OpenVPN For Android实现手机刷Twitter
笔者有时候也会刷刷Twitter,或者上Facebook吹吹牛逼,目前的Android对于VPN支持实在是渣渣,用了很多免费的VPN方案都让人欲哭无泪。于是有了自己弄一套VPN的想法,以实现笔者刷刷Twitter,吹吹牛逼的梦想!
基本配置:
1、服务器一台(位于美帝的洛杉矶),CentOS5 64bit,编译安装OpenVPN Server v2.3.4
2、Android手机一部(酷派,android4.2,VPN在Android4.0以上,依赖Google提供的VPNService服务,无需root),安装Ics-OpenVPN(OpenVPN的Android版本)
基本网络拓扑图:
Server配置:
#Set OpenVPN major mode. By default, OpenVPN runs in point-to-point mode ("p2p"). OpenVPN 2.0 introduces a new mode ("server") which impl#ements a multi-client server capability.
#mode server
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
duplicate-cn
#listen on IPv4
local 0.0.0.0
#we use a non-default port
port 11194
#UDP protocol chosen for better protection against DoS attacks and port scanning
proto tcp
#using routed IP tunnel
dev tun
#relative paths to keys and certificates
ca /usr/local/openvpn/easy-rsa/keys/ca.crt
cert /usr/local/openvpn/easy-rsa/keys/server.crt
key /usr/local/openvpn/easy-rsa/keys/server.key
dh /usr/local/openvpn/easy-rsa/keys/dh1024.pem
#set OpenVPN subnet
server 10.6.0.0 255.255.0.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
#for route stunnel from gateway directly
push "route your server IP 255.255.255.255 net_gateway"
#maintain a record of client-to-virtual-IP-address
ifconfig-pool-persist ipp.txt
#ping every 10 seconds, assume that remote peer is down if no ping received during 60
keepalive 10 60
#cryptographic cipher, must be the same (copied) on the client config file as well
cipher AES-256-CBC
#enable compression on VPN link
comp-lzo
max-clients 500
#try to preserve some state across restarts
persist-key
persist-tun
#status log file
status /usr/local/openvpn/conf/openvpn-status.log
#log file
#log-append /usr/local/openvpn/conf/openvpn.log
#log file verbosity
verb 3Client配置:
client dev tun proto tcp remote your vpn server IP 11194 resolv-retry infinite nobind persist-key persist-tun mute-replay-warnings ns-cert-type server cipher AES-256-CBC comp-lzo verb 3 #tun-mtu 1500 #tun-mtu-extra 32 #fragment 1450 #mssfix <ca> -----BEGIN CERTIFICATE----- CA -----END CERTIFICATE----- </ca> <cert> -----BEGIN CERTIFICATE----- CERTIFICATE -----END CERTIFICATE----- </cert> <key> -----BEGIN PRIVATE KEY----- PRIVATE KEY -----END PRIVATE KEY----- </key>
关于Openvpn的安装,以及CA等证书的生成操作可参考网络相关资料,不再赘述。
这里重点说明一点,服务端配置要加上:
push "redirect-gateway def1" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1"将修改Android路由,重定向所有web流量至vpn,默认只定向vpn私网段的流量,这里是10.6.0.0/16。
后面两条配置是修改客户端dns为google public dns,切记!
好了,我们连上vpn后,打开浏览器浏览看看,貌似和我们想的不太一样,还是不能愉快的刷facebook,经常断?经常连不上?于是乎,又开始了漫长的Google之旅,大致找到原因,因为GFW~~~,据说采用了新的DPI牛逼技术,可以探测OpenVPN的连接握手过程,并采用终极大招,将连接重置,于是乎就悲剧了,还是不能愉快的玩耍!
好吧,继续下一招,采用stunnel来封装openvpn tunnel,说白了就是再加上一层保险,让Openvpn的流量看起来更像普通的SSL连接,以不那么容易被识别。
笔者采用的stunnel客户端版本为stunnel 5.06 on arm-unknown-linux-androideabi platform。
Stunnel服务端配置:
sslVersion = all options = -NO_SSLv2 options = -NO_SSLv3 cert = /etc/stunnel/server.pem pid = /var/run/stunnel.pid output = /var/log/stunnel ;debug = 7 ;foreground = yes [openvpn] client = no accept=993 connect=11194
Stunnel客户端配置:
debug = 7 foreground = yes [openvpn] client = yes accept = 127.0.0.1:1194 connect = your vpn server IP:993
好了,大功告成,终于可以愉快的玩耍了!另外,针对OpenVPN对于Http URL级别的过滤机制不完善(也很正常,毕竟VPN是个IP层面的东西,都是IP,没有什么URL),笔者也做了测试,可以通过Squid透明代理来在服务端实现基于URL的过滤机制,毕竟咱捣鼓这玩意只是自己玩玩,被用来上那些什么非法网站就不好了。
另外,服务端的iptables需要做NAT,附上:
-A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j DNAT --to-destination your server IP:8080 -A POSTROUTING -s 10.6.0.0/255.255.0.0 -o eth0 -j MASQUERADE -A POSTROUTING -s 10.6.0.0/255.255.0.0 -j SNAT --to-source your server IP
好了,开始愉快的玩耍了
申明:本文仅限于技术研究之目的,请勿用于其他目的,转载请注明来源!
郑重声明:本站内容如果来自互联网及其他传播媒体,其版权均属原媒体及文章作者所有。转载目的在于传递更多信息及用于网络分享,并不代表本站赞同其观点和对其真实性负责,也不构成任何其他建议。
