新用户连接和带宽调整连接时自动调用脚本

我希望这很容易

当我以root用户的身份从命令行运行它时,以下脚本名为up.sh作品非常完美。

然而,每当新用户连接到OpenVPN,通过tc(qdisc)为每个新用户(用户1,用户2,用户3无限)个别地限制带宽,延迟等,我不希望手动调用这个脚本,每次有新用户连接到OpenVPN时,新用户连接时都可以单独调整新用户的带宽,延迟等,而不会影响当前用户的带宽,延迟等(可能是100或者1000的)

我尝试将脚本移动到以下文件夹/etc/network/if-up.d以便在新用户连接到OpenVPN时执行该脚本,但由于某种原因脚本不会被调用(它不会对qdisc进行更改),但它是完全相同的脚本,并从命令行执行它时,完美的作品。

我也尝试将脚本重命名为learn-address.sh ,并将其放在以下文件夹/etc/openvpn/netem/learn-address.sh以在OpenVPN学习到新地址时自动调用,但这也不起作用

我也更新了server.conf文件来读取,如下所示

脚本安全3

学习地址/etc/openvpn/netem/learn-address.sh

脚本安全3

up /etc/network/if-up.d/up.sh

但它也没有工作

最后,我也尝试更新/etc/sudoers.tmp文件给予脚本的权限,这似乎也没有帮助(请参阅post的末尾)

我正在运行Ubuntu 14.04

非常感谢您的帮助

下面是从命令行调用up.sh的脚本:

 #!/bin/bash # Full path to tc binary TC=$(which tc) # # NETWORK CONFIGURATION # interface - name of your interface device # interface_speed - speed in mbit of your $interface # ip - IP address of your server, change this if you don't want to use # the default catch all filters. # interface=eth0 interface_speed=100mbit ip=4.1.2.3 # The IP address bound to the interface # Define the upload and download speed limit, follow units can be # passed as a parameter: # kbps: Kilobytes per second # mbps: Megabytes per second # kbit: kilobits per second # mbit: megabits per second # bps: Bytes per second download_limit=512kbit upload_limit=10mbit # Filter options for limiting the intended interface. FILTER="$TC filter add dev $interface protocol ip parent 1: prio 1 u32" # # This function starts the TC rules and limits the upload and download speed # per already configured earlier. # function start_tc { tc qdisc show dev $interface | grep -q "qdisc pfifo_fast 0" [ "$?" -gt "0" ] && tc qdisc del dev $interface root; sleep 1 # start the tc configuration $TC qdisc add dev $interface root handle 1: htb default 30 $TC class add dev $interface parent 1: classid 1:1 htb rate $interface_speed burst 15k $TC class add dev $interface parent 1:1 classid 1:10 htb rate $download_limit burst 15k $TC class add dev $interface parent 1:1 classid 1:20 htb rate $upload_limit burst 15k $TC qdisc add dev $interface parent 1:10 handle 10: sfq perturb 10 $TC qdisc add dev $interface parent 1:20 handle 20: sfq perturb 10 # Apply the filter rules # Catch-all IP rules, which will set global limit on the server # for all IP addresses on the server. $FILTER match ip dst 0.0.0.0/0 flowid 1:10 $FILTER match ip src 0.0.0.0/0 flowid 1:20 # If you want to limit the upload/download limit based on specific IP address # you can comment the above catch-all filter and uncomment these: # # $FILTER match ip dst $ip/32 flowid 1:10 # $FILTER match ip src $ip/32 flowid 1:20 } # # Removes the network speed limiting and restores the default TC configuration # function stop_tc { tc qdisc show dev $interface | grep -q "qdisc pfifo_fast 0" [ "$?" -gt "0" ] && tc qdisc del dev $interface root } function show_status { $TC -s qdisc ls dev $interface } # # Display help # function display_help { echo "Usage: tc [OPTION]" echo -e "\tstart - Apply the tc limit" echo -e "\tstop - Remove the tc limit" echo -e "\tstatus - Show status" } # Start if [ -z "$1" ]; then display_help elif [ "$1" == "start" ]; then start_tc elif [ "$1" == "stop" ]; then stop_tc elif [ "$1" == "status" ]; then show_status fi 

以下是我也更新的文件:

/etc/sudoers.tmp

 # # This file MUST be edited with the 'visudo' command as root. # # Please consider adding local content in /etc/sudoers.d/ instead of # directly modifying this file. # # See the man page for details on how to write a sudoers file. # Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" # Host alias specification # User alias specification # Cmnd alias specification # User privilege specification root ALL=(ALL:ALL) ALL #nobody ALL=(ALL) NOPASSWD: /usr/lib/tc nobody ALL=(ALL) NOPASSWD: /usr/lib/tc www-data ALL=NOPASSWD: /user/lib/tc root ALL=NOPASSWD: /user/lib/tc root ALL=(ALL:ALL) ALL nobody ALL=(ALL) NOPASSWD nobody ALL=(ALL) NOPASSWD: /etc/openvpn/netem/learn-address.sh root ALL=(ALL) NOPASSWD: /etc/openvpn/netem/learn-address.sh www-data ALL=(ALL) NOPASSWD: /etc/openvpn/netem/learn-address.sh nobody ALL=(ALL) NOPASSWD: /etc/openvpn/netem/up.sh www-data ALL=(ALL) NOPASSWD: /etc/openvpn/netem/up.sh root ALL=(ALL) NOPASSWD: /etc/openvpn/netem/up.sh nobody ALL=(ALL) NOPASSWD: /etc/network/if-up.d/up.sh www-data ALL=(ALL) NOPASSWD: /etc/network/if-up.d/up.sh root ALL=(ALL) NOPASSWD: /etc/network/if-up.d/up.sh # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL # See sudoers(5) for more information on "#include" directives: #includedir /etc/sudoers.d 

这里是server.conf

 port 1194 proto udp dev tun sndbuf 0 rcvbuf 0 ca ca.crt cert server.crt key server.key dh dh.pem tls-auth ta.key 0 topology subnet server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" keepalive 10 120 cipher AES-128-CBC comp-lzo #user nobody #user openvpn #group nogroup persist-key persist-tun status openvpn-status.log verb 3 crl-verify crl.pem script-security 2 down-pre up /etc/openvpn/tc.sh down /etc/openvpn/tc.sh client-connect /etc/openvpn/tc.sh client-disconnect /etc/openvpn/tc.sh log /var/log/openvpn.log 

OpenVPN每个客户端的stream量控制

要为每个客户端提供一个简单的stream量控制解决scheme,您可以执行以下操作。 此解决scheme仅适用于/24 VPN子网。 在Ubuntu 14.04上testing

OpenVPN服务器示例configuration:

 port 1194 proto udp dev tun topology subnet server 10.8.0.0 255.255.255.0 keepalive 10 60 comp-lzo persist-key persist-tun log /var/log/openvpn.log verb 3 #user openvpn #group nogroup script-security 2 down-pre up /etc/openvpn/tc.sh down /etc/openvpn/tc.sh client-connect /etc/openvpn/tc.sh client-disconnect /etc/openvpn/tc.sh 

stream量控制脚本/etc/openvpn/tc.sh

 #!/bin/bash TC=$(which tc) interface="$dev" interface_speed="100mbit" client_ip="$trusted_ip" client_ip_vpn="$ifconfig_pool_remote_ip" download_limit="512kbit" upload_limit="10mbit" handle=`echo "$client_ip_vpn" | cut -d. -f4` function start_tc { tc qdisc show dev $interface | grep -q "qdisc pfifo_fast 0" [ "$?" -gt "0" ] && tc qdisc del dev $interface root; sleep 1 $TC qdisc add dev $interface root handle 1: htb default 30 $TC class add dev $interface parent 1: classid 1:1 htb rate $interface_speed burst 15k $TC class add dev $interface parent 1:1 classid 1:10 htb rate $download_limit burst 15k $TC class add dev $interface parent 1:1 classid 1:20 htb rate $upload_limit burst 15k $TC qdisc add dev $interface parent 1:10 handle 10: sfq perturb 10 $TC qdisc add dev $interface parent 1:20 handle 20: sfq perturb 10 } function stop_tc { tc qdisc show dev $interface | grep -q "qdisc pfifo_fast 0" [ "$?" -gt "0" ] && tc qdisc del dev $interface root } function filter_add { $TC filter add dev $interface protocol ip handle ::${handle} parent 1: prio 1 u32 match ip ${1} ${2}/32 flowid 1:${3} } function filter_del { $TC filter del dev $interface protocol ip handle 800::${handle} parent 1: prio 1 u32 } function ip_add { filter_add "dst" $client_ip_vpn "10" filter_add "src" $client_ip_vpn "20" } function ip_del { filter_del filter_del } if [ "$script_type" == "up" ]; then start_tc elif [ "$script_type" == "down" ]; then stop_tc elif [ "$script_type" == "client-connect" ]; then ip_add elif [ "$script_type" == "client-disconnect" ]; then ip_del fi 

注意,这是一个非常简单的用于testing目的的脚本,在这个答案中可以find更复杂的OpenVPNstream量控制方法。

使脚本可执行:

 chmod +x /etc/openvpn/tc.sh 

在非特权模式下以root身份运行脚本

如果以非特权模式运行OpenVPN,并且脚本需要以root身份运行,请在服务器configuration中修改以下指令:

 user openvpn group nogroup up "/usr/bin/sudo /etc/openvpn/tc.sh" down "/usr/bin/sudo /etc/openvpn/tc.sh" client-connect "/usr/bin/sudo /etc/openvpn/tc.sh" client-disconnect "/usr/bin/sudo /etc/openvpn/tc.sh" 

添加一个名为openvpn非特权用户:

 useradd -s /usr/sbin/nologin -r -M -d /dev/null openvpn 

用命令visudo编辑/etc/sudoers ,添加下面一行:

 # User privilege specification openvpn ALL=NOPASSWD: /etc/openvpn/tc.sh 

Ctrl + xy保存并退出

使脚本只能由root写入:

 chown root:root /etc/openvpn/tc.sh chmod 700 /etc/openvpn/tc.sh 

请注意,这可能会打开一个安全漏洞,可能与以root身份运行OpenVPN相当。 尽pipe对我来说看起来相当安全,但总是有更好看的人:)

故障排除

该脚本应该以root身份运行,您可以通过tc.sh添加到tc.sh脚本的开头来进行故障排除:

 #!/bin/bash exec >>/tmp/ov.log 2>&1 chmod 666 /tmp/ov.log 2>/dev/null echo date id echo "PATH=$PATH" printenv 

只要服务器第一次启动,您就可以停止日志:

 tail -f /var/log/openvpn.log /tmp/ov.log