Domain-Name-System
如何讓openvpn客戶端訪問與openvpn伺服器位於同一台機器上的dns伺服器(bind9)
我目前有一個執行 openvpn 伺服器的 debian 伺服器。我還有一個 dns 伺服器(bind9),我想允許連接的 openvpn 客戶端訪問它,但我不確定如何執行此操作,我已經知道如何使用
push "dhcp-option DNS x.x.x.x"但我只是不確定如何讓客戶端訪問與 vpn 伺服器位於同一台機器上的 dns 伺服器,所以如果有人能指出我正確的方向,我將不勝感激。此外,如果這與向 iptables 添加規則有關,這是我目前對 iptables 的配置
# Generated by iptables-save v1.4.14 on Thu Oct 18 22:05:33 2012 *nat :PREROUTING ACCEPT [3831842:462225238] :INPUT ACCEPT [3820049:461550908] :OUTPUT ACCEPT [1885011:139487044] :POSTROUTING ACCEPT [1883834:139415168] -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE COMMIT # Completed on Thu Oct 18 22:05:33 2012 # Generated by iptables-save v1.4.14 on Thu Oct 18 22:05:33 2012 *filter :INPUT ACCEPT [45799:10669929] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [45747:10335026] :fail2ban-apache - [0:0] :fail2ban-apache-myadmin - [0:0] :fail2ban-apache-noscript - [0:0] :fail2ban-ssh - [0:0] :fail2ban-ssh-ddos - [0:0] :fail2ban-webserver-w00tw00t - [0:0] -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-myadmin -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-webserver-w00tw00t -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-noscript -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh-ddos -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh -A INPUT -i tun+ -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT -A FORWARD -i tun+ -j ACCEPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -A fail2ban-apache -j RETURN -A fail2ban-apache-myadmin -s 211.154.213.122/32 -j DROP -A fail2ban-apache-myadmin -s 201.170.229.96/32 -j DROP -A fail2ban-apache-myadmin -j RETURN -A fail2ban-apache-noscript -j RETURN -A fail2ban-ssh -s 76.9.59.66/32 -j DROP -A fail2ban-ssh -s 64.13.220.73/32 -j DROP -A fail2ban-ssh -s 203.69.139.179/32 -j DROP -A fail2ban-ssh -s 173.10.11.146/32 -j DROP -A fail2ban-ssh -j RETURN -A fail2ban-ssh-ddos -j RETURN -A fail2ban-webserver-w00tw00t -s 217.70.51.154/32 -j DROP -A fail2ban-webserver-w00tw00t -s 86.35.242.58/32 -j DROP -A fail2ban-webserver-w00tw00t -j RETURN COMMIT # Completed on Thu Oct 18 22:05:33 2012這也是我的openvpn伺服器配置
port 1194 proto udp dev tun ca ca.crt cert server.crt key server.key dh dh1024.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt keepalive 10 120 comp-lzo user nobody group users persist-key persist-tun status /var/log/openvpn/openvpn-status.log verb 3 push "redirect-gateway def1" push "dhcp-option DNS 213.133.98.98" push "dhcp-option DNS 213.133.99.99" push "dhcp-option DNS 213.133.100.100" client-to-client
我只需要告訴 bind9 列出一個屬於 openvpn 子網的 IP 地址
在這種情況下,我通過添加到我
/etc/bind/named.conf.options**的子網中openvpn**來解決它,我的 LAN 是192.168.0.xxx並且 openvpn 是10.8.0.xxxlisten-on port 53 { localhost; 192.168.0.0/24; 10.8.0.0/24; }; allow-query { localhost; 192.168.0.0/24; 10.8.0.0/24; };在我的情況下,添加到我的 openvpn 伺服器配置文件
/etc/openvpn/server.conf中 192.168.0.124 是DNS 伺服器地址:push "dhcp-option DOMAIN mySpecificDomain.local" push "dhcp-option DNS 192.168.0.124" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4"我的完整
/etc/bind/named.conf.options文件是options { directory "/var/cache/bind"; // If there is a firewall between you and nameservers you want // to talk to, you may need to fix the firewall to allow multiple // ports to talk. See http://www.kb.cert.org/vuls/id/800113 // If your ISP provided one or more IP addresses for stable // nameservers, you probably want to use them as forwarders. // Uncomment the following block, and insert the addresses replacing // the all-0's placeholder. forwarders { 192.168.0.1; 8.8.8.8; 8.8.4.4; }; //======================================================================== // If BIND logs error messages about the root key being expired, // you will need to update your keys. See https://www.isc.org/bind-keys //======================================================================== //dnssec-validation auto; auth-nxdomain no; # conform to RFC1035 listen-on-v6 { any; }; listen-on port 53 { localhost; 192.168.0.0/24; 10.8.0.0/24; }; allow-query { localhost; 192.168.0.0/24; 10.8.0.0/24; }; recursion yes; };