Ale*_*lex 6 networking linux vpn openvpn traffic
I have Ubuntu Server, and I would like to filter traffic and have only a specific users or groups traffic be sent through the VPN, and the rest of the traffic sent through the standard internet connection. I would think this would be rather easy to do, but I'm having a lot of trouble getting it set up.
I have been able to successfully set up a VPN connection using:
openvpn --config '/etc/openvpn/Sweden.ovpn' --auth-user-pass '/etc/openvpn/pia.txt' --persist-key --persist-tun --tls-client --remote-cert-tls server --user vpn &
The configuration file for OpenVPN contains the following:
client
dev tun
proto udp
remote sweden.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
Which creates a new interface named "tun0". Using that interface works perfectly fine:
curl -v --interface tun0 icanhazip.com
However, when I attempt to use the eth0 interface, the connection will timeout:
curl -v --interface eth0 icanhazip.com
If I disable the OpenVPN connection, then my curl call through eth0 will work correctly.
Once I am able to get both eth0 and tun0 working, I had planned on using something similar to this command to route a specific group through the OpenVPN tunnel:
iptables -A OUTPUT -m owner --gid-owner vpn \! -o tun0 -j REJECT
Does anyone know of a way that I could get both eth0 and tun0 to work at the same time, so that I may route the traffic of a specific user/group through it and leave all other traffic alone?
Similar posts: How to route specific traffic through OpenVPN? - I only have one network card in my solver, this solution appears to use two network cards.
你的curl -test有一个问题,我知道如何解决,你的方案也有一个问题,我可以建议一个解决方案。
curl不可能以这种方式工作:启动 VPN 后,该接口 (eth0) 上没有定义网关:eth0 NIC 有一个 IP 地址,并且可以到达您的 LAN,但没有可以访问互联网的网关,并且 icanhazip特别是.com,可以到达。为了让curl以这种方式工作,您必须指示内核到216.69.252.101 (icanhazip.com)的特定路由是通过eth0接口:
ip ro add 216.69.252.101 via your_home_routers_IP_address
现在,curl调用将按照您的意愿工作。
如果您希望通过 VPN 和 VPN 外部进行稳定、完整的通信,正确的方法是通过基于策略的路由安装第二个路由表。您可以在此处的姊妹网站上找到 David Schwartz 对该主题的精彩而简洁的介绍。您需要这个装置的原因是您正在设想一个具有两个不同网关的系统,这是不允许的,除非有两个不同的路由表。
现在,为了实现您的目标,即根据用户身份沿着不同的路由路由数据包,您必须设置适当的规则来选择相关的路由表。因此,让我们假设您现在有两个表,分别称为 vpn 和 novpn。您首先必须使用iptables的mangle表根据用户身份标记数据包,然后根据所述标记的存在(或不存在)提供基于策略的路由规则。
它可以这样工作:
iptables -t mangle -I OUTPUT -m owner --uid-owner some-user -j MARK --set-mark 100
ip rule add fwmark 100 table vpn
对于注定要使用 VPN 的用户,以及
iptables -t mangle -I OUTPUT -m owner --uid-owner some-other-user -j MARK --set-mark 300
ip rule add fwmark 300 table novpn
对于那些您想要在 VPN 之外路由的人。另外,最好为其他任何东西设置一个路由表,即默认值。希望这可以帮助。
| 归档时间: |
|
| 查看次数: |
4565 次 |
| 最近记录: |