I am using the following script: https://github.com/loeken/CascadingOpenvpnConnect
It creates a tun0 instance and a tun1 instance, and another one if I want it to. I am having trouble working out how to direct the traffic.
When I run the first command, sudo openvpn --config eu.fr1.cdn.internetz.me.ovpn --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec (example)
I am able to connect through the VPN correctly.
However, when I start the second command, sudo openvpn --config eu.fr4.cdn.internetz.me.ovpn --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec --setenv hopid 2 --setenv prevgw 10.9.1.1 (example)
I don't know what to do next. The second command runs successfully, but my IP address is still listed as that of the first VPN (tun0). So how do I bring tun1 into the picture?
Thanks for your help.
- EDIT/UPDATE
This is my default routing table.
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    100    0        0 enp0s3
10.0.2.0        0.0.0.0         255.255.255.0   U     100    0        0 enp0s3
This is the first command I ran. It appears to have been successful.
sudo openvpn --config client-east.ovpn --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec
Thu Jul 21 19:29:55 2022 OpenVPN 2.4.4 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Thu Jul 21 19:29:55 2022 library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.08
Enter Auth Username: openvpn
Enter Auth Password: ***
Thu Jul 21 19:29:59 2022 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Thu Jul 21 19:29:59 2022 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jul 21 19:29:59 2022 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 21 19:29:59 2022 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 21 19:29:59 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]3.228.10.177:1194
Thu Jul 21 19:29:59 2022 Socket Buffers: R=[180224->180224] S=[180224->180224]
Thu Jul 21 19:29:59 2022 UDP link local: (not bound)
Thu Jul 21 19:29:59 2022 UDP link remote: [AF_INET]3.228.10.177:1194
Thu Jul 21 19:29:59 2022 TLS: Initial packet from [AF_INET]3.228.10.177:1194, sid=e06d136c ef7fcba7
Thu Jul 21 19:29:59 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Jul 21 19:29:59 2022 VERIFY OK: depth=1, CN=OpenVPN CA
Thu Jul 21 19:29:59 2022 VERIFY OK: nsCertType=SERVER
Thu Jul 21 19:29:59 2022 VERIFY OK: depth=0, CN=OpenVPN Server
Thu Jul 21 19:30:00 2022 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Thu Jul 21 19:30:00 2022 [OpenVPN Server] Peer Connection Initiated with [AF_INET]3.228.10.177:1194
Thu Jul 21 19:30:01 2022 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Thu Jul 21 19:30:01 2022 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,compress stub-v2,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 172.27.232.1,dhcp-option DNS 172.31.0.2,register-dns,block-ipv6,ifconfig 172.27.232.27 255.255.248.0,peer-id 0,auth-tokenSESS_ID,cipher AES-256-GCM'
Thu Jul 21 19:30:01 2022 Option 'explicit-exit-notify' in [PUSH-OPTIONS]:1 is ignored by previous <connection> blocks
Thu Jul 21 19:30:01 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.4.4)
Thu Jul 21 19:30:01 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.4.4)
Thu Jul 21 19:30:01 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.4.4)
Thu Jul 21 19:30:01 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:16: register-dns (2.4.4)
Thu Jul 21 19:30:01 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:17: block-ipv6 (2.4.4)
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: explicit notify parm(s) modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: compression parms modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: route options modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: route-related options modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: peer-id set
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: adjusting link_mtu to 1625
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: data channel crypto options modified
Thu Jul 21 19:30:01 2022 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Jul 21 19:30:01 2022 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jul 21 19:30:01 2022 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jul 21 19:30:01 2022 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:cb:a6:e2
Thu Jul 21 19:30:01 2022 TUN/TAP device tun0 opened
Thu Jul 21 19:30:01 2022 TUN/TAP TX queue length set to 100
Thu Jul 21 19:30:01 2022 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Jul 21 19:30:01 2022 /sbin/ip link set dev tun0 up mtu 1500
Thu Jul 21 19:30:02 2022 /sbin/ip addr add dev tun0 172.27.232.27/21 broadcast 172.27.239.255
Thu Jul 21 19:30:02 2022 updown.sh tun0 1500 1553 172.27.232.27 255.255.248.0 init
## updown.sh: STARTED
## updown.sh: hop id: (default: 1)
## updown.sh: gateway of last hop: (default: local gateway)
## updown.sh: local gateway: 10.0.2.2
## updown.sh: VPN: local IP address: 172.27.232.27
## updown.sh: VPN: local netmask: 255.255.248.0
## updown.sh: VPN: local gateway: 172.27.232.1
## updown.sh: VPN: vpn IP address: 3.228.10.177
## updown.sh: Notice: You didn't set 'hopid'. Assuming this to be the first hop (hopid=1).
## updown.sh: Notice: You didn't set the previous gateway. The gateway of your local network ('10.0.2.2') will be used.
## updown.sh: executing: '/sbin/ip route add 3.228.10.177 via 10.0.2.2'
## updown.sh: executing: '/sbin/ip route add 0.0.0.0/1 via 172.27.232.1'
## updown.sh: executing: '/sbin/ip route add 128.0.0.0/1 via 172.27.232.1'
## updown.sh: HINT: For the next hop, start openvpn with the following options:
## updown.sh: HINT: openvpn --config <config.ovpn> --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec --setenv hopid 2 --setenv prevgw 172.27.232.1
## updown.sh: FINISHED
Thu Jul 21 19:30:07 2022 Initialization Sequence Completed
If I change my DNS to 8.8.8.8, my traffic goes through my VPN.
After running the first command, this is what my routing table looks like.
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.27.232.1    128.0.0.0       UG    0      0        0 tun0
default         10.0.2.2        0.0.0.0         UG    100    0        0 enp0s3
3.228.10.177    10.0.2.2        255.255.255.255 UGH   0      0        0 enp0s3
10.0.2.0        0.0.0.0         255.255.255.0   U     100    0        0 enp0s3
128.0.0.0       172.27.232.1    128.0.0.0       UG    0      0        0 tun0
172.27.232.0    0.0.0.0         255.255.248.0   U     0      0        0 tun0
This is my second command. It also appears to have been successful.
sudo openvpn --config client-west.ovpn --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec --setenv hopid 2 --setenv prevgw 172.27.232.1
Thu Jul 21 19:34:30 2022 OpenVPN 2.4.4 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Thu Jul 21 19:34:30 2022 library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.08
Enter Auth Username: openvpn
Enter Auth Password: ***
Thu Jul 21 19:34:34 2022 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Thu Jul 21 19:34:34 2022 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jul 21 19:34:34 2022 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 21 19:34:34 2022 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 21 19:34:34 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]52.53.125.237:1194
Thu Jul 21 19:34:34 2022 Socket Buffers: R=[180224->180224] S=[180224->180224]
Thu Jul 21 19:34:34 2022 UDP link local: (not bound)
Thu Jul 21 19:34:34 2022 UDP link remote: [AF_INET]52.53.125.237:1194
Thu Jul 21 19:34:34 2022 TLS: Initial packet from [AF_INET]52.53.125.237:1194, sid=0ca1cb6e b7f72f45
Thu Jul 21 19:34:34 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Jul 21 19:34:34 2022 VERIFY OK: depth=1, CN=OpenVPN CA
Thu Jul 21 19:34:34 2022 VERIFY OK: nsCertType=SERVER
Thu Jul 21 19:34:34 2022 VERIFY OK: depth=0, CN=OpenVPN Server
Thu Jul 21 19:34:34 2022 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Thu Jul 21 19:34:34 2022 [OpenVPN Server] Peer Connection Initiated with [AF_INET]52.53.125.237:1194
Thu Jul 21 19:34:35 2022 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Thu Jul 21 19:34:36 2022 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,compress stub-v2,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 172.27.232.1,dhcp-option DNS 172.31.0.2,register-dns,block-ipv6,ifconfig 172.27.232.28 255.255.248.0,peer-id 0,auth-tokenSESS_ID,cipher AES-256-GCM'
Thu Jul 21 19:34:36 2022 Option 'explicit-exit-notify' in [PUSH-OPTIONS]:1 is ignored by previous <connection> blocks
Thu Jul 21 19:34:36 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.4.4)
Thu Jul 21 19:34:36 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.4.4)
Thu Jul 21 19:34:36 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.4.4)
Thu Jul 21 19:34:36 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:16: register-dns (2.4.4)
Thu Jul 21 19:34:36 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:17: block-ipv6 (2.4.4)
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: explicit notify parm(s) modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: compression parms modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: route options modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: route-related options modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: peer-id set
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: adjusting link_mtu to 1625
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: data channel crypto options modified
Thu Jul 21 19:34:36 2022 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Jul 21 19:34:36 2022 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jul 21 19:34:36 2022 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jul 21 19:34:36 2022 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:cb:a6:e2
Thu Jul 21 19:34:36 2022 TUN/TAP device tun1 opened
Thu Jul 21 19:34:36 2022 TUN/TAP TX queue length set to 100
Thu Jul 21 19:34:36 2022 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Jul 21 19:34:36 2022 /sbin/ip link set dev tun1 up mtu 1500
Thu Jul 21 19:34:36 2022 /sbin/ip addr add dev tun1 172.27.232.28/21 broadcast 172.27.239.255
Thu Jul 21 19:34:36 2022 updown.sh tun1 1500 1553 172.27.232.28 255.255.248.0 init
## updown.sh: STARTED
## updown.sh: hop id: 2 (default: 1)
## updown.sh: gateway of last hop: 172.27.232.1 (default: local gateway)
## updown.sh: local gateway: 10.0.2.2
## updown.sh: VPN: local IP address: 172.27.232.28
## updown.sh: VPN: local netmask: 255.255.248.0
## updown.sh: VPN: local gateway: 172.27.232.1
## updown.sh: VPN: vpn IP address: 52.53.125.237
## updown.sh: executing: '/sbin/ip route add 52.53.125.237 via 172.27.232.1'
## updown.sh: executing: '/sbin/ip route add 0.0.0.0/2 via 172.27.232.1'
## updown.sh: executing: '/sbin/ip route add 64.0.0.0/2 via 172.27.232.1'
## updown.sh: executing: '/sbin/ip route add 128.0.0.0/2 via 172.27.232.1'
## updown.sh: executing: '/sbin/ip route add 192.0.0.0/2 via 172.27.232.1'
## updown.sh: HINT: For the next hop, start openvpn with the following options:
## updown.sh: HINT: openvpn --config <config.ovpn> --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec --setenv hopid 3 --setenv prevgw 172.27.232.1
## updown.sh: FINISHED
Thu Jul 21 19:34:41 2022 Initialization Sequence Completed
Routing table after running the second command.
Kernel IP routing table
0.0.0.0         172.27.232.1    192.0.0.0       UG    0      0        0 tun0
0.0.0.0         172.27.232.1    128.0.0.0       UG    0      0        0 tun0
default         10.0.2.2        0.0.0.0         UG    100    0        0 enp0s3
ec2-3-228-10-17 10.0.2.2        255.255.255.255 UGH   0      0        0 enp0s3
10.0.2.0        0.0.0.0         255.255.255.0   U     100    0        0 enp0s3
ec2-52-53-125-2 172.27.232.1    255.255.255.255 UGH   0      0        0 tun0
64.0.0.0        172.27.232.1    192.0.0.0       UG    0      0        0 tun0
128.0.0.0       172.27.232.1    192.0.0.0       UG    0      0        0 tun0
128.0.0.0       172.27.232.1    128.0.0.0       UG    0      0        0 tun0
172.27.232.0    0.0.0.0         255.255.248.0   U     0      0        0 tun0
172.27.232.0    0.0.0.0         255.255.248.0   U     0      0        0 tun1
192.0.0.0       172.27.232.1    192.0.0.0       UG    0      0        0 tun0
When I run tcpdump, there is traffic on tun0 (the first VPN), but there is no traffic at all on tun1 (the second VPN).
I am confused and don't know what to do next.
Posted on 2022-07-22 09:09:40
tun0 is created first, then tun1, so you want "regular traffic" to be routed straight into tun1.
                      ------      ------      --------
"regular traffic" -> | tun1 | -> | tun0 | -> | enp0s3 |
                      ------      ------      --------
The IP address of the VPN-internal gateway (172.27.232.1) is the same for tun0 and tun1. I don't know whether the script (updown.sh) can handle that. I don't know whether it is possible at all to chain VPN connections on the same machine while both have the same VPN-internal gateway address. But I have a few ideas.
Is tun1 created through tun0? If it is not, adjusting the routing table later (after both tunnels are created) may not help. After creating tun0, I would use tcpdump to see whether creating tun1 causes a new connection on enp0s3 or whether it is tunnelled through tun0.
After both VPN connections are established, create one specific routing table entry: 8.8.8.8 via 172.27.232.1 dev tun1. Send a DNS request and see whether it gets routed through the chain.
For tun1 there is only one entry in the routing table.
172.27.232.0    0.0.0.0         255.255.248.0   U     0      0        0 tun1
Its destination is the VPN's network address, which covers the gateway address. This entry alone is not enough to route "regular traffic" into tun1.
All the other tun* rules are bound to tun0.
0.0.0.0         172.27.232.1    192.0.0.0       UG    0      0        0 tun0
0.0.0.0         172.27.232.1    128.0.0.0       UG    0      0        0 tun0
64.0.0.0        172.27.232.1    192.0.0.0       UG    0      0        0 tun0
128.0.0.0       172.27.232.1    192.0.0.0       UG    0      0        0 tun0
128.0.0.0       172.27.232.1    128.0.0.0       UG    0      0        0 tun0
192.0.0.0       172.27.232.1    192.0.0.0       UG    0      0        0 tun0
I would delete these rules and write new rules for tun1. Maybe a single rule is enough: 0.0.0.0 via 172.27.232.1 dev tun1. I don't know whether that works, but it is what I would try.
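Added example, not code from the original post, the answer, or the CascadingOpenvpnConnect project: a small simulator of the kernel's IPv4 route selection (longest prefix first, lowest metric on a tie) that parses the routing table shown after the second hop, resolves a destination such as 8.8.8.8, and then follows the encapsulation chain tunnel by tunnel, so you can see on which interface each layer actually leaves the host. The tunnel endpoints are taken from the "UDP link remote" lines of the two OpenVPN logs above. The second table ("proposed") is my assumption about what the answer's suggestion would produce: the /1 and /2 routes on tun0 removed and one default route via 172.27.232.1 pinned to tun1, installed with metric 0 so that it beats the metric-100 default on enp0s3.

```python
"""Simulate the Linux kernel's IPv4 route selection over a `route -n` table.

Added example (not code from the original post or from CascadingOpenvpnConnect):
parses the routing table the question shows after the second hop, resolves a
destination the way the kernel does (longest prefix first, lowest metric on a
tie), and follows the encapsulation chain tunnel by tunnel, so you can see which
interface each layer really leaves on.
"""
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    net: ipaddress.IPv4Network
    gateway: str
    metric: int
    iface: str


# Remote endpoints of the two tunnels, taken from the OpenVPN logs in the question
# ("UDP link remote" for tun0 and tun1). A packet sent into tunN is encapsulated
# and addressed to this IP, which the kernel then routes again.
TUNNEL_ENDPOINTS = {"tun0": "3.228.10.177", "tun1": "52.53.125.237"}

# The table from the question after the second hop. Constructed input: the two
# `ec2-...` hostnames that `route` printed are written as the numeric addresses
# shown elsewhere in the post; everything else is as posted.
AFTER_SECOND_HOP = """
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.27.232.1    192.0.0.0       UG    0      0        0 tun0
0.0.0.0         172.27.232.1    128.0.0.0       UG    0      0        0 tun0
default         10.0.2.2        0.0.0.0         UG    100    0        0 enp0s3
3.228.10.177    10.0.2.2        255.255.255.255 UGH   0      0        0 enp0s3
10.0.2.0        0.0.0.0         255.255.255.0   U     100    0        0 enp0s3
52.53.125.237   172.27.232.1    255.255.255.255 UGH   0      0        0 tun0
64.0.0.0        172.27.232.1    192.0.0.0       UG    0      0        0 tun0
128.0.0.0       172.27.232.1    192.0.0.0       UG    0      0        0 tun0
128.0.0.0       172.27.232.1    128.0.0.0       UG    0      0        0 tun0
172.27.232.0    0.0.0.0         255.255.248.0   U     0      0        0 tun0
172.27.232.0    0.0.0.0         255.255.248.0   U     0      0        0 tun1
192.0.0.0       172.27.232.1    192.0.0.0       UG    0      0        0 tun0
"""

# What the answer proposes (assumption about the exact result): the /1 and /2
# routes on tun0 removed, and one default route via 172.27.232.1 pinned to tun1
# with metric 0, so it beats the metric-100 default on enp0s3.
PROPOSED = """
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.27.232.1    0.0.0.0         UG    0      0        0 tun1
default         10.0.2.2        0.0.0.0         UG    100    0        0 enp0s3
3.228.10.177    10.0.2.2        255.255.255.255 UGH   0      0        0 enp0s3
10.0.2.0        0.0.0.0         255.255.255.0   U     100    0        0 enp0s3
52.53.125.237   172.27.232.1    255.255.255.255 UGH   0      0        0 tun0
172.27.232.0    0.0.0.0         255.255.248.0   U     0      0        0 tun0
172.27.232.0    0.0.0.0         255.255.248.0   U     0      0        0 tun1
"""


def parse_route_table(text: str) -> list[Route]:
    """Parse `route`/`route -n` rows: Destination Gateway Genmask Flags Metric Ref Use Iface."""
    routes = []
    for line in text.strip().splitlines():
        cols = line.split()
        if len(cols) != 8 or cols[0] == "Destination":
            continue  # header line or something that is not a route row
        dest, gw, mask, _flags, metric, _ref, _use, iface = cols
        if dest == "default":
            dest = "0.0.0.0"
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, gw, int(metric), iface))
    return routes


def lookup(routes: list[Route], dst: str) -> Optional[Route]:
    """Kernel-style choice: the longest matching prefix wins; on a tie, the lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.net]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.net.prefixlen, -r.metric))


def trace_chain(routes: list[Route], endpoints: dict[str, str], dst: str) -> list[str]:
    """Return the interface sequence a packet to dst passes, innermost tunnel first.

    Whenever the chosen interface is a tunnel, the packet is encapsulated and the
    outer packet is addressed to that tunnel's remote endpoint, which is looked
    up again. Stops at a non-tunnel interface, at an unroutable address, or when
    a tunnel would be entered twice (a routing loop).
    """
    hops: list[str] = []
    current = dst
    while True:
        route = lookup(routes, current)
        if route is None:
            return hops + ["unroutable"]
        if route.iface in hops:
            return hops + ["loop"]
        hops.append(route.iface)
        if route.iface not in endpoints:
            return hops  # left the host on a physical interface
        current = endpoints[route.iface]


if __name__ == "__main__":
    for name, table in (("as posted", AFTER_SECOND_HOP), ("proposed", PROPOSED)):
        routes = parse_route_table(table)
        chosen = lookup(routes, "8.8.8.8")
        chain = " -> ".join(trace_chain(routes, TUNNEL_ENDPOINTS, "8.8.8.8"))
        print(f"{name}: 8.8.8.8 matches {chosen.net} dev {chosen.iface}; chain = {chain}")
```

With the table as posted, 8.8.8.8 matches 0.0.0.0/2 on tun0, whose endpoint 3.228.10.177 leaves on enp0s3, so tun1 is never entered; with the proposed table the chain becomes tun1, then tun0, then enp0s3. The reason the script's second-hop routes landed on tun0 is visible in the table itself: they were added as "via 172.27.232.1" without a device, the kernel resolves that next hop through a connected route for 172.27.232.0/21, and both tunnels carry that subnet, so the route is bound to whichever interface resolves first; adding "dev tun1" makes the binding explicit. The simulator ignores policy routing (ip rule), source-address selection and OpenVPN's own route handling, so treat it as a way to reason about the table, not as a replacement for checking with ip route get and tcpdump.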
https://unix.stackexchange.com/questions/710661