Cannot reach external services through OpenVPN in bridge mode, nor route everything through the vpn


I have set up a small server with a bridged OpenVPN setup. My goal is to use my network services and my internet connection from anywhere I have internet access. Right now I can only use the services in my own network through the vpn. I looked into the redirect-gateway option to force all traffic through the vpn. As soon as I activate this option I can no longer reach the internet, but I can still reach, for example, my private owncloud setup in my local network. If anyone could give me some advice, it would be very helpful. Thanks in advance.

Goals:

Route all traffic of my Ubuntu laptop through my vpn.

Be able to reach both internal and external services.

What I have already tried:

Pushing DNS settings through the VPN

Running various iptables commands, without success

What I think the problem is:

Even though I have tried to configure NAT with iptables rules, I am not sure I did it correctly.

Server configuration

server.conf:

server-bridge
port 1194
proto tcp
dev tap0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
# server-bridge br0_address netmask clientlowerlimit clientupperlimit
server-bridge 192.168.0.100 255.255.255.0 192.168.0.101 192.168.0.120
# push "route subnet_identifier netmask router_address"
push "route 192.168.0.0 255.255.255.0 192.168.0.1"
# push "dhcp-option DNS router_address"
push "dhcp-option DNS 192.168.0.1"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
verb 3
ifconfig-pool-persist ipp.txt
dh dh2048.pem
script-security 2
push "dhcp-option DNS 192.168.0.1"
push "redirect-gateway def1"

Bridge script:

#!/bin/sh

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth1"
eth_ip="192.168.0.21"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.0.255"
eth_gateway="192.168.0.1"

case "$1" in
start)
for t in $tap; do
    openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

sleep 10

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

route add default gw $eth_gateway
;;
stop)
ifconfig $br down
brctl delbr $br

for t in $tap; do
    openvpn --rmtun --dev $t
done

ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast

route add default gw $eth_gateway
;;
*)
echo "Usage:  bridge {start|stop}"
exit 1
;;
esac
exit 0

Client configuration

client.conf:

client
dev tap0
proto tcp
# I use port 80 because it is never blocked
remote domain.org 80
persist-key
persist-tun
ca ca.crt
cert test.crt
key test.key
remote-cert-tls server
comp-lzo
verb 3
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

update-resolv-conf:

#!/bin/bash
# 
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood and Chris Hanson.
# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL. 
# 
# Example envs set from openvpn:
#
#     foreign_option_1='dhcp-option DNS 8.8.8.8'
#     foreign_option_2='dhcp-option DNS 192.168.0.1'
#     foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
#

[ -x /sbin/resolvconf ] || exit 0
[ "$script_type" ] || exit 0
[ "$dev" ] || exit 0

split_into_parts()
{
part1="$1"
part2="$2"
part3="$3"
}

case "$script_type" in
up)
NMSRVRS=""
SRCHS=""
for optionvarname in ${!foreign_option_*} ; do
    option="${!optionvarname}"
    echo "$option"
    split_into_parts $option
    if [ "$part1" = "dhcp-option" ] ; then
        if [ "$part2" = "DNS" ] ; then
            NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
        elif [ "$part2" = "DOMAIN" ] ; then
            SRCHS="${SRCHS:+$SRCHS }$part3"
        fi
    fi
done
R=""
[ "$SRCHS" ] && R="search $SRCHS
"
for NS in $NMSRVRS ; do
        R="${R}nameserver $NS
"
done
echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
;;
down)
/sbin/resolvconf -d "${dev}.openvpn"
;;
esac

Answer 1

I was able to partially solve the problem. I am now using the Ubuntu VPN network manager to connect to the server, so there is no client config any more, but my server config changed to:

server-bridge
port 1194
proto tcp
dev tap0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
# server-bridge br0_address netmask clientlowerlimit clientupperlimit
server-bridge 192.168.0.100 255.255.255.0 192.168.0.101 192.168.0.120
# push "route subnet_identifier netmask router_address"
push "route 192.168.0.1 255.255.255.0"
# push "dhcp-option DNS router_address"
push "dhcp-option DNS 192.168.0.1"
push "redirect-gateway def1 bypass-dhcp"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
verb 3
ifconfig-pool-persist ipp.txt
dh dh2048.pem
script-security 2

After connecting to the server I still could not reach the internet through the vpn. To make it work I had to, on the client

sudo route add default gw 192.168.0.1

The only remaining task is to find a way to run this command automatically once the vpn connection is established. I would appreciate any suggestions.
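An added example, not part of the original answer and not OpenVPN's own code: a client-side up/down script in the style of the update-resolv-conf script above that runs the equivalent of that route command automatically. It assumes iproute2's ip(8) on the client and a ROUTER_GW environment variable (an assumed name) that defaults to the 192.168.0.1 router from the question.

```sh
#!/bin/sh
# Added example, not from the original post: an OpenVPN client up/down
# script that installs the LAN router as the default gateway once the tap
# device is up and removes it again when the tunnel goes down, wired in
# like update-resolv-conf above (script-security 2 is already set):
#   up   /etc/openvpn/bridge-default-route
#   down /etc/openvpn/bridge-default-route
# Assumptions: iproute2's ip(8) is present and the router address comes
# from ROUTER_GW (an assumed variable name), defaulting to 192.168.0.1.

ROUTER_GW="${ROUTER_GW:-192.168.0.1}"

# Accept only a dotted quad with octets 0-255: the value ends up in a
# command run as root, so it is never passed through unchecked.
validate_ipv4() {
    addr="$1"
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Build (but do not run) the route command for a phase, so the decision
# can be checked and logged before anything privileged happens.
route_cmd() {
    case "$1" in
        up)   echo "ip route replace default via $3 dev $2" ;;
        down) echo "ip route del default via $3 dev $2" ;;
        *)    return 1 ;;
    esac
}

# Entry point: OpenVPN exports script_type (up/down) and dev (e.g. tap0).
# Run by hand without them, the script does nothing.
if [ -n "$script_type" ] && [ -n "$dev" ]; then
    validate_ipv4 "$ROUTER_GW" || { echo "bad ROUTER_GW: $ROUTER_GW" >&2; exit 1; }
    cmd="$(route_cmd "$script_type" "$dev" "$ROUTER_GW")" || exit 1
    logger -t bridge-default-route "$cmd"
    $cmd
fi
```

The `down` phase only removes the route this script added, so a default route that existed before the tunnel came up is left alone.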

Answer 2

Try this for the client configuration in the .ovpn file

client
dev tun
proto udp
remote remote-ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca-cert.pem
cert client-user-cert.pem
key client-user-key.pem
ns-cert-type server
comp-lzo
redirect-gateway def1
verb 3
auth-nocache
auth-user-pass
