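Configure OpenVPN Clients to use specific DNS Server

This is a quick tutorial on how to configure OpenVPN clients to use a specific DNS server. The OpenVPN server can be configured so that clients use a specific DNS server for hostname resolution.

In our previous tutorial, we covered how to install and configure an OpenVPN server.

Install OpenVPN Server on Debian 11 / Debian 10

Configure OpenVPN Clients to use specific DNS Server

To configure OpenVPN clients to use a specific DNS server;

There are different ways to push a specific DNS server for name resolution:

  • Push the DNS addresses to clients from the OpenVPN server
  • Define the DNS addresses in the OpenVPN client configuration

Push DNS addresses to clients from the OpenVPN server

To configure the OpenVPN server to push DNS addresses to clients, edit the OpenVPN server configuration file and add the following line;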

push "dhcp-option DNS X.X.X.X"

Where X.X.X.X is the IP address of the DNS server.

You can add multiple DNS server entries;

push "dhcp-option DNS 192.168.58.22"
push "dhcp-option DNS 8.8.8.8"

To specify the DNS domain part;

push "dhcp-option DOMAIN DOMAIN-NAME"

For example;

push "dhcp-option DOMAIN kifarunix-demo.com"

Here is my sample OpenVPN server configuration file;

cat /etc/openvpn/server/server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert issued/server.crt
key private/server.key  # This file should be kept secret
dh dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.58.22"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DOMAIN kifarunix-demo.com"
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
data-ciphers AES-256-CBC
comp-lzo no
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
auth SHA512

Restart the OpenVPN server;

systemctl restart [email protected]

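Define DNS addresses in the OpenVPN client configuration

If you do not have access to the OpenVPN server to implement the configuration above, you can edit the OpenVPN client configuration file and add the lines below.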

dhcp-option DNS X.X.X.X
dhcp-option DNS DNS-IP-1
dhcp-option DNS DNS-IP-2
dhcp-option DOMAIN DOMAIN-NAME

Here is a sample OpenVPN client configuration;

cat client-1.ovpn
client
tls-client
pull
dev tun
proto udp4
remote 192.168.58.22 1194
resolv-retry infinite
nobind
#user nobody
#group nogroup
persist-key
persist-tun
key-direction 1
remote-cert-tls server
auth-nocache
comp-lzo
verb 3
auth SHA512
cipher AES-256-CBC
data-ciphers AES-256-CBC
comp-lzo no

Configure OpenVPN Clients to use specific DNS Server

Thus, depending on the method used above to define the DNS server addresses, you can configure OpenVPN clients to use a specific DNS server as follows.

In this tutorial, we are using Linux systems, specifically Debian 11 / Rocky Linux 8, as the demo OpenVPN clients.

On Ubuntu/Debian systems:

Install the openresolv package;

apt install openresolv

Next, edit the OpenVPN client configuration file and add the lines below;

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
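
What an up hook has to do with the pushed values, as an added example that is not part of the original tutorial and is not the update-resolv-conf script: OpenVPN hands each pushed dhcp-option to the script in foreign_option_N environment variables, and since script-security 2 lets that script run on server-supplied input, this version validates every value and emits nothing if one is malformed. The function names are hypothetical and only IPv4 DNS addresses are handled.

```shell
#!/bin/sh
# Added example (not the update-resolv-conf script itself).
# OpenVPN exports each pushed option to --up/--down scripts as
# foreign_option_1, foreign_option_2, ... e.g. "dhcp-option DNS 192.168.58.22".

# True only for a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    case $1 in
        '' | *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1          # split on dots; only digits and dots can reach this line
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# True only for a plausible DNS domain: letters, digits, hyphens and dots.
is_domain() {
    case $1 in
        '' | *[!A-Za-z0-9.-]* | .* | -* | *..*) return 1 ;;
    esac
    [ ${#1} -le 253 ]
}

# Print resolv.conf-style lines built from foreign_option_N.
# Fails closed: any malformed value returns 1 and prints nothing on stdout.
resolv_lines_from_env() {
    n=1
    search=''
    servers=''
    while :; do
        eval "opt=\${foreign_option_$n-}"   # n is our own counter, safe to eval
        [ -n "$opt" ] || break
        case $opt in
            'dhcp-option DNS '*)
                val=${opt#'dhcp-option DNS '}
                is_ipv4 "$val" || { echo "foreign_option_$n: bad DNS address" >&2; return 1; }
                servers="${servers}nameserver $val
"
                ;;
            'dhcp-option DOMAIN '*)
                val=${opt#'dhcp-option DOMAIN '}
                is_domain "$val" || { echo "foreign_option_$n: bad domain" >&2; return 1; }
                search="${search:+$search }$val"
                ;;
        esac
        n=$((n + 1))
    done
    [ -z "$search" ] || printf 'search %s\n' "$search"
    printf '%s' "$servers"
}

# Constructed sample: the three options pushed by the server in this tutorial.
foreign_option_1='dhcp-option DNS 192.168.58.22'
foreign_option_2='dhcp-option DNS 8.8.8.8'
foreign_option_3='dhcp-option DOMAIN kifarunix-demo.com'
resolv_lines_from_env
```
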

See the sample updated OpenVPN client configuration file;

cat client-1.ovpn
client
tls-client
pull
dev tun
proto udp4
remote 192.168.58.22 1194
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
remote-cert-tls server
auth-nocache
comp-lzo
verb 3
auth SHA512
cipher AES-256-CBC
data-ciphers AES-256-CBC
comp-lzo no
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Connect the client to the VPN;

openvpn client-1.ovpn
2021-11-08 14:25:09 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2021-11-08 14:25:09 OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
2021-11-08 14:25:09 library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
2021-11-08 14:25:09 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-11-08 14:25:09 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-11-08 14:25:09 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-11-08 14:25:09 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.58.22:1194
2021-11-08 14:25:09 Socket Buffers: R=[212992->212992] S=[212992->212992]
2021-11-08 14:25:09 UDPv4 link local: (not bound)
2021-11-08 14:25:09 UDPv4 link remote: [AF_INET]192.168.58.22:1194
2021-11-08 14:25:09 TLS: Initial packet from [AF_INET]192.168.58.22:1194, sid=0a6596f7 2db76aa3
2021-11-08 14:25:09 VERIFY OK: depth=1, CN=Easy-RSA CA
2021-11-08 14:25:09 VERIFY KU OK
2021-11-08 14:25:09 Validating certificate extended key usage
2021-11-08 14:25:09 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-11-08 14:25:09 VERIFY EKU OK
2021-11-08 14:25:09 VERIFY OK: depth=0, CN=server
2021-11-08 14:25:09 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
2021-11-08 14:25:09 [server] Peer Connection Initiated with [AF_INET]192.168.58.22:1194
2021-11-08 14:25:09 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 192.168.58.22,dhcp-option DNS 8.8.8.8,dhcp-option DOMAIN kifarunix-demo.com,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-CBC'
2021-11-08 14:25:09 OPTIONS IMPORT: timers and/or timeouts modified
2021-11-08 14:25:09 OPTIONS IMPORT: --ifconfig/up options modified
2021-11-08 14:25:09 OPTIONS IMPORT: route options modified
2021-11-08 14:25:09 OPTIONS IMPORT: route-related options modified
2021-11-08 14:25:09 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2021-11-08 14:25:09 OPTIONS IMPORT: peer-id set
2021-11-08 14:25:09 OPTIONS IMPORT: adjusting link_mtu to 1625
2021-11-08 14:25:09 OPTIONS IMPORT: data channel crypto options modified
2021-11-08 14:25:09 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2021-11-08 14:25:09 Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-11-08 14:25:09 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2021-11-08 14:25:09 Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-11-08 14:25:09 net_route_v4_best_gw query: dst 0.0.0.0
2021-11-08 14:25:09 net_route_v4_best_gw result: via 10.0.2.2 dev enp0s3
2021-11-08 14:25:09 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:36:23:40
2021-11-08 14:25:09 TUN/TAP device tun0 opened
2021-11-08 14:25:09 net_iface_mtu_set: mtu 1500 for tun0
2021-11-08 14:25:09 net_iface_up: set tun0 up
2021-11-08 14:25:09 net_addr_v4_add: 10.8.0.2/24 dev tun0
2021-11-08 14:25:09 /etc/openvpn/update-resolv-conf tun0 1500 1625 10.8.0.2 255.255.255.0 init
dhcp-option DNS 192.168.58.22
dhcp-option DNS 8.8.8.8
dhcp-option DOMAIN kifarunix-demo.com
2021-11-08 14:25:10 net_route_v4_add: 192.168.58.22/32 via 10.0.2.2 dev [NULL] table 0 metric -1
2021-11-08 14:25:10 net_route_v4_add: 0.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
2021-11-08 14:25:10 net_route_v4_add: 128.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
2021-11-08 14:25:10 Initialization Sequence Completed

This updates the /etc/resolv.conf file with the custom DNS entries;

cat /etc/resolv.conf
# Generated by resolvconf
search kifarunix-demo.com
nameserver 192.168.58.22
nameserver 8.8.8.8
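
A check for the result shown above, as an added example that is not part of the original tutorial: it compares the DNS servers in the client's PUSH_REPLY log line with the nameserver entries actually present in resolv.conf, and reports resolvers the VPN did not push (a DNS-leak indicator) as well as pushed servers that never arrived. Function names, file names and the 10.0.2.3 resolver are constructed; it assumes resolv.conf lists the upstream resolvers directly, as in the openresolv setup here.

```shell
#!/bin/sh
# Added example: did the DNS servers pushed by the VPN become the resolvers in use?

# DNS servers named in the last PUSH_REPLY of an OpenVPN client log, one per line.
pushed_dns() {
    grep 'PUSH_REPLY' "$1" | tail -n 1 | tr -d "'" | tr ',' '\n' |
        sed -n 's/^dhcp-option DNS \([0-9.][0-9.]*\)$/\1/p'
}

# nameserver addresses from a resolv.conf-format file, one per line.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Print the lines of list $1 that are absent from list $2 (newline-separated).
not_in() {
    printf '%s\n' "$1" | OTHER=$2 awk '
        BEGIN { n = split(ENVIRON["OTHER"], a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        $0 != "" && !($0 in seen)'
}

# check_dns LOG RESOLV_CONF
# Returns 0 when both sets match, 1 on any mismatch, 2 when no DNS was pushed.
check_dns() {
    pushed=$(pushed_dns "$1")
    active=$(resolv_nameservers "$2")
    if [ -z "$pushed" ]; then
        echo "NO-PUSH no dhcp-option DNS found in PUSH_REPLY"
        return 2
    fi
    report=$(
        not_in "$active" "$pushed" | sed 's/^/UNEXPECTED /'
        not_in "$pushed" "$active" | sed 's/^/MISSING /'
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Write constructed sample files into directory $1.
write_samples() {
    # The PUSH_REPLY line from the client log on this page.
    cat > "$1/openvpn.log" <<'EOF'
2021-11-08 14:25:09 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 192.168.58.22,dhcp-option DNS 8.8.8.8,dhcp-option DOMAIN kifarunix-demo.com,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-CBC'
EOF
    # The resolv.conf shown on this page after the hook has run.
    cat > "$1/resolv.ok" <<'EOF'
# Generated by resolvconf
search kifarunix-demo.com
nameserver 192.168.58.22
nameserver 8.8.8.8
EOF
    # Constructed failure case: a pre-VPN resolver is still listed and one
    # pushed server is missing.
    printf 'nameserver 192.168.58.22\nnameserver 10.0.2.3\n' > "$1/resolv.leak"
}

dir=$(mktemp -d) && write_samples "$dir"
check_dns "$dir/openvpn.log" "$dir/resolv.ok" && echo "resolv.ok: resolvers match the push"
check_dns "$dir/openvpn.log" "$dir/resolv.leak" || echo "resolv.leak: mismatch"
rm -rf "$dir"
```
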

My internal DNS resolution;

dig debian11.kifarunix-demo.com +short
192.168.59.14

See our DNS guide.

Configure BIND DNS Server using Webmin on Debian 11

On CentOS/RHEL/Rocky Linux:

Install update-systemd-resolved;

git clone https://github.com/jonathanio/update-systemd-resolved.git
cd update-systemd-resolved
make

Sample output;

Successfully installed update-systemd-resolved to /etc/openvpn/scripts/update-systemd-resolved.

Now would be a good time to update /etc/nsswitch.conf:

  # Use systemd-resolved first, then fall back to /etc/resolv.conf
  hosts: files resolve dns myhostname
  # Use /etc/resolv.conf first, then fall back to systemd-resolved
  hosts: files dns resolve myhostname

You should also update your OpenVPN configuration:

  setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  script-security 2
  up /etc/openvpn/scripts/update-systemd-resolved
  up-restart
  down /etc/openvpn/scripts/update-systemd-resolved
  down-pre

or pass --config /etc/openvpn/scripts/update-systemd-resolved.conf
in addition to any other --config arguments to your openvpn command.

Next, enable the systemd-resolved.service.

systemctl enable --now systemd-resolved.service

Update the /etc/nsswitch.conf file to look up DNS via the resolve (systemd-resolved.service) service. (Use /etc/resolv.conf first, then fall back to systemd-resolved.)

sed -i '/hosts:/s/dns/dns resolve/' /etc/nsswitch.conf

Next, update your client configuration file to include the following lines.

setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
script-security 2
up /etc/openvpn/scripts/update-systemd-resolved
up-restart
down /etc/openvpn/scripts/update-systemd-resolved
down-pre

And this is what my sample configuration looks like;

cat client-1.ovpn
client
tls-client
pull
dev tun
proto udp4
remote 192.168.58.22 1194
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
remote-cert-tls server
auth-nocache
comp-lzo
verb 3
auth SHA512
cipher AES-256-CBC
comp-lzo no
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
script-security 2
up /etc/openvpn/scripts/update-systemd-resolved
up-restart
down /etc/openvpn/scripts/update-systemd-resolved
down-pre

Connecting to the VPN;

openvpn client-1.ovpn
Tue Nov  9 00:02:52 2021 OpenVPN 2.4.11 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 21 2021
Tue Nov  9 00:02:52 2021 library versions: OpenSSL 1.1.1g FIPS  21 Apr 2020, LZO 2.08
Tue Nov  9 00:02:52 2021 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Nov  9 00:02:52 2021 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Nov  9 00:02:52 2021 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Nov  9 00:02:52 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.58.22:1194
Tue Nov  9 00:02:52 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Nov  9 00:02:52 2021 UDPv4 link local: (not bound)
Tue Nov  9 00:02:52 2021 UDPv4 link remote: [AF_INET]192.168.58.22:1194
Tue Nov  9 00:02:52 2021 TLS: Initial packet from [AF_INET]192.168.58.22:1194, sid=f89234f0 4a96fc1e
Tue Nov  9 00:02:52 2021 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Nov  9 00:02:52 2021 VERIFY KU OK
Tue Nov  9 00:02:52 2021 Validating certificate extended key usage
Tue Nov  9 00:02:52 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Nov  9 00:02:52 2021 VERIFY EKU OK
Tue Nov  9 00:02:52 2021 VERIFY OK: depth=0, CN=server
Tue Nov  9 00:02:52 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Nov  9 00:02:52 2021 [server] Peer Connection Initiated with [AF_INET]192.168.58.22:1194
Tue Nov  9 00:02:53 2021 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Nov  9 00:02:53 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 192.168.58.22,dhcp-option DNS 8.8.8.8,dhcp-option DOMAIN kifarunix-demo.com,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-CBC'
Tue Nov  9 00:02:53 2021 OPTIONS IMPORT: timers and/or timeouts modified
Tue Nov  9 00:02:53 2021 OPTIONS IMPORT: --ifconfig/up options modified
Tue Nov  9 00:02:53 2021 OPTIONS IMPORT: route options modified
Tue Nov  9 00:02:53 2021 OPTIONS IMPORT: route-related options modified
Tue Nov  9 00:02:53 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Nov  9 00:02:53 2021 OPTIONS IMPORT: peer-id set
Tue Nov  9 00:02:53 2021 OPTIONS IMPORT: adjusting link_mtu to 1625
Tue Nov  9 00:02:53 2021 OPTIONS IMPORT: data channel crypto options modified
Tue Nov  9 00:02:53 2021 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Nov  9 00:02:53 2021 Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Nov  9 00:02:53 2021 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Nov  9 00:02:53 2021 Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Nov  9 00:02:53 2021 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:3e:fe:0e
Tue Nov  9 00:02:53 2021 TUN/TAP device tun0 opened
Tue Nov  9 00:02:53 2021 TUN/TAP TX queue length set to 100
Tue Nov  9 00:02:53 2021 /sbin/ip link set dev tun0 up mtu 1500
Tue Nov  9 00:02:53 2021 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Tue Nov  9 00:02:53 2021 /etc/openvpn/scripts/update-systemd-resolved tun0 1500 1605 10.8.0.2 255.255.255.0 init
<14>Nov  9 00:02:53 update-systemd-resolved: Link 'tun0' coming up
<14>Nov  9 00:02:53 update-systemd-resolved: Adding IPv4 DNS Server 192.168.58.22
<14>Nov  9 00:02:53 update-systemd-resolved: Adding IPv4 DNS Server 8.8.8.8
<14>Nov  9 00:02:53 update-systemd-resolved: Adding DNS Domain kifarunix-demo.com
<14>Nov  9 00:02:53 update-systemd-resolved: SetLinkDNS(22 2 2 4 192 168 58 22 2 4 8 8 8 8)
<14>Nov  9 00:02:53 update-systemd-resolved: SetLinkDomains(22 1 kifarunix-demo.com false)
Tue Nov  9 00:02:53 2021 /sbin/ip route add 192.168.58.22/32 via 10.0.2.2
Tue Nov  9 00:02:53 2021 /sbin/ip route add 0.0.0.0/1 via 10.8.0.1
Tue Nov  9 00:02:53 2021 /sbin/ip route add 128.0.0.0/1 via 10.8.0.1
Tue Nov  9 00:02:53 2021 Initialization Sequence Completed

Your local DNS should now be working when connected to VPN.

Read more about DNS leakage.

And that is how you can configure OpenVPN clients to use specific DNS Server.
