【问题标题】:VPN clients to resolve private DNS hostnames in AWS [closed]VPN 客户端在 AWS 中解析私有 DNS 主机名 [关闭]
【发布时间】:2018-06-10 11:59:23
【问题描述】:

我最近在 AWS EC2 实例上设置了 OpenVPN 服务器,以便将我的办公室连接到 AWS VPC 环境。

我使用 TunnelBlick 作为 VPN 客户端,一切都很好!我可以 ssh 到 VPC 中的私有 IP。但是,从我的办公室主机解析 DNS VPC 名称(如果我从 VPC 中的 EC2 实例运行它,我可以)不起作用。

我当前的解决方案是在 EC2 实例上使用 Unbound 设置 DNS 转发器(这恰好是我正在运行 OpenVPN 服务器的实例) - 但由于某种原因它无法正常工作。一旦连接到 VPN 服务器,您将如何启用 VPN 客户端以解析 VPC 中的私有主机名?

我很迷茫,所以如果您有任何其他想法,或者可以根据我当前的设置找出问题所在,我将永远感激不尽:)

OpenVPN 服务器配置

port 1194 #- change the port you want

proto udp #- protocol can be tcp or udp

dev tun

tun-mtu 1500

tun-mtu-extra 32

mssfix 1450

ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt

cert /etc/openvpn/easy-rsa/2.0/keys/server.crt

key /etc/openvpn/easy-rsa/2.0/keys/server.key

dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem

server 10.8.0.0 255.255.255.0

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 8.8.8.8"

push "dhcp-option DNS 8.8.4.4"

push "dhcp-option DNS <PUBLIC_IP_OF_THE_SERVER_RUNNING_OPENVPN_AND_UNBOUND>"

keepalive 5 30

comp-lzo

persist-key

persist-tun

status server-tcp.log

verb 3

未绑定的服务器配置

172.31.0.2 是 VPC DNS 服务器

server:
        interface: 0.0.0.0
        access-control: 0.0.0.0/0 allow
remote-control:
forward-zone:
        name: "."
        forward-addr: 172.31.0.2

VPN 客户端配置

##############################################
# Client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote <PUBLIC_IP_OF_THE_SERVER_RUNNING_OPENVPN_AND_UNBOUND> 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca /Users/antoniogomez/ca.crt
cert /Users/antoniogomez/client.crt
key /Users/antoniogomez/client.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20

# This updates the resolvconf with dns settings
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
script-security 2
up /etc/openvpn/update-resolv-conf.sh
down /etc/openvpn/update-resolv-conf.sh
down-pre

现在,一旦我连接到 VPN,我的 resolv.conf(客户端)如下所示:

nameserver 8.8.8.8
nameserver 8.8.8.4
nameserver PUBLIC_IP_OF_THE_SERVER_RUNNING_OPENVPN_AND_UNBOUND

从客户端到 DNS 服务器的 Telnet 工作正常(正确应用 AWS 安全组)

[antoniogomez:~]$ telnet PUBLIC_IP_OF_THE_SERVER_RUNNING_OPENVPN_AND_UNBOUND 53
Trying PUBLIC_IP_OF_THE_SERVER_RUNNING_OPENVPN_AND_UNBOUND...
Connected to ec2-instance.us-west-1.compute.amazonaws.com.
Escape character is '^]'. 

在此先感谢大家的帮助,

安东尼奥

【问题讨论】:

    标签: amazon-web-services dns openvpn aws-vpc


    【解决方案1】:

    这就是我让它工作的方式!首先,我开始使用 Bind 而不是 Unbound (灵感来自此视频 here

    绑定服务器配置

    //
    // named.conf
    //
    // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
    // server as a caching only nameserver (as a localhost DNS resolver only).
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //    
    
    options {
        directory           "/var/named";
        dump-file           "/var/named/data/cache_dump.db";
        statistics-file     "/var/named/data/named_stats.txt";
        memstatistics-file  "/var/named/data/named_mem_stats.txt";
        dnssec-enable no;
        dnssec-validation no;
        allow-query     { any;};
        allow-recursion { any;};
        forward only;
        forwarders { 172.31.0.2; }; # This is my VPC internal DNS Server
    };
    
    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };
    
    zone "." IN {
        type hint;
        file "named.ca";
    };
    
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
    

    现在确保向您的 VPN 客户端推送您安装的 DNS 服务器的 IP(在本例中为绑定服务器)

    OpenVPN 服务器配置

    port 1194 #- change the port you want
    
    proto udp #- protocol can be tcp or udp
    
    dev tun
    
    tun-mtu 1500
    
    tun-mtu-extra 32
    
    mssfix 1450
    
    ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
    
    cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
    
    key /etc/openvpn/easy-rsa/2.0/keys/server.key
    
    dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
    
    server 10.8.0.0 255.255.255.0
       
    push "redirect-gateway def1"
    
    push "dhcp-option DNS <IP_OF_SERVER_RUNNING_BOTH_OPENVPN_AND_BIND>" # This line push your DNS server to be used by the VPN clients
    
    keepalive 5 30
    
    comp-lzo
    
    persist-key
    
    persist-tun
    
    status server-tcp.log
    
    verb 3
    

    显然,在 linux 上运行的 VPN 客户端需要“一些帮助”才能将“新”DNS 服务器与以下配置一起使用(请参阅配置中的最后几行,从 here 获取脚本):

    VPN 客户端配置

    ##############################################
    # Client-side OpenVPN 2.0 config file #
    # for connecting to multi-client server.     #
    #                                            #
    # This configuration can be used by multiple #
    # clients, however each client should have   #
    # its own cert and key files.                #
    #                                            #
    # On Windows, you might want to rename this  #
    # file so it has a .ovpn extension           #
    ##############################################
    
    # Specify that we are a client and that we
    # will be pulling certain config file directives
    # from the server.
    client
    
    # Use the same setting as you are using on
    # the server.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    ;dev tap
    dev tun
    
    # Windows needs the TAP-Win32 adapter name
    # from the Network Connections panel
    # if you have more than one.  On XP SP2,
    # you may need to disable the firewall
    # for the TAP adapter.
    ;dev-node MyTap
    
    # Are we connecting to a TCP or
    # UDP server?  Use the same setting as
    # on the server.
    ;proto tcp
    proto udp
    
    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    remote <IP_OF_SERVER_RUNNING_BOTH_OPENVPN_AND_BIND> 1194
    ;remote my-server-2 1194
    
    # Choose a random host from the remote
    # list for load-balancing.  Otherwise
    # try hosts in the order specified.
    ;remote-random
    
    # Keep trying indefinitely to resolve the
    # host name of the OpenVPN server.  Very useful
    # on machines which are not permanently connected
    # to the internet such as laptops.
    resolv-retry infinite
    
    # Most clients don't need to bind to
    # a specific local port number.
    nobind
    
    # Downgrade privileges after initialization (non-Windows only)
    ;user nobody
    ;group nobody
    
    # Try to preserve some state across restarts.
    persist-key
    persist-tun
    
    # If you are connecting through an
    # HTTP proxy to reach the actual OpenVPN
    # server, put the proxy server/IP and
    # port number here.  See the man page
    # if your proxy server requires
    # authentication.
    ;http-proxy-retry # retry on connection failures
    ;http-proxy [proxy server] [proxy port #]
    
    # Wireless networks often produce a lot
    # of duplicate packets.  Set this flag
    # to silence duplicate packet warnings.
    ;mute-replay-warnings
    
    # SSL/TLS parms.
    # See the server config file for more
    # description.  It's best to use
    # a separate .crt/.key file pair
    # for each client.  A single ca
    # file can be used for all clients.
    ca /Users/myusername/name_of_my_ca.crt
    cert /Users/myusername/name_of_my_client.crt
    key /Users/myusername/name_of_my_client.key
    
    # Verify server certificate by checking
    # that the certicate has the nsCertType
    # field set to "server".  This is an
    # important precaution to protect against
    # a potential attack discussed here:
    #  http://openvpn.net/howto.html#mitm
    #
    # To use this feature, you will need to generate
    # your server certificates with the nsCertType
    # field set to "server".  The build-key-server
    # script in the easy-rsa folder will do this.
    ;ns-cert-type server
    
    # If a tls-auth key is used on the server
    # then every client must also have the key.
    ;tls-auth ta.key 1
    
    # Select a cryptographic cipher.
    # If the cipher option is used on the server
    # then you must also specify it here.
    ;cipher x
    # Enable compression on the VPN link.
    # Don't enable this unless it is also
    # enabled in the server config file.
    comp-lzo
    # Set log file verbosity.
    verb 3
    # Silence repeating messages
    ;mute 20
    
    # This updates the resolvconf with dns settings
    setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    script-security 2
    up /etc/openvpn/update-resolv-conf.sh
    down /etc/openvpn/update-resolv-conf.sh
    down-pre
    

    现在,一旦您的 VPN 服务器和绑定服务器正确设置了上述 VPN 客户端(您的私有 mac/办公室计算机等),在连接到 VPN 服务器时,不仅可以ssh private IP,但也解析 VPC 中的内部 AWS 主机名,例如 ip-172-31-0-63.us-west-1.compute.internal

    编辑: 以下有助于创建单个文件来设置 VPN 客户端,这对移动设备很有用。

    一体化 VPN 客户端配置

    client
    dev tun
    proto udp
    remote PUBLIC_IP 1194
    tls-version-min 1.2
    tls-cipher <CIPHERS>
    cipher AES-256-CBC
    auth SHA512
    resolv-retry infinite
    auth-retry none
    nobind
    persist-key
    persist-tun
    remote-cert-tls server
    comp-lzo
    verb 3
    tls-client
    <ca>
    ...
    </ca>
    <cert>
    ...
    </cert>
    <key>
    ...
    </key>
    <tls-auth>
    ...
    </tls-auth>
    

    【讨论】:

    • 您是否设法在 android/ios 客户端上使用此客户端配置?
    • @Kein 今天我们使用的是一体化配置,它在一个文件中包含凭据和客户端配置。是的,它也适用于移动客户端,请参阅我的编辑
    猜你喜欢
    • 2022-07-26
    • 2021-01-17
    • 2021-07-17
    • 2022-01-11
    • 2019-02-06
    • 2020-10-03
    • 2016-02-24
    • 1970-01-01
    • 2021-11-08
    相关资源
    最近更新 更多