突破防火牆的 OpenVPN

OpenVPN，就像日本人的 Softether 一樣，可以藉由軟體模擬網路卡，透過特定的 port，連上遠端的 server，而模擬像網路卡直接接上 hub 的樣子，如此可以跟遠端的 server 處在同一個 local LAN，從而達到突破公司連外防火牆的目的。 一般公司對於對外的連線，通常只會開放 port 80 (http) 及 port 443 (https SSL)，所以其他的網路功能都被限制住了；而透過 OpenVPN 或 Softether 的程式，可以借用 port 443 連到外面的 “hub”，再由沒有限制的 “hub” 執行各種網路功能，有效穿越 firewall。

Softether 是一個很不錯的軟體，可惜的是在 2.x 之後只有日文版本而沒有提供英文版本，對於日文文盲的人來說，連使用都成問題了，更何況需要付費；而 Softether 1.x 在 Windows Vista 上跑不起來，所以我才會來試看看 OpenVPN。OpenVPN 是免費軟體，但基本上 OpenVPN 使用比 Softether 難了一點，不過只要依步驟來，還是 ok 的了。
第一次設定如下：

1. 執行 init-config — 第一次設定
2. 執行 vars — 這個檔的內容要依你的資料修改
   clean-all
   build-ca — 產生 CA 檔
3. 執行 build-key-server server — 產生 server key 檔
4. 執行 build-key client1
   build-key client2
   build-key client3 — 產生 client key 檔，看有幾個 client 要用就產生幾個。

產生出來的檔，依下表 server 或 client(n) 需要，複製到 C:\Program Files\OpenVPN\config 目錄。

比較複雜的是改 server 端及 client 端的 config 檔，我把 config-example 目錄中附的範例修改，有改動的部份列在下面，並稍加說明，請參考。改完同樣複製到 C:\Program Files\OpenVPN\config 目錄。

Server

...
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 443 # (用 SSL 用的 443 port)
proto tcp # (使用 TLS/SSL 要用 tcp)
;proto udp
...
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert server.crt
key server.key # (這三行用你產生出來的 key 檔案)
...
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
;server 10.8.0.0 255.255.255.0
server 192.168.0.0 255.255.255.0 #(換成我常用的 192.168.0 網段)
...
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel. Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
push "redirect-gateway" # (client端連上後，將 default gateway 改成連到 OpenVPN server)
...


Client

...
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp # (使用 TLS/SSL 要用 tcp)
;proto udp # The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote your.openvpn.server 443 #(你的 OpenVPN server 位置及使用的 port，用 TLS/SSL 用的 443 port)
...
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
http-proxy proxy.your.company.com 8080 #(如果有的話，你公司 proxy 的位置及 port)
...
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client2.crt
key client2.key #(這三行用你產生出來的 key 檔案)
...


最後，Windows 中，在檔案總管中在 config 檔上按右鍵就可以執行。或由下面的命令執行:
openvpn --config server.ovpn
另外，Windows 中也可以以 service 型式執行。