Reaching US-IP-restricted YouTube resources on a US VPS through a VPN from a Japanese VPS
The goal this time: clients connect to the nearest VPS (Japan), and the Japanese VPS reaches the US VPS over a VPN for the YouTube resources that are restricted to US IPs. The client then needs no extra configuration: going through the Japanese VPS is enough to reach the US-IP-restricted YouTube resources.
The VPN is SoftEther VPN Server.
Server side (the US VPS)
Create Virtual Hub "server" / Manage Virtual Hub / Manage Users: add the user that the client side will connect with.
Local Bridge Setting / bridge Virtual Hub "server" to a new tap device; enter the device name soft1 (SoftEther creates it as tap_soft1).
ifconfig tap_soft1 192.168.60.100
ifconfig tap_soft1 mtu 1392
(ifconfig without a netmask uses the class-based default, /24 here; the iproute2 equivalent is "ip addr add 192.168.60.100/24 dev tap_soft1" and "ip link set tap_soft1 mtu 1392 up".)
Add an IPv6 address. This is only so that the server configuration never has to change later: a fixed link-local address serves as the IPv6 next hop.
ip address add fe80::4ac:20ff:fe9c:1000/128 dev tap_soft1
#ip address del fe80::4ac:20ff:fe9c:1000/128 dev tap_soft1
Client side (the Japanese VPS)
Create Virtual Hub "client" / Manage Virtual Hub / Manage Cascade Connections: create a cascade connection to the server side.
Local Bridge Setting / bridge Virtual Hub "client" to a new tap device; enter the device name soft1.
ifconfig tap_soft1 192.168.60.200
ifconfig tap_soft1 mtu 1392
#ip address add fe80::4ac:20ff:fe9c:2000/128 dev tap_soft1
#ip address del fe80::4ac:20ff:fe9c:2000/128 dev tap_soft1
If the two sides can ping each other, the VPN link itself is fine.
ping 192.168.60.100
ping6 -I tap_soft1 fe80::4ac:20ff:fe9c:1000
For rebuilding from a Debian source package, see the Debian guide on source handling:
https://www.debian.org/doc/manuals/apt-howto/ch-sourcehandling.zh-cn.html
Note: Debian 7 (Wheezy) ships dnsmasq 2.62, and according to "dnsmasq -v" it is built without ipset support (the ipset= option first appeared in dnsmasq 2.66), so the jessie source package is rebuilt on wheezy:
vi /etc/apt/sources.list
deb-src http://debian.mirror.constant.com/ jessie main
apt-get update
apt-get build-dep dnsmasq   # build dependencies needed to compile dnsmasq
apt-get -b source dnsmasq   # fetch the source package and build it; the .deb files land in the current directory
dpkg -i dnsmasq-base_*.deb dnsmasq_*.deb
There is also ipset-dns, although newer dnsmasq has the same feature built in:
http://git.zx2c4.com/ipset-dns/about/
ipset-dns letitgo gov6 5353 8.8.8.8
ipset-dns automatically adds the addresses it resolves to an ipset. The command above starts a local DNS server listening on port 5353 with 8.8.8.8 as upstream; resolved IPv4 addresses go into the set letitgo and IPv6 addresses into gov6. Very cool, but the upstream port cannot be specified, so the answers get poisoned, which makes it impractical here.
Create the ipsets
ipset destroy outwall6
ipset destroy outwall4
ipset -N outwall6 iphash family inet6
ipset -N outwall4 iphash
(ipset 6.x still accepts this old syntax; the current form is "ipset create outwall6 hash:ip family inet6" and "ipset create outwall4 hash:ip".)
Edit /etc/dnsmasq.conf
ipset=/youtube.com/outwall4,outwall6
# Block outbound AAAA queries for youtube at the firewall. This is mainly for dual-stack hosts: forcing the IPv4 answers when reaching youtube keeps the VPN routing simple. The hex string is the DNS wire form of the name youtube.com (length-prefixed labels, 0x00 terminator) followed by QTYPE 0x001c = AAAA, so it also matches www.youtube.com, m.youtube.com and so on.
#iptables -I OUTPUT -o eth0 -p udp --dport 53 -m string --hex-string "|07|youtube|03|com|00001c|" --algo bm -j DROP
Generate the lookups. Note: the dnsmasq cache apparently has to be cleared before results appear, and nslookup alone produces only a few addresses.
#service dnsmasq restart
kill -HUP $(pidof dnsmasq)
# SIGHUP makes dnsmasq clear its cache and re-read /etc/hosts and resolv.conf; it does NOT re-read dnsmasq.conf, so after editing the ipset= line a restart is required.
nslookup www.youtube.com
nslookup m.youtube.com
nslookup -type=AAAA www.youtube.com
nslookup -type=AAAA m.youtube.com
ipset -L outwall4
ipset -L outwall6
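Added example (my code, not part of the original notes): a small POSIX shell helper that builds the --hex-string pattern from the AAAA rule above for any name and QTYPE, and checks offline which query names that pattern would actually catch. xt_string does a plain substring search over the packet, so the check is a substring test over the DNS wire encoding. The QTYPE table and all function names are mine; the only things taken from the notes are youtube.com, AAAA and the shape of the OUTPUT rule.

```shell
#!/bin/sh
# Added example, not from the original notes: build the iptables
# "-m string --hex-string" pattern for a DNS query of a given name/QTYPE
# and test which query names it matches. DNS wire form of a name is
# <len><label>...<len><label>0x00, followed by the 2-byte QTYPE.
# Assumed: POSIX sh with od(1); the QTYPE table only covers A and AAAA.

str_hex() { printf '%s' "$1" | od -An -tx1 | tr -d ' \n'; }   # "com" -> 636f6d

qtype_hex() {
  case "$1" in
    A)    echo 0001 ;;
    AAAA) echo 001c ;;
    *)    echo "unknown qtype $1" >&2; return 1 ;;
  esac
}

# wire form of QNAME + QTYPE as plain hex:
# youtube.com AAAA -> 07796f757475626503636f6d00001c
qname_hex() {
  local IFS=. out="" label
  for label in $1; do
    out="$out$(printf '%02x' "${#label}")$(str_hex "$label")"
  done
  printf '%s00%s' "$out" "$(qtype_hex "$2")"
}

# the same in iptables --hex-string notation:
# youtube.com AAAA -> |07|youtube|03|com|00001c|
dns_hexstring() {
  local IFS=. out="" label
  for label in $1; do
    out="$out$(printf '|%02x|%s' "${#label}" "$label")"
  done
  printf '%s|00%s|' "$out" "$(qtype_hex "$2")"
}

# Does a query for name $1 / type $2 hit the rule written for $3 / type $4?
# Returns 0 (true) when the rule's pattern occurs in the query's wire form,
# which is exactly what the kernel's substring search does.
would_match() {
  case "$(qname_hex "$1" "$2")" in
    *"$(qname_hex "$3" "$4")"*) return 0 ;;
    *) return 1 ;;
  esac
}

# the OUTPUT rule from the notes, regenerated from the pattern
dns_drop_rule() {
  printf 'iptables -I OUTPUT -o eth0 -p udp --dport 53 -m string --hex-string "%s" --algo bm -j DROP\n' \
    "$(dns_hexstring "$1" "$2")"
}
```

The pattern matches every name under youtube.com (www.youtube.com, m.youtube.com), which is what the notes want, but not names that merely contain the string, such as youtube.com.example.net, because the 0x00 terminator and QTYPE must follow "com" directly. It is byte-exact, though: xt_string compares bytes, so would_match www.YouTube.com AAAA youtube.com AAAA is false, and a resolver that randomises query case slips past the rule unless --icase is added to it.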
http://linux-ip.net/html/index.html
Add the routes. fwmark seemed to have no effect at all, so the routes were added another way (note that these rules match a set called outwall, while the sets created above are outwall4 and outwall6):
#iptables -t mangle -A PREROUTING -m set --match-set outwall dst -j MARK --set-mark 3
#iptables -t mangle -A OUTPUT -m set --match-set outwall dst -j MARK --set-mark 3
#ip rule add fwmark 3 table outwall prio 1
# Method 1: add the routes straight into the main table; they disappear together with the tap_soft1 interface.
ipset -L outwall4 >/tmp/outwall4.tmp
ipset -L outwall6 >/tmp/outwall6.tmp
# "7,$ p" skips the header of ipset -L; the number of header lines depends on the ipset version, so check the dump first (the members are everything after the "Members:" line).
#for i in `sed -n "7,$ p" /tmp/outwall4.tmp`;do echo $i;route add -net $i netmask 255.255.255.255 gw 192.168.60.100;done
#for i in `sed -n "7,$ p" /tmp/outwall4.tmp`;do echo $i;route del -net $i netmask 255.255.255.255 gw 192.168.60.100;done
route add -host 192.168.60.100 gw 192.168.60.200
for i in `sed -n "7,$ p" /tmp/outwall4.tmp`;do route add -host $i gw 192.168.60.100;done
#for i in `sed -n "7,$ p" /tmp/outwall6.tmp`;do ip -6 route del $i via fe80::4ac:20ff:fe9c:1000 dev tap_soft1;done
for i in `sed -n "7,$ p" /tmp/outwall6.tmp`;do ip -6 route add $i via fe80::4ac:20ff:fe9c:1000 dev tap_soft1;done
ip route flush cache
ip -6 route flush cache
Method 2, written while learning how ip route tables relate to ip rules, because fwmark was not working. It has pros and cons: the routes do not disappear when tap_soft1 goes away, which means extra error handling has to be added.
echo "200 outwall" >> /etc/iproute2/rt_tables
# Empty the routing table outwall
ip route flush table outwall
ip -6 route flush table outwall
# Add the IPv4 routes (the next hop itself must be reachable inside the table)
ip route add 192.168.60.100 dev tap_soft1 table outwall
ipset -L outwall4 >/tmp/outwall4.tmp
for i in `sed -n "7,$ p" /tmp/outwall4.tmp`;do echo $i;ip route add $i via 192.168.60.100 dev tap_soft1 table outwall;done
# Add the IPv6 routes (a link-local next hop always needs dev)
ip -6 route add fe80::4ac:20ff:fe9c:1000 dev tap_soft1 table outwall
ipset -L outwall6 >/tmp/outwall6.tmp
for i in `sed -n "7,$ p" /tmp/outwall6.tmp`;do echo $i;ip -6 route add $i via fe80::4ac:20ff:fe9c:1000 dev tap_soft1 table outwall;done
# Show the routes
ip route show table outwall
ip -6 route show table outwall
# Create the IPv4 lookup rule. The table has no default route, so destinations that are not in it fall through to the main table (pref 32766).
ip rule del table outwall
ip rule add from all table outwall pref 1
#ip rule add from 0/0 table outwall pref 1
# Create the IPv6 lookup rule
ip -6 rule del table outwall
ip -6 rule add from all table outwall pref 1
# Show and flush the route cache so the change takes effect immediately (kernels from 3.6 on have no IPv4 route cache any more; the flush is then a no-op)
ip route list cache
ip -6 route list cache
ip route flush cache
ip -6 route flush cache
# Verify with one of the addresses from ipset -L outwall that the lookup gives the expected result
ip -s route get 216.58.197.110
ip -s -6 route get 2404:6800:4005:801::200e
216.58.197.110 via 192.168.60.100 dev tap_soft1 src 192.168.60.200
cache users 1
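Added example (my code, not from the notes): a script that rebuilds the outwall table from the ipset members in one go. It replaces the sed -n "7,$ p" loops with a parser that takes everything after the Members: line of ipset list (the header length differs between ipset versions), uses ip route replace so it can be re-run after dnsmasq has added more addresses, and has a dry-run mode so the generated commands can be inspected without root. The addresses, interface and table name are the ones from the notes; SAMPLE_LIST is a constructed ipset list dump for running it offline.

```shell
#!/bin/sh
# Added example, not from the original notes: resync the "outwall" policy
# routing table with the members of the outwall4/outwall6 ipsets.
# Assumed (from the notes): ipset 6.x, iproute2, next hops 192.168.60.100 and
# fe80::4ac:20ff:fe9c:1000 on tap_soft1, table "outwall" in rt_tables.

V4_GW=192.168.60.100
V6_GW=fe80::4ac:20ff:fe9c:1000
DEV=tap_soft1
TABLE=outwall

# Print the member addresses of an "ipset list" dump read from stdin,
# skipping the header (everything up to and including the "Members:" line).
members_from_list() {
  sed -n '/^Members:/,$p' | sed '1d; /^[[:space:]]*$/d'
}

ipset_members() { ipset list "$1" | members_from_list; }

# Turn addresses read from stdin into "ip route replace" commands.
# $1: -4 or -6, $2: next hop, $3: device, $4: table name
route_cmds() {
  while read -r addr; do
    printf 'ip %s route replace %s via %s dev %s table %s\n' \
      "$1" "$addr" "$2" "$3" "$4"
  done
}

# The full command sequence for a resync, one command per line.
sync_cmds() {
  printf 'ip -4 route flush table %s\n' "$TABLE"
  printf 'ip -6 route flush table %s\n' "$TABLE"
  # the next hops themselves must be reachable inside the table
  printf 'ip -4 route replace %s dev %s table %s\n' "$V4_GW" "$DEV" "$TABLE"
  printf 'ip -6 route replace %s dev %s table %s\n' "$V6_GW" "$DEV" "$TABLE"
  ipset_members outwall4 | route_cmds -4 "$V4_GW" "$DEV" "$TABLE"
  ipset_members outwall6 | route_cmds -6 "$V6_GW" "$DEV" "$TABLE"
  # consult the table first; it has no default route, so destinations it
  # does not list fall through to the main table
  for fam in -4 -6; do
    printf 'ip %s rule del table %s 2>/dev/null || true\n' "$fam" "$TABLE"
    printf 'ip %s rule add table %s pref 1\n' "$fam" "$TABLE"
  done
}

# Execute the commands (needs root), or only print them with DRY_RUN=1.
sync_table() {
  if [ "${DRY_RUN:-0}" = 1 ]; then sync_cmds; else sync_cmds | sh -e; fi
}

# Constructed sample "ipset list outwall4" output, so the parser can be
# exercised on a machine without ipset.
SAMPLE_LIST='Name: outwall4
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 248
References: 1
Number of entries: 2
Members:
216.58.197.110
173.194.126.167'

# Commands the sample would produce, without touching the system.
sample_cmds() {
  printf '%s\n' "$SAMPLE_LIST" | members_from_list | route_cmds -4 "$V4_GW" "$DEV" "$TABLE"
}

if [ "${1:-}" = sync ]; then sync_table; fi
```

Saved as, say, sync-outwall.sh (file name assumed), DRY_RUN=1 sh sync-outwall.sh sync prints the command list and sh sync-outwall.sh sync as root applies it. Since the sets only grow as dnsmasq resolves names, run it again after the nslookup step or from cron so the table follows the sets.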
* Monday, 14 December 2015
– [bash] iptables iproute2 and multiple routes
http://aftermanict.blogspot.it/2015/11/bash-iptables-iproute2-and-multiple.html
– Followed this document today and for the first time got routing with fwmark working. The server has no ip6table_nat module, so only iptable_nat can be used.
– Also, set-mark 3 seems to conflict with the existing QoS marks; it only took effect after clearing the old marks with iptables -t mangle -F. This should be solvable.
– The best part of this setup is that there is no longer any loss of network access caused by interface problems when a VPN client dials in.
– Also noticed for the first time that a global ACCEPT in iptables is not a cure-all; in this case MASQUERADE has to be set on the specific interface before it works.
/etc/sysctl.conf
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2
net.ipv4.ip_forward = 1
# With policy routing, strict reverse-path filtering (rp_filter = 1) drops packets whose reply would leave through a different interface. The sysctl lines set loose mode (2); the loop below switches the check off entirely (0) on every interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 >| $f ; done
iptables -I OUTPUT -o eth0 -p udp --dport 53 -m string --hex-string "|07|youtube|03|com|00001c|" --algo bm -j DROP
dnsmasq.conf
ipset=/youtube.com/outwall4,outwall6
iptables-restore /da/fw
ipset destroy outwall6
ipset -N outwall6 iphash family inet6
ipset destroy outwall4
ipset -N outwall4 iphash
##echo "200 outwall" >> /etc/iproute2/rt_tables
# remove every current member of outwall4 (the same as "ipset -F outwall4")
ipset -L outwall4 >/tmp/outwall4.tmp
for i in `sed -n "7,$ p" /tmp/outwall4.tmp`;do echo $i;ipset -D outwall4 $i;done
kill -HUP $(pidof dnsmasq)
nslookup www.youtube.com
nslookup m.youtube.com
nslookup youtube.com
# For the ipset to be filled, the lookups must go through the local dnsmasq, e.g. 192.168.40.253:53; queries sent straight to an external DNS server leave the set empty.
ipset -L outwall4
# Set the routing mark in the high byte (0xff00) only, and only if that byte is still zero; the QoS marks live in the low byte (0xff) and are left untouched.
iptables -t mangle -D PREROUTING -m mark --mark 0x0/0xff00 -m set --match-set outwall4 dst -j MARK --set-xmark 0xfe00/0xff00
iptables -t mangle -D OUTPUT -m mark --mark 0x0/0xff00 -m set --match-set outwall4 dst -j MARK --set-xmark 0xfe00/0xff00
iptables -t mangle -I PREROUTING 2 -m mark --mark 0x0/0xff00 -m set --match-set outwall4 dst -j MARK --set-xmark 0xfe00/0xff00
iptables -t mangle -I OUTPUT -m mark --mark 0x0/0xff00 -m set --match-set outwall4 dst -j MARK --set-xmark 0xfe00/0xff00
##ip route add 192.168.40.0/24 via 192.168.30.254 dev tap_soft
ip route flush table outwall
ip route add default via 192.168.30.254 dev tap_soft table outwall
ip route add 192.168.40.0/24 via 192.168.30.254 dev tap_soft table outwall
ip rule del table outwall
ip rule add fwmark 0xfe00/0xff00 table outwall prio 1
#ip rule add from 192.168.50.0/24 table outwall prio 1
ip route flush cache
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o vpns+ -j MASQUERADE
iptables -t nat -A POSTROUTING -o tap_soft -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
– Changed the original QoS mark to 0x00/0xff and the routing mark to 0xfe00/0xff00; written as 0xff00/0xff00 the mark turns into an OR mark instead. Note that iptables -I is used to put the rules at the front. I cannot make sense of the iptables xmark description; some people say the different masks can be thought of like subnets.
– qos-scripts currently uses the last 8 bits to mark traffic e.g. -j MARK --set-xmark 0x44/0xff
whereas multi-wan uses the next 8 bits (0xff00) to mask its marks:
* Sunday, 13 December 2015
– A small ipset detail
http://blog.berry10086.com/Tech/Openwrt/ipset-and-dnsmasq/
ipset=/yahoo.com/google.com/vpn,search
ipset= can also name several sets, and the results are then split by address family: the IPv4 answers end up in the inet set and the IPv6 answers in the inet6 set.
– Given that, there is no need to block AAAA queries with iptables; the two sets just have to be routed separately for IPv4 and IPv6.
– Splitting the traffic this way works fine with proxy software, since on the server tap_soft and tap_soft1 are separate TAP interfaces, but when a VPN client dials into the server, tap_soft cannot reach the routes that were split off to tap_soft1. Search results suggest that a real NIC might work...
– A workable option for now is to change the network to the Virtual Layer 3 routing mode. That keeps VPN clients built with SoftEther working; other third-party clients still have the problem above that the separate interfaces cannot reach each other.
– The two lines below set the client routes. On the server side the Virtual Layer 3 Switch also needs a routing table, i.e. the youtube prefixes shown by ipset -L, such as 216.58.0.0/255.255.0.0 via 192.168.40.253.
route add -net 192.168.40.0 netmask 255.255.255.0 gw 192.168.30.254
route add -net 216.58.0.0/16 gw 192.168.30.254
– Judging by the tests it seems better to write every ipset address individually, e.g. route add -net 173.194.126.167 netmask 255.255.255.255 gw 192.168.30.254. The server-side Layer 3 routing table can still use subnet masks.
– This approach at least lets SoftEther VPN clients reach the split-off networks normally, but since the Layer 3 switch offers no IPv6 routing configuration, AAAA queries have to be blocked again.
– Other possible solutions, untested for lack of a setup:
http://forum.softether.org/viewtopic.php?t=4542&p=11204
on windows, you could "bridge" directly.
on linux, you have no other chance than a "double" bridge if you want the same subnet.
SoftEther-Hub <-Bridge-> tap_soft <-Bridge-> eth0.
I would try it first "step by step".
get a "life insurance", like
– shutdown -r 30
(reboot in 30 minutes....just in case of destroying all connectivity incl. ssh)
"Delete" bridge between softether and eth0
use softether gui (from a remote windows) or vpncmd to create a bridge to a tap-device (named "tap_soft")
(take a look in this "nat" tutorial: http://blog.lincoln.hk/blog/2013/05/17/softether-on-vps-using-local-bridge/)
Then install bridgeutils:
– sudo apt-get install bridge-utils
create a "new" empty bridge:
– sudo brctl addbr br0
add eth0 to bridge
– sudo brctl addif br0 eth0
check vpnserver is running and tap_soft exists
– ip a
add tap_soft to bridge
– sudo brctl addif br0 tap_soft
let client connect
– should get dhcp-lease from local dhcp server
If working....read more about ubuntu networkconfig and bridges to start it automatically. Many ways are possible.
Build a LAN-to-LAN VPN (Using L3 IP Routing)
https://www.softether.org/4-docs/1-manual/A._Examples_of_Building_VPN_Networks/10.6_Build_a_LAN-to-LAN_VPN_(Using_L3_IP_Routing)
* Saturday, 12 December 2015
– Created this document
Other information
route add -net 192.168.40.0 netmask 255.255.255.0 gw 192.168.30.254
route add -net 216.58.0.0/16 gw 192.168.30.254
route add -net 173.194.0.0/16 gw 192.168.30.254
route add -net 74.125.0.0/16 gw 192.168.30.254
route del -net 173.194.0.0/16 gw 192.168.30.254
route del -net 74.125.0.0/16 gw 192.168.30.254
youtube.com ipset results
173.194.22.235
74.125.102.42
74.125.215.213
74.125.215.112
173.194.126.174
209.85.228.180
173.194.26.202
216.58.197.110
74.125.106.136
173.194.126.164
173.194.26.242
216.58.221.78
216.58.220.238
74.125.96.74
74.125.215.49
173.194.126.166
173.194.126.168
173.194.26.116
173.194.126.165
74.125.215.85
173.194.26.230
173.194.26.246
74.125.215.209
216.58.221.46
74.125.215.84
173.194.126.163
173.194.126.161
173.194.126.162
173.194.22.231
173.194.22.248
216.58.221.238
216.58.221.14
173.194.26.74
173.194.126.169
173.194.126.160
173.194.26.234
173.194.126.167
The difference is that xmark XOR bits instead of OR them as mark does.
So the syntax is --set-xmark value/mask. The resulting operation is:
ctmark = (ctmark AND NOT mask) XOR value
Zero-out corresponds to (ctmark AND NOT mask): if a bit in mask is set, then the corresponding bit in ctmark will be zero (before the XOR).
The man page also states:
--and-mark bits
Binary AND the ctmark with bits. (Mnemonic for --set-xmark
0/invbits, where invbits is the binary negation of bits.)
--or-mark bits
Binary OR the ctmark with bits. (Mnemonic for --set-xmark
bits/bits.)
--xor-mark bits
Binary XOR the ctmark with bits. (Mnemonic for --set-xmark
bits/0.)
You can validate the operation above against those definitions:
--and-mark bits == --set-xmark 0/invbits
ctmark AND bits = (ctmark AND NOT invbits) XOR 0
-> bits = NOT invbits
-> anything XOR 0 = anything
so: ctmark AND bits = ctmark AND NOT NOT bits = ctmark AND bits
--or-mark bits == --set-mark bits/bits
ctmark OR bits = (ctmark AND NOT bits) XOR bits
-> should be obvious based on boolean logic
--xor-mark bits == --set-mark bits/0
ctmark XOR bits = (ctmark AND NOT 0) XOR bits
-> anything AND NOT 0 = anything
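Added example (my code, not from the notes or the quoted answer): the --set-xmark formula from the quote evaluated in shell arithmetic, together with the (mark AND mask) == value test that both -m mark --mark value/mask and ip rule fwmark value/mask perform. It walks one packet through the mark layout of the 14 December entry (QoS in the low byte 0xff, routing in 0xff00) so the result can be checked before it goes into iptables. The mark values are the ones from the notes and the quoted OpenWrt post; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original notes: MARK --set-xmark arithmetic
# and the mark match test, in POSIX shell arithmetic. Values print as hex.

hex() { printf '0x%x\n' "$1"; }

# MARK --set-xmark value/mask:  mark = (mark AND NOT mask) XOR value
# $1: current mark, $2: value, $3: mask
set_xmark() { hex $(( ($1 & ~$3) ^ $2 )); }

# The three man-page mnemonics, expressed through set_xmark
# (marks are 32-bit, so invbits is truncated to 32 bits).
and_mark() { set_xmark "$1" 0 $(( ~$2 & 0xffffffff )); }   # --and-mark bits == --set-xmark 0/invbits
or_mark()  { set_xmark "$1" "$2" "$2"; }                   # --or-mark bits  == --set-xmark bits/bits
xor_mark() { set_xmark "$1" "$2" 0; }                       # --xor-mark bits == --set-xmark bits/0

# -m mark --mark value/mask and "ip rule ... fwmark value/mask" both test
# (mark AND mask) == value. $1: mark, $2: value, $3: mask. 0 (true) = match.
mark_matches() { [ $(( $1 & $3 )) -eq $(( $2 )) ]; }

# One packet through the mangle chain from the notes: the QoS rule sets
# 0x44/0xff first, then the routing rule sets 0xfe00/0xff00, but only when
# the routing byte is still clear (-m mark --mark 0x0/0xff00).
mark_packet() {
  m=$(set_xmark 0 0x44 0xff)                    # QoS rule
  if mark_matches "$m" 0x0 0xff00; then         # routing byte still zero?
    m=$(set_xmark "$m" 0xfe00 0xff00)           # routing rule
  fi
  echo "$m"
}
```

mark_packet gives 0xfe44: the QoS match 0x44/0xff and the rule ip rule add fwmark 0xfe00/0xff00 both still hit, because each side only looks at its own byte. set_xmark 0xfe44 0xff00 0xff00 and or_mark 0xfe44 0xff00 give the same 0xff44, which is why the 14 December entry says that 0xff00/0xff00 behaves as an OR mark. The earlier --set-mark 3 with no mask, by contrast, overwrote the whole 32-bit mark, which is the clash with the QoS marks observed there.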
https://github.com/Adze1502/mwan/blob/master/mwan3/files/etc/hotplug.d/iface/15-mwan3#L83
ip rule add pref 2254 fwmark 0xfe00/0xff00 unreachable
iptables -A mwan3_policy_$policy -t mangle -m mark --mark 0x0/0xff00 -m comment --comment "unreachable" -j MARK --set-xmark 0xfe00/0xff00
iptables -N mwan3_hook -t mangle
iptables -A mwan3_hook -t mangle -j CONNMARK --restore-mark --nfmask 0xff00 --ctmask 0xff00
iptables -A mwan3_hook -t mangle -m mark --mark 0x0/0xff00 -j mwan3_ifaces
iptables -A mwan3_hook -t mangle -m mark --mark 0x0/0xff00 -j mwan3_rules
iptables -A mwan3_hook -t mangle -j CONNMARK --save-mark --nfmask 0xff00 --ctmask 0xff00
iptables -A mwan3_hook -t mangle -j mwan3_connected
https://forum.openwrt.org/viewtopic.php?id=53450
qos-scripts currently uses the last 8 bits to mark traffic e.g.
-j MARK --set-xmark 0x44/0xff
whereas multi-wan uses the next 8 bits (0xff00) to mask its marks:
-A mwan3_policy_balanced -m mark --mark 0x0/0xff00 -m comment --comment "wan 3 3" -j MARK --set-xmark 0x100/0xff00
-A mwan3_policy_wan2_only -m mark --mark 0x0/0xff00 -m comment --comment "wan2 2 2" -j MARK --set-xmark 0x200/0xff00
-A mwan3_policy_wan2_wan -m mark --mark 0x0/0xff00 -m comment --comment "wan2 2 2" -j MARK --set-xmark 0x200/0xff00
-A mwan3_policy_wan_only -m mark --mark 0x0/0xff00 -m comment --comment "wan 3 3" -j MARK --set-xmark 0x100/0xff00
-A mwan3_policy_wan_wan2 -m mark --mark 0x0/0xff00 -m comment --comment "wan 3 3" -j MARK --set-xmark 0x100/0xff00
so they both work fine together.
Let's say that you want to route host 192.168.10.252 via wlan0:
iptables -t mangle -N MARK1
iptables -t mangle -A MARK1 -j MARK --set-xmark 0x1/0xffffffff
iptables -t mangle -A MARK1 -j CONNMARK --set-xmark 0x1/0xffffffff
iptables -t mangle -A MARK1 -j ACCEPT
# local traffic
iptables -t mangle -A PREROUTING -s 192.168.10.0/24 -d 192.168.10.0/24 -j ACCEPT
# rest
iptables -t mangle -A PREROUTING -i eth0 ! -d 192.168.10.0/24 -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -s 192.168.10.252 -i eth0 -j MARK1
iptables -t nat -N SNAT1
# the target is SNAT (the chain being appended to is SNAT1)
iptables -t nat -A SNAT1 -j SNAT --to-source 192.168.178.199/32
iptables -t nat -A SNAT1 -j ACCEPT
iptables -t nat -A POSTROUTING -o wlan0 -m mark --mark 0x1 -j SNAT1
Tell iproute2 to read those marks:
ip rule add pref 30000 fwmark 1 lookup alice
ip rule add pref 29000 from 192.168.178.199 lookup alice
ip route add 0.0.0.0 dev wlan0 scope link src 192.168.178.199 table alice
ip route add default via 192.168.178.1 dev wlan0 scope global table alice
ip route add 192.168.10.0/24 dev eth0 scope link src 192.168.10.1 table alice
If host 192.168.10.252 wants to access something that is not intended for the router itself, this connection gets marked as "1"; iproute reads this mark and tries to find the appropriate rule. Obviously there is stuff missing here, but this is the main idea.
If you are to follow this solution, you need to remove the route weights. When you are messing around with routing tables and rules, remember to flush the cache.