Pages

Monday, 24 October 2016

成功利用Hans 'IP Over ICMP' vpn翻墙

下面我将在树莓派上安装并配置hans, 下篇文章再介绍kcptun. 只要把树莓派设为默认网关, 局域网内所有设备科学上网.
ProTip: 首先使用手机3G流量, 开放Hotspot供电脑使用, 安装软件后即可停止.

How It Works

  • GFW(iWiFi):
    • allow: icmp,dns
    • deny: all
  • Server:
    • eth0: 1.2.3.4
    • tun0: 10.1.2.1
  • RPi:
    • eth0: 192.168.31.177
    • tun0: 10.1.2.100
  • Client:
    • eth0: 192.168.31.102
Client(Firefox) -> RPi(ss-local&hans-client) -> GFW -> Server(ss-server&hans-server) -> Internet  

Compile

$ wget https://github.com/friedrich/hans/archive/v0.4.4.tar.gz
$ tar xzf hans-0.4.4.tar.gz
$ cd hans-0.4.4
$ make
$ cp hans /usr/local/bin/

Run

$ hans
Hans - IP over ICMP version 0.4.4

RUN AS SERVER  
  hans -s network [-fvr] [-p password] [-u unprivileged_user] [-d tun_device] [-m reference_mtu] [-a ip]

RUN AS CLIENT  
  hans -c server  [-fv]  [-p password] [-u unprivileged_user] [-d tun_device] [-m reference_mtu] [-w polls]

ARGUMENTS  
  -s network    Run as a server with the given network address for the virtual interface. Linux only!
  -c server     Connect to a server.
  -f            Run in foreground.
  -v            Print debug information.
  -r            Respond to ordinary pings. Only in server mode.
  -p password   Use a password.
  -u username   Set the user under which the program should run.
  -d device     Use the given tun device.
  -m mtu        Use this mtu to calculate the tunnel mtu.
                The generated echo packets will not be bigger than this value.
                Has to be the same on client and server. Defaults to 1500.
  -w polls      Number of echo requests the client sends to the server for polling.
                0 disables polling. Defaults to 10.
  -i            Change the echo id for every echo request.
  -q            Change the echo sequence number for every echo request.
  -a ip         Try to get assigned the given tunnel ip address.

Systemd

Unit File

# /etc/systemd/system/hans.service
[Unit]
Description=IP over ICMP  
After=network.target

[Service]
EnvironmentFile=/etc/default/hans  
ExecStart=/usr/local/bin/hans $HANS_OPTS  
Restart=always  
RestartSec=5

[Install]
WantedBy=multi-user.target  

Server Config

# /etc/default/hans
HANS_OPTS="-f -s 10.1.2.0 -p password"  

Client Config

# /etc/default/hans
HANS_OPTS="-f -c 1.2.3.4 -p password"  

Server Setup

$ systemctl daemon-reload
$ systemctl start hans.service

$ ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.1.2.1  P-t-P:10.1.2.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1467  Metric:1
          RX packets:4629 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4620 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:622863 (608.2 KiB)  TX bytes:3991862 (3.8 MiB)

Client Setup

$ systemctl daemon-reload
$ systemctl start hans.service

$ ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.1.2.100  P-t-P:10.1.2.100  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1467  Metric:1
          RX packets:617 errors:0 dropped:0 overruns:0 frame:0
          TX packets:641 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:441280 (430.9 KiB)  TX bytes:93441 (91.2 KiB)

$ ping 10.1.2.1
PING 10.1.2.1 (10.1.2.1) 56(84) bytes of data.  
64 bytes from 10.1.2.1: icmp_seq=1 ttl=64 time=145 ms  
^C

Socks5 Setup

$ cat /etc/shadowsocks-libev/config.json
{
    "server": "10.1.2.1",
    "server_port": 8388,
    "local_address": "0.0.0.0",
    "local_port": 1080,
    "password": "********",
    "timeout": 60,
    "method": "chacha20",
    "auth": true
}
$ nc -v 10.1.2.1 8388
Connection to 10.1.2.1 8388 port [tcp/*] succeeded!  
^C
$ systemctl start shadowsocks-libev-local@config
$ curl -x socks5h://127.0.0.1:1080 ifconfig.co
1.2.3.4  

SSH Setup

# ~/.ssh/config
Host github.com  
    HostName github.com
    ProxyCommand nc -x 192.168.31.177 %h %p

Default Gateway

Server

$ iptables -t nat -A POSTROUTING -o eth0 -s 10.1.2.0/24 -j MASQUERADE

RPi

$ ip route add 1.2.3.4 via 192.168.31.1                                           $ ip route add 0.0.0.0/1 via 10.1.2.1
$ ip route add 128.0.0.0/1 via 10.1.2.1

$ ip route
0.0.0.0/1 via 10.1.2.1 dev tun0  
default via 192.168.31.1 dev wlan0  
10.1.2.0/24 dev tun0  proto kernel  scope link  src 10.1.2.100  
1.2.3.4 via 192.168.31.1 dev wlan0  
128.0.0.0/1 via 10.1.2.1 dev tun0

$ host ifconfig.co
ifconfig.co has address 188.113.88.193  
ifconfig.co has IPv6 address 2001:16d8:ee03::cafe:d00d

$ ip route get 188.113.88.193
188.113.88.193 via 10.1.2.1 dev tun0  src 10.1.2.100  
    cache

$ curl ifconfig.co
1.2.3.4

$ iptables -t nat -A POSTROUTING -o tun0 -s 192.168.31.0/24 -j MASQUERADE

Client

$ sudo route change default 192.168.31.177
$ sudo networksetup -setdnsservers Wi-Fi 8.8.8.8

$ host ifconfig.co
ifconfig.co has address 188.113.88.193  
ifconfig.co has IPv6 address 2001:16d8:ee03::cafe:d00d

$ route get 188.113.88.193
   route to: 188.113.88.193
destination: 188.113.88.193  
    gateway: 192.168.31.177
  interface: en0

$ curl ifconfig.co
1.2.3.4 
-----------

我的补充说明:

在linux vps上。
git clone https://github.com/friedrich/hans
cd hans
make
(会在当前目录下,生成可执行文件hans)
./hans -s 10.1.2.1 -p mypassword -r
会显示:
./hans: opened tunnel device: tun4
./hans: detaching from terminal

iptables -t nat -A POSTROUTING -s 10.1.2.1/24 -o eth0 -j MASQUERADE
服务器端搭建完成。

在客户机器mac上。
git clone https://github.com/friedrich/hans
cd hans
make
(会在当前目录下,生成可执行文件hans)
sudo ./hans -c vps-public-ip -p mypassword

sudo route delete default && sudo route add default 10.1.2.1 && sudo route add vps-public-ip 192.168.1.1 && sudo route add default 192.168.1.1 

sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1

运行ss

sudo ~/goproxy-by-snail007/proxy dns -S socks -T tcp -P 127.0.0.1:1080 -p :53


这样,即可用vpn程序Hans翻墙。


项目地址:https://github.com/friedrich/hans
(its fork: https://github.com/vdveer/pingtunnel) 
 
很类似的项目:
https://github.com/milesdevis/Icmp_tunnel (只能运行在linux桌面系统上)
-------------------------------------------

Hans 'IP over ICMP'

Hans makes it possible to tunnel IPv4 through ICMP echo packets, so you could call it a ping tunnel. This can be useful when you find yourself in the situation that your Internet access is firewalled, but pings are allowed.
Hans runs on Linux as a client and a server. It runs on Mac OS X, iPhone/iPod touch, FreeBSD, OpenBSD and Windows as a client only.
Is is inspired by icmptx and adds some features:

Features

  • Reliability: Hans works reliably in situations when the client is behind a firewall that allows only one echo reply per request.
  • Security: Hans uses a challenge-response based login mechanism.
  • Multiple clients: Hans currently supports up to 253 clients, which is the number of available IPs on the virtual subnet.
  • Easy setup: Hans automatically assigns IP addresses.
For the iPhone/iPod touch version have a look at tunemu.

Get Hans

Hans source. Hans Mac OS X binary. Hans Windows binary.
Browse the source and contribute on Github.
View the changelog.

Use Hans

First, make sure you kernel supports tun devices. For Mac OS X you can get the drivers here. On Windows you have to install a tap device driver by downloading the Windows Installer of OpenVPN and selecting "TAP Virtual Ethernet Adapter" during the installation.
To compile hans, unpack it and run "make":
tar -xzf hans-version.tar.gz
cd hans-version
make

To run as a server (as root):

./hans -s 10.1.2.0 -p password
This will create a new tun device and assign the IP 10.1.2.1 to it. Note that Hans can not receive echo requests on BSD systems. Therefore the server only works on Linux.

To run as a client (as root):

./hans -c server_address -p password
This will connect to the server at "server_addess", create a new tun device and assign an IP from the network 10.1.2.0/24 to it.
Now you can run a proxy on the server or let it act as a router and use NAT to allow the clients to access the Internet.
On Windows you must run your command prompt as Administrator in order for hans to work.

from http://code.gerade.org/hans/
----------------------------------------

相关帖子:http://briteming.blogspot.com/2012/02/ping-tunnel.html