所以基本上我只是想要一个终止开关,这样连接就只能通过 VPN 进行。此外,我更希望 openvpn 在连接中断时不断尝试重新连接。
问题是我使用 CyberGhost 作为 VPN 提供商,他们提供域名作为远程地址,而不是单个 IP 地址。如果解析了此域名,我会得到一个 IP 地址列表。现在这个列表正在发生变化。
我所做的是向 openvpn 添加了一个 up.sh 脚本,因此每次启动时它都会重置 ufw,请求 ip 地址列表,并在启动 vpn 连接之前将所有这些地址添加到 ufw。
openvpn.ovpn
client
remote 4-1-gb.cg-dialup.net 443
dev tun
proto udp
auth-user-pass
resolv-retry infinite
redirect-gateway def1
persist-key
persist-tun
nobind
cipher AES-256-CBC
auth SHA256
#ping 5
#ping-exit 60
#ping-timer-rem
explicit-exit-notify 2
script-security 2
remote-cert-tls server
route-delay 5
tun-mtu 1500
fragment 1300
mssfix 1200
verb 4
comp-lzo
auth-user-pass login.conf
keepalive 10 60
ca ca.crt
cert client.crt
key client.key
上传文件
#!/bin/sh
echo "Updating FireWall.."
sh ./firewall_setting.sh
echo "Bringing up the tunnel DNS.."
resolvconf -a tap0 <resolve.conf
防火墙设置
#!/bin/bash
###########################################
# Created by Thomas Butz #
# E-Mail: btom1990(at)googlemail.com #
# Feel free to copy & share this script #
###########################################
# Adapt this value to your config!
VPN_DST_PORT=443
# Don't change anything beyond this point
###########################################
# Check for root priviliges
if [[ $EUID -ne 0 ]]; then
printf "Please run as root:\nsudo %s\n" "${0}"
exit 1
fi
# Reset the ufw config
ufw --force reset
# let all incoming traffic pass
ufw default deny incoming
# and block outgoing by default
ufw default deny outgoing
list="$(dig +short remote 4-1-gb.cg-dialup.net)"
for item in $list
do
ufw allow out to $item
ufw allow in from $item
done
ufw allow out to 8.8.8.8
ufw allow in from 8.8.8.8
ufw allow out on tun0
ufw allow out 53
# Allow local IPv4 connections
ufw allow out to 10.0.0.0/8
ufw allow out to 172.16.0.0/12
ufw allow out to 192.168.0.0/24
ufw allow in from 192.168.0.0/24
# Allow IPv4 local multicasts
ufw allow out to 224.0.0.0/24
ufw allow out to 239.0.0.0/8
# Allow local IPv6 connections
ufw allow out to fe80::/64
# Allow IPv6 link-local multicasts
ufw allow out to ff01::/16
# Allow IPv6 site-local multicasts
ufw allow out to ff02::/16
ufw allow out to ff05::/16
# Enable the firewall
ufw enable
下载
#!/bin/sh
echo "Bringing down the tunnel DNS.."
resolvconf -d tap0
解析配置文件
nameserver 8.8.8.8
options edns0
当我尝试奔跑
sudo openvpn --config openvpn.ovpn --script-security 2 --up up.sh --down down.sh --up-restart
它工作得很好,但是当我拔掉网线 10 秒钟来模拟问题并重新插入时,我得到了:
Tue Jul 16 11:11:43 2019 us=970540 Initialization Sequence Completed
Tue Jul 16 11:11:51 2019 us=671314 Recursive routing detected, drop tun packet to [AF_INET]37.120.159.36:443
Tue Jul 16 11:11:51 2019 us=671489 Recursive routing detected, drop tun packet to [AF_INET]37.120.159.36:443
Tue Jul 16 11:11:51 2019 us=671531 Recursive routing detected, drop tun packet to [AF_INET]37.120.159.36:443
Tue Jul 16 11:11:53 2019 us=670882 Recursive routing detected, drop tun packet to [AF_INET]37.120.159.36:443
.
.
.
Tue Jul 16 11:14:40 2019 us=230774 [UNDEF] Inactivity timeout (--ping-restart), restarting
Tue Jul 16 11:14:40 2019 us=230875 TCP/UDP: Closing socket
Tue Jul 16 11:14:40 2019 us=230958 down.sh tun0 1500 1626 10.248.202.202 10.248.202.201 restart
Bringing down the tunnel DNS..
No resolv.conf for interface tap0
Tue Jul 16 11:14:40 2019 us=234713 WARNING: Failed running command (--up/--down): external program exited with error status: 1
Tue Jul 16 11:14:40 2019 us=234744 Exiting due to fatal error
Tue Jul 16 11:14:40 2019 us=234786 /sbin/ip route del 10.248.200.1/32
Tue Jul 16 11:14:40 2019 us=236717 /sbin/ip route del 37.120.159.36/32
RTNETLINK answers: No such process
Tue Jul 16 11:14:40 2019 us=237808 ERROR: Linux route delete command failed: external program exited with error status: 2
Tue Jul 16 11:14:40 2019 us=237859 /sbin/ip route del 0.0.0.0/1
Tue Jul 16 11:14:40 2019 us=239058 /sbin/ip route del 128.0.0.0/1
Tue Jul 16 11:14:40 2019 us=240052 Closing TUN/TAP interface
Tue Jul 16 11:14:40 2019 us=240104 /sbin/ip addr del dev tun0 local 10.248.202.202 peer 10.248.202.201
Tue Jul 16 11:14:40 2019 us=287588 down.sh tun0 1500 1626 10.248.202.202 10.248.202.201 init
Bringing down the tunnel DNS..
No resolv.conf for interface tap0
Tue Jul 16 11:14:40 2019 us=292226 WARNING: Failed running command (--up/--down): external program exited with error status: 1
Tue Jul 16 11:14:40 2019 us=292267 Exiting due to fatal error
我是不是做错了什么?有没有更简单的方法来实现这一点?因为我觉得这应该比这更简单。
答案1
我的解决方案并不理想,因为当 VPN 不存在时,它可能允许一些数据通过,然后再终止连接……我将我的设置为 1 秒,你可以尝试少得多。见下文。test.wav 需要一个声音文件(它工作得不好,听起来像并发问题,但它确实警告了我),或者忽略它。我的是用于 tun0,这是我的 VPN 连接。使用以下方法检查你的
ip route
当vpn连接和未连接时看看区别。
# 注意使用 sudo 运行此程序 # 注意 2 更新,如果没有自动重新连接(无论如何都会提示输入我的密码),则不需要 sudo。
while (true)
now=$(date +"%T")
do
(ip route | grep tun0)> route.txt
if [ -s route.txt ]
then
echo "VPN is connected "
else
echo "VPN is OFF stopping internet connection"
play test.wav
service network-manager stop
sleep 10
# to start it again 'sudo service network-manager start'
fi
echo "$now"
echo
sleep 1
done
睡不到一秒钟,得到这个 https://serverfault.com/questions/469247/how-do-i-sleep-for-a-millisecond-in-bash-or-ksh
“sleep 的历史实现要求数字是整数,并且只接受没有后缀的单个参数。但是,GNU sleep 接受任意浮点数。请参阅浮点。
因此您可以使用 sleep 0.1、sleep 1.0e-1 和类似的参数。”
答案2
此处的新 gnome tweak 声称可以做到这一点。唯一的警告是您需要先连接到 vpn 才能启用它。我已将以太网自动连接到 vpn,这是一个顶部栏按钮,上面写着 VP ON 或 VP OFF ,当断开连接时,则显示 VPN DOWN。当连接丢失并重新连接时。必须单击 VPM DOWN 才能关闭,然后再次单击才能打开。TWEAKS 中没有设置。我不知道断开连接需要多长时间,但比我上面脚本中的秒数要少。
https://extensions.gnome.org/extension/1898/protectmevpn/
“如果启用并且您的 VPN 已关闭或离线,将禁用所有活动连接(wifi、有线)。请确保在打开 VPN 保护之前启用您的 VPN 连接。要打开/关闭它,只需在菜单栏上单击 VP-OFF。它将更改为 VP-ON(VPN 保护)并保护您的隐私。出现错误时,请确保您已安装“nmcli”(nmcli -v >= 1.16.0)”
配套的调整是顶部栏指示器,即“VPN 已启动”或“VPN 已关闭”。 https://extensions.gnome.org/extension/1134/vpn-indicator/