This is odd. I looked into it carefully, and the original author says this:
I have created a patch which introduces some forms of scrambling to the packet payload of any OpenVPN connection.
I have been successfully using the patch with Iranian and Chinese users for some time now.
Looks like Iran is pretty bad too.
Speechless. Given that OpenVPN cannot connect at all from 森华易腾, I don't know whether they simply blocked UDP port 1194 or blocked OpenVPN at the protocol level; either way, it's all pretty shit.
Simply put, the OpenVPN protocol gets obfuscated, and one configuration option is added:
the scramble parameter
scramble reverse #reverses the transmitted data; usually this one line alone is already enough to get past the detection mechanisms in China and Iran
scramble xorptrpos #XORs the payload data of each transmitted packet
scramble obfuscate password #stronger encryption: reverse + xor + password, all three combined. "password" is the password you set
Once you use this option, it is recommended to set cipher none, because after this there is no longer any need to specify a cipher. Besides, a cipher consumes CPU, and scramble uses far less CPU than a cipher does.
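To make concrete what each scramble mode does to a packet, here is an added Python model of the three transforms. It is not the patch's own code; the exact byte order and step order used by the real patch are assumptions, noted in the docstring, that you should verify against the patch source. Running it shows the property that matters for the cipher none advice above: the transforms round-trip between peers, but reverse and xorptrpos need no secret at all, and obfuscate is a deterministic XOR with a short repeating mask, so with cipher none the tunnel payload has no cryptographic confidentiality, only obfuscation.

```python
"""Model of the scramble transforms described above (added example).

Not the patch's own code: a Python model of what the page says the three
modes do, so you can see what each one does and does not protect.
ASSUMPTIONS (from a reading of the patch, verify against the source):
 - reverse keeps the first byte (OpenVPN's opcode byte) in place;
 - xorptrpos XORs each byte with its 1-based offset, truncated to 8 bits;
 - obfuscate applies xorptrpos, reverse, xorptrpos, then the password
   mask on send, and the same steps in reverse order on receive.
"""


def reverse(data: bytes) -> bytes:
    """'scramble reverse': flip the packet bytes after the first one."""
    if len(data) <= 2:
        return data
    return data[:1] + data[1:][::-1]


def xorptrpos(data: bytes) -> bytes:
    """'scramble xorptrpos': XOR each byte with its position (keyless)."""
    return bytes(b ^ ((i + 1) & 0xFF) for i, b in enumerate(data))


def xormask(data: bytes, password: bytes) -> bytes:
    """XOR with the password repeated over the packet (short, fixed key)."""
    if not password:
        return data
    return bytes(b ^ password[i % len(password)] for i, b in enumerate(data))


def obfuscate_send(data: bytes, password: bytes) -> bytes:
    """'scramble obfuscate <password>', sender side (assumed step order)."""
    return xormask(xorptrpos(reverse(xorptrpos(data))), password)


def obfuscate_recv(data: bytes, password: bytes) -> bytes:
    """Receiver side: every step is its own inverse, so undo in reverse order."""
    return xorptrpos(reverse(xorptrpos(xormask(data, password))))


def scramble_properties(packet: bytes, password: bytes) -> dict:
    """Summarise what the transforms give you on one constructed packet."""
    wire = obfuscate_send(packet, password)
    return {
        # A peer with the same password recovers the packet exactly.
        "round_trip_ok": obfuscate_recv(wire, password) == packet,
        # reverse and xorptrpos need no secret: anyone on path can undo them.
        "keyless_modes_invertible": reverse(reverse(packet)) == packet
        and xorptrpos(xorptrpos(packet)) == packet,
        # No nonce/IV: the same packet always scrambles to the same bytes,
        # which is why this is obfuscation, not encryption, and why
        # 'cipher none' leaves the tunnel payload without confidentiality.
        "deterministic": obfuscate_send(packet, password) == wire,
        # The mask repeats every len(password) bytes, another fixed pattern.
        "mask_period": len(password),
    }


if __name__ == "__main__":
    # Constructed sample: an opcode-like byte followed by payload text.
    sample = b"\x30" + b"constructed payload"
    print(scramble_properties(sample, b"example-password"))
```

Run it to print the property summary for the constructed packet; scramble_properties is the function to reuse for other inputs or passwords.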
Let's set one up and try it. Here I'm using OpenVPN 2.4.4 and the matching patch.
Download:
wget http://img.rendoumi.com/soft/vpn/2.4.4.zip
wget http://img.rendoumi.com/soft/vpn/master.zip
unzip -x 2.4.4.zip
unzip -x master.zip
Apply the patch and build:
cd openvpn-release-2.4/
git apply ../openvpn_xorpatch-master/openvpn_xor.patch
autoreconf -i -v -f
./configure --prefix=/export/servers/openvpn
make
make install
Install easy-rsa 3.0. I have to applaud here: easy-rsa 3.0 has evolved a lot compared to 2.0; it's a single executable and much lighter:
wget http://img.rendoumi.com/soft/vpn/easy-rsa.zip
unzip -x easy-rsa.zip
Create the OpenVPN config directory
mkdir -p /etc/openvpn/conf
cp -r easy-rsa-master/easyrsa3/* /etc/openvpn
Let's see what commands the new easy-rsa 3.0 offers
cd /etc/openvpn
./easyrsa
Easy-RSA 3 usage and overview
USAGE: easyrsa [options] COMMAND [command-options]
A list of commands is shown below. To get detailed usage and help for a
command, run:
./easyrsa help COMMAND
For a listing of options that can be supplied before the command, use:
./easyrsa help options
Here is the list of commands available with a short syntax reminder. Use the
'help' command above to get full usage details.
init-pki
build-ca [ cmd-opts ]
gen-dh
gen-req <filename_base> [ cmd-opts ]
sign-req <type> <filename_base>
build-client-full <filename_base> [ cmd-opts ]
build-server-full <filename_base> [ cmd-opts ]
revoke <filename_base>
gen-crl
update-db
show-req <filename_base> [ cmd-opts ]
show-cert <filename_base> [ cmd-opts ]
import-req <request_file_path> <short_basename>
export-p7 <filename_base> [ cmd-opts ]
export-p12 <filename_base> [ cmd-opts ]
set-rsa-pass <filename_base> [ cmd-opts ]
set-ec-pass <filename_base> [ cmd-opts ]
DIRECTORY STATUS (commands would take effect on these locations)
EASYRSA: .
PKI: /etc/openvpn/pki
Simple and clear at a glance. Let's go, all in one breath
cd /etc/openvpn
./easyrsa init-pki
./easyrsa --batch build-ca nopass
./easyrsa --batch build-server-full server nopass
./easyrsa --batch build-client-full client1 nopass
./easyrsa gen-dh
No need to worry about anything, it's all done. Compared with easy-rsa 2.0's pile of scripts and editing vars, this saves so much effort!!!
Prepare the server-side config files:
cd /etc/openvpn/
cp pki/ca.crt pki/dh.pem pki/private/client1.key pki/private/server.key pki/issued/* /etc/openvpn/conf
cd /etc/openvpn/conf
/export/servers/openvpn/sbin/openvpn --genkey --secret ta.key
This leaves 7 files under /etc/openvpn/conf
ca.crt
server.key
client1.key
client1.crt
dh.pem
server.crt
ta.key
Prepare a template:
cat <<EOF > /etc/openvpn/conf/server.conf
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
scramble obfuscate fuckfuckfuck
ca /etc/openvpn/conf/ca.crt
cert /etc/openvpn/conf/server.crt
key /etc/openvpn/conf/server.key
tls-auth /etc/openvpn/conf/ta.key 0
dh /etc/openvpn/conf/dh.pem
cipher none
#push "route 172.16.0.0 255.255.0.0"
client-to-client
comp-lzo
persist-key
persist-tun
user nobody
group nobody
ifconfig-pool-persist /etc/openvpn/conf/ipp.txt
status /var/log/openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
keepalive 5 30
verb 3
EOF
Start the server
/export/servers/openvpn/sbin/openvpn --config /etc/openvpn/conf/server.conf --daemon
Prepare the client file
cat <<EOF > /etc/openvpn/conf/client1.ovpn
client
dev tun
proto udp
remote change_this_to_server_address 1194
scramble obfuscate fuckfuckfuck
resolv-retry infinite
nobind
persist-key
persist-tun
user nobody
group nogroup
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
remote-cert-tls server
cipher none
comp-lzo
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
keepalive 5 30
verb 3
EOF
Merge everything into a single client file
Note the file settings inside merge.sh:
ca="ca.crt"
cert="client1.crt"
key="client1.key"
tlsauth="ta.key"
ovpndest="client1.ovpn"
cd /etc/openvpn/conf
wget http://img.rendoumi.com/soft/vpn/merge.sh
chmod 755 merge.sh
./merge.sh
This produces a merged client1.ovpn connection file with everything in one place. Actually server.conf could include everything inline too.
client
dev tun
proto udp
remote change_this_to_server_address 1194
scramble obfuscate fuckfuckfuck
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher none
comp-lzo
verb 3
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
79a3add18ba52b97045de864939a9a9e
a0a07657bce8a0210c41b7d83d48ec48
81c89db3dbec8b4bfc13424d3813711d
f34a4770ebeaf181eeffcd3f38cea425
78006c5b7506a5d9dcb0079daa3b3412
5434af9df560f3a0d29bc8b333479943
0f5839fee349f2079d03c9d31d6e2bf4
26a32180c8e4f6c1579acbfef7596335
a4147c64395ff77927ebe02f2a757d17
a2df3245670c1eff89f9e1025dbc4b07
8d3fcfaf4fbad44d9becf17f5d6d34ee
50d616fb58bc0e29da54a934353701a9
973df9b1f9041706642ff8ed00b24462
5cb52768dd5472093855d0e8fa5b8762
cca2aa48bda3d8964a19842fbf9d2081
ff0075295379f663129723ee9319a789
-----END OpenVPN Static key V1-----
</tls-auth>
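merge.sh itself is not shown on the page, so here is an added Python equivalent (not the page's script) that does what the merge described above produces: it drops the ca, cert, key and tls-auth file references, carries the direction from "tls-auth ta.key 1" into "key-direction 1", and embeds the four files as <ca>, <cert>, <key> and <tls-auth> blocks. The file contents below are constructed placeholders, not real keys. One assumption: whatever else merge.sh strips (the merged output above also lacks the user/group, MTU and keepalive lines) is not replicated here; every other directive is kept as written.

```python
"""Build a single-file OpenVPN client profile by inlining the PKI files.

Added example, not the page's merge.sh. It removes the file-reference
directives, turns the direction argument of 'tls-auth' into a
'key-direction' line (an inline <tls-auth> block cannot carry it), and
appends the four inline blocks. check_profile() is a small sanity check
you can run on any merged .ovpn before copying it to a client.
"""
from typing import Dict, List, Optional

# Directives that point at a file on disk; each becomes an inline block.
FILE_DIRECTIVES = ("ca", "cert", "key", "tls-auth")


def merge_ovpn(base_config: str, files: Dict[str, str]) -> str:
    """Return base_config with the referenced files embedded inline."""
    kept: List[str] = []
    key_direction: Optional[str] = None
    for line in base_config.splitlines():
        fields = line.split()
        if fields and fields[0] in FILE_DIRECTIVES:
            # 'tls-auth ta.key 1': remember the direction (1 = client side).
            if fields[0] == "tls-auth" and len(fields) >= 3:
                key_direction = fields[2]
            continue  # replaced by an inline block below
        kept.append(line)
    out = "\n".join(kept).rstrip("\n") + "\n"
    if key_direction is not None and "tls-auth" in files:
        out += f"key-direction {key_direction}\n"
    for tag in FILE_DIRECTIVES:
        if tag in files:
            out += f"<{tag}>\n{files[tag].strip()}\n</{tag}>\n"
    return out


def check_profile(profile: str) -> List[str]:
    """Return problems found in a merged profile (empty list means OK)."""
    problems: List[str] = []
    for tag in FILE_DIRECTIVES:
        if f"<{tag}>" in profile and f"</{tag}>" not in profile:
            problems.append(f"unterminated <{tag}> block")
        for line in profile.splitlines():
            if line.split()[:1] == [tag]:
                problems.append(f"file reference still present: {line}")
    if "<tls-auth>" in profile and "key-direction" not in profile:
        problems.append("inline tls-auth without key-direction")
    return problems


# Constructed sample input: the client1.ovpn directives from the page.
BASE_CONFIG = """client
dev tun
proto udp
remote change_this_to_server_address 1194
scramble obfuscate fuckfuckfuck
resolv-retry infinite
nobind
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
remote-cert-tls server
cipher none
verb 3
"""

# Constructed placeholder file contents (not real certificates or keys).
FILES = {
    "ca": "-----BEGIN CERTIFICATE-----\nCA_PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "cert": "-----BEGIN CERTIFICATE-----\nCLIENT_CERT_PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "key": "-----BEGIN PRIVATE KEY-----\nCLIENT_KEY_PLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "tls-auth": "-----BEGIN OpenVPN Static key V1-----\nTA_KEY_PLACEHOLDER\n-----END OpenVPN Static key V1-----\n",
}

SAMPLE_PROFILE = merge_ovpn(BASE_CONFIG, FILES)

if __name__ == "__main__":
    print(SAMPLE_PROFILE)
    print("problems:", check_profile(SAMPLE_PROFILE))
```

To use it on real files, read ca.crt, client1.crt, client1.key and ta.key into the FILES dict and write the returned string to client1.ovpn; the server keeps "tls-auth ... 0", so the client side must end up with key-direction 1 as shown.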
OK, copy this client1.ovpn out and get it ready for use on Windows.
On Windows, download the original openvpn-gui:
http://img.rendoumi.com/soft/vpn/openvpn-install-2.4.4-I601.exe
Then check whether your system is 32-bit or 64-bit and download the matching OpenVPN main executable
http://img.rendoumi.com/soft/vpn/openvpn-2.4-32.exe
http://img.rendoumi.com/soft/vpn/openvpn-2.4-64.exe
Install OpenVPN first, then go to
C:\Program Files\OpenVPN\config
and put client1.ovpn in there.
Then launch OpenVPN-GUI from the desktop as administrator, right-click and choose Connect, and it will connect.