Friday, 18 August 2017

Compiling OpenVPN (with cipher enabled in the config files) to successfully get through the GFW (original article)

I ran the openvpn-install one-click installer script on a KVM VPS from bandwagonhost.com and, to my surprise, it failed. So I decided to compile OpenVPN myself.

wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.10.tar.gz
tar zxvf lzo-2.10.tar.gz
cd lzo-2.10
./configure
make
make install

cd ~
wget https://swupdate.openvpn.org/community/releases/openvpn-2.4.3.tar.gz
(or: wget https://build.openvpn.net/downloads/releases/openvpn-2.4.3.tar.gz)
tar zxvf openvpn-2.4.3.tar.gz
cd openvpn-2.4.3
./configure
make
make install


[root@host openvpn-2.4.3]# cd sample
[root@host sample]# ls
Makefile     Makefile.in          sample-keys     sample-scripts
Makefile.am  sample-config-files  sample-plugins  sample-windows
[root@host sample]# ls sample-keys
ca.crt         client-ec.key    dh2048.pem          server.crt     ta.key
ca.key         client.key       gen-sample-keys.sh  server-ec.crt
client.crt     client.p12       openssl.cnf         server-ec.key
client-ec.crt  client-pass.key  README              server.key
[root@host sample]# mkdir /etc/openvpn-2.4.3
[root@host sample]# cp -rf sample-keys/* /etc/openvpn-2.4.3/
[root@host sample]# ls sample-config-files
client.conf      loopback-server      README              tls-home.conf
firewall.sh      office.up            server.conf         tls-office.conf
home.up          openvpn-shutdown.sh  static-home.conf    xinetd-client-config
loopback-client  openvpn-startup.sh   static-office.conf  xinetd-server-config
[root@host sample]# cp sample-config-files/client.conf /etc/openvpn-2.4.3/
[root@host sample]# cp sample-config-files/server.conf /etc/openvpn-2.4.3/
[root@host sample]# cd /etc/openvpn-2.4.3/
[root@host openvpn-2.4.3]# nano openvpn-server.conf
(the contents of openvpn-server.conf are shown below)
[root@host openvpn-2.4.3]# cat openvpn-server.conf
port 1278
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca /etc/openvpn-2.4.3/ca.crt
cert /etc/openvpn-2.4.3/server.crt
key /etc/openvpn-2.4.3/server.key
dh /etc/openvpn-2.4.3/dh2048.pem
auth SHA512
tls-auth /etc/openvpn-2.4.3/ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 9.9.9.9"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
[root@host openvpn-2.4.3]# nano client1.ovpn
(the contents of client1.ovpn are shown below)
[root@host openvpn-2.4.3]# cat client1.ovpn
client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote my-vps-ip 1278
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
auth SHA512
setenv opt block-outside-dns
key-direction 1

verb 3
<ca>
here paste the contents of ca.crt
</ca>
<cert>
here paste the contents of client.crt
</cert>
<key>
here paste the contents of client.key
</key>
<tls-auth>
here paste the contents of ta.key
</tls-auth>
[root@host openvpn-2.4.3]#
(Running gen-sample-keys.sh in the current directory generates a different set of certificates/private keys and so on. Also note: do not change the line push "dhcp-option DNS 9.9.9.9" above to push "dhcp-option DNS 8.8.8.8", because 8.8.8.8 is already blocked while 9.9.9.9 is not yet. If some day 9.9.9.9 gets blocked too, set up your own DNS server, for example with BIND or PowerDNS, and once it works replace 9.9.9.9 with your own VPS's IP.)

Settings so that the OpenVPN server can reach the outside network:

Enable IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
# sysctl -w sets the same runtime value; neither command survives a reboot on its own,
# so also write the setting to /etc/sysctl.conf to keep forwarding enabled after the VPS restarts
sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
Add the iptables NAT rule:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE


Start the OpenVPN server:
openvpn --config /etc/openvpn-2.4.3/openvpn-server.conf --daemon
Started this way, however, OpenVPN will not come back up by itself when the VPS reboots, so it is better to set it up with systemd.
First run killall openvpn, then
nano /etc/systemd/system/openvpn.service
with the following contents:
[Unit]
After=network.target

[Service]
ExecStart=/usr/local/sbin/openvpn --config /etc/openvpn-2.4.3/openvpn-server.conf
Restart=always

[Install]
WantedBy=multi-user.target

Then,

systemctl start openvpn
systemctl enable openvpn

Download the client config file client1.ovpn to your local computer (on Windows, put it in the
c:\program files\openvpn\config\ directory; on a Mac, first install Tunnelblick, then search for
client1.ovpn in Finder and double-click it to import it into Tunnelblick).

Start the client program; once the connection succeeds, you are through the GFW.

I downloaded the 2007 version of OpenVPN:
http://openvpn.net/release/openvpn-2.1_rc15.tar.gz

After unpacking it, I went into the openvpn-2.1_rc15 directory and then into sample-config-files,
opened server.conf and found the following in it:
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

And opening client.conf, I found this:
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x


Back then hardly anyone enabled the cipher AES-128-CBC line, and as a result, around November 2012, OpenVPN's traffic
signature was recognised by the GFW and blocked, and OpenVPN died out. Had the
cipher AES-128-CBC line been enabled, I guess the GFW would have been helpless against OpenVPN even then.

Now, with cipher AES-256-CBC enabled in the config files on both the server and the client side, the GFW can do nothing against OpenVPN.
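The point made twice above, in the server/client configs earlier in the post and in the 2007 client.conf with its commented-out ";cipher x", is that cipher (and the other transport settings) must be set identically on both ends or the tunnel silently falls back to the old default. Below is an added example, not part of the original post, that parses an OpenVPN server config and a client .ovpn and reports every setting that differs or falls back to the legacy default. It is run on constructed copies of the configs shown in the post (embedded as strings rather than read from /etc/openvpn-2.4.3/) and on a client in the style of the 2007 client.conf; the legacy-cipher list and all function names are my own.

```python
import re

# Constructed sample: the server config from the post (not read from disk).
SERVER_CONF = """\
port 1278
proto udp
dev tun
ca /etc/openvpn-2.4.3/ca.crt
cert /etc/openvpn-2.4.3/server.crt
key /etc/openvpn-2.4.3/server.key
auth SHA512
tls-auth /etc/openvpn-2.4.3/ta.key 0
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
cipher AES-256-CBC
comp-lzo
"""

# Constructed sample: client1.ovpn from the post, inline blocks holding placeholders.
CLIENT_OVPN = """\
client
dev tun
proto udp
remote my-vps-ip 1278
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
auth SHA512
key-direction 1
<ca>
(placeholder for ca.crt)
</ca>
<tls-auth>
(placeholder for ta.key)
</tls-auth>
"""

# Constructed sample in the style of the 2007 client.conf: cipher left commented out.
OLD_CLIENT_CONF = """\
client
dev tun
proto udp
remote my-vps-ip 1278
;cipher x
"""

# Historical default when no cipher line is given, plus the legacy choices from the old server.conf.
DEFAULT_CIPHER = "BF-CBC"
LEGACY_CIPHERS = {"BF-CBC", "DES-EDE3-CBC", "DES-CBC", "RC2-CBC"}

# Inline <ca>...</ca> style blocks; the closing tag must match the opening one.
INLINE_BLOCK = re.compile(r"^<([\w-]+)>\n.*?^</\1>\n?", re.S | re.M)


def parse(text):
    """Return {directive: [args, ...]}, one args list per occurrence.

    Comment lines (# or ;) are skipped; an inline block is recorded as the
    directive with the single argument '<inline>' so it counts as present.
    """
    opts = {}
    for m in INLINE_BLOCK.finditer(text):
        opts.setdefault(m.group(1), []).append(["<inline>"])
    for raw in INLINE_BLOCK.sub("", text).splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def value(opts, directive, default):
    """Arguments of the first occurrence joined as one string, or default if absent."""
    return " ".join(opts[directive][0]) if directive in opts else default


def key_direction(opts):
    """tls-auth direction: key-direction if given, else tls-auth's 2nd arg, else None."""
    if "key-direction" in opts:
        return opts["key-direction"][0][0]
    args = opts.get("tls-auth", [[]])[0]
    return args[1] if len(args) >= 2 else None


def check(server_text, client_text):
    """Return a list of findings; empty means both ends agree and no legacy cipher is in use."""
    s, c = parse(server_text), parse(client_text)
    findings = []
    for d in ("proto", "auth"):
        sv, cv = value(s, d, "default"), value(c, d, "default")
        if sv != cv:
            findings.append(f"{d} differs: server={sv} client={cv}")
    s_cipher = value(s, "cipher", DEFAULT_CIPHER)
    c_cipher = value(c, "cipher", DEFAULT_CIPHER)
    if s_cipher != c_cipher:
        findings.append(f"cipher differs: server={s_cipher} client={c_cipher}")
    for side, cipher in (("server", s_cipher), ("client", c_cipher)):
        if cipher in LEGACY_CIPHERS:
            findings.append(f"{side} uses legacy cipher {cipher}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        findings.append("comp-lzo enabled on only one side")
    if "tls-auth" in s:
        if "tls-auth" not in c:
            findings.append("server uses tls-auth but client has no tls-auth key")
        else:
            sd, cd = key_direction(s), key_direction(c)
            if (sd is None) != (cd is None):
                findings.append("tls-auth key-direction given on only one side")
            elif sd is not None and sd == cd:
                findings.append(f"tls-auth key-direction is {sd} on both sides; one must be 0 and the other 1")
    return findings


if __name__ == "__main__":
    for name, client in (("client1.ovpn", CLIENT_OVPN), ("2007-style client", OLD_CLIENT_CONF)):
        print(name, "->", check(SERVER_CONF, client) or "consistent")
```

Run against the post's own pair the check reports nothing; against the 2007-style client it reports the cipher falling back to BF-CBC, the missing auth SHA512, comp-lzo on one side only and the missing tls-auth key. What it cannot tell is whether ca.crt and the keys are the ones from the tarball's sample-keys directory, which ship identically with every copy of OpenVPN; generate your own with gen-sample-keys.sh, as the post mentions, before exposing the server.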

Addendum:
In this post https://briteming.blogspot.com/2019/05/vpnyoutube.html I said "sometimes it is rather hard to connect to the openvpn server". In fact, when you connect to the openvpn server for the first time (on a Mac I use the client program Tunnelblick), Tunnelblick shows "Authenticating", then "Getting settings", and usually connects to the server in under 30 seconds. If after 30 seconds it still shows "Getting settings", don't keep waiting: quit Tunnelblick, restart it, and then it goes as described above, 'Tunnelblick shows "Authenticating", then "Getting settings", and usually connects to the server in under 30 seconds.'

So connecting to the openvpn server is actually quite easy.

Here https://github.com/xl-tech/OpenVPN-easy-setup is a one-click installer package; I have not tried it.

Related posts:
http://www.briten.info/2017/10/openvpn-mysterium-network.html
https://briteming.blogspot.com/2017/07/openvpnopenvpn-installopenvpnopenvpn.html
https://briteming.blogspot.com/2016/05/openvpn-connectiosopenvpn-client.html
---------

http://openvpn.net/release/ only has old versions (openvpn 2.0/2.1).
https://build.openvpn.net/downloads/snapshots/ and
https://build.openvpn.net/downloads/releases/ have all versions of openvpn.
