I have a paid ProtonVPN account. I want to use it on my VPS server (so headless) to change my IP.
Their client does not work in headless mode, so I am using OpenVPN.
I downloaded the Linux configuration file from ProtonVPN. I installed ProtonVPN and resolvconf.
When I start it with:
sudo openvpn conf_vpn.ovpn
it seems to work:
2023-07-31 11:21:54 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2023-07-31 11:21:54 OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
2023-07-31 11:21:54 library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.10
2023-07-31 11:21:54 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-07-31 11:21:54 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-07-31 11:21:54 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-07-31 11:21:54 TCP/UDP: Preserving recently used remote address: [AF_INET]146.70.194.98:51820
2023-07-31 11:21:54 Socket Buffers: R=[212992->212992] S=[212992->212992]
2023-07-31 11:21:54 UDP link local: (not bound)
2023-07-31 11:21:54 UDP link remote: [AF_INET]146.70.194.98:51820
2023-07-31 11:21:54 TLS: Initial packet from [AF_INET]146.70.194.98:51820, sid=69f07161 a4eee661
2023-07-31 11:21:54 VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
2023-07-31 11:21:54 VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
2023-07-31 11:21:54 VERIFY KU OK
2023-07-31 11:21:54 Validating certificate extended key usage
2023-07-31 11:21:54 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Server Authentication
2023-07-31 11:21:54 ++ Certificate has EKU (oid) 1.3.6.1.5.5.7.3.2, expects TLS Web Server Authentication
2023-07-31 11:21:54 ++ Certificate has EKU (str) 1.3.6.1.5.5.8.2.2, expects TLS Web Server Authentication
2023-07-31 11:21:54 ++ Certificate has EKU (oid) 1.3.6.1.5.5.8.2.2, expects TLS Web Server Authentication
2023-07-31 11:21:54 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-07-31 11:21:54 VERIFY EKU OK
2023-07-31 11:21:54 VERIFY OK: depth=0, CN=node-fr-21.protonvpn.net
2023-07-31 11:21:54 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1634'
2023-07-31 11:21:54 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
2023-07-31 11:21:54 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2023-07-31 11:21:54 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
2023-07-31 11:21:54 [node-fr-21.protonvpn.net] Peer Connection Initiated with [AF_INET]146.70.194.98:51820
2023-07-31 11:21:55 SENT CONTROL [node-fr-21.protonvpn.net]: 'PUSH_REQUEST' (status=1)
2023-07-31 11:21:55 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.16.0.1,sndbuf 524288,rcvbuf 524288,redirect-gateway def1,explicit-exit-notify,comp-lzo no,route-gateway 10.16.0.1,topology subnet,ping 10,ping-restart 60,socket-flags TCP_NODELAY,ifconfig 10.16.0.8 255.255.0.0,peer-id 6,cipher AES-256-GCM'
2023-07-31 11:21:55 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
2023-07-31 11:21:55 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
2023-07-31 11:21:55 OPTIONS IMPORT: timers and/or timeouts modified
2023-07-31 11:21:55 OPTIONS IMPORT: explicit notify parm(s) modified
2023-07-31 11:21:55 OPTIONS IMPORT: compression parms modified
2023-07-31 11:21:55 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2023-07-31 11:21:55 Socket Buffers: R=[212992->425984] S=[212992->425984]
2023-07-31 11:21:55 OPTIONS IMPORT: --socket-flags option modified
2023-07-31 11:21:55 NOTE: setsockopt TCP_NODELAY=1 failed
2023-07-31 11:21:55 OPTIONS IMPORT: --ifconfig/up options modified
2023-07-31 11:21:55 OPTIONS IMPORT: route-related options modified
2023-07-31 11:21:55 OPTIONS IMPORT: peer-id set
2023-07-31 11:21:55 OPTIONS IMPORT: adjusting link_mtu to 1656
2023-07-31 11:21:55 OPTIONS IMPORT: data channel crypto options modified
2023-07-31 11:21:55 Data Channel: using negotiated cipher 'AES-256-GCM'
2023-07-31 11:21:55 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-07-31 11:21:55 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-07-31 11:21:55 TUN/TAP device tun0 opened
2023-07-31 11:21:55 net_iface_mtu_set: mtu 1500 for tun0
2023-07-31 11:21:55 net_iface_up: set tun0 up
2023-07-31 11:21:55 net_addr_v4_add: 10.16.0.8/16 dev tun0
2023-07-31 11:21:55 /etc/openvpn/update-resolv-conf tun0 1500 1584 10.16.0.8 255.255.0.0 init
resolvconf: Error: Command not recognized
Usage: resolvconf (-d IFACE|-a IFACE|-u|--enable-updates|--disable-updates|--updates-are-enabled)
2023-07-31 11:21:55 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-07-31 11:21:55 Initialization Sequence Completed
But if I leave this terminal tab open, open a new tab connected over ssh, and run:
curl -s https://ipinfo.io/ip
my IP has not changed at all.
I noticed that I get this error:
resolvconf: Error: Command not recognized
But when I run (with or without sudo):
sudo /etc/openvpn/update-resolv-conf tun0 1500 1584 10.20.0.8 255.255.0.0 init
it seems to work, since I get no warning at all.
What am I forgetting?
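The log in the question is worth reading past "Initialization Sequence Completed", which only says that the tunnel came up. The two "Options error: option '...' cannot be used in this context" lines show that the server pushed redirect-gateway and dhcp-option and the client refused them, so the default route and the resolver were left alone and the public IP could not change. The following checker, added here as an example and not part of the original post, turns that reading into a verdict; the sample logs are a constructed excerpt of the question's log and a constructed clean run.

```shell
#!/bin/sh
# Added example (not from the original post): a checker for an OpenVPN client log.
# "Initialization Sequence Completed" only means the tunnel is up; the refused
# pushed options and the resolvconf error are what decide whether traffic and DNS
# actually go through it.

# Constructed excerpt of the log from the question (real lines, shortened).
SAMPLE_LOG=$(cat <<'EOF'
2023-07-31 11:21:55 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
2023-07-31 11:21:55 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
2023-07-31 11:21:55 /etc/openvpn/update-resolv-conf tun0 1500 1584 10.16.0.8 255.255.0.0 init
resolvconf: Error: Command not recognized
2023-07-31 11:21:55 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-07-31 11:21:55 Initialization Sequence Completed
EOF
)

# Constructed log of a healthy run, for comparison.
CLEAN_LOG=$(cat <<'EOF'
2023-07-31 11:21:55 net_addr_v4_add: 10.16.0.8/16 dev tun0
2023-07-31 11:21:55 Initialization Sequence Completed
EOF
)

# vpn_log_check LOGTEXT
# Prints one finding per line. Returns 0 only when the tunnel is up and nothing the
# server pushed was refused; returns 1 when traffic or DNS is likely still outside it.
vpn_log_check() {
    log=$1
    status=0
    if printf '%s\n' "$log" | grep -q 'Initialization Sequence Completed'; then
        echo "tunnel: up"
    else
        echo "tunnel: not established"
        status=1
    fi
    # Option names the client rejected from the PUSH_REPLY.
    refused=$(printf '%s\n' "$log" |
        sed -n "s/.*Options error: option '\([^']*\)' cannot be used in this context.*/\1/p")
    for opt in $refused; do
        case $opt in
            redirect-gateway) echo "refused: redirect-gateway (default route untouched, public IP will not change)" ;;
            dhcp-option)      echo "refused: dhcp-option (pushed DNS server not applied)" ;;
            *)                echo "refused: $opt" ;;
        esac
        status=1
    done
    if printf '%s\n' "$log" | grep -q '^resolvconf: Error'; then
        echo "dns: resolvconf update failed, queries keep going to the pre-VPN resolver"
        status=1
    fi
    if printf '%s\n' "$log" | grep -q 'use the auth-nocache option'; then
        echo "note: credentials are cached in memory; add auth-nocache to the config"
    fi
    return $status
}

echo "--- log from the question ---"
vpn_log_check "$SAMPLE_LOG" || echo "verdict: tunnel up but traffic/DNS not routed through it"
echo "--- clean log ---"
vpn_log_check "$CLEAN_LOG" && echo "verdict: ok"
```

Run it against the full log with `vpn_log_check "$(cat openvpn.log)"`; a non-zero exit is the signal to look at route-nopull and the resolvconf hook before trusting the tunnel.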
Answer 1
OpenVPN creates a new interface (tun0) on your machine whose "outside" end is attached to your existing interface. So any software running on your computer that wants to reach the outside world has to decide whether to send its packets through the original interface or through the openvpn interface... actually the kernel takes care of the deciding part, using the routing table. You can view the routes with:
sudo ip route -4
If you want all Internet traffic to use the VPN link, you need to tell your computer to use the router on the VPN subnet as its default route. When the openvpn client has the right configuration it takes care of the details for you. Your VPN provider should have given you that address.
Answer 2
In the end I just used a script to set up a route for the website I wanted, and removed the route-nopull directive from the openvpn config file.
#!/bin/bash
# Stop any OpenVPN client that is still running.
sudo pkill openvpn
website="www.targetedwebsite.com"
config_file="conf_vpn.ovpn"
# Start the OpenVPN client in the background.
sudo openvpn --config "$config_file" --daemon
# Give OpenVPN a few seconds to establish the connection.
sleep 5
# Use `dig` to find the IP addresses for the website.
ip_addresses=$(dig +short "$website")
# Loop over the IP addresses.
for ip_address in $ip_addresses; do
    # Skip CNAME lines; keep only entries that look like an IPv4 address.
    if [[ $ip_address =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
        # Send traffic for this host through the VPN interface.
        sudo ip route add "$ip_address/32" dev tun0
        echo "Added route for $ip_address"
    fi
done
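Answer 1 explains that the kernel picks the egress interface from the routing table, and Answer 2 works around the unchanged default route by adding /32 routes for single hosts. The example below, added here and not taken from either answer, makes that decision traceable offline: it performs the kernel's longest-prefix match over routing tables written in the text format of `ip route -4`. The tables are constructed: the VPN side (10.16.0.0/16, gateway 10.16.0.1, client 10.16.0.8, server 146.70.194.98) is taken from the question's log, while the uplink (eth0 on 203.0.113.0/24, gateway 203.0.113.1) and the per-site host 198.51.100.7 are hypothetical. The third table shows what an accepted `redirect-gateway def1` installs: two /1 routes that outrank the default route without replacing it, plus a host route that keeps the VPN server itself reachable over the real uplink.

```shell
#!/bin/sh
# Added example (not from the original answers): longest-prefix-match route lookup
# over `ip route -4` style text, to trace which interface a packet leaves on.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Netmask with PREFIX leading one-bits, as an integer (prefix 0 handled separately
# because shifting a 32-bit value by 32 is not defined).
prefix2mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    fi
}

# route_lookup DEST TABLE
# TABLE holds one route per line, e.g. "default via 203.0.113.1 dev eth0" or
# "10.16.0.0/16 dev tun0 proto kernel scope link src 10.16.0.8".
# Prints the device of the most specific matching route (the kernel's rule).
route_lookup() {
    dest=$(ip2int "$1")
    rtbl=$2
    best_len=-1
    best_dev=""
    while read -r prefix rest; do
        [ -z "$prefix" ] && continue
        case $prefix in
            default) net=0.0.0.0; len=0 ;;
            */*)     net=${prefix%/*}; len=${prefix#*/} ;;
            *)       net=$prefix; len=32 ;;
        esac
        # The interface is the word after "dev".
        dev=$(printf '%s\n' "$rest" | sed -n 's/.*dev \([^ ]*\).*/\1/p')
        mask=$(prefix2mask "$len")
        if [ $(( dest & mask )) -eq $(( $(ip2int "$net") & mask )) ] && [ "$len" -gt "$best_len" ]; then
            best_len=$len
            best_dev=$dev
        fi
    done <<EOF
$rtbl
EOF
    echo "$best_dev"
}

# Constructed table for the question's situation: redirect-gateway was refused, so
# only the VPN subnet itself uses tun0 and the default route still leaves via eth0
# (hypothetical uplink 203.0.113.0/24, gateway 203.0.113.1).
TABLE_NOPULL='default via 203.0.113.1 dev eth0
10.16.0.0/16 dev tun0 proto kernel scope link src 10.16.0.8
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10'

# Same table after the per-site /32 route from Answer 2 (hypothetical host).
TABLE_PER_SITE="$TABLE_NOPULL
198.51.100.7/32 dev tun0"

# What an accepted `redirect-gateway def1` installs: two /1 routes via the VPN
# gateway, plus a host route so the VPN server stays reachable over the uplink.
TABLE_REDIRECTED="$TABLE_NOPULL
0.0.0.0/1 via 10.16.0.1 dev tun0
128.0.0.0/1 via 10.16.0.1 dev tun0
146.70.194.98/32 via 203.0.113.1 dev eth0"

for t in NOPULL PER_SITE REDIRECTED; do
    eval "demo_table=\$TABLE_$t"
    printf '%-10s 1.1.1.1->%s  198.51.100.7->%s  146.70.194.98->%s  203.0.113.5->%s\n' "$t" \
        "$(route_lookup 1.1.1.1 "$demo_table")" "$(route_lookup 198.51.100.7 "$demo_table")" \
        "$(route_lookup 146.70.194.98 "$demo_table")" "$(route_lookup 203.0.113.5 "$demo_table")"
done
```

With the first table every Internet destination still leaves on eth0, which is exactly why `curl ipinfo.io/ip` showed the VPS's own address; the second table diverts only the one host; the third sends everything through tun0 while the local subnet (/24 beats /1) and the VPN server (/32) stay on the uplink. On the VPS itself, `ip route get 1.1.1.1` gives the kernel's answer for the live table.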