
Saturday 24 November 2012

Using an SSH tunnel as a front proxy to connect to OpenVPN, then crossing the GFW through OpenVPN (no longer works)

On the same Linux VPS, connect to OpenVPN through an SSH tunnel. This counters the GFW's defeat of certificate-mode OpenVPN, so the client can connect to the OpenVPN server normally.
(This really is a good method; I tested it successfully!)


  • Modify the server vpn configuration file by adding proto tcp-server
  • Start the VPN server
  • Modify the client by changing the first line to remote localhost and adding the line proto tcp-client
  • Tunnel your local port 1194 (what OpenVPN uses) to 1194 on the machine you want to access – via the web server hosting the SSH daemon:
    ssh -L 1194:vpnserver:1194 user@webserver
  • Start the VPN client

  • The original is http://www.classy.dk/hacks/archives/002287.html. Below is my translation, with some additions.
    First, in your OpenVPN client configuration file, remove the line of the form "remote <VPN server address> <port>" and replace it with "remote localhost 2194".
    Then, on a Windows desktop, run the command:
    plink.exe -L 2194:<VPN server address>:<VPN port> <username>@<SSH host> -pw <password> -P <SSH port>

    You can save that plink.exe command line as a .bat file, put it in the same folder as plink.exe, and from then on just double-click the .bat file. Keep in mind that -pw leaves the SSH password in plain text in that file; on a shared machine use a key pair instead (plink -i <key.ppk>), and accept the SSH host key only on a first connection you trust, since the SSH session is the only thing protecting the OpenVPN handshake from the GFW.

    The -L option means: forward local port 2194 on this machine, through the SSH server, to the VPN server's port.

    Finally, start the OpenVPN client.

    Note: SSH port forwarding does not carry UDP, so OpenVPN's connection protocol must be changed to TCP for the connection to succeed (the protocol has to be changed to TCP in both the server-side and the client-side configuration files). This also stacks TCP inside TCP, so expect throughput to drop noticeably on lossy links.
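    As an added example (not code from this post or from classy.dk), the following bash script automates the client side of the procedure above and of the five classy.dk steps quoted earlier: it rewrites an existing client .ovpn so that every remote line points at localhost:2194 and the protocol is tcp-client, checks the result before anything is started, and opens the SSH forward with key authentication and ExitOnForwardFailure instead of a plain-text -pw password. The host names, key path and file names are placeholders (assumptions), and the .ovpn content in the usage note is constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post or from classy.dk.
# Automates the client side of "OpenVPN through an SSH -L forward":
#   1. rewrite the client .ovpn to use  remote localhost 2194  and  proto tcp-client
#   2. check the rewritten file before starting anything
#   3. open the forward  127.0.0.1:2194 -> sshhost -> vpnserver:vpnport  with key auth
# All host names, key paths and file names below are placeholders (assumptions).
set -eu

LOCAL_PORT=2194   # local end of the tunnel; must match the "remote localhost" line

# patch_client_config <in.ovpn> <out.ovpn>
# - every "remote <host> [port] [proto]" line becomes "remote localhost 2194"
#   ("remote-random", "remote-cert-tls" etc. are untouched: no whitespace after "remote")
# - "proto udp"/"proto udp4"/"proto udp6" becomes "proto tcp-client" (ssh -L forwards TCP only)
# - "explicit-exit-notify" is dropped: it is a UDP-only option
# - if the file had no proto line at all (OpenVPN would default to UDP), one is appended
patch_client_config() {
    local in="$1" out="$2"
    sed -E \
        -e "s/^[[:space:]]*remote[[:space:]]+.*/remote localhost ${LOCAL_PORT}/" \
        -e 's/^[[:space:]]*proto[[:space:]]+udp([46])?[[:space:]]*$/proto tcp-client/' \
        -e '/^[[:space:]]*explicit-exit-notify/d' \
        "$in" > "$out"
    grep -qE '^[[:space:]]*proto[[:space:]]' "$out" || echo 'proto tcp-client' >> "$out"
}

# check_client_config <file.ovpn>
# Returns 0 only if the client will talk exclusively to localhost:2194 over TCP,
# i.e. nothing can leak an OpenVPN handshake onto the wire outside the SSH session.
check_client_config() {
    local cfg="$1"
    # still UDP anywhere -> unusable through ssh -L
    if grep -qE '^[[:space:]]*proto[[:space:]]+udp' "$cfg"; then return 1; fi
    # must have at least one remote, and every remote must be the tunnel end
    grep -qE '^[[:space:]]*remote[[:space:]]' "$cfg" || return 1
    if grep -E '^[[:space:]]*remote[[:space:]]' "$cfg" \
        | grep -vqE "^[[:space:]]*remote[[:space:]]+localhost[[:space:]]+${LOCAL_PORT}([[:space:]]|$)"; then
        return 1
    fi
    return 0
}

# open_tunnel <user@sshhost> <vpnserver> <vpnport> [identity_file]
# Key-based equivalent of the page's  plink -L 2194:vpnserver:port user@host -pw ...  line:
#   -N                        no remote command, forwarding only
#   -f                        go to background after authentication
#   -o ExitOnForwardFailure   fail loudly instead of running with no forward
#   -o StrictHostKeyChecking  refuse an unknown or changed host key (the SSH session is the security boundary)
#   bind to 127.0.0.1 so other hosts on the LAN cannot use the forward
open_tunnel() {
    local target="$1" vpn_host="$2" vpn_port="$3" key="${4:-$HOME/.ssh/id_ed25519}"
    ssh -N -f \
        -o ExitOnForwardFailure=yes \
        -o StrictHostKeyChecking=yes \
        -i "$key" \
        -L "127.0.0.1:${LOCAL_PORT}:${vpn_host}:${vpn_port}" \
        "$target"
}

# Typical run (hypothetical hosts; openvpn needs root to create the tun device):
#   patch_client_config client.ovpn client-tunnel.ovpn
#   check_client_config client-tunnel.ovpn || { echo 'config not tunnel-safe'; exit 1; }
#   open_tunnel user@webserver.example.net vpnserver.example.net 1194
#   sudo openvpn --config client-tunnel.ovpn
```

    The server side still needs `proto tcp-server` as the steps say; the check function is deliberately strict (any remaining non-localhost remote or UDP proto fails it) because a single leftover `remote` line would make the client send its handshake directly to the VPN server, outside the SSH session, which is exactly what the tunnel is meant to avoid.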
    ------------------------------------------

    OpenVPN tunneling over SSH

    The classy.dk kitchen server sits behind an ADSL router provided by my ISP. That router is sensibly almost closed with only FTP, HTTP, SMTP and DNS ports open by default and none of these mapped to NATted addresses that are assigned by default through DHCP on the router. I'm fine with that even if it is stupid ISP control of my actions - less security threats to worry about, and I can actually turn on windows on new machines without being owned by virus after 5 seconds.
    The only server I have setup to listen to inbound traffic is the old warhorse classy.dk web server (and yes it is in fact located in my kitchen like it says on the blog).
    Occasionally I'd like to access resources on other machines on the net though and that just blows. The problem is that the other machines sometimes run windows and most certainly shouldn't be listening to network traffic. I could use SSH tunneling via the webserver and then a terminal emulator to look at the hidden machines, but that's just annoying. I want full access with file browsing. The works.
    A real VPN is needed but which one, how to set it up and how to pass it through an interface on the webserver?
    Here's a way: OpenVPN with SSH tunneling.
    Since I'm not talking more than one machine at a time I can just use the simple point to point setup with a static key. I want to modify the howto to work through an SSH tunnel.

    1. Modify the server vpn configuration file by adding proto tcp-server
    2. Start the VPN server
    3. Modify the client by changing the first line to remote localhost and adding the line proto tcp-client
    4. Tunnel your local port 1194 (what OpenVPN uses) to 1194 on the machine you want to access - via the web server hosting the SSH daemon:
      ssh -L 1194:vpnserver:1194 user@webserver
    5. Start the VPN client

    That's it. Great stuff I've been looking for. Now I can drop files to and from servers at home that are safely stashed away out of reach of the wild and dangerous internets.
    from http://www.classy.dk/hacks/archives/002287.html