我正在尝试在 Ubuntu 18.04.3 上设置 VPN。按照这个问题,我在 .ovpn 文件末尾添加了以下几行:
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
我也跑了
sudo rm -i /etc/resolv.conf
sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
修复 /etc/resolv.conf。
然后我在 VPN 设置 -> 添加 VPN -> 从文件打开下创建了 VPN,并使用了 .ovpn 文件。
但是,当我打开 VPN 时,计算机仍然使用本地 DNS 服务器,而不是 VPN 的 DNS 服务器。
以下是 VPN 开启和关闭情况下的各种诊断结果:
---------------------------VPN 关闭:------------------------------
猫/运行/resolvconf/resolv.conf:
No such file or directory
猫/运行/systemd/resolv/resolv.conf:
nameserver 192.168.0.1
nameserver fd08:b55d:5917:0:3e89:94ff:fe31:c148
search Home
猫/运行/systemd/resolve/stub-resolv.conf:
nameserver 127.0.0.53
options edns0
search Home
systemd-resolve——状态:
Global
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
corp
d.f.ip6.arpa
home
internal
intranet
lan
local
private
test
Link 2 (wlp59s0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 192.168.0.1
fd08:b55d:5917:0:3e89:94ff:fe31:c148
DNS Domain: Home
猫/等/网络/接口:
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback
猫/etc/netplan/*.yaml:
# Let NetworkManager manage all devices on this system
network:
version: 2
renderer: NetworkManager
----------------------------------------VPN 开启:------------------------------
猫/运行/resolvconf/resolv.conf:
No such file or directory
猫/运行/systemd/resolv/resolv.conf:
nameserver 192.168.0.1
nameserver fd08:b55d:5917:0:3e89:94ff:fe31:c148
nameserver 10.34.16.1
search Home
猫/运行/systemd/resolve/stub-resolv.conf:
nameserver 127.0.0.53
options edns0
search Home
systemd-resolve——状态:
Global
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
corp
d.f.ip6.arpa
home
internal
intranet
lan
local
private
test
Link 8 (tun0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 10.34.16.1
Link 2 (wlp59s0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 192.168.0.1
fd08:b55d:5917:0:3e89:94ff:fe31:c148
DNS Domain: Home
猫/等/网络/接口:
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback
猫/etc/netplan/*.yaml:
# Let NetworkManager manage all devices on this system
network:
version: 2
renderer: NetworkManager
编辑:
ls -al /sbin/resolvconf 输出ls: cannot access '/sbin/resolvconf': No such file or directory。
关闭 VPN 后,host -v www.ebay.com输出:
Trying "www.ebay.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12728
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.ebay.com. IN A
;; ANSWER SECTION:
www.ebay.com. 60 IN CNAME slot9428.ebay.com.edgekey.net.
slot9428.ebay.com.edgekey.net. 60 IN CNAME e9428.b.akamaiedge.net.
e9428.b.akamaiedge.net. 60 IN A 104.78.177.101
Received 122 bytes from 192.168.0.1#53 in 14 ms
Trying "e9428.b.akamaiedge.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 881
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;e9428.b.akamaiedge.net. IN AAAA
;; AUTHORITY SECTION:
b.akamaiedge.net. 996 IN SOA n0b.akamaiedge.net. hostmaster.akamai.com. 1568976151 1000 1000 1000 1800
Received 101 bytes from 192.168.0.1#53 in 12 ms
Trying "e9428.b.akamaiedge.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30223
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;e9428.b.akamaiedge.net. IN MX
;; AUTHORITY SECTION:
b.akamaiedge.net. 1000 IN SOA n0b.akamaiedge.net. hostmaster.akamai.com. 1568976180 1000 1000 1000 1800
Received 101 bytes from 192.168.0.1#53 in 13 ms
开启 VPN 后:
Trying "www.ebay.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7665
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.ebay.com. IN A
;; ANSWER SECTION:
www.ebay.com. 60 IN CNAME slot9428.ebay.com.edgekey.net.
slot9428.ebay.com.edgekey.net. 60 IN CNAME e9428.b.akamaiedge.net.
e9428.b.akamaiedge.net. 60 IN A 104.78.177.101
Received 122 bytes from 192.168.0.1#53 in 15 ms
Trying "e9428.b.akamaiedge.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1414
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;e9428.b.akamaiedge.net. IN AAAA
;; AUTHORITY SECTION:
b.akamaiedge.net. 999 IN SOA n0b.akamaiedge.net. hostmaster.akamai.com. 1568976217 1000 1000 1000 1800
Received 101 bytes from 192.168.0.1#53 in 12 ms
Trying "e9428.b.akamaiedge.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6348
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;e9428.b.akamaiedge.net. IN MX
;; AUTHORITY SECTION:
b.akamaiedge.net. 994 IN SOA n0b.akamaiedge.net. hostmaster.akamai.com. 1568976219 1000 1000 1000 1800
Received 101 bytes from 192.168.0.1#53 in 19 ms
编辑2:运行后,在开启VPN的情况下,sudo apt-get install resolvconf的输出变为:host -v www.ebay.com
Trying "www.ebay.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9033
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.ebay.com. IN A
;; ANSWER SECTION:
www.ebay.com. 60 IN CNAME slot9428.ebay.com.edgekey.net.
slot9428.ebay.com.edgekey.net. 59 IN CNAME e9428.b.akamaiedge.net.
e9428.b.akamaiedge.net. 59 IN A 104.78.177.101
Received 122 bytes from 127.0.0.53#53 in 57 ms
Trying "e9428.b.akamaiedge.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19716
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;e9428.b.akamaiedge.net. IN AAAA
Received 40 bytes from 127.0.0.53#53 in 15 ms
Trying "e9428.b.akamaiedge.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48908
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;e9428.b.akamaiedge.net. IN MX
Received 40 bytes from 127.0.0.53#53 in 21 ms
编辑3:
cat /etc/resolv.conf和的输出cat /run/resolvconf/resolv.conf相同,且为:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.
nameserver 127.0.0.53
search Home
编辑 4:调用grep -r '192.168.0.1' /etc/返回:
/etc/sane.d/saned.conf:#192.168.0.1
/etc/sane.d/saned.conf:#192.168.0.1/29
/etc/sane.d/magicolor.conf:# net 192.168.0.1
/etc/avahi/hosts:# 192.168.0.1 router.local
通过网络管理器 GUI(即从顶部菜单)打开 VPN 后,输出如下systemd-resolve --status:
Global
DNS Domain: Home
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
corp
d.f.ip6.arpa
home
internal
intranet
lan
local
private
test
Link 13 (tun0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 10.34.40.1
Link 2 (wlp59s0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 192.168.0.1
fd08:b55d:5917:0:3e89:94ff:fe31:c148
DNS Domain: Home
通过调用 VPNsudo openvpn似乎工作正常:输出为systemd-resolve --status:
Global
DNS Servers: 10.34.48.1
DNS Domain: Home
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
corp
d.f.ip6.arpa
home
internal
intranet
lan
local
private
test
Link 14 (tun0)
Current Scopes: none
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
Link 2 (wlp59s0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 192.168.0.1
fd08:b55d:5917:0:3e89:94ff:fe31:c148
DNS Domain: Home
dnsleak.com 显示 VPN 的 DNS 服务器,并host -v www.ebay.com从 10.34.48.1 获取其数据。
从终端初始化 VPN 时输出的两个有趣的输出行是:
/etc/openvpn/update-resolv-conf tun0 1500 1553 10.34.48.8 255.255.252.0 init
dhcp-option DNS 10.34.48.1
看起来好像openvpn命令正在改变dhcp-option,但是网络管理器没有。
答案1
DNSoverTLS 1.1.1.1 OpenVPN 配置。
首先,您需要安装 systemd-resolved 并配置为使用 stub-resolv.conf。
ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
cat /etc/resolv.conf
输出
nameserver 127.0.0.53
options edns0
systemd-networkd
/etc/systemd/resolved.conf (示例):
[Resolve]
DNS=8.8.8.8 8.8.4.4
FallbackDNS=1.1.1.1 1.0.0.1
LLMNR=no
MulticastDNS=no
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
Cache=yes
DNSStubListener=yes
/etc/systemd/network/ethX.network(示例):
[Match]
Name=eth*
[Link]
RequiredForOnline=yes
[Network]
DHCP=yes
MulticastDNS=no
LLMNR=no
LinkLocalAddressing=no
[DHCP]
UseDNS=yes
UseHostname=no
CriticalConnection=yes
/etc/systemd/network/tunX.network(重要!):
(为了使 openvpn 能够管理 tun 链接,该链接必须是未管理的)
[Match]
Name=tun*
[Link]
Unmanaged=yes
我用更新已解决配置 systemd-resolved。(你可以使用更新系统已解决或者 aptitude install openvpn-systemd-resolved,但是当你需要按照 自述文件.md反而)。
安装更新已解决:
cd /etc/openvpn
git clone https://github.com/bac0n/update-resolved.git
将 update-resolved 添加到你的 openvpn.conf:
# Include update-resolved up/down script.
config /etc/openvpn/update-resolved/update-resolved.ovpn
重启 openvpn:
systemctl restart openvpn
日志:
journalctl -t update-resolved
输出
-- Logs begin at Sat 2019-09-21 12:28:01 CEST, end at Sun 2019-09-22 17:05:01 CEST. --
Sep 21 12:28:11 foobar update-resolved[914]: Note: Successfully configured resolved on link 3 (tun0)
笔记:
默认情况下,它使用 openvpn 提供的 dns。如果您喜欢使用静态 dns,则需要在“update-resolved.ovpn”中过滤 openvpn 提供的 dns,并在“update-resolved.conf”中设置您自己的 dns
例子:
resolve_options=(DOMAIN ~. DNS 1.1.1.1 DNS 1.0.0.1 LLMNR no MulticastDNS no)
(当使用域名 ~. 时,resolved 将使用 tun 链接执行所有 dns 查询(除非其他域名也带有这种仅路由的域名)。当 tun 链接被删除时,resolved 将开始并行使用“全局”和“isp”dns,协议和路由)
答案2
首先,似乎您当前的 update-resolv-conf 脚本可能直接覆盖了 /etc/resolv.conf 并导致死链接,我们可以在您的 up 和 down 脚本中修复此问题。根据您的问题,您希望 /etc/resolv.conf 链接到 /run/resolvconf/resolv.conf,而不是 systemd resolv.conf。您应该有两个脚本,一个在 openvpn 连接时,一个在它断开连接时,因此请将您的 vpn 配置稍微修改为:
script-security 2
up /etc/openvpn/update-resolv-conf-up
down /etc/openvpn/update-resolv-conf-down
创建 update-resolv-conf-up 和 update-resolv-conf-down 后,您需要为其添加 +x 权限。
/etc/openvpn/update-resolv-conf-up
#!/bin/sh
cat <<EOF > /run/resolvconf/resolv.conf
nameserver 127.0.0.53
options edns0
nameserver 10.34.48.1
nameserver 192.168.0.1
nameserver fd08:b55d:5917:0:3e89:94ff:fe31:c148
search Home
EOF
rm /etc/resolv.conf
ln -s /run/resolvconf/resolv.conf /etc/resolv.conf
和 /etc/openvpn/update-resolv-conf-down
#!/bin/sh
cat <<EOF > /run/systemd/resolve/resolv.conf
nameserver 127.0.0.53
options edns0
nameserver 192.168.0.1
nameserver fd08:b55d:5917:0:3e89:94ff:fe31:c148
search Home
EOF
/etc/openvpn/update-resolv-conf-up 脚本确保名称服务器 127.0.0.53 是第一个名称服务器,确保 DNS 在解析地址时使用它,当 vpn 连接时,10.34.48.1 成为第二个 dns,而 192.168.0.1 始终是最后一个 dns。