所以我尝试在我的服务器上设置一个分割隧道(我的服务器是VPN客户端)。 VPN 用户只能使用 VPN 接口 (tun0) 访问互联网。
我遵循并尝试将 ubuntu 指南“翻译”为 CentOS 8。我一直遵循的指南是力洪流其灵感来自于强制 Torrent 流量通过 VPN 分割隧道 Debian 8 + Ubuntu 16.04然后我应用了我在中找到的更新Ubuntu 18.04 分割隧道指南。
这导致了以下文件:
代码/脚本:(结果如下)
/etc/systemd/system/[email protected]:
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
After=network.target
[Service]
RuntimeDirectory=openvpn
PrivateTmp=true
KillMode=mixed
Type=forking
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
PIDFile=/run/openvpn/%i.pid
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
Restart=on-failure
RestartSec=3
ProtectSystem=yes
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
[Install]
WantedBy=multi-user.target
/etc/openvpn/openvpn.conf:
client
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
dev tun
proto udp
remote pool-1.prd.se.ovpn.com 1194
remote pool-1.prd.se.ovpn.com 1195
remote pool-2.prd.se.ovpn.com 1194
remote pool-2.prd.se.ovpn.com 1195
remote pool-3.prd.se.ovpn.com 1194
remote pool-3.prd.se.ovpn.com 1195
remote pool-4.prd.se.ovpn.com 1194
remote pool-4.prd.se.ovpn.com 1195
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-256-cbc
auth-user-pass /etc/openvpn/credentials
auth-nocache
comp-lzo
route-noexec
remote-cert-tls server
pull
reneg-sec 0
verb 3
mute-replay-warnings
replay-window 256
ca /etc/openvpn/ovpn-ca.crt
tls-auth /etc/openvpn/ovpn-tls.key 1
log /tmp/openvpn.log
script-security 2
up /etc/openvpn/firewllad.sh
up-restart
down /etc/openvpn/scripts/update-systemd-resolved
down-pre
dhcp-option DOMAIN-ROUTE .
/etc/openvpn/firewalld.sh:
#! /bin/bash
export INTERFACE="tun0"
export VPNUSER="vpn"
export LOCALIP="192.168.1.10"
export NETIF="enp1s0"
# Flush alll rules
firewall-cmd --direct --remove-rules ipv4 mangle OUTPUT
firewall-cmd --direct --remove-rules ipv4 mangle INPUT
firewall-cmd --direct --remove-rules ipv4 filter INPUT
firewall-cmd --direct --remove-rules ipv4 filter OUTPUT
firewall-cmd --direct --remove-rules ipv4 nat POSTROUTING
#firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 ! -o lo -m owner --uid-owner vpn -j DROP
# Mark packets from $VPNUSER
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 -j CONNMARK --restore-mark
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
# Added local open ports (since I do not use these services I have not opened these ports)
#firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 --src $LOCALIP -p tcp -m tcp -m multiport --sports 6800,7777 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x0
# Continue marking
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 ! --src $LOCALIP -j MARK --set-mark 0x1
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 -j CONNMARK --save-mark
# Allow responses
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -i $INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Block everything incoming on $INTERFACE to prevent accdiental exposing of ports
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -i $INTERFACE -j REJECT
# Let $VPNUSER access lo and $INTERFACE
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT
# All packets on $INTERFACE needs to be masqueraded
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o $INTERFACE -j MASQUERADE
# Reject connection from predator IP going over $NETIF
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 ! --src $LOCALIP -o $NETIF -j REJECT
#ADD YOUR OWN RULES HERE
# Start routing script
/etc/openvpn/routing.sh
exit 0
/etc/openvpn/routing.sh:
#! /bin/bash
VPNIF="tun0"
VPNUSER="vpn"
GATEWAYIP=$(ip address show $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
ip rule add from all fwmark 0x1 lookup $VPNUSER
fi
ip route replace default via $GATEWAYIP table $VPNUSER
ip route append default via 127.0.0.1 dev lo table $VPNUSER
ip route flush cache
# run update-resolv-conf script to set VPN DNS
/etc/openvpn/scripts/update-systemd-resolved
exit 0
/etc/iproute2/rt_tables:
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
200 vpn
/etc/sysctl.d/9999-vpn.conf:
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.enp1s0.rp_filter = 2
结果:
使用命令检查 DNS:systemd-resolve --status
Link 9 (tun0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: allow-downgrade
DNSSEC supported: yes
Current DNS Server: 192.165.9.158
DNS Servers: 192.165.9.158
46.227.67.134
DNS Domain: ~.
使用以下命令检查 VPN 公共 IP:sudo -u vpn -i -- curl ipinfo.io给了我:curl: (6) Could not resolve host: ipinfo.io。虽然sudo curl ipinfo.io --interface tun0工作正常。ping www.google.se作为 vpn 用户时,我也会遇到问题,但如果我使用该域的 IP,它就可以正常工作。
答案1
问题在于,systemd-resolved即使服务正在运行,CentOS 8 也不会设置 DNS。要systemd-resolved使用脚本设置dns update-systemd-resolved,您必须/etc/NetworkManager/NetworkManager.conf在 部分中编辑 和[main]设置:dns=systemd-resolved。
有关该主题的更多信息:第 33 章. 对不同域使用不同的 DNS 服务器。