使用 OpenVPN 和 DNSMasq 启用 DNS 主机名解析

使用 OpenVPN 和 DNSMasq 启用 DNS 主机名解析

我已将 OpenVPN 配置为服务器来托管我自己的 VPN,并且我想使用 DNSMasq 来解析 VPN 上的主机名。

假设我有 OpenVPN 服务器、内网上的两台计算机和外网的一台计算机,所有客户端都是 VPN(192.168.254.0/24):

  • 内部网络:192.168.1.0/24
    • 服务器:IP:192.168.1.1
    • A:IP:192.168.1.2,VPN:192.168.254.2
    • :IP:192.168.1.3,VPN:192.168.254.3
  • 外部网络:192.168.2.0/24
    • C:IP:192.168.2.1,VPN:192.168.254.4

使用我当前的设置,两者A可以通过内部网络上的 DNSMasq 解析其主机名。并且,所有A, 和C可以通过直接 IP 互相访问。但是,我想允许C访问A通过主机名(DNS解析,而不是NetBIOS)而不是通过VPN引导所有网络流量。

OpenVPN配置:

proto tcp
dev tap
server 192.168.254.0 255.255.255.0
client-to-client
persist-key
persist-tun

我是否还需要将 VPN 服务器配置为客户端?我是否需要通过 VPN 从内部网络推送域?我需要做什么?

答案1

由于非常复杂,我得到了一些类似于 VPN 上的 DNS 的东西。

首先,我必须在向 OpenVPN 添加地址时运行一个脚本。在服务器配置中:

ifconfig-pool-persist ip-pool # Store mappings of CN,IP, 1 per line
script-security 2             # Allow OpenVPN to run user scripts
learn-address /path/to/learn-address.sh

我开始learn-address.sh来自旧 OpenVPN 线程的脚本ip-pool但由于我正在运行 TAP 接口,所以我必须添加脚本来解析文件:

#!/bin/sh
# openvpn learn-address script to manage a hosts-like file
# - intended to allow dnsmasq to resolve openvpn clients
#   addn-hosts=/etc/hosts.openvpn-clients
#
# Changelog
# 2006-10-13 BDL original
# 2018-12-10 Palswim change to query OpenVPN Persistent pool for TAP interfaces

# replace with a sub-domain of your domain, use a sub-domain to
# prevent VPN clients from stealing existing names
DOMAIN=example

HOSTS=/etc/openvpn/hosts

h="hosts-openvpn-$DOMAIN"
LOCKFILE="/var/run/$h.lock"

IP="$2"
CN="$3"

if [ -z "$IP" ]; then
    echo "$0: IP not provided" >&2
    exit 1
else
    # In TAP mode, OpenVPN passes MAC instead of IP, since with TAP, clients can use protocols other than IP
    MAC="$IP"
    IP=$(grep "^$CN[[:space:]]*," ip-pool | head -n 1 | cut -d, -f 2)
    if [ -z "$IP" ]; then
        echo "$0: Failed to find IP in ipconfig-pool" >&2
        exit 0
    else
        echo "$0: Translated MAC ($MAC) to IP ($IP)"
    fi
fi

case "$1" in
    add|update)
        if [ -z "$CN" ]; then
            echo "$0: Common Name not provided" >&2
            exit 0
        fi
    ;;
    delete)
    ;;
    *)
        echo "$0: unknown operation [$1]" >&2
        exit 1
    ;;
esac

# serialise concurrent accesses
[ -x /bin/lock ] && /bin/lock "$LOCKFILE"

# clean up IP if we can
[ -x /bin/ipcalc ] && eval $(ipcalc "$IP")

FQDN="$CN"

# busybox mktemp must have exactly six X's
t=$(/bin/mktemp "/run/shm/$h.XXXXXX")
if [ $? -ne 0 ]; then
    echo "$0: mktemp failed" >&2
    exit 1
fi


case "$1" in
    add|update)
        /usr/bin/awk '
            # update/uncomment address|FQDN with new record, drop any duplicates:
            $1 == "'"$IP"'" || $1 == "#'"$IP"'" || $2 == "'"$FQDN"'" \
            { if (!m) print "'"$IP"'\t'"$FQDN"'"; m=1; next }
            { print }
            END { if (!m) print "'"$IP"'\t'"$FQDN"'" }           # add new address to end
        ' "$HOSTS" > "$t" && cat "$t" > "$HOSTS"
    ;;

    delete)
            /usr/bin/awk '
            # no FQDN, comment out all matching addresses (should only be one)
            $1 == "'"$IP"'" { print "#" $0; next }
            { print }
        ' "$HOSTS" > "$t" && cat "$t" > "$HOSTS"
    ;;

esac

# signal dnsmasq to reread hosts file
kill -HUP $(cat /var/run/dnsmasq/dnsmasq.pid)

rm "$t"

[ -x /bin/lock ] && /bin/lock -u "$LOCKFILE"
exit 0

我最终在一台服务器上为自己的 LAN 运行 DNSMasq,在另一台服务器上为 VPN 运行 DNSMasq。我必须/etc/dnsmasq.conf在 VPN DNS 服务器上更新我的配置 ():

no-resolv                     # Didn't want to serve anything but VPN requests
interface=tap0
no-hosts                      # Don't use /etc/hosts
addn-hosts=/etc/openvpn/hosts # Target the output of the learn-address.sh script
expand-hosts
domain=example

完成这些后,我必须通过 OpenVPN 的 DHCP 服务器推送一些选项。同样,在 OpenVPN 服务器配置中:

server 192.168.254.0 255.255.255.0 # Assuming this VPN network
push "dhcp-option DNS 192.168.254.1"
push "dhcp-option DOMAIN example"  # Push domain to clients

不幸的是,只有 Windows 版本的 OpenVPN 支持自动设置这些选项。Linux 客户端需要配置脚本以在连接建立/断开时运行。如果您的 Linux 系统使用/etc/resolv.conf,最终,您需要您的 VPN 域出现在您的search列表中,并且您的服务器 IP 显示为nameserver

search example # you may have other strings here too, separated by a space
# ... other nameservers, then:
nameserver 192.168.254.1

相关内容