VPN 터널을 통해 모든 네트워크 트래픽을 보안 인터넷 연결로 전달하는 방법에 대한 TinC 가이드를 따르려고 합니다. 일반적인 안전하지 않은 커피숍 연결 유형 문제입니다.
어쨌든 저는 TinC를 사용하고 있으며 문제 없이 서버에 연결할 수 있지만 이 연결을 통해 인터넷 트래픽을 라우팅하지는 않습니다. 내 공용 IP가 VPN의 보안 측면에서 기대하는 IP와 여전히 다르기 때문에 이를 확신합니다.
다음은 연결된 설정이지만 Tinc-up을 위한 인터넷 트래픽은 없습니다.
ip link set $INTERFACE up
ip addr add 10.0.0.3/32 dev $INTERFACE
ip route add 10.0.0.0/24 dev $INTERFACE
이것은 주석 다운입니다.
ip route del 10.0.0.0/24 dev $INTERFACE
ip addr del 10.0.0.3/32 dev $INTERFACE
ip link set $INTERFACE down
클라이언트 호스트 파일은 다음과 같습니다.
Subnet = 10.0.0.3/32
이것은 서버 호스트 파일입니다.
Address = foo.bar.net
Port = 655
Subnet = 10.0.0.1/32
....괜찮습니다... 다음은 몇 가지 샘플 출력입니다.
foo@local:~ » route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.254 0.0.0.0 UG 202 0 0 enp0s3
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 alpha
192.168.0.0 0.0.0.0 255.255.255.0 U 202 0 0 enp0s3
그러나 나는 여기서 이 가이드를 따르려고 노력했습니다. https://www.tinc-vpn.org/examples/redirect-gateway/
새로운 조정:
set -x
ip link set dev $INTERFACE up
#ip addr add 10.0.0.3/32 dev $INTERFACE
#ip route add 10.0.0.0/24 dev $INTERFACE
VPN_GATEWAY=10.0.0.0
ORIGINAL_GATEWAY=`ip route show | grep ^default | cut -d ' ' -f 2-5`
ip route add $REMOTEADDRESS $ORIGINAL_GATEWAY
ip route add $VPN_GATEWAY dev $INTERFACE
ip route add 0.0.0.0/1 via $VPN_GATEWAY dev $INTERFACE
ip route add 128.0.0.0/1 via $VPN_GATEWAY dev $INTERFACE
뉴 시크교 다운:
set -x
ORIGINAL_GATEWAY=`ip route show | grep ^default | cut -d ' ' -f 2-5`
ip route del $REMOTEADDRESS $ORIGINAL_GATEWAY
ip route del $VPN_GATEWAY dev $INTERFACE
ip route del 0.0.0.0/1 dev $INTERFACE
ip route del 128.0.0.0/1 dev $INTERFACE
ip link set dev $INTERFACE down
이제 스크립트는 IP 경로에 대한 구문 오류를 발생시키며 물론 아무 일도 일어나지 않습니다. 일부 경로를 사용해 보았고 일부 변수를 명시적으로 정의해 보았으며 심지어 셸에서 단계별로 실행해 보았지만 아무 것도 작동하지 않는 것 같습니다. 호스트는 항상 액세스할 수 없습니다.
내가 여기서 뭘 잘못하고 있는 걸까?
감사해요
편집 2: 다음은 set-x 옵션을 포함한 의견의 제안과 함께 작동 중인 새로운 Tinc-up/Down 파일입니다. 위에 표시된 Tinc-down 스크립트는 Tinc-up 스크립트를 먼저 실행한 다음 프로세스를 종료하여 시작됩니다.
:~ » sudo tincd -n alpha -D -d3
tincd 1.0.31 starting, debug level 3
/dev/net/tun is a Linux tun/tap device (tun mode)
Executing script tinc-up
+ ip link set dev alpha up
+ VPN_GATEWAY=10.0.0.0
++ ip route show
++ cut -d ' ' -f 2-5
++ grep '^default'
+ ORIGINAL_GATEWAY='via 192.168.0.254 dev enp0s3'
+ ip route add via 192.168.0.254 dev enp0s3
Usage: ip route { list | flush } SELECTOR
ip route save SELECTOR
ip route restore
ip route showdump
ip route get ADDRESS [ from ADDRESS iif STRING ]
[ oif STRING ] [ tos TOS ]
[ mark NUMBER ] [ vrf NAME ]
[ uid NUMBER ]
ip route { add | del | change | append | replace } ROUTE
SELECTOR := [ root PREFIX ] [ match PREFIX ] [ exact PREFIX ]
[ table TABLE_ID ] [ vrf NAME ] [ proto RTPROTO ]
[ type TYPE ] [ scope SCOPE ]
ROUTE := NODE_SPEC [ INFO_SPEC ]
NODE_SPEC := [ TYPE ] PREFIX [ tos TOS ]
[ table TABLE_ID ] [ proto RTPROTO ]
[ scope SCOPE ] [ metric METRIC ]
INFO_SPEC := NH OPTIONS FLAGS [ nexthop NH ]...
NH := [ encap ENCAPTYPE ENCAPHDR ] [ via [ FAMILY ] ADDRESS ]
[ dev STRING ] [ weight NUMBER ] NHFLAGS
FAMILY := [ inet | inet6 | ipx | dnet | mpls | bridge | link ]
OPTIONS := FLAGS [ mtu NUMBER ] [ advmss NUMBER ] [ as [ to ] ADDRESS ]
[ rtt TIME ] [ rttvar TIME ] [ reordering NUMBER ]
[ window NUMBER ] [ cwnd NUMBER ] [ initcwnd NUMBER ]
[ ssthresh NUMBER ] [ realms REALM ] [ src ADDRESS ]
[ rto_min TIME ] [ hoplimit NUMBER ] [ initrwnd NUMBER ]
[ features FEATURES ] [ quickack BOOL ] [ congctl NAME ]
[ pref PREF ] [ expires TIME ]
TYPE := { unicast | local | broadcast | multicast | throw |
unreachable | prohibit | blackhole | nat }
TABLE_ID := [ local | main | default | all | NUMBER ]
SCOPE := [ host | link | global | NUMBER ]
NHFLAGS := [ onlink | pervasive ]
RTPROTO := [ kernel | boot | static | NUMBER ]
PREF := [ low | medium | high ]
TIME := NUMBER[s|ms]
BOOL := [1|0]
FEATURES := ecn
ENCAPTYPE := [ mpls | ip | ip6 ]
ENCAPHDR := [ MPLSLABEL ]
+ ip route add 10.0.0.0 dev alpha
+ ip route add 0.0.0.0/1 via 10.0.0.0 dev alpha
+ ip route add 128.0.0.0/1 via 10.0.0.0 dev alpha
Listening on 0.0.0.0 port 655
Ready
Trying to connect to alpha (74.78.156.164 port 655)
Error while connecting to alpha (74.78.156.164 port 655): Network is unreachable
Could not set up a meta connection to alpha
Trying to re-establish outgoing connection in 5 seconds
Purging unreachable nodes
Trying to connect to alpha (74.78.156.164 port 655)
Error while connecting to alpha (74.78.156.164 port 655): Network is unreachable
Could not set up a meta connection to alpha
Trying to re-establish outgoing connection in 10 seconds
Purging unreachable nodes
Got TERM signal
Statistics for Linux tun/tap device (tun mode) /dev/net/tun:
total bytes in: 346
total bytes out: 306
Closing connection with charlie (MYSELF)
Executing script tinc-down
++ cut -d ' ' -f 2-5
++ grep '^default'
++ ip route show
+ ORIGINAL_GATEWAY='via 192.168.0.254 dev enp0s3'
+ ip route del via 192.168.0.254 dev enp0s3
Usage: ip route { list | flush } SELECTOR
ip route save SELECTOR
ip route restore
ip route showdump
ip route get ADDRESS [ from ADDRESS iif STRING ]
[ oif STRING ] [ tos TOS ]
[ mark NUMBER ] [ vrf NAME ]
[ uid NUMBER ]
ip route { add | del | change | append | replace } ROUTE
SELECTOR := [ root PREFIX ] [ match PREFIX ] [ exact PREFIX ]
[ table TABLE_ID ] [ vrf NAME ] [ proto RTPROTO ]
[ type TYPE ] [ scope SCOPE ]
ROUTE := NODE_SPEC [ INFO_SPEC ]
NODE_SPEC := [ TYPE ] PREFIX [ tos TOS ]
[ table TABLE_ID ] [ proto RTPROTO ]
[ scope SCOPE ] [ metric METRIC ]
INFO_SPEC := NH OPTIONS FLAGS [ nexthop NH ]...
NH := [ encap ENCAPTYPE ENCAPHDR ] [ via [ FAMILY ] ADDRESS ]
[ dev STRING ] [ weight NUMBER ] NHFLAGS
FAMILY := [ inet | inet6 | ipx | dnet | mpls | bridge | link ]
OPTIONS := FLAGS [ mtu NUMBER ] [ advmss NUMBER ] [ as [ to ] ADDRESS ]
[ rtt TIME ] [ rttvar TIME ] [ reordering NUMBER ]
[ window NUMBER ] [ cwnd NUMBER ] [ initcwnd NUMBER ]
[ ssthresh NUMBER ] [ realms REALM ] [ src ADDRESS ]
[ rto_min TIME ] [ hoplimit NUMBER ] [ initrwnd NUMBER ]
[ features FEATURES ] [ quickack BOOL ] [ congctl NAME ]
[ pref PREF ] [ expires TIME ]
TYPE := { unicast | local | broadcast | multicast | throw |
unreachable | prohibit | blackhole | nat }
TABLE_ID := [ local | main | default | all | NUMBER ]
SCOPE := [ host | link | global | NUMBER ]
NHFLAGS := [ onlink | pervasive ]
RTPROTO := [ kernel | boot | static | NUMBER ]
PREF := [ low | medium | high ]
TIME := NUMBER[s|ms]
BOOL := [1|0]
FEATURES := ecn
ENCAPTYPE := [ mpls | ip | ip6 ]
ENCAPHDR := [ MPLSLABEL ]
+ ip route del dev alpha
Usage: ip route { list | flush } SELECTOR
ip route save SELECTOR
ip route restore
ip route showdump
ip route get ADDRESS [ from ADDRESS iif STRING ]
[ oif STRING ] [ tos TOS ]
[ mark NUMBER ] [ vrf NAME ]
[ uid NUMBER ]
ip route { add | del | change | append | replace } ROUTE
SELECTOR := [ root PREFIX ] [ match PREFIX ] [ exact PREFIX ]
[ table TABLE_ID ] [ vrf NAME ] [ proto RTPROTO ]
[ type TYPE ] [ scope SCOPE ]
ROUTE := NODE_SPEC [ INFO_SPEC ]
NODE_SPEC := [ TYPE ] PREFIX [ tos TOS ]
[ table TABLE_ID ] [ proto RTPROTO ]
[ scope SCOPE ] [ metric METRIC ]
INFO_SPEC := NH OPTIONS FLAGS [ nexthop NH ]...
NH := [ encap ENCAPTYPE ENCAPHDR ] [ via [ FAMILY ] ADDRESS ]
[ dev STRING ] [ weight NUMBER ] NHFLAGS
FAMILY := [ inet | inet6 | ipx | dnet | mpls | bridge | link ]
OPTIONS := FLAGS [ mtu NUMBER ] [ advmss NUMBER ] [ as [ to ] ADDRESS ]
[ rtt TIME ] [ rttvar TIME ] [ reordering NUMBER ]
[ window NUMBER ] [ cwnd NUMBER ] [ initcwnd NUMBER ]
[ ssthresh NUMBER ] [ realms REALM ] [ src ADDRESS ]
[ rto_min TIME ] [ hoplimit NUMBER ] [ initrwnd NUMBER ]
[ features FEATURES ] [ quickack BOOL ] [ congctl NAME ]
[ pref PREF ] [ expires TIME ]
TYPE := { unicast | local | broadcast | multicast | throw |
unreachable | prohibit | blackhole | nat }
TABLE_ID := [ local | main | default | all | NUMBER ]
SCOPE := [ host | link | global | NUMBER ]
NHFLAGS := [ onlink | pervasive ]
RTPROTO := [ kernel | boot | static | NUMBER ]
PREF := [ low | medium | high ]
TIME := NUMBER[s|ms]
BOOL := [1|0]
FEATURES := ecn
ENCAPTYPE := [ mpls | ip | ip6 ]
ENCAPHDR := [ MPLSLABEL ]
+ ip route del 0.0.0.0/1 dev alpha
+ ip route del 128.0.0.0/1 dev alpha
+ ip link set dev alpha down
Terminating
편집 3:
다음과 같은 변경 사항을 찾았습니다.
ORIGINAL_GATEWAY=`ip route show | grep ^default | cut -d ' ' -f 3-5`
192.168.0.254 dev enp0s3 제공
이제 내 스크립트는 iproute 구문 오류를 발생시키지 않습니다. 그러나 다음 사항에 대해 불평합니다.
+ ip route add 192.168.0.254 dev enp0s3
RTNETLINK answers: File exists