Author: chocli   Source: http://docs.google.com/View?id=dgbsbz6v_854htzfcj
Study notes: getting over the wall with a VPS, 1-2-3
The content below draws on articles by many predecessors; I did not note down the sources while learning, so I cannot thank them one by one here, for which I apologise. This text may be freely modified and redistributed. I take no responsibility whatsoever for the consequences of using it; I only guarantee that it works in my own test environment.
Contents
Install OpenVPN
Generate the OpenVPN config files
Install and configure the HTTP proxy (squid)
Install the DNS proxy (dnsmasq)
iptables setup
PC client
WM client

Install OpenVPN
I recommend Bitvise Tunnelier for the SSH connection: it saves accounts conveniently and comes with SFTP for secure file transfer.
Installation environment: CentOS 5.4 x86
Virtualization: OpenVZ
# rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm
# yum -y install openvpn
Copy the certificate generation scripts
# cp -R /usr/share/openvpn/easy-rsa /etc/openvpn/
# cd /etc/openvpn/easy-rsa/2.0
Generate the certificates
# vi vars
# Edit the following to suit yourself; if you are not comfortable with vi, you can also fetch /etc/openvpn/easy-rsa/2.0/vars to your own machine over SFTP, edit it there and upload it back
export KEY_EXPIRE=3650 # validity period of the generated certificates, default 3650 days
export KEY_COUNTRY="US" # country
export KEY_PROVINCE="CA" # state or province
export KEY_CITY="SanFrancisco" # city
export KEY_ORG="Fort-Funston" # organization name
export KEY_EMAIL="me@myhost.mydomain" # e-mail address
# . vars
Note that there is a space between the dot and vars
# ./clean-all
# ./build-ca server
This step generates the CA certificate; normally it prints the following:
Generating a 1024 bit RSA private key
.............++++++
.........................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:[just press Enter here]
State or Province Name (full name) [CA]:[just press Enter here]
Locality Name (eg, city) [SanFrancisco]:[just press Enter here]
Organization Name (eg, company) [Fort-Funston]:[just press Enter here]
Organizational Unit Name (eg, section) []:[just press Enter here]
Common Name (eg, your name or your server's hostname) [server]:[just press Enter here]
Name []:[just press Enter here]
Email Address [me@myhost.mydomain]:[just press Enter here]
# ./build-key-server server
This step generates the server certificate; normally it prints the following:
Generating a 1024 bit RSA private key
.......++++++
.......++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:[just press Enter here]
State or Province Name (full name) [CA]:[just press Enter here]
Locality Name (eg, city) [SanFrancisco]:[just press Enter here]
Organization Name (eg, company) [Fort-Funston]:[just press Enter here]
Organizational Unit Name (eg, section) []:[just press Enter here]
Common Name (eg, your name or your server's hostname) [server]:[just press Enter here]
Name []:[just press Enter here]
Email Address [me@myhost.mydomain]:[just press Enter here]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[enter a complex password here, then press Enter]
An optional company name []:[just press Enter here]
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'Fort-Funston'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Mar 30 01:28:56 2020 GMT (3650 days)
Sign the certificate? [y/n]:[type y here, then press Enter]
1 out of 1 certificate requests certified, commit? [y/n][type y here, then press Enter]
Write out database with 1 new entries
Data Base Updated
# ./build-key client01
This step generates a client certificate; normally it prints the following:
Generating a 1024 bit RSA private key
..............++++++
.........................++++++
writing new private key to 'client01.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:[just press Enter here]
State or Province Name (full name) [CA]:[just press Enter here]
Locality Name (eg, city) [SanFrancisco]:[just press Enter here]
Organization Name (eg, company) [Fort-Funston]:[just press Enter here]
Organizational Unit Name (eg, section) []:[just press Enter here]
Common Name (eg, your name or your server's hostname) [client01]:[just press Enter here]
Name []:[just press Enter here]
Email Address [me@myhost.mydomain]:[just press Enter here]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[enter a complex password here, then press Enter]
An optional company name []:[just press Enter here]
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'Fort-Funston'
commonName :PRINTABLE:'client01'
emailAddress :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Apr 2 01:19:58 2011 GMT (365 days)
Sign the certificate? [y/n]:[type y here, then press Enter]
1 out of 1 certificate requests certified, commit? [y/n][type y here, then press Enter]
Write out database with 1 new entries
Data Base Updated
# ./build-dh
To generate more certificates, run # ./build-key client02, # ./build-key client03 …
Also, if you later need more client certificates so that more people can use the VPN, log in over SSH and run # cd /etc/openvpn/easy-rsa/2.0, # . vars, # ./build-key client**
# cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /etc/openvpn/ca.crt
# cp /etc/openvpn/easy-rsa/2.0/keys/server.crt /etc/openvpn/server.crt
# cp /etc/openvpn/easy-rsa/2.0/keys/server.key /etc/openvpn/server.key
# cp /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem /etc/openvpn/dh1024.pem
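Before copying the files into /etc/openvpn it is worth confirming that what easy-rsa produced actually fits together: the server certificate chains to ca.crt, server.key belongs to server.crt, nothing is about to expire (note that client01 above was signed for 365 days, not 3650), and the private keys are not world-readable. The script below is an added example, not part of the original notes or of easy-rsa; it assumes the easy-rsa 2.0 layout used above (ca.crt, server.crt, server.key and clientNN.crt/clientNN.key in one directory), the openssl command line, and a GNU or BusyBox stat for the permission check.

```shell
#!/bin/sh
# Added example (not from the original notes): sanity-check the easy-rsa 2.0 keys directory
# before the cp commands above. Assumes ca.crt plus <name>.crt / <name>.key in one directory.

# 0 when <name>.crt was signed by ca.crt, 1 otherwise.
pki_chain_ok() {                      # $1 = keys dir, $2 = name (server, client01, ...)
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# 0 when <name>.key and <name>.crt carry the same RSA modulus, i.e. belong together.
pki_key_matches() {                   # $1 = keys dir, $2 = name
    local cert_mod key_mod
    cert_mod=$(openssl x509 -noout -modulus -in "$1/$2.crt" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$1/$2.key" 2>/dev/null) || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# 0 when <name>.crt is still valid $3 days from now (default 30).
pki_not_expiring() {                  # $1 = keys dir, $2 = name, $3 = days (optional)
    openssl x509 -noout -checkend "$(( ${3:-30} * 86400 ))" -in "$1/$2.crt" >/dev/null 2>&1
}

# 0 when <name>.key is readable by its owner only (mode 0600 or 0400); uses GNU/BusyBox stat.
pki_key_private() {                   # $1 = keys dir, $2 = name
    local mode
    mode=$(stat -c '%a' "$1/$2.key" 2>/dev/null) || return 1
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Run every check for one identity, print one verdict per check, return 0 only if all pass.
pki_check() {                         # $1 = keys dir, $2 = name
    local dir=$1 name=$2 rc=0 fn
    for fn in pki_chain_ok pki_key_matches pki_not_expiring pki_key_private; do
        if "$fn" "$dir" "$name"; then
            echo "ok   $fn $name"
        else
            echo "FAIL $fn $name"
            rc=1
        fi
    done
    return $rc
}

# On the VPS, after the build-* steps above:
#   pki_check /etc/openvpn/easy-rsa/2.0/keys server
#   pki_check /etc/openvpn/easy-rsa/2.0/keys client01
```

A FAIL from pki_not_expiring on a client is the early warning for the 365-day expiry shown in the build-key output; a FAIL from pki_key_private means the key was left readable by every local account and should be chmod 600 before it is copied anywhere.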
Generate the OpenVPN config files
# vi /etc/openvpn/server_49775.conf
# The following is my own config file; adapt it to your needs, and see the OpenVPN documentation for details
local *.*.*.* # IP address of the server; if the server has several IP addresses, only the one entered here can be used for VPN connections. This line can be omitted
port 49775 # port
proto udp # connect over UDP
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
server 172.16.1.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp_server_49775.txt # record the IP assignments in a text file so that each client gets the same IP address on every connection
push "redirect-gateway def1" # once the VPN is up, all client traffic goes through the VPN
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
user nobody
group nobody
comp-lzo
persist-key
persist-tun
verb 3
# vi /etc/openvpn/server_49776.conf
# My config file for the VPN on port 49776; it differs from the previous one in that the VPN only serves as an encrypted channel between client and server, for reaching the HTTP proxy on the server securely
local *.*.*.*
port 49776
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
server 172.16.2.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp_server_49776.txt
push "route 172.16.2.0 255.255.255.0"
keepalive 10 120
user nobody
group nobody
comp-lzo
persist-key
persist-tun
status /etc/openvpn/server_49776.log
verb 3
# vi /etc/openvpn/server_49777.conf
# My config file for the VPN on port 49777; basically the same as the first one, used by the WM phone for getting over the wall
local *.*.*.*
port 49777
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
server 172.16.3.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp_server_49777.txt
push "dhcp-option DNS 172.16.3.1" # DNS lookups on the WM phone are odd: after the VPN is up it still resolves over the phone network, so DNS poisoning remains a problem
keepalive 20 120 # a longer keepalive interval saves battery
user nobody
group nobody
comp-lzo
persist-key
persist-tun
status /etc/openvpn/server_49777.log
verb 3
Start the OpenVPN service and make it start automatically
# /etc/init.d/openvpn restart
If this step fails, check the config files. Also, use the following command to check whether the tun/tap device is enabled
# cat /dev/net/tun
If it prints cat: /dev/net/tun: File descriptor in bad state, the tun device is enabled;
if it prints cat: /dev/net/tun: No such device, send a ticket to the provider's support and ask for tun/tap to be enabled
# chkconfig --add openvpn
# chkconfig openvpn on
Enable IP forwarding
# vi /etc/sysctl.conf
# find net.ipv4.ip_forward and change the 0 after the equals sign to 1
net.ipv4.ip_forward = 1 # initial value is 0
# sysctl -p
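The three checks just described (tun device, config files, ip_forward) are easy to forget after the next reinstall, so here they are as one pre-flight script. This is an added example, not part of the original notes; it assumes the config syntax and default paths used above (/etc/sysctl.conf, /etc/openvpn/server_*.conf, /dev/net/tun) and that the two cat messages quoted above are the ones the VPS produces. It also verifies that each config drops to an unprivileged user and group, which the configs above do with user nobody / group nobody.

```shell
#!/bin/sh
# Added example (not from the original notes): a pre-flight check for the OpenVPN server.
# Paths are parameters so the checks can also run against copies of the files; defaults are
# the paths used in these notes.

# Classify the error text `cat /dev/net/tun` prints: "enabled", "missing" or "unknown".
# The two messages are the ones quoted above.
tun_classify() {                           # $1 = text printed by cat
    case $1 in
        *"File descriptor in bad state"*) echo enabled ;;
        *"No such device"*|*"No such file or directory"*) echo missing ;;
        *) echo unknown ;;
    esac
}

# 0 when the tun device on this host is usable, 1 otherwise.
tun_check() {                              # $1 = device path (default /dev/net/tun)
    local msg
    msg=$(cat "${1:-/dev/net/tun}" 2>&1 </dev/null) || true
    [ "$(tun_classify "$msg")" = enabled ]
}

# 0 when every file named by ca/cert/key/dh in the server config exists and is readable.
conf_files_exist() {                       # $1 = server config path
    local conf=$1 rc=0 directive path rest
    while read -r directive path rest; do
        case $directive in
            ca|cert|key|dh)
                if [ ! -r "$path" ]; then
                    echo "FAIL $conf: $directive $path is missing or unreadable"; rc=1
                fi ;;
        esac
    done < "$conf"
    return $rc
}

# 0 when the config drops root after start-up: user and group both set and neither is root.
conf_drops_privs() {                       # $1 = server config path
    local u g
    u=$(awk '$1 == "user"  { print $2 }' "$1")
    g=$(awk '$1 == "group" { print $2 }' "$1")
    [ -n "$u" ] && [ -n "$g" ] && [ "$u" != root ] && [ "$g" != root ]
}

# 0 when net.ipv4.ip_forward = 1 is set in the sysctl file (default /etc/sysctl.conf).
# This reads the file, so it says what `sysctl -p` will apply, not the live kernel value.
ip_forward_enabled() {                     # $1 = sysctl.conf path (optional)
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1([[:space:]#]|$)' "${1:-/etc/sysctl.conf}"
}

# Run every check; return 0 only if all pass.
openvpn_preflight() {                      # $1 = sysctl.conf path, $2.. = server config paths
    local sysctl_file=$1 rc=0 conf
    shift
    if tun_check; then echo "ok   tun device usable"
    else echo "FAIL tun device not usable: ask the VPS provider to enable tun/tap"; rc=1; fi
    if ip_forward_enabled "$sysctl_file"; then echo "ok   ip_forward = 1 in $sysctl_file"
    else echo "FAIL net.ipv4.ip_forward is not 1 in $sysctl_file"; rc=1; fi
    for conf in "$@"; do
        if conf_files_exist "$conf"; then echo "ok   $conf: ca/cert/key/dh files present"; else rc=1; fi
        if conf_drops_privs "$conf"; then echo "ok   $conf: drops to an unprivileged user/group"
        else echo "FAIL $conf: user/group missing or root"; rc=1; fi
    done
    return $rc
}

# On the VPS:  openvpn_preflight /etc/sysctl.conf /etc/openvpn/server_*.conf
```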
Install and configure the HTTP proxy (squid)
# yum -y install squid
# vi /etc/squid/squid.conf
# Insert the following four lines at the very top of the file, to allow OpenVPN and SSH users to use squid
acl openvpn src 172.16.0.0/16
http_access allow openvpn
acl ssh src 127.0.0.1
http_access allow ssh
# Find the corresponding lines below and change them as follows
forwarded_for off
header_access Via deny all
header_access All allow all
# /etc/init.d/squid restart
# chkconfig squid on
Install the DNS proxy (dnsmasq)
# yum -y install dnsmasq
# /etc/init.d/dnsmasq restart
# chkconfig dnsmasq on
iptables setup
# cd ~
# vi setiptables.sh
# Create a script that controls which server ports are open and closed, and adjust it to your own situation. Those of you fluent in iptables can ignore this; beginners please read the relevant documentation
rm -f /etc/sysconfig/iptables
/etc/init.d/iptables restart
iptables -F
# NAT only the two full-tunnel subnets; the 172.16.2.0/24 clients only reach the proxy on the server itself and need no NAT
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j SNAT --to-source *.*.*.* # server IP address
iptables -t nat -A POSTROUTING -s 172.16.3.0/24 -j SNAT --to-source *.*.*.* # server IP address
iptables -A INPUT -i lo -j ACCEPT
# with ip_forward enabled, an ACCEPT policy forwards for any source; limiting FORWARD to -i tun+ is tighter
iptables -P FORWARD ACCEPT
iptables -A OUTPUT -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# apache, close it if you do not run one
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# squid, only from VPN clients (the SSH-forwarded proxy arrives over lo, which is accepted above)
iptables -A INPUT -p tcp -s 172.16.0.0/16 --dport 3128 -j ACCEPT
# openvpn
iptables -A INPUT -p udp --dport 49775 -j ACCEPT
iptables -A INPUT -p udp --dport 49776 -j ACCEPT
iptables -A INPUT -p udp --dport 49777 -j ACCEPT
# dnsmasq
iptables -A INPUT -p udp --dport 53 -s 172.16.0.0/16 -j ACCEPT # only allow DNS queries coming in over the openvpn connections
# icmp, allow ping; delete the following line if you do not need it
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -j DROP
/etc/init.d/iptables save
/etc/init.d/iptables restart
# chmod +x seti
ptables.sh
# ./setiptables.sh
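Every time a server_NNNNN.conf is added or retired, the port list in setiptables.sh has to change with it, and that is easy to forget either way: a forgotten ACCEPT leaves the new VPN unreachable, a forgotten deletion leaves a UDP port open to the world for nothing. The script below cross-checks the two. It is an added example, not part of the original notes; it assumes the rule syntax of setiptables.sh above (`-A INPUT ... -p proto --dport N [-s net] -j ACCEPT`) and the `port`/`proto` directives of the server configs, and the file paths are parameters.

```shell
#!/bin/sh
# Added example (not from the original notes): check that the ports the OpenVPN server configs
# listen on are exactly the UDP ports setiptables.sh opens to everyone on INPUT.

# Print "proto/port@source" for every "-A INPUT ... -p P ... --dport N ... -j ACCEPT" rule;
# source is "any" when the rule carries no -s restriction.
fw_open_ports() {                          # $1 = iptables script
    awk '/-A INPUT/ && /-j ACCEPT/ {
            proto = ""; port = ""; src = "any"
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-s") src = $(i + 1)
            }
            if (proto != "" && port != "") print proto "/" port "@" src
        }' "$1" | sort -u
}

# Print "proto/port" for each OpenVPN server config (proto defaults to udp, as in OpenVPN).
ovpn_listen_ports() {                      # $@ = server config paths
    local conf
    for conf in "$@"; do
        awk '$1 == "proto" { proto = $2 }
             $1 == "port"  { port = $2 }
             END { if (port != "") print (proto == "" ? "udp" : proto) "/" port }' "$conf"
    done | sort -u
}

# 0 when every config port is opened and every UDP port opened to everyone has a config.
# TCP ports (ssh, apache) and source-restricted rules (squid, dnsmasq) are only reported.
fw_ports_consistent() {                    # $1 = iptables script, $2.. = server configs
    local script=$1 rc=0 opened listened entry port src
    shift
    opened=$(fw_open_ports "$script")
    listened=$(ovpn_listen_ports "$@")
    for entry in $listened; do
        if ! printf '%s\n' "$opened" | grep -q "^$entry@"; then
            echo "FAIL $entry is in a server config but not opened in $script"; rc=1
        fi
    done
    for entry in $opened; do
        port=${entry%@*}; src=${entry#*@}
        case "$src/$port" in
            any/udp/*)
                if printf '%s\n' "$listened" | grep -qx "$port"; then
                    echo "ok   $port open to everyone, served by an OpenVPN config"
                else
                    echo "FAIL $port is open to everyone in $script but no server config listens on it"; rc=1
                fi ;;
            *) echo "note $port open from $src (not an OpenVPN port)" ;;
        esac
    done
    return $rc
}

# On the VPS:  fw_ports_consistent ~/setiptables.sh /etc/openvpn/server_*.conf
```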
PC client
Test environment: Windows 7
1. OpenVPN
Download the following files from the server over SFTP: /etc/openvpn/ca.crt, /etc/openvpn/easy-rsa/2.0/keys/client01.crt, /etc/openvpn/easy-rsa/2.0/keys/client01.key
Download and install the OpenVPN client,
then with a text editor (Notepad++ recommended) create a file with the extension .ovpn in C:\Program files\openvpn\config\ (the default install directory), with the following content
client
dev tun
proto udp
remote *.*.*.* 49775 # server IP and port
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
mssfix 1330 # ADSL users may run into MTU problems, which show up as dropped connections when transferring large files or watching YouTube; mssfix must not exceed 1500, see http://openvpn.net/index.php/open-source/faq.html#mtu
# paste the content of ca.crt here
<ca>
-----BEGIN CERTIFICATE-----
MIIDWTCCAsKgAwIBAgIJAMx5bBbYiQhLMA0GCSqGSIb3DQEBBQUAMHwxCzAJBgNV
BAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMRUwEwYD
**********************************************************
-----END CERTIFICATE-----
</ca>
# paste the last section of client01.crt here
<cert>
-----BEGIN CERTIFICATE-----
MIIDozCCAwygAwIBAgIBAjANBgkqhkiG9w0BAQUFADB8MQswCQYDVQQGEwJVUzEL
MAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMGA1UEChMMRm9y
**********************************************************
-----END CERTIFICATE-----
</cert>
# paste the content of client01.key here
<key>
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQC3S25j/kcxiclCn/7B5RiFOEBFT7xApjPp0uHPWKsg+RxThr2W
uGsdLVhLxrcoq+jYae1O6jOkXzof6EFVT22E5BMJZt6OFtE51V5USKlH3jpbA6xE
**********************************************************
-----END RSA PRIVATE KEY-----
</key>
Copy the file above, change the port to 49776 and save it as a second config.
Open OpenVPN GUI: connecting with the first config gives you global circumvention; with the second config you first need to set the browser's proxy server to 172.16.2.1:3128.
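The three paste steps above are where client configs usually go wrong: client01.crt as written by easy-rsa 2.0 starts with a human-readable dump (hence "the last section"), and a key pasted into the wrong tag fails silently until connect time. The script below assembles the .ovpn on the VPS from the three files and checks that each one holds exactly one well-formed PEM block, so that only one file has to be fetched over SFTP. It is an added example, not part of the original notes; the directive list is the one above, the server address and port are parameters, and 203.0.113.10 in the usage comment is a documentation address standing in for the real server IP.

```shell
#!/bin/sh
# Added example (not from the original notes): assemble a client .ovpn with inline <ca>,
# <cert> and <key> sections from ca.crt, clientNN.crt and clientNN.key.

# Print only the PEM block of a file: from its "-----BEGIN" line to its "-----END" line.
pem_block() {                              # $1 = file
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# 0 when the file holds exactly one PEM block whose BEGIN and END labels agree.
pem_valid() {                              # $1 = file
    local begin end
    [ -r "$1" ] || return 1
    begin=$(grep -c '^-----BEGIN ' "$1") || true
    end=$(grep -c '^-----END ' "$1") || true
    [ "$begin" -eq 1 ] && [ "$end" -eq 1 ] || return 1
    [ "$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1")" = "$(sed -n 's/^-----END \(.*\)-----$/\1/p' "$1")" ]
}

# Write the .ovpn for one client; returns 1 without writing if any input is not a clean PEM file.
make_ovpn() {   # $1 = server IP, $2 = port, $3 = ca.crt, $4 = client .crt, $5 = client .key, $6 = output
    local ip=$1 port=$2 ca=$3 crt=$4 key=$5 out=$6 f
    for f in "$ca" "$crt" "$key"; do
        pem_valid "$f" || { echo "bad or missing PEM block in $f" >&2; return 1; }
    done
    {
        printf 'client\ndev tun\nproto udp\nremote %s %s\n' "$ip" "$port"
        printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\n'
        printf 'ns-cert-type server\ncomp-lzo\nverb 3\nmssfix 1330\n'
        printf '<ca>\n';   pem_block "$ca";  printf '</ca>\n'
        printf '<cert>\n'; pem_block "$crt"; printf '</cert>\n'
        printf '<key>\n';  pem_block "$key"; printf '</key>\n'
    } > "$out"
    chmod 600 "$out"                       # the file now embeds the client's private key
}

# On the VPS (203.0.113.10 stands in for the server address):
#   make_ovpn 203.0.113.10 49775 /etc/openvpn/ca.crt \
#       /etc/openvpn/easy-rsa/2.0/keys/client01.crt /etc/openvpn/easy-rsa/2.0/keys/client01.key \
#       /root/client01_49775.ovpn
```

Run it once more with 49776 as the port for the proxy-only config; the output file contains the client's private key, so delete it from the VPS after fetching it.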
2. Forward the HTTP proxy port to the local machine over SSH
Open Bitvise Tunnelier (in principle other programs such as PuTTY can do this too; on a WM phone the same can be done with Token2Shell/Mobile, covered later),
switch to the C2S Fwding tab, click Add, enter 127.0.0.1 as Listen Interface, 3128 as List. Port and 3128 as Dest. Port, save the settings and connect over SSH,
then set the browser's HTTP proxy server to 127.0.0.1:3128
WM client
Test environment: HTC Touch Diamond, WM6.1 20779
1. OpenVPN
Go here to download the PPC build of OpenVPN, and reboot after installing it.
The OpenVPN PPC build's interface is not compatible with TouchFlo or with WM6.5's Titanium;
for TouchFlo you can install TouchFlo Detacher to switch quickly, and for Titanium there is a Mortscript script to download here that switches the Titanium interface quickly.
On the PC, create two config files, ovpn_wifi.ovpn and ovpn_gprs.ovpn, with the following contents:
# ovpn_wifi.ovpn, basically the same as the PC config
remote *.*.*.* 49777 # IP address and port
client
proto udp
nobind
dev tun
comp-lzo
verb 3
resolv-retry infinite
persist-key
persist-tun
mssfix 1300
ns-cert-type server
redirect-gateway # redirect-gateway def1 cannot be used here, otherwise DNS lookups break
dhcp-option DNS 172.16.3.1 # use the DNS server on the VPN server
# ca.crt
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
# client.crt
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
# client.key
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
# ovpn_gprs.ovpn
remote *.*.*.* 49777 # IP address and port
client
proto udp
nobind
dev tun
comp-lzo
verb 3
resolv-retry infinite
persist-key
persist-tun
mssfix 1300
ns-cert-type server
redirect-gateway def1 # the only difference from ovpn_wifi.ovpn
dhcp-option DNS 172.16.3.1 # use the DNS server on the VPN server
# ca.crt
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
# client.crt
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
# client.key
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
Copy both config files into the /Program Files/OpenVPN/config/ directory.
If you go over the wall via Wi-Fi, setup is complete at this point: open the OpenVPN connection manager, choose Start From Config in the menu, pick ovpn_wifi, and once the connection icon turns green you are connected.
(Note that by default the Wi-Fi connection drops when the screen is switched off; see this post for the registry change, but keep in mind that keeping Wi-Fi up with the screen off increases battery drain.)
If you go over the wall via GPRS, further setup is needed: on the PC create two registry files named gprs_openvpn.reg and gprs_opendns.reg, with the following contents:
# gprs_openvpn.reg: sets the DNS server used for GPRS to 172.16.3.1
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Comm\Cellular Line\Parms\TcpIp]
"DNS"=hex(7):31,00,37,00,32,00,2E,00,31,00,36,00,2E,00,33,00,2E,00,31,00,00,00,31,\
00,37,00,32,00,2E,00,31,00,36,00,2E,00,33,00,2E,00,31,00,00,00,00,00
# gprs_opendns.reg: sets the DNS servers used for GPRS back to OpenDNS
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Comm\Cellular Line\Parms\TcpIp]
"DNS"=hex(7):32,00,30,00,38,00,2E,00,36,00,37,00,2E,00,32,00,32,00,32,00,2E,00,32,\
00,32,00,32,00,00,00,32,00,30,00,38,00,2E,00,36,00,37,00,2E,00,32,00,32,00,\
30,00,2E,00,32,00,32,00,30,00,00,00,00,00
In the OpenVPN connection manager connect with the ovpn_gprs config; once connected, import gprs_openvpn.reg. After disconnecting OpenVPN, import gprs_opendns.reg into the registry again.
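The hex(7) strings in the two .reg files are REG_MULTI_SZ values: UTF-16LE text, each address followed by a NUL character (00,00) and the whole list closed by one more NUL. Knowing that, you can check what a .reg file will really set (the value must decode back to the two resolvers) and generate one for any other resolver instead of editing hex by hand. The helpers below are an added example, not part of the original notes; they assume ASCII addresses and reproduce the registry key and value name used above.

```shell
#!/bin/sh
# Added example (not from the original notes): encode and decode REG_MULTI_SZ hex(7) payloads
# as used in the gprs_*.reg files above, and write such a .reg file. Plain POSIX sh, ASCII only.

# Encode strings as a hex(7) payload: "172.16.3.1" -> 31,00,37,00,32,00,2E,00,...,00,00
reg_multisz_encode() {                     # $@ = strings
    local out s rest c
    out=""
    for s in "$@"; do
        rest=$s
        while [ -n "$rest" ]; do
            c=${rest%"${rest#?}"}          # first character of what is left
            rest=${rest#?}
            out="$out$(printf '%02X,00,' "'$c")"   # code point, then the high byte 00
        done
        out="${out}00,00,"                 # terminator of this string
    done
    printf '%s\n' "${out}00,00"            # terminator of the list
}

# Decode a hex(7) payload (line continuations and whitespace allowed) to one string per line.
reg_multisz_decode() {                     # $1 = everything after "hex(7):"
    local payload s lo hi oldifs
    payload=$(printf '%s' "$1" | tr -d '\\ \t\r\n')
    oldifs=$IFS; IFS=,
    set -- $payload                        # one positional parameter per byte
    IFS=$oldifs
    s=""
    while [ $# -ge 2 ]; do
        lo=$1; hi=$2; shift 2
        if [ "$lo$hi" = 0000 ]; then
            [ -n "$s" ] || break           # an empty string is the end-of-list marker
            printf '%s\n' "$s"; s=""
        else
            s="$s$(printf "\\$(printf '%03o' "$((0x$lo))")")"
        fi
    done
}

# Write a complete .reg file setting the GPRS DNS servers (same key and value name as above).
# Line endings are LF; convert to CRLF if the phone's registry tool insists on it.
write_gprs_dns_reg() {                     # $1 = output path, $2.. = DNS server addresses
    local out=$1
    shift
    {
        printf 'Windows Registry Editor Version 5.00\n\n'
        printf '[HKEY_LOCAL_MACHINE\\Comm\\Cellular Line\\Parms\\TcpIp]\n'
        printf '"DNS"=hex(7):%s\n' "$(reg_multisz_encode "$@")"
    } > "$out"
}

# write_gprs_dns_reg gprs_openvpn.reg 172.16.3.1 172.16.3.1
# write_gprs_dns_reg gprs_opendns.reg 208.67.222.222 208.67.220.220
```

Decoding the payload of a .reg file before importing it is the quick way to see that it names the resolver you intend; the value in gprs_openvpn.reg decodes to 172.16.3.1 twice (primary and secondary), the one in gprs_opendns.reg to 208.67.222.222 and 208.67.220.220.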
(The problem of DNS being easily poisoned can also be solved with a local hosts file; please Google for the specifics.)
2. Forward the HTTP proxy port to the phone over SSH
This method only lets Opera Mobile 9 and 10 browse past the wall, and can also serve Pocketwit for tweeting; for now no other programs can use it.
Download Token2Shell/Mobile (shareware, 30-day trial; the free zaTunnel can be used instead, but zaTunnel is not very stable). After installing, open Token2Shell/Mobile and choose Menu, Tools, SSH Port Forward Manager,
then Menu, New, Port Forwarding;
enter the server address under Server Address and the port under Port, then tap SSH Options, tick Auto Login at the very bottom, enter your username and password and tap OK to return to the previous page;
tick Local Gateway and Remote Gateway;
tap the Port soft key, then New, Local;
enter the squid port (3128) as Local Port, 127.0.0.1 as Address and 3128 as Port, save the settings and tap Start to connect.
Once connected, type opera:config into the Opera Mobile address bar (you can bookmark this page to make the settings easier to reach), find the Proxy section and expand it;
enter 127.0.0.1:3128 under HTTP Server and HTTPS Server, tick Use HTTP and Use HTTPS, and tap Save at the bottom to save the settings.
For Pocketwit you must first log in to your account over OpenVPN; only then can the HTTP proxy server address be set in its settings.
Forwarding the HTTP proxy over SSH is more convenient than OpenVPN and somewhat more stable, but its drawback is that fewer programs support it.
That is all; experience, comments and corrections are welcome
@chocli
02/04/2010 20:31
--
Posted By GFW Blog to GFW BLOG at 4/05/2010 05:53:00 PM --
1. Visit us at www.chinagfw.org; feed address: http://feeds2.feedburner.com/chinagfwblog. 2. If you need a Psiphon2 invitation, send an e-mail to english@sesawe.net saying "can I have psiphon2 access" and giving the country you are in; you can also ask Psiphon for an invitation directly via Twitter Direct Messages or on the Psiphon website. 3. GFW Blog now offers downloads of the latest circumvention tools (addresses one, two, three); for an introduction to circumvention (breaking through network blocking) methods see this site's anti-censorship section. 4. Contributions and article recommendations are warmly welcome; please e-mail chinagfwblog[at]gmail.com. 5. Please follow, support and take part in Sesawe and the black-box surveillance class action.