Ubuntu 18.04 LTS: OpenVPN and dnsmasq not applied to the VPN tunnel

I recently ran into this problem. It looks fairly common, but none of the solutions I found worked - so please don't judge me for starting a new thread without doing research. On to the main topic:

I bought a VPS at nazwa.pl and tried to configure it as my OpenVPN and DNS server (for my private projects). I have OpenVPN running and it works fine there (except for DNS on the clients). dnsmasq also works fine locally. But it is not applied automatically to the VPN tunnel interface (tun0). When I add the DNS server to /etc/resolv.conf by hand it works fine, but manually editing any kind of config file doesn't seem like a good approach ;). My question is: what changes should I make to my configuration so that OpenVPN + dnsmasq start applying their changes to the tun0 interface?

Server:

  • Ubuntu 18.04
  • dnsmasq 2.79 with: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
  • OpenVPN 2.4.4 with enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

Here are my configs and log files:

/etc/openvpn/server/server.conf:

local 77.55.XXX.XXX
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
explicit-exit-notify

client.ovpn

client
dev tun
proto udp
remote 77.55.XXX.XXX 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3
script-security 2
# I have both services on the server 
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
down-pre
<ca>
... certs here

dnsmasq.conf:

address=/public-domain.com/77.XXX.XXX.XXX
listen-address=127.0.0.1
listen-address=10.8.0.1
bind-interfaces
no-hosts
addn-hosts=/etc/dnsmasq.hosts
expand-hosts
domain=netps

OpenVPN & dnsmasq server iptables:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DROP       icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            
DROP       tcp  --  anywhere             anywhere             multiport dports http,https ctstate NEW,ESTABLISHED
ACCEPT     tcp  --  10.8.0.0/24          anywhere             multiport dports http,https ctstate NEW,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:domain

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  10.8.0.0/24          anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain state NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain state NEW

VPN server systemd-resolve --status:

Global
     DNS Servers: 127.0.0.1
                  10.8.0.1
                  1.1.1.1
                  8.8.8.8
      DNSSEC NTA: 10.in-addr.arpa
                  16.172.in-addr.arpa
                  168.192.in-addr.arpa
                  17.172.in-addr.arpa
                  18.172.in-addr.arpa
                  19.172.in-addr.arpa
                  20.172.in-addr.arpa
                  21.172.in-addr.arpa
                  22.172.in-addr.arpa
                  23.172.in-addr.arpa
                  24.172.in-addr.arpa
                  25.172.in-addr.arpa
                  26.172.in-addr.arpa
                  27.172.in-addr.arpa
                  28.172.in-addr.arpa
                  29.172.in-addr.arpa
                  30.172.in-addr.arpa
                  31.172.in-addr.arpa
                  corp
                  d.f.ip6.arpa
                  home
                  internal
                  intranet
                  lan
                  local
                  private
                  test
Link 3 (tun0)
      Current Scopes: none
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

VPN client systemd-resolve --status:

Global
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
      DNSSEC NTA: 10.in-addr.arpa
                  16.172.in-addr.arpa
                  168.192.in-addr.arpa
                  17.172.in-addr.arpa
                  18.172.in-addr.arpa
                  19.172.in-addr.arpa
                  20.172.in-addr.arpa
                  21.172.in-addr.arpa
                  22.172.in-addr.arpa
                  23.172.in-addr.arpa
                  24.172.in-addr.arpa
                  25.172.in-addr.arpa
                  26.172.in-addr.arpa
                  27.172.in-addr.arpa
                  28.172.in-addr.arpa
                  29.172.in-addr.arpa
                  30.172.in-addr.arpa
                  31.172.in-addr.arpa
                  corp
                  d.f.ip6.arpa
                  home
                  internal
                  intranet
                  lan
                  local
                  private
                  test

Link 58 (tun0)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 1.1.1.1
     DNS Servers: 1.1.1.1
                  1.0.0.1
      DNS Domain: ~.

Syslog:

Jan  2 14:17:40 serverXXXXXX openvpn[3053]: MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Jan  2 14:17:40 serverXXXXXX openvpn[3053]: MULTI: Learn: 10.8.0.2 -> npsclient/91.90.XXX.XXX:40266
Jan  2 14:17:40 serverXXXXXX openvpn[3053]: MULTI: primary virtual IP for npsclient/91.90.XXX.XXX:40266: 10.8.0.2
Jan  2 14:17:41 serverXXXXXX openvpn[3053]: npsclient/91.90.XXX.XXX:40266 PUSH: Received control message: 'PUSH_REQUEST'
Jan  2 14:17:41 serverXXXXXX openvpn[3053]: npsclient/91.90.XXX.XXX:40266 SENT CONTROL [npsclient]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Jan  2 14:17:41 serverXXXXXX openvpn[3053]: npsclient/91.90.XXX.XXX:40266 Data Channel: using negotiated cipher 'AES-256-GCM'
Jan  2 14:17:41 serverXXXXXX openvpn[3053]: npsclient/91.90.XXX.XXX:40266 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan  2 14:17:41 serverXXXXXX openvpn[3053]: npsclient/91.90.XXX.XXX:40266 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

As you can see in the syslog, DNS is not pushed to the client, but that is not surprising, because according to systemd-resolve --status there is no valid DNS server for the tun0 interface on the VPN server. I can only guess that the problem is on the dnsmasq side, but I don't know where and how to fix it.

Edit: contents of /etc/dnsmasq.hosts

10.8.0.1 gitlab.netps
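The question above hinges on how pushed dhcp-options reach the client's tun0 link. As an added example (not part of the original post, and not the update-systemd-resolved script that client.ovpn calls), here is a minimal POSIX sh up/down hook that turns the `foreign_option_N` variables OpenVPN exports into per-link `systemd-resolve` settings, so nothing has to edit /etc/resolv.conf by hand. The hook path `/etc/openvpn/resolved-hook.sh` is an assumption; the `--interface`, `--set-dns`, `--set-domain` and `--revert` options are those documented for systemd 237, which Ubuntu 18.04 ships (`resolvectl` is the newer front end). One caveat worth keeping in mind when reading the client status above: systemd-resolved treats all servers on one link as equivalent and tries them in turn rather than splitting by domain, so with 10.8.0.1, 1.1.1.1 and 1.0.0.1 all pushed for tun0 and `Current DNS Server: 1.1.1.1`, a lookup for gitlab.netps can go to the public resolver, which fails and exposes the internal name. Pushing only the VPN resolver (and letting it forward public names upstream) avoids that.

```sh
#!/bin/sh
# Minimal OpenVPN up/down hook that hands pushed DNS options to systemd-resolved
# per link instead of editing /etc/resolv.conf. Added example, not the
# update-systemd-resolved script referenced in client.ovpn.
#
# With "script-security 2" OpenVPN runs the hook with these variables set:
#   $script_type       "up" or "down"
#   $dev               the tunnel interface, e.g. tun0
#   $foreign_option_N  one per pushed dhcp-option, e.g.
#                      foreign_option_1="dhcp-option DNS 10.8.0.1"
#                      foreign_option_2="dhcp-option DOMAIN netps"
#
# Client config lines (hook path is an assumption):
#   script-security 2
#   up   /etc/openvpn/resolved-hook.sh
#   down /etc/openvpn/resolved-hook.sh
#   down-pre

# Convert foreign_option_1..N into systemd-resolve arguments, one per line:
#   "dhcp-option DNS 10.8.0.1" -> --set-dns=10.8.0.1
#   "dhcp-option DOMAIN netps" -> --set-domain=netps
# Other dhcp-option kinds (WINS, NTP, ...) are ignored on purpose.
resolved_args_from_env() {
    i=1
    while :; do
        eval "opt=\${foreign_option_${i}:-}"
        [ -n "$opt" ] || break
        set -- $opt
        if [ "$1" = "dhcp-option" ] && [ $# -eq 3 ]; then
            case "$2" in
                DNS)    echo "--set-dns=$3" ;;
                DOMAIN) echo "--set-domain=$3" ;;
            esac
        fi
        i=$((i + 1))
    done
}

# Apply or revert the per-link settings. $1 = up|down, $2 = interface name.
# Returns 1 when "up" is called without any pushed DNS option, so the failure
# shows up in the OpenVPN log instead of silently keeping the old resolver.
apply_resolved() {
    case "$1" in
        up)
            args=$(resolved_args_from_env)
            if [ -z "$args" ]; then
                echo "resolved-hook: no dhcp-option DNS pushed for $2" >&2
                return 1
            fi
            # $args is intentionally unquoted: one option per line, no spaces inside.
            systemd-resolve --interface="$2" $args
            ;;
        down)
            # Drop everything this hook set on the link; other links are untouched.
            systemd-resolve --interface="$2" --revert
            ;;
    esac
}

case "${script_type:-}" in
    up|down) apply_resolved "$script_type" "${dev:?interface name missing}" ;;
    *) echo "resolved-hook: meant to be run by OpenVPN as an up/down script" >&2 ;;
esac
```

After connecting, `systemd-resolve --status tun0` should list the pushed server under "DNS Servers" for that link; if the "up" branch returned 1, check the server log's PUSH_REPLY line for the `dhcp-option DNS` entries, since the hook can only apply what was actually pushed.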

Answer 1

After several days of trying and a lot of research, I found that the key problem here is related to the systemd-resolve mechanism. In short: it stores each DNS server's response/status in a cache, and if anything goes wrong during configuration it ignores the whole server :/. This case is described in detail in this thread: https://github.com/systemd/systemd/issues/5755

The only solution I have found so far is to edit the /etc/resolv.conf file by hand...
