openvpn route-up script fails when run from systemctl

I have a set of programs that must run through a VPN and must not be able to reach the internet when the VPN is not connected, on Arch Linux. To achieve this I create a network namespace that contains the VPN network interface as its only way to the internet, and run those processes inside that network namespace.

The problem I am facing is that while it works fine if I run openvpn as root, it does not if I run it via systemctl.

OpenVPN configuration:

client
route-noexec
script-security 2
dev tun42
proto udp
remote <remotehost> <remoteport>
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/client/ca.crt
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/client/vpn-creds
comp-lzo
verb 1
reneg-sec 0
crl-verify /etc/openvpn/client/crl.pem
route-up /etc/openvpn/client/route-up.sh

route-up.sh:

#!/bin/bash
# Diagnostic: log which user OpenVPN runs this script as
/bin/whoami

NS=ns

# Create the namespace once; ip(8) records it as a mount under /var/run/netns
if [ ! -f /var/run/netns/$NS ]; then
    /sbin/ip netns add $NS
fi

# $dev, $ifconfig_local and $ifconfig_remote are exported by OpenVPN for --route-up
/sbin/ip link set $dev netns $NS
/sbin/ip netns exec $NS /sbin/ifconfig lo up
/sbin/ip netns exec $NS /sbin/ifconfig $dev $ifconfig_local pointopoint $ifconfig_remote up
/sbin/ip netns exec $NS /sbin/route add default gw $ifconfig_remote metric 1024

Output of systemctl status openvpn-client@vpn after attempting start:

Feb 18 11:57:22 arch openvpn[5216]: root
Feb 18 11:57:22 arch openvpn[5216]: mount --make-shared /var/run/netns failed: Operation not permitted
Feb 18 11:57:22 arch openvpn[5216]: Error: argument "ns" is wrong: Invalid "netns" value
Feb 18 11:57:22 arch openvpn[5216]: Cannot open network namespace "ns": No such file or directory
Feb 18 11:57:22 arch openvpn[5216]: Cannot open network namespace "ns": No such file or directory
Feb 18 11:57:22 arch openvpn[5216]: Cannot open network namespace "ns": No such file or directory
Feb 18 11:57:22 arch openvpn[5216]: WARNING: Failed running command (--route-up): external program exited with error status: 1
Feb 18 11:57:22 arch openvpn[5216]: Initialization Sequence Completed

It shows the same behaviour whether it is started manually or automatically at system boot (if I enable the service).

Output of systemctl cat openvpn-client@.service:

# /usr/lib/systemd/system/openvpn-client@.service
[Unit]
Description=OpenVPN tunnel for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/client
ExecStart=/usr/bin/openvpn --suppress-timestamps --nobind --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=process

[Install]
WantedBy=multi-user.target

How can I make it set up the network namespace correctly when run via systemctl?
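As an added example (not code from the question or either answer), a small Python checker that parses the [Service] section of the unit above and reports the sandbox settings that collide with what route-up.sh does; the unit text is a constructed excerpt of the one shown, and the checks rest on mount(2) requiring CAP_SYS_ADMIN and on PrivateTmp/ProtectSystem/ProtectHome giving the service its own mount namespace, as stated in the comments.

```python
# Constructed excerpt of the unit shown in the question (not read from disk).
UNIT_TEXT = """\
[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/client
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
ProtectSystem=true
ProtectHome=true
"""

# Directives that give the service its own mount namespace (systemd.exec(5)).
MOUNT_NS_DIRECTIVES = ("PrivateTmp", "ProtectSystem", "ProtectHome")


def parse_service_section(unit_text):
    """Return {directive: value} for the [Service] section of a unit file."""
    settings, in_service = {}, False
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_service = line == "[Service]"
            continue
        if in_service and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def netns_findings(unit_text):
    """List sandbox settings that stop a route-up script from creating and
    sharing a network namespace with `ip netns`."""
    svc = parse_service_section(unit_text)
    findings = []
    caps = set(svc.get("CapabilityBoundingSet", "").split())
    # `ip netns add` bind-mounts /var/run/netns (the mount that fails in the
    # log); mount(2) needs CAP_SYS_ADMIN, so the bounding set must keep it.
    if caps and "CAP_SYS_ADMIN" not in caps:
        findings.append("CapabilityBoundingSet lacks CAP_SYS_ADMIN: "
                        "'ip netns add' cannot mount /var/run/netns")
    # Inside a private mount namespace the script's mounts are not visible to
    # the rest of the system, so other processes cannot enter the namespace.
    active = [d for d in MOUNT_NS_DIRECTIVES
              if svc.get(d, "false") not in ("false", "no", "0")]
    if active:
        findings.append("private mount namespace (" + ", ".join(active) +
                        "): netns mounts stay invisible outside the service")
    return findings
```

Run it against a unit before loosening directives, so only the settings that actually block the script are changed.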

Answer 1

Had a similar problem with ssh up/down scripts (not using selinux) until I found this question.

Although this question is old, I solved it by changing the following sandbox options in the service definition:

ProtectSystem=true
#ProtectHome=true
ProtectHome=read-only

Maybe this helps someone else. More information can be found here.

Answer 2

I ran into this recently too, and it turned out to be selinux. Here is what you can do to mitigate it:

cd /etc/openvpn
mkdir -p scripts
chown -R root:root scripts
chmod 0700 scripts
cd scripts
# create up and down scripts here
# placing scripts in this directory is important!!
# restorecon must be run 
restorecon -R /etc/openvpn/scripts/
setsebool openvpn_run_unconfined on

In short, selinux ships with a preinstalled configuration that allows up and down scripts to run as long as they are placed in /etc/openvpn/scripts. Once the scripts are in that directory, running restorecon ensures the correct selinux labels are set on them, and setting the sebool to on allows the up and down scripts to run.
