8

我最近在 AWS EC2 实例上设置了 OpenVPN 服务器,以便将我的办公室连接到 AWS VPC 环境。

我使用 TunnelBlick 作为 VPN 客户端,一切都很好!我可以 ssh 到 VPC 中的私有 IP。但是,从我的办公室主机解析 DNS VPC 名称(如果我从 VPC 中的 EC2 实例运行它,我可以)不起作用。

我目前的解决方案是在 EC2 实例上使用 Unbound 设置 DNS 转发器(这恰好是我正在运行 OpenVPN 服务器的实例) - 但由于某种原因它无法正常工作。一旦连接到 VPN 服务器,您将如何启用 VPN 客户端以解析 VPC 中的私有主机名?

我很迷茫,所以如果你有任何其他想法,或者可以根据我目前的设置找出问题所在,我将永远感激:)

OpenVPN 服务器配置

port 1194 #- change the port you want

proto udp #- protocol can be tcp or udp

dev tun

tun-mtu 1500

tun-mtu-extra 32

mssfix 1450

ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt

cert /etc/openvpn/easy-rsa/2.0/keys/server.crt

key /etc/openvpn/easy-rsa/2.0/keys/server.key

dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem

server 10.8.0.0 255.255.255.0

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 8.8.8.8"

push "dhcp-option DNS 8.8.4.4"

push "dhcp-option DNS <PUBLIC_IP_OF_THE_SERVER_RUNNING_OPENVPN_AND_UNBOUND>"

keepalive 5 30

comp-lzo

persist-key

persist-tun

status server-tcp.log

verb 3

未绑定的服务器配置

172.31.0.2 是 VPC DNS 服务器

server:
        interface: 0.0.0.0
        access-control: 0.0.0.0/0 allow
remote-control:
forward-zone:
        name: "."
        forward-addr: 172.31.0.2

VPN 客户端配置

##############################################
# Client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote <PUBLIC_IP_OF_THE_SERVER_RUNNING_OPENVPN_AND_UNBOUND> 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca /Users/antoniogomez/ca.crt
cert /Users/antoniogomez/client.crt
key /Users/antoniogomez/client.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20

# This updates the resolvconf with dns settings
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
script-security 2
up /etc/openvpn/update-resolv-conf.sh
down /etc/openvpn/update-resolv-conf.sh
down-pre

现在,一旦我连接到 VPN,我的 resolv.conf(客户端)如下所示:

nameserver 8.8.8.8
nameserver 8.8.8.4
nameserver PUBLIC_IP_OF_THE_SERVER_RUNNING_OPENVPN_AND_UNBOUND

从客户端到 DNS 服务器的 Telnet 工作(正确应用 AWS 安全组)

[antoniogomez:~]$ telnet PUBLIC_IP_OF_THE_SERVER_RUNNING_OPENVPN_AND_UNBOUND 53
Trying PUBLIC_IP_OF_THE_SERVER_RUNNING_OPENVPN_AND_UNBOUND...
Connected to ec2-instance.us-west-1.compute.amazonaws.com.
Escape character is '^]'.

非常感谢你们所有的帮助,

安东尼奥

4

1 回答 1

9

所以这就是我让它工作的方式!首先,我开始使用Bind而不是Unbound(灵感来自此视频here

绑定服务器配置

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//    

options {
    directory           "/var/named";
    dump-file           "/var/named/data/cache_dump.db";
    statistics-file     "/var/named/data/named_stats.txt";
    memstatistics-file  "/var/named/data/named_mem_stats.txt";
    dnssec-enable no;
    dnssec-validation no;
    allow-query     { any;};
    allow-recursion { any;};
    forward only;
    forwarders { 172.31.0.2; }; # This is my VPC internal DNS Server
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

现在确保将您安装的 DNS 服务器的 IP 推送到您的 VPN 客户端(在本例中为绑定服务器)

OpenVPN 服务器配置

port 1194 #- change the port you want

proto udp #- protocol can be tcp or udp

dev tun

tun-mtu 1500

tun-mtu-extra 32

mssfix 1450

ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt

cert /etc/openvpn/easy-rsa/2.0/keys/server.crt

key /etc/openvpn/easy-rsa/2.0/keys/server.key

dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem

server 10.8.0.0 255.255.255.0
   
push "redirect-gateway def1"

push "dhcp-option DNS <IP_OF_SERVER_RUNNING_BOTH_OPENVPN_AND_BIND>" # This line push your DNS server to be used by the VPN clients

keepalive 5 30

comp-lzo

persist-key

persist-tun

status server-tcp.log

verb 3

显然,在 linux 上运行的 VPN 客户端需要“一些帮助”才能将“新”DNS 服务器与以下配置一起使用(请参阅配置中的最后几行,从此处获取脚本):

VPN 客户端配置

##############################################
# Client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote <IP_OF_SERVER_RUNNING_BOTH_OPENVPN_AND_BIND> 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca /Users/myusername/name_of_my_ca.crt
cert /Users/myusername/name_of_my_client.crt
key /Users/myusername/name_of_my_client.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20

# This updates the resolvconf with dns settings
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
script-security 2
up /etc/openvpn/update-resolv-conf.sh
down /etc/openvpn/update-resolv-conf.sh
down-pre

现在,一旦您的 VPN 服务器和绑定服务器正确设置了上述您的 VPN 客户端(您的私有 mac/本地办公计算机等),在连接到 VPN 服务器时,不仅可以访问ssh私有 IP,还可以解析内部 AWS VPC 中的主机名,例如ip-172-31-0-63.us-west-1.compute.internal

编辑:以下有助于创建单个文件来设置 VPN 客户端,这对移动设备很有用。

多合一 VPN 客户端配置

client
dev tun
proto udp
remote PUBLIC_IP 1194
tls-version-min 1.2
tls-cipher <CIPHERS>
cipher AES-256-CBC
auth SHA512
resolv-retry infinite
auth-retry none
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
tls-client
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
<tls-auth>
...
</tls-auth>
于 2017-12-31T10:43:40.010 回答