OpenVPN 每个客户端流量控制

tag-icon tag-icon openvpn bandwidth
OpenVPN 每个客户端流量控制

我希望这很容易

up.sh当我以 root 身份从命令行运行以下脚本时,它运行完美。

但是,我不想在每次新用户连接到 OpenVPN 时手动调用此脚本来通过 tc(qdisc)单独限制每个新用户(用户 1、用户 2、用户 3 到无穷大)的带宽、延迟等,而是希望每次新用户连接到 OpenVPN 时都调用该脚本,并且当新用户连接时能够单独塑造新用户的带宽、延迟等,而不会影响当前用户(可能是 100 或 1000)的带宽、延迟等

我尝试将脚本移动到以下文件夹/etc/network/if-up.d,以便在新用户连接到 OpenVPN 时执行它,但是由于某种原因,该脚本没有被调用(它不会对 qdisc 进行任何更改),但它完全相同的脚本,并且当我从命令行执行它时运行良好。

我还尝试将脚本重命名为,learn-address.sh并将其放在以下文件夹中,/etc/openvpn/netem/learn-address.sh以便在 OpenVPN 学习到新地址时自动调用,但这也不起作用

我还更新了 server.conf 文件,内容如下

脚本安全 3

学习地址 /etc/openvpn/netem/learn-address.sh

脚本安全 3

启动 /etc/network/if-up.d/up.sh

但它也没有用

最后,我还尝试更新文件/etc/sudoers.tmp以授予脚本权限,但这似乎也无济于事(请参阅文章末尾)

我正在运行 Ubuntu 14.04

非常感谢您的帮助

下面是名为 up.sh 的脚本,当我从命令行调用它时它会起作用:

#!/bin/bash  
# Full path to tc binary 

TC=$(which tc)

#
# NETWORK CONFIGURATION
# interface - name of your interface device
# interface_speed - speed in mbit of your $interface
# ip - IP address of your server, change this if you don't want to use
#      the default catch all filters.
#
interface=eth0
interface_speed=100mbit
ip=4.1.2.3 # The IP address bound to the interface

# Define the upload and download speed limit, follow units can be 
# passed as a parameter:
# kbps: Kilobytes per second
# mbps: Megabytes per second
# kbit: kilobits per second
# mbit: megabits per second
# bps: Bytes per second
download_limit=512kbit
upload_limit=10mbit    


# Filter options for limiting the intended interface.
FILTER="$TC filter add dev $interface protocol ip parent 1: prio 1 u32"

#
# This function starts the TC rules and limits the upload and download speed
# per already configured earlier.
# 

function start_tc { 
    tc qdisc show dev $interface | grep -q "qdisc pfifo_fast 0"  
    [ "$?" -gt "0" ] && tc qdisc del dev $interface root; sleep 1  

    # start the tc configuration
    $TC qdisc add dev $interface root handle 1: htb default 30
    $TC class add dev $interface parent 1: classid 1:1 htb rate $interface_speed burst 15k

    $TC class add dev $interface parent 1:1 classid 1:10 htb rate $download_limit burst 15k
    $TC class add dev $interface parent 1:1 classid 1:20 htb rate $upload_limit burst 15k

    $TC qdisc add dev $interface parent 1:10 handle 10: sfq perturb 10
    $TC qdisc add dev $interface parent 1:20 handle 20: sfq perturb 10

    # Apply the filter rules
    
    # Catch-all IP rules, which will set global limit on the server
    # for all IP addresses on the server. 
    $FILTER match ip dst 0.0.0.0/0 flowid 1:10
    $FILTER match ip src 0.0.0.0/0 flowid 1:20

    # If you want to limit the upload/download limit based on specific IP address
    # you can comment the above catch-all filter and uncomment these:
    #
    # $FILTER match ip dst $ip/32 flowid 1:10
    # $FILTER match ip src $ip/32 flowid 1:20
}

#
# Removes the network speed limiting and restores the default TC configuration
#
function stop_tc {
    tc qdisc show dev $interface | grep -q "qdisc pfifo_fast 0"
    [ "$?" -gt "0" ] && tc qdisc del dev $interface root
}

function show_status {
        $TC -s qdisc ls dev $interface
}
#
# Display help 
#
function display_help {
        echo "Usage: tc [OPTION]"
        echo -e "\tstart - Apply the tc limit"
        echo -e "\tstop - Remove the tc limit"
        echo -e "\tstatus - Show status"
}

# Start
if [ -z "$1" ]; then
        display_help
elif [ "$1" == "start" ]; then
        start_tc
elif [ "$1" == "stop" ]; then
        stop_tc
elif [ "$1" == "status" ]; then
        show_status
fi

以下是我也更新的文件:

/etc/sudoers.tmp

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification    

# User privilege specification
root    ALL=(ALL:ALL) ALL
#nobody ALL=(ALL) NOPASSWD: /usr/lib/tc
nobody ALL=(ALL) NOPASSWD: /usr/lib/tc
www-data ALL=NOPASSWD: /user/lib/tc
root ALL=NOPASSWD: /user/lib/tc
root    ALL=(ALL:ALL) ALL
nobody  ALL=(ALL) NOPASSWD
nobody  ALL=(ALL) NOPASSWD: /etc/openvpn/netem/learn-address.sh
root  ALL=(ALL) NOPASSWD: /etc/openvpn/netem/learn-address.sh
www-data  ALL=(ALL) NOPASSWD: /etc/openvpn/netem/learn-address.sh
nobody  ALL=(ALL) NOPASSWD: /etc/openvpn/netem/up.sh
www-data  ALL=(ALL) NOPASSWD: /etc/openvpn/netem/up.sh
root  ALL=(ALL) NOPASSWD: /etc/openvpn/netem/up.sh
nobody  ALL=(ALL) NOPASSWD: /etc/network/if-up.d/up.sh
www-data  ALL=(ALL) NOPASSWD: /etc/network/if-up.d/up.sh
root  ALL=(ALL) NOPASSWD: /etc/network/if-up.d/up.sh  
    
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

这是 server.conf

port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-128-CBC
comp-lzo
#user nobody
#user openvpn
#group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
script-security 2
down-pre
up /etc/openvpn/tc.sh
down /etc/openvpn/tc.sh
client-connect /etc/openvpn/tc.sh
client-disconnect /etc/openvpn/tc.sh
log /var/log/openvpn.log

答案1

OpenVPN 每个客户端流量控制

要获得一个简单的解决方案来控制每个客户端的流量,您可以执行以下操作。此解决方案仅适用于/24VPN 子网。在 Ubuntu 14.04 上测试。

OpenVPN 服务器示例配置:

port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
keepalive 10 60
comp-lzo
persist-key
persist-tun
log /var/log/openvpn.log
verb 3
#user openvpn
#group nogroup
script-security 2
down-pre
up /etc/openvpn/tc.sh
down /etc/openvpn/tc.sh
client-connect /etc/openvpn/tc.sh
client-disconnect /etc/openvpn/tc.sh

流量控制脚本/etc/openvpn/tc.sh

#!/bin/bash
TC=$(which tc)

interface="$dev"
interface_speed="100mbit"
client_ip="$trusted_ip"
client_ip_vpn="$ifconfig_pool_remote_ip"
download_limit="512kbit"
upload_limit="10mbit"
handle=`echo "$client_ip_vpn" | cut -d. -f4`

function start_tc {
  tc qdisc show dev $interface | grep -q "qdisc pfifo_fast 0"
  [ "$?" -gt "0" ] && tc qdisc del dev $interface root; sleep 1

  $TC qdisc add dev $interface root handle 1: htb default 30
  $TC class add dev $interface parent 1: classid 1:1 htb rate $interface_speed burst 15k
  $TC class add dev $interface parent 1:1 classid 1:10 htb rate $download_limit burst 15k
  $TC class add dev $interface parent 1:1 classid 1:20 htb rate $upload_limit burst 15k
  $TC qdisc add dev $interface parent 1:10 handle 10: sfq perturb 10
  $TC qdisc add dev $interface parent 1:20 handle 20: sfq perturb 10
}

function stop_tc {
  tc qdisc show dev $interface | grep -q "qdisc pfifo_fast 0"
  [ "$?" -gt "0" ] && tc qdisc del dev $interface root
}

function filter_add {
  $TC filter add dev $interface protocol ip handle ::${handle} parent 1: prio 1 u32 match ip ${1} ${2}/32 flowid 1:${3}
}

function filter_del {
  $TC filter del dev $interface protocol ip handle 800::${handle} parent 1: prio 1 u32
}

function ip_add {
  filter_add "dst" $client_ip_vpn "10"
  filter_add "src" $client_ip_vpn "20"
}

function ip_del {
  filter_del
  filter_del
}

if [ "$script_type" == "up" ]; then
        start_tc
elif [ "$script_type" == "down" ]; then
        stop_tc
elif [ "$script_type" == "client-connect" ]; then
        ip_add
elif [ "$script_type" == "client-disconnect" ]; then
        ip_del
fi

笔记,这是一个用于测试目的的非常简单的脚本tc,可以在以下位置找到用于 OpenVPN 流量控制的更复杂的方法这个答案

使脚本可执行:

chmod +x /etc/openvpn/tc.sh

在非特权模式下以 root 身份运行脚本

如果你在非特权模式下运行 OpenVPN,并且脚本需要以如下方式运行root,修改服务器配置中的以下指令:

user openvpn
group nogroup
up "/usr/bin/sudo /etc/openvpn/tc.sh"
down "/usr/bin/sudo /etc/openvpn/tc.sh"
client-connect "/usr/bin/sudo /etc/openvpn/tc.sh"
client-disconnect "/usr/bin/sudo /etc/openvpn/tc.sh"

添加无特权用户名为openvpn:

useradd -s /usr/sbin/nologin -r -M -d /dev/null openvpn

/etc/sudoers使用命令编辑visudo,添加以下行:

# User privilege specification
openvpn ALL=NOPASSWD: /etc/openvpn/tc.sh

使用Ctrl+保存并退出xy

使脚本只能由 root 写入:

chown root:root /etc/openvpn/tc.sh
chmod 700 /etc/openvpn/tc.sh

请注意,这可能会打开安全漏洞,并且可能与以 root 身份运行 OpenVPN 相当。虽然对我来说看起来很安全,但总有人有更好的眼光:)

故障排除

该脚本现在应该以 root 身份运行,您可以通过在脚本开头添加以下几行来排除故障tc.sh

#!/bin/bash
exec >>/tmp/ov.log 2>&1
chmod 666 /tmp/ov.log 2>/dev/null
echo
date
id
echo "PATH=$PATH"
printenv

服务器首次启动后,您可以跟踪日志:

tail -f /var/log/openvpn.log /tmp/ov.log

相关内容