Problems using DNS with a VPN split tunnel on CentOS 8

So I am trying to set up a split tunnel on my server (my server is the VPN client). The vpn user should only be able to reach the internet through the VPN interface (tun0).

I have followed the Ubuntu guides and tried to "translate" them to CentOS 8. The guide I have been following is Force Torrent, which was inspired by Force Torrent Traffic via VPN Split Tunnel Debian 8 + Ubuntu 16.04, and then I applied the updates found in the split tunnel guide for Ubuntu 18.04.

This resulted in the following files:

Code/scripts (results below):
/etc/systemd/system/openvpn@openvpn.service

```ini
[Unit]
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
After=network.target

[Service]
RuntimeDirectory=openvpn
PrivateTmp=true
KillMode=mixed
Type=forking
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
PIDFile=/run/openvpn/%i.pid
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
Restart=on-failure
RestartSec=3
ProtectSystem=yes
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw

[Install]
WantedBy=multi-user.target
```
/etc/openvpn/openvpn.conf

```text
client
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
dev tun
proto udp
remote pool-1.prd.se.ovpn.com 1194
remote pool-1.prd.se.ovpn.com 1195
remote pool-2.prd.se.ovpn.com 1194
remote pool-2.prd.se.ovpn.com 1195
remote pool-3.prd.se.ovpn.com 1194
remote pool-3.prd.se.ovpn.com 1195
remote pool-4.prd.se.ovpn.com 1194
remote pool-4.prd.se.ovpn.com 1195
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-256-cbc
auth-user-pass /etc/openvpn/credentials
auth-nocache
comp-lzo
route-noexec
remote-cert-tls server
pull
reneg-sec 0
verb 3
mute-replay-warnings
replay-window 256
ca /etc/openvpn/ovpn-ca.crt
tls-auth /etc/openvpn/ovpn-tls.key 1
log /tmp/openvpn.log
script-security 2
# up script path must match the firewall script below (/etc/openvpn/firewalld.sh)
up /etc/openvpn/firewalld.sh
up-restart
down /etc/openvpn/scripts/update-systemd-resolved
down-pre
dhcp-option DOMAIN-ROUTE .
```
/etc/openvpn/firewalld.sh

```bash
#! /bin/bash
export INTERFACE="tun0"
export VPNUSER="vpn"
export LOCALIP="192.168.1.10"
export NETIF="enp1s0"

# Flush all rules
firewall-cmd --direct --remove-rules ipv4 mangle OUTPUT
firewall-cmd --direct --remove-rules ipv4 mangle INPUT
firewall-cmd --direct --remove-rules ipv4 filter INPUT
firewall-cmd --direct --remove-rules ipv4 filter OUTPUT
firewall-cmd --direct --remove-rules ipv4 nat POSTROUTING

#firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 ! -o lo -m owner --uid-owner vpn -j DROP

# Mark packets from $VPNUSER
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 -j CONNMARK --restore-mark
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1

# Added local open ports (since I do not use these services I have not opened these ports)
#firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 --src $LOCALIP -p tcp -m tcp -m multiport --sports 6800,7777 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x0

# Continue marking
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 ! --src $LOCALIP -j MARK --set-mark 0x1
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 -j CONNMARK --save-mark

# Allow responses
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -i $INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Block everything incoming on $INTERFACE to prevent accidental exposing of ports
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -i $INTERFACE -j REJECT

# Let $VPNUSER access lo and $INTERFACE
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT

# All packets on $INTERFACE need to be masqueraded
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o $INTERFACE -j MASQUERADE

# Reject connections from the predator IP going over $NETIF
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 ! --src $LOCALIP -o $NETIF -j REJECT

#ADD YOUR OWN RULES HERE

# Start routing script
/etc/openvpn/routing.sh

exit 0
```
/etc/openvpn/routing.sh

```bash
#! /bin/bash
VPNIF="tun0"
VPNUSER="vpn"

# Pick the VPN gateway: last IPv4 address on tun0 that is neither a netmask nor loopback
GATEWAYIP=$(ip address show $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)

# Send packets marked 0x1 to the $VPNUSER routing table
if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
    ip rule add from all fwmark 0x1 lookup $VPNUSER
fi

ip route replace default via $GATEWAYIP table $VPNUSER
ip route append default via 127.0.0.1 dev lo table $VPNUSER
ip route flush cache

# run update-resolv-conf script to set VPN DNS
/etc/openvpn/scripts/update-systemd-resolved

exit 0
```
/etc/iproute2/rt_tables

```text
#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
200     vpn
```
/etc/sysctl.d/9999-vpn.conf

```text
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.enp1s0.rp_filter = 2
```
Results:

Checking DNS with the command:

```shell
systemd-resolve --status
```

```text
Link 9 (tun0)
      Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: allow-downgrade
    DNSSEC supported: yes
  Current DNS Server: 192.165.9.158
         DNS Servers: 192.165.9.158
                      46.227.67.134
          DNS Domain: ~.
```
Checking the VPN public IP with:

```shell
sudo -u vpn -i -- curl ipinfo.io
```

gives me: `curl: (6) Could not resolve host: ipinfo.io`. Whereas `sudo curl ipinfo.io --interface tun0` works fine. As the vpn user I also have problems with `ping www.google.se`, but if I use the domain's IP instead it works fine.
The problem is that CentOS 8 does not set DNS with systemd-resolved even though the service is running. To set DNS with systemd-resolved, and therefore use the update-systemd-resolved script, you have to edit /etc/NetworkManager/NetworkManager.conf and set `dns=systemd-resolved` in the `[main]` section. More information on the topic: Chapter 33. Using different DNS servers for different domains.
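Added example, not code from either poster: read-only checks for the three pieces this thread hinges on, the `dns=` backend in the `[main]` section of NetworkManager.conf (the fix given in the answer), the `vpn` table in rt_tables, and the `fwmark 0x1 lookup vpn` policy rule from routing.sh. Every function takes a file argument, so it can be pointed at the live files (or at saved `ip rule list` output) or at the constructed samples built in `demo()`; the file names and sample contents are assumptions for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). All checks are read-only and take
# file paths: NetworkManager.conf, rt_tables, and saved `ip rule list` output.

# Print the dns= value from the [main] section only; a dns= key in another
# section or a commented-out one does not count. Prints "unset" if absent.
nm_dns_backend() {
    awk -F= '
        /^[[:space:]]*\[/ { in_main = ($0 ~ /^[[:space:]]*\[main\][[:space:]]*$/); next }
        in_main && $1 ~ /^[[:space:]]*dns[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); val = $2 }
        END { print (val == "" ? "unset" : val) }' "$1"
}

# Numeric id of a named table in rt_tables; comment lines such as "#1 inr.ruhep"
# are skipped. Prints nothing if the table is not defined.
rt_table_id() {
    awk -v name="$2" '!/^[[:space:]]*#/ && $2 == name { print $1; exit }' "$1"
}

# Number of policy rules sending fwmark 0x1 to table $2. Anchoring the mark avoids
# the false positive of routing.sh's "grep -c 0x1", which also matches 0x10, 0x100.
fwmark_rules() {
    grep -Ec "fwmark 0x1(/0x[0-9a-f]+)? lookup $2\$" "$1" || true
}

# Report on all three and return the number of problems found (0 = all good).
split_tunnel_report() {
    local nm_conf=$1 rt_tables=$2 ip_rules=$3 table=${4:-vpn} problems=0 backend
    backend=$(nm_dns_backend "$nm_conf")
    if [ "$backend" = "systemd-resolved" ]; then echo "ok   NetworkManager dns=$backend"
    else echo "FIX  set dns=systemd-resolved under [main] (now: $backend)"; problems=$((problems+1)); fi
    if [ -n "$(rt_table_id "$rt_tables" "$table")" ]; then echo "ok   rt_tables defines '$table'"
    else echo "FIX  no '$table' table in rt_tables"; problems=$((problems+1)); fi
    if [ "$(fwmark_rules "$ip_rules" "$table")" -ge 1 ]; then echo "ok   fwmark 0x1 -> table $table"
    else echo "FIX  no 'from all fwmark 0x1 lookup $table' rule"; problems=$((problems+1)); fi
    return "$problems"
}

# Constructed samples (not captured from the poster's host): [main] without dns=,
# the poster's rt_tables, and a rule list whose only mark is 0x10 (loose grep would pass it).
demo() {
    local d; d=$(mktemp -d)
    printf '[main]\nplugins=ifcfg-rh\n\n[logging]\n#dns=default\n' > "$d/nm.conf"
    printf '255\tlocal\n254\tmain\n253\tdefault\n0\tunspec\n#1\tinr.ruhep\n200\tvpn\n' > "$d/rt_tables"
    printf '0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x10 lookup 100\n' > "$d/rules"
    split_tunnel_report "$d/nm.conf" "$d/rt_tables" "$d/rules" || echo "$? problem(s) found"
    rm -rf "$d"
}
demo
```

On a real host, run `split_tunnel_report /etc/NetworkManager/NetworkManager.conf /etc/iproute2/rt_tables <(ip rule list)` after the tunnel is up; the demo data reports two problems, the missing dns backend and the missing 0x1 rule.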