Saturday, 29 October 2016

Using the minivtun VPN to get through the firewall

A fast, secure and reliable VPN service using a non-standard protocol, for rapidly deploying VPN servers/clients or getting through firewalls.

Key features

  • Fast: direct UDP encapsulation, with no complex authentication handshake.
  • Secure: both the header and the tunnel payload are encrypted, so there is no cleartext protocol signature for a firewall to match on; the tunnel can still be cut off by blocking UDP altogether, and encryption does not hide flow-level characteristics (peer address, port, packet timing). Spoofed packets from an unauthorized peer are dropped immediately. Note that the key is a static shared password (-e) with no key exchange: anyone who obtains it can read and inject tunnel traffic, so treat it as a credential.
  • Reliable: after a session has died, communication resumes with the next packet received from the client, which makes the connection extremely reliable.
  • Rapid to deploy: a single standalone program; all configuration is given on the command line with very few options.

Installation for Linux

Install required development components
sudo apt-get install build-essential libssl-dev   # for Ubuntu / Debian
sudo yum install make gcc openssl-devel   # for CentOS / Fedora / RedHat
Compile and install
git clone https://github.com/rssnsj/minivtun.git minivtun
cd minivtun/src
make   (this builds the executable minivtun in the current directory)
make install   (this step is optional)

Installation for Mac OS X

Install TUNTAP driver for Mac OS X: http://tuntaposx.sourceforge.net/
Compile and install
git clone https://github.com/rssnsj/minivtun.git minivtun
cd minivtun/src
make   (this builds the executable minivtun in the current directory)
./minivtun -h

Usage

Mini virtual tunneller in non-standard protocol.
Usage:
  minivtun [options]
Options:
  -l, --local <ip:port>               IP:port for server to listen
  -r, --remote <ip:port>              IP:port of server to connect
  -a, --ipv4-addr <tun_lip/tun_rip>   pointopoint IPv4 pair of the virtual interface
                  <tun_lip/pfx_len>   IPv4 address/prefix length pair
  -A, --ipv6-addr <tun_ip6/pfx_len>   IPv6 address/prefix length pair
  -m, --mtu <mtu>                     set MTU size, default: 1300.
  -t, --keepalive <keepalive_timeo>   interval of keep-alive packets, default: 13
  -n, --ifname <ifname>               virtual interface name
  -p, --pidfile <pid_file>            PID file of the daemon
  -e, --key <encryption_key>          shared password for data encryption
  -v, --route <network/prefix=gateway>
                                      route a network to a client address, can be multiple
  -w, --wait-dns                      wait for DNS resolve ready after service started.
  -d, --daemon                        run as daemon process
  -h, --help                          print this help

Examples

Server: Run a VPN server on port 1414, with local virtual address 10.7.0.1, client address space 10.7.0.0/24, encryption password 'Hello':
/usr/sbin/minivtun -l 0.0.0.0:1414 -a 10.7.0.1/24 -e Hello -d
Client: Connect VPN to the above server (assuming address vpn.abc.com), with local virtual address 10.7.0.33:
/usr/sbin/minivtun -r vpn.abc.com:1414 -a 10.7.0.33/24 -e Hello -d
Multiple clients on different devices can be connected to the same server:
/usr/sbin/minivtun -r vpn.abc.com:1414 -a 10.7.0.34/24 -e Hello -d
/usr/sbin/minivtun -r vpn.abc.com:1414 -a 10.7.0.35/24 -e Hello -d
/usr/sbin/minivtun -r vpn.abc.com:1414 -a 10.7.0.36/24 -e Hello -d
...
from https://github.com/rssnsj/minivtun
----------------

The minivtun client for Windows: minivtun-win

minivtun is a tiny layer-3 VPN service for POSIX platforms; this is a Windows client for it.
IPv6 tunnels and point-to-point mode are not supported, due to limitations of the Windows TAP driver.

Installation

Install windows tap driver

precompiled binary: 

Install required development components

Python 2.7, with the Python packages ipaddress, pywin32 and M2Crypto

Compile and pack

python setup.py py2exe

Usage

Mini virtual tunneller in non-standard protocol.
Usage:
  minivtun [options]
Options:
  -r, --remote <ip:port>            IP:port of server to connect
  -a, --ipv4-addr <tun_lip/pfx_len> IPv4 address/prefix length pair
  -k, --keepalive <keepalive_timeo> seconds between sending keep-alive packets, default: 13
  -t, --type <encryption_type>      encryption type, default: aes_128_cbc
  -e, --key <encrypt_key>           shared password for data encryption (if this option is missing, turn off encryption)
  -d                                run as daemon process
  -h, --help                        print this help
Supported encryption types:
  rc4, des, desx, aes-256, aes-128

Examples

Client: Connect VPN to the server (assuming address vpn.abc.com), with local virtual address 10.7.0.33, encryption with password "Hello":
python tun.py -r vpn.abc.com:1414 -a 10.7.0.33/24 -e Hello 
Client: Connect VPN to the server (assuming address vpn.abc.com), with local virtual address 10.7.0.33, no encryption:
python tun.py -r vpn.abc.com:1414 -a 10.7.0.33/24 
from https://github.com/boytm/minivtun-win
https://libraries.io/github/boytm/minivtun-win
---------------
Using minivtun for point-to-point NAT traversal between non-public addresses: reaching the home router from school with ease. Typical uses are:
  • offline downloads on the home router
  • watching a web camera at home
  • changing router settings remotely
  • remotely controlling "smart home" devices attached to the router
Consider only the following topology. The goal of this article is to let router C reach router A, so that C can control A remotely. A is a non-smart router running a non-OpenWrt firmware; an OpenWrt router B is attached below A.
The prerequisites are that A and C can both reach the VPS, and that B is working normally.

Mutual access over minivtun

minivtun is the tun point-to-point tunnel program I use regularly; it works on the same principle as ShadowVPN and can also serve as a circumvention proxy. My port, minivtun-openwrt, can be compiled and installed on the router yourself.
Compile and install as documented, then run the server on the VPS listening on port 555:
/usr/sbin/minivtun -l 0.0.0.0:555 -a 172.16.0.1/24 -e password -n mv0 -d
Routers B and C likewise use minivtun to connect to the VPS; here the network device is named mv001:
# Router B: ip 172.16.0.3
/usr/sbin/minivtun -r [YOUR_VPS]:555 -a 172.16.0.3/24 -e password -n mv001 -d

# Router C: ip 172.16.0.55
/usr/sbin/minivtun -r [YOUR_VPS]:555 -a 172.16.0.55/24 -e password -n mv001 -d
All three nodes share the one password, so any host that has it can join the 172.16.0.0/24 tunnel network; keep it as secret as an SSH password.
Use ping or a similar tool to check that router B can reach the VPS:
ping 172.16.0.1

OpenWrt port forwarding

All three steps below are performed on router B.

Create an interface

Under Network -> Interfaces, add an interface. The name is arbitrary; here it is minivtun_intf. Set the protocol to DHCP client and manually enter mv001 as the physical interface to bind (the minivtun start-up parameters above set the network device to mv001).
Check that this interface, minivtun_intf, has obtained the correct address 172.16.0.3/24 and that the Tx/Rx counters are changing, i.e. that traffic is passing through it.

Inbound firewall

Switch to Network -> Firewall -> General and add a new zone, named arbitrarily, here minivtun. Set all three of input, output and forward to accept, and tick masquerading and MSS clamping so that the router masquerades. Under Covered Networks only two need to be ticked: minivtun_intf, which is the source and is required, and the destination, which is WAN or LAN as needed. To reach the OpenWrt LAN, tick LAN; to reach the WAN side (for example the upstream router), tick WAN.
Because I use B to reach the upstream router A, I ticked WAN.
Note that with input set to accept, every peer on the tunnel (anyone holding the shared password) can reach router B's own services, such as LuCI and SSH on 172.16.0.3; set input to reject if that is not what you want.

Port forwarding

Switch to Network -> Firewall -> Port Forwards and create a new forwarding rule.
The external port is arbitrary (for example, if the external port is 444, then accessing 172.16.0.3:444 over minivtun from router C triggers the forwarding rule).

Item            Note                                        My value
Name            arbitrary                                   minivtun_port_fwd
External zone   the inbound firewall zone created above     minivtun
External port   the port exposed to external access         800
Internal zone   destination zone                            LAN
Internal IP     destination address                         192.168.200.1
Internal port   destination port                            800

The internal zone should be the zone that actually contains the internal IP, i.e. the destination network you ticked as covered in the previous step.

Testing

From a browser on router C's side, enter http://172.16.0.3:800 to reach port 800 on router A.
from http://lixingcong.github.io/2016/10/03/openwrt-port-forward/
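The three LuCI steps above, expressed as a `uci batch` script for router B. This is an added example, not code from the original post or from the minivtun project. It assumes the names used in the post (tun device mv001, interface minivtun_intf, zone minivtun, target 192.168.200.1:800) and the stock OpenWrt zone names lan and wan; the only deliberate differences from the post are that the interface uses proto 'none' (minivtun itself already assigns 172.16.0.3/24 to mv001) and that the zone's input and forward policies stay REJECT, with forwarding into the destination zone granted explicitly, so other tunnel peers cannot reach router B's own services.

```sh
#!/bin/sh
# Added example: generate the UCI configuration for the post's three steps.
# Names/addresses below are the post's values and are assumptions for your setup.

TUN_DEV="mv001"            # device created by: minivtun ... -n mv001
VPN_NET="minivtun_intf"    # logical interface name (arbitrary)
VPN_ZONE="minivtun"        # firewall zone name (arbitrary)
DEST_ZONE="lan"            # zone that actually contains TARGET_IP (post used LAN)
TARGET_IP="192.168.200.1"  # router A
EXT_PORT="800"             # port on 172.16.0.3 that router C connects to
INT_PORT="800"             # port on router A

# Emit the uci batch commands on stdout (nothing is applied here).
gen_uci_batch() {
    # Step 1: logical interface bound to the tun device. 'ifname' is the
    # pre-21.02 option name (the post is from 2016); newer OpenWrt uses 'device'.
    cat <<EOF
set network.$VPN_NET=interface
set network.$VPN_NET.proto='none'
set network.$VPN_NET.ifname='$TUN_DEV'
EOF
    # Step 2: a zone for the tunnel. input=REJECT keeps LuCI/SSH on 172.16.0.3
    # away from other tunnel peers; masq + mtu_fix match the post's two checkboxes.
    # The explicit forwarding section is what "ticking WAN/LAN as covered" gives
    # you in LuCI; drop it to limit peers to the DNAT'd port only.
    cat <<EOF
add firewall zone
set firewall.@zone[-1].name='$VPN_ZONE'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
set firewall.@zone[-1].masq='1'
set firewall.@zone[-1].mtu_fix='1'
add_list firewall.@zone[-1].network='$VPN_NET'
add firewall forwarding
set firewall.@forwarding[-1].src='$VPN_ZONE'
set firewall.@forwarding[-1].dest='$DEST_ZONE'
EOF
    # Step 3: DNAT 172.16.0.3:EXT_PORT -> TARGET_IP:INT_PORT for tunnel peers.
    cat <<EOF
add firewall redirect
set firewall.@redirect[-1].name='minivtun_port_fwd'
set firewall.@redirect[-1].target='DNAT'
set firewall.@redirect[-1].src='$VPN_ZONE'
set firewall.@redirect[-1].src_dport='$EXT_PORT'
set firewall.@redirect[-1].dest='$DEST_ZONE'
set firewall.@redirect[-1].dest_ip='$TARGET_IP'
set firewall.@redirect[-1].dest_port='$INT_PORT'
set firewall.@redirect[-1].proto='tcp'
commit network
commit firewall
EOF
}

# Run this on router B (after minivtun has created mv001) to apply the config.
apply_on_router() {
    gen_uci_batch | uci batch \
        && /etc/init.d/network reload \
        && /etc/init.d/firewall reload
}
```

Review the output with `gen_uci_batch` first, then call `apply_on_router` on router B. Afterwards `uci show firewall | grep redirect` should list the rule, and the test from the post (http://172.16.0.3:800 from router C's side) should reach router A.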
----------
A simple tunnel for Linux. This repo is an unofficial port of minivtun for OpenWrt.

minivtun-openwrt

A fast, secure and reliable VPN service using a non-standard protocol, for rapidly deploying VPN servers/clients or getting through firewalls. Created by @rssnsj.
It is a very simple point-to-point tunnel client/server, less than 20 kB in size.
This repo is an unofficial port for OpenWrt; if you prefer the official one, please visit minivtun-tools.
The default route and init.d files were copied from openwrt-shadowvpn. I am so lazy!

For Linux

The official compile guide is shown below.
Install devel libs
# ubuntu
sudo apt-get install build-essential libssl-dev
# CentOS
sudo yum install make gcc openssl-devel
Compile and install
git clone https://github.com/rssnsj/minivtun.git minivtun
cd minivtun/src
make
sudo make install
Run and listen (my script is copied from shadowvpn, not official)
# modify your listening port and password, etc.
cd minivtun/linux-server
vi run.sh

# use bash to run, not sh
bash run.sh
If you want to run as a Linux client, do the same as for linux-server but inside the linux-client folder. You can turn China-route mode on by setting isUseRouteFile to True.
Enjoy it!

Compile for OpenWrt (client side)

# ar71xx platform
tar xjf OpenWrt-SDK-ar71xx-for-linux-x86_64-gcc-4.8-linaro_uClibc-0.9.33.2.tar.bz2
cd OpenWrt-SDK-ar71xx-*
cd openwrt
git clone https://github.com/lixingcong/minivtun-openwrt package/minivtun-openwrt

# Select Network -> minivtun
make menuconfig
make package/minivtun-openwrt/compile V=99

Configuration for Openwrt

Change password or port
vi /etc/config/minivtun
# Switch: enable = 1 or 0
Restart service
/etc/init.d/minivtun restart
Use Chnroute.txt
As with ShadowVPN or Shadowsocks, chnroute.txt is available for Chinese users to change routes.
Please visit openwrt-shadowvpn for more details on route mode.
# update route file
wget -O- 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | awk -F\| '/CN\|ipv4/ { printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > /tmp/chinadns_chnroute.txt
cp /tmp/chinadns_chnroute.txt /etc/

vi /etc/config/minivtun
# set the route-mode to 1 (Domestic Mode)
# set route-file to /etc/chinadns_chnroute.txt

/etc/init.d/minivtun restart
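A more careful version of the "update route file" step above, as an added example (not code from minivtun-openwrt or its README). The one-liner derives the prefix length as 32-log(n)/log(2) and prints it with %d, which truncates whatever floating-point rounding produces, and it assumes every allocation size is a power of two. This variant computes the prefix with integer arithmetic and, if an allocation size is not a power of two, splits it into the minimal set of aligned CIDR blocks instead of emitting a wrong prefix. The sample input is constructed here to exercise those cases; the file URL and output paths are the ones used in the README.

```sh
#!/bin/sh
# Added example: delegated-apnic-latest -> CN IPv4 CIDR list.
# Input line format: registry|cc|type|start|value|date|status

# Reads delegated-* lines on stdin, writes "a.b.c.d/len" lines for CN IPv4 on stdout.
apnic_to_cidr() {
    awk -F'|' '$2=="CN" && $3=="ipv4" {
        split($4, o, ".")
        ip = ((o[1]*256 + o[2])*256 + o[3])*256 + o[4]   # start address as integer
        n  = $5 + 0                                       # number of addresses
        while (n > 0) {
            # largest power-of-two block that starts at ip (aligned) and fits in n
            size = 1
            while (size*2 <= n && ip % (size*2) == 0) size *= 2
            len = 32
            for (s = size; s > 1; s /= 2) len--
            printf("%d.%d.%d.%d/%d\n",
                   int(ip/16777216)%256, int(ip/65536)%256, int(ip/256)%256, ip%256, len)
            ip += size
            n  -= size
        }
    }'
}

# Constructed sample (not real registry data): a /24, a /21, a non-power-of-two
# block of 768 addresses, plus non-CN and IPv6 lines that must be ignored.
SAMPLE_APNIC='apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|JP|ipv4|1.0.16.0|4096|20110412|allocated
apnic|CN|ipv4|1.0.8.0|2048|20110412|allocated
apnic|CN|ipv4|1.1.2.0|768|20110414|allocated
apnic|CN|ipv6|2001:250::|35|20000426|allocated'

# Converts the sample; expected output is
#   1.0.1.0/24  1.0.8.0/21  1.1.2.0/23  1.1.4.0/24  (one per line)
demo_cidr() {
    printf '%s\n' "$SAMPLE_APNIC" | apnic_to_cidr
}

# Same download/copy steps as the README, with the robust converter in between.
update_chnroute() {
    wget -O- 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' \
        | apnic_to_cidr > /tmp/chinadns_chnroute.txt \
        && cp /tmp/chinadns_chnroute.txt /etc/
}
```

Run `demo_cidr` on any Linux host to see the splitting behaviour, and `update_chnroute` on the router in place of the README's wget/awk pipeline; then set route-mode and route-file in /etc/config/minivtun and restart the service as described above.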

Luci-app

A luci-app-minivtun is available; please visit openwrt-dist-luci.

Wiki

Please visit the official page: minivtun
from https://github.com/lixingcong/minivtun-openwrt