Document

advertisement
Own Networking Freeway
OpenVPN vs PPTP
Zhu Guoliang
tedzhu@163.com
What can they do?
to start with
Basics
Routing & Routing Table
 Concept – 计算机网络概论
 Tools
 linux
 route
 -n: show numerical addresses instead of trying to determine
symbolic host names.
 traceroute
 start up:
内核 IP 路由表
目标
162.105.238.0
169.254.0.0
0.0.0.0
网关
0.0.0.0
0.0.0.0
162.105.238.1
子网掩码
标志
255.255.255.0
U
255.255.0.0
U
0.0.0.0
UG
跃点
引用
2
0
1000
0
0
0
使用 接口
0 wlan0
0 wlan0
0 wlan0
Routing & Routing Table
 Windows
 route print
 netstat –r
 tracert
 start up:
IPv4 路由表
===========================================================================
活动路由:
网络目标
网络掩码
网关
接口
跃点数
0.0.0.0
0.0.0.0
162.105.238.1
162.105.238.14
25
127.0.0.0
255.0.0.0
在链路上
127.0.0.1
306
127.0.0.1 255.255.255.255
在链路上
127.0.0.1
306
127.255.255.255 255.255.255.255
在链路上
127.0.0.1
306
162.105.238.0
255.255.255.0
在链路上
162.105.238.14
281
162.105.238.14 255.255.255.255
在链路上
162.105.238.14
281
162.105.238.255 255.255.255.255
在链路上
162.105.238.14
281
224.0.0.0
240.0.0.0
在链路上
127.0.0.1
306
224.0.0.0
240.0.0.0
在链路上
162.105.238.14
281
255.255.255.255 255.255.255.255
在链路上
127.0.0.1
306
255.255.255.255 255.255.255.255
在链路上
162.105.238.14
281
===========================================================================
VPN
 Virtual private network
 (Wikipedia) A virtual private network (VPN) is a
secure way of connecting to a private Local Area
Network at a remote location, using the Internet or any
insecure public network to transport the network data
packets privately, using encryption.
Quotations
 “我的家用电脑上有6个VPN,用以访问某些被
屏蔽的网站。”
 “GFW和VPN之间的战争是场永久战。”
 “只用来检测哪个更厉害,我对那些像反政府
的众多言论不感兴趣。”
 “到目前为止,GFW处于劣势,仍需要进一步
的提升。”
——
powerful tool
OpenVPN
 http://openvpn.net/
OpenVPN
 is a free and open source software application
 implements virtual private network (VPN)




techniques
creates secure point-to-point or site-to-site
connections in routed or bridged configurations
and remote access facilities
uses SSL/TLS security for encryption
capable of traversing network address translators
(NATs) and firewalls
written by James Yonan and is published under
the GNU General Public License (GPL).
Installation
 apt-get
 sudo apt-get install openvpn
 Compile, +ipv6 patch
 Dependencies
 Openssl
 openssl-devel
 ubuntu apt-get: libssl-dev
 lzo
 liblzo2-dev
./configure
make
sudo make install
Installation
 Compile, +ipv6 patch
 gzip -d openvpn-2.1.1-ipv6-0.4.11.patch.gz
 mv openvpn-2.1.1-ipv6-0.4.11.patch openvpn-
2.1.1
 cd openvpn-2.1.1
 patch -p1 < openvpn-2.1.1-ipv6-0.4.11.patch
./configure
make
sudo make install
Configuration
 We use client – server mode
 only since 2.0
 “allowing multiple clients to connect to a single
OpenVPN server process over a single TCP or UDP
port.”
 Others
 client – client mode
 site – site mode
Configuration
 use easy-rsa tool
 $openvpn/easy-rsa/2.0
 if apt-get, /usr/share/doc/openvpn/example
 if compile, your source path





Modify vars
source vars
./clean-all
# Clean keys
./build-ca
# Build a root certificate
./build-key-server # Make a certificate/private
key pair using a locally generated root
certificate.
 ./build-key
# ditto
 ./build-dh
# Build Diffie-Hellman
parameters for the server side of an SSL/TLS
connection.
Configuration - Server
 use template
 $openvpn/sample-config-files/server.conf
 Detail..
 proto upd
 proto udp6 to use ipv6
 uncomment push "dhcp-option DNS a.b.c.d",
modify
 uncomment push "redirect-gateway def1
bypass-dhcp"
 uncomment push "route 192.168.10.0
255.255.255.0", add other routes
 ca ca.crt
# root certificate
cert server.crt # certificate
key server.key
# private key
key dh1024.pem
# Diffie-Hellman parameters
Configuration - Client
 use template
 $openvpn/sample-config-files/client.conf
 Detail..
 proto upd
 proto udp6 to use ipv6
 remote a.b.c.d 9999, server address & port
 ca ca.crt
cert client.crt
key client.key
 generated by build-ca, build-key
Other platforms
 OpenVPN GUI for Windows
 .ovpn ≈ .conf
 GUI
 OpenVPN Mac
Launch!
 Server
 Launch openvpn
 sudo openvpn --config server.conf
 Set routing rules
 sudo iptables -A POSTROUTING -t nat -o eth0 -s
10.8.0.1/24 -d 0/0 -j MASQUERADE
 Client
 Launch openvpn
 sudo openvpn --config client.conf
 Windows GUI: click
 Routing rule set if "push"ed in server.conf
Under the hood
 Client side route - Windows
 before:
IPv4 路由表
===========================================================================
活动路由:
网络目标
网络掩码
网关
接口
跃点数
0.0.0.0
0.0.0.0
162.105.238.1
162.105.238.14
25
127.0.0.0
255.0.0.0
在链路上
127.0.0.1
306
127.0.0.1 255.255.255.255
在链路上
127.0.0.1
306
127.255.255.255 255.255.255.255
在链路上
127.0.0.1
306
162.105.238.0
255.255.255.0
在链路上
162.105.238.14
281
162.105.238.14 255.255.255.255
在链路上
162.105.238.14
281
162.105.238.255 255.255.255.255
在链路上
162.105.238.14
281
224.0.0.0
240.0.0.0
在链路上
127.0.0.1
306
224.0.0.0
240.0.0.0
在链路上
162.105.238.14
281
255.255.255.255 255.255.255.255
在链路上
127.0.0.1
306
255.255.255.255 255.255.255.255
在链路上
162.105.238.14
281
===========================================================================
Under the hood
IPv4 路由表
===========================================================================
活动路由:
网络目标
网络掩码
网关
接口
跃点数
0.0.0.0
0.0.0.0
162.105.238.1
162.105.238.14
25
0.0.0.0
128.0.0.0
10.8.0.5
10.8.0.6
30
10.8.0.1 255.255.255.255
10.8.0.5
10.8.0.6
30
10.8.0.4 255.255.255.252
在链路上
10.8.0.6
286
10.8.0.6 255.255.255.255
在链路上
10.8.0.6
286
10.8.0.7 255.255.255.255
在链路上
10.8.0.6
286
127.0.0.0
255.0.0.0
在链路上
127.0.0.1
306
127.0.0.1 255.255.255.255
在链路上
127.0.0.1
306
127.255.255.255 255.255.255.255
在链路上
127.0.0.1
306
128.0.0.0
128.0.0.0
10.8.0.5
10.8.0.6
30
162.105.238.0
255.255.255.0
在链路上
162.105.238.14
281
162.105.238.14 255.255.255.255
在链路上
162.105.238.14
281
162.105.238.255 255.255.255.255
在链路上
162.105.238.14
281
224.0.0.0
240.0.0.0
在链路上
127.0.0.1
306
224.0.0.0
240.0.0.0
在链路上
10.8.0.6
286
224.0.0.0
240.0.0.0
在链路上
162.105.238.14
281
255.255.255.255 255.255.255.255
在链路上
127.0.0.1
306
255.255.255.255 255.255.255.255
在链路上
10.8.0.6
286
255.255.255.255 255.255.255.255
在链路上
162.105.238.14
281
===========================================================================
Under the hood
 Client side route - Linux
 before:
内核 IP 路由表
目标
162.105.238.0
169.254.0.0
0.0.0.0
网关
0.0.0.0
0.0.0.0
162.105.238.1
子网掩码
标志
255.255.255.0
U
255.255.0.0
U
0.0.0.0
UG
跃点
引用
2
0
1000
0
0
0
使用 接口
0 wlan0
0 wlan0
0 wlan0
子网掩码
标志 跃点
引用
255.255.255.255 UGH
0
0
255.255.255.255 UH
0
0
255.255.255.0
U
2
0
255.255.0.0
U
1000
0
128.0.0.0
UG
0
0
128.0.0.0
UG
0
0
0.0.0.0
UG
0
0
使用 接口
0 tun0
0 tun0
0 wlan0
0 wlan0
0 tun0
0 tun0
0 wlan0
 after:
内核 IP 路由表
目标
10.8.0.1
10.8.0.9
162.105.238.0
169.254.0.0
0.0.0.0
128.0.0.0
0.0.0.0
网关
10.8.0.9
0.0.0.0
0.0.0.0
0.0.0.0
10.8.0.9
10.8.0.9
162.105.238.1
the easy way
PPTP
PPTP
 Point-to-Point Tunneling Protocol
 is a method for implementing virtual private
networks(VPN)
 uses a control channel over TCP and a GRE
tunnel operating to encapsulate PPP packets.
 Specification: RFC 2637
Implementations
 MS Windows support since 95, WM since 2003
 Server: Routing And Remote Access Service
 Linux: “lacked full PPTP support”
 packet: pptp-linux, pptpd
 SuSE Linux 10 was the first Linux distribution to
provide a complete working PPTP client
 Mac OS X & iOS have PPTP client
 Palm PDA has PPTP client
 Android has PPTP client, since 1.6
Installation & Configuration
 sudo apt-get install pptpd
 modify /etc/pptpd.conf
 localip 10.100.0.1
 remoteip 10.100.0.2-10
 modify /etc/ppp/pptpd-options
 uncomment require-mppe-128
 ms-dns 162.105.129.27
 modify /etc/ppp/chap-secrets
 user
pptpd
password
*
 sudo /etc/init.d/pptpd restart
Installation & Configuration
 Routing rule
 sudo iptables -t nat -A POSTROUTING -s
10.100.0.0/24 -o eth0 -j MASQUERADE
 Turn on ipv4 forward
 modify /etc/sysctl.conf
 net.ipv4.ip_forward=1
 sudo sysctl -p
Client
 Windows





create new VPN
choose PPTP
input user, password
save
connect
 Mac OS X: same
 Android: same
 Linux:
 apt-get install pptp-linux
 pptpsetup --create xx --server x.x.x.x --username
user --password password –start
 sudo route add default dev ppp0
Save routing rule
 So don’t need to do it on each reboot
 sudo iptables-save > /etc/iptables-rules
 modify /etc/network/interfaces
 find eth0 (or wlan0)
 pre-up iptables-restore < /etc/iptables-rules
Compare
 ...
 ...
 ...
 In a nutshell:
 OpenVPN is much safer, sometimes the only choice
 PPTP is easy to configure, widely supported
Other choices
 L2TP
 IPSec
Thanks!
Download