그래서 내 서버에 분할 터널을 설정해 보았습니다(내 서버는 VPN 클라이언트입니다). VPN 사용자는 VPN 인터페이스(tun0)를 통해서만 인터넷에 액세스할 수 있습니다.
나는 우분투 가이드를 CentOS 8로 "번역"하려고 시도했습니다. 내가 따라온 지침은 다음과 같습니다.힘의 급류그것은에서 영감을 얻었습니다VPN 분할 터널링을 통해 강제 토렌트 트래픽 Debian 8 + Ubuntu 16.04그런 다음 내가 찾은 업데이트를 적용했습니다.Ubuntu 18.04 분할 터널링 가이드.
그 결과 다음과 같은 파일이 생성되었습니다.
코드/스크립트: (아래 결과)
/etc/systemd/system/[email protected]:
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
After=network.target
[Service]
RuntimeDirectory=openvpn
PrivateTmp=true
KillMode=mixed
Type=forking
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
PIDFile=/run/openvpn/%i.pid
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
Restart=on-failure
RestartSec=3
ProtectSystem=yes
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
[Install]
WantedBy=multi-user.target
/etc/openvpn/openvpn.conf:
client
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
dev tun
proto udp
remote pool-1.prd.se.ovpn.com 1194
remote pool-1.prd.se.ovpn.com 1195
remote pool-2.prd.se.ovpn.com 1194
remote pool-2.prd.se.ovpn.com 1195
remote pool-3.prd.se.ovpn.com 1194
remote pool-3.prd.se.ovpn.com 1195
remote pool-4.prd.se.ovpn.com 1194
remote pool-4.prd.se.ovpn.com 1195
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-256-cbc
auth-user-pass /etc/openvpn/credentials
auth-nocache
comp-lzo
route-noexec
remote-cert-tls server
pull
reneg-sec 0
verb 3
mute-replay-warnings
replay-window 256
ca /etc/openvpn/ovpn-ca.crt
tls-auth /etc/openvpn/ovpn-tls.key 1
log /tmp/openvpn.log
script-security 2
up /etc/openvpn/firewllad.sh
up-restart
down /etc/openvpn/scripts/update-systemd-resolved
down-pre
dhcp-option DOMAIN-ROUTE .
/etc/openvpn/firewalld.sh:
#! /bin/bash
export INTERFACE="tun0"
export VPNUSER="vpn"
export LOCALIP="192.168.1.10"
export NETIF="enp1s0"
# Flush alll rules
firewall-cmd --direct --remove-rules ipv4 mangle OUTPUT
firewall-cmd --direct --remove-rules ipv4 mangle INPUT
firewall-cmd --direct --remove-rules ipv4 filter INPUT
firewall-cmd --direct --remove-rules ipv4 filter OUTPUT
firewall-cmd --direct --remove-rules ipv4 nat POSTROUTING
#firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 ! -o lo -m owner --uid-owner vpn -j DROP
# Mark packets from $VPNUSER
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 -j CONNMARK --restore-mark
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
# Added local open ports (since I do not use these services I have not opened these ports)
#firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 --src $LOCALIP -p tcp -m tcp -m multiport --sports 6800,7777 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x0
# Continue marking
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 ! --src $LOCALIP -j MARK --set-mark 0x1
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 -j CONNMARK --save-mark
# Allow responses
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -i $INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Block everything incoming on $INTERFACE to prevent accdiental exposing of ports
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -i $INTERFACE -j REJECT
# Let $VPNUSER access lo and $INTERFACE
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT
# All packets on $INTERFACE needs to be masqueraded
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o $INTERFACE -j MASQUERADE
# Reject connection from predator IP going over $NETIF
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 ! --src $LOCALIP -o $NETIF -j REJECT
#ADD YOUR OWN RULES HERE
# Start routing script
/etc/openvpn/routing.sh
exit 0
/etc/openvpn/routing.sh:
#! /bin/bash
VPNIF="tun0"
VPNUSER="vpn"
GATEWAYIP=$(ip address show $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
ip rule add from all fwmark 0x1 lookup $VPNUSER
fi
ip route replace default via $GATEWAYIP table $VPNUSER
ip route append default via 127.0.0.1 dev lo table $VPNUSER
ip route flush cache
# run update-resolv-conf script to set VPN DNS
/etc/openvpn/scripts/update-systemd-resolved
exit 0
/etc/iproute2/rt_tables:
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
200 vpn
/etc/sysctl.d/9999-vpn.conf:
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.enp1s0.rp_filter = 2
결과:
다음 명령을 사용하여 DNS를 확인하십시오.systemd-resolve --status
Link 9 (tun0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: allow-downgrade
DNSSEC supported: yes
Current DNS Server: 192.165.9.158
DNS Servers: 192.165.9.158
46.227.67.134
DNS Domain: ~.
다음 명령을 사용하여 VPN 공용 IP를 확인하면 sudo -u vpn -i -- curl ipinfo.io다음이 제공됩니다: curl: (6) Could not resolve host: ipinfo.io. 그래도 sudo curl ipinfo.io --interface tun0잘 작동합니다 . ping www.google.seVPN 사용자로서 문제도 있지만 도메인의 IP를 사용하면 제대로 작동합니다.
답변1
문제는 systemd-resolvedCentOS 8이 서비스가 실행 중임에도 DNS를 설정하지 않는다는 것입니다. systemd-resolved스크립트를 사용하여 DNS를 설정 하려면 다음 섹션에서 편집하고 설정 update-systemd-resolved해야 합니다 ./etc/NetworkManager/NetworkManager.conf[main]dns=systemd-resolved
이 주제에 대한 추가 정보:33장. 서로 다른 도메인에 서로 다른 DNS 서버 사용하기.