I am using this script: https://github.com/loeken/CascadingOpenvpnConnect
It creates a tun0 instance and a tun1 instance, and another one if I want. I am having trouble figuring out how to route the traffic.
When I run the first command,
sudo openvpn --config eu.fr1.cdn.internetz.me.ovpn --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec (example)
I am able to connect through the VPN correctly.
But when I start the second command, sudo openvpn --config eu.fr4.cdn.internetz.me.ovpn --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec --setenv hopid 2 --setenv prevgw 10.9.1.1 (example)
I don't know what to do next. The second command runs successfully, but my IP address is still listed as the first VPN (tun0). So how do I bring tun1 into the chain?
Thanks for your help.
----- Edit/Update
This is my default routing table.
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default _gateway 0.0.0.0 UG 100 0 0 enp0s3
10.0.2.0 0.0.0.0 255.255.255.0 U 100 0 0 enp0s3
This is the first command to run. It appears to have succeeded.
sudo openvpn --config client-east.ovpn --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec
Thu Jul 21 19:29:55 2022 OpenVPN 2.4.4 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Thu Jul 21 19:29:55 2022 library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.08
Enter Auth Username: openvpn
Enter Auth Password: ***
Thu Jul 21 19:29:59 2022 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Thu Jul 21 19:29:59 2022 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jul 21 19:29:59 2022 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 21 19:29:59 2022 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 21 19:29:59 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]3.228.10.177:1194
Thu Jul 21 19:29:59 2022 Socket Buffers: R=[180224->180224] S=[180224->180224]
Thu Jul 21 19:29:59 2022 UDP link local: (not bound)
Thu Jul 21 19:29:59 2022 UDP link remote: [AF_INET]3.228.10.177:1194
Thu Jul 21 19:29:59 2022 TLS: Initial packet from [AF_INET]3.228.10.177:1194, sid=e06d136c ef7fcba7
Thu Jul 21 19:29:59 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Jul 21 19:29:59 2022 VERIFY OK: depth=1, CN=OpenVPN CA
Thu Jul 21 19:29:59 2022 VERIFY OK: nsCertType=SERVER
Thu Jul 21 19:29:59 2022 VERIFY OK: depth=0, CN=OpenVPN Server
Thu Jul 21 19:30:00 2022 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Thu Jul 21 19:30:00 2022 [OpenVPN Server] Peer Connection Initiated with [AF_INET]3.228.10.177:1194
Thu Jul 21 19:30:01 2022 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Thu Jul 21 19:30:01 2022 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,compress stub-v2,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 172.27.232.1,dhcp-option DNS 172.31.0.2,register-dns,block-ipv6,ifconfig 172.27.232.27 255.255.248.0,peer-id 0,auth-tokenSESS_ID,cipher AES-256-GCM'
Thu Jul 21 19:30:01 2022 Option 'explicit-exit-notify' in [PUSH-OPTIONS]:1 is ignored by previous <connection> blocks
Thu Jul 21 19:30:01 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.4.4)
Thu Jul 21 19:30:01 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.4.4)
Thu Jul 21 19:30:01 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.4.4)
Thu Jul 21 19:30:01 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:16: register-dns (2.4.4)
Thu Jul 21 19:30:01 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:17: block-ipv6 (2.4.4)
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: explicit notify parm(s) modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: compression parms modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: route options modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: route-related options modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: peer-id set
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: adjusting link_mtu to 1625
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: data channel crypto options modified
Thu Jul 21 19:30:01 2022 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Jul 21 19:30:01 2022 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jul 21 19:30:01 2022 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jul 21 19:30:01 2022 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:cb:a6:e2
Thu Jul 21 19:30:01 2022 TUN/TAP device tun0 opened
Thu Jul 21 19:30:01 2022 TUN/TAP TX queue length set to 100
Thu Jul 21 19:30:01 2022 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Jul 21 19:30:01 2022 /sbin/ip link set dev tun0 up mtu 1500
Thu Jul 21 19:30:02 2022 /sbin/ip addr add dev tun0 172.27.232.27/21 broadcast 172.27.239.255
Thu Jul 21 19:30:02 2022 updown.sh tun0 1500 1553 172.27.232.27 255.255.248.0 init
## updown.sh: STARTED
## updown.sh: hop id: (default: 1)
## updown.sh: gateway of last hop: (default: local gateway)
## updown.sh: local gateway: 10.0.2.2
## updown.sh: VPN: local IP address: 172.27.232.27
## updown.sh: VPN: local netmask: 255.255.248.0
## updown.sh: VPN: local gateway: 172.27.232.1
## updown.sh: VPN: vpn IP address: 3.228.10.177
## updown.sh: Notice: You didn't set 'hopid'. Assuming this to be the first hop (hopid=1).
## updown.sh: Notice: You didn't set the previous gateway. The gateway of your local network ('10.0.2.2') will be used.
## updown.sh: executing: '/sbin/ip route add 3.228.10.177 via 10.0.2.2'
## updown.sh: executing: '/sbin/ip route add 0.0.0.0/1 via 172.27.232.1'
## updown.sh: executing: '/sbin/ip route add 128.0.0.0/1 via 172.27.232.1'
## updown.sh: HINT: For the next hop, start openvpn with the following options:
## updown.sh: HINT: openvpn --config <config.ovpn> --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec --setenv hopid 2 --setenv prevgw 172.27.232.1
## updown.sh: FINISHED
Thu Jul 21 19:30:07 2022 Initialization Sequence Completed
After changing my DNS to 8.8.8.8, my traffic goes through my VPN.
After running the first command, this is what my routing table looks like.
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.27.232.1 128.0.0.0 UG 0 0 0 tun0
default 10.0.2.2 0.0.0.0 UG 100 0 0 enp0s3
3.228.10.177 10.0.2.2 255.255.255.255 UGH 0 0 0 enp0s3
10.0.2.0 0.0.0.0 255.255.255.0 U 100 0 0 enp0s3
128.0.0.0 172.27.232.1 128.0.0.0 UG 0 0 0 tun0
172.27.232.0 0.0.0.0 255.255.248.0 U 0 0 0 tun0
This is my second command. It also appears to have succeeded.
sudo openvpn --config client-west.ovpn --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec --setenv hopid 2 --setenv prevgw 172.27.232.1
Thu Jul 21 19:34:30 2022 OpenVPN 2.4.4 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Thu Jul 21 19:34:30 2022 library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.08
Enter Auth Username: openvpn
Enter Auth Password: ***
Thu Jul 21 19:34:34 2022 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Thu Jul 21 19:34:34 2022 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jul 21 19:34:34 2022 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 21 19:34:34 2022 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 21 19:34:34 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]52.53.125.237:1194
Thu Jul 21 19:34:34 2022 Socket Buffers: R=[180224->180224] S=[180224->180224]
Thu Jul 21 19:34:34 2022 UDP link local: (not bound)
Thu Jul 21 19:34:34 2022 UDP link remote: [AF_INET]52.53.125.237:1194
Thu Jul 21 19:34:34 2022 TLS: Initial packet from [AF_INET]52.53.125.237:1194, sid=0ca1cb6e b7f72f45
Thu Jul 21 19:34:34 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Jul 21 19:34:34 2022 VERIFY OK: depth=1, CN=OpenVPN CA
Thu Jul 21 19:34:34 2022 VERIFY OK: nsCertType=SERVER
Thu Jul 21 19:34:34 2022 VERIFY OK: depth=0, CN=OpenVPN Server
Thu Jul 21 19:34:34 2022 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Thu Jul 21 19:34:34 2022 [OpenVPN Server] Peer Connection Initiated with [AF_INET]52.53.125.237:1194
Thu Jul 21 19:34:35 2022 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Thu Jul 21 19:34:36 2022 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,compress stub-v2,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 172.27.232.1,dhcp-option DNS 172.31.0.2,register-dns,block-ipv6,ifconfig 172.27.232.28 255.255.248.0,peer-id 0,auth-tokenSESS_ID,cipher AES-256-GCM'
Thu Jul 21 19:34:36 2022 Option 'explicit-exit-notify' in [PUSH-OPTIONS]:1 is ignored by previous <connection> blocks
Thu Jul 21 19:34:36 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.4.4)
Thu Jul 21 19:34:36 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.4.4)
Thu Jul 21 19:34:36 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.4.4)
Thu Jul 21 19:34:36 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:16: register-dns (2.4.4)
Thu Jul 21 19:34:36 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:17: block-ipv6 (2.4.4)
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: explicit notify parm(s) modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: compression parms modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: route options modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: route-related options modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: peer-id set
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: adjusting link_mtu to 1625
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: data channel crypto options modified
Thu Jul 21 19:34:36 2022 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Jul 21 19:34:36 2022 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jul 21 19:34:36 2022 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jul 21 19:34:36 2022 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:cb:a6:e2
Thu Jul 21 19:34:36 2022 TUN/TAP device tun1 opened
Thu Jul 21 19:34:36 2022 TUN/TAP TX queue length set to 100
Thu Jul 21 19:34:36 2022 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Jul 21 19:34:36 2022 /sbin/ip link set dev tun1 up mtu 1500
Thu Jul 21 19:34:36 2022 /sbin/ip addr add dev tun1 172.27.232.28/21 broadcast 172.27.239.255
Thu Jul 21 19:34:36 2022 updown.sh tun1 1500 1553 172.27.232.28 255.255.248.0 init
## updown.sh: STARTED
## updown.sh: hop id: 2 (default: 1)
## updown.sh: gateway of last hop: 172.27.232.1 (default: local gateway)
## updown.sh: local gateway: 10.0.2.2
## updown.sh: VPN: local IP address: 172.27.232.28
## updown.sh: VPN: local netmask: 255.255.248.0
## updown.sh: VPN: local gateway: 172.27.232.1
## updown.sh: VPN: vpn IP address: 52.53.125.237
## updown.sh: executing: '/sbin/ip route add 52.53.125.237 via 172.27.232.1'
## updown.sh: executing: '/sbin/ip route add 0.0.0.0/2 via 172.27.232.1'
## updown.sh: executing: '/sbin/ip route add 64.0.0.0/2 via 172.27.232.1'
## updown.sh: executing: '/sbin/ip route add 128.0.0.0/2 via 172.27.232.1'
## updown.sh: executing: '/sbin/ip route add 192.0.0.0/2 via 172.27.232.1'
## updown.sh: HINT: For the next hop, start openvpn with the following options:
## updown.sh: HINT: openvpn --config <config.ovpn> --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec --setenv hopid 3 --setenv prevgw 172.27.232.1
## updown.sh: FINISHED
Thu Jul 21 19:34:41 2022 Initialization Sequence Completed
Routing table after running the second command.
Kernel IP routing table
0.0.0.0 172.27.232.1 192.0.0.0 UG 0 0 0 tun0
0.0.0.0 172.27.232.1 128.0.0.0 UG 0 0 0 tun0
default 10.0.2.2 0.0.0.0 UG 100 0 0 enp0s3
ec2-3-228-10-17 10.0.2.2 255.255.255.255 UGH 0 0 0 enp0s3
10.0.2.0 0.0.0.0 255.255.255.0 U 100 0 0 enp0s3
ec2-52-53-125-2 172.27.232.1 255.255.255.255 UGH 0 0 0 tun0
64.0.0.0 172.27.232.1 192.0.0.0 UG 0 0 0 tun0
128.0.0.0 172.27.232.1 192.0.0.0 UG 0 0 0 tun0
128.0.0.0 172.27.232.1 128.0.0.0 UG 0 0 0 tun0
172.27.232.0 0.0.0.0 255.255.248.0 U 0 0 0 tun0
172.27.232.0 0.0.0.0 255.255.248.0 U 0 0 0 tun1
192.0.0.0 172.27.232.1 192.0.0.0 UG 0 0 0 tun0
When I run tcpdump there is traffic on tun0 (the first VPN), but no traffic at all on tun1 (the second VPN).
I am confused and don't know what to do next.
Answer 1
tun0 is created first, then tun1, so you want regular traffic to be routed to tun1 directly.
                      ------      ------      --------
"regular traffic" -> | tun1 | -> | tun0 | -> | enp0s3 |
                      ------      ------      --------
The VPN-internal gateway IP address (172.27.232.1) is the same for tun0 and tun1. I don't know whether the script (updown.sh) can handle that. I don't know whether it is possible to chain VPN connections on the same machine while both have the same VPN-internal gateway address. But I have some ideas.
Idea 1
Is tun1 created through tun0? If that is not the case, adjusting the routing table later (after both tunnels are created) may not help. After creating tun0, I would use tcpdump to see whether creating tun1 results in a new connection on enp0s3, or whether it is tunneled through tun0.
Idea 2
After both VPN connections are established, create a specific routing table entry: 8.8.8.8 via 172.27.232.1 dev tun1. Send a request to the DNS and see whether it is routed through the chain.
Idea 3
For tun1 there is only one entry in the routing table.
172.27.232.0 0.0.0.0 255.255.248.0 U 0 0 0 tun1
Its destination is the network address of the VPN and it covers the gateway address. This entry alone is not enough to route "regular traffic" to tun1.
All other tun* rules are linked to tun0.
0.0.0.0 172.27.232.1 192.0.0.0 UG 0 0 0 tun0
0.0.0.0 172.27.232.1 128.0.0.0 UG 0 0 0 tun0
64.0.0.0 172.27.232.1 192.0.0.0 UG 0 0 0 tun0
128.0.0.0 172.27.232.1 192.0.0.0 UG 0 0 0 tun0
128.0.0.0 172.27.232.1 128.0.0.0 UG 0 0 0 tun0
192.0.0.0 172.27.232.1 192.0.0.0 UG 0 0 0 tun0
I would delete these rules and write new rules for tun1. Maybe a single rule is enough: 0.0.0.0 via 172.27.232.1 dev tun1. I don't know whether this works, but that is what I would try.
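To make the route-selection reasoning in Idea 3 concrete, here is an added example (not part of the question, the answer, or the CascadingOpenvpnConnect project) that models the kernel's longest-prefix-match over the second routing table posted in the question, then applies the answer's suggested change and traces where a packet to 8.8.8.8 ends up. The route rows are copied from the question; the two reverse-DNS names the question shows truncated are replaced with the server IPs visible in the OpenVPN logs (3.228.10.177 and 52.53.125.237), and the mapping from each tun device to its VPN server is taken from those logs as well. It is a model of the route lookup, not a call into the kernel.

```python
"""Longest-prefix-match model of the routing tables from the question.

Added example, not the original post's or the CascadingOpenvpnConnect
project's code. Assumptions: the table rows below are a faithful copy of
the question's second table with hostnames resolved to the IPs in the logs,
and TUNNEL_ENDPOINT maps each tun device to the VPN server it sends to.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# VPN server each tunnel encapsulates towards (taken from the OpenVPN logs).
TUNNEL_ENDPOINT = {"tun0": "3.228.10.177", "tun1": "52.53.125.237"}

# Constructed input: the routing table after the second hop, route -n style.
ROUTES_AFTER_SECOND_HOP = """\
Destination    Gateway      Genmask         Flags Metric Ref Use Iface
0.0.0.0        172.27.232.1 192.0.0.0       UG    0      0   0   tun0
0.0.0.0        172.27.232.1 128.0.0.0       UG    0      0   0   tun0
default        10.0.2.2     0.0.0.0         UG    100    0   0   enp0s3
3.228.10.177   10.0.2.2     255.255.255.255 UGH   0      0   0   enp0s3
10.0.2.0       0.0.0.0      255.255.255.0   U     100    0   0   enp0s3
52.53.125.237  172.27.232.1 255.255.255.255 UGH   0      0   0   tun0
64.0.0.0       172.27.232.1 192.0.0.0       UG    0      0   0   tun0
128.0.0.0      172.27.232.1 192.0.0.0       UG    0      0   0   tun0
128.0.0.0      172.27.232.1 128.0.0.0       UG    0      0   0   tun0
172.27.232.0   0.0.0.0      255.255.248.0   U     0      0   0   tun0
172.27.232.0   0.0.0.0      255.255.248.0   U     0      0   0   tun1
192.0.0.0      172.27.232.1 192.0.0.0       UG    0      0   0   tun0
"""


@dataclass(frozen=True)
class Route:
    net: ipaddress.IPv4Network
    gateway: Optional[str]  # None for directly connected routes
    metric: int
    iface: str

    def as_ip_route(self) -> str:
        """Render the row as the equivalent `ip route add` line."""
        via = f" via {self.gateway}" if self.gateway else ""
        return f"ip route add {self.net}{via} dev {self.iface} metric {self.metric}"


def parse_routes(table: str) -> List[Route]:
    """Parse route -n rows; header and non-address lines are skipped."""
    routes = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) < 8:
            continue
        dst, gw, mask, _flags, metric, _ref, _use, iface = parts[:8]
        if dst == "default":
            dst = "0.0.0.0"
        try:
            net = ipaddress.IPv4Network((dst, mask), strict=False)
        except ValueError:  # e.g. the "Destination Gateway ..." header line
            continue
        routes.append(Route(net, None if gw == "0.0.0.0" else gw, int(metric), iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.net]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.net.prefixlen, -r.metric))


def trace_chain(routes: List[Route], dst: str, max_hops: int = 5) -> List[str]:
    """Follow a packet through the tunnels: each tun hop encapsulates towards
    its VPN server, which is routed again, until a physical interface is hit."""
    path, target = [], dst
    for _ in range(max_hops):
        r = lookup(routes, target)
        if r is None:
            path.append("unroutable")
            break
        path.append(r.iface)
        if r.iface not in TUNNEL_ENDPOINT:
            break
        target = TUNNEL_ENDPOINT[r.iface]
    return path


def apply_idea_3(routes: List[Route]) -> List[Route]:
    """Drop the /1 and /2 'regular traffic' routes that landed on tun0 and
    replace them with one default route on tun1, as Idea 3 suggests. The /32
    host route to the second server stays on tun0 so the chain still works."""
    kept = [r for r in routes
            if not (r.iface == "tun0" and r.gateway and r.net.prefixlen < 32)]
    kept.append(Route(ipaddress.IPv4Network("0.0.0.0/0"), "172.27.232.1", 0, "tun1"))
    return kept


if __name__ == "__main__":
    before = parse_routes(ROUTES_AFTER_SECOND_HOP)
    after = apply_idea_3(before)
    print("before:", " -> ".join(trace_chain(before, "8.8.8.8")))
    print("after: ", " -> ".join(trace_chain(after, "8.8.8.8")))
    print(after[-1].as_ip_route())
```

Before the change, 8.8.8.8 matches the 0.0.0.0/2 entry on tun0 and goes straight to the first hop, which is exactly what the tcpdump in the question shows. After the change, the only routes covering 8.8.8.8 are the new default on tun1 (metric 0) and the enp0s3 default (metric 100), so tun1 wins, its server 52.53.125.237 is then matched by the /32 on tun0, and that server's address 3.228.10.177 is matched by the /32 on enp0s3: tun1 -> tun0 -> enp0s3, the order the answer's diagram calls for. Note that the two connected 172.27.232.0/21 routes tie on both prefix length and metric, which is why specifying dev explicitly matters when the gateway address is the same on both tunnels.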