我正在尝试让所有流量都通过 VPN 路由,以便我在浏览互联网时显示 OpenVPN 服务器的 IP 地址。
这没什么关系,但我们通过 PAM 模块使用基于密码的身份验证。该 PAM 模块会向网站发出 HTTP 调用来验证内容。
这是我的 OpenVPN 服务器配置:
port 1194
proto udp
dev tun
dh keys/dh2048.pem
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
;topology subnet
server 10.8.0.0 255.255.255.0
;route 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
;duplicate-cn
;max-clients 30
;user nobody
;group nogroup
;mute 20
;explicit-exit-notify 1
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
verify-client-cert optional
push "redirect-gateway def1"
;push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 208.67.222.222"
;push "route 10.8.0.0 255.255.255.0"
这是我的客户端 OpenVPN 配置:
client
dev tun
proto udp
remote MY_SERVERS_PUBLIC_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cipher AES-256-CBC
comp-lzo
redirect-gateway def1
verb 3
auth-user-pass
iptables --list 如下所示:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- ip-10-8-0-0.ec2.internal/24 anywhere ctstate NEW
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
这些 iptables 条目是使用以下命令创建的:
iptables -I FORWARD -i tun0 -o eth0 \
-s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \
-j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 \
-s 10.8.0.0/24 -j MASQUERADE
这是 OpenVPN 服务器上的 ifconfig 的样子:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9001
inet 172.26.12.92 netmask 255.255.240.0 broadcast 172.26.15.255
inet6 fe80::89c:e4ff:feab:ccce prefixlen 64 scopeid 0x20<link>
ether 0a:9c:e4:ab:cc:ce txqueuelen 1000 (Ethernet)
RX packets 219194 bytes 218590052 (218.5 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 98397 bytes 11103942 (11.1 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 4886 bytes 669299 (669.2 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4886 bytes 669299 (669.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
inet6 fe80::ef51:ccb3:ccc0:f02b prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3 bytes 144 (144.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
IP 转发已启用:
ubuntu@ip-172-26-2-31:~$ cat /proc/sys/net/ipv4/ip_forward
1
如果我的客户端登录,我会看到以下内容:
Wed Jun 05 07:40:02 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Wed Jun 05 07:40:02 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Jun 05 07:40:02 2019 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Enter Management Password:
Wed Jun 05 07:40:02 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Wed Jun 05 07:40:02 2019 Need hold release from management interface, waiting...
Wed Jun 05 07:40:03 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'state on'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'log all on'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'echo all on'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'bytecount 5'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'hold off'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'hold release'
Wed Jun 05 07:40:04 2019 MANAGEMENT: CMD 'username "Auth" "dlogan"'
Wed Jun 05 07:40:04 2019 MANAGEMENT: CMD 'password [...]'
Wed Jun 05 07:40:04 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Jun 05 07:40:04 2019 MANAGEMENT: >STATE:1559734804,RESOLVE,,,,,,
Wed Jun 05 07:40:05 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]MY_SERVERS_PUBLIC_IP:1194
Wed Jun 05 07:40:05 2019 Socket Buffers: R=[65536->65536] S=[64512->64512]
Wed Jun 05 07:40:05 2019 UDP link local: (not bound)
Wed Jun 05 07:40:05 2019 UDP link remote: [AF_INET]MY_SERVERS_PUBLIC_IP:1194
Wed Jun 05 07:40:05 2019 MANAGEMENT: >STATE:1559734805,WAIT,,,,,,
Wed Jun 05 07:40:05 2019 MANAGEMENT: >STATE:1559734805,AUTH,,,,,,
Wed Jun 05 07:40:05 2019 TLS: Initial packet from [AF_INET]MY_SERVERS_PUBLIC_IP:1194, sid=ea2002fc a21451ed
Wed Jun 05 07:40:05 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Jun 05 07:40:05 2019 VERIFY OK: depth=1, C=US, ST=FL, L=Sarasota, O=Cyber Ninjas, OU=Ethical Hacking, CN=Cyber Ninjas CA, name=CyberNinjas, [email protected]
Wed Jun 05 07:40:05 2019 VERIFY OK: depth=0, C=US, ST=FL, L=Sarasota, O=Cyber Ninjas, OU=Ethical Hacking, CN=remote2.cyberninjas.com, name=remote2.cyberninjas.com, [email protected]
Wed Jun 05 07:40:32 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Jun 05 07:40:32 2019 [remote2.cyberninjas.com] Peer Connection Initiated with [AF_INET]MY_SERVERS_PUBLIC_IP:1194
Wed Jun 05 07:40:33 2019 MANAGEMENT: >STATE:1559734833,GET_CONFIG,,,,,,
Wed Jun 05 07:40:33 2019 SENT CONTROL [remote2.cyberninjas.com]: 'PUSH_REQUEST' (status=1)
Wed Jun 05 07:40:33 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.220.220,dhcp-option DNS 208.67.222.222,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: route options modified
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: peer-id set
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: adjusting link_mtu to 1625
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: data channel crypto options modified
Wed Jun 05 07:40:33 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Jun 05 07:40:33 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun 05 07:40:33 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun 05 07:40:33 2019 interactive service msg_channel=832
Wed Jun 05 07:40:33 2019 ROUTE_GATEWAY 192.168.1.99/255.255.255.0 I=15 HWADDR=8c:ae:4c:f6:89:4d
Wed Jun 05 07:40:33 2019 open_tun
Wed Jun 05 07:40:33 2019 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{A4956E3A-C1FC-45BF-9857-31E5725E5011}.tap
Wed Jun 05 07:40:33 2019 TAP-Windows Driver Version 9.21
Wed Jun 05 07:40:33 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {A4956E3A-C1FC-45BF-9857-31E5725E5011} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Wed Jun 05 07:40:33 2019 Successful ARP Flush on interface [23] {A4956E3A-C1FC-45BF-9857-31E5725E5011}
Wed Jun 05 07:40:33 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jun 05 07:40:33 2019 MANAGEMENT: >STATE:1559734833,ASSIGN_IP,,10.8.0.6,,,,
Wed Jun 05 07:40:38 2019 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Wed Jun 05 07:40:38 2019 C:\WINDOWS\system32\route.exe ADD MY_SERVERS_PUBLIC_IP MASK 255.255.255.255 192.168.1.99
Wed Jun 05 07:40:38 2019 Route addition via service succeeded
Wed Jun 05 07:40:38 2019 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Wed Jun 05 07:40:38 2019 Route addition via service succeeded
Wed Jun 05 07:40:38 2019 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Wed Jun 05 07:40:38 2019 Route addition via service succeeded
Wed Jun 05 07:40:38 2019 MANAGEMENT: >STATE:1559734838,ADD_ROUTES,,,,,,
Wed Jun 05 07:40:38 2019 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Wed Jun 05 07:40:38 2019 Route addition via service succeeded
Wed Jun 05 07:40:38 2019 Initialization Sequence Completed
Wed Jun 05 07:40:38 2019 MANAGEMENT: >STATE:1559734838,CONNECTED,SUCCESS,10.8.0.6,MY_SERVERS_PUBLIC_IP,1194,,
这是我在服务器的 OpenVPN 日志中看到的内容:
Wed Jun 5 11:39:35 2019 WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional (or --client-cert-not-required) may accept clients which do not present a certificate
Wed Jun 5 11:39:35 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jan 9 2019
Wed Jun 5 11:39:35 2019 library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.08
Wed Jun 5 11:39:35 2019 PLUGIN_INIT: POST /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_
VERIFY
Wed Jun 5 11:39:35 2019 Diffie-Hellman initialized with 2048 bit key
Wed Jun 5 11:39:35 2019 ROUTE_GATEWAY 172.26.0.1/255.255.240.0 IFACE=eth0 HWADDR=0a:9c:e4:ab:cc:ce
Wed Jun 5 11:39:35 2019 TUN/TAP device tun0 opened
Wed Jun 5 11:39:35 2019 TUN/TAP TX queue length set to 100
Wed Jun 5 11:39:35 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jun 5 11:39:35 2019 /sbin/ip link set dev tun0 up mtu 1500
Wed Jun 5 11:39:35 2019 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Wed Jun 5 11:39:35 2019 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Wed Jun 5 11:39:35 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Jun 5 11:39:35 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jun 5 11:39:35 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Wed Jun 5 11:39:35 2019 UDPv4 link remote: [AF_UNSPEC]
Wed Jun 5 11:39:35 2019 MULTI: multi_init called, r=256 v=256
Wed Jun 5 11:39:35 2019 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Wed Jun 5 11:39:35 2019 IFCONFIG POOL LIST
Wed Jun 5 11:39:35 2019 Initialization Sequence Completed
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 TLS: Initial packet from [AF_INET]THE_CLIENT_PUBLIC_IP:50490, sid=80eafd2f b659fb60
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_VER=2.4.6
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_PLAT=win
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_PROTO=2
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_NCP=2
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_LZ4=1
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_LZ4v2=1
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_LZO=1
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_COMP_STUB=1
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_COMP_STUBv2=1
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_TCPNL=1
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_GUI_VER=OpenVPN_GUI_11
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 PLUGIN_CALL: POST /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 TLS: Username/Password authentication succeeded for username 'dlogan'
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 [] Peer Connection Initiated with [AF_INET]THE_CLIENT_PUBLIC_IP:50490
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 MULTI: Learn: 10.8.0.6 -> THE_CLIENT_PUBLIC_IP:50490
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 MULTI: primary virtual IP for THE_CLIENT_PUBLIC_IP:50490: 10.8.0.6
Wed Jun 5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 PUSH: Received control message: 'PUSH_REQUEST'
Wed Jun 5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 SENT CONTROL [UNDEF]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.220.220,dhcp-option DNS 208.67.222.222,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.
8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Wed Jun 5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Jun 5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun 5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun 5 11:46:32 2019 THE_CLIENT_PUBLIC_IP:50490 [UNDEF] Inactivity timeout (--ping-restart), restarting
Wed Jun 5 11:46:32 2019 THE_CLIENT_PUBLIC_IP:50490 SIGUSR1[soft,ping-restart] received, client-instance restarting
我查看并尝试采用/尝试以下文章中的设置,但没有成功: https://www.linode.com/docs/networking/vpn/tunnel-your-internet-traffic-through-an-openvpn-server/
https://askubuntu.com/questions/462533/route-all-traffic-through-openvpn
https://openvpn.net/community-resources/how-to/#redirect
很可能我只是没有把正确的组合在一起,但我在这里不知所措,肯定在寻求帮助。
如果您能够解释为什么给定的设置可以解决问题,我将不胜感激,因为如果您给出的不是完整的解决方案,这可能会帮助我解决这个问题。
答案1
似乎服务器配置中缺少一条路由。服务器必须告诉客户端加入它和整个 VPN 子网的新路由。我猜是这样的:
push "route 10.8.0.0 255.255.255.0"
答案2
经过大量的反复试验、阅读更多的资源以及一些有用的评论(感谢 Meoffrey)之后,我最终得到了这个有效的配置。
错误之处:
1)最初我没有启用IP转发。这是关键问题。
2)我不需要现有的 iptable 规则,我所需要的只是:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
以下是工作配置。
OpenVPN服务器配置:
port 1194
proto udp4
dev tun
dh keys/dh2048.pem
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
duplicate-cn
max-clients 30
user nobody
group nogroup
mute 20
explicit-exit-notify 3
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
verify-client-cert optional
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 208.67.222.222"
OpenVPN服务器/etc/sysctl.conf:
net.ipv4.ip_forward=1
安装了 iptables-persistent 并具有以下 /etc/iptables/rules.v4:
注意:我在 AWS Lightsail 上运行此程序,因此我已经使用 AWS 网络防火墙限制了端口。如果您在没有防火墙的情况下将此程序放在互联网上,您可能需要比我拥有的更多规则。
# Generated by iptables-save v1.6.1 on Wed Jun 5 15:14:19 2019
*mangle
:PREROUTING ACCEPT [51602:22128126]
:INPUT ACCEPT [26875:8155930]
:FORWARD ACCEPT [24727:13972196]
:OUTPUT ACCEPT [26848:13392260]
:POSTROUTING ACCEPT [51575:27364456]
COMMIT
# Completed on Wed Jun 5 15:14:19 2019
# Generated by iptables-save v1.6.1 on Wed Jun 5 15:14:19 2019
*nat
:PREROUTING ACCEPT [737:43965]
:INPUT ACCEPT [28:1240]
:OUTPUT ACCEPT [510:38713]
:POSTROUTING ACCEPT [510:38713]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Jun 5 15:14:19 2019
# Generated by iptables-save v1.6.1 on Wed Jun 5 15:14:19 2019
*filter
:INPUT ACCEPT [13001:3562550]
:FORWARD ACCEPT [18127:10646956]
:OUTPUT ACCEPT [13277:9043865]
COMMIT
# Completed on Wed Jun 5 15:14:19 2019
最后,OpenVPN 客户端配置:
client
dev tun
proto udp
remote OPENVPNSERVER_PUBLIC_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cipher AES-256-CBC
comp-lzo
redirect-gateway def1
verb 3
explicit-exit-notify 3
auth-user-pass
auth-nocache
remote-cert-tls server
答案3
因此看起来您正在转发到eth0,但是,该界面上似乎没有允许输入的规则。
# Allow input on eth0
iptables -A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
参考: