下面我将在树莓派上安装并配置hans, 下篇文章再介绍kcptun. 只要把树莓派设为默认网关, 局域网内所有设备科学上网.
ProTip: 首先使用手机3G流量, 开放Hotspot供电脑使用, 安装软件后即可停止.
我的补充说明:
在linux vps上。
git clone
ProTip: 首先使用手机3G流量, 开放Hotspot供电脑使用, 安装软件后即可停止.
How It Works
- GFW(iWiFi):
- allow: icmp,dns
- deny: all
- Server:
- eth0: 1.2.3.4
- tun0: 10.1.2.1
- RPi:
- eth0: 192.168.31.177
- tun0: 10.1.2.100
- Client:
- eth0: 192.168.31.102
Client(Firefox) -> RPi(ss-local&hans-client) -> GFW -> Server(ss-server&hans-server) -> Internet
Compile
$ wget https://github.com/friedrich/hans/archive/v0.4.4.tar.gz
$ tar xzf hans-0.4.4.tar.gz
$ cd hans-0.4.4
$ make
$ cp hans /usr/local/bin/
Run
$ hans
Hans - IP over ICMP version 0.4.4
RUN AS SERVER
hans -s network [-fvr] [-p password] [-u unprivileged_user] [-d tun_device] [-m reference_mtu] [-a ip]
RUN AS CLIENT
hans -c server [-fv] [-p password] [-u unprivileged_user] [-d tun_device] [-m reference_mtu] [-w polls]
ARGUMENTS
-s network Run as a server with the given network address for the virtual interface. Linux only!
-c server Connect to a server.
-f Run in foreground.
-v Print debug information.
-r Respond to ordinary pings. Only in server mode.
-p password Use a password.
-u username Set the user under which the program should run.
-d device Use the given tun device.
-m mtu Use this mtu to calculate the tunnel mtu.
The generated echo packets will not be bigger than this value.
Has to be the same on client and server. Defaults to 1500.
-w polls Number of echo requests the client sends to the server for polling.
0 disables polling. Defaults to 10.
-i Change the echo id for every echo request.
-q Change the echo sequence number for every echo request.
-a ip Try to get assigned the given tunnel ip address.
Systemd
Unit File
# /etc/systemd/system/hans.service
[Unit]
Description=IP over ICMP
After=network.target
[Service]
EnvironmentFile=/etc/default/hans
ExecStart=/usr/local/bin/hans $HANS_OPTS
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
Server Config
# /etc/default/hans
HANS_OPTS="-f -s 10.1.2.0 -p password"
Client Config
# /etc/default/hans
HANS_OPTS="-f -c 1.2.3.4 -p password"
Server Setup
$ systemctl daemon-reload
$ systemctl start hans.service
$ ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.1.2.1 P-t-P:10.1.2.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1467 Metric:1
RX packets:4629 errors:0 dropped:0 overruns:0 frame:0
TX packets:4620 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:622863 (608.2 KiB) TX bytes:3991862 (3.8 MiB)
Client Setup
$ systemctl daemon-reload
$ systemctl start hans.service
$ ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.1.2.100 P-t-P:10.1.2.100 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1467 Metric:1
RX packets:617 errors:0 dropped:0 overruns:0 frame:0
TX packets:641 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:441280 (430.9 KiB) TX bytes:93441 (91.2 KiB)
$ ping 10.1.2.1
PING 10.1.2.1 (10.1.2.1) 56(84) bytes of data.
64 bytes from 10.1.2.1: icmp_seq=1 ttl=64 time=145 ms
^C
Socks5 Setup
$ cat /etc/shadowsocks-libev/config.json
{
"server": "10.1.2.1",
"server_port": 8388,
"local_address": "0.0.0.0",
"local_port": 1080,
"password": "********",
"timeout": 60,
"method": "chacha20",
"auth": true
}
$ nc -v 10.1.2.1 8388
Connection to 10.1.2.1 8388 port [tcp/*] succeeded!
^C
$ systemctl start shadowsocks-libev-local@config
$ curl -x socks5h://127.0.0.1:1080 ifconfig.co
1.2.3.4
SSH Setup
# ~/.ssh/config
Host github.com
HostName github.com
ProxyCommand nc -x 192.168.31.177 %h %p
Default Gateway
Server
$ iptables -t nat -A POSTROUTING -o eth0 -s 10.1.2.0/24 -j MASQUERADE
RPi
$ ip route add 1.2.3.4 via 192.168.31.1 $ ip route add 0.0.0.0/1 via 10.1.2.1
$ ip route add 128.0.0.0/1 via 10.1.2.1
$ ip route
0.0.0.0/1 via 10.1.2.1 dev tun0
default via 192.168.31.1 dev wlan0
10.1.2.0/24 dev tun0 proto kernel scope link src 10.1.2.100
1.2.3.4 via 192.168.31.1 dev wlan0
128.0.0.0/1 via 10.1.2.1 dev tun0
$ host ifconfig.co
ifconfig.co has address 188.113.88.193
ifconfig.co has IPv6 address 2001:16d8:ee03::cafe:d00d
$ ip route get 188.113.88.193
188.113.88.193 via 10.1.2.1 dev tun0 src 10.1.2.100
cache
$ curl ifconfig.co
1.2.3.4
$ iptables -t nat -A POSTROUTING -o tun0 -s 192.168.31.0/24 -j MASQUERADE
Client
$ sudo route change default 192.168.31.177
$ sudo networksetup -setdnsservers Wi-Fi 8.8.8.8
$ host ifconfig.co
ifconfig.co has address 188.113.88.193
ifconfig.co has IPv6 address 2001:16d8:ee03::cafe:d00d
$ route get 188.113.88.193
route to: 188.113.88.193
destination: 188.113.88.193
gateway: 192.168.31.177
interface: en0
$ curl ifconfig.co
1.2.3.4 我的补充说明:
在linux vps上。
git clone
https://github.com/friedrich/hanscd hansmake(会在当前目录下,生成可执行文件hans)./hans -s 10.1.2.1 -p mypassword -r会显示:./hans: opened tunnel device: tun4
./hans: detaching from terminaliptables -t nat -A POSTROUTING -s 10.1.2.1/24 -o eth0 -j MASQUERADE
服务器端搭建完成。在客户机器mac上。git clone
https://github.com/friedrich/hanscd hansmake(会在当前目录下,生成可执行文件hans)sudo ./hans -c vps-public-ip -p mypasswordsudo route delete default && sudo route add default 10.1.2.1 && sudo route add vps-public-ip 192.168.1.1 && sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1运行ss
Hans runs on Linux as a client and a server. It runs on Mac OS X, iPhone/iPod touch, FreeBSD, OpenBSD and Windows as a client only.
Is is inspired by icmptx and adds some features:
Browse the source and contribute on Github.
View the changelog.
To compile hans, unpack it and run "make":
Now you can run a proxy on the server or let it act as a router and use NAT to allow the clients to access the Internet.
On Windows you must run your command prompt as Administrator in order for hans to work.
from http://code.gerade.org/hans/
sudo ~/goproxy-by-snail007/proxy dns -S socks -T tcp -P 127.0.0.1:1080 -p :53
这样,即可用vpn程序Hans翻墙。
项目地址:https://github.com/friedrich/hans(its fork:https://github.com/vdveer/pingtunnel)
很类似的项目:https://github.com/milesdevis/Icmp_tunnel (只能运行在linux桌面系统上)-------------------------------------------Hans 'IP over ICMP'
Hans makes it possible to tunnel IPv4 through ICMP echo packets, so you could call it a ping tunnel. This can be useful when you find yourself in the situation that your Internet access is firewalled, but pings are allowed.Hans runs on Linux as a client and a server. It runs on Mac OS X, iPhone/iPod touch, FreeBSD, OpenBSD and Windows as a client only.
Is is inspired by icmptx and adds some features:
Features
- Reliability: Hans works reliably in situations when the client is behind a firewall that allows only one echo reply per request.
- Security: Hans uses a challenge-response based login mechanism.
- Multiple clients: Hans currently supports up to 253 clients, which is the number of available IPs on the virtual subnet.
- Easy setup: Hans automatically assigns IP addresses.
Get Hans
Hans source. Hans Mac OS X binary. Hans Windows binary.Browse the source and contribute on Github.
View the changelog.
Use Hans
First, make sure you kernel supports tun devices. For Mac OS X you can get the drivers here. On Windows you have to install a tap device driver by downloading the Windows Installer of OpenVPN and selecting "TAP Virtual Ethernet Adapter" during the installation.To compile hans, unpack it and run "make":
tar -xzf hans-version.tar.gz
cd hans-version
make
To run as a server (as root):
./hans -s 10.1.2.0 -p password
To run as a client (as root):
./hans -c server_address -p password
Now you can run a proxy on the server or let it act as a router and use NAT to allow the clients to access the Internet.
On Windows you must run your command prompt as Administrator in order for hans to work.
from http://code.gerade.org/hans/
----------------------------------------在 Mac OS X 上使用 hans 配置 ICMP 隧道
最近因为电信白名单,高端口基本无法使用,解决办法就是将翻墙服务启动在80,443等可访问端口。但是最近防火墙又一次升级,国外的服务器基本只能 ping 通,TCP 请求无法完成,能访问世界的方式越来越困难。本文介绍一种方法,将数据包封装在 ping 包中进行传输。本方法中使用 hans 这个项目结合 shadowsocks-libev 翻墙。
安装
服务器端
同样,需要在服务器端编译安装 hans:
wget -c https://github.com/friedrich/hans/archive/v1.0.tar.gz
tar zxvf v1.0.tar.gz
cd hans-1.0/
make
编译完成后会产生 hans 执行程序,按以下命令以 root 启动,程序会进入 Deamon 模式。如果要看到输出,可以加上 -f 参数。
./hans -s 10.1.2.0 -p password
其中,password 为设置的密码。然后使用 netstat -rn 可以看到多了一个 tun0 设备
$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
(省略其他的)
10.1.2.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
客户端
在 Mac OS X 上,先安装 tuntap 内核扩展来允许创建虚拟网卡,可以直接使用 Homebrew-Cask 安装,安装过程中需要按照指示给程序权限。
$ brew cask install tuntap
下载 Mac 版本程序并解压:hans
运行程序:
sudo ./hans -c <server-ip> -p password -d tun0
其中 server-ip 是你服务器的 IP,-d 指定Mac上新启设备的名称。Mac 上停止 hans 程序请使用 kill -9。如果启动正常,这时在Mac上也同样可以观察到tun0设备:
$ ifconfig
(省略其他)
tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1467
inet 10.1.2.100 --> 10.1.2.1 netmask 0xffffffff
open (pid 74236)
理论上这时服务器 IP 是无法 ping 通了:
$ ping <server-ip>
PING <server-ip>: 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
^C
--- <server-ip> ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss
此时,就建立了一条从本地到服务器的 hanstunnel tunnel 了。
现在只需要将本地 ss-local 的配置中的 server 参数改为 tun0 的 gateway 地址(本例为10.1.2.1)即可,其他不需要做任何修改。
检查流量
在服务器网卡上抓包可以不断看到 ICMP 的 `echo request` 和 `echo reply` 包,在 tun0 上可以看到实际的数据包。
$ tcpdump -ni ens3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
02:16:29.146644 IP <local-ip> > <server-ip>: ICMP echo request, id 38174, seq 7330, length 93
02:16:29.146647 IP <local-ip> > <server-ip>: ICMP echo request, id 38174, seq 7330, length 13
02:16:29.146652 IP <local-ip> > <server-ip>: ICMP echo request, id 38174, seq 7330, length 13
02:16:29.146684 IP <local-ip> > <server-ip>: ICMP echo request, id 38174, seq 7330, length 93
02:16:29.146704 IP <server-ip> > <local-ip>: ICMP echo reply, id 38174, seq 7330, length 257
02:16:29.146858 IP <server-ip> > <local-ip>: ICMP echo reply, id 38174, seq 7330, length 833
02:16:29.146942 IP <server-ip> > <local-ip>: ICMP echo reply, id 38174, seq 7330, length 257
(略去一堆)
以上就是使用 TCP over ICMP 的方法进行数据传输的配置过程.
from https://qiwihui.com/blogs/qiwihui-blog-52.html
https://github.com/qiwihui/blog/issues/52
