I run an OpenVPN server (Debian 8) for privacy reasons when using public WiFi. All of the client's network traffic is therefore supposed to be handled over the VPN connection. The server and client configurations are as follows.
Server configuration:
    port 1194
    proto tcp
    dev tun
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/server.crt
    key /etc/openvpn/server.key
    dh /etc/openvpn/dh.pem
    tls-auth /etc/openvpn/tlsauth.key 0
    user nobody
    group nogroup
    server 10.11.12.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    keepalive 10 120
    # def1: override the client's default route with two /1 routes instead of replacing it
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    persist-key
    persist-tun
    comp-lzo
    status openvpn-status.log
    verb 3
    # no "cipher" directive, so the data channel uses the BF-CBC default seen in the client syslog below
Client configuration:
    client
    remote XXXX 1194
    proto tcp
    dev tun
    resolv-retry infinite
    nobind
    user nobody
    group nogroup
    persist-key
    persist-tun
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/client.crt
    key /etc/openvpn/client.key
    # the server uses direction 0, so the client must use the complementary direction 1
    tls-auth /etc/openvpn/tlsauth.key 1
    comp-lzo
    verb 2
    # Not in the original config: "remote-cert-tls server" would address the
    # "No server certificate verification method has been enabled" warning in the syslog below.
    # Also note that on Linux OpenVPN does not apply pushed "dhcp-option DNS" values itself;
    # they only reach /etc/resolv.conf through an up script such as
    # /etc/openvpn/update-resolv-conf (which requires "script-security 2").
When the VPN service is started on the client, the routing table changes as shown below.
Routing table (192.168.178.0/24 is the public WiFi):
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         10.11.12.13     128.0.0.0       UG    0      0        0 tun0
    0.0.0.0         192.168.178.1   0.0.0.0         UG    1024   0        0 wlan0
    10.11.12.1      10.11.12.13     255.255.255.255 UGH   0      0        0 tun0
    10.11.12.13     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
    128.0.0.0       10.11.12.13     128.0.0.0       UG    0      0        0 tun0
    169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlan0
    192.168.178.0   0.0.0.0         255.255.255.0   U     0      0        0 wlan0
    XXXX            192.168.178.1   255.255.255.255 UGH   0      0        0 wlan0
The relevant part of syslog when starting openvpn:
    ovpn-client[3395]: OpenVPN 2.3.4 i586-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec 1 2014
    ovpn-client[3395]: library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
    ovpn-client[3395]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    ovpn-client[3395]: Control Channel Authentication: using '/etc/openvpn/tlsauth.key' as a OpenVPN static key file
    ovpn-client[3395]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    ovpn-client[3395]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    ovpn-client[3396]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
    ovpn-client[3396]: Attempting to establish TCP connection with [AF_INET]XXXX:1194 [nonblock]
    ovpn-client[3396]: TCP connection established with [AF_INET]XXXX:1194
    ovpn-client[3396]: TCPv4_CLIENT link local: [undef]
    ovpn-client[3396]: TCPv4_CLIENT link remote: [AF_INET]XXXX:1194
    ovpn-client[3396]: VERIFY OK: depth=1, [...]
    ovpn-client[3396]: VERIFY OK: depth=0, [...]
    ovpn-client[3396]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    ovpn-client[3396]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    ovpn-client[3396]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    ovpn-client[3396]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    ovpn-client[3396]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    ovpn-client[3396]: [VPN-Server] Peer Connection Initiated with [AF_INET]XXXX:1194
    ovpn-client[3396]: TUN/TAP device tun0 opened
    ovpn-client[3396]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    ovpn-client[3396]: /sbin/ip link set dev tun0 up mtu 1500
    NetworkManager[556]: <info> (tun0): carrier is OFF
    NetworkManager[556]: <info> (tun0): new Tun device (driver: 'unknown' ifindex: 15)
    NetworkManager[556]: <info> (tun0): exported as /org/freedesktop/NetworkManager/Devices/14
    ovpn-client[3396]: /sbin/ip addr add dev tun0 local 10.11.12.14 peer 10.11.12.13
    NetworkManager[556]: <info> (tun0): link connected
    ovpn-client[3396]: ERROR: Linux route add command failed: external program exited with error status: 2
    ovpn-client[3396]: GID set to nogroup
    ovpn-client[3396]: UID set to nobody
    ovpn-client[3396]: Initialization Sequence Completed
    NetworkManager[556]: <info> (tun0): device state change: unmanaged -> unavailable (reason 'connection-assumed') [10 20 41]
    NetworkManager[556]: <info> (tun0): device state change: unavailable -> disconnected (reason 'connection-assumed') [20 30 41]
    NetworkManager[556]: <info> Activation (tun0) starting connection 'tun0'
    NetworkManager[556]: <info> Activation (tun0) Stage 1 of 5 (Device Prepare) scheduled...
    NetworkManager[556]: <info> devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)
    NetworkManager[556]: <info> device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration found.
    NetworkManager[556]: <info> Activation (tun0) Stage 1 of 5 (Device Prepare) started...
    NetworkManager[556]: <info> (tun0): device state change: disconnected -> prepare (reason 'none') [30 40 0]
    NetworkManager[556]: <info> Activation (tun0) Stage 2 of 5 (Device Configure) scheduled...
    NetworkManager[556]: <info> Activation (tun0) Stage 1 of 5 (Device Prepare) complete.
    NetworkManager[556]: <info> Activation (tun0) Stage 2 of 5 (Device Configure) starting...
    NetworkManager[556]: <info> (tun0): device state change: prepare -> config (reason 'none') [40 50 0]
    NetworkManager[556]: <info> Activation (tun0) Stage 2 of 5 (Device Configure) successful.
    NetworkManager[556]: <info> Activation (tun0) Stage 3 of 5 (IP Configure Start) scheduled.
    NetworkManager[556]: <info> Activation (tun0) Stage 2 of 5 (Device Configure) complete.
    NetworkManager[556]: <info> Activation (tun0) Stage 3 of 5 (IP Configure Start) started...
    NetworkManager[556]: <info> (tun0): device state change: config -> ip-config (reason 'none') [50 70 0]
    NetworkManager[556]: <info> Activation (tun0) Stage 5 of 5 (IPv4 Configure Commit) scheduled...
    NetworkManager[556]: <info> Activation (tun0) Stage 3 of 5 (IP Configure Start) complete.
    NetworkManager[556]: <info> Activation (tun0) Stage 5 of 5 (IPv4 Commit) started...
    NetworkManager[556]: <info> (tun0): device state change: ip-config -> ip-check (reason 'none') [70 80 0]
    NetworkManager[556]: <info> Activation (tun0) Stage 5 of 5 (IPv4 Commit) complete.
    NetworkManager[556]: <info> (tun0): device state change: ip-check -> secondaries (reason 'none') [80 90 0]
    NetworkManager[556]: <info> (tun0): device state change: secondaries -> activated (reason 'none') [90 100 0]
    NetworkManager[556]: <info> Activation (tun0) successful, device activated.
My questions are:
Is the routing table correct? To me it looks a bit odd because of the two default entries. Also, when logging traffic on the public WiFi router (using tcpdump), not all traffic is routed through the VPN.
What does this error (ERROR: Linux route add command failed: external program exited with error status: 2) in the syslog mean? Could it be connected to the first question?
Edit: Thanks for your answer, Michal. To reduce multicast/local/... traffic, I also plan to drop that traffic with iptables.
I tried using the following iptables rules:
    #!/bin/bash
    GATEWAY="192.168.178.1"

    # Flush the filter table (nat and mangle are left untouched)
    iptables -F

    # Allow loopback device (internal communication)
    iptables -A INPUT  -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # Allow DHCP communication with gateway (unicast renewals only: the initial
    # DISCOVER is a broadcast from 0.0.0.0 to 255.255.255.255 and does not match these rules)
    iptables -A INPUT  -i wlan0 -p udp -s $GATEWAY/32 --dport 67:68 --sport 67:68 -j ACCEPT
    iptables -A OUTPUT -o wlan0 -p udp -d $GATEWAY/32 --dport 67:68 --sport 67:68 -j ACCEPT

    # Allow ICMP communication with gateway
    iptables -A INPUT  -i wlan0 -p icmp -s $GATEWAY/32 -j ACCEPT
    iptables -A OUTPUT -o wlan0 -p icmp -d $GATEWAY/32 -j ACCEPT

    # Allow VPN establishment (any host on TCP/1194; adding -d <VPN server IP> would be tighter)
    iptables -A OUTPUT -p tcp --dport 1194 -j ACCEPT
    iptables -A INPUT  -p tcp --sport 1194 -j ACCEPT

    # Accept all TUN connections (tun = VPN tunnel)
    iptables -A OUTPUT -o tun+ -j ACCEPT
    iptables -A INPUT  -i tun+ -j ACCEPT

    # Set default policies to drop all communication unless specifically allowed.
    # Note: on wlan0 only DHCP, ICMP and TCP/1194 pass, so a resolver on the WiFi
    # network (e.g. the gateway itself) is blocked; IPv6 is not covered (ip6tables).
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
IMO these rules should be sufficient to obtain the IP assigned by the gateway, establish the connection to the OpenVPN server, and handle all traffic over that connection. However, DNS does not work, although it should also use the VPN connection. Why doesn't it work?
Next edit: set up a local name server (dnsmasq) on the VPN server. The server configuration was changed to
    push "dhcp-option DNS 10.11.12.1"
instead of
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
When running dig +short serverfault.com @10.11.12.1 on the VPN server, the host name is resolved successfully. If the command is run on a different host without using the VPN (dig +short stackoverflow.com @XXXX), the host name is also resolved successfully. But when the command is run on the client connected to the VPN (dig +short stackoverflow.com @10.11.12.1), the command fails (;; connection timed out; no servers could be reached). Why? iptables is set to accept everything.
PS. If you use a remote IP address, resolv-retry infinite is not needed; it makes no sense.
Edit: iptables configuration. I think this is the client's iptables configuration.
iptables -F -t nat
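Two of the questions above, the "two default entries" and DNS failing under the kill switch, both come down to route selection, which the following added Python example simulates against the routing table from the post (this is example code, not code from the original post). It applies the kernel's longest-prefix-match rule: redirect-gateway def1 deliberately adds 0.0.0.0/1 and 128.0.0.0/1 via tun0 instead of deleting the wlan0 default, and each /1 route beats the /0 route, so the two default entries are expected and traffic to any public address goes out over tun0. It then models the OUTPUT chain of the iptables script and reports where a DNS query would go: the pushed resolvers 8.8.8.8 and 8.8.4.4 leave via tun0 and pass, while the WiFi gateway's resolver 192.168.178.1 is routed over wlan0 and hits the DROP policy. That is the case to check first, because the Linux OpenVPN client does not write pushed dhcp-option DNS values into /etc/resolv.conf by itself (it needs an up script such as /etc/openvpn/update-resolv-conf), so the resolver handed out by the WiFi's DHCP may still be the one in use. The VPN server address XXXX is replaced by the placeholder 203.0.113.10, an assumption, and the sample routing table is constructed from the one shown above.

```python
import ipaddress

# Assumed placeholder for the VPN server address that is masked as XXXX in the post.
VPN_SERVER = "203.0.113.10"
WIFI_GATEWAY = "192.168.178.1"

# Constructed sample: the client's routing table from the post (netstat -rn layout),
# with XXXX replaced by VPN_SERVER.
ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.11.12.13     128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.178.1   0.0.0.0         UG    1024   0        0 wlan0
10.11.12.1      10.11.12.13     255.255.255.255 UGH   0      0        0 tun0
10.11.12.13     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
128.0.0.0       10.11.12.13     128.0.0.0       UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlan0
192.168.178.0   0.0.0.0         255.255.255.0   U     0      0        0 wlan0
203.0.113.10    192.168.178.1   255.255.255.255 UGH   0      0        0 wlan0
"""


def parse_routes(text):
    """Parse netstat -rn output into (network, gateway, metric, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Destination":
            continue
        dst, gw, mask, _flags, metric, _ref, _use, iface = fields
        # ipaddress accepts a dotted netmask after the slash; 0.0.0.0 becomes /0
        routes.append((ipaddress.IPv4Network(f"{dst}/{mask}"), gw, int(metric), iface))
    return routes


def route_lookup(routes, dst):
    """Longest-prefix match with the lower metric breaking ties, as the kernel does.
    Returns the winning (network, gateway, metric, iface) tuple or None."""
    ip = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))


def output_allowed(iface, proto, dst, dport=None, sport=None):
    """Model of the OUTPUT chain from the iptables script in the post (policy DROP),
    evaluated in the order the rules were appended."""
    if iface == "lo":
        return True
    if (iface == "wlan0" and proto == "udp" and dst == WIFI_GATEWAY
            and dport in (67, 68) and sport in (67, 68)):
        return True
    if iface == "wlan0" and proto == "icmp" and dst == WIFI_GATEWAY:
        return True
    if proto == "tcp" and dport == 1194:
        return True
    if iface.startswith("tun"):
        return True
    return False


def egress_fate(routes, proto, dst, dport=None, sport=None):
    """Route a packet and report (outgoing interface, passes the kill switch?)."""
    r = route_lookup(routes, dst)
    if r is None:
        return ("no route", False)
    return (r[3], output_allowed(r[3], proto, dst, dport, sport))


def dns_leak_report(routes, resolvers):
    """For each resolver, which interface a UDP/53 query leaves on and whether
    the OUTPUT chain lets it out (an unprivileged source port is assumed)."""
    return {ns: egress_fate(routes, "udp", ns, dport=53, sport=40000) for ns in resolvers}


ROUTES = parse_routes(ROUTE_TABLE)

if __name__ == "__main__":
    for ip in ("8.8.8.8", "200.1.1.1", WIFI_GATEWAY, VPN_SERVER, "10.11.12.1"):
        net, gw, _metric, iface = route_lookup(ROUTES, ip)
        print(f"{ip:15} -> {iface:5} via {gw:15} (matched {net})")
    # Resolvers pushed by the server versus the one the WiFi's DHCP hands out.
    for ns, (iface, ok) in dns_leak_report(ROUTES, ["8.8.8.8", "8.8.4.4", WIFI_GATEWAY]).items():
        print(f"DNS to {ns:15}: leaves on {iface:5}, {'passes' if ok else 'DROPPED by kill switch'}")
```

On a real client the same two checks are `ip route get 8.8.8.8` (which should name tun0 while the tunnel is up) and `cat /etc/resolv.conf` after the connection comes up; if resolv.conf still lists 192.168.178.1, the query is going out on wlan0 and the kill switch is doing exactly what it was told to.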