我希望某些应用程序通过 OpenVPN 访问互联网。我在这个问题/线程底部的最终答案/评论中找到了解决方案: 仅通过 OpenVPN 为特定网络命名空间提供所有流量
我引用那篇文章,我遇到的问题在底部说明:
您可以在命名空间内启动 OpenVPN 链接,然后运行要在命名空间内使用该 OpenVPN 链接的每个命令。有关如何做到这一点的详细信息(不是我的工作)在这里:
http://www.naju.se/articles/openvpn-netns.html
我尝试了一下,确实有效;这个想法是提供一个自定义脚本来执行特定命名空间(而不是全局命名空间)内 OpenVPN 连接的启动和路由阶段。我引用上面的链接,以防万一它将来离线:
First create an --up script for OpenVPN. This script will create the VPN tunnel interface inside a network namespace called vpn, instead of the default namespace.
$ cat > netns-up << EOF
#!/bin/sh
case $script_type in
up)
ip netns add vpn
ip netns exec vpn ip link set dev lo up
mkdir -p /etc/netns/vpn
echo "nameserver 8.8.8.8" > /etc/netns/vpn/resolv.conf
ip link set dev "$1" up netns vpn mtu "$2"
ip netns exec vpn ip addr add dev "$1" \
"$4/${ifconfig_netmask:-30}" \
${ifconfig_broadcast:+broadcast "$ifconfig_broadcast"}
test -n "$ifconfig_ipv6_local" && \
ip netns exec vpn ip addr add dev "$1" \
"$ifconfig_ipv6_local"/112
;;
route-up)
ip netns exec vpn ip route add default via "$route_vpn_gateway"
test -n "$ifconfig_ipv6_remote" && \
ip netns exec vpn ip route add default via \
"$ifconfig_ipv6_remote"
;;
down)
ip netns delete vpn
;;
esac
然后启动 OpenVPN 并告诉它使用我们的 --up 脚本而不是执行 ifconfig 和路由。
openvpn --ifconfig-noexec --route-noexec --up netns-up --route-up netns-up --down netns-up
现在您可以像这样启动要进行隧道传输的程序:
ip netns exec vpn command
唯一的问题是您需要成为 root 才能调用 ip netns exec ...并且也许您不希望应用程序以 root 身份运行。解决方案很简单:
sudo ip netns exec vpn sudo -u $(whoami) command
我的问题:
当我尝试运行调用 netns-up 脚本的 openvpn 命令时,出现两个错误:
:/etc/openvpn$ sudo openvpn --ifconfig-noexec --route-noexec --up netns-up --route-up netns-up --down netns-up --config za1.nordvpn.com.tcp443.ovpn
(..)
Tue Mar 22 00:10:56 2016 [vpn-za.nordvpn.com] Peer Connection Initiated with [AF_INET]154.127.61.142:443
Tue Mar 22 00:10:59 2016 SENT CONTROL [vpn-za.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Tue Mar 22 00:10:59 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 78.46.223.24,dhcp-option DNS 162.242.211.137,route 10.7.7.1,topology net30,ping 5,ping-restart 30,ifconfig 10.7.7.102 10.7.7.101'
Tue Mar 22 00:10:59 2016 OPTIONS IMPORT: timers and/or timeouts modified
Tue Mar 22 00:10:59 2016 OPTIONS IMPORT: --ifconfig/up options modified
Tue Mar 22 00:10:59 2016 OPTIONS IMPORT: route options modified
Tue Mar 22 00:10:59 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Mar 22 00:10:59 2016 ROUTE_GATEWAY 192.168.1.254/255.255.255.0 IFACE=eth0 HWADDR=b8:27:eb:39:7e:46
Tue Mar 22 00:10:59 2016 TUN/TAP device tun0 opened
Tue Mar 22 00:10:59 2016 TUN/TAP TX queue length set to 100
Tue Mar 22 00:10:59 2016 netns-up tun0 1500 1592 10.7.7.102 10.7.7.101 init
Tue Mar 22 00:10:59 2016 WARNING: Failed running command (--up/--down): external program exited with error status: 1
Tue Mar 22 00:10:59 2016 Exiting due to fatal error
我尝试使用和不使用 sudo 重新创建 netns-up 脚本,但没有帮助。我究竟做错了什么?
答案1
在网络命名空间内启动 openvpn 更安全。我使用以下脚本(Schnouki 的分支)来创建命名空间、配置防火墙、DNS、测试连接、启动 openvpn,最后启动 torrent 客户端。我将 TODO 放在脚本中,您必须根据需要进行调整。
#!/bin/sh
# start openvpn tunnel and torrent client inside Linux network namespace
#
# this is a fork of schnouki's script, see original blog post
# https://schnouki.net/posts/2014/12/12/openvpn-for-a-single-application-on-linux/
#
# original script can be found here
# https://gist.github.com/Schnouki/fd171bcb2d8c556e8fdf
# ------------ adjust values below ------------
# network namespace
NS_NAME=myVPN
NS_EXEC="ip netns exec $NS_NAME"
# user for starting the torrent client
REGULAR_USER=heinzwurst
# ---------------------------------------------
# exit on unbound variable
set -u
# exit on error
set -e
set -o pipefail
# trace option
#set -x
if [ $USER != "root" ]; then
echo "This must be run as root."
exit 1
fi
start_vpn() {
echo "Add network interface"
# Create the network namespace
ip netns add $NS_NAME
# Start the loopback interface in the namespace
$NS_EXEC ip addr add 127.0.0.1/8 dev lo
$NS_EXEC ip link set lo up
# Create virtual network interfaces that will let OpenVPN (in the
# namespace) access the real network, and configure the interface in the
# namespace (vpn1) to use the interface out of the namespace (vpn0) as its
# default gateway
ip link add vpn0 type veth peer name vpn1
ip link set vpn0 up
ip link set vpn1 netns $NS_NAME up
ip addr add 10.200.200.1/24 dev vpn0
$NS_EXEC ip addr add 10.200.200.2/24 dev vpn1
$NS_EXEC ip link set dev vpn1 mtu 1492
$NS_EXEC ip route add default via 10.200.200.1 dev vpn1
# Configure the nameserver to use inside the namespace
# TODO use VPN-provided DNS servers in order to prevent leaks
mkdir -p /etc/netns/$NS_NAME
cat >/etc/netns/$NS_NAME/resolv.conf <<EOF || exit 1
nameserver 8.8.8.8
nameserver 8.8.4.4
EOF
# IPv4 NAT, you may need to adjust the interface name prefixes 'eth' 'wlan'
iptables -t nat -A POSTROUTING -o eth+ -m mark --mark 0x29a -j MASQUERADE
iptables -t nat -A POSTROUTING -o wlan+ -m mark --mark 0x29a -j MASQUERADE
iptables -t mangle -A PREROUTING -i vpn0 -j MARK --set-xmark 0x29a/0xffffffff
# TODO create firewall rules for your specific application (torrent)
# or just comment the line below
$NS_EXEC iptables-restore < /etc/iptables/iptables-$NS_NAME.rules
# we should have full network access in the namespace
$NS_EXEC ping -c 3 www.google.com
# start OpenVPN in the namespace
echo "Starting VPN"
cd /etc/openvpn
# TODO create openvpn configuration in /etc/openvpn/$NS_NAME.conf
$NS_EXEC openvpn --config $NS_NAME.conf &
# wait for the tunnel interface to come up
while ! $NS_EXEC ip link show dev tun0 >/dev/null 2>&1 ; do sleep .5 ; done
}
stop_vpn() {
echo "Stopping VPN"
ip netns pids $NS_NAME | xargs -rd'\n' kill
# TODO wait for terminate
# clear NAT
iptables -t nat -D POSTROUTING -o eth+ -m mark --mark 0x29a -j MASQUERADE
iptables -t nat -D POSTROUTING -o wlan+ -m mark --mark 0x29a -j MASQUERADE
iptables -t mangle -D PREROUTING -i vpn0 -j MARK --set-xmark 0x29a/0xffffffff
echo "Delete network interface"
rm -rf /etc/netns/$NS_NAME
ip netns delete $NS_NAME
ip link delete vpn0
}
# stop VPN on exit (even when error occured)
trap stop_vpn EXIT
start_vpn
# TODO start your favorite torrent client
$NS_EXEC sudo -u $REGULAR_USER transmission-gtk
答案2
我已经使用 Felix 提供的分叉脚本大约六个月了,直到上周它一直工作得很好(一旦我添加了 Nehal J Wani 建议的 sysctl -w net.ipv4.ip_forward=1 行并注释掉管道故障 - 否则它会崩溃)。
然而我注意到在过去的一周里它已经完全停止工作了(Debian 9.4)。我花了很多时间尝试调试出了什么问题,因为该脚本非常有用 - 但无论我尝试什么,我都无法让它再次工作。
由于这是一个非常有用的功能,我想提供 Schnouki 工作的替代分支,它可以很好地防止任何人遇到同样的问题。
https://github.com/crasm/vpnshift.sh
#!/bin/bash
#
# Copyright (c) 2016, crasm <[email protected]>
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
usage="usage: vpnshift -c <config> [<command> [<arg>...]]
optional:
-u <user> Execute <command> as <user>
-d Toggle namespace debug shell
if not otherwise specified:
- The command defaults to the user's shell (${SHELL}).
- The user must be inferred from sudo.
"
quick_die() {
format="$1"; shift
>&2 printf "${format}\n" "$@"
exit 1
}
die() {
format="$1"; shift
>&2 printf "${format}\n" "$@"
clean_exit 1
}
hush() {
eval "$@" > /dev/null 2> /dev/null
}
must() {
eval "$@" || die "failed: %s" "$*"
}
is_running() {
local pid="$1"
hush kill -s 0 "${pid}"
}
sig_kill() {
local pid="$1"
hush kill -s KILL "${pid}"
}
sig_term() {
local pid="$1"
hush kill -s TERM "${pid}"
}
clean_exit() {
local exit_code="$1"
if is_running "${openvpn_pid}"; then
# Kill openvpn.
sig_term "${openvpn_pid}"
>&2 printf "stopping openvpn (pid = %d)." "${openvpn_pid}"
for i in {1..100}; do
if is_running "${openvpn_pid}"; then
sleep 0.1
printf "."
else
break
fi
done
printf "\n"
if is_running "${openvpn_pid}"; then
>&2 echo "forced to kill openvpn"
sig_kill "${openvpn_pid}"
fi
else
>&2 echo "openvpn exited"
fi
# don't start cleaning up until openvpn is gone
hush ip netns delete "${namespace}"
hush rm --recursive --force "${namespace_dir}"
hush sysctl --quiet net.ipv4.ip_forward="${forward}"
if hush ps -C 'firewalld'; then
echo "[firewalld] clearing firewalld state"
hush systemctl restart firewalld
else
echo "${rules}" | hush iptables-restore
fi
# Sometimes there's a lag for the veths to be deleted by linux, so we
# delete it manually.
hush ip link delete "${veth_default}"
hush ip link delete "${veth_vpn}"
exit "${exit_code}"
}
nsdo() {
ip netns exec "${namespace}" "$@"
}
_debug=0
main() {
local config=
local user="${SUDO_USER}"
while getopts "hdc:u:" opt; do
case "${opt}" in
h) quick_die "${usage}" ;;
d) _debug=1 ;;
c) config="$(realpath "${OPTARG}")" ;;
u) user="${OPTARG}" ;;
*) quick_die "unknown option: %s" "${opt}" ;;
esac
done
shift $(( OPTIND - 1 ))
if [[ -z "${config}" ]]; then
quick_die "openvpn config is required"
fi
if [[ -z "${user}" ]]; then
quick_die "user must be provided explicitly via '-u' or implicitly via SUDO_USER"
fi
local cmd="$1"; shift
if [[ -z "${cmd}" ]]; then
cmd="${SHELL}"
fi
must ip netns add vpnshift
must mkdir --parents "${namespace_dir}"
# Set up loopback interface
must nsdo ip address add '127.0.0.1/8' dev lo
must nsdo ip address add '::1/128' dev lo
must nsdo ip link set lo up
# Set up veth tunnel
must ip link add "${veth_vpn}" type veth peer name "${veth_default}"
must ip link set "${veth_vpn}" netns "${namespace}"
must ip link set "${veth_default}" up
must nsdo ip link set "${veth_vpn}" up
must ip address add "10.10.10.10/31" dev "${veth_default}"
must nsdo ip \
address add "10.10.10.11/31" dev "${veth_vpn}"
must nsdo ip \
route add default via "10.10.10.10" dev "${veth_vpn}"
# Set up NAT and IP forwarding
must sysctl --quiet net.ipv4.ip_forward=1
# check if we need to enable masquerading via firewalld for veth_default
if hush ps -C 'firewalld'; then
echo "[firewalld] enabling firewalld based masquerading for ${veth_default}"
if [[ $(firewall-cmd --get-zones | grep "${namespace}") != *"${namespace}"* ]]
then
echo "[firewalld] creating permanent new zone ${namespace} with target default"
must firewall-cmd -q --permanent --new-zone="${namespace}"
must firewall-cmd -q --permanent --zone="${namespace}" --set-target="default"
must firewall-cmd -q --reload
fi
# add interface to our zone
echo "[firewalld] adding ${veth_default} and ${veth_vpn} to zone ${namespace}"
must firewall-cmd -q --zone="${namespace}" --change-interface="${veth_default}"
# apply our source range to our zone
echo "[firewalld] adding 10.10.10.10/31 as source for ${namespace}"
must firewall-cmd -q --zone="${namespace}" --add-source=10.10.10.10/31
# enable masquerading from our new source range on the default zone
default_zone=$(firewall-cmd --get-default-zone)
echo "[firewalld] enabling masquerading on default zone: ${default_zone}"
must firewall-cmd -q --zone="${default_zone}" --add-masquerade
must firewall-cmd -q --zone="${default_zone}" --add-rich-rule=\'rule family="ipv4" source address="10.10.10.10/31" masquerade\'
# optionally allow ports, services, etc. on our zone
# enabling desired ports
#echo "enabling all port traffic on zone ${namespace}"
#must firewall-cmd -q --zone="${namespace}" --add-port=1025-65535/udp
#must firewall-cmd -q --zone="${namespace}" --add-port=1025-65535/tcp
# enable services
#echo "enabling dns on zone ${namespace}"
#must firewall-cmd -q --zone="${namespace}" --add-service=dns
else
must iptables --table "nat" --append "POSTROUTING" --jump "MASQUERADE" --source "10.10.10.10/31"
fi
# Set up DNS inside the new namespace
printf > "${namespace_dir}/resolv.conf" \
"nameserver %s\nnameserver %s\n" \
"108.62.19.131" \
"104.238.194.235"
# drop in a shell to debug namespace connectivity ... the exit trap will catch exit from this and clean up
if [[ "$_debug" == 1 ]]; then
nsdo "${SHELL}"
fi
# Launch openvpn
local tun="tunvpn"
nsdo openvpn \
--cd "$(dirname "${config}")" \
--config "${config}" \
--dev "${tun}" \
--errors-to-stderr &
openvpn_pid=$(ps --ppid "$!" \
--format "pid" \
--no-headers
)
>&2 printf "waiting for openvpn (pid = %d)\n" "${openvpn_pid}"
while ! hush nsdo ip link show "${tun}"; do
if ! is_running "${openvpn_pid}"; then
clean_exit 1
fi
sleep 0.2
done
# Removing the default route protects from exposure if openvpn exits
# prematurely.
must nsdo ip \
route delete default via "10.10.10.10" dev "${veth_vpn}"
nsdo sudo -u "${user}" "${cmd}" "$@"
}
if [[ $# == 0 ]]; then
quick_die "${usage}"
elif [[ "$(id -u)" != 0 ]]; then
sudo "$0" "$@"
exit "$?"
fi
# Stuff needed by clean_exit() to restore previous state.
namespace="vpnshift"
namespace_dir="/etc/netns/${namespace}"
forward="$(sysctl --values "net.ipv4.ip_forward")"
rules="$(iptables-save -t nat)"
veth_default="veth_default"
veth_vpn="veth_vpn"
openvpn_pid= # This is set later.
# Enable cleanup routine.
trap 'clean_exit 1' INT TERM
trap 'clean_exit $?' EXIT
main "$@"
答案3
我有一台计算机通过有线以太网连接到 LAN,这使我能够采取一些不同的策略:桥接!它允许 LAN 的 DHCP 服务器向主机和 vpn 命名空间授予单独的地址,并授予 vpn 命名空间直接访问互联网!无需修改 iptables 或手动指定 IP 地址!这是我在命令中的整个解决方案。
# Make the netns.
ip netns add vpn
ip link add br0 type bridge
ip link set br0 up
# Make the inter-namespace pipe and bridge the host end.
ip link add veth.host type veth peer veth.vpn
ip link set veth.host master br0 up
ip link set veth.vpn netns vpn up
# Bridge the wired ethernet.
ip link set eth0 master br0 up
# Start dhcpcd on the bridge for the host to use and on veth.vpn
# for the vpn netns to use. The router will grant separate IP
# addresses to both! (They have different MAC addresses.)
dhcpcd br0
ip netns exec vpn dhcpcd veth.vpn
# OK, now start the VPN.
ip netns exec vpn openvpn --config etc etc etc
设置相当简单。