Own Networking Freeway OpenVPN vs PPTP Zhu Guoliang tedzhu@163.com What can they do? to start with Basics Routing & Routing Table Concept – 计算机网络概论 Tools linux route -n: show numerical addresses instead of trying to determine symbolic host names. traceroute start up: 内核 IP 路由表 目标 162.105.238.0 169.254.0.0 0.0.0.0 网关 0.0.0.0 0.0.0.0 162.105.238.1 子网掩码 标志 255.255.255.0 U 255.255.0.0 U 0.0.0.0 UG 跃点 引用 2 0 1000 0 0 0 使用 接口 0 wlan0 0 wlan0 0 wlan0 Routing & Routing Table Windows route print netstat –r tracert start up: IPv4 路由表 =========================================================================== 活动路由: 网络目标 网络掩码 网关 接口 跃点数 0.0.0.0 0.0.0.0 162.105.238.1 162.105.238.14 25 127.0.0.0 255.0.0.0 在链路上 127.0.0.1 306 127.0.0.1 255.255.255.255 在链路上 127.0.0.1 306 127.255.255.255 255.255.255.255 在链路上 127.0.0.1 306 162.105.238.0 255.255.255.0 在链路上 162.105.238.14 281 162.105.238.14 255.255.255.255 在链路上 162.105.238.14 281 162.105.238.255 255.255.255.255 在链路上 162.105.238.14 281 224.0.0.0 240.0.0.0 在链路上 127.0.0.1 306 224.0.0.0 240.0.0.0 在链路上 162.105.238.14 281 255.255.255.255 255.255.255.255 在链路上 127.0.0.1 306 255.255.255.255 255.255.255.255 在链路上 162.105.238.14 281 =========================================================================== VPN Virtual private network (Wikipedia) A virtual private network (VPN) is a secure way of connecting to a private Local Area Network at a remote location, using the Internet or any insecure public network to transport the network data packets privately, using encryption. Quotations “我的家用电脑上有6个VPN,用以访问某些被 屏蔽的网站。” “GFW和VPN之间的战争是场永久战。” “只用来检测哪个更厉害,我对那些像反政府 的众多言论不感兴趣。” “到目前为止,GFW处于劣势,仍需要进一步 的提升。” —— powerful tool OpenVPN http://openvpn.net/ OpenVPN is a free and open source software application implements virtual private network (VPN) techniques creates secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities uses SSL/TLS security for encryption capable of traversing network address translators (NATs) and firewalls written by James Yonan and is published under the GNU General Public License (GPL). Installation apt-get sudo apt-get install openvpn Compile, +ipv6 patch Dependencies Openssl openssl-devel ubuntu apt-get: libssl-dev lzo liblzo2-dev ./configure make sudo make install Installation Compile, +ipv6 patch gzip -d openvpn-2.1.1-ipv6-0.4.11.patch.gz mv openvpn-2.1.1-ipv6-0.4.11.patch openvpn- 2.1.1 cd openvpn-2.1.1 patch -p1 < openvpn-2.1.1-ipv6-0.4.11.patch ./configure make sudo make install Configuration We use client – server mode only since 2.0 “allowing multiple clients to connect to a single OpenVPN server process over a single TCP or UDP port.” Others client – client mode site – site mode Configuration use easy-rsa tool $openvpn/easy-rsa/2.0 if apt-get, /usr/share/doc/openvpn/example if compile, your source path Modify vars source vars ./clean-all # Clean keys ./build-ca # Build a root certificate ./build-key-server # Make a certificate/private key pair using a locally generated root certificate. ./build-key # ditto ./build-dh # Build Diffie-Hellman parameters for the server side of an SSL/TLS connection. Configuration - Server use template $openvpn/sample-config-files/server.conf Detail.. proto upd proto udp6 to use ipv6 uncomment push "dhcp-option DNS a.b.c.d", modify uncomment push "redirect-gateway def1 bypass-dhcp" uncomment push "route 192.168.10.0 255.255.255.0", add other routes ca ca.crt # root certificate cert server.crt # certificate key server.key # private key key dh1024.pem # Diffie-Hellman parameters Configuration - Client use template $openvpn/sample-config-files/client.conf Detail.. proto upd proto udp6 to use ipv6 remote a.b.c.d 9999, server address & port ca ca.crt cert client.crt key client.key generated by build-ca, build-key Other platforms OpenVPN GUI for Windows .ovpn ≈ .conf GUI OpenVPN Mac Launch! Server Launch openvpn sudo openvpn --config server.conf Set routing rules sudo iptables -A POSTROUTING -t nat -o eth0 -s 10.8.0.1/24 -d 0/0 -j MASQUERADE Client Launch openvpn sudo openvpn --config client.conf Windows GUI: click Routing rule set if "push"ed in server.conf Under the hood Client side route - Windows before: IPv4 路由表 =========================================================================== 活动路由: 网络目标 网络掩码 网关 接口 跃点数 0.0.0.0 0.0.0.0 162.105.238.1 162.105.238.14 25 127.0.0.0 255.0.0.0 在链路上 127.0.0.1 306 127.0.0.1 255.255.255.255 在链路上 127.0.0.1 306 127.255.255.255 255.255.255.255 在链路上 127.0.0.1 306 162.105.238.0 255.255.255.0 在链路上 162.105.238.14 281 162.105.238.14 255.255.255.255 在链路上 162.105.238.14 281 162.105.238.255 255.255.255.255 在链路上 162.105.238.14 281 224.0.0.0 240.0.0.0 在链路上 127.0.0.1 306 224.0.0.0 240.0.0.0 在链路上 162.105.238.14 281 255.255.255.255 255.255.255.255 在链路上 127.0.0.1 306 255.255.255.255 255.255.255.255 在链路上 162.105.238.14 281 =========================================================================== Under the hood IPv4 路由表 =========================================================================== 活动路由: 网络目标 网络掩码 网关 接口 跃点数 0.0.0.0 0.0.0.0 162.105.238.1 162.105.238.14 25 0.0.0.0 128.0.0.0 10.8.0.5 10.8.0.6 30 10.8.0.1 255.255.255.255 10.8.0.5 10.8.0.6 30 10.8.0.4 255.255.255.252 在链路上 10.8.0.6 286 10.8.0.6 255.255.255.255 在链路上 10.8.0.6 286 10.8.0.7 255.255.255.255 在链路上 10.8.0.6 286 127.0.0.0 255.0.0.0 在链路上 127.0.0.1 306 127.0.0.1 255.255.255.255 在链路上 127.0.0.1 306 127.255.255.255 255.255.255.255 在链路上 127.0.0.1 306 128.0.0.0 128.0.0.0 10.8.0.5 10.8.0.6 30 162.105.238.0 255.255.255.0 在链路上 162.105.238.14 281 162.105.238.14 255.255.255.255 在链路上 162.105.238.14 281 162.105.238.255 255.255.255.255 在链路上 162.105.238.14 281 224.0.0.0 240.0.0.0 在链路上 127.0.0.1 306 224.0.0.0 240.0.0.0 在链路上 10.8.0.6 286 224.0.0.0 240.0.0.0 在链路上 162.105.238.14 281 255.255.255.255 255.255.255.255 在链路上 127.0.0.1 306 255.255.255.255 255.255.255.255 在链路上 10.8.0.6 286 255.255.255.255 255.255.255.255 在链路上 162.105.238.14 281 =========================================================================== Under the hood Client side route - Linux before: 内核 IP 路由表 目标 162.105.238.0 169.254.0.0 0.0.0.0 网关 0.0.0.0 0.0.0.0 162.105.238.1 子网掩码 标志 255.255.255.0 U 255.255.0.0 U 0.0.0.0 UG 跃点 引用 2 0 1000 0 0 0 使用 接口 0 wlan0 0 wlan0 0 wlan0 子网掩码 标志 跃点 引用 255.255.255.255 UGH 0 0 255.255.255.255 UH 0 0 255.255.255.0 U 2 0 255.255.0.0 U 1000 0 128.0.0.0 UG 0 0 128.0.0.0 UG 0 0 0.0.0.0 UG 0 0 使用 接口 0 tun0 0 tun0 0 wlan0 0 wlan0 0 tun0 0 tun0 0 wlan0 after: 内核 IP 路由表 目标 10.8.0.1 10.8.0.9 162.105.238.0 169.254.0.0 0.0.0.0 128.0.0.0 0.0.0.0 网关 10.8.0.9 0.0.0.0 0.0.0.0 0.0.0.0 10.8.0.9 10.8.0.9 162.105.238.1 the easy way PPTP PPTP Point-to-Point Tunneling Protocol is a method for implementing virtual private networks(VPN) uses a control channel over TCP and a GRE tunnel operating to encapsulate PPP packets. Specification: RFC 2637 Implementations MS Windows support since 95, WM since 2003 Server: Routing And Remote Access Service Linux: “lacked full PPTP support” packet: pptp-linux, pptpd SuSE Linux 10 was the first Linux distribution to provide a complete working PPTP client Mac OS X & iOS have PPTP client Palm PDA has PPTP client Android has PPTP client, since 1.6 Installation & Configuration sudo apt-get install pptpd modify /etc/pptpd.conf localip 10.100.0.1 remoteip 10.100.0.2-10 modify /etc/ppp/pptpd-options uncomment require-mppe-128 ms-dns 162.105.129.27 modify /etc/ppp/chap-secrets user pptpd password * sudo /etc/init.d/pptpd restart Installation & Configuration Routing rule sudo iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE Turn on ipv4 forward modify /etc/sysctl.conf net.ipv4.ip_forward=1 sudo sysctl -p Client Windows create new VPN choose PPTP input user, password save connect Mac OS X: same Android: same Linux: apt-get install pptp-linux pptpsetup --create xx --server x.x.x.x --username user --password password –start sudo route add default dev ppp0 Save routing rule So don’t need to do it on each reboot sudo iptables-save > /etc/iptables-rules modify /etc/network/interfaces find eth0 (or wlan0) pre-up iptables-restore < /etc/iptables-rules Compare ... ... ... In a nutshell: OpenVPN is much safer, sometimes the only choice PPTP is easy to configure, widely supported Other choices L2TP IPSec Thanks!