Need help with VPN connections, setting up tun0 and tun1

I am using this script: https://github.com/loeken/CascadingOpenvpnConnect

It creates a tun0 instance, a tun1 instance, and more if you want. I'm having trouble routing the traffic.

When I run the first command, sudo openvpn --config eu.fr1.cdn.internetz.me.ovpn --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec (example)

I can connect through the VPN correctly.

But when I run the second command, sudo openvpn --config eu.fr4.cdn.internetz.me.ovpn --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec --setenv hopid 2 --setenv prevgw 10.9.1.1 (example)

I don't know what to do next. The second command runs successfully, but my IP address is still listed as the first VPN (tun0). So how do I include tun1 here?

Thanks for your help.

----- Edit/Update

This is my default routing table.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    100    0        0 enp0s3
10.0.2.0        0.0.0.0         255.255.255.0   U     100    0        0 enp0s3

This is the first command I run. It seems to succeed.

sudo openvpn --config client-east.ovpn --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec
Thu Jul 21 19:29:55 2022 OpenVPN 2.4.4 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Thu Jul 21 19:29:55 2022 library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.08
Enter Auth Username: openvpn
Enter Auth Password: ***
Thu Jul 21 19:29:59 2022 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Thu Jul 21 19:29:59 2022 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jul 21 19:29:59 2022 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 21 19:29:59 2022 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 21 19:29:59 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]3.228.10.177:1194
Thu Jul 21 19:29:59 2022 Socket Buffers: R=[180224->180224] S=[180224->180224]
Thu Jul 21 19:29:59 2022 UDP link local: (not bound)
Thu Jul 21 19:29:59 2022 UDP link remote: [AF_INET]3.228.10.177:1194
Thu Jul 21 19:29:59 2022 TLS: Initial packet from [AF_INET]3.228.10.177:1194, sid=e06d136c ef7fcba7
Thu Jul 21 19:29:59 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Jul 21 19:29:59 2022 VERIFY OK: depth=1, CN=OpenVPN CA
Thu Jul 21 19:29:59 2022 VERIFY OK: nsCertType=SERVER
Thu Jul 21 19:29:59 2022 VERIFY OK: depth=0, CN=OpenVPN Server
Thu Jul 21 19:30:00 2022 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Thu Jul 21 19:30:00 2022 [OpenVPN Server] Peer Connection Initiated with [AF_INET]3.228.10.177:1194
Thu Jul 21 19:30:01 2022 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Thu Jul 21 19:30:01 2022 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,compress stub-v2,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 172.27.232.1,dhcp-option DNS 172.31.0.2,register-dns,block-ipv6,ifconfig 172.27.232.27 255.255.248.0,peer-id 0,auth-tokenSESS_ID,cipher AES-256-GCM'
Thu Jul 21 19:30:01 2022 Option 'explicit-exit-notify' in [PUSH-OPTIONS]:1 is ignored by previous <connection> blocks 
Thu Jul 21 19:30:01 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.4.4)
Thu Jul 21 19:30:01 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.4.4)
Thu Jul 21 19:30:01 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.4.4)
Thu Jul 21 19:30:01 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:16: register-dns (2.4.4)
Thu Jul 21 19:30:01 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:17: block-ipv6 (2.4.4)
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: explicit notify parm(s) modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: compression parms modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: route options modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: route-related options modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: peer-id set
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: adjusting link_mtu to 1625
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: data channel crypto options modified
Thu Jul 21 19:30:01 2022 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Jul 21 19:30:01 2022 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jul 21 19:30:01 2022 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jul 21 19:30:01 2022 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:cb:a6:e2
Thu Jul 21 19:30:01 2022 TUN/TAP device tun0 opened
Thu Jul 21 19:30:01 2022 TUN/TAP TX queue length set to 100
Thu Jul 21 19:30:01 2022 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Jul 21 19:30:01 2022 /sbin/ip link set dev tun0 up mtu 1500
Thu Jul 21 19:30:02 2022 /sbin/ip addr add dev tun0 172.27.232.27/21 broadcast 172.27.239.255
Thu Jul 21 19:30:02 2022 updown.sh tun0 1500 1553 172.27.232.27 255.255.248.0 init
## updown.sh: STARTED
## updown.sh: hop id:                (default: 1)
## updown.sh: gateway of last hop:   (default: local gateway)
## updown.sh: local gateway:           10.0.2.2
## updown.sh: VPN: local IP address:   172.27.232.27
## updown.sh: VPN: local netmask:      255.255.248.0
## updown.sh: VPN: local gateway:      172.27.232.1
## updown.sh: VPN: vpn IP address:     3.228.10.177
## updown.sh: Notice: You didn't set 'hopid'. Assuming this to be the first hop (hopid=1).
## updown.sh: Notice: You didn't set the previous gateway. The gateway of your local network ('10.0.2.2') will be used.
## updown.sh: executing: '/sbin/ip route add 3.228.10.177 via 10.0.2.2'
## updown.sh: executing: '/sbin/ip route add 0.0.0.0/1 via 172.27.232.1'
## updown.sh: executing: '/sbin/ip route add 128.0.0.0/1 via 172.27.232.1'
## updown.sh: HINT: For the next hop, start openvpn with the following options:
## updown.sh: HINT: openvpn --config <config.ovpn> --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec --setenv hopid 2 --setenv prevgw 172.27.232.1
## updown.sh: FINISHED
Thu Jul 21 19:30:07 2022 Initialization Sequence Completed

If I change DNS to 8.8.8.8, traffic goes through the VPN.

This is what my routing table looks like after running the first command.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.27.232.1    128.0.0.0       UG    0      0        0 tun0
default         10.0.2.2        0.0.0.0         UG    100    0        0 enp0s3
3.228.10.177    10.0.2.2        255.255.255.255 UGH   0      0        0 enp0s3
10.0.2.0        0.0.0.0         255.255.255.0   U     100    0        0 enp0s3
128.0.0.0       172.27.232.1    128.0.0.0       UG    0      0        0 tun0
172.27.232.0    0.0.0.0         255.255.248.0   U     0      0        0 tun0

This is my second command. It also seems to succeed.

sudo openvpn --config client-west.ovpn --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec --setenv hopid 2 --setenv prevgw 172.27.232.1
Thu Jul 21 19:34:30 2022 OpenVPN 2.4.4 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Thu Jul 21 19:34:30 2022 library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.08
Enter Auth Username: openvpn
Enter Auth Password: ***
Thu Jul 21 19:34:34 2022 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Thu Jul 21 19:34:34 2022 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jul 21 19:34:34 2022 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 21 19:34:34 2022 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 21 19:34:34 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]52.53.125.237:1194
Thu Jul 21 19:34:34 2022 Socket Buffers: R=[180224->180224] S=[180224->180224]
Thu Jul 21 19:34:34 2022 UDP link local: (not bound)
Thu Jul 21 19:34:34 2022 UDP link remote: [AF_INET]52.53.125.237:1194
Thu Jul 21 19:34:34 2022 TLS: Initial packet from [AF_INET]52.53.125.237:1194, sid=0ca1cb6e b7f72f45
Thu Jul 21 19:34:34 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Jul 21 19:34:34 2022 VERIFY OK: depth=1, CN=OpenVPN CA
Thu Jul 21 19:34:34 2022 VERIFY OK: nsCertType=SERVER
Thu Jul 21 19:34:34 2022 VERIFY OK: depth=0, CN=OpenVPN Server
Thu Jul 21 19:34:34 2022 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Thu Jul 21 19:34:34 2022 [OpenVPN Server] Peer Connection Initiated with [AF_INET]52.53.125.237:1194
Thu Jul 21 19:34:35 2022 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Thu Jul 21 19:34:36 2022 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,compress stub-v2,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 172.27.232.1,dhcp-option DNS 172.31.0.2,register-dns,block-ipv6,ifconfig 172.27.232.28 255.255.248.0,peer-id 0,auth-tokenSESS_ID,cipher AES-256-GCM'
Thu Jul 21 19:34:36 2022 Option 'explicit-exit-notify' in [PUSH-OPTIONS]:1 is ignored by previous <connection> blocks 
Thu Jul 21 19:34:36 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.4.4)
Thu Jul 21 19:34:36 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.4.4)
Thu Jul 21 19:34:36 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.4.4)
Thu Jul 21 19:34:36 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:16: register-dns (2.4.4)
Thu Jul 21 19:34:36 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:17: block-ipv6 (2.4.4)
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: explicit notify parm(s) modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: compression parms modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: route options modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: route-related options modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: peer-id set
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: adjusting link_mtu to 1625
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: data channel crypto options modified
Thu Jul 21 19:34:36 2022 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Jul 21 19:34:36 2022 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jul 21 19:34:36 2022 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jul 21 19:34:36 2022 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:cb:a6:e2
Thu Jul 21 19:34:36 2022 TUN/TAP device tun1 opened
Thu Jul 21 19:34:36 2022 TUN/TAP TX queue length set to 100
Thu Jul 21 19:34:36 2022 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Jul 21 19:34:36 2022 /sbin/ip link set dev tun1 up mtu 1500
Thu Jul 21 19:34:36 2022 /sbin/ip addr add dev tun1 172.27.232.28/21 broadcast 172.27.239.255
Thu Jul 21 19:34:36 2022 updown.sh tun1 1500 1553 172.27.232.28 255.255.248.0 init
## updown.sh: STARTED
## updown.sh: hop id:               2 (default: 1)
## updown.sh: gateway of last hop:  172.27.232.1 (default: local gateway)
## updown.sh: local gateway:           10.0.2.2
## updown.sh: VPN: local IP address:   172.27.232.28
## updown.sh: VPN: local netmask:      255.255.248.0
## updown.sh: VPN: local gateway:      172.27.232.1
## updown.sh: VPN: vpn IP address:     52.53.125.237
## updown.sh: executing: '/sbin/ip route add 52.53.125.237 via 172.27.232.1'
## updown.sh: executing: '/sbin/ip route add 0.0.0.0/2 via 172.27.232.1'
## updown.sh: executing: '/sbin/ip route add 64.0.0.0/2 via 172.27.232.1'
## updown.sh: executing: '/sbin/ip route add 128.0.0.0/2 via 172.27.232.1'
## updown.sh: executing: '/sbin/ip route add 192.0.0.0/2 via 172.27.232.1'
## updown.sh: HINT: For the next hop, start openvpn with the following options:
## updown.sh: HINT: openvpn --config <config.ovpn> --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec --setenv hopid 3 --setenv prevgw 172.27.232.1
## updown.sh: FINISHED
Thu Jul 21 19:34:41 2022 Initialization Sequence Completed

Routing table after running the second command.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.27.232.1    192.0.0.0       UG    0      0        0 tun0
0.0.0.0         172.27.232.1    128.0.0.0       UG    0      0        0 tun0
default         10.0.2.2        0.0.0.0         UG    100    0        0 enp0s3
ec2-3-228-10-17 10.0.2.2        255.255.255.255 UGH   0      0        0 enp0s3
10.0.2.0        0.0.0.0         255.255.255.0   U     100    0        0 enp0s3
ec2-52-53-125-2 172.27.232.1    255.255.255.255 UGH   0      0        0 tun0
64.0.0.0        172.27.232.1    192.0.0.0       UG    0      0        0 tun0
128.0.0.0       172.27.232.1    192.0.0.0       UG    0      0        0 tun0
128.0.0.0       172.27.232.1    128.0.0.0       UG    0      0        0 tun0
172.27.232.0    0.0.0.0         255.255.248.0   U     0      0        0 tun0
172.27.232.0    0.0.0.0         255.255.248.0   U     0      0        0 tun1
192.0.0.0       172.27.232.1    192.0.0.0       UG    0      0        0 tun0

When I run tcpdump, there is traffic on tun0 (the first VPN) but no traffic at all on tun1 (the second VPN).

I'm confused. I don't know what to do next.

Answer 1

You create tun0 first, then tun1, and want regular traffic routed directly into tun1.

                        ------        ------        --------
"regular traffic"  ->  | tun1 |  ->  | tun0 |  ->  | enp0s3 |
                        ------        ------        --------

The VPN-internal gateway IP address (172.27.232.1) is the same for tun0 and tun1. I don't know whether the script (updown.sh) can handle this. I don't know whether VPN connections can be chained on the same machine while using the same VPN-internal gateway address. But I have a few ideas.

Idea 1

Is tun1 created through tun0? If not, adjusting the routing table afterwards (after both tunnels have been created) may not help. Once tun0 is up, use tcpdump to check whether creating tun1 sets up a new connection on enp0s3 or whether it is tunneled through tun0.

Idea 2

After both VPN connections are established, create a specific routing table entry for 8.8.8.8 via 172.27.232.1 dev tun1. Send a request to that DNS server and check whether it is routed through the chain.

Idea 3

For tun1 there is only one entry in the routing table.

172.27.232.0    0.0.0.0         255.255.248.0   U     0      0        0 tun1

The destination is the VPN's network address, which includes the gateway address. This entry alone is not enough to route "regular traffic" to tun1.

The other tun* rules are attached to tun0.

0.0.0.0         172.27.232.1    192.0.0.0       UG    0      0        0 tun0
0.0.0.0         172.27.232.1    128.0.0.0       UG    0      0        0 tun0

64.0.0.0        172.27.232.1    192.0.0.0       UG    0      0        0 tun0
128.0.0.0       172.27.232.1    192.0.0.0       UG    0      0        0 tun0
128.0.0.0       172.27.232.1    128.0.0.0       UG    0      0        0 tun0
192.0.0.0       172.27.232.1    192.0.0.0       UG    0      0        0 tun0

I would delete these rules and write new rules for tun1. Probably one rule is enough: 0.0.0.0 via 172.27.232.1 dev tun1. I don't know whether this will work, but I would try it.
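As an added illustration (not part of the question, the answer, or the linked script), here is a small Python route lookup over the table pasted in the question. It shows that every /2 route lands on tun0, that the shared gateway 172.27.232.1 is directly reachable over both tun devices (so a route "via 172.27.232.1" without a device is ambiguous), and what changes once those routes are pinned to tun1, which is what the `dev tun1` in Idea 3 does. The table is a constructed copy of the one above; "default" and the two ec2-* hostnames are written as the numeric addresses the logs show.

```python
import ipaddress

# Constructed copy of the question's routing table after the second hop
# (route -n columns: destination, gateway, genmask, flags, metric, ref,
# use, iface). "default" and the ec2-* hostnames are written as IPs.
ROUTES_AFTER_HOP2 = """\
0.0.0.0         172.27.232.1    192.0.0.0       UG    0      0        0 tun0
0.0.0.0         172.27.232.1    128.0.0.0       UG    0      0        0 tun0
0.0.0.0         10.0.2.2        0.0.0.0         UG    100    0        0 enp0s3
3.228.10.177    10.0.2.2        255.255.255.255 UGH   0      0        0 enp0s3
10.0.2.0        0.0.0.0         255.255.255.0   U     100    0        0 enp0s3
52.53.125.237   172.27.232.1    255.255.255.255 UGH   0      0        0 tun0
64.0.0.0        172.27.232.1    192.0.0.0       UG    0      0        0 tun0
128.0.0.0       172.27.232.1    192.0.0.0       UG    0      0        0 tun0
128.0.0.0       172.27.232.1    128.0.0.0       UG    0      0        0 tun0
172.27.232.0    0.0.0.0         255.255.248.0   U     0      0        0 tun0
172.27.232.0    0.0.0.0         255.255.248.0   U     0      0        0 tun1
192.0.0.0       172.27.232.1    192.0.0.0       UG    0      0        0 tun0
"""


def parse_routes(text):
    """Return a list of (network, gateway, iface) tuples from route -n output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue  # skip header / blank lines
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        routes.append((net, f[1], f[7]))
    return routes


def egress_iface(routes, ip):
    """Longest-prefix match, as the kernel does; returns the exit interface."""
    addr = ipaddress.ip_address(ip)
    best = max((r for r in routes if addr in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return best[2] if best else None


def ifaces_reaching(routes, gateway):
    """Directly connected interfaces (gateway 0.0.0.0) whose subnet holds the address."""
    gw = ipaddress.ip_address(gateway)
    return sorted({i for net, g, i in routes if g == "0.0.0.0" and gw in net})


def pin_routes(routes, prefixlen, iface):
    """Model 'ip route add ... dev <iface>': reattach every /prefixlen route to iface."""
    return [(n, g, iface if n.prefixlen == prefixlen else i) for n, g, i in routes]
```

With the unmodified table, 8.8.8.8 and the second VPN endpoint 52.53.125.237 both exit on tun0; after pinning the /2 routes to tun1, 8.8.8.8 exits on tun1 while the endpoint of the second hop still goes through tun0, which is the chain the diagram above describes.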
