Bash: running a script after openvpn


I have written a script that starts openvpn (called vpn_up), but I would also like it to run my firewall script (called firewall_up) once the VPN is up. Here is the script that works:

#!/bin/bash
#script called vpn_up

exp_login=mylogin
exp_pass=mypass

config_file=$1

expect -c "

spawn openvpn --config $config_file --script-security 2 --up /etc/openvpn/update-systemd-resolved --down /etc/openvpn/update-systemd-resolved --dhcp-option 'DOMAIN-ROUTE .' --down-pre

expect \"Auth Username:\"
send \"$exp_login\r\";
expect \"for no echo)\"
send \"$exp_pass\r\";
interact
"
Once the VPN is up, I want it to run my firewall script:

#!/bin/bash
#script called firewall_up
# get your IP address

curl -s ifconfig.me > /tmp/ip_address

#Clear any iptables rules you might have at the moment
iptables -F
#Start building the firewall by allowing tun and your localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT

#Add the IP address of the VPN to the firewall
IP_LIST=$(tr '\n' ' ' < /tmp/ip_address)
for IP in $IP_LIST; do
    iptables -A INPUT -s "$IP" -j ACCEPT
    iptables -A OUTPUT -d "$IP" -j ACCEPT
done

iptables -A INPUT -p udp --sport 1195 -j ACCEPT
iptables -A INPUT -p udp --dport 1195 -j ACCEPT
iptables -A OUTPUT -p udp --sport 1195 -j ACCEPT
iptables -A OUTPUT -p udp --dport 1195 -j ACCEPT

#iptables -A INPUT -p udp --sport 53 -j ACCEPT
#iptables -A INPUT -p udp --dport 53 -j ACCEPT
#iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
#iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp -j DROP
iptables -A OUTPUT -p udp -j DROP

# Stop anything not from VPN or localhost
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

#Clean up your temporary files
rm -f /tmp/ip_address
So at the moment I run vpn_up in one terminal window, and then run

sudo firewall_up
in another window, and everything works.

I would like to do all of this with one script. I tried adding --up /usr/sbin/firewall_up to the spawn openvpn command in my first script, i.e.

#!/bin/bash
# script called vpn_up

exp_login=mylogin
exp_pass=mypass

config_file=$1

expect -c "

spawn openvpn --config $config_file --script-security 2 --up /etc/openvpn/update-systemd-resolved --up /usr/sbin/firewall_up --down /etc/openvpn/update-systemd-resolved --dhcp-option 'DOMAIN-ROUTE .' --down-pre

expect \"Auth Username:\"
send \"$exp_login\r\";
expect \"for no echo)\"
send \"$exp_pass\r\";
interact
"
But it ends up running the firewall before the VPN is actually up. That is, it uses my initial IP address rather than the IP address after the VPN is up and running. Is there a way to simply add more code after expect has finished and openvpn is done?

Any suggestions?

Thanks

As mentioned, here is what I think is the key output from openvpn:

Fri May 14 11:39:31 2021 /sbin/ip link set dev tun0 up mtu 1500
Fri May 14 11:39:31 2021 /sbin/ip addr add dev tun0 local 10.167.0.50 peer 10.167.0.49
Fri May 14 11:39:31 2021 /usr/sbin/firewall_up tun0 1500 1557 10.167.0.50 10.167.0.49 init
Fri May 14 11:39:33 2021 /sbin/ip route add 185.195.19.203/32 via 192.168.0.1
Fri May 14 11:39:33 2021 /sbin/ip route add 0.0.0.0/1 via 10.167.0.49
Fri May 14 11:39:33 2021 /sbin/ip route add 128.0.0.0/1 via 10.167.0.49
Fri May 14 11:39:33 2021 /sbin/ip route add 10.167.0.1/32 via 10.167.0.49
Fri May 14 11:39:33 2021 Initialization Sequence Completed
Fri May 14 13:18:04 2021 WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
Fri May 14 13:18:04 2021 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep  5 2019
Fri May 14 13:18:04 2021 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Enter Auth Username: mylogin
Enter Auth Password: ************************
Fri May 14 13:18:10 2021 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Fri May 14 13:18:10 2021 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri May 14 13:18:10 2021 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri May 14 13:18:10 2021 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri May 14 13:18:10 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]185.195.19.203:1195
Fri May 14 13:18:10 2021 Socket Buffers: R=[212992->425984] S=[212992->425984]
Fri May 14 13:18:10 2021 UDP link local: (not bound)
Fri May 14 13:18:10 2021 UDP link remote: [AF_INET]185.195.19.203:1195
Fri May 14 13:18:10 2021 TLS: Initial packet from [AF_INET]185.195.19.203:1195, sid=6dc3ebd7 4f71f9e5
Fri May 14 13:18:10 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri May 14 13:18:10 2021 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Fri May 14 13:18:10 2021 VERIFY OK: nsCertType=SERVER
Fri May 14 13:18:10 2021 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-3732-0a, emailAddress=support@expressvpn.com
Fri May 14 13:18:10 2021 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-3732-0a, emailAddress=support@expressvpn.com
Fri May 14 13:18:11 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Fri May 14 13:18:11 2021 [Server-3732-0a] Peer Connection Initiated with [AF_INET]185.195.19.203:1195
Fri May 14 13:18:12 2021 SENT CONTROL [Server-3732-0a]: 'PUSH_REQUEST' (status=1)
Fri May 14 13:18:12 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.167.0.1,comp-lzo no,route 10.167.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.167.0.86 10.167.0.85,peer-id 19,cipher AES-256-GCM'
Fri May 14 13:18:12 2021 OPTIONS IMPORT: timers and/or timeouts modified
Fri May 14 13:18:12 2021 OPTIONS IMPORT: compression parms modified
Fri May 14 13:18:12 2021 OPTIONS IMPORT: --ifconfig/up options modified
Fri May 14 13:18:12 2021 OPTIONS IMPORT: route options modified
Fri May 14 13:18:12 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri May 14 13:18:12 2021 OPTIONS IMPORT: peer-id set
Fri May 14 13:18:12 2021 OPTIONS IMPORT: adjusting link_mtu to 1629
Fri May 14 13:18:12 2021 OPTIONS IMPORT: data channel crypto options modified
Fri May 14 13:18:12 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
Fri May 14 13:18:12 2021 NCP: overriding user-set keysize with default
Fri May 14 13:18:12 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri May 14 13:18:12 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri May 14 13:18:12 2021 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=wlp2s0 HWADDR=1c:1b:b5:46:ec:45
Fri May 14 13:18:12 2021 TUN/TAP device tun0 opened
Fri May 14 13:18:12 2021 TUN/TAP TX queue length set to 100
Fri May 14 13:18:12 2021 /sbin/ip link set dev tun0 up mtu 1500
Fri May 14 13:18:12 2021 /sbin/ip addr add dev tun0 local 10.167.0.86 peer 10.167.0.85
Fri May 14 13:18:12 2021 /etc/openvpn/update-systemd-resolved tun0 1500 1557 10.167.0.86 10.167.0.85 init
<14>May 14 13:18:12 update-systemd-resolved: Link 'tun0' coming up
<14>May 14 13:18:12 update-systemd-resolved: Adding DNS Routed Domain .
<14>May 14 13:18:12 update-systemd-resolved: Adding IPv4 DNS Server 10.167.0.1
<14>May 14 13:18:12 update-systemd-resolved: SetLinkDNS(15 1 2 4 10 167 0 1)
<14>May 14 13:18:12 update-systemd-resolved: SetLinkDomains(15 1 . true)
Fri May 14 13:18:14 2021 /sbin/ip route add 185.195.19.203/32 via 192.168.0.1
Fri May 14 13:18:14 2021 /sbin/ip route add 0.0.0.0/1 via 10.167.0.85
Fri May 14 13:18:14 2021 /sbin/ip route add 128.0.0.0/1 via 10.167.0.85
Fri May 14 13:18:14 2021 /sbin/ip route add 10.167.0.1/32 via 10.167.0.85
Fri May 14 13:18:14 2021 Initialization Sequence Completed

The problem seems to be that it runs the firewall before it has finished initialising.

First, I am still figuring out Stackoverflow. Sorry for posting the answer to Glenn Jackman's question in several places. I think I have finally found the answer.

The key output from openvpn is:

Fri May 14 11:39:31 2021 /sbin/ip link set dev tun0 up mtu 1500
Fri May 14 11:39:31 2021 /sbin/ip addr add dev tun0 local 10.167.0.50 peer 10.167.0.49
Fri May 14 11:39:31 2021 /usr/sbin/firewall_up tun0 1500 1557 10.167.0.50 10.167.0.49 init
Fri May 14 11:39:33 2021 /sbin/ip route add 185.195.19.203/32 via 192.168.0.1
Fri May 14 11:39:33 2021 /sbin/ip route add 0.0.0.0/1 via 10.167.0.49
Fri May 14 11:39:33 2021 /sbin/ip route add 128.0.0.0/1 via 10.167.0.49
Fri May 14 11:39:33 2021 /sbin/ip route add 10.167.0.1/32 via 10.167.0.49
Fri May 14 11:39:33 2021 Initialization Sequence Completed
It looks as though it ran the firewall before openvpn had actually finished.

Here is the full output from openvpn, in case I have missed something useful:

Fri May 14 11:39:29 2021 Multiple --up scripts defined.  The previously configured script is overridden.
Fri May 14 11:39:29 2021 WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
Fri May 14 11:39:29 2021 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep  5 2019
Fri May 14 11:39:29 2021 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Enter Auth Username: myusername
Enter Auth Password: ************************
Fri May 14 11:39:29 2021 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Fri May 14 11:39:29 2021 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri May 14 11:39:29 2021 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri May 14 11:39:29 2021 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri May 14 11:39:29 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]185.195.19.203:1195
Fri May 14 11:39:29 2021 Socket Buffers: R=[212992->425984] S=[212992->425984]
Fri May 14 11:39:29 2021 UDP link local: (not bound)
Fri May 14 11:39:29 2021 UDP link remote: [AF_INET]185.195.19.203:1195
Fri May 14 11:39:29 2021 TLS: Initial packet from [AF_INET]185.195.19.203:1195, sid=9940570e 7191c7bb
Fri May 14 11:39:29 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri May 14 11:39:29 2021 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Fri May 14 11:39:29 2021 VERIFY OK: nsCertType=SERVER
Fri May 14 11:39:29 2021 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-3732-0a, emailAddress=support@expressvpn.com
Fri May 14 11:39:29 2021 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-3732-0a, emailAddress=support@expressvpn.com
Fri May 14 11:39:29 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Fri May 14 11:39:29 2021 [Server-3732-0a] Peer Connection Initiated with [AF_INET]185.195.19.203:1195
Fri May 14 11:39:31 2021 SENT CONTROL [Server-3732-0a]: 'PUSH_REQUEST' (status=1)
Fri May 14 11:39:31 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.167.0.1,comp-lzo no,route 10.167.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.167.0.50 10.167.0.49,peer-id 11,cipher AES-256-GCM'
Fri May 14 11:39:31 2021 OPTIONS IMPORT: timers and/or timeouts modified
Fri May 14 11:39:31 2021 OPTIONS IMPORT: compression parms modified
Fri May 14 11:39:31 2021 OPTIONS IMPORT: --ifconfig/up options modified
Fri May 14 11:39:31 2021 OPTIONS IMPORT: route options modified
Fri May 14 11:39:31 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri May 14 11:39:31 2021 OPTIONS IMPORT: peer-id set
Fri May 14 11:39:31 2021 OPTIONS IMPORT: adjusting link_mtu to 1629
Fri May 14 11:39:31 2021 OPTIONS IMPORT: data channel crypto options modified
Fri May 14 11:39:31 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
Fri May 14 11:39:31 2021 NCP: overriding user-set keysize with default
Fri May 14 11:39:31 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri May 14 11:39:31 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri May 14 11:39:31 2021 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=wlp2s0 HWADDR=1c:1b:b5:46:ec:45
Fri May 14 11:39:31 2021 TUN/TAP device tun0 opened
Fri May 14 11:39:31 2021 TUN/TAP TX queue length set to 100
Fri May 14 11:39:31 2021 /sbin/ip link set dev tun0 up mtu 1500
Fri May 14 11:39:31 2021 /sbin/ip addr add dev tun0 local 10.167.0.50 peer 10.167.0.49
Fri May 14 11:39:31 2021 /usr/sbin/firewall_up tun0 1500 1557 10.167.0.50 10.167.0.49 init
Fri May 14 11:39:33 2021 /sbin/ip route add 185.195.19.203/32 via 192.168.0.1
Fri May 14 11:39:33 2021 /sbin/ip route add 0.0.0.0/1 via 10.167.0.49
Fri May 14 11:39:33 2021 /sbin/ip route add 128.0.0.0/1 via 10.167.0.49
Fri May 14 11:39:33 2021 /sbin/ip route add 10.167.0.1/32 via 10.167.0.49
Fri May 14 11:39:33 2021 Initialization Sequence Completed

First, thanks to Rfroes87 and Glenn Jackman. Using exec solved half the problem, but now I have a new one. I edited vpn_up as follows:

#!/bin/bash

exp_login=mylogin
exp_pass=mypass

config_file=$1

expect -c "

spawn openvpn --config $config_file --script-security 2 --up /etc/openvpn/update-systemd-resolved --down /etc/openvpn/update-systemd-resolved --dhcp-option 'DOMAIN-ROUTE .' --down-pre

expect \"Auth Username:\"
send \"$exp_login\r\";
expect \"for no echo)\"
send \"$exp_pass\r\";
expect \"Sequence Completed\"
exec /usr/sbin/firewall_up;
interact
"
Adding:

expect \"Sequence Completed\"
exec /usr/sbin/firewall_up;
That seems to have done it, except that I cannot connect to the internet. I can ping my own IP address, but nothing else can reach the internet. As far as I can tell, openvpn does not like being called from a script. If I type the following command from the shell:

 openvpn --config config_file --script-security 2 --up /etc/openvpn/update-systemd-resolved --down /etc/openvpn/update-systemd-resolved --dhcp-option 'DOMAIN-ROUTE .' --down-pre
I get the following output from openvpn:

Fri May 14 11:39:31 2021 /sbin/ip link set dev tun0 up mtu 1500
Fri May 14 11:39:31 2021 /sbin/ip addr add dev tun0 local 10.167.0.50 peer 10.167.0.49
Fri May 14 11:39:31 2021 /usr/sbin/firewall_up tun0 1500 1557 10.167.0.50 10.167.0.49 init
Fri May 14 11:39:33 2021 /sbin/ip route add 185.195.19.203/32 via 192.168.0.1
Fri May 14 11:39:33 2021 /sbin/ip route add 0.0.0.0/1 via 10.167.0.49
Fri May 14 11:39:33 2021 /sbin/ip route add 128.0.0.0/1 via 10.167.0.49
Fri May 14 11:39:33 2021 /sbin/ip route add 10.167.0.1/32 via 10.167.0.49
Fri May 14 11:39:33 2021 Initialization Sequence Completed
Fri May 14 13:18:04 2021 WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
Fri May 14 13:18:04 2021 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep  5 2019
Fri May 14 13:18:04 2021 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Enter Auth Username: mylogin
Enter Auth Password: ************************
Fri May 14 13:18:10 2021 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Fri May 14 13:18:10 2021 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri May 14 13:18:10 2021 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri May 14 13:18:10 2021 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri May 14 13:18:10 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]185.195.19.203:1195
Fri May 14 13:18:10 2021 Socket Buffers: R=[212992->425984] S=[212992->425984]
Fri May 14 13:18:10 2021 UDP link local: (not bound)
Fri May 14 13:18:10 2021 UDP link remote: [AF_INET]185.195.19.203:1195
Fri May 14 13:18:10 2021 TLS: Initial packet from [AF_INET]185.195.19.203:1195, sid=6dc3ebd7 4f71f9e5
Fri May 14 13:18:10 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri May 14 13:18:10 2021 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Fri May 14 13:18:10 2021 VERIFY OK: nsCertType=SERVER
Fri May 14 13:18:10 2021 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-3732-0a, emailAddress=support@expressvpn.com
Fri May 14 13:18:10 2021 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-3732-0a, emailAddress=support@expressvpn.com
Fri May 14 13:18:11 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Fri May 14 13:18:11 2021 [Server-3732-0a] Peer Connection Initiated with [AF_INET]185.195.19.203:1195
Fri May 14 13:18:12 2021 SENT CONTROL [Server-3732-0a]: 'PUSH_REQUEST' (status=1)
Fri May 14 13:18:12 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.167.0.1,comp-lzo no,route 10.167.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.167.0.86 10.167.0.85,peer-id 19,cipher AES-256-GCM'
Fri May 14 13:18:12 2021 OPTIONS IMPORT: timers and/or timeouts modified
Fri May 14 13:18:12 2021 OPTIONS IMPORT: compression parms modified
Fri May 14 13:18:12 2021 OPTIONS IMPORT: --ifconfig/up options modified
Fri May 14 13:18:12 2021 OPTIONS IMPORT: route options modified
Fri May 14 13:18:12 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri May 14 13:18:12 2021 OPTIONS IMPORT: peer-id set
Fri May 14 13:18:12 2021 OPTIONS IMPORT: adjusting link_mtu to 1629
Fri May 14 13:18:12 2021 OPTIONS IMPORT: data channel crypto options modified
Fri May 14 13:18:12 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
Fri May 14 13:18:12 2021 NCP: overriding user-set keysize with default
Fri May 14 13:18:12 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri May 14 13:18:12 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri May 14 13:18:12 2021 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=wlp2s0 HWADDR=1c:1b:b5:46:ec:45
Fri May 14 13:18:12 2021 TUN/TAP device tun0 opened
Fri May 14 13:18:12 2021 TUN/TAP TX queue length set to 100
Fri May 14 13:18:12 2021 /sbin/ip link set dev tun0 up mtu 1500
Fri May 14 13:18:12 2021 /sbin/ip addr add dev tun0 local 10.167.0.86 peer 10.167.0.85
Fri May 14 13:18:12 2021 /etc/openvpn/update-systemd-resolved tun0 1500 1557 10.167.0.86 10.167.0.85 init
<14>May 14 13:18:12 update-systemd-resolved: Link 'tun0' coming up
<14>May 14 13:18:12 update-systemd-resolved: Adding DNS Routed Domain .
<14>May 14 13:18:12 update-systemd-resolved: Adding IPv4 DNS Server 10.167.0.1
<14>May 14 13:18:12 update-systemd-resolved: SetLinkDNS(15 1 2 4 10 167 0 1)
<14>May 14 13:18:12 update-systemd-resolved: SetLinkDomains(15 1 . true)
Fri May 14 13:18:14 2021 /sbin/ip route add 185.195.19.203/32 via 192.168.0.1
Fri May 14 13:18:14 2021 /sbin/ip route add 0.0.0.0/1 via 10.167.0.85
Fri May 14 13:18:14 2021 /sbin/ip route add 128.0.0.0/1 via 10.167.0.85
Fri May 14 13:18:14 2021 /sbin/ip route add 10.167.0.1/32 via 10.167.0.85
Fri May 14 13:18:14 2021 Initialization Sequence Completed
The difference seems to be that in the first case (without the script) I get:

<14>May 14 13:18:12 update-systemd-resolved: Adding DNS Routed Domain .

and in the second case (with the script) I get:

<12>May 14 13:20:15 update-systemd-resolved: Not a recognized DHCP setting: ''DOMAIN-ROUTE .''

This difference makes my firewall script work in the first case and block all internet access in the second.

Any idea why? Thanks
Kathy
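The 11:39 log above shows /usr/sbin/firewall_up being called as the --up hook before the ip route add lines, so the curl to ifconfig.me still leaves over the original route. As an added example that is not the asker's or OpenVPN's own code, here is a firewall_up written for OpenVPN's --route-up hook instead, which runs after the routes have been added; it takes the tunnel device and the server endpoint from the variables OpenVPN exports to its scripts (dev, trusted_ip, trusted_port, proto_1) and keeps the path /usr/sbin/firewall_up from the question.

```bash
#!/bin/bash
# Added example, not the asker's script: a firewall_up meant to be run by
# OpenVPN as its --route-up hook, which fires after the routes have been
# added (the --up hook used in the question fires before them). The tunnel
# device and the VPN server endpoint come from the variables OpenVPN exports
# to its scripts (dev, trusted_ip, trusted_port, proto_1), so nothing has to
# be fetched from ifconfig.me and no temporary file is needed.
#
# Invocation from vpn_up (path /usr/sbin/firewall_up as in the question):
#   openvpn --config "$config_file" --script-security 2 \
#           --route-up /usr/sbin/firewall_up ...
# DRY_RUN=1 prints the rules instead of applying them.
set -eu

# Emit the kill-switch rule set, one "iptables ..." command per line.
# Arguments: tunnel device, server IP, server port, protocol (udp*/tcp*).
build_rules() {
    local dev="$1" ip="$2" port="$3" proto="${4:-udp}"
    # OpenVPN reports e.g. "udp", "udp4" or "tcp-client"; iptables wants udp/tcp.
    case "$proto" in tcp*) proto=tcp ;; *) proto=udp ;; esac
    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i $dev -j ACCEPT
iptables -A OUTPUT -o $dev -j ACCEPT
iptables -A OUTPUT -p $proto -d $ip --dport $port -j ACCEPT
iptables -A INPUT -p $proto -s $ip --sport $port -j ACCEPT
EOF
}

# Apply the rules from build_rules, or just print them when DRY_RUN=1.
apply_rules() {
    build_rules "$@" | while IFS= read -r line; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf '%s\n' "$line"
        else
            $line   # word-split on purpose: the line is our own command
        fi
    done
}

main() {
    # Refuse to run from any other hook: --up runs before the default route
    # points into the tunnel, so a kill switch applied there is premature.
    if [ "${script_type:-}" != "route-up" ]; then
        echo "firewall_up: expected script_type=route-up, got '${script_type:-}'" >&2
        return 1
    fi
    apply_rules "${dev:?}" "${trusted_ip:?}" "${trusted_port:?}" "${proto_1:-udp}"
}

# OpenVPN sets script_type for every script it calls; run by hand without it,
# this file only defines the functions above.
if [ -n "${script_type:-}" ]; then
    main
fi
```

Separately from this script: inside expect -c, Tcl does not strip single quotes, so the spawn line hands openvpn the literal words 'DOMAIN-ROUTE and .', which is what the ''DOMAIN-ROUTE .'' in the second log reflects. Writing --dhcp-option DOMAIN-ROUTE . (two words, no quotes) in the spawn line gives openvpn the same two arguments the shell command does.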

Perhaps you could try using exec after a successful authentication. Does the vpn_up script return? Show more detail of the openvpn output. I think you need to expect some pattern that indicates success and then, as Rfroes87 suggested, use exec to launch the firewall script.