The one-click OpenVPN install script "openvpn-install" gives OpenVPN a new lease of life: OpenVPN can be used to get over the wall again

brit...@gmail.com

Jul 13, 2017, 2:08:44 AM7/13/17
to 翻墙论坛
After installing it today, I found that OpenVPN can be used to get over the wall again.

Installation steps:
Log in to the Linux VPS.
wget https://github.com/Nyr/openvpn-install/raw/master/openvpn-install.sh
bash openvpn-install.sh

Running bash openvpn-install.sh ends with the following output:
...
Generating a 2048 bit RSA private key
................+++
.............................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.bMvlQu5Gie'
-----
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'server'
Certificate is to be certified until Jul  2 04:22:38 2027 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
Generating a 2048 bit RSA private key
...........+++
..........................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/client2.key.7nwUyrULSK'
-----
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'client2'
Certificate is to be certified until Jul  2 04:22:39 2027 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf

An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem

 * Stopping virtual private network daemon(s)...                                 *   No VPN is running.
 * Starting virtual private network daemon(s)...                                 *   Autostarting VPN 'server'
Finished!

Your client configuration is available at /root/client2.ovpn
If you want to add more clients, you simply need to run this script again!
root@localhost:~#
root@localhost:~# ps aux|grep openvpn
nobody    7875  0.0  0.1  28492  1048 ?        Ss   05:22   0:00 /usr/sbin/openvpn --writepid /run/openvpn/server.pid --daemon ovpn-server --cd /etc/openvpn --config /etc/openvpn/server.conf --script-security 2
root      7926  0.0  0.0  11740   904 pts/6    S+   05:27   0:00 grep openvpn
root@localhost:~# 

The contents of the server-side configuration file:
root@localhost:~# cat /etc/openvpn/server.conf
port 1278
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
root@localhost:~#

The contents of the downloaded client configuration file client2.ovpn:
client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote my-vps-ip 1278
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
comp-lzo
setenv opt block-outside-dns
key-direction 1
verb 3

As you can see, both configuration files contain the line cipher AES-256-CBC, and as everyone knows AES-256-CBC is used for encryption, just like one of shadowsocks's four parameters, the encryption method, where we usually use aes-256-cfb. My guess is that this
cipher AES-256-CBC line adds a layer of encryption to the OpenVPN connection, so that the GFW cannot detect OpenVPN's traffic signature and cannot block OpenVPN, which is why OpenVPN can be used to get over the wall again.

Note: for proto, udp is recommended; the UDP protocol is more resistant to interference than TCP. For the VPS type, choose something other than OpenVZ, such as KVM/Xen. If you must use an OpenVZ VPS, I suggest the OpenVZ VPS from bandwagonhost.com, whose OpenVZ VPSs have tun/tap enabled by default. If you use an OpenVZ VPS from another provider (for example alpharacks.com), it is best to open a ticket with their support asking them to enable tun/tap (enabling tun/tap yourself in their VPS control panel does not actually take effect). Then run:
openvpn --writepid /run/openvpn/server.pid --daemon ovpn-server --cd /etc/openvpn --config /etc/openvpn/server.conf --script-security 2
Then configure OpenVPN's access to the outside network:
echo 1 > /proc/sys/net/ipv4/ip_forward
(or: sysctl -w net.ipv4.ip_forward=1)
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE (note: if your VPS is on a Xen/KVM platform, change venet0 to eth0)
With that, the server-side setup is complete.

If your local machine is a Mac, download and install the Mac OpenVPN client program Tunnelblick. Then, in the Mac's Finder, open the "Downloads" folder and double-click the client configuration file (the .ovpn file) that was downloaded there; this imports the configuration file into Tunnelblick, and you can then use Tunnelblick to get over the wall.

Related post: http://briteming.blogspot.com/2016/08/openvpn.html

This post itself was published after getting over the wall by this method.

If after using it for a while you can no longer get over the wall, restart the client. If that still doesn't help, reboot the system and run the client again.

Note: it is best to set the local operating system's DNS to 8.8.8.8; otherwise, even after connecting to the OpenVPN server, getting over the wall still fails. For how to set it on a Mac, see:
http://briteming.blogspot.com/2017/06/blog-post_87.html

If on your Mac you find that getting over the wall becomes slower and slower after a while, the Mac's DNS has probably reverted to the ISP's DNS. In that case, follow this post
http://briteming.blogspot.com/2017/06/blog-post_87.html
and set the local operating system's DNS to 8.8.8.8; the speed will immediately become fast again.

from http://briteming.blogspot.com/2017/07/openvpnopenvpn-installopenvpnopenvpn.html
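The two configuration files in this post carry the actual security substance of the script's setup: tls-auth ta.key 0 on the server paired with key-direction 1 on the client (an HMAC on the control channel), remote-cert-tls server, crl-verify, and the privilege drop to user nobody. As an added example that is not from the post or from the openvpn-install project, the following Python script parses a server.conf and a client .ovpn, checks that those directives are present, and checks that the two sides agree on tls-auth direction, cipher, auth, proto and port, since a mismatch in one of those is the usual reason a freshly generated profile refuses to connect. The sample configurations embedded in it are the post's own directives, trimmed to the ones the checks examine; the parser handles the inline <ca>...</ca> blocks that the script's real .ovpn files contain even though the post's listing omits them.

```python
import shlex

# Sample input (constructed from the post): the directives of server.conf and
# client2.ovpn trimmed to those the checks look at. 'my-vps-ip' is the
# post's placeholder for the real server address.
SERVER_CONF = """\
port 1278
proto udp
auth SHA512
tls-auth ta.key 0
push "redirect-gateway def1 bypass-dhcp"
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
crl-verify crl.pem
"""

CLIENT_OVPN = """\
client
proto udp
remote my-vps-ip 1278
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
comp-lzo
key-direction 1
"""


def parse_openvpn_config(text):
    """Map each directive to the list of argument lists it appears with.

    Lines starting with '#' or ';' are comments. Inline blocks such as
    <ca>...</ca> are recorded as the tag name with one "(inline)" argument.
    """
    directives, inline_tag = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline_tag:                      # inside <tag> ... </tag>
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline_tag = line[1:-1]
            directives.setdefault(inline_tag, []).append(["(inline)"])
            continue
        tokens = shlex.split(line)          # keeps push "..." as one argument
        directives.setdefault(tokens[0], []).append(tokens[1:])
    return directives


def _first(directives, name, default=None):
    """Arguments of the first occurrence of a directive, or the default."""
    occurrences = directives.get(name)
    return occurrences[0] if occurrences else default


def _tls_auth_direction(directives):
    """tls-auth key direction, from 'key-direction N' or 'tls-auth FILE N'."""
    key_dir = _first(directives, "key-direction")
    if key_dir:
        return key_dir[0]
    tls_auth = _first(directives, "tls-auth", [])
    return tls_auth[1] if len(tls_auth) >= 2 else None


def lint_openvpn_pair(server_text, client_text):
    """Return 'ERROR:' / 'WARN:' findings for a server/client config pair."""
    s, c = parse_openvpn_config(server_text), parse_openvpn_config(client_text)
    findings = []
    for name in ("tls-auth", "crl-verify", "user", "group"):
        if name not in s:
            findings.append(f"ERROR: server lacks '{name}'")
    # Without this a client accepts any CA-signed certificate, for example
    # another client's, as the server's.
    if _first(c, "remote-cert-tls") != ["server"]:
        findings.append("ERROR: client lacks 'remote-cert-tls server'")
    # tls-auth directions are complementary: server 0 pairs with client 1.
    sd, cd = _tls_auth_direction(s), _tls_auth_direction(c)
    if sd is not None and cd != ("1" if sd == "0" else "0"):
        findings.append(f"ERROR: client key-direction is {cd}, server uses {sd}")
    # Data-channel parameters and transport must agree on both sides.
    for name in ("cipher", "auth"):
        if _first(s, name, [""])[0].upper() != _first(c, name, [""])[0].upper():
            findings.append(f"ERROR: '{name}' differs between server and client")
    if _first(s, "proto", ["udp"])[0][:3] != _first(c, "proto", ["udp"])[0][:3]:
        findings.append("ERROR: proto differs between server and client")
    remote = _first(c, "remote", [])
    client_port = remote[1] if len(remote) >= 2 else "1194"   # OpenVPN default
    server_port = _first(s, "port", ["1194"])[0]
    if server_port != client_port:
        findings.append(f"ERROR: server port {server_port} vs client port {client_port}")
    # Compressing plaintext before encryption exposes the tunnel to
    # compression-oracle attacks; OpenVPN has deprecated compression.
    if "comp-lzo" in s or "compress" in s:
        findings.append("WARN: compression enabled; remove comp-lzo on both sides")
    return findings
```

Run lint_openvpn_pair(open("server.conf").read(), open("client2.ovpn").read()) on a real pair; the post's own configuration produces no errors, only the warning about comp-lzo, while a profile copied from another server (wrong port or key direction) is reported before the first connection attempt.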

brit...@gmail.com

Jul 17, 2017, 4:09:15 AM7/17/17
to 翻墙论坛, brit...@gmail.com
After using it for about ten days, I find that OpenVPN set up on an OpenVZ VPS is hard to connect to, so I strongly recommend setting up OpenVPN on a KVM or Xen VPS!!!

On Thursday, July 13, 2017 at 2:08:44 PM UTC+8, brit...@gmail.com wrote:

brit...@gmail.com

Jul 17, 2017, 9:27:20 AM7/17/17
to 翻墙论坛, brit...@gmail.com
On an iOS device, switch the App Store to the Hong Kong region, search for OpenVPN Connect and install it. (OpenVPN Connect has been removed from the Chinese App Store.)
Then send the downloaded client configuration file client2.ovpn to your own mailbox as an attachment, log in to the mailbox and tap the attachment client2.ovpn; a link "Open in OpenVPN" appears. Tap that link, then tap the "+" on the page that pops up, and the client configuration file client2.ovpn is imported into the OpenVPN Connect client app. Then enable the connection in OpenVPN Connect; after a moment the word "VPN" appears in the top-right corner of the iOS device, and the iOS device can get over the wall.


On Thursday, July 13, 2017 at 2:08:44 PM UTC+8, brit...@gmail.com wrote:
After installing it today, I found that OpenVPN can be used to get over the wall again.