那些遇到过的问题

尝试在网络命名空间中运行 OpenVPN

zil*_*exa 5 linux networking openvpn namespace

我希望某些应用程序通过 OpenVPN 访问互联网。我在此问题/线程底部的最终答案/评论中找到了一个解决方案: Feed all tr​​affic through OpenVPN for a specific network namespace only

我引用了那个帖子,我遇到的问题在底部说明:

您可以在命名空间内启动 OpenVPN 链接,然后运行要在命名空间内使用该 OpenVPN 链接的每个命令。有关如何执行此操作(不是我的工作)的详细信息:

http://www.naju.se/articles/openvpn-netns.html

我试过了,确实有效;这个想法是提供一个自定义脚本来在特定命名空间而不是全局命名空间内执行 OpenVPN 连接的 up 和 route-up 阶段。我引用了上面的链接,以防将来它下线:

First create an --up script for OpenVPN. This script will create the VPN tunnel interface inside a network namespace called vpn, instead of the default namespace.

$ cat > netns-up << EOF
#!/bin/sh
case $script_type in
        up)
                ip netns add vpn
                ip netns exec vpn ip link set dev lo up
                mkdir -p /etc/netns/vpn
                echo "nameserver 8.8.8.8" > /etc/netns/vpn/resolv.conf
                ip link set dev "$1" up netns vpn mtu "$2"
                ip netns exec vpn ip addr add dev "$1" \
                        "$4/${ifconfig_netmask:-30}" \
                        ${ifconfig_broadcast:+broadcast "$ifconfig_broadcast"}
                test -n "$ifconfig_ipv6_local" && \
          ip netns exec vpn ip addr add dev "$1" \
                        "$ifconfig_ipv6_local"/112
                ;;
        route-up)
                ip netns exec vpn ip route add default via "$route_vpn_gateway"
                test -n "$ifconfig_ipv6_remote" && \
          ip netns exec vpn ip route add default via \
                        "$ifconfig_ipv6_remote"
                ;;
        down)
                ip netns delete vpn
                ;;
esac
Run Code Online (Sandbox Code Playgroud)

然后启动 OpenVPN 并告诉它使用我们的 --up 脚本,而不是执行 ifconfig 和 route。

openvpn --ifconfig-noexec --route-noexec --up netns-up --route-up netns-up --down netns-up
Run Code Online (Sandbox Code Playgroud)

现在您可以像这样启动要进行隧道传输的程序:

ip netns exec vpn command
Run Code Online (Sandbox Code Playgroud)

唯一的问题是您需要以 root 身份调用 ip netns exec ... 并且您可能不希望您的应用程序以 root 身份运行。解决方法很简单:

sudo ip netns exec vpn sudo -u $(whoami) command
Run Code Online (Sandbox Code Playgroud)

我的问题:

当我尝试运行调用 netns-up 脚本的 openvpn 命令时,出现两个错误:

:/etc/openvpn$ sudo openvpn --ifconfig-noexec --route-noexec --up netns-up --route-up netns-up --down netns-up --config za1.nordvpn.com.tcp443.ovpn
(..)

Tue Mar 22 00:10:56 2016 [vpn-za.nordvpn.com] Peer Connection Initiated with [AF_INET]154.127.61.142:443
Tue Mar 22 00:10:59 2016 SENT CONTROL [vpn-za.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Tue Mar 22 00:10:59 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 78.46.223.24,dhcp-option DNS 162.242.211.137,route 10.7.7.1,topology net30,ping 5,ping-restart 30,ifconfig 10.7.7.102 10.7.7.101'
Tue Mar 22 00:10:59 2016 OPTIONS IMPORT: timers and/or timeouts modified
Tue Mar 22 00:10:59 2016 OPTIONS IMPORT: --ifconfig/up options modified
Tue Mar 22 00:10:59 2016 OPTIONS IMPORT: route options modified
Tue Mar 22 00:10:59 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Mar 22 00:10:59 2016 ROUTE_GATEWAY 192.168.1.254/255.255.255.0 IFACE=eth0 HWADDR=b8:27:eb:39:7e:46
Tue Mar 22 00:10:59 2016 TUN/TAP device tun0 opened
Tue Mar 22 00:10:59 2016 TUN/TAP TX queue length set to 100
Tue Mar 22 00:10:59 2016 netns-up tun0 1500 1592 10.7.7.102 10.7.7.101 init
Tue Mar 22 00:10:59 2016 WARNING: Failed running command (--up/--down): external program exited with error status: 1
Tue Mar 22 00:10:59 2016 Exiting due to fatal error
Run Code Online (Sandbox Code Playgroud)

我尝试使用和不使用 sudo 重新创建 netns-up 脚本,但没有帮助。我究竟做错了什么?

Fel*_*lix 2

在网络命名空间内启动 openvpn 更安全。我使用以下脚本(Schnouki 的分支)来创建命名空间、配置防火墙、DNS、测试连接、启动 openvpn,最后启动 torrent 客户端。我将 TODO 放在脚本中,您必须根据需要进行调整。

#!/bin/sh
# start openvpn tunnel and torrent client inside Linux network namespace
#
# this is a fork of schnouki's script, see original blog post
# https://schnouki.net/posts/2014/12/12/openvpn-for-a-single-application-on-linux/
#
# original script can be found here
# https://gist.github.com/Schnouki/fd171bcb2d8c556e8fdf

# ------------ adjust values below ------------
# network namespace
NS_NAME=myVPN
NS_EXEC="ip netns exec $NS_NAME"
# user for starting the torrent client
REGULAR_USER=heinzwurst
# ---------------------------------------------

# exit on unbound variable
set -u

# exit on error
set -e
set -o pipefail

# trace option
#set -x

if [ $USER != "root" ]; then
    echo "This must be run as root."
    exit 1
fi

start_vpn() {
    echo "Add network interface"

    # Create the network namespace
    ip netns add $NS_NAME

    # Start the loopback interface in the namespace
    $NS_EXEC ip addr add 127.0.0.1/8 dev lo
    $NS_EXEC ip link set lo up

    # Create virtual network interfaces that will let OpenVPN (in the
    # namespace) access the real network, and configure the interface in the
    # namespace (vpn1) to use the interface out of the namespace (vpn0) as its
    # default gateway
    ip link add vpn0 type veth peer name vpn1
    ip link set vpn0 up
    ip link set vpn1 netns $NS_NAME up

    ip addr add 10.200.200.1/24 dev vpn0
    $NS_EXEC ip addr add 10.200.200.2/24 dev vpn1
    $NS_EXEC ip link set dev vpn1 mtu 1492
    $NS_EXEC ip route add default via 10.200.200.1 dev vpn1

    # Configure the nameserver to use inside the namespace
    # TODO use VPN-provided DNS servers in order to prevent leaks
    mkdir -p /etc/netns/$NS_NAME
    cat >/etc/netns/$NS_NAME/resolv.conf <<EOF || exit 1
nameserver 8.8.8.8
nameserver 8.8.4.4
EOF

    # IPv4 NAT, you may need to adjust the interface name prefixes 'eth' 'wlan'
    iptables -t nat -A POSTROUTING -o eth+ -m mark --mark 0x29a -j MASQUERADE
    iptables -t nat -A POSTROUTING -o wlan+ -m mark --mark 0x29a -j MASQUERADE
    iptables -t mangle -A PREROUTING -i vpn0 -j MARK --set-xmark 0x29a/0xffffffff

    # TODO create firewall rules for your specific application (torrent)
    # or just comment the line below
    $NS_EXEC iptables-restore < /etc/iptables/iptables-$NS_NAME.rules

    # we should have full network access in the namespace
    $NS_EXEC ping -c 3 www.google.com

    # start OpenVPN in the namespace
    echo "Starting VPN"
    cd /etc/openvpn
    # TODO create openvpn configuration in /etc/openvpn/$NS_NAME.conf
    $NS_EXEC openvpn --config $NS_NAME.conf &

    # wait for the tunnel interface to come up
    while ! $NS_EXEC ip link show dev tun0 >/dev/null 2>&1 ; do sleep .5 ; done
}

stop_vpn() {
    echo "Stopping VPN"
    ip netns pids $NS_NAME | xargs -rd'\n' kill
    # TODO wait for terminate

    # clear NAT
    iptables -t nat -D POSTROUTING -o eth+ -m mark --mark 0x29a -j MASQUERADE
    iptables -t nat -D POSTROUTING -o wlan+ -m mark --mark 0x29a -j MASQUERADE
    iptables -t mangle -D PREROUTING -i vpn0 -j MARK --set-xmark 0x29a/0xffffffff

    echo "Delete network interface"
    rm -rf /etc/netns/$NS_NAME

    ip netns delete $NS_NAME
    ip link delete vpn0
}

# stop VPN on exit (even when error occured)
trap stop_vpn EXIT

start_vpn

# TODO start your favorite torrent client
$NS_EXEC sudo -u $REGULAR_USER transmission-gtk
Run Code Online (Sandbox Code Playgroud)

归档时间:

查看次数:

7046 次

最近记录:

6 年,11 月 前
仅通过 OpenVPN 为特定网络命名空间提供所有流量 17
更多相关链接
相关归档
将 shell 脚本作为守护进程运行的“正确”方式 31
Linux:使用的总交换区 = 进程使用的交换区 +? 18
为什么将大量文件复制到 USB 驱动器时桌面会锁定? 12
如何在 Linux 和 Windows 之间共享文件? 9
带有空格的安全复制 (scp) 文件名的问题 9
是否有 Linux 系统调用来创建文件范围的“视图”? 7
如何比较两个 tar 存档(包括文件内容、新/删除的文件、符号链接)? 5
如何通过 iptables 获取有关丢弃流量的指标? 4
/proc/sys/fs/binfmt_misc/下的文件允许什么样的可执行格式? 4
并行进程:将输出附加到 bash 脚本中的数组 4
难疑归档
手册页中的数字是什么意思? 622
Super Cow Powers 背后的故事是什么? 317
如何终止后台进程? 264
已达到内核 inotify 监视限制 247
Combined `mkdir` and `cd`? 189
tar:从成员名称中删除前导“/” 179
如何grep标准错误流(stderr)? 121
如何了解占用磁盘空间的内容? 97
如何将less中的所有行写入文件? 96
即使使用 --passphrase,gpg 也会要求输入密码 93