Total Pageviews

Saturday 29 October 2016

利用minivtun vpn翻墙

A fast, secure and reliable VPN service based on non-standard protocol.

A fast secure and reliable VPN service in non-standard protocol for rapidly deploying VPN servers/clients or getting through firewalls

Key features
Fast: direct UDP-encapsulated without complex authentication handshakes.
Secure: both header and tunnel data are encrypted, which is impossible to be tracked by protocol characteristics and blocked, unless all UDP ports are blocked by your firewall; spoofed packets from unauthorized peer are dropped immediately.
Reliable: communication recovers immediately from next received packet from client after the previous session was dead, which makes the connection extremely reliable.
Rapid to deploy: a standalone program to run; all configuration are specified in command line with very few options.
Installation for Linux
Install required development components

sudo apt-get install build-essential libssl-dev   # for Ubuntu / Debian
sudo yum install make gcc openssl-devel   # for CentOS / Fedora / RedHat

Installation for Mac OS X
Install TUNTAP driver for Mac OS X: http://tuntaposx.sourceforge.net

git clone https://github.com/rssnsj/minivtun
cd minivtun/src
make (这步会在当前目录下,生成可执行文件minivtun.)
./minivtun -h
Usage
Mini virtual tunneller in non-standard protocol.
Usage:
  minivtun [options]
Options:
  -l, --local <ip:port>               IP:port for server to listen
  -r, --remote <ip:port>              IP:port of server to connect
  -a, --ipv4-addr <tun_lip/tun_rip>   pointopoint IPv4 pair of the virtual interface
                  <tun_lip/pfx_len>   IPv4 address/prefix length pair
  -A, --ipv6-addr <tun_ip6/pfx_len>   IPv6 address/prefix length pair
  -m, --mtu <mtu>                     set MTU size, default: 1300.
  -t, --keepalive <keepalive_timeo>   interval of keep-alive packets, default: 13
  -n, --ifname <ifname>               virtual interface name
  -p, --pidfile <pid_file>            PID file of the daemon
  -e, --key <encryption_key>          shared password for data encryption
  -v, --route <network/prefix=gateway>
                                      route a network to a client address, can be multiple
  -w, --wait-dns                      wait for DNS resolve ready after service started.
  -d, --daemon                        run as daemon process
  -h, --help                          print this help
Examples
Server: Run a VPN server on port 1414, with local virtual address 10.7.0.1, client address space 10.7.0.0/24, encryption password 'Hello':

/usr/sbin/minivtun -l 0.0.0.0:1414 -a 10.7.0.1/24 -e Hello -d
Client: Connect VPN to the above server (assuming address vpn.abc.com), with local virtual address 10.7.0.33:

/usr/sbin/minivtun -r vpn.abc.com:1414 -a 10.7.0.33/24 -e Hello -d
Multiple clients on different devices can be connected to the same server:

/usr/sbin/minivtun -r vpn.abc.com:1414 -a 10.7.0.34/24 -e Hello -d
/usr/sbin/minivtun -r vpn.abc.com:1414 -a 10.7.0.35/24 -e Hello -d
/usr/sbin/minivtun -r vpn.abc.com:1414 -a 10.7.0.36/24 -e Hello -d

from https://github.com/rssnsj/minivtun
-------------

我的补充说明

登陆Linux vps(最好是kvm vps.若是openvz vps,容易遇错)
git clone https://github.com/rssnsj/minivtun
cd minivtun/src
make (这步会在当前目录下,生成可执行文件minivtun.)
./minivtun -l 0.0.0.0:1414 -a 10.7.0.1/24 --key my-key -d
会显示:
Mini virtual tunneling server on 0.0.0.0:1414, interface: mv0.
(会在vps中,生成虚拟网卡mv0)
以上的命令/root/minivtun/src/minivtun -l 0.0.0.0:1414 -a 10.7.0.1/24 --key my-key -d
并不会随着vps的启动而自动运行,所以建议用systemd来设置一下:
nano /etc/systemd/system/minivtun.service
内容如下:
[Unit]
After=network.target 

[Service]
ExecStart=/root/minivtun/src/minivtun -l 0.0.0.0:1414 -a 10.7.0.1/24 --key my-key
Restart=always

[Install]
WantedBy=multi-user.target

然后,
systemctl start minivtun
systemctl enable minivtun

root@wh:~/minivtun/src# nano /etc/sysctl.conf,
(把net.ipv4.ip_forward那一行的#号去掉并把net.ipv4.ip_forward的值改为1)
sysctl -p
会显示:
net.ipv4.ip_forward = 1

root@wh:~/minivtun/src# iptables -t nat -A POSTROUTING -s 10.7.0.1/24 -o eth0 -j MASQUERADE
服务器端设置完毕。

在客户机器mac上。
安装TUNTAP driver for Mac OS X: http://tuntaposx.sourceforge.net,然后,

git clone https://github.com/rssnsj/minivtun
cd minivtun/src
make (这步会在当前目录下,生成可执行文件minivtun.)
sudo ./minivtun -r my-vps-ip:1414 -a 10.7.0.2/24 --key my-key
Password:

会显示:
Mini virtual tunnelling client to my-vps-ip:1414, interface: tun0.
(会在mac机器中,生成虚拟网卡tun0)
保持该terminal窗口不要关闭。
然后新开一个terminal窗口,
ping 10.7.0.1
显示:
PING 10.7.0.1 (10.7.0.1): 56 data bytes
64 bytes from 10.7.0.1: icmp_seq=0 ttl=64 time=26.829 ms
64 bytes from 10.7.0.1: icmp_seq=1 ttl=64 time=22.975 ms
64 bytes from 10.7.0.1: icmp_seq=2 ttl=64 time=23.071 ms
64 bytes from 10.7.0.1: icmp_seq=3 ttl=64 time=23.547 ms
64 bytes from 10.7.0.1: icmp_seq=4 ttl=64 time=23.713 ms
64 bytes from 10.7.0.1: icmp_seq=5 ttl=64 time=23.456 ms
64 bytes from 10.7.0.1: icmp_seq=6 ttl=64 time=23.693 ms
64 bytes from 10.7.0.1: icmp_seq=7 ttl=64 time=25.982 ms
^C
--- 10.7.0.1 ping statistics ---
8 packets transmitted, 8 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 22.975/24.158/26.829/1.338 ms

可见,可以成功ping通vps的内网ip:10.7.0.1,
不过光能ping通vps的内网ip是不够的,mac机器依然不能翻墙。
(可以把sudo ./minivtun -r my-vps-ip:1414 -a 10.7.0.2/24 --key my-key保存为:
start-minivtun.sh文件)

紧接着运行:
sudo route delete default 
sudo route add default vps-internal-ip 
sudo route add vps-public-ip 192.168.1.1

(router-ip指路由器的ip,比如192.168.1.1,你需根据你的路由器的具体ip,写出其值,比如
有的是10.0.0.1;vps-internal-ip指vps在内网的ip,比如10.7.0.1)

然后运行:
sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1

然后运行某款dns proxy程序:

cd ~/dns2socks/DNS2SOCKS && sudo ./DNS2SOCKS 127.0.0.1:1080 8.8.8.8:53 127.0.0.1:53

(dns2socks的搭建,请参见https://briteming.blogspot.com/2019/07/socksdns-query-dns2socks.html

这样,mac机器就可以用此minivtun vpn翻墙了。

每隔25分钟,第一步会断开所以需要重新运行所有的4步:
sudo killall minivtun && cd ~/minivtun/src && sudo ./minivtun -r my-vps-ip:1414 -a 10.7.0.2/24 --key my-key

sudo route delete default 
sudo route add default vps-internal-ip 
sudo route add vps-public-ip 192.168.1.1 

sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1

cd ~/dns2socks/DNS2SOCKS && sudo ./DNS2SOCKS 127.0.0.1:1080 8.8.8.8:53 127.0.0.1:53
参见https://github.com/rssnsj/minivtun/issues/11

在终止minivtun进程后,还需运行:
sudo route add default 192.168.1.1  

sudo networksetup -setdnsservers "Wi-Fi" empty

这样,才恢复为墙内状态。

https://github.com/fanyueciyuan/eazy-for-ss/tree/master/minivtun ,此脚本我没用过。
---------------

minivtun在 windows下的客户端: minivtun-win

The minivtun is a tiny layer 3 vpn service on posix platform. And this is a windows client for it.

No IPv6 tunnel and point-to-point mode due to limitation of driver

Installation:
Install windows tap driver
site: https://github.com/OpenVPN/tap-windows https://github.com/OpenVPN/tap-windows6

precompiled binary:

NIDS 5 (windows xp and above) https://swupdate.openvpn.org/community/releases/tap-windows-9.9.2_3.exe
NIDS 6 (windows vista and above) https://swupdate.openvpn.org/community/releases/tap-windows-9.21.1.exe

Install required development components

python 2.7 python package: ipaddress pywin32 M2Crypto

Compile and pack

python setup.py py2exe

Usage
Mini virtual tunneller in non-standard protocol.
Usage:
  minivtun [options]
Options:
  -r, --remote <ip:port>            IP:port of server to connect
  -a, --ipv4-addr <tun_lip/pfx_len> IPv4 address/prefix length pair
  -k, --keepalive <keepalive_timeo> seconds between sending keep-alive packets, default: 13
  -t, --type <encryption_type>      encryption type, default: aes_128_cbc
  -e, --key <encrypt_key>           shared password for data encryption (if this option is missing, turn off encryption)
  -d                                run as daemon process
  -h, --help                        print this help
Supported encryption types:
  rc4, des, desx, aes-256, aes-128

Examples

Client: Connect VPN to the server (assuming address vpn.abc.com), with local virtual address 10.7.0.33, encryption with password "Hello":

python tun.py -r vpn.abc.com:1414 -a 10.7.0.33/24 -e Hello

Client: Connect VPN to the server (assuming address vpn.abc.com), with local virtual address 10.7.0.33, no encryption:

python tun.py -r vpn.abc.com:1414 -a 10.7.0.33/24

from https://github.com/boytm/minivtun-win
https://libraries.io/github/boytm/minivtun-win
---------------

利用minivtun实现点对点非公网NAT穿透,在学校轻松访问家里的路由器。 
一般这种情况用于:
  • 家里路由器挂载离线下载
  • 家里的WEB网络摄像头监控
  • 远程修改某些路由设置
  • 远程控制路由器相关的“智能家居”
现在仅考虑以下拓朴图,本文的目的是想让路由C访问路由A,实现C远程控制A。其中A是非智能路由器,使用非Openwrt系统。A下面挂接一个Openwrt路由器B
前提是A和C能顺利访问该VPS,而且B工作正常。

minivtun互访

这个minivtun是我常用的tun点对点隧道软件,工作原理与shadowvpn类似,可以当梯子使用。现有我移植的的minivtun-openwrt,可以自行编译安装在路由上面。
按照文档编译安装,服务端运行监听555端口
/usr/sbin/minivtun -l 0.0.0.0:555 -a 172.16.0.1/24 -e password -n mv0 -d
路由器B和C,同样使用minivtun实现与VPS对接,这里指定网络设备为mv001
# Router B: ip 172.16.0.3
/usr/sbin/minivtun -r [YOUR_VPS]:555 -a 172.16.0.3/24 -e password -n mv001 -d

# Router C: ip 172.16.0.55
/usr/sbin/minivtun -r [YOUR_VPS]:555 -a 172.16.0.55/24 -e password -n mv001 -d
使用Ping等工具测试路由B能否顺利访问VPS
ping 172.16.0.1

Openwrt端口转发

以下三个步骤均在路由B操作

新建接口

在network->interface标签下添加一个interface: 命名随意,这里命名为minivtun_intf,协议为DHCP Client,手动输入mv001这个物理接口进行绑定(因上面minivtun启动参数设定了mv001网络设备)
检查这个接口minivtun_intf是否获得正确的172.16.0.3/24地址,并且从数字变化过程中看到能有Tx/Rx流量通过。

入站防火墙

切换到Network->Firewall->Gerneral,添加一个新的Zone,随意命名为minivtun,指定入站出站转发三个都accept,勾选masquerading和MSS clamping进行伪装路由器。Covered Network只需要勾选两个区域即可,其中必选的是minivtun_intf表示源,另一个是目的地根据需要,可以选WAN或者LAN,如果访问Openwrt局域网就指定LAN,如果要访问WAN(比如上一级路由)就指定WAN
因为我是利用B去访问上一级的A,因此我勾选了WAN

端口转发

切换到Network->Firewall->Port Forward,新建一个转发规则
外部端口随意,(比如外部端口是444,那么在路由C使用minivtun访问172.16.0.3:444就触发端口转发条件)
项目备注我的值
名字随意起名minivtun_port_fwd
外部区域入站防火墙名字minivtun
外部端口供外部访问端口800
内部区域目的端口区域LAN
内部IP目的地址192.168.200.1
内部端口目的端口800

测试方法

从路由器C浏览器地址栏输入http://172.16.0.3:800即可访问路由A的800端口。
from http://lixingcong.github.io/2016/10/03/openwrt-port-forward/
----------
A simple tunnel for Linux. 
This repo is an unoffical port of minivtun for openwrt.

minivtun-openwrt

A fast secure and reliable VPN service in non-standard protocol for rapidly deploying VPN servers/clients or getting through firewall. Created by @rssnsj
It's a very simple point-to-point tunnel client/server. only less than 20kB size.
This repo is an unoffical port for openwrt, if you prefer the offical one, please visit minivtun-tools.
The default route and init.d files was copied from openwrt-shadowvpn. I am so lazy!

For Linux

Show you the Offical compile guide below
Install devel libs
# ubuntu
sudo apt-get install build-essential libssl-dev
# CentOS
sudo yum install make gcc openssl-devel
Compile and install
git clone https://github.com/rssnsj/minivtun.git minivtun
cd minivtun/src
make
sudo make install
Run and listen(my script copied from shadowvpn, not offical)
# modify your listenig port and password, etc
cd minivtun/linux-server
vi run.sh

# use bash to run, not sh
bash run.sh
if your want to run as linux-client, do the same as linux-server but under linux-client folders. You could turn the China-route mode on, just set isUseRouteFile to True
Enjoy it!

Complie for Openwrt (Client-side)

# ar71xx platform
tar xjf OpenWrt-SDK-ar71xx-for-linux-x86_64-gcc-4.8-linaro_uClibc-0.9.33.2.tar.bz2
cd OpenWrt-SDK-ar71xx-*
cd openwrt
git clone https://github.com/lixingcong/minivtun-openwrt package/minivtun-openwrt

# Select Network -> minivtun
make menuconfig
make package/minivtun-openwrt/compile V=99

Configuration for Openwrt

Change password or port
vi /etc/config/minivtun
# Switch: enable = 1 or 0
Restart service
/etc/init.d/minivtun restart
Use Chnroute.txt
Same as ShadowVPN or Shadowsocks, the chnroute.txt is available for Chinese user to change route.
Please visit  openwrt-shadowvpn for more details on route-mode.
# update route file
wget -O- 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | awk -F\| '/CN\|ipv4/ { printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > /tmp/chinadns_chnroute.txt
cp /tmp/chinadns_chnroute.txt /etc/

vi /etc/config/minivtun
# set the route-mode to 1 (Domestic Mode)
# set route-file to /etc/chinadns_chnroute.txt

/etc/init.d/minivtun restart

Luci-app

A luci-app-minivtun was available, please vist openwrt-dist-luci.

Wiki

Please visit offical page minivtun
from https://github.com/lixingcong/minivtun-openwrt
------------------------

minivtun-rs

A Rust implementation of minivtun.

Usage

minivtun-rs 0.1
Mini virtual tunneller in non-standard protocol

USAGE:
    minivtun-rs [FLAGS] [OPTIONS]

FLAGS:
    -d, --daemon     run as daemon process
    -h, --help       Prints help information
    -V, --version    Prints version information

OPTIONS:
    -F, --fwmark <fwmark_num>              fwmark set on vpn traffic
    -n, --ifname <ifname>                  virtual interface name
    -a, --ipv4-addr <tun_lip/prf_len>      pointopoint IPv4 pair of the virtual interface
    -A, --ipv6-addr <tun_ip6/pfx_len>
    -K, --keepalive <N>                    seconds between keep-alive tests, default:7
    -e, --key <encryption_key>             shared password for data encryption
    -l, --local <ip:port>                  local IP:port for server to listen
    -M, --metric <metric>                  metric of attached routes
    -m, --mtu <mtu>                        set MTU size, default:1300
    -R, --reconnect-timeo <N>              maximum inactive time (seconds) before reconnect, default:47
    -r, --remote <host:port>               host:port of server to connect (brace with [] for bare IPv6)
    -v, --route <network/prefix[=gw>...    attached IPv4/IPv6 route on this link, can be multiple
    -T, --table <table_name>               route table of the attached routes
    -t, --type <encryption_type>           encryption type(aes-128, aes-256), default:aes-128
from https://github.com/optman/minivtun-rs