 22:33:34 2019 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 19 2019
Tue May 28 22:33:34 2019 library versions: OpenSSL 1.1.0g  2 Nov 2017, LZO 2.08
Tue May 28 22:33:34 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue May 28 22:33:34 2019 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue May 28 22:33:34 2019 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue May 28 22:33:34 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx:1194
Tue May 28 22:33:34 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue May 28 22:33:34 2019 UDP link local: (not bound)
Tue May 28 22:33:34 2019 UDP link remote: [AF_INET]xxx:1194
Tue May 28 22:33:34 2019 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Tue May 28 22:33:34 2019 TLS: Initial packet from [AF_INET]116.203.179.130:1194, sid=b819c3e2 f0a257e9
Tue May 28 22:33:34 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue May 28 22:33:34 2019 VERIFY KU OK
Tue May 28 22:33:34 2019 Validating certificate extended key usage
Tue May 28 22:33:34 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue May 28 22:33:34 2019 VERIFY EKU OK
Tue May 28 22:33:34 2019 VERIFY OK: depth=0, CN=server
Tue May 28 22:33:34 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue May 28 22:33:34 2019 [server] Peer Connection Initiated with [AF_INET]116.203.179.130:1194
Tue May 28 22:33:35 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue May 28 22:33:35 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9,peer-id 2,cipher AES-256-GCM'
Tue May 28 22:33:35 2019 OPTIONS IMPORT: timers and/or timeouts modified
Tue May 28 22:33:35 2019 OPTIONS IMPORT: --ifconfig/up options modified
Tue May 28 22:33:35 2019 OPTIONS IMPORT: route options modified
Tue May 28 22:33:35 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue May 28 22:33:35 2019 OPTIONS IMPORT: peer-id set
Tue May 28 22:33:35 2019 OPTIONS IMPORT: adjusting link_mtu to 1624
Tue May 28 22:33:35 2019 OPTIONS IMPORT: data channel crypto options modified
Tue May 28 22:33:35 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue May 28 22:33:35 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue May 28 22:33:35 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue May 28 22:33:35 2019 ROUTE_GATEWAY 192.168.178.1/255.255.255.0 IFACE=enp4s0 HWADDR=f8:32:e4:a2:c0:c5
Tue May 28 22:33:35 2019 TUN/TAP device tun0 opened
Tue May 28 22:33:35 2019 TUN/TAP TX queue length set to 100
Tue May 28 22:33:35 2019 /sbin/ip link set dev tun0 up mtu 1500
Tue May 28 22:33:35 2019 /sbin/ip addr add dev tun0 local 10.8.0.10 peer 10.8.0.9
Tue May 28 22:33:36 2019 /etc/openvpn/update-resolv-conf tun0 1500 1552 10.8.0.10 10.8.0.9 init
Tue May 28 22:33:36 2019 /sbin/ip route add 116.203.179.130/32 via 192.168.178.1
Tue May 28 22:33:36 2019 /sbin/ip route add 0.0.0.0/1 via 10.8.0.9
Tue May 28 22:33:36 2019 /sbin/ip route add 128.0.0.0/1 via 10.8.0.9
Tue May 28 22:33:36 2019 /sbin/ip route add 10.8.0.1/32 via 10.8.0.9
Tue May 28 22:33:36 2019 GID set to nogroup
Tue May 28 22:33:36 2019 UID set to nobody
Tue May 28 22:33:36 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue May 28 22:33:36 2019 Initialization Sequence Completed

Что еще можно попробовать?Я действительно не знаю, где еще искать ... Как заставить ufw правильно перенаправлять внешний трафик?

Редактировать

При запуске wget https://www.google.com я получаю это, потом зависает навсегда

wget http://www.google.de
--2019-05-28 23:12:37--  http://www.google.de/
Resolving www.google.de (www.google.de)... 216.58.207.35, 2a00:1450:4001:824::2003
Connecting to www.google.de (www.google.de)|216.58.207.35|:80... connected.
HTTP request sent, awaiting response...