Transcript Document
Own Networking Freeway
OpenVPN vs PPTP
Zhu Guoliang
What can they do?
to start with
Basics
Routing & Routing Table
Concept: Introduction to Computer Networks (计算机网络概论)
Tools
Linux
route
-n: show numerical addresses instead of trying to determine symbolic host names.
traceroute
at startup (the output below is from a Chinese locale; the columns are Destination, Gateway, Genmask, Flags, Metric, Ref, Use, Iface):
内核 IP 路由表
目标            网关            子网掩码        标志  跃点   引用  使用 接口
162.105.238.0   0.0.0.0         255.255.255.0   U     2      0        0 wlan0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlan0
0.0.0.0         162.105.238.1   0.0.0.0         UG    0      0        0 wlan0
Routing & Routing Table
Windows
route print
netstat -r
tracert
at startup (columns: Network Destination, Netmask, Gateway, Interface, Metric; 在链路上 means on-link):
IPv4 路由表
===========================================================================
活动路由:
网络目标            网络掩码            网关              接口            跃点数
0.0.0.0             0.0.0.0             162.105.238.1     162.105.238.14    25
127.0.0.0           255.0.0.0           在链路上          127.0.0.1         306
127.0.0.1           255.255.255.255     在链路上          127.0.0.1         306
127.255.255.255     255.255.255.255     在链路上          127.0.0.1         306
162.105.238.0       255.255.255.0       在链路上          162.105.238.14    281
162.105.238.14      255.255.255.255     在链路上          162.105.238.14    281
162.105.238.255     255.255.255.255     在链路上          162.105.238.14    281
224.0.0.0           240.0.0.0           在链路上          127.0.0.1         306
224.0.0.0           240.0.0.0           在链路上          162.105.238.14    281
255.255.255.255     255.255.255.255     在链路上          127.0.0.1         306
255.255.255.255     255.255.255.255     在链路上          162.105.238.14    281
===========================================================================
VPN
Virtual private network
(Wikipedia) A virtual private network (VPN) is a secure way of connecting to a private Local Area Network at a remote location, using the Internet or any insecure public network to transport the network data packets privately, using encryption.
Quotations
“I have 6 VPNs on my home computer, for visiting certain blocked websites.”
“The war between the GFW and VPNs is a permanent one.”
“I only use them to test which side is stronger; I am not interested in all those anti-government-style remarks.”
“So far the GFW is at a disadvantage and still needs further improvement.”
——
powerful tool
OpenVPN
http://openvpn.net/
OpenVPN
is a free and open source software application that implements virtual private network (VPN) techniques
creates secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities
uses SSL/TLS security for encryption
is capable of traversing network address translators (NATs) and firewalls
was written by James Yonan and is published under the GNU General Public License (GPL).
Installation
apt-get
sudo apt-get install openvpn
Compile, +ipv6 patch
Dependencies:
OpenSSL: openssl-devel (Ubuntu apt-get: libssl-dev)
lzo: liblzo2-dev
./configure
make
sudo make install
Installation
Compile, +ipv6 patch
gzip -d openvpn-2.1.1-ipv6-0.4.11.patch.gz
mv openvpn-2.1.1-ipv6-0.4.11.patch openvpn-2.1.1
cd openvpn-2.1.1
patch -p1 < openvpn-2.1.1-ipv6-0.4.11.patch
./configure
make
sudo make install
Configuration
We use client-server mode (available only since OpenVPN 2.0), “allowing multiple clients to connect to a single OpenVPN server process over a single TCP or UDP port.”
Others:
client-client mode
site-site mode
Configuration
use the easy-rsa tool in $openvpn/easy-rsa/2.0
if installed with apt-get: /usr/share/doc/openvpn/examples
if compiled: your source path
Modify vars, then:
source vars
./clean-all                 # clean keys
./build-ca                  # build a root certificate
./build-key-server server   # make a certificate/private key pair using the locally generated root certificate
./build-key client          # ditto, for the client
./build-dh                  # build Diffie-Hellman parameters for the server side of an SSL/TLS connection
Configuration - Server
use the template $openvpn/sample-config-files/server.conf
Details:
proto udp (proto udp6 to use IPv6)
uncomment push "dhcp-option DNS a.b.c.d" and set your DNS server
uncomment push "redirect-gateway def1 bypass-dhcp"
uncomment push "route 192.168.10.0 255.255.255.0", add other routes
ca ca.crt          # root certificate
cert server.crt    # certificate
key server.key     # private key
dh dh1024.pem      # Diffie-Hellman parameters (the directive is dh, not key)
Configuration - Client
use the template $openvpn/sample-config-files/client.conf
Details:
proto udp (proto udp6 to use IPv6)
remote a.b.c.d 9999   # server address & port
ca ca.crt
cert client.crt
key client.key        # generated by build-ca and build-key
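The server and client slides above are easy to get subtly wrong (a misspelled proto, or DH parameters handed to key instead of dh). The following small config linter is an added example, not part of the slides or of OpenVPN; it parses a .conf/.ovpn the way OpenVPN tokenises it and flags exactly those mistakes. SERVER_CONF is a constructed sample that reproduces the slide's directives, typos included.

```python
import shlex

# Values OpenVPN accepts for "proto" (the slides' "proto upd" is a typo).
PROTOS = {"udp", "tcp", "udp6", "tcp6", "tcp-server", "tcp-client"}

# Constructed server.conf reproducing the slide's directives, typos included.
SERVER_CONF = """
proto upd
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS a.b.c.d"
ca ca.crt        # root certificate
cert server.crt  # certificate
key server.key   # private key
key dh1024.pem   # wrong directive: DH parameters need 'dh'
"""
FIXED_CONF = SERVER_CONF.replace("proto upd", "proto udp").replace("key dh1024", "dh dh1024")

def parse(text):
    """Split a .conf/.ovpn into (directive, args), dropping # and ; comments."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = shlex.split(line)          # keeps push "..." as one argument
            out.append((parts[0], parts[1:]))
    return out

def lint(text, role):
    """Return the problems found; role is "server" or "client"."""
    seen = {}
    for directive, args in parse(text):
        seen.setdefault(directive, []).append(args)
    problems = []
    for args in seen.get("proto", []):
        if not args or args[0] not in PROTOS:
            problems.append(f"proto: unknown value {args!r}")
    for d in ("ca", "cert", "key"):            # the TLS identity every peer needs
        if d not in seen:
            problems.append(f"{d}: missing")
    if len(seen.get("key", [])) > 1:
        problems.append('key: given twice; DH parameters need the "dh" directive')
    if role == "server":
        if "dh" not in seen:
            problems.append("dh: missing Diffie-Hellman parameters")
        if "server" not in seen:
            problems.append("server: missing address pool for clients")
    elif "remote" not in seen:
        problems.append("remote: missing server address and port")
    return problems
```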
Other platforms
OpenVPN GUI for Windows
.ovpn ≈ .conf
GUI
OpenVPN Mac
Launch!
Server
Launch openvpn:
sudo openvpn --config server.conf
Set the NAT rule so client traffic can leave through eth0 (IPv4 forwarding must also be enabled, see net.ipv4.ip_forward=1 in the PPTP section):
sudo iptables -A POSTROUTING -t nat -o eth0 -s 10.8.0.1/24 -d 0/0 -j MASQUERADE
Client
Launch openvpn:
sudo openvpn --config client.conf
Windows GUI: click
Routing rules are set automatically if they were "push"ed in server.conf
Under the hood
Client side route - Windows
before:
IPv4 路由表
===========================================================================
活动路由:
网络目标            网络掩码            网关              接口            跃点数
0.0.0.0             0.0.0.0             162.105.238.1     162.105.238.14    25
127.0.0.0           255.0.0.0           在链路上          127.0.0.1         306
127.0.0.1           255.255.255.255     在链路上          127.0.0.1         306
127.255.255.255     255.255.255.255     在链路上          127.0.0.1         306
162.105.238.0       255.255.255.0       在链路上          162.105.238.14    281
162.105.238.14      255.255.255.255     在链路上          162.105.238.14    281
162.105.238.255     255.255.255.255     在链路上          162.105.238.14    281
224.0.0.0           240.0.0.0           在链路上          127.0.0.1         306
224.0.0.0           240.0.0.0           在链路上          162.105.238.14    281
255.255.255.255     255.255.255.255     在链路上          127.0.0.1         306
255.255.255.255     255.255.255.255     在链路上          162.105.238.14    281
===========================================================================
Under the hood
after:
IPv4 路由表
===========================================================================
活动路由:
网络目标            网络掩码            网关              接口            跃点数
0.0.0.0             0.0.0.0             162.105.238.1     162.105.238.14    25
0.0.0.0             128.0.0.0           10.8.0.5          10.8.0.6          30
10.8.0.1            255.255.255.255     10.8.0.5          10.8.0.6          30
10.8.0.4            255.255.255.252     在链路上          10.8.0.6          286
10.8.0.6            255.255.255.255     在链路上          10.8.0.6          286
10.8.0.7            255.255.255.255     在链路上          10.8.0.6          286
127.0.0.0           255.0.0.0           在链路上          127.0.0.1         306
127.0.0.1           255.255.255.255     在链路上          127.0.0.1         306
127.255.255.255     255.255.255.255     在链路上          127.0.0.1         306
128.0.0.0           128.0.0.0           10.8.0.5          10.8.0.6          30
162.105.238.0       255.255.255.0       在链路上          162.105.238.14    281
162.105.238.14      255.255.255.255     在链路上          162.105.238.14    281
162.105.238.255     255.255.255.255     在链路上          162.105.238.14    281
224.0.0.0           240.0.0.0           在链路上          127.0.0.1         306
224.0.0.0           240.0.0.0           在链路上          10.8.0.6          286
224.0.0.0           240.0.0.0           在链路上          162.105.238.14    281
255.255.255.255     255.255.255.255     在链路上          127.0.0.1         306
255.255.255.255     255.255.255.255     在链路上          10.8.0.6          286
255.255.255.255     255.255.255.255     在链路上          162.105.238.14    281
===========================================================================
Under the hood
Client side route - Linux
before:
内核 IP 路由表
目标            网关            子网掩码        标志  跃点   引用  使用 接口
162.105.238.0   0.0.0.0         255.255.255.0   U     2      0        0 wlan0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlan0
0.0.0.0         162.105.238.1   0.0.0.0         UG    0      0        0 wlan0
after:
内核 IP 路由表
目标            网关            子网掩码        标志  跃点   引用  使用 接口
10.8.0.1        10.8.0.9        255.255.255.255 UGH   0      0        0 tun0
10.8.0.9        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
162.105.238.0   0.0.0.0         255.255.255.0   U     2      0        0 wlan0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlan0
0.0.0.0         10.8.0.9        128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.8.0.9        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         162.105.238.1   0.0.0.0         UG    0      0        0 wlan0
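To see why the "after" table sends everything except the local /24 through tun0 without ever deleting the original default route, here is a longest-prefix-match lookup over the two Linux tables above. This is an added example, not from the slides; the tables are transcribed from the route -n output with English field names, and it also covers the Basics routing-table slide, since the lookup is the same one the kernel performs for any table.

```python
import ipaddress

# Routing tables transcribed from the route -n output above, as
# (destination, gateway, genmask, iface); gateway 0.0.0.0 means on-link.
BEFORE = [
    ("162.105.238.0", "0.0.0.0",       "255.255.255.0",   "wlan0"),
    ("169.254.0.0",   "0.0.0.0",       "255.255.0.0",     "wlan0"),
    ("0.0.0.0",       "162.105.238.1", "0.0.0.0",         "wlan0"),
]
AFTER = [
    ("10.8.0.1",      "10.8.0.9",      "255.255.255.255", "tun0"),
    ("10.8.0.9",      "0.0.0.0",       "255.255.255.255", "tun0"),
    ("162.105.238.0", "0.0.0.0",       "255.255.255.0",   "wlan0"),
    ("169.254.0.0",   "0.0.0.0",       "255.255.0.0",     "wlan0"),
    ("0.0.0.0",       "10.8.0.9",      "128.0.0.0",       "tun0"),
    ("128.0.0.0",     "10.8.0.9",      "128.0.0.0",       "tun0"),
    ("0.0.0.0",       "162.105.238.1", "0.0.0.0",         "wlan0"),
]

def lookup(table, dst):
    """Longest-prefix match, as the kernel does it: return the
    (gateway, iface, prefixlen) of the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, gw, mask, iface in table:
        net = ipaddress.ip_network(f"{dest}/{mask}")
        if addr in net and (best is None or net.prefixlen > best[2]):
            best = (gw, iface, net.prefixlen)
    return best

def added_routes(before, after):
    """Routes OpenVPN inserted: the two /1 halves that beat the /0 default
    (this is what redirect-gateway def1 does) plus the tunnel host routes."""
    return [r for r in after if r not in before]

def leaves_tunnel(table, dst):
    """True if traffic to dst bypasses the VPN (egresses on wlan0)."""
    return lookup(table, dst)[1] != "tun0"

if __name__ == "__main__":
    for dst in ("8.8.8.8", "200.1.2.3", "162.105.238.7", "10.8.0.1"):
        print(dst, "before:", lookup(BEFORE, dst), "after:", lookup(AFTER, dst))
    print("def1 added:", added_routes(BEFORE, AFTER))
```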
the easy way
PPTP
PPTP
Point-to-Point Tunneling Protocol
is a method for implementing virtual private networks (VPN)
uses a control channel over TCP and a GRE tunnel to encapsulate PPP packets.
Specification: RFC 2637
Implementations
MS Windows: supported since Windows 95; Windows Mobile since 2003
Server: Routing And Remote Access Service
Linux: “lacked full PPTP support”
packages: pptp-linux (client), pptpd (server)
SuSE Linux 10 was the first Linux distribution to provide a complete working PPTP client
Mac OS X & iOS have a PPTP client
Palm PDA has a PPTP client
Android has a PPTP client since 1.6
Installation & Configuration
sudo apt-get install pptpd
modify /etc/pptpd.conf
localip 10.100.0.1
remoteip 10.100.0.2-10
modify /etc/ppp/pptpd-options
uncomment require-mppe-128
ms-dns 162.105.129.27
modify /etc/ppp/chap-secrets (one line per account: client, server, secret, allowed IP)
user    pptpd    password    *
sudo /etc/init.d/pptpd restart
Installation & Configuration
Routing rule
sudo iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
Turn on IPv4 forwarding
modify /etc/sysctl.conf
net.ipv4.ip_forward=1
sudo sysctl -p
Client
Windows
create new VPN
choose PPTP
input user, password
save
connect
Mac OS X: same
Android: same
Linux:
apt-get install pptp-linux
pptpsetup --create xx --server x.x.x.x --username user --password password --start
sudo route add default dev ppp0
Save routing rule
so it does not need to be redone on each reboot
sudo sh -c 'iptables-save > /etc/iptables-rules'   # the redirect must run as root too
modify /etc/network/interfaces
find the eth0 (or wlan0) stanza and add:
pre-up iptables-restore < /etc/iptables-rules
Compare
...
...
...
In a nutshell:
OpenVPN is much safer, sometimes the only choice
PPTP is easy to configure, widely supported
Other choices
L2TP
IPSec
Thanks!