标签为 GFW 的文章

在CentOS 6上部署Shadowsocks Server

参考资料:
http://www.shadowsocks.org

背景介绍:
相对于VPN而言,搭建一个Shadowsocks服务,然后通过浏览器代理的方式来使用,要方便很多。
它的原理跟SSH Tunnel类似,就是通过Shadowsocks的服务端与其专用的Shadowsocks客户端建立起一个加密的隧道,然后Shadowsocks客户端会在本地监听一个端口,默认为1080;所有经过这个本地端口的数据都会通过这个加密隧道。

相关配置:
OS: CentOS 6.4 x86_64 Minimal

1. 安装Shadowsocks Server
# pip install shadowsocks

2. 配置/etc/shadowsocks.json
# vim /etc/shadowsocks.json

{
  "server": "0.0.0.0",
  "server_port": 443,
  "local_address": "127.0.0.1",
  "local_port": 1080,
  "password": "shadowsockspass",
  "timeout": 600,
  "method": "aes-256-cfb",
  "fast_open": false,
  "workers": 1
}

注解:在以上配置文件中,
定义了监听的服务器地址为任意地址:"server": "0.0.0.0",
定义了监听的服务器端口为443:"server_port": 443,
定义了客户端本地的监听地址为127.0.0.1:"local_address": "127.0.0.1",
定义了客户端本地的监听端口为1080:"local_port": 1080,
定义了密码为shadowsockspass:"password": "shadowsockspass",
定义了连接超时的时间为600秒:"timeout": 600,
定义了加密的方式为aes-256-cfb:"method": "aes-256-cfb",
默认关闭了fast_open属性:"fast_open": false,
定义了进程数为1:"workers": 1

3. 配置/etc/sysctl.conf,新增如下配置:
# vim /etc/sysctl.conf

# For shadowsocks
fs.file-max = 65535
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5120
net.ipv4.tcp_mem = 25600 51200 102400
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_congestion_control = hybla

# sysctl -p

4. 启动Shadowsocks服务
# ssserver -c /etc/shadowsocks.json -d start

# netstat -lntp | grep 443

tcp      0      0      0.0.0.0:443      0.0.0.0:*      LISTEN      11037/python

5. 下载Shadowsocks客户端
Windows:https://github.com/shadowsocks/shadowsocks-csharp/releases/download/2.5.6/Shadowsocks-win-2.5.6.zip
Mac OS X:https://github.com/shadowsocks/shadowsocks-iOS/releases/download/2.6.3/ShadowsocksX-2.6.3.dmg

6. 配置客户端
创建服务器连接,输入:
服务器地址,如:heylinux.com
端口:443
加密方式:aes-256-cfb
密码:shadowsockspass

启动客户端并一直保持在启动状态,默认选择Auto Proxy Mode,并执行一次Update PAC from GFWList,如下图所示:
shadowsocks_client

7. 配置浏览器插件
安装插件Proxy SwitchySharp:https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm

配置插件,如下图所示:
proxy_switchsharp

启用刚刚配置好的Proxy:shadowsocks

8. 结束

, , ,

No Comments

在CentOS 6上部署PPTP VPN Server

参考资料:
https://www.digitalocean.com/community/tutorials/how-to-setup-your-own-vpn-with-pptp

背景介绍:
搭建PPTP VPN Server应该是非常容易的,可身边有不少朋友在参考了一些文章后仍然来求助于我,走了不少的弯路。
因此,觉得自己有必要写一篇文章来讲解一下。毕竟我写文章的习惯是边操作边记录,所以一步一步照着做就可以完成,大家都喜欢看。

相关配置:
OS: CentOS 6.4 x86_64 Minimal

1. 安装EPEL扩展库
# yum install http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

2. 安装PPTP扩展库
# yum install http://poptop.sourceforge.net/yum/stable/rhel6/pptp-release-current.noarch.rpm

3. 安装PPTP VPN Server
# yum install pptpd

4. 编辑/etc/pptpd.conf
# vim /etc/pptpd.conf

###############################################################################
# $Id: pptpd.conf,v 1.11 2011/05/19 00:02:50 quozl Exp $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################

# TAG: ppp
#	Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd

# TAG: option
#	Specifies the location of the PPP options file.
#	By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/options.pptpd

# TAG: debug
#	Turns on (more) debugging to syslog
#
debug

# TAG: stimeout
#	Specifies timeout (in seconds) on starting ctrl connection
#
stimeout 120

# TAG: noipparam
#       Suppress the passing of the client's IP address to PPP, which is
#       done by default otherwise.
#
#noipparam

# TAG: logwtmp
#	Use wtmp(5) to record client connections and disconnections.
#
#logwtmp

# TAG: vrf <vrfname>
#	Switches PPTP & GRE sockets to the specified VRF, which must exist
#	Only available if VRF support was compiled into pptpd.
#
#vrf test

# TAG: bcrelay <if>
#	Turns on broadcast relay to clients from interface <if>
#
#bcrelay eth1

# TAG: delegate
#	Delegates the allocation of client IP addresses to pppd.
#
#       Without this option, which is the default, pptpd manages the list of
#       IP addresses for clients and passes the next free address to pppd.
#       With this option, pptpd does not pass an address, and so pppd may use
#       radius or chap-secrets to allocate an address.
#
#delegate

# TAG: connections
#       Limits the number of client connections that may be accepted.
#
#       If pptpd is allocating IP addresses (e.g. delegate is not
#       used) then the number of connections is also limited by the
#       remoteip option.  The default is 100.
#connections 100

# TAG: localip
# TAG: remoteip
#	Specifies the local and remote IP address ranges.
#
#	These options are ignored if delegate option is set.
#
#       Any addresses work as long as the local machine takes care of the
#       routing.  But if you want to use MS-Windows networking, you should
#       use IP addresses out of the LAN address space and use the proxyarp
#       option in the pppd options file, or run bcrelay.
#
#	You can specify single IP addresses seperated by commas or you can
#	specify ranges, or both. For example:
#
#		192.168.0.234,192.168.0.245-249,192.168.0.254
#
#	IMPORTANT RESTRICTIONS:
#
#	1. No spaces are permitted between commas or within addresses.
#
#	2. If you give more IP addresses than the value of connections,
#	   it will start at the beginning of the list and go until it
#	   gets connections IPs.  Others will be ignored.
#
#	3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#	   you must type 234-238 if you mean this.
#
#	4. If you give a single localIP, that's ok - all local IPs will
#	   be set to the given one. You MUST still give at least one remote
#	   IP for each simultaneous client.
#
# (Recommended)
#localip 192.168.0.1
#remoteip 192.168.0.234-238,192.168.0.245
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
localip 10.192.168.1
remoteip 10.192.168.100-200

注解:在以上配置文件中,
指定了PPP配置文件路径:option /etc/ppp/options.pptpd
开启了调试日志:debug
设置了建立连接时的超时时间为120秒:stimeout 120
PPTP VPN Server的本地地址,即客户端会自动获取到的网关地址:localip 10.192.168.1
分配给客户端的地址范围:remoteip 10.192.168.100-200

5. 编辑/etc/ppp/options.pptpd

###############################################################################
# $Id: options.pptpd,v 1.11 2005/12/29 01:21:09 quozl Exp $
#
# Sample Poptop PPP options file /etc/ppp/options.pptpd
# Options used by PPP when a connection arrives from a client.
# This file is pointed to by /etc/pptpd.conf option keyword.
# Changes are effective on the next connection.  See "man pppd".
#
# You are expected to change this file to suit your system.  As
# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
###############################################################################


# Authentication

# Name of the local system for authentication purposes
# (must match the second field in /etc/ppp/chap-secrets entries)
name ec2-tokyo

# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
#chapms-strip-domain


# Encryption
# (There have been multiple versions of PPP with encryption support,
# choose with of the following sections you will use.)


# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}


# OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o
# {{{
#-chap
#-chapms
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
#+chapms-v2
# Require MPPE encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#mppe-40	# enable either 40-bit or 128-bit, not both
#mppe-128
#mppe-stateless
# }}}


# Network and Routing

# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients.  The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
#ms-dns 10.0.0.1
#ms-dns 10.0.0.2
ms-dns 172.31.0.2

# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients.  The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4

# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system.  This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp

# Normally pptpd passes the IP address to pppd, but if pptpd has been
# given the delegate option in pptpd.conf or the --delegate command line
# option, then pppd will use chap-secrets or radius to allocate the
# client IP address.  The default local IP address used at the server
# end is often the same as the address of the server.  To override this,
# specify the local IP address here.
# (you must not use this unless you have used the delegate option)
#10.8.0.100


# Logging

# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
debug

# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
dump


# Miscellaneous

# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock

# Disable BSD-Compress compression
nobsdcomp

# Disable Van Jacobson compression
# (needed on some networks with Windows 9x/ME/XP clients, see posting to
# poptop-server on 14th April 2005 by Pawel Pokrywka and followups,
# http://marc.theaimsgroup.com/?t=111343175400006&r=1&w=2 )
novj
novjccomp

# turn off logging to stderr, since this may be redirected to pptpd,
# which may trigger a loopback
nologfd

# put plugins here
# (putting them higher up may cause them to sent messages to the pty)

logfile /var/log/pptpd.log
multilink

注解:在以上配置文件中,
定义了PPTP VPN Server的服务名:name ec2-tokyo
定义了加密的规则,如下:
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
定义了推送到客户端的DNS地址:ms-dns 172.31.0.2 (我通常选择PPTP VPN Server所在服务器的默认DNS设置)
允许相同局域网的主机在PPTP VPN Server上互相可见:proxyarp
开启了调试信息:debug
启用了一些通用的设置,如下:
dump
lock
nobsdcomp
novj
novjccomp
nologfd
指定了日志文件的位置:logfile /var/log/pptpd.log
允许把多个物理通道捆绑为单一逻辑信道:multilink

6. 编辑用户账号密码文件/etc/ppp/chap-secrets
# vim /etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# client	server	secret			IP addresses
"username"  *       "password"        *

7. 编辑/etc/sysconfig/iptables-config
修改 IPTABLES_MODULES="" 为 IPTABLES_MODULES="ip_nat_pptp" 确保在启动iptables服务时自动加载模块。

8. 编辑/etc/sysconfig/iptables(默认eth0为公网IP地址所在网口)
# vim /etc/sysconfig/iptables

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1723 -j ACCEPT
-A INPUT -s 10.192.168.0/255.255.255.0 -m state --state NEW -m tcp -p tcp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.192.168.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT

注解:在以上iptables脚本中,
对所有GRE协议的数据包放行;
对TCP端口1723放行;
对整个PPTP VPN的局域网地址段10.192.168.0/24放行;
将整个PPTP VPN的局域网地址段10.192.168.0/24通过NAT映射到eth0网口,实现共享上网;

9. 开启数据转发,编辑/etc/sysctl.conf
修改 net.ipv4.ip_forward = 0 为 net.ipv4.ip_forward = 1
执行 sysctl -p

10. 启动PPTP VPN Server
# /etc/init.d/pptpd restart
# /etc/init.d/iptables restart

11. 设置PPTP VPN Server与iptables服务开机自启动
# chkconfig pptpd on
# chkconfig iptables on

12. 在本地PC上配置客户端并连接PPTP VPN Server

13. 结束

, , ,

No Comments

在CentOS 6上部署OpenVPN Server

参考资料:
https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-6
http://www.unixmen.com/setup-openvpn-server-client-centos-6-5/
http://docs.ucloud.cn/software/vpn/OpenVPN4CentOS.html

背景介绍:
最近,GFW开始针对VPN进行了屏蔽,之前在VPS上搭建的PPTP/L2TP VPN在有些时候都开始变得不稳定了。
因此,打算在VPS上再搭建一个OpenVPN Server,以备不时之需。

相关配置:
OS: CentOS 6.4 x86_64 Minimal

1. 安装EPEL扩展库
# yum install http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

2. 安装所需依赖软件包
# yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig

3. 安装OpenVPN
# yum install openvpn

4. 下载easy-rsa 2.x
# wget https://github.com/OpenVPN/easy-rsa/archive/release/2.x.zip
# unzip 2.x.zip
# cd easy-rsa-release-2.x
# cp -rf easy-rsa /etc/openvpn/

5. 配置easy-rsa vars
# cd /etc/openvpn/easy-rsa/2.0/
# ln -s openssl-1.0.0.cnf openssl.cnf
# chmod +x vars

修改vars文件中以下配置项:
# vim vars

...
# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024

...
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="JP"
export KEY_PROVINCE="JP"
export KEY_CITY="Tokyo"
export KEY_ORG="heylinux.com"
export KEY_EMAIL="guosuiyu@gmail.com"
export KEY_OU="MyOrganizationalUnit"
...

执行vars文件使环境变量生效:
# source ./vars

NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys

6. 生成所需的各种证书文件
清除旧的证书:
# ./clean-all

生成服务器端CA证书,由于在vars文件中做过缺省设置,在出现交互界面时,直接一路回车即可:
# ./build-ca

Generating a 1024 bit RSA private key
..............................++++++
.....................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [JP]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [heylinux.com]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [heylinux.com CA]:
Name [EasyRSA]:
Email Address [guosuiyu@gmail.com]:

生成服务器证书,仍然是在出现交互界面时,直接一路回车,并在结尾询问[y/n]时输入y即可:
# ./build-key-server heylinux.com

Generating a 1024 bit RSA private key
............++++++
................++++++
writing new private key to 'heylinux.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [JP]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [heylinux.com]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [heylinux.com]:
Name [EasyRSA]:
Email Address [guosuiyu@gmail.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'JP'
localityName          :PRINTABLE:'Tokyo'
organizationName      :PRINTABLE:'heylinux.com'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'heylinux.com'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'guosuiyu@gmail.com'
Certificate is to be certified until Jan 26 09:49:38 2025 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

生成DH验证文件:
# ./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
................................+.............++*++*++*

生成TLS私密文件:
# cd keys
# openvpn --genkey --secret ta.key
# cd ..

生成客户端证书,例如eric与rainbow两个用户:
# ./build-key eric

Generating a 1024 bit RSA private key
.++++++
..........................................................................++++++
writing new private key to 'eric.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [JP]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [heylinux.com]:nginxs.com
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [eric]:
Name [EasyRSA]:
Email Address [guosuiyu@gmail.com]:eric@nginxs.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'JP'
localityName          :PRINTABLE:'Tokyo'
organizationName      :PRINTABLE:'nginxs.com'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'eric'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'eric@nginxs.com'
Certificate is to be certified until Jan 26 09:52:03 2025 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

# ./build-key rainbow

Generating a 1024 bit RSA private key
......................++++++
......................++++++
writing new private key to 'rainbow.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [JP]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [heylinux.com]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [rainbow]:
Name [EasyRSA]:
Email Address [guosuiyu@gmail.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'JP'
localityName          :PRINTABLE:'Tokyo'
organizationName      :PRINTABLE:'heylinux.com'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'rainbow'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'guosuiyu@gmail.com'
Certificate is to be certified until Jan 26 09:52:49 2025 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

7. 编辑服务器配置文件:
# vim /etc/openvpn/server.conf

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/heylinux.com.crt
key /etc/openvpn/easy-rsa/2.0/keys/heylinux.com.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.192.170.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 172.31.0.2"
push "dhcp-option DOMAIN-SEARCH ap-northeast-1.compute.internal"
push "dhcp-option DOMAIN-SEARCH ec2.drawbrid.ge"
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log
verb 3

注解:在以上配置文件中,
采用了udp协议,较tcp协议而言,在较差的网络情况下效果更好;
指定了ca, cert, key, dh等文件的具体路径;
分配了virtual IP地址段10.192.170.0给VPN客户端;
启用了ipp.txt作为客户端和virtual IP的对应表,以方便客户端重新连接可以获得同样的IP;
启用了redirect-gateway的push功能,这样客户端会在连接后默认设置为所有流量都经过服务器;
启用了dhcp-option的push功能,这样可以将EC2的默认DNS解析配置推送到客户端,并自动配置其DNS解析文件(如MacOS中的/etc/resolv.conf);
启用了client-to-client,使客户端之间能够直接通讯;
启用了nobody作为user和group来降低OpenVPN的执行用户权限;
启用了TLS认证;
启用了lzo压缩;
指定了独立的日志文件;

创建日志文件目录:
# mkdir -p /var/log/openvpn
# chown openvpn:openvpn /var/log/openvpn

8. 启动OpenVPN服务
# /etc/init.d/openvpn start
# chkconfig openvpn on

9. 配置服务器,开启NAT数据转发和相关端口
# vim /etc/sysctl.conf

...
net.ipv4.ip_forward = 1
...

# sysctl -p

# iptables -t nat -A POSTROUTING -s 10.192.170.0/24 -o eth0 -j MASQUERADE

# iptables -A INPUT -p udp --dport 1194 -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# /etc/init.d/iptables save
# /etc/init.d/iptables restart
# chkconfig iptables on
注意:如果使用的是云主机如EC2,端口过滤相关的配置则需要跳过,然后到Security Group中进行设置。

10. 配置OpenVPN客户端
将服务器端生成的相关证书统一复制到一处,如针对rainbow用户:
# mkdir -p /home/rainbow/tmp/openvpn_heylinux
# cd /home/rainbow/tmp/openvpn_heylinux
# cp -rpa /etc/openvpn/easy-rsa/2.0/keys/ta.key .
# cp -rpa /etc/openvpn/easy-rsa/2.0/keys/ca.crt .
# cp -rpa /etc/openvpn/easy-rsa/2.0/keys/rainbow.crt .
# cp -rpa /etc/openvpn/easy-rsa/2.0/keys/rainbow.key .

配置rainbow用户的ovpn配置文件:
# vim rainbow.ovpn

client
dev tun
proto udp
remote 54.238.131.140 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert rainbow.crt
key rainbow.key
remote-cert-tls server
tls-auth ta.key 1
comp-lzo
verb 3

将相关证书文件与ovpn配置打包:
# cd /home/rainbow/tmp
# tar cf openvpn_heylinux.tar openvpn_heylinux

将打包过后的openvpn_heylinux.tar下载到本地;

在Windows中,下载并安装OpenVPN Client:
下载地址:http://openvpn.net/index.php/download.html
然后将相关的证书文件和rainbow.ovpn配置放到C:/Program Files/OpenVPN/config目录下,到桌面双击OpenVPN图标并选择指定的选项即可;

在MacOS中,下载并安装Tunnelblick:
下载地址:https://code.google.com/p/tunnelblick/
然后,将openvpn_heylinux.tar解压并重命名为heylinux.com.tblk;
再通过Finder找到heylinux.com.tblk并双击即可;

11. 以下,是我在MacOS中成功连接后的相关截图:



12. 更简单容易的解决方案:https://www.digitalocean.com/community/tutorials/openvpn-access-server-centos

, , ,

No Comments

脚本分享 之 天朝全静态路由

背景介绍:
由于近期“伟大的墙”越来越坚固,很多人不得不用上了VPN。但在VPN连接状态下,我们访问国内网站的速度会受到影响,同时也会造成VPN流量的浪费。

有没有可能在系统中把所有天朝的静态路由都加上呢?这样,即使VPN连接状态下,所有的数据请求都会自动分流。
答案是可以的,因为在APNIC上可以获取到所有天朝的公网IP段,我统计了一下总共有4000多个IP段,于是我写了一个脚本将其全部取出再循环添加到系统中,用起来效果真的很不错。

脚本地址:https://github.com/mcsrainbow/shell-scripts/blob/master/scripts/smartroutes.sh

注意:目前我的脚本仅支持Mac OS X,如果想要运行在Linux上,需要做一些简单的修改。

操作示例:

[dong@Dong-MacBookPro scripts]$ sudo ./smartroutes.sh
Downloading the latest APNIC data as ./apnic.data...
######################################################################## 100.0%
Usage:
./smartroutes.sh {on|off|status}
./smartroutes.sh [force|exception] {on|off}

[dong@Dong-MacBookPro scripts]$ sudo ./smartroutes.sh on
Adding the routes... Done

[dong@Dong-MacBookPro scripts]$ netstat -rn | head -n 20
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.192.168.1       UGSc           23        2    ppp0
default            192.168.0.1        UGScI           1        0     en1
1.0.1/24           192.168.0.1        UGSc            0        0     en1
1.0.2/23           192.168.0.1        UGSc            0        0     en1
1.0.8/21           192.168.0.1        UGSc            0        0     en1
1.0.32/19          192.168.0.1        UGSc            0        0     en1
1.1/24             192.168.0.1        UGSc            0        0     en1
1.1.2/23           192.168.0.1        UGSc            0        0     en1
1.1.4/22           192.168.0.1        UGSc            0        0     en1
1.1.8/21           192.168.0.1        UGSc            0        0     en1
1.1.16/20          192.168.0.1        UGSc            0        0     en1
1.1.32/19          192.168.0.1        UGSc            0        0     en1
1.2/23             192.168.0.1        UGSc            0        0     en1
1.2.2/24           192.168.0.1        UGSc            0        0     en1
1.2.4/24           192.168.0.1        UGSc            0        0     en1
1.2.5/24           192.168.0.1        UGSc            0        0     en1

[dong@Dong-MacBookPro scripts]$ sudo ./smartroutes.sh off
Deleting the routes... Done

然后,可以分别通过 ip138.com 和 ifconfig.me 确认分流是否生效。

,

3 Comments

在CentOS 6上部署L2TP over IPSec VPN Server

参考资料:
https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_on_CentOS_-_Red_Hat_Enterprise_Linux_or_Scientific_-_Linux_6.html
http://www.stormacq.com/build-a-private-vpn-server-on-amazons-ec2/
http://www.esojourn.org/blog/post/setup-l2tp-vpn-server-with-ipsec-in-centos6.php?page=2&part=1

背景介绍:
近期,墙屏蔽了所有的Google服务,也加强了对翻墙工具的屏蔽,例如使用goagent和修改hosts的方法都很难奏效。
因为我一直使用着PPTP VPN,本以为可以高枕无忧了,结果可恶的中国电信竟对PPTP VPN协议开始了干扰,导致连接非常不稳定,频繁的断开。
这也促使了我在VPS再搭建一个L2TP over IPSec VPN的想法,以下便是我的整个安装与配置过程。

安装与配置:
环境介绍:
OS:CentOS 6.4 x86_64 Minimal

1. 修改 /etc/sysctl.conf,新增如下配置:
# vim /etc/sysctl.conf

# For xl2tpd
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

# sysctl -p

2. 安装EPEL扩展库
# yum install http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

3. 安装所需软件包
# yum install wget bind-utils lsof
# yum install openswan xl2tpd ppp
# yum downgrade openswan

4. 通过如下脚本完成配置文件的修改
# vim l2tpvpn.sh

#!/bin/sh

IPSEC_PSK=SharedSecret
#修改以上变量的值,作为共享密码

PRIVATE_IP=`wget -q -O - 'http://instance-data/latest/meta-data/local-ipv4'`
PUBLIC_IP=`wget -q -O - 'http://instance-data/latest/meta-data/public-ipv4'`
#修改以上变量的值,我通过命令来自动获取服务器的本地内网IP和公网IP,但仅适用于EC2

cat > /etc/ipsec.conf <<EOF
version 2.0

config setup
 dumpdir=/var/run/pluto/
 nat_traversal=yes
 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
 oe=off
 protostack=netkey
 nhelpers=0
 interfaces=%defaultroute
 plutostderrlog=/var/log/pluto.log

conn vpnpsk
 auto=add
 left=$PRIVATE_IP
 leftid=$PUBLIC_IP
 leftsubnet=$PRIVATE_IP/32
 leftnexthop=%defaultroute
 leftprotoport=17/1701
 rightprotoport=17/%any
 right=%any
 rightsubnetwithin=0.0.0.0/0
 forceencaps=yes
 authby=secret
 pfs=no
 type=transport
 auth=esp
 ike=3des-sha1
 phase2alg=3des-sha1
 dpddelay=30
 dpdtimeout=120
 dpdaction=clear
EOF

cat > /etc/ipsec.secrets <<EOF
$PUBLIC_IP %any : PSK "$IPSEC_PSK"
EOF

cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[global]
 port = 1701
 
 ;debug avp = yes
 ;debug network = yes
 ;debug state = yes
 ;debug tunnel = yes

[lns default]
 ip range = 10.192.169.10-10.192.169.250
 local ip = 10.192.169.1
 ;修改以上虚拟地址范围
 require chap = yes
 refuse pap = yes
 require authentication = yes
 name = l2tpd
 ;ppp debug = yes
 pppoptfile = /etc/ppp/options.xl2tpd
 length bit = yes
EOF

cat > /etc/ppp/options.xl2tpd <<EOF
ipcp-accept-local
ipcp-accept-remote
ms-dns 172.31.0.2
;修改以上DNS服务器
noccp
auth
crtscts
idle 1800
mtu 1280
mru 1280
lock
connect-delay 5000
EOF

# chmod +x l2tpvpn.sh
# ./l2tpvpn.sh

5. 配置用户名与密码
# vim /etc/ppp/chap-secrets

# 修改以下用户名与密码
# Secrets for authentication using CHAP
# client	server	  secret	IP addresses
"username"    *      "password"      * 

6. 编辑/etc/sysconfig/iptables(默认eth0为公网IP地址所在网口)
# vim /etc/sysconfig/iptables

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1194 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 1701 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 500 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 4500 -j ACCEPT
-A INPUT -s 10.192.169.0/255.255.255.0 -m state --state NEW -m tcp -p tcp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.192.169.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT

注解:在以上iptables脚本中,
对TCP端口1194放行;
对UDP端口1701,500,4500放行;
对整个PPTP VPN的局域网地址段10.192.169.0/24放行;
将整个PPTP VPN的局域网地址段10.192.169.0/24通过NAT映射到eth0网口,实现共享上网;

7. 启动相关服务,并设置为自动启动
# service ipsec restart
# service xl2tpd restart
# service iptables restart

# chkconfig ipsec on
# chkconfig xl2tpd on
# chkconfig iptables on

8. 结束

, , , ,

1 Comment