NetworkManager does not change /etc/resolv.conf after an openvpn dns push

I have a problem: "after connecting to an openvpn server configured with a dns push, NetworkManager does not update /etc/resolv.conf".

This is my openvpn server configuration (for security reasons I changed the domain to ABC.COM):

    ########################################
    # Sample OpenVPN config file for
    # 2.0-style multi-client udp server
    #
    # Adapted from http://openvpn.sourceforge.net/20notes.html
    #

    # tun-style tunnel

    port 1194
    dev tun

    # Use "local" to set the source address on multi-homed hosts
    #local [IP address]

    # TLS parms
    tls-server
    ca keys/ca.crt
    cert keys/static.crt
    key keys/static.key
    dh keys/dh1024.pem

    proto tcp-server

    # Tell OpenVPN to be a multi-client udp server
    mode server

    # The server's virtual endpoints
    ifconfig 10.8.0.1 10.8.0.2

    # Pool of /30 subnets to be allocated to clients.
    # When a client connects, an --ifconfig command
    # will be automatically generated and pushed back to
    # the client.
    ifconfig-pool 10.8.0.4 10.8.0.255

    # Push route to client to bind it to our local
    # virtual endpoint.
    push "route 10.8.0.1 255.255.255.255"
    push "dhcp-option DNS 10.8.0.1"

    # Push any routes the client needs to get in
    # to the local network.
    #push "route 192.168.0.0 255.255.255.0"

    # Push DHCP options to Windows clients.
    push "dhcp-option DOMAIN ABC.COM"
    #push "dhcp-option DNS 192.168.0.1"
    #push "dhcp-option WINS 192.168.0.1"

    # Client should attempt reconnection on link
    # failure.
    keepalive 10 60

    # Delete client instances after some period
    # of inactivity.
    inactive 600

    # Route the --ifconfig pool range into the
    # OpenVPN server.
    route 10.8.0.0 255.255.255.0

    # The server doesn't need privileges
    user openvpn
    group openvpn

    # Keep TUN devices and keys open across restarts.
    persist-tun
    persist-key

    verb 4

As you can see, it is the basic sample configuration with very few adjustments.

Now..

On my machine (the openvpn client), I can see that DNS is fine:

    {17:12}/etc/NetworkManager ➭ nslookup git.ABC.COM 10.8.0.1
    Server:         10.8.0.1
    Address:        10.8.0.1#53

    Name:   git.ABC.COM
    Address: 10.8.0.1

    {17:18}/etc/NetworkManager ➭ nslookup ABC.COM 10.8.0.1
    Server:         10.8.0.1
    Address:        10.8.0.1#53

    Name:   ABC.COM
    Address: 18X.XX.XX.71

The server-side openvpn log says (if I understand it correctly) that the DNS has been pushed:

    openvpn[13257]: TCPv4_SERVER link remote: [AF_INET]83.30.135.214:37658
    openvpn[13257]: 83.30.135.214:37658 TLS: Initial packet from [AF_INET]83.30.135.214:37658, sid=3251df51 915772f3
    openvpn[13257]: 83.30.135.214:37658 VERIFY OK: depth=1, C=XX, ST=XX, L=XXX, O=XXX, OU=XXX, CN=XXX, name=XXX, [email protected]
    openvpn[13257]: 83.30.135.214:37658 VERIFY OK: depth=0, C=XX, ST=XX, L=XXX, O=XXX, OU=XXX, CN=XXX, name=XXX, [email protected]
    openvpn[13257]: 83.30.135.214:37658 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    openvpn[13257]: 83.30.135.214:37658 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    openvpn[13257]: 83.30.135.214:37658 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    openvpn[13257]: 83.30.135.214:37658 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    openvpn[13257]: 83.30.135.214:37658 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    openvpn[13257]: 83.30.135.214:37658 [jacek] Peer Connection Initiated with [AF_INET]83.30.135.214:37658
    openvpn[13257]: jacek/83.30.135.214:37658 MULTI_sva: pool returned IPv4=10.8.0.10, IPv6=(Not enabled)
    openvpn[13257]: jacek/83.30.135.214:37658 MULTI: Learn: 10.8.0.10 -> jacek/83.30.135.214:37658
    openvpn[13257]: jacek/83.30.135.214:37658 MULTI: primary virtual IP for jacek/83.30.135.214:37658: 10.8.0.10
    openvpn[13257]: jacek/83.30.135.214:37658 PUSH: Received control message: 'PUSH_REQUEST'
    openvpn[13257]: jacek/83.30.135.214:37658 send_push_reply(): safe_cap=940
    openvpn[13257]: jacek/83.30.135.214:37658 SENT CONTROL [jacek]: 'PUSH_REPLY,route 10.8.0.1 255.255.255.255,dhcp-option DNS 10.8.0.1,dhcp-option DOMAIN ABC.COM,ping 10,ping-restart 60,ifconfig 10.8.0.10 10.8.0.9' (status=1)

The openvpn log on my side:

    Aug 05 17:13:55 localhost.localdomain openvpn[1198]: TCPv4_CLIENT link remote: [AF_INET]XXX.XX.37.71:1194
    Aug 05 17:13:55 localhost.localdomain openvpn[1198]: TLS: Initial packet from [AF_INET]XXX.XX.37.71:1194, sid=89cc981c d57dd826
    Aug 05 17:13:56 localhost.localdomain openvpn[1198]: VERIFY OK: depth=1, C=XX, ST=XX, L=XXX, O=XXX, OU=XXX, CN=XXX, name=XXX, [email protected]
    Aug 05 17:13:56 localhost.localdomain openvpn[1198]: VERIFY OK: depth=0, C=XX, ST=XX, L=XXX, O=XXX, OU=XXX, CN=XXX, name=XXX, [email protected]
    Aug 05 17:13:58 localhost.localdomain openvpn[1198]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Aug 05 17:13:58 localhost.localdomain openvpn[1198]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Aug 05 17:13:58 localhost.localdomain openvpn[1198]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Aug 05 17:13:58 localhost.localdomain openvpn[1198]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Aug 05 17:13:58 localhost.localdomain openvpn[1198]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Aug 05 17:13:58 localhost.localdomain openvpn[1198]: [static] Peer Connection Initiated with [AF_INET]XXX.XX.37.71:1194
    Aug 05 17:14:00 localhost.localdomain openvpn[1198]: SENT CONTROL [static]: 'PUSH_REQUEST' (status=1)
    Aug 05 17:14:01 localhost.localdomain openvpn[1198]: PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1 255.255.255.255,dhcp-option DNS 10.8.0.1,dhcp-option DOMAIN ABC.COM,ping 10,ping-restart 60,ifconfig 10.8.0.10 10.8.0.9'
    Aug 05 17:14:01 localhost.localdomain openvpn[1198]: OPTIONS IMPORT: timers and/or timeouts modified
    Aug 05 17:14:01 localhost.localdomain openvpn[1198]: OPTIONS IMPORT: --ifconfig/up options modified
    Aug 05 17:14:01 localhost.localdomain openvpn[1198]: OPTIONS IMPORT: route options modified
    Aug 05 17:14:01 localhost.localdomain openvpn[1198]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Aug 05 17:14:01 localhost.localdomain openvpn[1198]: ROUTE_GATEWAY 10.123.123.1/255.255.255.0 IFACE=wlan0 HWADDR=44:6d:57:32:81:2e
    Aug 05 17:14:01 localhost.localdomain openvpn[1198]: TUN/TAP device tun0 opened
    Aug 05 17:14:01 localhost.localdomain openvpn[1198]: TUN/TAP TX queue length set to 100
    Aug 05 17:14:01 localhost.localdomain openvpn[1198]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Aug 05 17:14:01 localhost.localdomain openvpn[1198]: /usr/sbin/ip link set dev tun0 up mtu 1500
    Aug 05 17:14:01 localhost.localdomain openvpn[1198]: /usr/sbin/ip addr add dev tun0 local 10.8.0.10 peer 10.8.0.9
    Aug 05 17:14:01 localhost.localdomain openvpn[1198]: /usr/sbin/ip route add 10.8.0.1/32 via 10.8.0.9
    Aug 05 17:14:01 localhost.localdomain openvpn[1198]: Initialization Sequence Completed

It looks like everything is fine.

But. I also checked /var/log/messages... and I found this line:

    Aug 5 17:14:01 localhost NetworkManager[761]: <warn> /sys/devices/virtual/net/tun0: couldn't determine device driver; ignoring...

ip a returns:

    5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
        link/none
        inet 10.8.0.10 peer 10.8.0.9/32 scope global tun0
           valid_lft forever preferred_lft forever

route -n returns:

    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         10.123.123.1    0.0.0.0         UG    0      0        0 wlan0
    10.8.0.1        10.8.0.9        255.255.255.255 UGH   0      0        0 tun0
    10.8.0.9        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
    10.123.123.0    0.0.0.0         255.255.255.0   U     0      0        0 wlan0

So basically everything works, except the pushed DNS... oh! right, and my /etc/resolv.conf:

    # Generated by NetworkManager
    domain home
    search home
    nameserver 10.123.123.1

Where is the problem?

(I got a response from a Windows user of the openvpn client: DNS works fine on his side, so this is a problem on my end.

Ok, now I have another response (after restarting the openvpn service on the server side) – it does not work.

I must say it also worked on my machine yesterday.. so did I mess something up on the server? What could it be? )

EDIT: ok, I have another response from the Windows user (the same user as before) – it is working now. So.. I guess it was caused by the openvpn restart, with some delay. I have not done anything since then. So we are back to my machine.

I also traced back to yesterday: the strange message appeared yesterday as well, and it worked yesterday too. Or maybe I added the entries to resolv.conf myself? I don't remember.. (damn)

This worked for me: http://www.softwarepassion.com/solving-dns-problems-with-openvpn-on-ubuntu-box/

The important step is to add the following two configuration lines to the client openvpn configuration file:

    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf

Also make sure the resolvconf package is installed on the client, since the update-resolv-conf script depends on it.

This works with the openvpn client service or when started manually from the command line.

However, the Ubuntu network manager does not do this. So far this is a bug: https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1211110

Disabling NetworkManager's own dnsmasq worked for me.

Edit /etc/NetworkManager/NetworkManager.conf

  #dns=dnsmasq 

and restart NetworkManager

 sudo restart network-manager 

OpenVPN currently cannot push DNS settings. You will have to change /etc/resolv.conf manually to match your (secure) DNS server. I just run a BIND9 service on the same machine as the Access Server and point to it through the tunnel. Use the machine's local IP address, e.g. 192.168.1.110

Good luck!

Jasper

Pushing DNS settings in OpenVPN is possible. Just like in your configuration, it is done in the server configuration with the following line:

push "dhcp-option DNS 10.20.30.40"

This is very useful with the Windows GUI, but it needs some fine-tuning on Linux systems. To connect to my home network (currently using Fedora 18), I used gronke's scripts on GitHub (https://github.com/gronke/OpenVPN-linux-push) to automate the update process.

To use these scripts, I added the following to my OpenVPN client file:

    up /home/gadgeteering/tools/vpn/up.sh
    down /home/gadgeteering/tools/vpn/down.sh

up.sh:

    #! /bin/bash

    # OpenVPN passes the tun/tap device name as the first argument of the --up script
    DEV=$1

    if [ ! -d /tmp/openvpn ]; then
        mkdir /tmp/openvpn
    fi

    # Remember which nameservers we added, so down.sh can remove exactly those
    CACHE_NAMESERVER="/tmp/openvpn/$DEV.nameserver"
    echo -n "" > "$CACHE_NAMESERVER"

    # Every pushed "dhcp-option ..." arrives as an environment variable foreign_option_N
    dns=dns
    for opt in ${!foreign_option_*}
    do
        eval "dns=\${$opt#dhcp-option DNS }"
        if [[ $dns =~ [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} ]]; then
            # keep a copy of the original resolv.conf the first time we touch it
            if [ ! -f /etc/resolv.conf.default ]; then
                cp /etc/resolv.conf /etc/resolv.conf.default
            fi
            # non-comment, non-nameserver lines first, then the pushed server,
            # then the previously configured nameservers as fallback
            grep -v ^# /etc/resolv.conf | grep -v ^nameserver > /tmp/resolv.conf
            echo "nameserver $dns" >> /tmp/resolv.conf
            echo "$dns" >> "$CACHE_NAMESERVER"
            grep -v ^# /etc/resolv.conf | grep -v "nameserver $dns" | grep nameserver >> /tmp/resolv.conf
            mv /tmp/resolv.conf /etc/resolv.conf
        fi
    done

down.sh:

    #! /bin/bash

    DEV=$1
    CACHE_NAMESERVER="/tmp/openvpn/$DEV.nameserver"
    echo "$CACHE_NAMESERVER"

    # Remove only the nameservers up.sh recorded for this device
    if [ -f "$CACHE_NAMESERVER" ]; then
        for ns in $(cat "$CACHE_NAMESERVER"); do
            echo "Removing $ns from /etc/resolv.conf"
            grep -v "nameserver $ns" /etc/resolv.conf > /tmp/resolv.conf
            mv /tmp/resolv.conf /etc/resolv.conf
        done
    fi
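As an added example (not from this thread and not from the gronke repository), here is a POSIX shell version of what up.sh does: it reads the foreign_option_N environment variables OpenVPN exports for every pushed dhcp-option and builds the resolv.conf content to install. It goes a little beyond up.sh: it also turns a pushed DOMAIN into a search line, rejects addresses with an octet above 255 (the regex in up.sh accepts 999.1.1.1), skips duplicates, and keeps the pre-VPN nameserver as a fallback after the pushed one. The function only prints the result, so the caller decides whether to write it over /etc/resolv.conf. The demo function and its sample resolv.conf are constructed here, mirroring the PUSH_REPLY shown in the question.

```shell
#!/bin/sh
# Added example: build resolv.conf content from OpenVPN's foreign_option_N
# variables. Not the thread's code; names below (valid_ipv4, build_resolv_conf,
# demo) are this example's own.

# Return 0 if $1 is a dotted quad with every octet in 0..255.
valid_ipv4() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the merged resolv.conf to stdout.
#   $1 = path of the current resolv.conf (only read, never written)
#   environment: foreign_option_1, foreign_option_2, ... as OpenVPN sets them
build_resolv_conf() {
    current=$1
    servers=""; domains=""
    i=1
    while eval "opt=\${foreign_option_$i:-}"; [ -n "$opt" ]; do
        case $opt in
            "dhcp-option DNS "*)
                ns=${opt#dhcp-option DNS }
                # ignore malformed pushes rather than installing them blindly
                if valid_ipv4 "$ns"; then
                    case " $servers " in
                        *" $ns "*) ;;
                        *) servers="$servers $ns" ;;
                    esac
                fi ;;
            "dhcp-option DOMAIN "*)
                domains="$domains ${opt#dhcp-option DOMAIN }" ;;
        esac
        i=$((i + 1))
    done
    echo "# Generated by openvpn up script (added example)"
    if [ -n "$domains" ]; then
        echo "search$domains"
    fi
    for ns in $servers; do
        echo "nameserver $ns"
    done
    # keep the nameservers that were configured before the VPN as a fallback
    grep '^nameserver ' "$current" 2>/dev/null | while read -r kw ns; do
        case " $servers " in
            *" $ns "*) ;;
            *) echo "nameserver $ns" ;;
        esac
    done
    return 0
}

# Demo on constructed input: the resolv.conf from the question plus the
# PUSH_REPLY options it received, and one bogus DNS push that must be dropped.
demo() {
    tmp=$(mktemp)
    printf '# Generated by NetworkManager\ndomain home\nsearch home\nnameserver 10.123.123.1\n' > "$tmp"
    (
        foreign_option_1="dhcp-option DNS 10.8.0.1"
        foreign_option_2="dhcp-option DOMAIN ABC.COM"
        foreign_option_3="dhcp-option DNS 999.1.1.1"
        build_resolv_conf "$tmp"
    )
    rm -f "$tmp"
}
```

To use it as an --up script, call `build_resolv_conf /etc/resolv.conf > /tmp/resolv.conf.new` and move the file into place only on success; on current OpenVPN versions the client config also needs `script-security 2` before it will run an --up script at all. Note what a pushed nameserver means: every name the client resolves from then on goes to the server's choice of resolver, so an --up script like this should only be enabled for servers whose certificate you verify (as the VERIFY OK lines in the logs above show happening).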

It is possible to make NetworkManager work by replacing /etc/resolv.conf manually. Note that this is quite hacky and cannot be considered a valid solution for every case.

    #!/bin/bash

    case "$2" in
        vpn-up)
            tmp=$(mktemp)
            func=$(mktemp)
            echo 'ping -c 1 -w 1 -q $1 > /dev/null ; if [ 0 -eq $? ]; then echo $1; fi' > $func
            grep -v "^#" /etc/resolv.conf > $tmp
            grep -rl type=vpn /etc/NetworkManager/system-connections \
                | xargs -n 1 sed -rne 's|dns=||p' \
                | sed -re 's|;|\n|g' \
                | grep -v "^\s*$" \
                | xargs -n 1 bash $func \
                | sed -re "s|(.*)|nameserver \1|" \
                | cat - $tmp \
                > /etc/resolv.conf
            rm -f $tmp $func;;
        vpn-down)
            resolvconf -u;;
    esac

This script should be placed under /etc/NetworkManager/dispatcher.d; it must be executable and owned by root. It reads every NetworkManager vpn configuration it can find and rewrites /etc/resolv.conf with the reachable nameservers found there. It does not write the domain/search lines, but it lets you forget about the annoying NetworkManager bug.

I use Ubuntu 16.04 and it works.