OpenVPN For Android實現手機刷Twitter
筆者有時候也會刷刷Twitter,或者上Facebook吹吹牛逼,目前的Android對於VPN支援實在是渣渣,用了很多免費的VPN方案都讓人慾哭無淚。於是有了自己弄一套VPN的想法,以實現筆者刷刷Twitter,吹吹牛逼的夢想!
基本配置:
1、伺服器一臺(位於美帝的洛杉磯),CentOS5 64bit,編譯安裝OpenVPN Server v2.3.4
2、Android手機一部(酷派,android4.2,VPN在Android4.0以上,依賴Google提供的VPNService服務,無需root),安裝Ics-OpenVPN(OpenVPN的Android版本)
基本網路拓撲圖:
Server配置:
#Set OpenVPN major mode. By default, OpenVPN runs in point-to-point mode ("p2p"). OpenVPN 2.0 introduces a new mode ("server") which impl#ements a multi-client server capability. #mode server # IF YOU HAVE NOT GENERATED INDIVIDUAL # CERTIFICATE/KEY PAIRS FOR EACH CLIENT, # EACH HAVING ITS OWN UNIQUE "COMMON NAME", # UNCOMMENT THIS LINE OUT. duplicate-cn #listen on IPv4 local 0.0.0.0 #we use a non-default port port 11194 #UDP protocol chosen for better protection against DoS attacks and port scanning proto tcp #using routed IP tunnel dev tun #relative paths to keys and certificates ca /usr/local/openvpn/easy-rsa/keys/ca.crt cert /usr/local/openvpn/easy-rsa/keys/server.crt key /usr/local/openvpn/easy-rsa/keys/server.key dh /usr/local/openvpn/easy-rsa/keys/dh1024.pem #set OpenVPN subnet server 10.6.0.0 255.255.0.0 push "redirect-gateway def1" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" #for route stunnel from gateway directly push "route your server IP 255.255.255.255 net_gateway" #maintain a record of client-to-virtual-IP-address ifconfig-pool-persist ipp.txt #ping every 10 seconds, assume that remote peer is down if no ping received during 60 keepalive 10 60 #cryptographic cipher, must be the same (copied) on the client config file as well cipher AES-256-CBC #enable compression on VPN link comp-lzo max-clients 500 #try to preserve some state across restarts persist-key persist-tun #status log file status /usr/local/openvpn/conf/openvpn-status.log #log file #log-append /usr/local/openvpn/conf/openvpn.log #log file verbosity verb 3
Client配置:
client dev tun proto tcp remote your vpn server IP 11194 resolv-retry infinite nobind persist-key persist-tun mute-replay-warnings ns-cert-type server cipher AES-256-CBC comp-lzo verb 3 #tun-mtu 1500 #tun-mtu-extra 32 #fragment 1450 #mssfix <ca> -----BEGIN CERTIFICATE----- CA -----END CERTIFICATE----- </ca> <cert> -----BEGIN CERTIFICATE----- CERTIFICATE -----END CERTIFICATE----- </cert> <key> -----BEGIN PRIVATE KEY----- PRIVATE KEY -----END PRIVATE KEY----- </key>
關於Openvpn的安裝,以及CA等證書的生成操作可參考網路相關資料,不再贅述。
這裡重點說明一點,服務端配置要加上:
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1"將修改Android路由,重定向所有web流量至vpn,預設只定向vpn私網段的流量,這裡是10.6.0.0/16。
後面兩條配置是修改客戶端dns為google public dns,切記!
好了,我們連上vpn後,開啟瀏覽器瀏覽看看,貌似和我們想的不太一樣,還是不能愉快的刷facebook,經常斷?經常連不上?於是乎,又開始了漫長的Google之旅,大致找到原因,因為GFW~~~,據說採用了新的DPI牛逼技術,可以探測OpenVPN的連線握手過程,並採用終極大招,將連線重置,於是乎就悲劇了,還是不能愉快的玩耍!
好吧,繼續下一招,採用stunnel來封裝openvpn tunnel,說白了就是再加上一層保險,讓Openvpn的流量看起來更像普通的SSL連線,以不那麼容易被識別。
筆者採用的stunnel客戶端版本為stunnel 5.06 on arm-unknown-linux-androideabi platform。
Stunnel服務端配置:
sslVersion = all
options = -NO_SSLv2
options = -NO_SSLv3
cert = /etc/stunnel/server.pem
pid = /var/run/stunnel.pid
output = /var/log/stunnel
;debug = 7
;foreground = yes
[openvpn]
client = no
accept=993
connect=11194
Stunnel客戶端配置:
debug = 7
foreground = yes
[openvpn]
client = yes
accept = 127.0.0.1:1194
connect = your vpn server IP:993
好了,大功告成,終於可以愉快的玩耍了!另外,針對OpenVPN對於Http URL級別的過濾機制不完善(也很正常,畢竟VPN是個IP層面的東西,都是IP,沒有什麼URL),筆者也做了測試,可以通過Squid透明代理來在服務端實現基於URL的過濾機制,畢竟咱搗鼓這玩意只是自己玩玩,被用來上那些什麼非法網站就不好了。
另外,服務端的iptables需要做NAT,附上:
-A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j DNAT --to-destination your server IP:8080
-A POSTROUTING -s 10.6.0.0/255.255.0.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.6.0.0/255.255.0.0 -j SNAT --to-source your server IP
好了,開始愉快的玩耍了
申明:本文僅限於技術研究之目的,請勿用於其他目的,轉載請註明來源!