OpenVPN是一个基于SSL加密的纯应用层VPN协议,是SSL VPN的一种,支持UDP与TCP两种方式。UDP和TCP是2种通讯协议,这里通常UDP的效率会比较高,速度也相对较快。所以尽量使用UDP连接方式,实在UDP没法使用的时候,再使用TCP连接方式。
由于其运行在纯应用层,避免了PPTP和L2TP在某些NAT设备后面不被支持的情况,并且可以绕过一些网络的封锁.通俗点讲,基本上能上网的地方就能用OpenVPN.
OpenVPN客户端软件可以很方便地配合路由表,实现不同线路(如国内和国外)的路由选择,实现一部分IP走VPN,另一部分IP走原网络。
http://briteming.blogspot.com/2016/08/openvpn.html ,只是当时未在linux vps上安装它。今天安装后, 发现又可用openvpn翻墙了。
安装方法如下:
登录linux vps.
wget https://github.com/Nyr/openvpn-install/raw/master/openvpn-install.sh
bash openvpn-install.sh
运行此条命令bash openvpn-install.sh,最后显示:
...
Generating a 2048 bit RSA private key
................+++
.............................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.bMvlQu5Gie'
-----
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'server'
Certificate is to be certified until Jul 2 04:22:38 2027 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Generating a 2048 bit RSA private key
...........+++
..........................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/client2.key.7nwUyrULSK'
-----
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'client2'
Certificate is to be certified until Jul 2 04:22:39 2027 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem
* Stopping virtual private network daemon(s)... * No VPN is running.
* Starting virtual private network daemon(s)... * Autostarting VPN 'server'
Finished!
Your client configuration is available at /root/client2.ovpn
If you want to add more clients, you simply need to run this script again!
root@localhost:~#
root@localhost:~# ps aux|grep openvpn
nobody 7875 0.0 0.1 28492 1048 ? Ss 05:22 0:00 /usr/sbin/openvpn --config server.conf --daemon
root 7926 0.0 0.0 11740 904 pts/6 S+ 05:27 0:00 grep openvpn
root@localhost:~#
(服务器端的配置文件的完整路径:/etc/openvpn/server/server.conf)
服务器端的配置文件内容如下:
root@localhost:~# cat /etc/openvpn/server/server.conf
port 1278
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
root@localhost:~#
下载的客户端的配置文件client2.ovpn的内容:
client dev tun proto udp sndbuf 0 rcvbuf 0 remote my-vps-ip 1278 resolv-retry infinite nobind persist-key persist-tun remote-cert-tls server auth SHA512 cipher AES-256-CBC comp-lzo setenv opt block-outside-dns key-direction 1 verb 3
<ca>
....
</ca>
<cert>
.....
</cert>
<key>
....
</key>
<tls-crypt>
....
</tls-crypt>
可见2边的配置文件里都有cipher AES-256-CBC 这行代码,而众所周知AES-256-CBC 是用来加密的,就像shadowsocks的4个参数之一:加密方式,我们常用的是aes-256-cfb.估计就是
cipher AES-256-CBC这行代码给openvpn的链接加了一层密:加密连接,从而使得gfw无法侦测openvpn的流量特征,无法封锁openvpn,于是又可用openvpn翻墙了。
注:proto的值建议选择udp, udp协议比tcp协议更抗干扰。vps类型则建议选择openvz之外的类型,比如kvm/xen.如果你一定要用openvz vps,建议你使用bandwagonhost.com提供的openvz vps,这家的openvz vps默认开启了tun/tap。如果使用其他vps供应商(比如alpharacks.com)的openvz vps,最好发ticket给其客服,要求enable tun/tap.(在其vps control panel里,用户自行enable tun/tap的话,其实并未真正的生效),然后运行:
openvpn --config /etc/openvpn/server/server.conf
如果你运行openvpn --config /etc/openvpn/server/server.conf ,遇到如下错误:
Options error: --dh fails with 'dh.pem': No such file or directory
Options error: --ca fails with 'ca.crt': No such file or directory
Options error: --cert fails with 'server.crt': No such file or directory
Options error: --key fails with 'server.key': No such file or directory
Options error: --crl-verify fails with 'crl.pem': No such file or directory
Options error: --tls-crypt fails with 'tc.key': No such file or directory
Options error: Please correct these errors.
Use --help for more information.
解决办法就是:把ca.crt,server.crt,server.key,dh.pem,ta.key,crl.pem那些文件写成完整路径:
port 1278
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
auth SHA512
tls-crypt /etc/openvpn/server/tc.key
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify /etc/openvpn/server/crl.pem
先运行openvpn --config /etc/openvpn/server/server.conf ,看看是否正常:
如果屏幕的最下一行为initialization sequence completed,则说明openvpn运行正常。
如果正常,才带“--daemon”运行:
openvpn --config /etc/openvpn/server/server.conf --daemon
然后设置OpenVPN访问外网:
echo 1 > /proc/sys/net/ipv4/ip_forward
(或者:sysctl -w net.ipv4.ip_forward=1)
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE (注意:如果你的vps是xen/kvm平台,则需把venet0改为eth0)
至此,服务器端的设置完毕。注意:如果你的vps重启了,一定要记得重新运行上面的这2条命令。当然这条命令:openvpn --config /etc/openvpn/server/server.conf --daemon也不能忘了运行。
在运行openvpn client app后,服务器端的配置文件/etc/openvpn/server/server.conf里的这2行内容:
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
会被推送到客户机器上,也即:客户机器的本地dns server地址会被强行改为:
8.8.8.8
8.8.4.4
但是客户机器不一定能连上8.8.8.8或8.8.4.4,所以我们可以修改服务器端的配置文件/etc/openvpn/server/server.conf里的这2行内容:
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
为:
push "dhcp-option DNS 127.0.0.1"
因为修改了openvpn服务器端的配置文件,所以需要重启openvpn:
killall openvpn
openvpn --config /etc/openvpn/server/server.conf --daemon
在运行openvpn client app后,服务器端的配置文件/etc/openvpn/server/server.conf里的这1行内容:
push "dhcp-option DNS 127.0.0.1"
会被推送到客户机器上,也即:客户机器的本地dns server地址会被强行自动改为:
127.0.0.1
这样就无需手动去修改客户机器的本地dns server地址为127.0.0.1了。
如果你的本地机器是mac,请下载/安装mac上面的openvpn客户端程序tunnelblick.然后在mac的finder里面,进入“下载”文件夹,双击下载到“下载”文件夹中的客户端配置文件(.ovpn文件),即可导入该配置文件到tunnelblick,然后就可用tunnelblick翻墙了:
首先运行openvpn client,然后客户机器的本地dns server地址会被强行自动改为:
127.0.0.1,
然后运行一个dns proxy程序,比如:dns-over-tls-forwarder,dns-over-tls-forwarder的用法见https://briteming.blogspot.com/2020/01/unbounddns-over-tls.html
如果你使用一段时间翻不了墙了,重启openvpn客户端即可。如果还是不行,请重启系统,再运行客户端。
使用10来天后,觉得在openvz vps上搭建的openvpn不易连上,因此强烈建议在kvm vps/xen vps上搭建openvpn!!!
如果不易连上vps上搭建的openvpn,简单的解决办法-在vps上,重装openvpn:运行bash openvpn-install.sh
来卸载openvpn,然后运行bash openvpn-install.sh ,重装openvpn,然后下载生成的配置文件(ovpn文件),导入此配置文件到openvpn客户端程序,你就又可以翻墙了。
在ios device上,切换app store到香港区,搜索openvpn connect,进行安装。( 在
app store的中国区,openvpn connect已经下架)
然后把下载的客户端的配置文件client2.ovpn作为附件发到自己的邮箱,登录邮箱,点击附件client2.ovpn,会显示‘在openvpn中打开‘的链接,点击该链接,再点击弹出的页面中的“+”号,即可把客户端的配置文件client2.ovpn导入到客户端程序openvpn connect中,然后在openvpn connect中启用连接,稍等片刻,ios device的右上角就会出现VPN字样,ios device即可翻墙。
如果你在服务器上运行了此3条命令:
openvpn --config /etc/openvpn/server.conf --daemon
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
相关帖子:
http://briteming.blogspot.com/2016/05/openvpn-connectiosopenvpn-client.html
https://itunes.apple.com/app/openvpn-connect/id590379981
http://briteming.blogspot.com/2016/08/openvpn.html
本帖即是用此法翻墙后发布的。
-----------------------
https://github.com/Angristan做出的改进版:https://github.com/Angristan/OpenVPN-install
Usage
You have to enable the TUN module otherwise OpenVPN won't work. Ask your host if you don't know how to do it. If the TUN module is not enabled, the script will warn you and exit.You can get a cheap VPS to run this script for $2.50/month worldwide at Vultr or 3€/month for unlimited bandwidth in France at PulseHeberg.
First, get the script and make it executable :
wget https://raw.githubusercontent.com/Angristan/OpenVPN-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
Then run it :./openvpn-install.sh
The first time you run it, you'll have to follow the assistant and answer a few questions to setup your VPN server.
When OpenVPN is installed, you can run the script again, and you will get the choice to :
- Add a client
- Remove a client
- Uninstall OpenVPN
Why make a fork ?
This script is based on the great work of Nyr and its contributors.I made it because I wanted to have a more secured OpenVPN out-of-the-box. It works like the original script, but is more focused on privacy and espicially better encryption. Nyr's original script uses mainly default parameters regarding encryption, and some of them are unsecure. See #encryption.
Also, Nyr and myself clearly have not the same point of view regarding this script, that's why it's a fork.
The only drawback is that you need to use a recent version of OpenVPN, because some parameters that requires TLS 1.2 are only availble since OpenVPN 2.3.3. Therefore I restrain the compatibility of this script to a few but widely used GNU/Linux distributions, to get a recent version of OpenVPN from trusted third-party repositories, if needed. That is not a complete drawback tough, because it means that you can have the latest version with all the new features and security fixes. See compatibilty.
On the client-side, it's less problematic, but if you want to use an OpenVPN server installed with this script with an old client (<2.3.3), it won't work. However I don't see why you would use an outdated client.
TL;DR, this script is relatively secure, and you can just press enter in the setup.
Compatibility
The script is made to work on these OS and architectures :- Debian 7 (i386, amd64)
- Debian 8 (i386, amd64)
- Debian 9 (i386, amd64, armhf, arm64)
- Ubuntu 12.04 LTS (i386, amd64)
- Ubuntu 14.04 LTS (i386, amd64)
- Ubuntu 16.04 LTS (i386, amd64)
- Ubuntu 16.10 (i386, amd64, armhf, arm64)
- Ubuntu 17.04 (i386, amd64, armhf, arm64)
- CentOS 6 (i386, amd64)
- CentOS 7 (i386, amd64, arm64)
- Arch Linux (i686, amd64)
If your're using an Ubuntu version that is not supported by the script, be aware that it's not supported by Ubuntu either, thus it's insecure.
Features
This fork includes the following features :- Every feature of the original script
- Better encryption, see below
- Better DNS resolvers, see below
- Choice between TCP and UDP (UDP is still recommended)
- Run server in unprivileged mode, reducing risks to the system
- Block DNS leak on Windows 10
- No comp-lzo, as compression is a vector for oracle attacks, e.g. CRIME or BREACH
- Arch Linux support
- Up-to-date OpenVPN thanks to EPEL for CentOS and swupdate.openvpn.net for Ubuntu and Debian. These are third-party yet trusted repositories.
- Other improvements !
DNS
The script will ask you which DNS resolvers you want to use when connected to the VPN.Here are the possibilities :
- Current system resolvers, those that are in
/etc/resolv.conf
- FDN's DNS Servers, recommended if you're in western europe (France)
- DNS.WATCH DNS Servers, recommended if you're in western europe (Germany)
- OpenDNS, not recommened but fast wordlwide (Anycast servers)
- Google Public DNS, not recommended, but fast worldwide (Anycast servers)
- Yandex Basic DNS, not recommended, but fast in Russia
- Soon : local resolver :D
Encryption
The main reason why I made this fork is to improve the encryption. Indeed, OpenVPN's default parameters are weak (and that's what Nyr's script uses).I want to justify all my choices regarding the encryption settings I have chosen, to prove that I'm not some random noob as some may think. 😉
However I'm far from a crypto expert, so don't hesitate to doubt what I say (I put links to my sources anyway), and to open an issue to correct me.
OpenVPN 2.4 will be a great update on the encryption part, because we'll be able to use elliptic curves, so ECDSA and ECDH (as well for the control channel), and AES GCM. They are faster and more secure. I will, of course, update the script when it will be available.
Note: With OpenVPN's default parameters, you have a relatively weak encryption. Nonetheless, your trafic is still encrypted, so unless you're under surveillance, probably no one will try to decrypt it. Yet it's not a reason to use old and weak algorithm when there are much better ones available. 😉
TLS version
OpenVPN uses TLS 1.0 by default, which is nearly 20 years old.With
tls-version-min 1.2
we use at least TLS 1.2, which the best protocol available currently. I could have used tls-version-min highest
but this does not ensure we use TLS 1.2 which is the only secure protocol available.OpenVPN documentation for tls-version-min
TLS 1.2 is only supported since OpenVPN 2.3.3. This is one of the reasons of the script uses third-party repositories, because some distributions have an older version of OpenVPN.
Certificate
Key
OpenVPN uses an RSA certificate with a 2048 bits key by default.2048 bits is OK, but both NSA and ANSSI recommend at least a 3072 bits for a future-proof key. As the size of the key will have an impact on speed, I leave the choice to use 2048, 3072 or 4096 bits RSA key. 4096 bits is what's most used and recommened today, but 3072 bits is still good.
In OpenVPN 2.4, we will be able to use an ECDSA certificate. This algorithm uses elliptic curves instead of prime numbers' factorization for a reduced key size and calculation time, thus it's faster and more secure.
Signature hash
OpenVPN uses SHA-256 by default.It also supports SHA1 and MD5, which are unsafe, and all the SHA2 family. I didn't find any reason to use something other than SHA-256 in the SHA2 group, so the script still uses the default hash algorithm.
Data channel's cipher
By default, OpenVPN usesBF-CBC
as the data channel cipher. Blowfish is an old (1993) an weak alogorithm. What's funny is that even the official OpenVPN documentation admits it.The default is BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode. Using BF-CBC is no longer recommended, because of its 64-bit block size. This small block size allows attacks based on collisions, as demonstrated by SWEET32. See https://community.openvpn.net/openvpn/wiki/SWEET32 for details.Source
Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See https://sweet32.info/ for a much better and more elaborate explanation. OpenVPN's default cipher, BF-CBC, is affected by this attack.Source
Blowfish's use of a 64-bit block size (as opposed to e.g. AES's 128-bit block size) makes it vulnerable to birthday attacks, particularly in contexts like HTTPS. In 2016, the SWEET32 attack demonstrated how to leverage birthday attacks to perform plaintext recovery (i.e. decrypting ciphertext) against ciphers with a 64-bit block size such as Blowfish.[9]
A reduced-round variant of Blowfish is known to be susceptible to known-plaintext attacks on reflectively weak keys. Blowfish implementations use 16 rounds of encryption, and are not susceptible to this attack. Blowfish users are encouraged by Bruce Schneier, Blowfish's creator, to use the more modern and computationally efficient alternative Twofish. He is quoted in 2007 as saying:
"At this point, though, I'm amazed it's still being used. If people ask, I recommend Twofish instead."Source
Convinced ?
The SWEET32 vulnerability page from OpenVPN's documentation says :
The following ciphers are affected, and should no longer be used:
- BF-*
- DES* (including 3DES variants)
- RC2-*
The following ciphers are not affected:
- AES-*
- CAMELLIA-*
- SEED-*
As they have not any proven vulnerabilities, I decided to give the user the choice to use them, though I don't see any particular reason to this day to use it. Maybe someday if AES happens to be broken. Here is an exemple about why Camellia is good, but AES is better and should be used.
Currently AES is only available in its CBC mode, which is weaker than GCM.
To quote the OpenVPN documentation :
Of the currently supported ciphers, OpenVPN currently recommends using AES-256-CBC or AES-128-CBC. OpenVPN 2.4 and newer will also support GCM. For 2.4+, we recommend using AES-256-GCM or AES-128-GCM.Of course I will update the script to add AES-GCM mode (as well as ECDH and ECDSA) as soon as OpenVPN 2.4 is released.
For now, these cipher are available in the setup :
- AES-128-CBC
- AES-192-CBC
- AES-256-CBC
- CAMELLIA-128-CBC
- CAMELLIA-192-CBC
- CAMELLIA-256-CBC
- SEED-CBC
Moreover, AES-256 is more vulnerable to Timing attacks.
Thus, the best data channel cipher currently available in OpenVPN is
AES-128-CBC
.Control channel's cipher
According to the Hardening page of the OpenVPN wiki, TLS 1.2 is not supported by OpenVPN <2.3.3, so it uses a TLS 1.0 cipher by default, which is unsecure.The following are TLSv1.2 DHE + RSA choices, requiring a compatible peer running at least OpenVPN 2.3.3:
- TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
- TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
- TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
- TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
Thus, I have chosen
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
as the control channel cipher.Diffie-Hellman key
OpenVPN uses a 2048 bits DH key by default.2048 bits is OK, but both NSA and ANSSI recommend at least a 3072 bits for a future-proof key. Like RSA, the size of the key will have an impact on speed, I leave the choice to use a 2048, 3072 or 4096 bits key. 4096 bits is what's most used and recommened today, but 3072 bits is still good.
In OpenVPN 2.4, we will be able to use ECDH key. It uses elliptic curves instead of prime numbers' factorization for a reduced key size and calculation time, thus it's faster and more secure.
HMAC authentication algorithm
To quote the OpenVPN wiki :Authenticate packets with HMAC using message digest algorithm alg. (The default is SHA1 ). HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key, to produce a digital signature. OpenVPN's usage of HMAC is to first encrypt a packet, then HMAC the resulting ciphertext.SHA-1 is not safe anymore, so I use SHA-256 which is safe and widely used.
TLS-crypt
The --tls-crypt option uses a static pre-shared key (PSK) that must be generated in advance and shared among all peers. This features adds "extra protection" to the TLS channel by requiring that incoming packets have a valid signature generated using the PSK key. If this key is ever changed, it must be changed on all peers at the same time (there is no support for rollover.)
The primary benefit is that an unauthenticated client cannot cause the same CPU/crypto load against a server as the junk traffic can be dropped much sooner. This can aid in mitigating denial-of-service attempts.
This feature by itself does not improve the TLS auth in any way, although it offers a 2nd line of defense if a future flaw is discovered in a particular TLS cipher-suite or implementation (such as CVE-2014-0160, Heartbleed, where the tls-crypt key provided protection against attackers who did not have a copy). However, it offers no protection at all in the event of a complete cryptographic break that can allow decryption of a cipher-suite's traffic.Source
TLS-crypt is not enabled by default by OpenVPN, but it is in this script。
from https://github.com/Angristan/OpenVPN-install
---------
安装OpenVPN
服务端配置文件(server.conf)
- 编辑位于/etc/openvpn/server.conf, 以下附上我的配置文件的一部分并加以解释
备注0
- proto可选的有TCP/TCP6/UDP/UDP6 其中IPv6版本向下兼容IPv4, 这里我们显然需要使用IPv6. 请注意,请尽量不要在普通IPv4环境下使用OpenVPN, 因为防火墙能准确识别OpenVPN.
备注1
- OpenVPN工作在三层, 因此网络流量是否走VPN隧道完全由路由表控制.
- 此处的redirect-gateway是将默认路由改为走VPN隧道
- def1是可选参数, 此处是一个OpenVPN的feature(真feature!不是Bug!), 当没有此参数时, 连接VPN时给客户端推的路由为”0.0.0.0/0″, 此时, 系统中可能存在两条0.0.0.0的路由(一条是本来的默认网关, 根据不同系统情况可能有所不同), 而如果有def1参数, 向客户端推得路由表为0.0.0.0/1和128.0.0.0/1这两条, 根据最长匹配原则, 数据就一定会通过VPN隧道走了!
备注2
- push “route address netmask vpn_gateway/net_gateway”这是向客户端推送一条通过VPN隧道走或通过本来的网关走的路由表, 如果细心的话, 会发现166.111.204.120就是net.tsinghua.edu.cn的地址…这样我就能把它给劫持了.
- 至于其他的校内IP地址, 你可以在bgp.he.net上找到或找我要一份…
备注3
- 向客户端interface推DNS地址
备注4
- auth-user-pass-verify 表示通过用户名密码方式验证
- xxx 是你的自定义验证脚本, 每次有用户连接时, OpenVPN会自动运行一次此脚本, 返回值为0表示认证成功, 为1表示认证失败
- via-env 表示用户名密码通过环境变量传递
- 更多信息请查阅官方文档
备注5
- 这两处是自定义的连接和断开连接时运行的脚本. 劫持的net.tsinghua页面的用户名对应就是在连接时处理的, 流量统计是在断开连接时处理的.
- 更多信息请查阅官方文档
开启转发
iptables配置
保存iptables配置
服务端基本配置完成
客户端配置文件
完成
1 服务端部署(Ubuntu)
1.1 安装OpenVPN 所需插件
|
|
1.2 安装OpenVPN
1.2.1 apt-get安装OpenVPN
|
|
1.2.2 源码安装OpenVPN(建议使用2.2.2版本)
|
|
1.3 开启内核转发并配置源地址路由
|
|
1.4 服务端配置
1.4.1 生成密钥
|
|
1.4.2 服务端配目录及文件
|
|
1.4.3 服务端配置文件参数指定
|
|
1.5 启动OpenVPN服务端
|
|
1.6 检查验证
|
|
1.7 设置OpenVPN服务端开机启动
|
|
2 OpenVPN 客户端部署(MAC系统)
2.1 安装OpenVPN 所需插件
|
|
2.2 安装OpenVPN
2.2.1 Brew 安装
|
|
2.2.2 源码安装(建议使用2.2.2版本)
|
|
2.3 服务端生成客户端所需密钥(客户端部署可忽略此步骤)
2.3.1 服务端连接
|
|
2.3.2 生成密钥
|
|
|
|
2.3.3设置客户端密钥验证信息
|
|
10.8.0.119 指客户端被虚拟出来的IP
2.4 客户端配置
2.4.1 拷贝密钥到客户端
|
|
2.4.2 配置客户端密码文件
|
|
2.4.3 客户端配置文件
|
|
2.5 启动客户端
2.5.1 命令行启动OpenVPN
|
|
2.5.2 GUI启动OpenVPN
- 下载Tunnelblick客户端
直接官网下载: https://tunnelblick.net/downloads.html - 安装Tunnelblick客户端
Tunnelblick具体安装使用流程见:Mac系统Tunnelblick下载以及安装流程
2.6 检查验证
|
|
|
|
2.7 服务加入开机自启动
|
|
3 OpenVPN 客户端部署(Ubuntu系统)
3.1 安装OpenVPN 所需插件
|
|
3.2 安装OpenVPN
3.2.1 apt-get安装OpenVPN
|
|
3.2.2 源码安装OpenVPN(建议使用2.2.2版本)
|
|
3.3 服务端生成客户端所需密钥(客户端部署可忽略此步骤)
3.3.1 服务端连接
|
|
3.3.2 生成密钥
|
|
|
|
3.3.3设置客户端密钥验证信息
|
|
10.8.0.120 指客户端被虚拟出来的IP
3.4 客户端配置
3.4.1 拷贝密钥到客户端
|
|
3.4.2 配置客户端密码文件
|
|
3.4.3 客户端配置文件
|
|
3.5 启动客户端
|
|
3.6 检查验证
|
|
|
|
3.7 服务加入开机自启动
|
|
OPENVPN使用PAM及MYSQL进行用户认证
1.使用PAM模块PAM简介:
Pluggable Authentication Module (PAM) 是行业标准验证框架。
PAM 为系统管理员提供了选择系统上可用的任何验证服务来执行验证的灵活性。使用 PAM 框架还可以插入新的验证服务模块,并且无需修改应用程序即可使用,
包含帐户管理,用户验证,口令管理,会话管理四个模块.指定如何处理同一个 service-name 和 module-type 的多个定义的关键字。它为下列值之一
required模块测试必须成功。
optional模块测试可以失败。
sufficient如果测试成功,则不执行进一步的测试。
1>OPENVPN服务器端配置:
client-cert-not-required //客户端数字证书无需指定
username-as-common-name //用户名作为common name
需要增加相应的用户名及密码,使用useradd password命令
重新启动OPENVPN,则在客户端登录OPENVPN的时候会提示输入用户名及密码
2.使用PAM-MYSQL
1>安装MYSQL,添加用户名vpn 密码设置为vpn,用户表为库openvpn中的user
2>安装pam_mysql ,下载位置http://internap.dl.sourceforge.net/sourceforge/pam-mysql/pam_mysql-0.5.tar.gz
3>配置pam配置文件,在/etc/pam.d中新建openvpn内容如下
account required pam_mysql.so user=vpn passwd=vpn host=192.168.1.11 db=openvpn table=user usercolumn=username passwdcolumn=password
4>OPENVPN服务器配置
plugin /usr/sharelib/openvpn-auth-pam.so openvpn 其余配置与上同//加载/etc/pam.d/openvpn配置文件
5>客户端配置与上同.
-------------------------------
How to install a OpenVPN System Based On User/Password Authentication with mysql
Source Page: http://sysadmin.compxtreme.ro/how-to-install-a-openvpn-system-based-on-userpassword-authentication-with-mysql-day-control-libpam-mysql/
here comes the article:
This document describes how to install a OpenVPN server with User/Password authentication with mysql and day control using libpam-mysql. This will be a brief, but a very practical document.
Install mysql server
Create user
CREATE DATABASE openvpn;
USE openvpn;
GRANT ALL PRIVILEGES ON `openvpn`.* TO 'openvpn'@'localhost';
FLUSH PRIVILEGES;
`user_id` varchar(32) COLLATE utf8_unicode_ci NOT NULL,
`user_pass` varchar(32) COLLATE utf8_unicode_ci NOT NULL DEFAULT '1234',
`user_mail` varchar(64) COLLATE utf8_unicode_ci DEFAULT NULL,
`user_phone` varchar(16) COLLATE utf8_unicode_ci DEFAULT NULL,
`user_start_date` date NOT NULL,
`user_end_date` date NOT NULL,
`user_online` enum('yes','no') NOT NULL DEFAULT 'no',
`user_enable` enum('yes','no') NOT NULL DEFAULT 'yes',
PRIMARY KEY (`user_id`),
KEY `user_pass` (`user_pass`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
`log_id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`user_id` varchar(32) COLLATE utf8_unicode_ci NOT NULL,
`log_trusted_ip` varchar(32) COLLATE utf8_unicode_ci DEFAULT NULL,
`log_trusted_port` varchar(16) COLLATE utf8_unicode_ci DEFAULT NULL,
`log_remote_ip` varchar(32) COLLATE utf8_unicode_ci DEFAULT NULL,
`log_remote_port` varchar(16) COLLATE utf8_unicode_ci DEFAULT NULL,
`log_start_time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
`log_end_time` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00',
`log_received` float NOT NULL DEFAULT '0',
`log_send` float NOT NULL DEFAULT '0',
PRIMARY KEY (`log_id`),
KEY `user_id` (`user_id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
cd /etc/openvpn/easy-rsa/2.0/
export KEY_COUNTRY="SE"
export KEY_PROVINCE="SE"
export KEY_CITY="STOCKHOLM"
export KEY_ORG="Company Name"
export KEY_EMAIL="email@example.org"
export KEY_CN=vpn.example.org
export KEY_NAME=operations
export KEY_OU=operations
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
Disable unqiue subject
./clean-all
./build-ca
./build-key-server vpn.example.org
./build-dh
cp -a keys /etc/openvpn/.
account required pam_mysql.so user=openvpn passwd=lNPg5TAIy82zFpEn host=localhost db=openvpn [table=user] usercolumn=user.user_id passwdcolumn=user.user_pass [where=user.user_enable=1 AND user.user_start_date!=user.user_end_date AND TO_DAYS(now()) >= TO_DAYS(user.user_start_date) AND (TO_DAYS(now()) <= TO_DAYS(user.user_end_date) OR user.user_end_date='0000-00-00')] sqllog=0 crypt=0
##Dababase Server
HOST='127.0.0.1'
#Default port = 3306
PORT='3306'
#Username
USER='openvpn'
#Password
PASS='lNPg5TAIy82zFpEn'
#database name
DB='openvpn'
. /etc/openvpn/scripts/config.sh
##insert data connection to table log
mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "INSERT INTO log (log_id,user_id,log_trusted_ip,log_trusted_port,log_remote_ip,log_remote_port,log_start_time,log_end_time,log_received,log_send) VALUES(NULL,'$common_name','$trusted_ip','$trusted_port','$ifconfig_pool_remote_ip','$remote_port_1',now(),'0000-00-00 00:00:00','$bytes_received','$bytes_sent')"
##set status online to user connected
mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "UPDATE user SET user_online='yes' WHERE user_id='$common_name'"
. /etc/openvpn/scripts/config.sh
##set status offline to user disconnected
mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "UPDATE user SET user_online='no' WHERE user_id='$common_name'"
##insert data disconnected to table log
mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "UPDATE log SET log_end_time=now(),log_received='$bytes_received',log_send='$bytes_sent' WHERE log_trusted_ip='$trusted_ip' AND log_trusted_port='$trusted_port' AND user_id='$common_name' AND log_end_time='0000-00-00 00:00:00'"
chmod 600 /etc/openvpn/pw-management-file
port 1194
proto udp
dev tun
##keys
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpn.example.org.crt
key /etc/openvpn/keys/vpn.example.org.key
dh /etc/openvpn/keys/dh2048.pem
##FIXME: ip for the clients
server 10.0.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
##FIXME: routes pushed to the client
push "route 172.16.1.0 255.255.255.0"
push "route 10.0.0.0 255.0.0.0"
push "route 195.248.229.19 255.255.255.255"
##Auth
comp-lzo
user nobody
#group nogroup
client-to-client
#client-cert-not-required
username-as-common-name
##user/pass auth from mysql
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
##script connect-disconnect
script-security 3 system
client-connect /etc/openvpn/scripts/connect.sh
client-disconnect /etc/openvpn/scripts/disconnect.sh
##management
management localhost 1194 pw-management-file
keepalive 10 120
persist-key
persist-tun
status status.log
verb 3
openvpn是一种搭建非常简单,并且穿透能力极强的SSLVPN,使用TLS作为会话握手机制,握手成功之后会建立非常安全的SSL隧道,并且有TCP和UDP两种模式可选,没有IPSECVPN等同IP穿透和连接数等烦恼的限制,同一个IP最大可连接数量可达512个,正因为OPENVPN使用起来如此方便并且广泛的原因,所以在国内也受到了相当强大的干扰。
那么,有没有稳定使用它的方法呢?虽然现在有更稳定的shadowsocks等代理方式,但是shadowsocks可没有和VPN一样的组建局域网的功能呀。
有,现在呢我就分享一下我稳定使用openvpn的方式。
一.在windows桌面系统的方案。
1.可以使用openvpn over shadowsocks的方式来解决,不过这也要求openvpn需要使用tcp模式才可以,方法很简单,导入openvpn配置文件之后,用管理员程序运行客户端,然后再打开shadowsocks客户端,设置好shadowsocks。
再然后,在任务栏鼠标右击,选择settings,找到弹出窗口中的proxy选择,选择自定义proxy,类型为socks,端口就是shadowsocks本地代理那里填写的1080,填写好,保存确定,保持shadowsocks客户端开启,此时就可以连接openvpn了,感受下,是不是不会被阻断呢?
2.忽略RST。
如果你的电脑是在linux下,在linux下连接openvpn的话,完全可以使用iptables忽略RST的方式进行连接,只不过需要你的服务器是自己的可以操作。(因为需要双方都忽略)。
3.手机端可以用的方式
同上,把iptables规则写成一个.sh结尾的脚本放到手机里,用RE管理器打开执行就好。(需要ROOT,并且每次重启需要连接openvpn的时候都需要执行一次)(双方忽略RST)
双方忽略之后就可以成功连上了,再也不会有任何ERROR。
此外,openwrt等路由器有ssh权限的话也可以通过双方忽略RST包的方式来连接OPENVPN,起码不会被干扰。(要是因为电信等QOS原因的话我也没办法,你需要选择合适的线路才可以达到夜夜满速)
--------------------------
(http://web.archive.org/web/20130424012150/http://www.lostriver.net/efficiency-problem-on-win32-openvpn/)
比较有用。总结而言,就是在server.conf中加上(根据ipv4v4或ipv6自选):
https://www.linode.com/docs/networking/vpn/secure-communications-with-openvpn-on-ubuntu-10-04-lucid/
https://www.linode.com/docs/networking/vpn/secure-communications-with-openvpn-on-ubuntu-10-04-lucid/#sph_installing-openvpn
----------------
安装openvpn
If you want more than just pre-shared keys OpenVPN makes it easy to setup and use a Public Key Infrastructure (PKI) to use SSL/TLS certificates for authentication and key exchange between the VPN server and clients. OpenVPN can be used in a routed or bridged VPN mode and can be configured to use either UDP or TCP. The port number can be configured as well, but port 1194 is the official one. And it is only using that single port for all communication. VPN client implementations are available for almost anything including all Linux distributions, OS X, Windows and OpenWRT based WLAN routers.
Server Installation
sudo apt-get install openvpn
Public Key Infrastructure Setup
- a separate certificate (also known as a public key) and private key for the server and each client, and
- a master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates.
Both server and client will authenticate the other by first verifying that the presented certificate was signed by the master certificate authority (CA), and then by testing information in the now-authenticated certificate header, such as the certificate common name or certificate type (client or server).
Certificate Authority Setup
mkdir /etc/openvpn/easy-rsa/ cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
export KEY_COUNTRY="US" export KEY_PROVINCE="NC" export KEY_CITY="Winston-Salem" export KEY_ORG="Example Company" export KEY_EMAIL="steve@example.com"
cd /etc/openvpn/easy-rsa/ source vars ./clean-all ./build-ca
Server Certificates
./build-key-server myservername
Diffie Hellman parameters must be generated for the OpenVPN server:
./build-dh
cd keys/ cp myservername.crt myservername.key ca.crt dh1024.pem /etc/openvpn/
Client Certificates
cd /etc/openvpn/easy-rsa/ source vars ./build-key client1
- /etc/openvpn/ca.crt
- /etc/openvpn/easy-rsa/keys/client1.crt
- /etc/openvpn/easy-rsa/keys/client1.key
Simple Server Configuration
root@server:/# ls -l /usr/share/doc/openvpn/examples/sample-config-files/ total 68 -rw-r--r-- 1 root root 3427 2011-07-04 15:09 client.conf -rw-r--r-- 1 root root 4141 2011-07-04 15:09 server.conf.gz
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/ sudo gzip -d /etc/openvpn/server.conf.gz
ca ca.crt cert myservername.crt key myservername.key dh dh1024.pem
root@server:/etc/openvpn# /etc/init.d/openvpn start * Starting virtual private network daemon(s)... * Autostarting VPN 'server' [ OK ]
root@server:/etc/openvpn# ifconfig tun0 tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 [...]
Simple Client Configuration
sudo apt-get install openvpn
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
ca ca.crt cert client1.crt key client1.key
client remote vpnserver.example.com 1194
root@client:/etc/openvpn# /etc/init.d/openvpn start * Starting virtual private network daemon(s)... * Autostarting VPN 'client' [ OK ]
root@client:/etc/openvpn# ifconfig tun0 tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
root@client:/etc/openvpn# ping 10.8.0.1 PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data. 64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=0.920 ms
root@client:/etc/openvpn# netstat -rn Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun0 192.168.42.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 0.0.0.0 192.168.42.1 0.0.0.0 UG 0 0 0 eth0
First trouble shooting
- Check your syslog, e.g. grep -i vpn /var/log/syslog
- Can the client connect to the server machine? Maybe a firewall is blocking access? Check syslog on server.
- Client and server must use same protocol and port, e.g. UDP port 1194, see port and proto config option
- Client and server must use same config regarding compression, see comp-lzo config option
- Client and server must use same config regarding bridged vs routed mode, see server vs server-bridge config option
Advanved configuration
Advanced routed VPN configuration on server
Or you might push a default gateway to all the clients to send all their internet traffic to the VPN gateway first and from there via the company firewall into the internet. This section shows you some possible options.
Push routes to the client to allow it to reach other private subnets behind the server. Remember that these private subnets will also need to know to route the OpenVPN client address pool (10.8.0.0/24) back to the OpenVPN server.
push "route 10.0.0.0 255.0.0.0"
push "redirect-gateway def1 bypass-dhcp"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 10.0.0.2" push "dhcp-option DNS 10.1.0.2"
client-to-client
comp-lzo
keepalive 1 3
user nobody group nogroup
# client config! auth-user-pass
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
Advanced bridged VPN configuration on server
Prepare interface config for bridging on server
sudo apt-get install bridge-utils
auto eth0 iface eth0 inet static address 1.2.3.4 netmask 255.255.255.248 default 1.2.3.1 auto eth1 iface eth1 inet static address 10.0.0.4 netmask 255.255.255.0
auto eth0 iface eth0 inet static address 1.2.3.4 netmask 255.255.255.248 default 1.2.3.1 auto eth1 iface eth1 inet manual up ip link set $IFACE up promisc on auto br0 iface br0 inet static address 10.0.0.4 netmask 255.255.255.0 bridge_ports eth1
sudo /etc/init.d/network restart
Prepare server config for bridging
;dev tun dev tap up "/etc/openvpn/up.sh br0 eth1" ;server 10.8.0.0 255.255.255.0 server-bridge 10.0.0.4 255.255.255.0 10.0.0.128 10.0.0.254
#!/bin/sh BR=$1 ETHDEV=$2 TAPDEV=$3 /sbin/ip link set "$TAPDEV" up /sbin/ip link set "$ETHDEV" promisc on /sbin/brctl addif $BR $TAPDEV
sudo chmod 755 /etc/openvpn/up.sh
sudo /etc/init.d/openvpn restart
Client Configuration
sudo apt-get install openvpn
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn
dev tap ;dev tun
sudo /etc/init.d/openvpn restart
Client software implementations
Linux Network-Manager GUI for OpenVPN
root@client:~# apt-get install network-manager-openvpn Reading package lists... Done Building dependency tree Reading state information... Done The following extra packages will be installed: liblzo2-2 libpkcs11-helper1 network-manager-openvpn-gnome openvpn Suggested packages: resolvconf The following NEW packages will be installed: liblzo2-2 libpkcs11-helper1 network-manager-openvpn network-manager-openvpn-gnome openvpn 0 upgraded, 5 newly installed, 0 to remove and 631 not upgraded. Need to get 700 kB of archives. After this operation, 3,031 kB of additional disk space will be used. Do you want to continue [Y/n]?
root@client:~# restart network-manager network-manager start/running, process 3078
OpenVPN with GUI for Mac OS X: Tunnelblick
# sample client.ovpn for Tunnelblick client remote blue.example.com port 1194 proto udp dev tun dev-type tun ns-cert-type server reneg-sec 86400 auth-user-pass auth-nocache auth-retry interact comp-lzo yes verb 3 ca ca.crt cert client.crt key client.key
OpenVPN with GUI for Win 7
You need to start the OpenVPN service. Goto Start > Computer > Manage > Services and Applications > Services. Find the OpenVPN service and start it. Set it’s startup type to automatic. When you start the OpenVPN MI GUI the first time you need to run it as an administrator. You have to right click on it and you will see that option.
You will have to write your OpenVPN config in a textfile and place it in C:\Program Files\OpenVPN\config\client.ovpn along with the CA certificate. You could put the user certificate in the user’s home directory like in the follwing example.
# C:\Program Files\OpenVPN\config\client.ovpn client remote server.example.com port 1194 proto udp dev tun dev-type tun ns-cert-type server reneg-sec 86400 auth-user-pass auth-retry interact comp-lzo yes verb 3 ca ca.crt cert "C:\\Users\\username\\My Documents\\openvpn\\client.crt" key "C:\\Users\\username\\My Documents\\openvpn\\client.key" management 127.0.0.1 1194 management-hold management-query-passwords auth-retry interact
OpenVPN for OpenWRT
Log into your OpenWRT router and install OpenVPN:
opkg update opkg install openvpn
config openvpn client1 option enable 1 option client 1 # option dev tap option dev tun option proto udp option ca /etc/openvpn/ca.crt option cert /etc/openvpn/client.crt option key /etc/openvpn/client.key option comp_lzo 1
/etc/init.d/openvpn restart
References
- See the OpenVPN website for additional information.
- OpenVPN hardening security guide
http://colekcolek.com/2011/07/21/how-to-install-openvpn-in-ubuntu-11-04/ ,这个仅供参考。
http://archive.is/wP8J7
------------
https://github.com/dustinmhorvath/EasyOpenVPN
-------------
openvpn实现用户名/密码登陆
0x00 openvpn安装
网上教程一堆,这里采用懒人傻瓜式安装方式,感谢大佬的脚本:https://github.com/Nyr/openvpn-install.bash openvpn-install.sh然后一路回车不到一分钟即可搭建好一个openVPN服务器。。。
0x01 服务端配置
在server.conf中添加如下内容vim /etc/openvpn/server.conf
1 2 3 | auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env username-as-common-name script-security 3 execve |
vim /etc/openvpn/checkpsw.sh
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 | !/bin/sh ########################################################## |
chmod 755 /etc/openvpn/checkpsw.sh在/etc/openvpn目录下添加用户名密码文件psw-file:
vim /etc/openvpn/psw-file
1 2 | user1 pass1 # 用户名 密码以空格隔开 user2 pass2 |
chmod 400 /etc/openvpn/psw-file重启服务:
service openvpn restart
0x02 客户端配置
在服务器安装openvpn时生成的client.ovpn末尾加入一行:1
| auth-user-pass
|
0x03 坑点
使用openvpn-install.sh安装时,选择TCP(默认)方式无法使用用户名密码登陆,选择UDP则没有问题。-------
一个基于openvpn的vpn程序:diy-vpn
Install
cd
into it, and sudo bash install.sh
.Usage
Configure
client.conf
, you'll need to replace
(L42) with the hostname or address of your VPN server. You can modify other configuration options in client.conf
and server.conf
if you feel so inclined.Add a client
cd
into the project directory on the host and run the following command:$ sudo bash add-client.sh
client.conf
, the CA certificate, a private key and certificate for the client. Then it zips and encrypts the directory with a password you provide.clients/.zip
. If you have SSH access to the VPN host, sftp
should work.$ unzip -d ~ .zip
$ rm .zip
~/openvpn
.Start the VPN server
diy-vpn
as a systemd service:$ sudo systemctl start diy-vpn
$ sudo systemctl stop diy-vpn
$ sudo systemctl restart diy-vpn
Remove a client
$ sudo bash remove-client.sh
Connect the client
On macOS
client.conf
file into "Configurations" on the left side of the app window. Tunnelblick should ask you a few questions and install the client configuration.On Ubuntu
$ sudo apt install network-manager-openvpn-gnome
- Open "Settings" and click on "Network"
- Add (+) a VPN and select the "OpenVPN" option
- Name the VPN whatever you want
- Under "General", enter the address/hostname of the VPN server for "Gateway"
- Under "Authentication", choose the "CA certificate"
~/openvpn/ca.crt
- Choose the "User certificate"
~/openvpn/client.crt
- Choose the "User private key"
~/openvpn/private/client.key
- You can save your "User key password" or click the (?) on the right and select another option (e.g. "Ask for this password every time")
- Click "Advanced" and then "TLS Authentication"
- Under "Additional TLS authentication or encryption", select "TLS-crypt" for "Mode"
- Choose
~/openvpn/private/ta.key
for "Key file" - Select 1 for "Key Direction" and click OK!
--------------------------------
OpenVPN设置条件代理的方法
route命令第一参数为IP地址,第二地址为网子掩码,位与得到网段。下面我们以SHUVPN为例:
如何设置条件代理
- 假设我们在vpn.shu.edu.cn下载了一个ovpn文件,并且修改ovpn文件添加如下一行:
route-nopull 命令解释:不从服务端拉取代理配置。
- 如果我们修改ovpn文件添加如下一行:
route 202.120.127.0 255.255.255.0 vpn_gateway 命令解释:将202.120.127.*设置为使用OpenVPN代理。
如何设置代理例外
- 如果我们修改ovpn文件添加如下第二行:
route 202.120.127.0 255.255.255.0 vpn_gateway 命令解释:将202.120.127.*设置为OpenVPN代理,但202.120.127.105走本地网络(202.120.127.105是我们VPN连接的目标服务器的IP地址,应该加入例外)。
route 202.120.127.105 255.255.255.255 net_gateway
一个SHUVPN的条件代理demo
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 | client dev tun proto tcp remote 202.120.127.105 80 comp-lzo resolv-retry infinite nobind persist-key persist-tun setenv CLIENT_CERT 0 auth-user-pass remote-cert-tls server verb 3 sndbuf 0 rcvbuf 0 cipher none route-nopull route 10.95.192.1 255.255.255.255 vpn_gateway route 9.9.9.2 255.255.255.255 vpn_gateway route 10.105.3.129 255.255.255.255 vpn_gateway route 172.16.255.253 255.255.255.255 vpn_gateway #route 172.31.0.0 255.255.0.0 vpn_gateway route 202.120.0.0 255.255.0.0 vpn_gateway route 202.121.0.0 255.255.0.0 vpn_gateway route 202.120.127.105 255.255.255.255 net_gateway |
思路:linux下挂上全局OpenVPN,使用traceroute命令访问被教育网墙掉的几个网站,记录经过的几个IP地址,逐一添加到条件代理中去。经查询,202.120.112~202.120.127段与202.121.192~202.121.199是SHU的公网段。由于202.120.127.105是目标服务器IP地址,因此加入例外,否则OpenVPN将无法正常工作。
Linux下添加开机自启
1
| sudo openvpn --daemon --config ~/shu.ovpn --auth-user-pass ~/pass.txt
|
linux版本不同方法也不同,有的linux版本自启时没有su权限,使用sudo会无法进入图形界面(好像是Fedora),下面仅以deepin为例(debian系):
使用systemd执行rc.local
在使用了systemd作为启动器的系统(如较新版的deepin)中,默认不包含rc.local文件。此时请在/etc目录下以管理员权限创建一个名为rc.local的纯文本文件,并写入如下内容:
1 2 3 4 5 6 7 > #!/bin/bash > # rc.local config file created by use > > 把你需要执行的命令写在这里 > > exit 0 >
保存后,赋予该文件可执行权限:sudo chmod +x /etc/rc.local
。下次重启时,systemd就会自动执行rc.local里面的命令了
因此我们如法炮制,把sudo openvpn --daemon --config ~/shu.ovpn --auth-user-pass ~/pass.txt
写入即可(deepin自启有su权限,故可以加sudo)。Shell中敲入reboot回车,一切明朗
------------------
OpenVPN笔记-01
安装与配置OpenVPN服务端
服务端为Debian 10,其他发行版如Ubuntu 20.04和CentOS 7,也都一键就可以安装OpenVPN,版本都为2.4.xx。这里使用tap模式,用户名密码认证,且使用临时文件验证
|
|
安装后创建配置文件 /etc/openvpn/server/tap0.conf,内容如下:
# 监听443端口 port 443 # 使用TCP作为传输方式,客户端会在一个TCP连接上承载所有流量 proto tcp # 使用TAP模式 dev tap # 设置MTU为1500 tun-mtu 1500 # 设置拓扑结构为子网 topology subnet # 设置VPN网段,转换为CIDR格式对应10.100.0.0/24 server 10.100.0.0 255.255.255.0 # 客户端配置文件,若需要为客户端分配固定IP可以在此设置,按用户名(或CN)存放文件 # client-config-dir /etc/openvpn/ccd # 自签名的根证书 ca /etc/openvpn/server/ca.crt # 自签名的服务端证书 cert /etc/openvpn/server/server.crt # 自签名的服务端密钥 key /etc/openvpn/server/server.key # dh交换参数 dh /etc/openvpn/server/dh2048.pem tls-server tls-version-min 1.2 # 认证方式设置 verify-client-cert none # 使用用户名作为CN username-as-common-name # 设置脚本安全等级,等级2允许通过文件传递认证信息 script-security 2 # 使用临时文件验证,用户名和密码保存在临时文件中,作为参数传给可执行文件 auth-user-pass-verify /etc/openvpn/server/verify via-file # others keepalive 10 120
cipher AES-256-CBC
persist-key persist-tun # 状态文件,在此文件中可查看已连接的客户端信息 status /var/log/openvpn/openvpn-status.log # 日志文件 log-append /var/log/openvpn/openvpn.log verb 3
使用openssl生成随机的账号密码和配置文件:
|
|
启动服务:
|
|
检查网卡与日志:
|
|
3. 安装与配置OpenVPN客户端
tap模式仅支持Linux和安装了tap插件的Windows系统,这里使用Linux演示,客户端也使用Debian 10,安装好openvpn后,创建配置文件 /etc/openvpn/client/tap0.conf,内容如下:
|
|
启动服务:
|
|
检查网卡与日志:
|
|
可以看到分配了10.100.0.2的内网IP,测试一下联通性:
|
|
10.100.0.0/24段的流量默认路由到了tap0,如果需要全局代理,设置默认路由即可.
4. 公网IP绑定与内网服务暴露
上述的配置中,笔者只将VPN作为一个打通内网的工具来使用,如果需要为内网设备绑定外网IP或暴露内网服务到公网时,需要使用iptables设置转发规则。
回到server,查看所有网卡,如下:
|
|
假设我们在eth0上绑定了200.59.100.2~200.59.100.6的IP,现在需要将这些IP一对一绑定到10.100.0.2~10.100.0.6的内网设置,且每个设备需要暴露80端口,则执行以下iptables命令:
|
|
在配置完成后,以 10.100.0.2 设备为例:
- 访问内网IP:10.100.0.2 -> 10.100.0.1 -> 10.00.0.3
- 访问外网IP:10.100.0.2 -> 10.100.0.1 -> 200.59.100.2 -> 8.8.8.8
- 外网访问80端口:8.8.8.8 -> 200.59.100.2:80 -> 10.100.0.1 -> 10.100.0.2:80
OpenVPN笔记-02
1. 前言
最近有时间又研究了下OpenVPN,发现这个老牌VPN还是有许多闪光点,例如:
- 在用户空间运行,几乎适配所有操作系统
- 使用OpenSSL加密库的SSL/TLS,能受益于这些标准组件的升级和优化
- 支持TCP/UDP的方式创建隧道承载上层流量,UDP丢包率高的环境下可以切换TCP,并绕过一些防火墙限制,例如只允许443端口的进出站的环境
- 支持配置SOCKS代理,能嵌套其他代理工具组合使用
除了配置复杂外(配置是在占了太多),剩下的都是优点,上一篇中讨论了TAP模式的配置,但除了Linux外,其他系统对TAP都不太友好,这里就对比下TAP与TUN,并记录下TUN模式部署方法
2. TAP vs TUN
OpenVPN的维基中已经详细论述了TAP与TUN的区别:BridgingAndRouting
什么情况下需要TAP:
- 需要桥接
- 需要在OpenVPN 2.2或更早版本传输非IP流量或IPv6流量
- 需要LAN和VPN客户端位于同一个广播域中
- 需要LAN的DHCP服务器为VPN客户端提供DHCP地址
- 需要访问Windows服务器,并且需要网络邻居发现才能通过VPN工作
TAP看上去似乎比TUN更简洁,但是也带来很多隐藏的问题,下面是两者的优缺点比较:
TAP的优点:
- 表现得像一个真实的网络适配器
- 可以传输任何网络协议(IPv4、IPv6、Nettalk、IPX 等)
- 工作在第2层,以太网帧可通过VPN隧道传递
- 可用于桥接
TAP的缺点:
- 在VPN隧道上有更多的广播开销
- 在VPN隧道传输的所有数据包都会添加以太网数据帧头部造成额外开销
- 不能用于Android或iOS设备
- 扩展性差
TUN的优点:
- 较低的流量开销,仅传输发往VPN客户端的流量
- 仅传输第3层的IP数据包
TUN 缺点:
- 无法传输广播流量
- 只能传输 IPv4(OpenVPN 2.3 增加了 IPv6)
- 不能用于桥接
综上所述:
- 只需要使用VPN的代理功能或客户端设备受限于安卓/iOS/macOS等时,可以选择TUN模式
- 需要更复杂的网络配置时,使用TAP模式,例如UDP广播、公网IP绑定、虚拟机接入VPN等等
3. 安装与配置OpenVPN服务端
安装内容不再赘述,安装后创建配置文件 /etc/openvpn/server/tun0.conf,内容如下:
|
|
启动服务:
|
|
检查网卡与日志:
|
|
4. 安装与配置OpenVPN客户端
客户端使用macOS,通过homebrew安装openvpn-connect:
|
|
编写openvpn.opvn配置文件:
|
|
将openvpn.ovpn与auth.txt文件放在同一个目录下,然后打开OpenVPN导入配置.
------
OpenVPN是VPN商家防止被墙的主力,OpenVPN防墙有verify-x509-name验证,TLS Crypt v2验证,XOR-Patched VPN混淆等方式。
https://github.com/angristan/openvpn-install 搭建脚本,默认启用verify-x509-name验证
https://github.com/alinhayati/openvpn-install 搭建脚本,添加TLS Crypt v2支持.
openvpn-xor混淆可以参考:
https://github.com/x0r2d2/openvpn-xor
https://github.com/xeon2650/openvpn-xor
支持的xor混淆的客户端:
Windows: https://github.com/lawtancool/openvpn-windows-xor
macOS:https://tunnelblick.net/cOpenvpn_xorpatch.html
Android: https://github.com/lawtancool/ics-openvpn-xor
iOS: https://apps.apple.com/us/app/passepartout-vpn-client/id1433648537
国外主流VPN商家对待封锁都采取了不同的策略,比如VyprVPN基于openvpn修改的Chameleon协议,expressvpn基于WireGuard修改的Lightway协议,不过效果都不算很好。
------------
相关帖子:
https://briteming.blogspot.com/2017/08/openvpncipher.html