Use a VPN connection only for selected applications

I am trying to follow https://superuser.com/a/1262250/41337 but I cannot get it to work.

I do:

interface=eth0

down() {
    ip netns delete myvpn
    ip link delete vpn0
    iptables -D INPUT \! -i vpn0 -s 10.200.200.0/24 -j DROP
    iptables -t nat -D POSTROUTING -s 10.200.200.0/24 -o $interface -j MASQUERADE
}

up() {
    ip netns add myvpn
    ip netns exec myvpn ip addr add 127.0.0.1/8 dev lo
    ip netns exec myvpn ip link set lo up
    ip link add vpn0 type veth peer name vpn1
    ip link set vpn0 up
    ip link set vpn1 netns myvpn up
    ip addr add 10.200.200.1/24 dev vpn0
    ip netns exec myvpn ip addr add 10.200.200.2/24 dev vpn1
    ip netns exec myvpn ip route add default via 10.200.200.1 dev vpn1
    iptables -A INPUT \! -i vpn0 -s 10.200.200.0/24 -j DROP
    iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o $interface -j MASQUERADE
    sysctl -q net.ipv4.ip_forward=1
    mkdir -p /etc/netns/myvpn
    echo 'nameserver 8.8.8.8' > /etc/netns/myvpn/resolv.conf
    ip netns exec myvpn ping 8.8.8.8
}

down
up

In another terminal I run:

$ sudo tcpdump -ni any host 8.8.8.8
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
22:49:44.817183 vpn0  In  IP 10.200.200.2 > 8.8.8.8: ICMP echo request, id 18314, seq 1, length 64
22:49:45.822772 vpn0  In  IP 10.200.200.2 > 8.8.8.8: ICMP echo request, id 18314, seq 2, length 64
22:49:46.842785 vpn0  In  IP 10.200.200.2 > 8.8.8.8: ICMP echo request, id 18314, seq 3, length 64

This leads me to believe that a step is missing: the network traffic does not go out on eth0.

All of these work:

ip netns exec myvpn ping 10.200.200.1
ip netns exec myvpn ping 10.200.200.2
ping 10.200.200.2

This fails:

ping 10.200.200.1

Answer 1

This command...

ip netns exec myvpn ip route add default via 10.200.200.1 dev vpn1

...should fail:

Error: Nexthop has invalid gateway.

because you never set the interface vpn1 up (so 10.200.200.1 is unreachable). You should do that right after assigning the address:

ip netns exec myvpn ip addr add 10.200.200.2/24 dev vpn1
ip netns exec myvpn ip link set vpn1 up

The following script works for me. It is almost the same as your script, but with these changes:

  • I added the missing ip link set ... up command mentioned above
  • I replaced every instance of ip netns exec myvpn ip ... with ip -n myvpn ...
  • I used the netns argument of ip link add

#!/bin/bash

interface=eth0

down() {
    ip netns delete myvpn
    ip link delete vpn0
    iptables -D INPUT \! -i vpn0 -s 10.200.200.0/24 -j DROP
    iptables -t nat -D POSTROUTING -s 10.200.200.0/24 -o $interface -j MASQUERADE
}

up() {
    ip netns add myvpn
    ip -n myvpn addr add 127.0.0.1/8 dev lo
    ip -n myvpn link set lo up
    ip link add vpn0 type veth peer name vpn1 netns myvpn
    ip link set vpn0 up
    ip addr add 10.200.200.1/24 dev vpn0
    ip -n myvpn addr add 10.200.200.2/24 dev vpn1
    ip -n myvpn link set vpn1 up
    ip -n myvpn route add default via 10.200.200.1 dev vpn1
    iptables -A INPUT \! -i vpn0 -s 10.200.200.0/24 -j DROP
    iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o $interface -j MASQUERADE
    ip netns exec myvpn ping -c 10 8.8.8.8
}

sysctl -q net.ipv4.ip_forward=1

down
trap down EXIT
up

Running this script on my system produces:

Cannot remove namespace file "/var/run/netns/myvpn": No such file or directory
Cannot find device "vpn0"
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=9.80 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=116 time=12.3 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=116 time=15.8 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=116 time=9.06 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=116 time=12.5 ms
64 bytes from 8.8.8.8: icmp_seq=6 ttl=116 time=15.2 ms
64 bytes from 8.8.8.8: icmp_seq=7 ttl=116 time=8.27 ms
64 bytes from 8.8.8.8: icmp_seq=8 ttl=116 time=11.3 ms
64 bytes from 8.8.8.8: icmp_seq=9 ttl=116 time=14.8 ms
64 bytes from 8.8.8.8: icmp_seq=10 ttl=116 time=7.21 ms

--- 8.8.8.8 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9012ms
rtt min/avg/max/mdev = 7.211/11.621/15.819/2.871 ms
