我希望这很容易
up.sh当我从命令行以 root 身份运行以下脚本时,它完美运行。
但是,不是每次新用户连接到 OpenVPN 时手动调用此脚本,以通过 tc (qdisc) 单独限制每个新用户(User1、User2、User3 到无穷大)的带宽、延迟等,我希望脚本每次新用户连接到 OpenVPN 时被调用,并且当新用户连接时能够单独调整新用户的带宽、延迟等,而不会影响当前用户的带宽、延迟等(可能是 100 或1000)
我尝试将脚本移动到以下文件夹/etc/network/if-up.d,以便在新用户连接到 OpenVPN 时执行它,但是由于某种原因,该脚本没有被调用(它对 qdisc 没有任何更改),但它是完全相同的脚本并且可以完美运行当我从命令行执行它时。
我还尝试将脚本重命名为learn-address.sh并将其放在以下文件夹/etc/openvpn/netem/learn-address.sh中,以便在 OpenVPN 学习新地址时自动调用,但这也不起作用
我还更新了 server.conf 文件,内容如下
脚本安全 3
学习地址 /etc/openvpn/netem/learn-address.sh
和
脚本安全 3
向上 /etc/network/if-up.d/up.sh
但它也没有工作
最后,我还尝试更新/etc/sudoers.tmp文件以授予脚本权限,但这似乎也无济于事(见文章末尾)
我正在运行 Ubuntu 14.04
非常感谢您的帮助
当我从命令行调用它时,这是一个名为 up.sh 的脚本:
#!/bin/bash
# Full path to tc binary
TC=$(which tc)
#
# NETWORK CONFIGURATION
# interface - name of your interface device
# interface_speed - speed in mbit of your $interface
# ip - IP address of your server, change this if you don't want to use
# the default catch all filters.
#
interface=eth0
interface_speed=100mbit
ip=4.1.2.3 # The IP address bound to the interface
# Define the upload and download speed limit, follow units can be
# passed as a parameter:
# kbps: Kilobytes per second
# mbps: Megabytes per second
# kbit: kilobits per second
# mbit: megabits per second
# bps: Bytes per second
download_limit=512kbit
upload_limit=10mbit
# Filter options for limiting the intended interface.
FILTER="$TC filter add dev $interface protocol ip parent 1: prio 1 u32"
#
# This function starts the TC rules and limits the upload and download speed
# per already configured earlier.
#
function start_tc {
tc qdisc show dev $interface | grep -q "qdisc pfifo_fast 0"
[ "$?" -gt "0" ] && tc qdisc del dev $interface root; sleep 1
# start the tc configuration
$TC qdisc add dev $interface root handle 1: htb default 30
$TC class add dev $interface parent 1: classid 1:1 htb rate $interface_speed burst 15k
$TC class add dev $interface parent 1:1 classid 1:10 htb rate $download_limit burst 15k
$TC class add dev $interface parent 1:1 classid 1:20 htb rate $upload_limit burst 15k
$TC qdisc add dev $interface parent 1:10 handle 10: sfq perturb 10
$TC qdisc add dev $interface parent 1:20 handle 20: sfq perturb 10
# Apply the filter rules
# Catch-all IP rules, which will set global limit on the server
# for all IP addresses on the server.
$FILTER match ip dst 0.0.0.0/0 flowid 1:10
$FILTER match ip src 0.0.0.0/0 flowid 1:20
# If you want to limit the upload/download limit based on specific IP address
# you can comment the above catch-all filter and uncomment these:
#
# $FILTER match ip dst $ip/32 flowid 1:10
# $FILTER match ip src $ip/32 flowid 1:20
}
#
# Removes the network speed limiting and restores the default TC configuration
#
function stop_tc {
tc qdisc show dev $interface | grep -q "qdisc pfifo_fast 0"
[ "$?" -gt "0" ] && tc qdisc del dev $interface root
}
function show_status {
$TC -s qdisc ls dev $interface
}
#
# Display help
#
function display_help {
echo "Usage: tc [OPTION]"
echo -e "\tstart - Apply the tc limit"
echo -e "\tstop - Remove the tc limit"
echo -e "\tstatus - Show status"
}
# Start
if [ -z "$1" ]; then
display_help
elif [ "$1" == "start" ]; then
start_tc
elif [ "$1" == "stop" ]; then
stop_tc
elif [ "$1" == "status" ]; then
show_status
fi
这是我还更新的以下文件:
/etc/sudoers.tmp
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
#nobody ALL=(ALL) NOPASSWD: /usr/lib/tc
nobody ALL=(ALL) NOPASSWD: /usr/lib/tc
www-data ALL=NOPASSWD: /user/lib/tc
root ALL=NOPASSWD: /user/lib/tc
root ALL=(ALL:ALL) ALL
nobody ALL=(ALL) NOPASSWD
nobody ALL=(ALL) NOPASSWD: /etc/openvpn/netem/learn-address.sh
root ALL=(ALL) NOPASSWD: /etc/openvpn/netem/learn-address.sh
www-data ALL=(ALL) NOPASSWD: /etc/openvpn/netem/learn-address.sh
nobody ALL=(ALL) NOPASSWD: /etc/openvpn/netem/up.sh
www-data ALL=(ALL) NOPASSWD: /etc/openvpn/netem/up.sh
root ALL=(ALL) NOPASSWD: /etc/openvpn/netem/up.sh
nobody ALL=(ALL) NOPASSWD: /etc/network/if-up.d/up.sh
www-data ALL=(ALL) NOPASSWD: /etc/network/if-up.d/up.sh
root ALL=(ALL) NOPASSWD: /etc/network/if-up.d/up.sh
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
这是server.conf
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-128-CBC
comp-lzo
#user nobody
#user openvpn
#group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
script-security 2
down-pre
up /etc/openvpn/tc.sh
down /etc/openvpn/tc.sh
client-connect /etc/openvpn/tc.sh
client-disconnect /etc/openvpn/tc.sh
log /var/log/openvpn.log
OpenVPN 每个客户端流量控制
要针对每个客户端进行流量控制的简单解决方案,您可以执行以下操作。此解决方案仅适用于
/24VPN 子网。在 Ubuntu 14.04 上测试。OpenVPN 服务器示例配置:
交通控制脚本
/etc/openvpn/tc.sh:请注意,这是一个用于测试目的的非常简单的脚本,
tc可以在此答案中找到更复杂的 OpenVPN 流量控制方法。使脚本可执行:
在非特权模式下以 root 身份运行脚本
如果您在非特权模式下运行 OpenVPN 并且脚本需要作为 运行
root,请在服务器配置中修改以下指令:添加一个名为的非特权
openvpn用户:/etc/sudoers使用 command编辑visudo,添加以下行:Ctrl使用+保存并退出x,y
使脚本只能由 root 写入:
请注意,这可能会打开一个安全漏洞,并且可能与以 root 身份运行 OpenVPN 相当。虽然对我来说看起来很安全,但总有人眼睛更好:)
故障排除
该脚本现在应该以 root 身份运行,您可以通过在
tc.sh脚本开头添加以下行来对其进行故障排除:首次启动服务器后,您可以跟踪日志: