如何让 openvpn 客户端访问与 openvpn 服务器位于同一台机器上的 dns 服务器 (bind9)

tag-icon tag-icon domain-name-system vpn bind openvpn
如何让 openvpn 客户端访问与 openvpn 服务器位于同一台机器上的 dns 服务器 (bind9)

我目前有一台运行 openvpn 服务器的 debian 服务器。我还有一个 dns 服务器 (bind9),我想允许连接的 openvpn 客户端访问它,但我不确定如何做到这一点,我已经知道如何使用

push "dhcp-option DNS x.x.x.x"

但我只是不确定如何让客户端访问与 vpn 服务器位于同一台机器上的 dns 服务器,所以如果有人能给我指出正确的方向,我将不胜感激。此外,如果这与向 iptables 添加规则有关,这是我当前的 iptables 配置

# Generated by iptables-save v1.4.14 on Thu Oct 18 22:05:33 2012
*nat
:PREROUTING ACCEPT [3831842:462225238]
:INPUT ACCEPT [3820049:461550908]
:OUTPUT ACCEPT [1885011:139487044]
:POSTROUTING ACCEPT [1883834:139415168]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Oct 18 22:05:33 2012
# Generated by iptables-save v1.4.14 on Thu Oct 18 22:05:33 2012
*filter
:INPUT ACCEPT [45799:10669929]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [45747:10335026]
:fail2ban-apache - [0:0]
:fail2ban-apache-myadmin - [0:0]
:fail2ban-apache-noscript - [0:0]
:fail2ban-ssh - [0:0]
:fail2ban-ssh-ddos - [0:0]
:fail2ban-webserver-w00tw00t - [0:0]
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-myadmin
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-webserver-w00tw00t
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-noscript
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh-ddos
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fail2ban-apache -j RETURN
-A fail2ban-apache-myadmin -s 211.154.213.122/32 -j DROP
-A fail2ban-apache-myadmin -s 201.170.229.96/32 -j DROP
-A fail2ban-apache-myadmin -j RETURN
-A fail2ban-apache-noscript -j RETURN
-A fail2ban-ssh -s 76.9.59.66/32 -j DROP
-A fail2ban-ssh -s 64.13.220.73/32 -j DROP
-A fail2ban-ssh -s 203.69.139.179/32 -j DROP
-A fail2ban-ssh -s 173.10.11.146/32 -j DROP
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh-ddos -j RETURN
-A fail2ban-webserver-w00tw00t -s 217.70.51.154/32 -j DROP
-A fail2ban-webserver-w00tw00t -s 86.35.242.58/32 -j DROP
-A fail2ban-webserver-w00tw00t -j RETURN
COMMIT
# Completed on Thu Oct 18 22:05:33 2012

这是我的 openvpn 服务器配置

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group users
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
push "redirect-gateway def1"
push "dhcp-option DNS 213.133.98.98"
push "dhcp-option DNS 213.133.99.99"
push "dhcp-option DNS 213.133.100.100"
client-to-client

答案1

我只需要告诉 bind9 列出属于 openvpn 子网的 IP 地址

答案2

我通过添加到我的解决了/etc/bind/named.conf.options openvpn在这种情况下的子网,我的 LAN 是192.168.0.xxx,openvpn 是10.8.0.xxx

listen-on port 53 { localhost; 192.168.0.0/24; 10.8.0.0/24; };
allow-query { localhost; 192.168.0.0/24; 10.8.0.0/24; };

在我的 openvpn 服务器配置文件中添加了/etc/openvpn/server.conf192.168.0.124DNS 服务器地址

push "dhcp-option DOMAIN mySpecificDomain.local" 
push "dhcp-option DNS 192.168.0.124"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

我的完全的 /etc/bind/named.conf.options文件是

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable 
        // nameservers, you probably want to use them as forwarders.  
        // Uncomment the following block, and insert the addresses replacing 
        // the all-0's placeholder.

        forwarders {
                192.168.0.1;
                8.8.8.8;
                8.8.4.4;
        };  

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        //dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };

        listen-on port 53 { localhost; 192.168.0.0/24; 10.8.0.0/24; };
        allow-query { localhost; 192.168.0.0/24; 10.8.0.0/24; };
        recursion yes;
};

相关内容