通过网络命名空间对某些应用程序使用 VPN

通过网络命名空间对某些应用程序使用 VPN

我正在尝试使用网络命名空间来处理特定于 VPN 的流量,使用本指南:https://schnouki.net/posts/2014/12/12/openvpn-for-a-single-application-on-linux/在 Debian 上。

一切都与设置命名空间和新娘有关,如下所示。命名空间名为 piavpn,命名空间侧的 veth 为 vpn1,主侧的 veth 为 vpn0。但是,我无法从命名空间访问互联网或主网络。

在命名空间上:

sudo ip netns exec piavpn ip addr list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
7: vpn1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether da:8f:25:6f:47:74 brd ff:ff:ff:ff:ff:ff
    inet 10.200.200.2/24 scope global vpn1
       valid_lft forever preferred_lft forever
    inet6 fe80::d88f:25ff:fe6f:4774/64 scope link 
       valid_lft forever preferred_lft forever

在正常网络上:

ip addr list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 00:90:f5:eb:90:24 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 68:17:29:90:f5:ba brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.16/24 brd 192.168.0.255 scope global dynamic wlan0
       valid_lft 80406sec preferred_lft 80406sec
    inet6 fe80::6a17:29ff:fe90:f5ba/64 scope link 
       valid_lft forever preferred_lft forever
4: vmnet1: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 00:50:56:c0:00:01 brd ff:ff:ff:ff:ff:ff
5: vmnet8: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 00:50:56:c0:00:08 brd ff:ff:ff:ff:ff:ff
8: vpn0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 2a:19:71:d5:79:29 brd ff:ff:ff:ff:ff:ff
    inet 10.200.200.1/24 scope global vpn0
       valid_lft forever preferred_lft forever
    inet6 fe80::2819:71ff:fed5:7929/64 scope link 
       valid_lft forever preferred_lft forever

Ping 有两种方式:

ping 10.200.200.2
PING 10.200.200.2 (10.200.200.2) 56(84) bytes of data.
64 bytes from 10.200.200.2: icmp_seq=1 ttl=64 time=0.084 ms
64 bytes from 10.200.200.2: icmp_seq=2 ttl=64 time=0.068 ms

sudo ip netns exec piavpn ping 10.200.200.1
PING 10.200.200.1 (10.200.200.1) 56(84) bytes of data.
64 bytes from 10.200.200.1: icmp_seq=1 ttl=64 time=0.088 ms
64 bytes from 10.200.200.1: icmp_seq=2 ttl=64 time=0.040 ms

但是,我无法从命名空间访问互联网或主网络。我认为这一定是 iptables 问题,因为我在 sysctl 中启用了 ipv4 转发。

我的 iptables 规则在这里:https://gist.github.com/anonymous/a1b440f1d3538be6557d

NAT iptables 规则是:

sudo iptables -t nat --list
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  10.200.200.0/24      anywhere            
MASQUERADE  all  --  10.200.200.0/24      anywhere            
MASQUERADE  all  --  10.200.200.0/24      anywhere            
MASQUERADE  all  --  10.200.200.0/24      anywhere            
MASQUERADE  all  --  anywhere             anywhere            
MASQUERADE  all  --  10.0.0.0/8           anywhere

显然,我多次尝试过的地方已经变得混乱了。但应该是宽容的。

在我从命名空间获得一般连接之前,无需担心 VPN。

答案1

事实证明,诀窍是禁用 ufw:

sudo ufw disable

然后我刷新了 iptables 并重新添加了规则,并在 NetworkManager 由于某种原因覆盖了 /etc/resolv.conf 后重新编写了它。

现在一切都很完美。

相关内容