姬長信(Redy)

linux – 尝试在Network Namespace中运行OpenVPN


我希望某些应用可以通过OpenVPN访问互联网.我在这个问题/主题的底部找到了最终答案/评论的解决方案:
Feed all traffic through OpenVPN for a specific network namespace only

我引用那篇帖子,我所遇到的问题在底部说明:

您可以在命名空间内启动OpenVPN链接,然后运行您希望在命名空间内使用该OpenVPN链接的每个命令.这里有关于如何做(不是我的工作)的详细信息:

http://www.naju.se/articles/openvpn-netns.html

我尝试了它确实有效;我们的想法是提供一个自定义脚本来执行特定命名空间内OpenVPN连接的上行和路由阶段,而不是全局命名空间.我引用上面的链接,以防它将来离线:

First create an --up script for OpenVPN. This script will create the VPN tunnel interface inside a network namespace called vpn, instead of the default namespace.

$cat > netns-up  /etc/netns/vpn/resolv.conf
                ip link set dev "$1" up netns vpn mtu "$2"
                ip netns exec vpn ip addr add dev "$1" /
                        "$4/${ifconfig_netmask:-30}" /
                        ${ifconfig_broadcast:+broadcast "$ifconfig_broadcast"}
                test -n "$ifconfig_ipv6_local" && /
          ip netns exec vpn ip addr add dev "$1" /
                        "$ifconfig_ipv6_local"/112
                ;;
        route-up)
                ip netns exec vpn ip route add default via "$route_vpn_gateway"
                test -n "$ifconfig_ipv6_remote" && /
          ip netns exec vpn ip route add default via /
                        "$ifconfig_ipv6_remote"
                ;;
        down)
                ip netns delete vpn
                ;;
esac

然后启动OpenVPN并告诉它使用我们的–up脚本而不是执行ifconfig和route.

openvpn --ifconfig-noexec --route-noexec --up netns-up --route-up netns-up --down netns-up

现在你可以像这样启动程序隧道:

ip netns exec vpn command

唯一的问题是你需要root才能调用ip netns exec …也许你不希望你的应用程序以root身份运行.解决方案很简单:

sudo ip netns exec vpn sudo -u $(whoami) command

我的问题:

当我尝试运行调用netns-up脚本的openvpn命令时,我收到两个错误:

:/etc/openvpn$sudo openvpn --ifconfig-noexec --route-noexec --up netns-up --route-up netns-up --down netns-up --config za1.nordvpn.com.tcp443.ovpn
(..)

Tue Mar 22 00:10:56 2016 [vpn-za.nordvpn.com] Peer Connection Initiated with [AF_INET]154.127.61.142:443
Tue Mar 22 00:10:59 2016 SENT CONTROL [vpn-za.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Tue Mar 22 00:10:59 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 78.46.223.24,dhcp-option DNS 162.242.211.137,route 10.7.7.1,topology net30,ping 5,ping-restart 30,ifconfig 10.7.7.102 10.7.7.101'
Tue Mar 22 00:10:59 2016 OPTIONS IMPORT: timers and/or timeouts modified
Tue Mar 22 00:10:59 2016 OPTIONS IMPORT: --ifconfig/up options modified
Tue Mar 22 00:10:59 2016 OPTIONS IMPORT: route options modified
Tue Mar 22 00:10:59 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Mar 22 00:10:59 2016 ROUTE_GATEWAY 192.168.1.254/255.255.255.0 IFACE=eth0 HWADDR=b8:27:eb:39:7e:46
Tue Mar 22 00:10:59 2016 TUN/TAP device tun0 opened
Tue Mar 22 00:10:59 2016 TUN/TAP TX queue length set to 100
Tue Mar 22 00:10:59 2016 netns-up tun0 1500 1592 10.7.7.102 10.7.7.101 init
Tue Mar 22 00:10:59 2016 WARNING: Failed running command (--up/--down): external program exited with error status: 1
Tue Mar 22 00:10:59 2016 Exiting due to fatal error

我尝试使用和不使用sudo重新创建netns-up脚本,但它没有帮助.我究竟做错了什么?