DNS over TLS 1.1.1.1 OpenVPN configuration.

I am trying to set up a VPN on Ubuntu 18.04.3. Following this question, I added the following lines to the end of the .ovpn file:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

I also ran

sudo rm -i /etc/resolv.conf

sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf

to fix /etc/resolv.conf.

I then created the VPN under VPN Settings -> Add VPN -> Open from file, using the .ovpn file.

However, when I turn the VPN on, the computer still uses the local DNS server rather than the VPN's DNS server.

Here are various diagnostics with the VPN off and with it on:

---------------------------VPN off:------------------------------

cat /run/resolvconf/resolv.conf:

No such file or directory

cat /run/systemd/resolve/resolv.conf:

nameserver 192.168.0.1
nameserver fd08:b55d:5917:0:3e89:94ff:fe31:c148
search Home

cat /run/systemd/resolve/stub-resolv.conf:

nameserver 127.0.0.53
options edns0
search Home

systemd-resolve --status:

Global
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 2 (wlp59s0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.0.1
                      fd08:b55d:5917:0:3e89:94ff:fe31:c148
          DNS Domain: Home

cat /etc/network/interfaces:

# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback

cat /etc/netplan/*.yaml:

# Let NetworkManager manage all devices on this system
network:
  version: 2
  renderer: NetworkManager

----------------------------------------VPN on:------------------------------

cat /run/resolvconf/resolv.conf:

No such file or directory

cat /run/systemd/resolve/resolv.conf:

nameserver 192.168.0.1
nameserver fd08:b55d:5917:0:3e89:94ff:fe31:c148
nameserver 10.34.16.1
search Home

cat /run/systemd/resolve/stub-resolv.conf:

nameserver 127.0.0.53
options edns0
search Home

systemd-resolve --status:

Global
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 8 (tun0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 10.34.16.1

Link 2 (wlp59s0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.0.1
                      fd08:b55d:5917:0:3e89:94ff:fe31:c148
          DNS Domain: Home

cat /etc/network/interfaces:

# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback

cat /etc/netplan/*.yaml:

# Let NetworkManager manage all devices on this system
network:
  version: 2
  renderer: NetworkManager

Edit:

ls -al /sbin/resolvconf outputs ls: cannot access '/sbin/resolvconf': No such file or directory

With the VPN off, host -v www.ebay.com outputs:

Trying "www.ebay.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12728
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.ebay.com.          IN  A

;; ANSWER SECTION:
www.ebay.com.       60  IN  CNAME   slot9428.ebay.com.edgekey.net.
slot9428.ebay.com.edgekey.net. 60 IN    CNAME   e9428.b.akamaiedge.net.
e9428.b.akamaiedge.net. 60  IN  A   104.78.177.101

Received 122 bytes from 192.168.0.1#53 in 14 ms
Trying "e9428.b.akamaiedge.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 881
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;e9428.b.akamaiedge.net.        IN  AAAA

;; AUTHORITY SECTION:
b.akamaiedge.net.   996 IN  SOA n0b.akamaiedge.net. hostmaster.akamai.com. 1568976151 1000 1000 1000 1800

Received 101 bytes from 192.168.0.1#53 in 12 ms
Trying "e9428.b.akamaiedge.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30223
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;e9428.b.akamaiedge.net.        IN  MX

;; AUTHORITY SECTION:
b.akamaiedge.net.   1000    IN  SOA n0b.akamaiedge.net. hostmaster.akamai.com. 1568976180 1000 1000 1000 1800

Received 101 bytes from 192.168.0.1#53 in 13 ms

With the VPN on:

Trying "www.ebay.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7665
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.ebay.com.          IN  A

;; ANSWER SECTION:
www.ebay.com.       60  IN  CNAME   slot9428.ebay.com.edgekey.net.
slot9428.ebay.com.edgekey.net. 60 IN    CNAME   e9428.b.akamaiedge.net.
e9428.b.akamaiedge.net. 60  IN  A   104.78.177.101

Received 122 bytes from 192.168.0.1#53 in 15 ms
Trying "e9428.b.akamaiedge.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1414
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;e9428.b.akamaiedge.net.        IN  AAAA

;; AUTHORITY SECTION:
b.akamaiedge.net.   999 IN  SOA n0b.akamaiedge.net. hostmaster.akamai.com. 1568976217 1000 1000 1000 1800

Received 101 bytes from 192.168.0.1#53 in 12 ms
Trying "e9428.b.akamaiedge.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6348
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;e9428.b.akamaiedge.net.        IN  MX

;; AUTHORITY SECTION:
b.akamaiedge.net.   994 IN  SOA n0b.akamaiedge.net. hostmaster.akamai.com. 1568976219 1000 1000 1000 1800

Received 101 bytes from 192.168.0.1#53 in 19 ms

Edit 2: after running sudo apt-get install resolvconf, with the VPN on, the output of host -v www.ebay.com becomes:

Trying "www.ebay.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9033
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.ebay.com.          IN  A

;; ANSWER SECTION:
www.ebay.com.       60  IN  CNAME   slot9428.ebay.com.edgekey.net.
slot9428.ebay.com.edgekey.net. 59 IN    CNAME   e9428.b.akamaiedge.net.
e9428.b.akamaiedge.net. 59  IN  A   104.78.177.101

Received 122 bytes from 127.0.0.53#53 in 57 ms
Trying "e9428.b.akamaiedge.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19716
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;e9428.b.akamaiedge.net.        IN  AAAA

Received 40 bytes from 127.0.0.53#53 in 15 ms
Trying "e9428.b.akamaiedge.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48908
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;e9428.b.akamaiedge.net.        IN  MX

Received 40 bytes from 127.0.0.53#53 in 21 ms

Edit 3:

The output of cat /etc/resolv.conf and of cat /run/resolvconf/resolv.conf is the same, namely:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 127.0.0.53
search Home

Edit 4: running grep -r '192.168.0.1' /etc/ returns:

/etc/sane.d/saned.conf:#192.168.0.1
/etc/sane.d/saned.conf:#192.168.0.1/29
/etc/sane.d/magicolor.conf:# net 192.168.0.1
/etc/avahi/hosts:# 192.168.0.1 router.local

After turning the VPN on through the NetworkManager GUI (i.e. from the top menu), the output of systemd-resolve --status is:

Global
          DNS Domain: Home
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 13 (tun0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 10.34.40.1

Link 2 (wlp59s0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.0.1
                      fd08:b55d:5917:0:3e89:94ff:fe31:c148
          DNS Domain: Home

Starting the VPN by calling sudo openvpn seems to work fine: the output of systemd-resolve --status is:

Global
         DNS Servers: 10.34.48.1
          DNS Domain: Home
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 14 (tun0)
      Current Scopes: none
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

Link 2 (wlp59s0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.0.1
                      fd08:b55d:5917:0:3e89:94ff:fe31:c148
          DNS Domain: Home

dnsleak.com shows the VPN's DNS server, and host -v www.ebay.com gets its data from 10.34.48.1.

Two interesting output lines when the VPN is started from the terminal are:

/etc/openvpn/update-resolv-conf tun0 1500 1553 10.34.48.8 255.255.252.0 init
dhcp-option DNS 10.34.48.1

It looks as if the openvpn command is applying the dhcp-option, but NetworkManager is not.

Answer 1

DNS over TLS 1.1.1.1 OpenVPN configuration.

First, you need to install systemd-resolved and configure it to use stub-resolv.conf.

ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
cat /etc/resolv.conf

Output

nameserver 127.0.0.53
options edns0

systemd-networkd

/etc/systemd/resolved.conf (example):

[Resolve]
DNS=8.8.8.8 8.8.4.4
FallbackDNS=1.1.1.1 1.0.0.1
LLMNR=no
MulticastDNS=no
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
Cache=yes
DNSStubListener=yes

/etc/systemd/network/ethX.network (example):

[Match]
Name=eth*

[Link]
RequiredForOnline=yes

[Network]
DHCP=yes
MulticastDNS=no
LLMNR=no
LinkLocalAddressing=no

[DHCP]
UseDNS=yes
UseHostname=no
CriticalConnection=yes

/etc/systemd/network/tunX.network (important!):

(For openvpn to be able to manage the tun link, the link must be unmanaged)

[Match]
Name=tun*

[Link]
Unmanaged=yes

I configure systemd-resolved with update-resolved. (You can use update-systemd-resolved or aptitude install openvpn-systemd-resolved instead, but then you need to follow its README.md instead.)

Install update-resolved:

cd /etc/openvpn
git clone https://github.com/bac0n/update-resolved.git

Add update-resolved to your openvpn.conf:

# Include update-resolved up/down script.
config /etc/openvpn/update-resolved/update-resolved.ovpn

Restart openvpn:

systemctl restart openvpn

Logs:

journalctl -t update-resolved

Output

-- Logs begin at Sat 2019-09-21 12:28:01 CEST, end at Sun 2019-09-22 17:05:01 CEST. --
Sep 21 12:28:11 foobar update-resolved[914]: Note: Successfully configured resolved on link 3 (tun0)

Note:

By default it uses the DNS provided by openvpn. If you prefer to use a static DNS, you need to filter out the openvpn-provided DNS in "update-resolved.ovpn" and set your own DNS in "update-resolved.conf".

Example:

resolve_options=(DOMAIN ~. DNS 1.1.1.1 DNS 1.0.0.1 LLMNR no MulticastDNS no)

(When the domain ~. is used, resolved will perform all DNS queries over the tun link (unless other links also carry such a route-only domain). When the tun link is removed, resolved will start using the "global" and "ISP" DNS in parallel, protocols and routes
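The resolved.conf above relies on `DNSOverTLS=opportunistic` and `DNSSEC=allow-downgrade`. Both keep resolving if the upstream does not offer TLS or validation, which also means an on-path party can force that fallback. As an added example (not code from the answer or from systemd), here is a small POSIX sh audit that reads those two keys the way systemd does (last assignment wins) and flags the downgradable settings. The sample file it writes is constructed; strict `DNSOverTLS=yes` assumes a systemd new enough to support it (243 or later).

```shell
#!/bin/sh
# Added example, not part of the answer: audit a resolved.conf for the two
# keys that decide whether 1.1.1.1 is really reached over TLS and validated.

# Effective value of key $2 in file $1: last assignment wins, like systemd;
# prints nothing when the key is absent or commented out.
resolved_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# One line per weak setting; prints "ok" and returns 0 only when both are strict.
audit_resolved_conf() {
    _rc=0
    case "$(resolved_value "$1" DNSOverTLS)" in
        yes) ;;   # strict: no fallback to plaintext port 53 (needs systemd 243+)
        opportunistic)
            echo "DNSOverTLS=opportunistic: falls back to plaintext if TLS fails, so an on-path attacker can downgrade it"
            _rc=1 ;;
        *)  echo "DNSOverTLS not enabled: queries to the upstream are plaintext"; _rc=1 ;;
    esac
    case "$(resolved_value "$1" DNSSEC)" in
        yes) ;;
        allow-downgrade)
            echo "DNSSEC=allow-downgrade: validation is silently skipped when the upstream looks non-validating"
            _rc=1 ;;
        *)  echo "DNSSEC not enabled: answers are not validated"; _rc=1 ;;
    esac
    [ "$_rc" -eq 0 ] && echo ok
    return "$_rc"
}

# Constructed sample configs: $1 = path, $2 = "opportunistic" (the answer's
# settings) or "strict" (hardened).
write_sample() {
    if [ "$2" = strict ]; then _tls=yes; _sec=yes; else _tls=opportunistic; _sec=allow-downgrade; fi
    cat > "$1" <<EOF
[Resolve]
DNS=1.1.1.1 1.0.0.1
LLMNR=no
MulticastDNS=no
DNSSEC=$_sec
DNSOverTLS=$_tls
DNSStubListener=yes
EOF
}

# Stand-alone demo on a temp file (audit the live file with:
#   audit_resolved_conf /etc/systemd/resolved.conf)
_demo=$(mktemp)
write_sample "$_demo" opportunistic
audit_resolved_conf "$_demo" || true
rm -f "$_demo"
```

Run it against /etc/systemd/resolved.conf after editing; a non-zero exit means at least one of the two settings can still be downgraded by whoever sits between you and the resolver.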

Answer 2

First, it seems your current update-resolv-conf script may be overwriting /etc/resolv.conf directly and leaving a dead link; we can fix that in your up and down scripts. Based on your question, you want /etc/resolv.conf to link to /run/resolvconf/resolv.conf rather than to the systemd resolv.conf. You should have two scripts, one for when openvpn connects and one for when it disconnects, so modify your VPN config slightly to:

script-security 2
up /etc/openvpn/update-resolv-conf-up
down /etc/openvpn/update-resolv-conf-down

After creating update-resolv-conf-up and update-resolv-conf-down, you need to give them +x permission.

/etc/openvpn/update-resolv-conf-up:

#!/bin/sh
# Run by openvpn when the tunnel comes up: stub resolver first, then the
# VPN DNS, then the LAN DNS, and point /etc/resolv.conf at this file.

cat <<EOF > /run/resolvconf/resolv.conf
nameserver 127.0.0.53
options edns0
nameserver 10.34.48.1
nameserver 192.168.0.1
nameserver fd08:b55d:5917:0:3e89:94ff:fe31:c148
search Home
EOF

rm /etc/resolv.conf
ln -s /run/resolvconf/resolv.conf /etc/resolv.conf

and /etc/openvpn/update-resolv-conf-down:

#!/bin/sh
# Run by openvpn when the tunnel goes down: the VPN DNS is removed again.
cat <<EOF > /run/systemd/resolve/resolv.conf
nameserver 127.0.0.53
options edns0
nameserver 192.168.0.1
nameserver fd08:b55d:5917:0:3e89:94ff:fe31:c148
search Home
EOF

The /etc/openvpn/update-resolv-conf-up script makes sure that nameserver 127.0.0.53 is the first nameserver, so DNS uses it when resolving addresses; while the VPN is connected, 10.34.48.1 becomes the second DNS, and 192.168.0.1 is always the last DNS.
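The question's terminal output shows OpenVPN already pushing `dhcp-option DNS 10.34.48.1`, which OpenVPN exports to its scripts as `foreign_option_N`, and the answer above hard-codes that address into a hand-written resolv.conf. As an added example (not code from the question or either answer), here is an `up`/`down` script that reads the pushed options instead, whitelists their values, and hands them to systemd-resolved for the tun link only, so the LAN resolver is left untouched and restored on disconnect. It assumes `systemd-resolve` with `--interface`, `--set-dns`, `--set-domain` and `--revert` (present on Ubuntu 18.04) and the `$dev`, `$script_type` and `$foreign_option_N` variables OpenVPN exports; the `~.` default domain and the refusal to come up without a pushed DNS server are my choices, not something the page prescribes.

```shell
#!/bin/sh
# Added example, not code from the question or either answer: an OpenVPN
# up/down script that takes the DNS servers and search domains the server
# pushes (foreign_option_N="dhcp-option DNS <ip>" / "dhcp-option DOMAIN <name>")
# and gives them to systemd-resolved for the tun link only.
# Hook it in with:   script-security 2
#                    up   /etc/openvpn/resolved-up-down
#                    down /etc/openvpn/resolved-up-down
# Assumes systemd-resolve(1) with --interface/--set-dns/--set-domain/--revert
# and the $dev, $script_type and $foreign_option_N variables OpenVPN exports.

# Values of every foreign_option_N of the form "dhcp-option $1 <value>", space
# separated. A value is kept only if it is made of the characters in $2, so a
# malformed or hostile push cannot smuggle extra words onto the command line.
foreign_values() {
    _i=1; _out=""
    while :; do
        eval "_opt=\${foreign_option_$_i:-}"
        [ -n "$_opt" ] || break
        case "$_opt" in
            "dhcp-option $1 "*)
                _v=${_opt#"dhcp-option $1 "}
                case "$_v" in
                    ""|*[!$2]*) echo "ignoring malformed $1 value: $_v" >&2 ;;
                    *)          _out="$_out $_v" ;;
                esac ;;
        esac
        _i=$((_i + 1))
    done
    printf '%s\n' "${_out# }"
}

collect_foreign_dns() { foreign_values DNS '0-9a-fA-F.:'; }

# Pushed search domains, or "~." when none: a route-only domain that makes
# resolved send every query through the tun link while it is up (my choice).
collect_foreign_domains() {
    _d=$(foreign_values DOMAIN 'A-Za-z0-9.-')
    printf '%s\n' "${_d:-"~."}"
}

# Arguments for systemd-resolve for device $1, space separated; splitting
# them later is safe because every value passed the whitelist above.
resolve_args() {
    _a="--interface=$1"
    for _s in $(collect_foreign_dns);     do _a="$_a --set-dns=$_s";    done
    for _d in $(collect_foreign_domains); do _a="$_a --set-domain=$_d"; done
    printf '%s\n' "$_a"
}

case "${script_type:-}" in
    up)
        # Refuse to come up without a pushed resolver: keeping the LAN DNS
        # would silently send queries outside the tunnel (the question's symptom).
        if [ -z "$(collect_foreign_dns)" ]; then
            echo "no dhcp-option DNS pushed by the server" >&2; exit 1
        fi
        systemd-resolve $(resolve_args "$dev") ;;
    down)
        # Drop the per-link settings so the LAN resolver is used again.
        systemd-resolve --interface="$dev" --revert ;;
esac
```

After connecting, `systemd-resolve --status` should list the pushed server under the tun link with `~.` as its DNS domain, which is the state the question only reached when starting openvpn from the terminal; the whitelist matters because the script runs as root with whatever the VPN server chose to push.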