I have a problem: "after an openvpn connection with dns push configured, NetworkManager does not update /etc/resolv.conf".
Here is my openvpn server config (for security reasons I changed the domain to ABC.COM ;))
########################################
# Sample OpenVPN config file for
# 2.0-style multi-client udp server
#
# Adapted from http://openvpn.sourceforge.net/20notes.html
#
# tun-style tunnel
port 1194
dev tun
# Use "local" to set the source address on multi-homed hosts
#local [IP address]
# TLS parms
tls-server
ca keys/ca.crt
cert keys/static.crt
key keys/static.key
dh keys/dh1024.pem
proto tcp-server
# Tell OpenVPN to be a multi-client udp server
mode server
# The server's virtual endpoints
ifconfig 10.8.0.1 10.8.0.2
# Pool of /30 subnets to be allocated to clients.
# When a client connects, an --ifconfig command
# will be automatically generated and pushed back to
# the client.
ifconfig-pool 10.8.0.4 10.8.0.255
# Push route to client to bind it to our local
# virtual endpoint.
push "route 10.8.0.1 255.255.255.255"
push "dhcp-option DNS 10.8.0.1"
# Push any routes the client needs to get in
# to the local network.
#push "route 192.168.0.0 255.255.255.0"
# Push DHCP options to Windows clients.
push "dhcp-option DOMAIN ABC.COM"
#push "dhcp-option DNS 192.168.0.1"
#push "dhcp-option WINS 192.168.0.1"
# Client should attempt reconnection on link
# failure.
keepalive 10 60
# Delete client instances after some period
# of inactivity.
inactive 600
# Route the --ifconfig pool range into the
# OpenVPN server.
route 10.8.0.0 255.255.255.0
# The server doesn't need privileges
user openvpn
group openvpn
# Keep TUN devices and keys open across restarts.
persist-tun
persist-key
verb 4
As you can see, it is basically the sample config with a few small tweaks.
Now..
On my computer (the openvpn client) I can see that dns works fine:
{17:12}/etc/NetworkManager ➭ nslookup git.ABC.COM 10.8.0.1
Server: 10.8.0.1
Address: 10.8.0.1#53
Name: git.ABC.COM
Address: 10.8.0.1
{17:18}/etc/NetworkManager ➭ nslookup ABC.COM 10.8.0.1
Server: 10.8.0.1
Address: 10.8.0.1#53
Name: ABC.COM
Address: 18X.XX.XX.71
The openvpn log on the server side shows (if I understand it correctly) that DNS was pushed:
openvpn[13257]: TCPv4_SERVER link remote: [AF_INET]83.30.135.214:37658
openvpn[13257]: 83.30.135.214:37658 TLS: Initial packet from [AF_INET]83.30.135.214:37658, sid=3251df51 915772f3
openvpn[13257]: 83.30.135.214:37658 VERIFY OK: depth=1, C=XX, ST=XX, L=XXX, O=XXX, OU=XXX, CN=XXX, name=XXX, [email protected]
openvpn[13257]: 83.30.135.214:37658 VERIFY OK: depth=0, C=XX, ST=XX, L=XXX, O=XXX, OU=XXX, CN=XXX, name=XXX, [email protected]
openvpn[13257]: 83.30.135.214:37658 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
openvpn[13257]: 83.30.135.214:37658 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
openvpn[13257]: 83.30.135.214:37658 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
openvpn[13257]: 83.30.135.214:37658 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
openvpn[13257]: 83.30.135.214:37658 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
openvpn[13257]: 83.30.135.214:37658 [jacek] Peer Connection Initiated with [AF_INET]83.30.135.214:37658
openvpn[13257]: jacek/83.30.135.214:37658 MULTI_sva: pool returned IPv4=10.8.0.10, IPv6=(Not enabled)
openvpn[13257]: jacek/83.30.135.214:37658 MULTI: Learn: 10.8.0.10 -> jacek/83.30.135.214:37658
openvpn[13257]: jacek/83.30.135.214:37658 MULTI: primary virtual IP for jacek/83.30.135.214:37658: 10.8.0.10
openvpn[13257]: jacek/83.30.135.214:37658 PUSH: Received control message: 'PUSH_REQUEST'
openvpn[13257]: jacek/83.30.135.214:37658 send_push_reply(): safe_cap=940
openvpn[13257]: jacek/83.30.135.214:37658 SENT CONTROL [jacek]: 'PUSH_REPLY,route 10.8.0.1 255.255.255.255,dhcp-option DNS 10.8.0.1,dhcp-option DOMAIN ABC.COM,ping 10,ping-restart 60,ifconfig 10.8.0.10 10.8.0.9' (status=1)
openvpn log on my side:
Aug 05 17:13:55 localhost.localdomain openvpn[1198]: TCPv4_CLIENT link remote: [AF_INET]XXX.XX.37.71:1194
Aug 05 17:13:55 localhost.localdomain openvpn[1198]: TLS: Initial packet from [AF_INET]XXX.XX.37.71:1194, sid=89cc981c d57dd826
Aug 05 17:13:56 localhost.localdomain openvpn[1198]: VERIFY OK: depth=1, C=XX, ST=XX, L=XXX, O=XXX, OU=XXX, CN=XXX, name=XXX, [email protected]
Aug 05 17:13:56 localhost.localdomain openvpn[1198]: VERIFY OK: depth=0, C=XX, ST=XX, L=XXX, O=XXX, OU=XXX, CN=XXX, name=XXX, [email protected]
Aug 05 17:13:58 localhost.localdomain openvpn[1198]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Aug 05 17:13:58 localhost.localdomain openvpn[1198]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 05 17:13:58 localhost.localdomain openvpn[1198]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Aug 05 17:13:58 localhost.localdomain openvpn[1198]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 05 17:13:58 localhost.localdomain openvpn[1198]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Aug 05 17:13:58 localhost.localdomain openvpn[1198]: [static] Peer Connection Initiated with [AF_INET]XXX.XX.37.71:1194
Aug 05 17:14:00 localhost.localdomain openvpn[1198]: SENT CONTROL [static]: 'PUSH_REQUEST' (status=1)
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1 255.255.255.255,dhcp-option DNS 10.8.0.1,dhcp-option DOMAIN ABC.COM,ping 10,ping-restart 60,ifconfig 10.8.0.10 10.8.0.9'
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: OPTIONS IMPORT: timers and/or timeouts modified
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: OPTIONS IMPORT: --ifconfig/up options modified
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: OPTIONS IMPORT: route options modified
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: ROUTE_GATEWAY 10.123.123.1/255.255.255.0 IFACE=wlan0 HWADDR=44:6d:57:32:81:2e
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: TUN/TAP device tun0 opened
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: TUN/TAP TX queue length set to 100
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: /usr/sbin/ip link set dev tun0 up mtu 1500
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: /usr/sbin/ip addr add dev tun0 local 10.8.0.10 peer 10.8.0.9
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: /usr/sbin/ip route add 10.8.0.1/32 via 10.8.0.9
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: Initialization Sequence Completed
Everything looks fine.
But. I also checked /var/log/messages... and found this line:
Aug 5 17:14:01 localhost NetworkManager[761]: <warn> /sys/devices/virtual/net/tun0: couldn't determine device driver; ignoring...
ip a returns:
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/none
inet 10.8.0.10 peer 10.8.0.9/32 scope global tun0
valid_lft forever preferred_lft forever
route -n returns:
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.123.123.1 0.0.0.0 UG 0 0 0 wlan0
10.8.0.1 10.8.0.9 255.255.255.255 UGH 0 0 0 tun0
10.8.0.9 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.123.123.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
So basically everything works, except that DNS is pushed... oh! right, my /etc/resolv.conf:
# Generated by NetworkManager
domain home
search home
nameserver 10.123.123.1
Where is the problem?
(I got a reply from a Windows user who uses the openvpn client: DNS works fine on his side, so it is a problem on my side.
OK, now I have another response (after I restarted the openvpn service on the server side) - it doesn't work.
I must say it worked fine on my computer yesterday too.. so did I break something on the server? What could it be?)
EDIT: OK, I got another reaction from a Windows user (the same one as before) - it works fine now. So... I guess it was caused by the openvpn restart and some delay. I haven't done anything since then. So we're back to my machine.
I also found that the strange tun0 message was there yesterday too, when it was working. Or did I add the resolv.conf entry myself? I don't remember... (damn)
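A small diagnostic for exactly the gap described in the question, added here as an example and not part of the original post: it pulls the dhcp-option DNS / DOMAIN values out of the PUSH_REPLY line that the client (or the server) logs, and checks whether the resolv.conf text actually carries them. The two sample inputs are constructed from the question's own log line and resolv.conf; on a live system you would feed it `journalctl -u openvpn` output and `/etc/resolv.conf` instead.

```shell
#!/bin/sh
# Added example: compare what the OpenVPN server pushed with what resolv.conf contains.

# Constructed sample: the PUSH_REPLY line from the question's client log.
SAMPLE_PUSH_REPLY="Aug 05 17:14:01 localhost.localdomain openvpn[1198]: PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1 255.255.255.255,dhcp-option DNS 10.8.0.1,dhcp-option DOMAIN ABC.COM,ping 10,ping-restart 60,ifconfig 10.8.0.10 10.8.0.9'"

# Constructed sample: the resolv.conf from the question (NetworkManager never touched it).
SAMPLE_RESOLV_CONF="# Generated by NetworkManager
domain home
search home
nameserver 10.123.123.1"

# pushed_option <log line> <DNS|DOMAIN>
# Prints the value(s) of the given dhcp-option from a PUSH_REPLY log line, one per line.
# Works for both the client's "Received control message" line and the server's
# "SENT CONTROL" line, since both quote the same PUSH_REPLY string.
pushed_option() {
    printf '%s\n' "$1" | sed -e "s/.*'PUSH_REPLY,//" -e "s/'.*$//" | tr ',' '\n' \
        | sed -n "s/^dhcp-option $2 //p"
}

# resolv_has_nameserver <resolv.conf text> <ip>
# Returns 0 if the text has an active (uncommented) "nameserver <ip>" line.
resolv_has_nameserver() {
    printf '%s\n' "$1" | grep -v '^#' | grep -qxF "nameserver $2"
}

# check_pushed_dns <log line> <resolv.conf text>
# Returns 0 when every pushed DNS server is present in resolv.conf, 1 otherwise.
# (If the server pushed no DNS option at all there is nothing to check and it returns 0.)
check_pushed_dns() {
    line="$1"; resolv="$2"; missing=0
    for dns in $(pushed_option "$line" DNS); do
        if resolv_has_nameserver "$resolv" "$dns"; then
            echo "ok: pushed DNS $dns is in resolv.conf"
        else
            echo "MISSING: pushed DNS $dns is not in resolv.conf"
            missing=1
        fi
    done
    domain=$(pushed_option "$line" DOMAIN)
    if [ -n "$domain" ] && ! printf '%s\n' "$resolv" | grep -v '^#' | grep -qw "$domain"; then
        echo "note: pushed DOMAIN $domain is not in the domain/search lines"
    fi
    return $missing
}

# Usage with the constructed samples: reports that 10.8.0.1 is missing and ABC.COM is absent.
check_pushed_dns "$SAMPLE_PUSH_REPLY" "$SAMPLE_RESOLV_CONF" \
    || echo "resolv.conf does not reflect what the server pushed"
```

The point of running this as a script rather than eyeballing the logs is that it separates the two halves of the problem: the OpenVPN side (did a PUSH_REPLY with dhcp-option DNS arrive?) and the resolver side (did anything write it into resolv.conf?). In the question the first half is fine and the second is where it breaks.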
Answer 1
This worked for me: http://www.softwarepassion.com/solving-dns-problems-with-openvpn-on-ubuntu-box/
The important step is to add these three config lines to your client openvpn config file:
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
Also make sure the resolvconf package is installed on the client, because the update-resolv-conf script depends on it.
It works with the openvpn client service or with the command to start it manually.
However, the Ubuntu network manager doesn't have this. So far this is an open issue: https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1211110
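To show what the `up`/`down` lines in this answer actually give the script to work with, here is an added illustration (my own code, not the update-resolv-conf script that the answer points at): OpenVPN exports every pushed option it cannot apply itself, such as `dhcp-option` on Linux, to the script's environment as `foreign_option_1`, `foreign_option_2`, ... and also sets `dev` and `script_type`. The function below turns those variables into resolv.conf lines, which is the same transformation update-resolv-conf performs before handing the result to `resolvconf -a`. The sample environment in `demo` is constructed to match the PUSH_REPLY in the question.

```shell
#!/bin/sh
# Added example: what an OpenVPN --up/--down script sees when DNS options are pushed.

# resolv_lines_from_env
# Walks foreign_option_1..N in the environment and prints resolv.conf-style lines:
#   "dhcp-option DNS <ip>"      -> "nameserver <ip>"
#   "dhcp-option DOMAIN <name>" -> "search <name>"
# Stops at the first unset foreign_option_N, since OpenVPN numbers them contiguously.
resolv_lines_from_env() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)    printf 'nameserver %s\n' "${opt#dhcp-option DNS }" ;;
            "dhcp-option DOMAIN "*) printf 'search %s\n'     "${opt#dhcp-option DOMAIN }" ;;
            *) ;;   # other options (e.g. WINS) are not resolv.conf material
        esac
        i=$((i + 1))
    done
    return 0
}

# apply_resolv_lines <interface> <up|down>
# On "up", hands the generated lines to resolvconf for the tun interface; on "down",
# withdraws them again. The answer points "up" and "down" at the same script, which
# works because OpenVPN passes the action in $script_type and the device in $dev.
# In a real script the call would be:  apply_resolv_lines "$dev" "$script_type"
apply_resolv_lines() {
    dev="$1"; action="$2"
    case "$action" in
        up)   resolv_lines_from_env | resolvconf -a "$dev.openvpn" ;;
        down) resolvconf -d "$dev.openvpn" ;;
    esac
}

# demo: constructed sample environment, as OpenVPN would set it for the
# "dhcp-option DNS 10.8.0.1,dhcp-option DOMAIN ABC.COM" push in the question,
# run in a subshell so the caller's environment is left alone.
demo() (
    foreign_option_1="dhcp-option DNS 10.8.0.1"
    foreign_option_2="dhcp-option DOMAIN ABC.COM"
    foreign_option_3="dhcp-option WINS 192.168.0.1"
    resolv_lines_from_env
)

demo
```

This is also why the answer needs `script-security 2`: without it OpenVPN refuses to execute the `up`/`down` scripts at all, and the pushed options stay in the environment of a script that never runs.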
Answer 2
It worked for me after disabling NetworkManager's own dnsmasq.
Edit /etc/NetworkManager/NetworkManager.conf
#dns=dnsmasq
and restart NetworkManager
sudo restart network-manager
Answer 3
What finally worked (with the standard NetworkManager and the OVPN plugin):
nmcli -p connection modify MY_VPN_CONNECTION ipv4.never-default no
nmcli -p connection modify MY_VPN_CONNECTION ipv4.ignore-auto-dns no
nmcli -p connection modify MY_VPN_CONNECTION ipv4.dns-priority -42
In this case, once the VPN connection is established all DNS requests are directed to the DNS server provided by the VPN, without any fiddling with dnsmasq or up/down/dispatch helper scripts.
Answer 4
NetworkManager can be made to work by replacing /etc/resolv.conf by hand. Note that this is a hack and cannot be considered a valid solution for every case.
#!/bin/bash
# NetworkManager dispatcher script: $1 is the interface, $2 is the action.
case "$2" in
vpn-up)
    tmp=$(mktemp)
    func=$(mktemp)
    # Helper run once per candidate nameserver: print the address only if it answers a ping.
    echo 'ping -c 1 -w 1 -q $1 > /dev/null ;
    if [ 0 -eq $? ]; then echo $1; fi' > $func
    # Keep the current (non-comment) resolv.conf lines; they go after the VPN servers.
    grep -v "^#" /etc/resolv.conf > $tmp
    # Collect the dns= entries of every NetworkManager VPN profile, split the
    # ";"-separated list, drop empty lines, keep only the reachable servers,
    # turn them into "nameserver" lines and put them in front of the old contents.
    grep -rl type=vpn /etc/NetworkManager/system-connections \
        | xargs -n 1 sed -rne 's|dns=||p' \
        | sed -re 's|;|\n|g' \
        | grep -v "^\s*$" \
        | xargs -n 1 bash $func \
        | sed -re "s|(.*)|nameserver \1|" \
        | cat - $tmp \
        > /etc/resolv.conf
    rm -f $tmp $func;;
vpn-down) resolvconf -u;;   # let resolvconf regenerate the file when the VPN goes down
esac
This script should be placed under /etc/NetworkManager/dispatcher.d; it should be executable and owned by root. It reads all the NetworkManager vpn configs it can find and rewrites /etc/resolv.conf with the reachable nameservers found there. It does not write the domain and search lines; but it lets you forget about the annoying NetworkManager bug.
I use Ubuntu 16.04 and it works.