
OpenVPN for Android: browsing Twitter from a phone

     I sometimes browse Twitter, or go on Facebook to shoot the breeze. Android's VPN support is currently pretty poor, and the many free VPN options I tried left me close to tears. So I had the idea of setting up a VPN of my own, to fulfil my dream of browsing Twitter and shooting the breeze!

     Basic setup:

    1. One server (in Los Angeles, USA), CentOS 5 64-bit, with OpenVPN Server v2.3.4 compiled and installed from source

    2. One Android phone (Coolpad, Android 4.2; on Android 4.0 and later a VPN app uses the VpnService API provided by Google, so no root is needed), with Ics-OpenVPN (the Android port of OpenVPN) installed

    Basic network topology diagram:

    

    Server configuration:

# Set the OpenVPN major mode. By default OpenVPN runs in point-to-point mode ("p2p").
# OpenVPN 2.0 introduced a new mode ("server") which implements a multi-client server.
# The "server" directive below already implies "mode server", so this stays commented.
#mode server
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE.
# Caveat: with duplicate-cn a single leaked client certificate works from any number
# of devices at once, and you cannot revoke one phone without revoking all of them.
duplicate-cn

#listen on all IPv4 addresses
local 0.0.0.0

#we use a non-default port
port 11194

# TCP rather than UDP. UDP would normally be preferred (better protection against DoS
# and port scanning, and no TCP-over-TCP retransmission stalls), but the tunnel is
# later wrapped in stunnel, which only carries TCP streams.
proto tcp

#using routed IP tunnel
dev tun


#absolute paths to keys and certificates
ca /usr/local/openvpn/easy-rsa/keys/ca.crt
cert /usr/local/openvpn/easy-rsa/keys/server.crt
key /usr/local/openvpn/easy-rsa/keys/server.key
# 1024-bit DH parameters are considered weak today; generate at least 2048 bits
# (openssl dhparam -out dh2048.pem 2048) and point this directive at that file.
dh /usr/local/openvpn/easy-rsa/keys/dh1024.pem

#set OpenVPN subnet
server 10.6.0.0 255.255.0.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

# Route the stunnel stream to the server via the original gateway. When the client
# reaches OpenVPN through a local stunnel, OpenVPN's "remote" is 127.0.0.1, so it
# does not add its usual host route to the real server address. Without this push,
# redirect-gateway would send the outer TLS stream into the tunnel itself.
push "route your server IP 255.255.255.255 net_gateway"

#maintain a record of client-to-virtual-IP-address assignments
ifconfig-pool-persist ipp.txt

#ping every 10 seconds, assume the remote peer is down if no ping is received for 60
keepalive 10 60

#cryptographic cipher, must be the same (copied) in the client config file as well
cipher AES-256-CBC

#enable compression on the VPN link
# Caveat: compressing a link that carries TLS sessions enables compression-oracle
# attacks (VORACLE, 2018); current guidance is to leave compression off.
comp-lzo

max-clients 500

#try to preserve some state across restarts
persist-key
persist-tun

#status log file
status /usr/local/openvpn/conf/openvpn-status.log

#log file
#log-append /usr/local/openvpn/conf/openvpn.log

#log file verbosity
verb 3

    Client configuration:
client
dev tun
proto tcp
# Direct connection. Once the stunnel wrapper described below is in place, the
# OpenVPN client instead connects to the local stunnel listener:
#   remote 127.0.0.1 1194
remote your vpn server IP 11194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
# Requires the nsCertType=server extension in the server certificate (set by
# easy-rsa 2's build-key-server). Newer OpenVPN releases replace this directive
# with "remote-cert-tls server", which checks the extended key usage instead.
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3

#tun-mtu 1500
#tun-mtu-extra 32
#fragment 1450
#mssfix 

<ca>
-----BEGIN CERTIFICATE-----
CA
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
CERTIFICATE
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
PRIVATE KEY
-----END PRIVATE KEY-----
</key>

Installing OpenVPN and generating the CA and certificates is covered by plenty of material online and is not repeated here.

One point deserves emphasis: the server configuration must include:

push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

push "redirect-gateway def1" rewrites the Android routing table so that all traffic, not just web traffic, goes through the VPN; by default only traffic for the VPN's private subnet, 10.6.0.0/16 here, is routed into the tunnel. The def1 flag does this without deleting the existing default route: it adds two more specific routes, 0.0.0.0/1 and 128.0.0.0/1, via the tunnel, which win over the default route for every destination and disappear cleanly when the tunnel goes down.

The two dhcp-option lines set the client's DNS to Google Public DNS. Don't forget them: without a pushed DNS the phone keeps using the resolver it got from the local network, so name lookups leave the tunnel in the clear and can be blocked or poisoned even though the rest of the traffic is protected.
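The routing effect of redirect-gateway def1, and of the pushed host route for the server, can be checked without a phone. The following is an added example, not code from the original post or from OpenVPN: it models a client routing table as a list of prefixes and applies longest-prefix matching the way the kernel does. The addresses are assumptions (phone on 192.168.1.0/24 behind gateway 192.168.1.1, VPN server at the documentation address 203.0.113.10, tunnel gateway 10.6.0.1 on tun0); the `push_server_host_route` switch models the `push "route your server IP 255.255.255.255 net_gateway"` line from the server config.

```python
import ipaddress

# Constructed example; all addresses are assumptions, not the original post's values.
SERVER_IP = "203.0.113.10"   # VPN server, reachable only via the original gateway
LOCAL_GW = "192.168.1.1"     # Wi-Fi gateway the phone had before connecting
VPN_GW = "10.6.0.1"          # tunnel gateway pushed by "server 10.6.0.0 255.255.0.0"


def base_routes():
    """Routing table before OpenVPN connects: the Wi-Fi LAN and its default route.

    Each route is (prefix, gateway or None for on-link, interface)."""
    return [
        ("0.0.0.0/0", LOCAL_GW, "wlan0"),
        ("192.168.1.0/24", None, "wlan0"),
    ]


def apply_redirect_gateway_def1(routes, push_server_host_route=True):
    """Routes OpenVPN adds for `push "redirect-gateway def1"` plus the VPN subnet.

    def1 never removes the default route. It adds 0.0.0.0/1 and 128.0.0.0/1 via the
    tunnel; both are more specific than /0, so they win for every destination.
    push_server_host_route models the extra `push "route <server> 255.255.255.255
    net_gateway"` needed when OpenVPN sits behind a local stunnel and only knows
    127.0.0.1 as its peer, so it cannot add that host route by itself.
    """
    table = list(routes) + [
        ("10.6.0.0/16", None, "tun0"),
        ("0.0.0.0/1", VPN_GW, "tun0"),
        ("128.0.0.0/1", VPN_GW, "tun0"),
    ]
    if push_server_host_route:
        table.append((SERVER_IP + "/32", LOCAL_GW, "wlan0"))
    return table


def lookup(routes, dst):
    """Longest-prefix match, the rule the kernel applies; returns the egress interface."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, _gw, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


if __name__ == "__main__":
    before = base_routes()
    after = apply_redirect_gateway_def1(before)
    for dst in ("198.51.100.7", SERVER_IP, "10.6.0.5", "192.168.1.50"):
        print(f"{dst:15} before={lookup(before, dst):6} after={lookup(after, dst)}")
    # Without the pushed host route the outer stunnel stream to the server is itself
    # matched by 128.0.0.0/1 and sent into the tunnel: a routing loop.
    print("server without host route ->",
          lookup(apply_redirect_gateway_def1(before, False), SERVER_IP))
```

The last line is the case that matters for the stunnel setup later on: with the host route, the server address still leaves via wlan0 while everything else goes through tun0; without it the tunnel would try to carry its own transport.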

Right, so we connect to the VPN, open the browser and take a look, and it is not quite what we hoped: still no happy Facebook browsing, frequent disconnects, frequent failures to connect. So began another long trip through Google, and the cause was roughly found: the GFW. It is said to use new DPI techniques that can detect the OpenVPN connection handshake, after which it plays its trump card and resets the connection. Tragedy: still no fun.

    Fine, on to the next trick: wrap the OpenVPN tunnel in stunnel. Put plainly, this adds one more layer of protection, so that the OpenVPN traffic looks more like an ordinary SSL/TLS connection and is not so easily identified. Bare OpenVPN over TCP starts every connection with the same recognisable framing (a two-byte length prefix followed by a control opcode), whereas inside stunnel the first thing on the wire is a standard TLS ClientHello to port 993, the port normally used for IMAPS. This is camouflage rather than a guarantee: a DPI box that fingerprints TLS clients or flow timing can still single the session out.

The stunnel client version I used was stunnel 5.06 on the arm-unknown-linux-androideabi platform.

stunnel server configuration:
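To make concrete what the DPI box is keying on, here is an added example (not code from the original post, from OpenVPN or from stunnel): it builds the bare OpenVPN-over-TCP first packet using the control-channel layout from OpenVPN's protocol (length prefix, opcode/key-id byte with P_CONTROL_HARD_RESET_CLIENT_V2 = 7, 8-byte session id, empty ack array, message packet id), builds a constructed minimal TLS ClientHello record of the kind stunnel would send instead, and runs a toy first-bytes classifier over both. The classifier is an illustration of the technique, not the GFW's actual logic, which is not public.

```python
import struct

# Control-channel opcode from OpenVPN's ssl.h. On the wire the first byte of a
# control packet is (opcode << 3) | key_id.
P_CONTROL_HARD_RESET_CLIENT_V2 = 7


def openvpn_tcp_hard_reset_client(session_id: bytes, key_id: int = 0) -> bytes:
    """Bare OpenVPN-over-TCP first packet (P_CONTROL_HARD_RESET_CLIENT_V2, no tls-auth).

    Layout: 2-byte big-endian length, opcode/key_id byte, 8-byte session id,
    1-byte ack-array length (0), 4-byte message packet id (0). Every plain
    OpenVPN TCP session therefore opens with the bytes 00 0e 38.
    """
    assert len(session_id) == 8
    body = (bytes([(P_CONTROL_HARD_RESET_CLIENT_V2 << 3) | key_id])
            + session_id + b"\x00" + struct.pack("!I", 0))
    return struct.pack("!H", len(body)) + body


def tls_client_hello_stub(client_random: bytes = bytes(32)) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record: what the DPI box sees from stunnel.

    One cipher suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0xC02F), no extensions.
    """
    assert len(client_random) == 32
    hello = (b"\x03\x03" + client_random + b"\x00"   # version, random, empty session id
             + b"\x00\x02\xc0\x2f"                     # cipher suites
             + b"\x01\x00")                            # compression methods: null only
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello   # type 1 = ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def classify_first_bytes(data: bytes) -> str:
    """Toy DPI classifier over the first bytes a client sends on a new TCP connection."""
    # TLS: record type 0x16 (handshake), version 3.x, handshake type 1 (ClientHello).
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] in (1, 2, 3) and data[5] == 0x01):
        return "tls-clienthello"
    # OpenVPN TCP framing: a length prefix that matches the payload, then a
    # hard-reset opcode in the top five bits of the next byte.
    if len(data) >= 3:
        (plen,) = struct.unpack("!H", data[:2])
        opcode = data[2] >> 3
        if plen == len(data) - 2 and opcode == P_CONTROL_HARD_RESET_CLIENT_V2:
            return "openvpn-tcp-handshake"
    return "unknown"


if __name__ == "__main__":
    bare = openvpn_tcp_hard_reset_client(b"\x01\x02\x03\x04\x05\x06\x07\x08")
    print(bare.hex(), "->", classify_first_bytes(bare))
    wrapped = tls_client_hello_stub()
    print(wrapped[:6].hex(), "->", classify_first_bytes(wrapped))
    print(classify_first_bytes(b"GET / HTTP/1.1\r\n"))
```

The point of the comparison: the OpenVPN handshake is identifiable from its first three bytes regardless of the port, while the stunnel-wrapped session presents nothing but a TLS ClientHello, which the classifier cannot tell apart from a mail client connecting to IMAPS.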

sslVersion = all
; "options = X" sets an OpenSSL option; prefixing the name with a dash clears it
; instead, so "-NO_SSLv2" would re-enable SSLv2. To disable SSLv2 and SSLv3:
options = NO_SSLv2
options = NO_SSLv3
cert = /etc/stunnel/server.pem
pid = /var/run/stunnel.pid
output = /var/log/stunnel
;debug = 7
;foreground = yes
[openvpn]
client = no
; listen on the IMAPS port and hand the decrypted stream to OpenVPN on 11194
accept=993
connect=11194

stunnel client configuration:
debug = 7
foreground = yes
[openvpn]
client = yes
; local listener the OpenVPN client connects to ("remote 127.0.0.1 1194")
accept = 127.0.0.1:1194
connect = your vpn server IP:993
; stunnel does not verify the server certificate unless told to, e.g.
;   verify = 2
;   CAfile = /path/to/your/ca.pem
; The OpenVPN session inside still authenticates the server against its own CA,
; so the outer TLS layer is camouflage rather than the trust boundary.


Done at last; time to enjoy it. One more thing: OpenVPN offers no HTTP URL-level filtering (which is only natural, since a VPN works at the IP layer, where everything is just IP and there are no URLs). I tested this as well, and URL-based filtering can be implemented on the server with a Squid transparent proxy. After all, this is only for my own use, and it would be bad if it were used to reach illegal sites.

Also, the server's iptables needs NAT rules; here they are (nat table, in iptables-save format). IP forwarding must be enabled as well (sysctl -w net.ipv4.ip_forward=1), and note that the DNAT rule only diverts plain HTTP on port 80 to Squid, so the URL filtering never sees HTTPS traffic:

# send VPN clients' plain HTTP to the transparent Squid on port 8080
-A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j DNAT --to-destination your server IP:8080
# source-NAT the VPN subnet behind the server's public address on eth0
-A POSTROUTING -s 10.6.0.0/255.255.0.0 -o eth0 -j MASQUERADE
# catch-all for VPN traffic leaving via any other interface (eth0 is already handled above)
-A POSTROUTING -s 10.6.0.0/255.255.0.0 -j SNAT --to-source your server IP

Alright, time to enjoy it!

Disclaimer: this article is for technical research purposes only; do not use it for any other purpose. When reposting, please credit the source!