Getting Through the Firewall with OpenVPN

OpenVPN, much like the Japanese Softether, uses software to emulate a network card that connects through a specific port to a remote server, so that it looks as if that network card were plugged straight into a hub. The machine then sits on the same local LAN as the remote server, which is how it gets past the company's outbound firewall. Most companies only allow outbound connections on port 80 (http) and port 443 (https SSL), so every other network function is blocked; with OpenVPN or Softether you can borrow port 443 to reach a "hub" outside, and let that unrestricted "hub" carry out whatever network functions you need, effectively passing through the firewall.

Softether is quite a good piece of software; unfortunately, from 2.x on it is only available in Japanese with no English version, so for those of us who cannot read Japanese even using it is a problem, let alone paying for it. Softether 1.x, in turn, will not run on Windows Vista, which is why I came to try OpenVPN. OpenVPN is free software, and while it is basically a little harder to use than Softether, it is fine as long as you follow the steps.
The first-time setup is as follows:

  1. Run init-config (first-time setup only).
  2. Run vars (edit this file so its contents match your own data), then
     clean-all, then
     build-ca (generates the CA file).
  3. Run build-key-server server (generates the server key file).
  4. Run build-key client1,
     build-key client2,
     build-key client3 (generates the client key files; create one for each client that will use the VPN).

Copy the generated files to the C:\Program Files\OpenVPN\config directory, on the server or on client(n) as the table below indicates.

Filename     Needed By                 Purpose                    Secret
ca.crt       server + all clients      Root CA certificate        NO
ca.key       key signing machine only  Root CA key                YES
dh{n}.pem    server only               Diffie Hellman parameters  NO
server.crt   server only               Server Certificate         NO
server.key   server only               Server Key                 YES
client1.crt  client1 only              Client1 Certificate        NO
client1.key  client1 only              Client1 Key                YES
client2.crt  client2 only              Client2 Certificate        NO
client2.key  client2 only              Client2 Key                YES
client3.crt  client3 only              Client3 Certificate        NO
client3.key  client3 only              Client3 Key                YES

The more complicated part is editing the server-side and client-side config files. I modified the samples supplied in the config-example directory; the parts I changed are listed below with brief notes for reference. After editing, copy them to the same C:\Program Files\OpenVPN\config directory.

Server

...
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 443 # (use port 443, the port SSL uses)
proto tcp # (use tcp for TLS/SSL)
;proto udp
...
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert server.crt
key server.key # (for these three lines, use the key files you generated)
...
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
;server 10.8.0.0 255.255.255.0
server 192.168.0.0 255.255.255.0 # (changed to the 192.168.0 segment I usually use)
...
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel. Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
push "redirect-gateway" # (once the client connects, its default gateway is changed to go through the OpenVPN server)
...

Client

...
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp # (use tcp for TLS/SSL)
;proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote your.openvpn.server 443 # (your OpenVPN server address and the port it uses; port 443, the port SSL uses)
...
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
http-proxy proxy.your.company.com 8080 # (if you have one, your company proxy address and port)
...
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client2.crt
key client2.key # (for these three lines, use the key files you generated)
...

Finally, on Windows you can start it by right-clicking the config file in Explorer, or by running the following command:
openvpn --config server.ovpn
On Windows it can also be run as a service.
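As an added consistency check (example code written for this post, not part of OpenVPN or the original article), the following Python script parses the server and client excerpts above and verifies what the setup depends on: the same proto on both ends, the client's remote port matching the server's port, http-proxy used only with tcp, the client not carrying a key the table marks as server/CA only, and the 192.168.0.0/24 VPN subnet not overlapping the client's own LAN when redirect-gateway is pushed. The config excerpts and the client_lan value are constructed sample input.

```python
import ipaddress

# Constructed excerpts of the server and client configs shown in this post
# (the same directives, with the long comment blocks left out).
SERVER_CONF = """
port 443
proto tcp
ca ca.crt
cert server.crt
key server.key
server 192.168.0.0 255.255.255.0
push "redirect-gateway"
"""
CLIENT_CONF = """
proto tcp
remote your.openvpn.server 443
http-proxy proxy.your.company.com 8080
ca ca.crt
cert client2.crt
key client2.key
"""

def parse(text):
    """Map each directive to its argument list; comment lines and trailing '# (...)' notes are dropped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            key, *args = line.split()
            conf[key] = args
    return conf

def check(server_text, client_text, client_lan="192.168.1.0/24"):
    """Return a list of problems found; an empty list means the pair is consistent."""
    s, c = parse(server_text), parse(client_text)
    problems = []
    if s.get("proto") != c.get("proto"):
        problems.append("proto differs between server and client")
    remote_port = (c.get("remote", [None]) + ["1194"])[1]  # 1194 is OpenVPN's default port
    if remote_port != s.get("port", ["1194"])[0]:
        problems.append("client 'remote' port does not match server 'port'")
    if "http-proxy" in c and c.get("proto") != ["tcp"]:
        problems.append("http-proxy only works with proto tcp")
    if c.get("key", [""])[0] in ("ca.key", "server.key"):
        problems.append("client config references a key the table marks server/CA only")
    if "server" in s and "redirect-gateway" in " ".join(s.get("push", [])):
        # With the default route redirected, a VPN subnet equal to the client's LAN breaks local routing.
        vpn = ipaddress.ip_network(f"{s['server'][0]}/{s['server'][1]}")
        if vpn.overlaps(ipaddress.ip_network(client_lan)):
            problems.append(f"VPN subnet {vpn} overlaps client LAN {client_lan}")
    return problems

if __name__ == "__main__":
    for p in check(SERVER_CONF, CLIENT_CONF) or ["ok: server and client configs are consistent"]:
        print(p)
```

Pass the client's real LAN as client_lan; with the 192.168.0 segment the post uses, a client sitting on a 192.168.0.0/24 network at home will be flagged.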
