NetworkManager does not change /etc/resolv.conf after openvpn dns push
I ran into a problem where /etc/resolv.conf is not updated by NetworkManager after connecting to an openvpn connection that is configured with a dns push. This is my openvpn server config (for security reasons I have changed the domain name to ABC.COM ;)):
########################################
# Sample OpenVPN config file for
# 2.0-style multi-client udp server
#
# Adapted from http://openvpn.sourceforge.net/20notes.html
#

# tun-style tunnel
port 1194
dev tun

# Use "local" to set the source address on multi-homed hosts
#local [IP address]

# TLS parms
tls-server
ca keys/ca.crt
cert keys/static.crt
key keys/static.key
dh keys/dh1024.pem
proto tcp-server

# Tell OpenVPN to be a multi-client udp server
mode server

# The server's virtual endpoints
ifconfig 10.8.0.1 10.8.0.2

# Pool of /30 subnets to be allocated to clients.
# When a client connects, an --ifconfig command
# will be automatically generated and pushed back to
# the client.
ifconfig-pool 10.8.0.4 10.8.0.255

# Push route to client to bind it to our local
# virtual endpoint.
push "route 10.8.0.1 255.255.255.255"
push "dhcp-option DNS 10.8.0.1"

# Push any routes the client needs to get in
# to the local network.
#push "route 192.168.0.0 255.255.255.0"

# Push DHCP options to Windows clients.
push "dhcp-option DOMAIN ABC.COM"
#push "dhcp-option DNS 192.168.0.1"
#push "dhcp-option WINS 192.168.0.1"

# Client should attempt reconnection on link
# failure.
keepalive 10 60

# Delete client instances after some period
# of inactivity.
inactive 600

# Route the --ifconfig pool range into the
# OpenVPN server.
route 10.8.0.0 255.255.255.0

# The server doesn't need privileges
user openvpn
group openvpn

# Keep TUN devices and keys open across restarts.
persist-tun
persist-key

verb 4
As you can see, it is basically the sample config with a few tweaks.
Now..
On my machine (the openvpn client), I can see that DNS is fine:
{17:12}/etc/NetworkManager ➭ nslookup git.ABC.COM 10.8.0.1
Server:   10.8.0.1
Address:  10.8.0.1#53

Name:     git.ABC.COM
Address:  10.8.0.1

{17:18}/etc/NetworkManager ➭ nslookup ABC.COM 10.8.0.1
Server:   10.8.0.1
Address:  10.8.0.1#53

Name:     ABC.COM
Address:  18X.XX.XX.71
The openvpn log on the server side says (if I understand it correctly) that DNS has been pushed:
openvpn[13257]: TCPv4_SERVER link remote: [AF_INET]83.30.135.214:37658
openvpn[13257]: 83.30.135.214:37658 TLS: Initial packet from [AF_INET]83.30.135.214:37658, sid=3251df51 915772f3
openvpn[13257]: 83.30.135.214:37658 VERIFY OK: depth=1, C=XX, ST=XX, L=XXX, O=XXX, OU=XXX, CN=XXX, name=XXX, emailAddress=mail@ABC.COM
openvpn[13257]: 83.30.135.214:37658 VERIFY OK: depth=0, C=XX, ST=XX, L=XXX, O=XXX, OU=XXX, CN=XXX, name=XXX, emailAddress=mail@ABC.COM
openvpn[13257]: 83.30.135.214:37658 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
openvpn[13257]: 83.30.135.214:37658 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
openvpn[13257]: 83.30.135.214:37658 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
openvpn[13257]: 83.30.135.214:37658 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
openvpn[13257]: 83.30.135.214:37658 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
openvpn[13257]: 83.30.135.214:37658 [jacek] Peer Connection Initiated with [AF_INET]83.30.135.214:37658
openvpn[13257]: jacek/83.30.135.214:37658 MULTI_sva: pool returned IPv4=10.8.0.10, IPv6=(Not enabled)
openvpn[13257]: jacek/83.30.135.214:37658 MULTI: Learn: 10.8.0.10 -> jacek/83.30.135.214:37658
openvpn[13257]: jacek/83.30.135.214:37658 MULTI: primary virtual IP for jacek/83.30.135.214:37658: 10.8.0.10
openvpn[13257]: jacek/83.30.135.214:37658 PUSH: Received control message: 'PUSH_REQUEST'
openvpn[13257]: jacek/83.30.135.214:37658 send_push_reply(): safe_cap=940
openvpn[13257]: jacek/83.30.135.214:37658 SENT CONTROL [jacek]: 'PUSH_REPLY,route 10.8.0.1 255.255.255.255,dhcp-option DNS 10.8.0.1,dhcp-option DOMAIN ABC.COM,ping 10,ping-restart 60,ifconfig 10.8.0.10 10.8.0.9' (status=1)
The openvpn log on my side:
Aug 05 17:13:55 localhost.localdomain openvpn[1198]: TCPv4_CLIENT link remote: [AF_INET]XXX.XX.37.71:1194
Aug 05 17:13:55 localhost.localdomain openvpn[1198]: TLS: Initial packet from [AF_INET]XXX.XX.37.71:1194, sid=89cc981c d57dd826
Aug 05 17:13:56 localhost.localdomain openvpn[1198]: VERIFY OK: depth=1, C=XX, ST=XX, L=XXX, O=XXX, OU=XXX, CN=XXX, name=XXX, emailAddress=mail@ABC.COM
Aug 05 17:13:56 localhost.localdomain openvpn[1198]: VERIFY OK: depth=0, C=XX, ST=XX, L=XXX, O=XXX, OU=XXX, CN=XXX, name=XXX, emailAddress=mail@ABC.COM
Aug 05 17:13:58 localhost.localdomain openvpn[1198]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Aug 05 17:13:58 localhost.localdomain openvpn[1198]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 05 17:13:58 localhost.localdomain openvpn[1198]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Aug 05 17:13:58 localhost.localdomain openvpn[1198]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 05 17:13:58 localhost.localdomain openvpn[1198]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Aug 05 17:13:58 localhost.localdomain openvpn[1198]: [static] Peer Connection Initiated with [AF_INET]XXX.XX.37.71:1194
Aug 05 17:14:00 localhost.localdomain openvpn[1198]: SENT CONTROL [static]: 'PUSH_REQUEST' (status=1)
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1 255.255.255.255,dhcp-option DNS 10.8.0.1,dhcp-option DOMAIN ABC.COM,ping 10,ping-restart 60,ifconfig 10.8.0.10 10.8.0.9'
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: OPTIONS IMPORT: timers and/or timeouts modified
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: OPTIONS IMPORT: --ifconfig/up options modified
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: OPTIONS IMPORT: route options modified
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: ROUTE_GATEWAY 10.123.123.1/255.255.255.0 IFACE=wlan0 HWADDR=44:6d:57:32:81:2e
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: TUN/TAP device tun0 opened
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: TUN/TAP TX queue length set to 100
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: /usr/sbin/ip link set dev tun0 up mtu 1500
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: /usr/sbin/ip addr add dev tun0 local 10.8.0.10 peer 10.8.0.9
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: /usr/sbin/ip route add 10.8.0.1/32 via 10.8.0.9
Aug 05 17:14:01 localhost.localdomain openvpn[1198]: Initialization Sequence Completed
Everything looks fine.
But. I also checked /var/log/messages... and I found this line:
Aug 5 17:14:01 localhost NetworkManager[761]: <warn> /sys/devices/virtual/net/tun0: couldn't determine device driver; ignoring...
ip a returns:
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.10 peer 10.8.0.9/32 scope global tun0
       valid_lft forever preferred_lft forever
route -n returns:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.123.123.1    0.0.0.0         UG    0      0        0 wlan0
10.8.0.1        10.8.0.9        255.255.255.255 UGH   0      0        0 tun0
10.8.0.9        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.123.123.0    0.0.0.0         255.255.255.0   U     0      0        0 wlan0
So basically everything works, except for the DNS that was pushed... Oh! Right, my /etc/resolv.conf:
# Generated by NetworkManager
domain home
search home
nameserver 10.123.123.1
Where is the problem?
(I got a reply from a Windows user with the openvpn client, and his DNS works fine, so this is a problem on my side.
OK, now I have another reply (after I restarted the openvpn service on the server side) - it does not work.
I must say it also worked on my machine yesterday.. so did I mess something up on the server? What could it be?)
EDIT: OK, I got another reply from a Windows user (the same user as before) - it is working now. So.. I guess that was caused by the openvpn restart and some delay. I have not done anything since then. So we are back to my machine.
I also traced that the strange tun0 message appeared yesterday too, and yesterday it worked. Or maybe I added the entry to resolv.conf myself? I can't remember.. (damn)
This worked for me: http://www.softwarepassion.com/solving-dns-problems-with-openvpn-on-ubuntu-box/
The important step is to add the following two config lines to your client openvpn config file:
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
Also make sure that the resolvconf package is installed on the client, because the update-resolv-conf script depends on it. This works with the openvpn client service, or with the command to start it manually.
However, the Ubuntu network manager does not do this. So far this is a problem: https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1211110
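The up/down script the answer relies on works because OpenVPN exports every pushed "dhcp-option" to that script as foreign_option_N environment variables, and the script hands them to resolvconf. The following is an added example of that translation written for this thread, not the update-resolv-conf script from the linked page or any OpenVPN code; the function names, the "$dev.openvpn" record name and the dry-run branch are assumptions.

```sh
#!/bin/sh
# Added example, not the update-resolv-conf script from the linked page.
# OpenVPN hands every pushed "dhcp-option ..." to its up/down script as
# environment variables foreign_option_1, foreign_option_2, ... and also
# exports $dev (tunnel device) and $script_type ("up" or "down").

# Print the resolv.conf fragment that resolvconf reads on stdin, built from
# the pushed DNS and DOMAIN options (the two kinds this server pushes).
build_resolv_fragment() {
    search=""
    nameservers=""
    n=1
    while true; do
        eval "opt=\${foreign_option_$n}"
        [ -n "$opt" ] || break
        set -- $opt                      # split "dhcp-option DNS 10.8.0.1"
        if [ "$1" = "dhcp-option" ]; then
            case "$2" in
                DNS)    nameservers="$nameservers $3" ;;
                DOMAIN) search="$search $3" ;;
            esac
        fi
        n=$((n + 1))
    done
    [ -n "$search" ] && printf 'search%s\n' "$search"
    for ns in $nameservers; do
        printf 'nameserver %s\n' "$ns"
    done
}

# Register the fragment under a per-device record name on "up" and drop that
# record on "down", so resolvconf restores the original nameservers itself
# (record name is an assumption; resolvconf -a/-d are its documented flags).
apply_resolvconf() {
    case "$script_type" in
        up)   build_resolv_fragment | resolvconf -a "$dev.openvpn" ;;
        down) resolvconf -d "$dev.openvpn" ;;
    esac
}

if [ -n "$script_type" ]; then
    apply_resolvconf                     # invoked by OpenVPN via up/down
else
    # Dry run with constructed values mirroring the server's push lines.
    foreign_option_1="dhcp-option DNS 10.8.0.1"
    foreign_option_2="dhcp-option DOMAIN ABC.COM"
    build_resolv_fragment
fi
```

Run as root with script_type=down to see the record removed again; without a tunnel up it only prints the fragment the server's push would produce.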