But the former shows up in the routing table as a single `default dev wg1`, whereas the latter is two routes, `0.0.0.0/1 dev wg1` and `128.0.0.0/1 dev wg1`.
Because route lookup follows longest-prefix matching, if the routing table already contains a `default dev eth0`, using the former leaves two equally specific default routes and causes confusion. Using the latter, the two /1 routes have a longer prefix and therefore higher priority, so they mask the original default route.
The routing table change for the former looks like this (on a MacBook):
```
> ip route
default via link#18 dev utun3
default via 192.168.233.1 dev en0
10.0.233.5/32 via 10.0.233.5 dev utun3
224.0.0.0/4 dev utun3 scope link
224.0.0.0/4 dev en0 scope link
255.255.255.255/32 dev utun3 scope link
255.255.255.255/32 dev en0 scope link
```
The routing table change for the latter looks like this:
```
> ip route
0.0.0.0/1 dev utun3 scope link
default via 192.168.233.1 dev en0
default via link#18 dev utun3
10.0.233.5/32 via 10.0.233.5 dev utun3
128.0.0.0/1 dev utun3 scope link
224.0.0.0/4 dev en0 scope link
224.0.0.0/4 dev utun3 scope link
255.255.255.255/32 dev en0 scope link
255.255.255.255/32 dev utun3 scope link
```
```
> ip route
1.0.0.0/8 via 198.18.0.1 dev utun3
2.0.0.0/7 via 198.18.0.1 dev utun3
4.0.0.0/6 via 198.18.0.1 dev utun3
8.0.0.0/5 via 198.18.0.1 dev utun3
16.0.0.0/4 via 198.18.0.1 dev utun3
32.0.0.0/3 via 198.18.0.1 dev utun3
64.0.0.0/2 via 198.18.0.1 dev utun3
128.0.0.0/1 via 198.18.0.1 dev utun3   # the routes above catch every IP and hand it to 198.18.0.1
198.18.0.1/32 via 198.18.0.1 dev utun3   # catches the translated 198.18.0.1 itself, by longest-prefix match
```
This clearly looks like a proxy routing loop (every address is sent to 198.18.0.1, and 198.18.0.1 itself is matched again); how is it resolved?
```
shaojiemike@shaojiemikedeMacBook-Air ~/github/hugoMinos (main*) [10:59:32]
> ip route get 198.18.0.42
198.18.0.42 via 198.18.0.1 dev utun3 src 198.18.0.1
shaojiemike@shaojiemikedeMacBook-Air ~/github/hugoMinos (main*) [10:59:38]
> ip route get 198.18.0.1
198.18.0.1 dev utun3 src 198.18.0.1
```
WireGuard environment setup
wireguard-go: installs the client side, brought up with `wg-quick up config`. wireguard-tools: installs the server side, managed with `wg`.
```
sh-4.4# ip ro
default via 222.195.90.254 dev eth0 src 222.195.90.2
10.0.233.0/24 dev wg1 proto kernel scope link src 10.0.233.3
222.195.90.0/24 dev eth0 proto kernel scope link src 222.195.90.2

sh-4.4# ip ro s t eth0-table
222.195.90.0/24 via 222.195.90.2 dev eth0

# the important entries are:
sh-4.4# ip rule
3:      from 222.195.90.2 lookup eth0-table   # ping and ssh to 222.195.90.2 use this rule
32766:  from all lookup main                  # ping and ssh to any other IP, e.g. wg's 10.0.233.3, use this rule

# 1. Give the local ssh path (222.195.90.2 on eth0) high priority, so bringing up wg does not drop the ssh session
# added with: ip ro add default via 222.195.90.254 dev eth0 table eth0-table
sh-4.4# ip route show table eth0-table
default via 222.195.90.254 dev eth0
222.195.90.0/24 via 222.195.90.2 dev eth0

# 2. To send everything except the local ssh network over wg, delete the DHCP-installed default route that shadows wg's
#    (if you delete it too early the machine becomes unreachable over ssh; re-plug the network cable so DHCP reconfigures it)
# run: ip ro d default via 222.195.90.254 dev eth0 src 222.195.90.2 table main
# 3. Prevent the NAS's wg client from losing contact when the server restarts
# run: ip ro a 114.214.233.0/24 via 222.195.90.254 dev eth0 src 222.195.90.2 table main
# 4. Test: pinging a domain name works

# Alternative: to send everything except the local ssh network over wg, instead of deleting the DHCP route, add a wg path ahead of it
# run: ip ro add default dev wg1 proto kernel scope link src 10.0.233.3 table main
sh-4.4# ip r s t main
default dev wg1 proto kernel scope link src 10.0.233.3
```
```
# shaojiemike @ node5 in ~ [22:30:33]
$ ip rule
0:      from all lookup local
2:      from 202.38.73.217 lookup 1
32766:  from all lookup main
32767:  from all lookup default
# can also be added by hand: ip rule add from 202.38.73.217 table 1 pref 2   or   ip rule add from 202.38.73.217 lookup 1 pref 2

$ ip route show table 1
default via 202.38.73.254 dev eno0 proto static
# can also be added with `ip route add`
$ ip route add default via 202.38.73.254 dev eno0 proto static table 1
```
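Added example, not part of the original post: a small Python model of kernel route selection that replays the tables above. It covers both the longest-prefix-match discussion (the /1 split masking the default route, and the 198.18.0.1 fake-IP table that looks like a loop) and the source-based `ip rule` lookup on node5. The table contents are transcribed from the output above; since `ip route get` shows 198.18.0.1 reached directly on utun3, the /32 is modelled as an on-link route.

```python
import ipaddress
# Added example (not from the original post): a small model of kernel route
# selection, replaying the tables shown above. A route is (prefix, via, dev);
# via=None means the prefix is on-link on dev, so no further lookup is needed.

def lpm(table, dst):
    """Longest-prefix match; on equal prefix length the earlier entry wins."""
    ip = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for prefix, via, dev in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and net.prefixlen > best_len:
            best, best_len = (prefix, via, dev), net.prefixlen
    return best

def resolve(table, dst, max_hops=8):
    """Follow 'via' gateways until an on-link route; 'LOOP' if that never happens."""
    hop = dst
    for _ in range(max_hops):
        r = lpm(table, hop)
        if r is None:
            return None
        if r[1] is None:            # on-link: this is the exit interface
            return r[2]
        hop = r[1]                  # otherwise the gateway itself must be routed
    return "LOOP"

def policy_route(rules, tables, src, dst):
    """ip rule semantics: the first matching selector whose table has a route wins."""
    for src_prefix, tname in rules:
        if ipaddress.ip_address(src) in ipaddress.ip_network(src_prefix):
            r = lpm(tables[tname], dst)
            if r is not None:
                return tname, r[2]
    return None

# Constructed sample tables, transcribed from the ip route / ip rule output above.
SPLIT = [("0.0.0.0/0", "192.168.233.1", "en0"),
         ("0.0.0.0/1", None, "utun3"), ("128.0.0.0/1", None, "utun3")]
FAKE_IP = [(f"{1 << i}.0.0.0/{8 - i}", "198.18.0.1", "utun3") for i in range(8)]
FAKE_IP_FIXED = FAKE_IP + [("198.18.0.1/32", None, "utun3")]   # the /32 ip route get shows
RULES = [("222.195.90.2/32", "eth0-table"), ("0.0.0.0/0", "main")]
TABLES = {"eth0-table": [("0.0.0.0/0", "222.195.90.254", "eth0")],
          "main": [("0.0.0.0/0", None, "wg1"), ("114.214.233.0/24", "222.195.90.254", "eth0")]}
if __name__ == "__main__":
    print(resolve(SPLIT, "8.8.8.8"))                # utun3: the /1 pair masks the en0 default
    print(resolve(FAKE_IP, "198.18.0.42"))          # LOOP: the gateway matches 128.0.0.0/1 again
    print(resolve(FAKE_IP_FIXED, "198.18.0.42"))    # utun3: the on-link /32 ends the chase
    print(policy_route(RULES, TABLES, "222.195.90.2", "8.8.8.8"))    # ('eth0-table', 'eth0')
    print(policy_route(RULES, TABLES, "10.0.233.3", "114.214.233.7"))  # ('main', 'eth0')
```

Without the on-link /32, every lookup of the gateway 198.18.0.1 lands on `128.0.0.0/1 via 198.18.0.1` again, which is the loop the question above suspects; the more specific /32 is what terminates it.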
Follow-up question: isn't the source address of a network request simply the host's own address? How is it chosen?
After wg is brought up, the source address of outgoing requests becomes 10.0.33.2 rather than 202.38.73.217: the kernel takes it from the `src` hint on the route that the lookup selects.
```
root@node5:/home/shaojiemike# ip ro
10.0.33.0/24 dev wg2 proto kernel scope link src 10.0.33.2
```
```
# shaojiemike @ node5 in ~ [23:55:47]
$ docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/pki

Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020

Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus (2 primes)
.........+++++
...................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:tsj-node5

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt

Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
......................+.......................+ [DH progress dots trimmed] ......++*++*++*++*

DH parameters of size 2048 created at /etc/openvpn/pki/dh.pem

Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Generating a RSA private key
.......................................+++++
.........................................+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-73.EeNnaB/tmp.jhHaaF'
-----
Using configuration from /etc/openvpn/pki/easy-rsa-73.EeNnaB/tmp.LGnDjB
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'node5.xydustc.me'
Certificate is to be certified until Jan  1 15:58:37 2025 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Using configuration from /etc/openvpn/pki/easy-rsa-148.CDCEmf/tmp.iJCIGL
Enter pass phrase for /etc/openvpn/pki/private/ca.key:

An updated CRL has been created.
```
```
# shaojiemike @ node5 in ~ [0:16:46]
$ docker run -v $OVPN_DATA:/etc/openvpn -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
cb0f7e78f389f112c3c3b230d20d2b50818f6cf59eea2edfaa076c7e8fad7128

# shaojiemike @ node5 in ~ [0:06:01]
$ docker container list
CONTAINER ID   IMAGE               COMMAND      CREATED          STATUS          PORTS                                                 NAMES
6c716b27b3f1   kylemanna/openvpn   "ovpn_run"   49 seconds ago   Up 48 seconds   1194/udp, 0.0.0.0:1195->1195/udp, :::1195->1195/udp   charming_zhukovsky
# the container above is the wrong one (it publishes port 1195 rather than 1194)

# shaojiemike @ node5 in ~ [0:16:50]
$ docker ps
CONTAINER ID   IMAGE               COMMAND      CREATED              STATUS              PORTS                                       NAMES
cb0f7e78f389   kylemanna/openvpn   "ovpn_run"   About a minute ago   Up About a minute   0.0.0.0:1194->1194/udp, :::1194->1194/udp   pedantic_euler

# shaojiemike @ node5 in ~ [0:07:27] C:2
$ docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full tsj-node5-client nopass

Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Generating a RSA private key
...............+++++
...............................+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-1.olaINa/tmp.MfohAO'
-----
Using configuration from /etc/openvpn/pki/easy-rsa-1.olaINa/tmp.EMkEHF
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
139775495048520:error:28078065:UI routines:UI_set_result_ex:result too small:crypto/ui/ui_lib.c:905:You must type in 4 to 1023 characters
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'tsj-node5-client'
Certificate is to be certified until Jan  1 16:08:23 2025 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

# shaojiemike @ node5 in ~ [0:08:24]
$ docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient tsj-node5-client > tsj-node5-client.ovpn

# shaojiemike @ node5 in ~ [0:09:20]
$ ls tsj-node5-client.ovpn
tsj-node5-client.ovpn
```
```
# install
sudo apt-get install openvpn
sudo apt-get install easy-rsa

# configure easy-rsa
cd /etc/openvpn/server
cp -r /usr/share/easy-rsa/ .
## copy the template and edit the parameters in vars
cp vars.example vars
vim vars
```
```
# configure Easy-RSA and generate the CA certificate
./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/server/easy-rsa/pki
./easyrsa build-ca nopass
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:acsa
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/server/easy-rsa/pki/ca.crt

# generate the server private key and certificate request
./easyrsa gen-req shaojie nopass
Common Name (eg: your user, host, or server name) [shaojie]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/server/easy-rsa/pki/reqs/shaojie.req
key: /etc/openvpn/server/easy-rsa/pki/private/shaojie.key
# copy the server private key into the openvpn config directory
cp pki/private/shaojie.key /etc/openvpn/server

# generate the server certificate
mv pki/reqs/shaojie.req pki/reqs/shaojieServer.req
./easyrsa import-req pki/reqs/shaojieServer.req shaojie
Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
The request has been successfully imported with a short name of: shaojie
You may now use this name to perform signing operations on this request.
./easyrsa sign-req server shaojie
```
Copy the two files, shaojie.crt and ca.crt, into the openvpn config directory:
```
cp pki/ca.crt pki/issued/shaojie.crt /etc/openvpn/server
# generate the DH parameters (optional, improves VPN security); this is slow and takes a few minutes
./easyrsa gen-dh
DH parameters of size 2048 created at /etc/openvpn/server/easy-rsa/pki/dh.pem
openvpn --genkey --secret ta.key   # generate a random key (for the non-TLS static-key mode only): --genkey produces a random key used as the shared secret
cp ta.key pki/dh.pem /etc/openvpn/server
```
```
# Certain Windows-specific network settings can be pushed to clients, such as DNS or WINS server addresses. (optional)
# The addresses below are the public DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 8.8.8.8"
```
```
sudo service openvpn status
● openvpn.service - OpenVPN service
     Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: enabled)
     Active: active (exited) since Sat 2021-04-24 20:40:13 UTC; 2 months 22 days ago
   Main PID: 1691 (code=exited, status=0/SUCCESS)
      Tasks: 0 (limit: 154190)
     Memory: 0B
     CGroup: /system.slice/openvpn.service

Warning: journal has been rotated since unit was started, output may be incomplete.
```

```
$ cat server.conf
local 202.38.73.26
port 1194
proto udp
dev tun   # tun is routed mode, tap is bridged mode; tun is said to be more efficient, but tun only forwards IP packets, while tap is layer 2 and can carry any protocol; Windows only has tap mode
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt tc.key   # newly added: instead of "tls-auth ta.key 0", use tls-crypt tc.key, a new parameter in OpenVPN 2.4
topology subnet   # OpenVPN's default topology is net30, i.e. a 30-bit mask, which wastes addresses
server 10.8.0.0 255.255.255.0   # the IP range handed out to clients; the server itself takes the first usable address by default
ifconfig-pool-persist ipp.txt   # when openvpn restarts, reconnecting clients are given the same IP as before
# push sends a setting to the client so that the client uses it too
push "redirect-gateway def1 bypass-dhcp"   # redirect the default gateway (def1 is the 0.0.0.0/1 + 128.0.0.0/1 split discussed at the top); routes/forces all traffic through the VPN
push "dhcp-option DNS 202.38.64.56"   # primary DNS for clients
push "dhcp-option DNS 202.38.64.17"   # secondary DNS for clients
server-ipv6 2001:0db8:ee00:abcd::/64
push "route-ipv6 2001:da8:d800:811:ae1f:6bff:fe8a:e4ba/64"
push "route-ipv6 2000::/3"
keepalive 10 120   # ping the peer every 10 s; if there is no reply within 120 s, consider it down and restart openvpn (strongly recommended)
auth SHA512   # HMAC digest algorithm
cipher AES-256-CBC
user nobody   # once openvpn has finished initialising, drop to the nobody user
group nogroup
persist-key   # on a restart after a keepalive timeout, do not re-read the keys; keep the ones loaded the first time
persist-tun   # on a restart after a keepalive timeout, keep the tun/tap device up; otherwise the link goes down and then back up
status openvpn-status.log   # status file, written periodically (default 60 s), for your own accounting or other tooling (needs selinux off)
verb 3   # log level 0-9: 0 logs errors only, 4 ordinary information, 5 and 6 help debug connection problems, 9 shows everything, even packet headers (like tcpdump)
crl-verify crl.pem   # the CRL, produced by ./easyrsa gen-crl; expires after 180 days by default
explicit-exit-notify   # if the protocol is changed to TCP, this value must be changed to 0
```
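Added example, not part of the original post: a small Python linter run over a trimmed copy of the server.conf above, flagging the directives a reviewer would question (the CBC cipher, a missing tls-crypt or crl-verify, no privilege drop, explicit-exit-notify under TCP). The `#`/`;` comment handling and the absence of quote parsing are assumptions of this example, not OpenVPN's own option parser.

```python
# Added example (not from the original post): a small linter for the server.conf
# directives discussed above. The parser ignores quoting, so it suits configs like
# the one shown but is not a full OpenVPN option parser (assumption).
CONF = """\
port 1194
proto udp
dev tun          # routed mode
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
auth SHA512
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
crl-verify crl.pem   ; CRL from ./easyrsa gen-crl, expires after 180 days by default
explicit-exit-notify
"""

def parse(conf):
    """Return {directive: [args]}; '#' and ';' start comments, later lines override."""
    opts = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            key, *args = line.split()
            opts[key] = args
    return opts

def lint(conf):
    """Flag the settings a reviewer would question in this server.conf."""
    o, findings = parse(conf), []
    if "tls-crypt" not in o and "tls-auth" not in o:
        findings.append("no tls-crypt/tls-auth: control channel is not pre-authenticated")
    if "crl-verify" not in o:
        findings.append("no crl-verify: revoked client certificates are still accepted")
    if o.get("user") != ["nobody"] or o.get("group") not in (["nogroup"], ["nobody"]):
        findings.append("no privilege drop: set user nobody and group nogroup")
    elif "persist-key" not in o or "persist-tun" not in o:
        findings.append("persist-key/persist-tun missing: restarts fail once privileges are dropped")
    cipher = o.get("cipher", ["(unset)"])[0]
    if not cipher.endswith("-GCM"):
        findings.append(f"cipher {cipher} is not AEAD: prefer AES-256-GCM (data-ciphers on 2.5+)")
    if o.get("proto") == ["tcp"] and o.get("explicit-exit-notify", ["1"]) != ["0"]:
        findings.append("explicit-exit-notify must be 0 (or removed) when proto is tcp")
    return findings
```

On the config above the only finding is the CBC cipher; commenting out `crl-verify`, dropping `tls-crypt`, or switching to `proto tcp` without changing `explicit-exit-notify` each produce a further finding.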