Server configuration file

I am currently trying to configure OpenVPN on CentOS 7 so that all traffic of one specific user (vpn) is routed through the VPN without affecting any other traffic. I followed a tutorial written for Ubuntu and made the changes needed for CentOS 7, but when I start OpenVPN the server appears to lose all internet access for all users. After killing OpenVPN, access is restored.

OpenVPN worked fine before I tried to split the routing.
All configuration files are listed at the end of this post.

After starting, OpenVPN shows the following shell output
As far as I can tell, the main problem seems to be a missing IP address parameter. If you can spot where I went wrong, please let me know.
I am still fairly new to Linux and not particularly good with networking, so details are very much appreciated. I am happy to provide any other details or configuration files that might be needed for debugging.

Server configuration file

client
dev tun
proto udp
remote nl.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/cred.conf
auth-nocache
comp-lzo
verb 1
reneg-sec 0
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt
disable-occ
script-security 2

up /etc/openvpn/iptables.sh
down /etc/openvpn/update-resolv-conf


iptables script

#! /bin/bash
# Niftiest Software – www.niftiestsoftware.com
# Modified version by HTPC Guides – www.htpcguides.com

export INTERFACE="tun0"
export VPNUSER="vpn"
export LOCALIP="192.168.1.103"
export NETIF="enp2s0"

# flushes all the iptables rules, if you have other rules to use then add them into the script
/sbin/iptables -F -t nat
/sbin/iptables -F -t mangle
/sbin/iptables -F -t filter

# mark packets from $VPNUSER
/sbin/iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
/sbin/iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
/sbin/iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
/sbin/iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
/sbin/iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1
/sbin/iptables -t mangle -A OUTPUT -j CONNMARK --save-mark

# allow responses
/sbin/iptables -A INPUT -i $INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT

# block everything incoming on $INTERFACE to prevent accidental exposing of ports
/sbin/iptables -A INPUT -i $INTERFACE -j REJECT

# let $VPNUSER access lo and $INTERFACE
/sbin/iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
/sbin/iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT

# all packets on $INTERFACE needs to be masqueraded
/sbin/iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE

# reject connections from predator IP going over $NETIF
/sbin/iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT

# Start routing script
/etc/openvpn/routing.sh

exit 0

Routing file

#! /bin/bash
# Niftiest Software – www.niftiestsoftware.com
# Modified version by HTPC Guides – www.htpcguides.com

VPNIF="tun0"
VPNUSER="vpn"
GATEWAYIP=$(/sbin/ifcfg $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
if [[ `/sbin/ip rule list | grep -c 0x1` == 0 ]]; then
/sbin/ip rule add from all fwmark 0x1 lookup $VPNUSER
fi
/sbin/ip route replace default via $GATEWAYIP table $VPNUSER
/sbin/ip route append default via 127.0.0.1 dev lo table $VPNUSER
/sbin/ip route flush cache

# run update-resolv-conf script to set VPN DNS
/etc/openvpn/update-resolv-conf

exit 0

update-resolv-conf

#!/usr/bin/env bash
#
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood <[email protected]>
# and Chris Hanson
# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL.
# 07/2013 [email protected] Fixed intet name
# 05/2006 [email protected]
#
# Example envs set from openvpn:
foreign_option_1='dhcp-option DNS 209.222.18.222'
foreign_option_2='dhcp-option DNS 209.222.18.218'
foreign_option_3='dhcp-option DNS 8.8.8.8'
# foreign_option_4='dhcp-option DOMAIN-SEARCH bnc.local'

## The 'type' builtins will look for file in $PATH variable, so we set the
## PATH below. You might need to directly set the path to 'resolvconf'
## manually if it still doesn't work, i.e.
## RESOLVCONF=/usr/sbin/resolvconf
export PATH=$PATH:/sbin:/usr/sbin:/bin:/usr/bin
RESOLVCONF=$(type -p resolvconf)

case $script_type in

up)
  for optionname in ${!foreign_option_*} ; do
    option="${!optionname}"
    echo $option
    part1=$(echo "$option" | cut -d " " -f 1)
    if [ "$part1" == "dhcp-option" ] ; then
      part2=$(echo "$option" | cut -d " " -f 2)
      part3=$(echo "$option" | cut -d " " -f 3)
      if [ "$part2" == "DNS" ] ; then
        IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
      fi
      if [[ "$part2" == "DOMAIN" || "$part2" == "DOMAIN-SEARCH" ]] ; then
        IF_DNS_SEARCH="$IF_DNS_SEARCH $part3"
      fi
    fi
  done
  R=""
  if [ "$IF_DNS_SEARCH" ]; then
    R="search "
    for DS in $IF_DNS_SEARCH ; do
      R="${R} $DS"
    done
  R="${R}
"
  fi

  for NS in $IF_DNS_NAMESERVERS ; do
    R="${R}nameserver $NS
"
  done
  #echo -n "$R" | $RESOLVCONF -x -p -a "${dev}"
  echo -n "$R" | $RESOLVCONF -x -a "${dev}.inet"
  ;;
down)
  $RESOLVCONF -d "${dev}.inet"
  ;;
esac

# Workaround / [email protected] 
# force exit with no errors. Due to an apparent conflict with the Network Manager
# $RESOLVCONF sometimes exits with error code 6 even though it has performed the
# action correctly and OpenVPN shuts down.
exit 0
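The routing script above derives GATEWAYIP by scraping interface output, and when that yields an empty string the next line runs `ip route replace default via` with no address at all, which iproute2 rejects. The following is an added example, not code from the question or from the Niftiest Software / HTPC Guides scripts: it takes the gateway from the `route_vpn_gateway` and `ifconfig_remote` variables that OpenVPN exports to `up` scripts, falls back to parsing `ip -4 addr show dev tun0`, checks for the fwmark rule exactly instead of with `grep -c 0x1`, and fails closed (leaves the vpn table alone, so marked traffic still hits the lo fallback rather than the physical interface) when no gateway is known. The sample `ip` output, the function names and the `RUN`/`VPN_ROUTES_DEMO` variables are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the question or the HTPC Guides scripts.
# Gateway discovery and policy-routing setup for a per-user OpenVPN split,
# written so that an unknown gateway never turns into a malformed `ip route`.

# Output of `ip -4 addr show dev tun0` for a point-to-point OpenVPN tunnel
# (constructed sample; the addresses are made up).
SAMPLE_TUN0_P2P='3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0
       valid_lft forever preferred_lft forever'

# Same command for a subnet-topology tunnel: there is no "peer" address, so a
# parser must report failure instead of handing back an empty string.
SAMPLE_TUN0_SUBNET='3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    inet 10.9.0.3/24 brd 10.9.0.255 scope global tun0
       valid_lft forever preferred_lft forever'

# `ip rule list` once the fwmark rule is installed (constructed sample).
SAMPLE_RULES='0:      from all lookup local
32765:  from all fwmark 0x1 lookup vpn
32766:  from all lookup main
32767:  from all lookup default'

# peer_from_ip_addr <ip-addr-output>
# Prints the "peer" address of the first inet line; exit 1 if there is none.
peer_from_ip_addr() {
  gw=$(printf '%s\n' "$1" | awk '
    $1 == "inet" {
      for (i = 2; i < NF; i++)
        if ($i == "peer") { sub(/\/.*/, "", $(i + 1)); print $(i + 1); exit }
    }')
  [ -n "$gw" ] || return 1
  printf '%s\n' "$gw"
}

# vpn_gateway <ip-addr-output>
# OpenVPN exports route_vpn_gateway (subnet topology) and ifconfig_remote
# (net30 / p2p) to "up" scripts; both are more reliable than scraping
# interface output, so they are preferred and parsing is the last resort.
vpn_gateway() {
  if [ -n "${route_vpn_gateway:-}" ]; then
    printf '%s\n' "$route_vpn_gateway"
  elif [ -n "${ifconfig_remote:-}" ]; then
    printf '%s\n' "$ifconfig_remote"
  else
    peer_from_ip_addr "$1"
  fi
}

# fwmark_rule_present <ip-rule-output> <mark> <table>
# True only for an exact "fwmark <mark> lookup <table>" rule; a bare
# `grep -c 0x1` would also match unrelated rules that contain "0x1".
fwmark_rule_present() {
  printf '%s\n' "$1" | grep -q "fwmark $2 lookup $3\$"
}

# install_vpn_routes <gateway> <dev> <table>
# Runs the policy-routing commands (or prints them when RUN=echo). Returns 2
# without touching anything if the gateway is empty, which is exactly the
# input that makes `ip route replace default via` fail with a usage error.
install_vpn_routes() {
  gw=$1; dev=$2; table=$3
  if [ -z "$gw" ]; then
    echo "no VPN gateway found; leaving table $table untouched" >&2
    return 2
  fi
  $RUN ip route replace default via "$gw" dev "$dev" table "$table" || return 1
  # Fallback: if tun0 disappears, marked traffic is sent to lo, not to $NETIF.
  $RUN ip route append default via 127.0.0.1 dev lo table "$table" || return 1
  $RUN ip route flush cache
}

# Dry run: VPN_ROUTES_DEMO=1 sh this_file prints the commands instead of
# running them, so the logic can be checked without root or a live tun0.
if [ "${VPN_ROUTES_DEMO:-}" = 1 ]; then
  RUN=echo
  if gw=$(vpn_gateway "$SAMPLE_TUN0_P2P"); then
    install_vpn_routes "$gw" tun0 vpn
  fi
  fwmark_rule_present "$SAMPLE_RULES" 0x1 vpn && echo "fwmark rule already present"
fi
```

Inside a real `up` script `RUN` stays empty so the `ip` commands execute; `vpn_gateway "$(ip -4 addr show dev "$dev")"` gives the same preference order with the interface OpenVPN passes in `$dev`.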

Answer 1

The update-resolv-conf you are using in your script is tailored to Debian. maciek's openresolv. Here is the link to the Fedora/CentOS version. I haven't figured out how to keep DNS working as it was yet, but the routing is definitely split, because my uid has internet connectivity while the vpn uid does not. Sorry I can't be more help, but when I find the rest of the answer I will be sure to pass it along.
