无法访问Github,该如何更新OpenStack代码? ( by quqi99 )
来源:互联网 发布:多线程ping java 编辑:程序博客网 时间:2024/06/07 08:55
无法访问Github,该如何更新OpenStack代码? ( by quqi99 )
作者:张华 发表于:2013-08-26
版权声明:可以任意转载,转载时请务必以超链接形式标明文章原始出处和作者信息及本版权声明
( http://blog.csdn.net/quqi99)
最近一段时间通过git pull命令更新openstack代码,或者使用git review命令提交代码时总是超时,失败。只能尝试使用goagent这种免费的http代理来穿透长城防火墙实现代码的顺利下载。
1, 安装配置goagent代理,goagent是一个运行在google云(一台国外虚机)上的一个python写的https代理程序,所以需要你在google云上注册一个帐户并将goagent这个代理程序的服务端上传到云上,另外在你的机器上运行goagent客户端(sudo python /bak/java/goagent-goagent/local/proxy.py),具体方法请google之,如:http://www.wheattime.com/over-the-wall-of-the-gae-goolge-app-engine-goagent-switchysharp.html,略。(git clone https://github.com/goagent/goagent.git)
2, 设置http及https代理,这要求将git url改为"git clone http://**"或者"git clone https://**", 如果是"git://**"打头,需配置tscoks代理来实现。
export https_proxy="https://127.0.0.1:8087"
export http_proxy="http://127.0.0.1:8087"
3, 安装证书,下列命令会将github的证书“/bak/java/goagent-goagent/local/certs/github.com.crt”安装。
sudo yum install nss-tools
浏览所有证书: sudo certutil -d sql:/home/hua/.pki/nssdb -L
查看证书详情: sudo certutil -d sql:/home/hua/.pki/nssdb -L -n github
导入证书:sudo certutil -d sql:/home/hua/.pki/nssdb -A -t TC -n "github" -i /bak/java/goagent/local/CA.crt
删除证书:sudo certutil -d sql:/home/hua/.pki/nssdb -n "github" -D /bak/java/goagent/local/CA.crt
4, 这时候可成功通过"git pull"来更新openstack的代码时,日志如下:
INFO - [Aug 26 13:47:03] 127.0.0.1:50390 "GAE CONNECT github.com:443 HTTP/1.1" - -
INFO - [Aug 26 13:47:10] 127.0.0.1:50390 "GAE GET https://github.com/openstack/neutron.git/info/refs?service=git-upload-pack HTTP/1.1" 200 562208
INFO - [Aug 26 13:49:33] 127.0.0.1:50504 "GAE CONNECT github.com:443 HTTP/1.1" - -
INFO - [Aug 26 13:49:37] 127.0.0.1:50504 "GAE POST https://github.com/openstack/neutron.git/git-upload-pack HTTP/1.1" 200 89357
其它:
1, 浏览器想使用上述http代理的话,可以在Internet选择中设置Network proxy的Method为"Automatic", URI设置为”http://127.0.0.1:8086/proxy.pac“
如果想要浏览https的网站,同样需要在浏览器中导入证书, 打开FireFox->选项->高级->加密->查看证书->导入证书, 选择/bak/java/goagent-goagent/local/CA.crt, 勾选所有项,导入。
Chrome可安装SwitchySharp (https://code.google.com/p/wwqgtxx-goagent/downloads/detail?name=SwitchyOptions.bak&can=2&q=),它设置为”自动切换模式”,这样“墙外”“墙内”就可以自动切换了。
Firefox可安装FoxyProxy (https://addons.mozilla.org/zh-cn/firefox/addon/foxyproxy-standard/)
2, 如果goagent出问题的话,一是保证程序最新,二是可以试着修改goagent-goagent/local/proxy.ini文件中的profile = google_cn参数。
3, 有一个叫qrouter的代理项目,可以叠加多个代理的带宽,是不同的tcp连接走不通的线路,达到同时使用多个线路的效果。
2013.9.9添加:
1, 使用squid建立http代理的方法:
a. Install squid in the computer, config it to use 21 port and start it.
sudo vim /etc/squid/squid.conf
##################################
http_access allow localnet
http_access allow all
# And finally deny all other access to this proxy
#http_access deny all
# Squid normally listens to port 3128
http_port 21
##################################
sudo service squid start
b. In the server, you need export http_proxy=http://<the computer IP>:21 in shell.
c. Now you can use any program which use http_proxy.
for example: wget www.google.com
2, 使用tsock建立socket代理的方法:
a. Set socks proxy in the server using ssh command
ssh -D 8008 -l<your username> -o serveraliveinterval=60 <your IP> -fN (serveraliveinterval让server给client发心跳让ssh保持在线,-f指后台运行,-N指不开终端)
this command will specifies a local “dynamic” application-level port forwarding using 8008.
b. Using tsocks command to access Internet through the port 8008.
You need install tsocks first.
sudo yum install tsocks
Conifg it to use 8008.
sudo vim /etc/tsocks.conf
##################################
local = 192.168.1.0/255.255.255.0
local = 127.0.0.0/255.0.0.0
server = 127.0.0.1
server_type = 4
server_port = 8008
##################################
Then you can using the socks proxy like:
sudo tsocks wget www.google.com
2013.11.22日更新:
http://www.freecanadavpn.com/
今天goagent用不了了,无法从github更新代码,都干不了活了,群上的一个好心人给我一个vpn帐号,继续翻墙成功更新openstack代码:
1, PPTP客户端
经测试在fedora 17上不好使,最后我用的是L2TP客户端。
在Fedora 19 NetworkManager自带的PPTP连接器是好使的,诀窍是身份验证勾选MSCHAP和MSCHAPv2,MPPE也要开启, 关掉PAP,否则伟大的长城防火墙会继续干扰明文PAP的PPTP报文。
在windows 8.1中,需要将vpn属性那块的数据加密选择“最大强度的加密”,”使用可扩展的身份验证协议(EAP)中“的"MS-CHAP v2"
1) 安装, sudo yum install pptp pptp-setup, http://sourceforge.net/projects/pptpclient/
2) sudo ln -s /usr/sbin/ip /bin/ip
3) 建立连接
sudo pptpsetup --create vpntunnel --server na.vpnip.net --username vpnip.net --password 2013 --encrypt --start
sudo pptpsetup --delete vpntunnel
4) 设置到github.com的路由 (在/etc/hosts里设置:192.30.252.131 github.com)
sudo route add -net 192.30.252.0 netmask 255.255.252.0 dev ppp0
5) 图形化GUI工具,http://code.google.com/p/vpnpptp/
2, L2TP客户端
1)sudo yum install xl2tpd
2)配置使用xl2ptd作为客户端(它也可以做服务端的,类似于strongwan)
$ cat /etc/xl2tpd/xl2tpd.conf
[lac quqi99]
name = myvpn
lns = <vpn-server-ip-address>
refuse chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/peers/options.l2tpd.client
ppp debug = yes
length bit =yes
$ cat /etc/ppp/peers/options.l2tpd.client
ipcp-accept-local
ipcp-accept-remote
refuse-pap
refuse-chap
refuse-eap
refuse-mschap
require-mschap-v2
require-mppe-128
noccp noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
lock
connect-delay 5000
name "<vpn-use-name>"
password "<vpn-password>"
注意: 下列不使用明文确保数据都加密的配置(启用MSCHAPv2和MPPE,关掉其他如chap, pap, chap)是避免GWF的干扰不总是断连接的关键.
/etc/xl2tpd/xl2tpd.conf
refuse chap = yes
refuse pap = yes
require authentication = yes
/etc/ppp/peers/options.l2tpd.client
refuse-pap
refuse-chap
refuse-eap
refuse-mschap
require-mschap-v2
require-mppe-128
且为防gfw断线还要在/etc/ppp/options.xl2tpd中添加下列配置吗?
refuse-pap
refuse-chap
refuse-eap
refuse-mschap
require-mschap-v2
require-mppe-128
3)启动服务,sudo service xl2tpd restart
4)切换到root服务开始拨号,成功之后会看到ppp0这个网卡,echo 'c quqi99' >/var/run/xl2tpd/l2tp-control
断开连接 echo 'd quqi99' >/var/run/xl2tpd/l2tp-control
5) 设置到github.com的路由 (在/etc/hosts里设置:192.30.252.131 github.com)
sudo route add -net 192.30.252.0 netmask 255.255.252.0 dev ppp0
当时成功过,但今天又报错:xl2tpd Maximum retries exceeded for tunnel
2013.12.11添加,
今天发现无法执行git review提交代码,一开始就怀疑又是长城防火墙导的鬼,gerrit使用的地址是ssh://<username>@review.openstack.org:29418/openstack/neutron.git,可见是ssh协议,平时使用的像goagent这样的https_proxy代理肯定是不好使的,实在没办法,只好花钱买了个vpn,按上述方法架好vpn,再添加到review.openstack.org的静态路由(sudo route add -host 198.101.231.251 dev ppp0),终于成功提交代码。
# traceroute review.openstack.orgtraceroute to review.openstack.org (198.101.231.251), 30 hops max, 60 byte packets
1 10.10.11.1 (10.10.11.1) 287.837 ms 287.814 ms 287.801 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 review.openstack.org (198.101.231.251) 307.272 ms !X 307.240 ms !X 307.231 ms !X
android手机设置vpn连接时,建立L2TP/IPSec VPN连接,其预共享密钥是:vpn.psk
3,SoftEther VPN
1)下载SoftEther VPN Client for Linux后执行执行make命令安装, http://www.softether.org/5-download
2) 运行vpn client
./vpnclient start
3) 配置vpn client, http://wan.pengganas.net/entry/packetix-net-vpn-installation-on-linux/
附录,windows上如何连接vpn
windows 8.1可以通过它自带的vpn客户端创建PPTP和L2TP的VPN,但我用了一下,连我购买的killwall的VPN失败,所以我将它换成IPSec的方式连接,使用叫Shrew Soft VPN的客户端工具,具体方法详见:https://vpnso.com/KB/read.php?ID=194。连完之后,我并不想所有网站都走vpn的路由,还是想保持原有的默认路由不变,想访问google的话就给添加google的路由走vpn,方法如下:
C:\Windows\System32>route -4 print |findstr "0.0.0.0"
网络目标 网络掩码 网关 接口 跃点数
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.104 125
0.0.0.0 0.0.0.0 在链路上 10.10.11.6 31
你可以在VPN拨号以后再手动修改路由,因为你通过VPN拨号只是想访问某些网段的IP(如google, 74.125.235.68),拨号成功后将这段IP的路由添加上,比如:
route delete 0.0.0.0 mask 0.0.0.0 IF 0xc005 (delete vpn gw)
route add 10.0.0.0 mask 255.0.0.0 10.10.1.1 IF 0xc0005 (vpn gw)
route add 74.125.235.68 mask 255.255.255.255 10.10.11.6 (google)tracert google.com
Windows路由命令语法:
ROUTE [-f] [-p] [command [destination] [MASK netmask] [gateway] [METRIC metric] [IF interface]
删除默认路由,route delete 0.0.0.0 mask 0.0.0.0
添加默认路由,route add 0.0.0.0 mask 0.0.0.0 192.168.1.1 IF 17 (其中索引接口IF可以通过route -4 print命令查看)
写一个脚本处理将国外的某些需要访问的ip加入到白名单设置走vpn的路由:
#!/bin/bash
# Setting route after the ppp0 has been created. by quqi99
74.125.235.68 # google.com
74.125.128.91 # google.com
76.74.254.123 # fanqianghou.com
192.30.252.129 # github.com
198.101.231.251 # review.openstack.org
199.59.150.39 # twitter.com
103.245.222.184 # pypi.python.org
185.31.17.185 # pypi.python.org
EOF
`
DEVICE=ppp0
PUBLIC_GW=$(ip -4 addr show |grep 'scope global' | awk {'print $2'} |head -1 |awk -F '.' {'print $1"."$2"."$3"."1'})
route add default gw $PUBLIC_GW
echo "$white_ip_list" | while read line; do
white_net=$(echo $line |awk {'print $1'} |awk -F '.' {'print $1"."$2"."$3"."0'} |uniq)
route add -net ${white_net}/24 dev $DEVICE
done
#route del -net 0.0.0.0 gw 0.0.0.0 dev $DEVICE
附录二:
pypi使用国内清华源加速安装:
$ cat ~/.pip/pip.conf
[global]
timeout = 6000
index-url = http://e.pypi.python.org/simple
[install]
use-mirrors = true
mirrors = http://e.pypi.python.org
$ cat ~/.pydistutils.cfg
[easy_install]
index_url = http://e.pypi.python.org/simple
附录三,使用国内源
sudo cp /etc/apt/sources.list /etc/apt/sources.list.bak
vim /etc/apt/sources.list
deb http://mirrors.sohu.com/ubuntu/ precise-updates main restricted
deb-src http://mirrors.sohu.com/ubuntu/ precise-updates main restricted
deb http://mirrors.sohu.com/ubuntu/ precise universe
deb-src http://mirrors.sohu.com/ubuntu/ precise universe
deb http://mirrors.sohu.com/ubuntu/ precise-updates universe
deb-src http://mirrors.sohu.com/ubuntu/ precise-updates universe
deb http://mirrors.sohu.com/ubuntu/ precise multiverse
deb-src http://mirrors.sohu.com/ubuntu/ precise multiverse
deb http://mirrors.sohu.com/ubuntu/ precise-updates multiverse
deb-src http://mirrors.sohu.com/ubuntu/ precise-updates multiverse
deb http://mirrors.sohu.com/ubuntu/ precise-backports main restricted universe multiverse
deb-src http://mirrors.sohu.com/ubuntu/ precise-backports main restricted universe multiverse
附录三, 白名单:
plus.google.com与docs.google.com, sudo route add -net 173.194.38.0/24 dev vpn0
2014-12-17
有时候通过sslspeady代理无法访问google hangout时,是需要清理cookies, 报的错为“this website has a redirect loop"
2014-12-31
vpn走3层路由或2层交换,所以用远程dns不那么方便,有时候使用ssh遂道直接用autoproxy使用远程dns更快捷更便宜。
1, create socket 5 proxy at port 7070 via ssh, then can use it via sshtunnel in android or autoproxy in firefox etc.
ssh -lquqissh -fN -o ServerAliveInterval=30 -o ServerAliveCountMax=1 -D 7070 <ssh-server>
2, create http/https proxy via ssh socket proxy
sudo apt-get install polipo
sudo polipo socksProxyType=socks5 socksParentProxy=127.0.0.1:7070
export https_proxy=http://127.0.0.1:8123
git pull # eg. for https protocal, like https://review.openstack.org/p/openstack-dev/devstack
2, use tsocks to forward all application-level flow to port 7070
sudo apt-get install tsocks
sudo sed -i -r "s/server = (.*?)/server = 127.0.0.1/g" /etc/tsocks.conf
sudo sed -i -r "s/server_port = (.*?)/server_port = 7070/g" /etc/tsocks.conf
sudo tsocks git pull # eg. for git protocal, git://git.openstack.org/openstack/keystone.git
上面建立ssh遂道时已经通过-o ServerAliveInterval=30 -o ServerAliveCountMax=1作心跳检查保证ssh连接不断,但仍然有断的时候,那就采用autossh来进一步保证。
sudo apt-get install autossh expect
cat /bak/bin/autossh.sh
#!/bin/bash
#ssh -lquqissh -fN -o ServerAliveInterval=30 -o ServerAliveCountMax=1 -D 7070 s20.flyssh.net
HOST="<ssh-server>"
USER="quqissh"
PASS="<password>"
CMD=$@
VAR=$(expect -c "
spawn /usr/bin/autossh -M 2000 -N -v -D 127.0.0.1:7070 $USER@$HOST $CMD
match_max 100000
expect \"*?assword:*\"
send -- \"$PASS\r\"
send -- \"\r\"
expect eof
")
echo "==============="
echo "$VAR"
相当于仍然在本机127.0.0.1上找了一个监听端口2000, 127.0.0.1:2000收到请求数据后转给远程的2000端口(在这里仍然是本机)处理,远端的2000端口(仍然是本机)收到响应数据后转给本机的127.0.0.1:2001处理。
/usr/lib/autossh/autossh -M 2000 -N -v -D 127.0.0.1:7070 quqissh@s20.flyssh.net
/usr/bin/ssh -L 2000:127.0.0.1:2000 -R 2000:127.0.0.1:2001 -N -v -D 127.0.0.1:7070 quqissh@s20.flyssh.net
2015-03-19, 使用sshuttle
1, 添加帐户
sudo useradd -m -s /bin/bash -g root quqi99 # sudo userdel -r -f quqi99
sudo passwd quqi99
2, 打开ssh的密码登录 , 在/etc/ssh/sshd_config里: PasswordAuthentication yes
3, 安装配置sshuttle, sshuttle比sshd -D快一点,因为It’s just data-over-TCP,而不是 TCP-over-TCP。因为它是:
iptables -t nat -N sshuttle-12300
iptables -t nat -F sshuttle-12300
iptables -t nat -I OUTPUT 1 -j sshuttle-12300
iptables -t nat -I PREROUTING 1 -j sshuttle-12300
iptables -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.0/8 -p tcp
iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 0.0.0.0/0 -p tcp --to-ports 12300 -m ttl ! --ttl 42
iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 127.0.1.1/32 -p udp --dport 53 --to-ports 12300 -m ttl ! --ttl 42
显然它设置一个客户端所有的流量包括国内都走遂道,这样性能不会太好。
sshuttle 的用法很简单,在客户端下载和运行就可以了(需要有Python 的支持),无需在服务器端做任何配置。
sudo apt-get install sshuttle
sshuttle --dns -r quqi99@162.213.** 0.0.0.0/0
sshuttle -r quqi99@162.213.34.205 192.168.0.0/16 -vv #但它是用于连接远程端的192.168.0.0/16子网
sshuttle --dns -r quqi99@162.213.** 0.0.0.0/0 -vv #访问远程的0.0.0.0/0正是我们所要的
用远程dns会很慢,还是在自己路由器上搭建使用tcp查询的dns服务器再结合ipset只转发国外被墙的流量要好点吧,所以还是用ssh比较靠谱。
2015-03-16更新,如何使用wndr4300科学上网及防DNS污染
修改DNS只能解决DNS污染的问题,对于IP封锁或者关键字封锁也是没有任何办法的。
当你请求一个敏感域名的dns记录时,由于dns请求是udp包很容易被伪造,这样伪造的响应会先于正确的响应到达你的机器(因为国内发污染数据怎么都比国外要快),从而你的机器就被DNS劫持了。所以处理DNS污染其本质是要收到正确的响应包,目前常用的方法有, 第2种看起来最不错。
1, 使用非53端口的DNS服务器,使用方便,但是支持非53端口的DNS不多。 如opendns的208.67.222.222#5353或208.67.222.222#443
2, 使用tcp协议查询。 如pdnsd
3, 使用隧道(如vpn,如ss-tunnel)把本地53端口的UDP请求转发到远程去解析。(ss-tunnel -c /etc/shadowsocks.json -b 0.0.0.0 -l 1053 -L 8.8.8.8:53 -u)
4, 设置两个DNS,一个在国内,一个在国外,维护一个国内ip列表,当发现是国外ip时比较两个结果,不同时采用后到的响应。如:chinadns
5, DNSSEC是DNS服务器和客户端之间的一个增强协议,这个协议可以让客户端检查返回的DNS查询结果数据是否完整,如果数据被修改或者破坏,客户端可以丢弃这个结果.这样就保证了DNS查询的绝对正确。但目前支持DNSSEC密钥加密的域名不多。
dnssec
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
dnssec-check-unsigned
dnssec-no-timecheck
6, 采用iptables DROP掉枚举的污染ip列表,但这也有一个问题,如果采用随机ip来污染的话,这个iptables列表很难维护。
dnsmasq可以用来做dhcp时缓冲记录,也可以做dhcp服务器。先看dnsmasq对dns支持的一些主要配置:
1, no-resolv参数(在openwrt系统中,它可由/etc/config/dhcp中的(option resolvfile '/tmp/resolv.conf.auto')指定, 当一个网络接口启用后,如果被配置了DNS或者被配置了使用通告DNS(上级网络dhcp通告给下级设备的DNS),就会把这个DNS写入/tmp/resolv.conf.auto文件中, 所以如果你同时在WAN和VPN都设置了DNS,那么这两个接口的DNS都会在接口连接上之后被写入/tmp/resolv.conf.auto中, 然后Dnsmasq会把这些DNS都抓过来作为默认的DNS, 即使两个接口的DNS是一样的. 也就是说WAN和VPN接口都会向/tmp/resolv.conf.auto自动传入DNS设置.这个特性可以通过no-resolv参数禁用。
2, 如果没有配置resolv,可以参过server参数指定哪些域名走哪个特定的dns服务器,如server=/githubusercontent.com/8.8.8.8
3, all-servers参数,dnsmasq支持同时指定多个上游dns服务器(server=8.8.8.8),然后同时发请求,哪个快用哪个的响应结果。chinadns就是通过这个特性去同时向国内和国外的dns服务器发起请求的。但使用这个特性也容易带来问题,因为伪造的dns响应包也容易来得快。
4, conf-dir=/etc/dnsmasq.d/, 可以通过这个配置将dns的配置写到/etc/dnsmasq.d目录,这样看起来更干净。
5, 对ipset的支持,例如可对每一个域名添加:ipset=/.mail.google.com/fuckgfw , fuckgfw为ipset名(ipset -N fuckgfw iphash).
6, 所以可以手工为每一个要访问的域名添加为如下格式白名单,当然,也可以结构gfw的列表来自动生成, 见附件一。
server=/facebook.com/127.0.0.1:1053
ipset=/facebook.com/fuckgfw
注意:
这种配置只有要访问它的时候dnsmasq解析到它的dns之后才加到ipset之中,
查看ipset, ipset list fuckgfw
清空ipset, ipset flush fuckgfw
重启dnsmasq:/etc/init.d/dnsmasq restart
举个例子,纯google服务:
cat /etc/dnsmasq.d/google.conf
# OpenDNS, 208.67.220.220#443
ipset=/.google.com/fuckgfw
server=/.google.com/127.0.0.1#1053
ipset=/.google.com.hk/fuckgfw
server=/.google.com.hk/127.0.0.1#1053
ipset=/.google.com.tw/fuckgfw
server=/.google.com.tw/127.0.0.1#1053
ipset=/.google.com.jp/fuckgfw
server=/.google.com.jp/127.0.0.1#1053
ipset=/.gstatic.com/fuckgfw
server=/.gstatic.com/127.0.0.1#1053
ipset=/.googleusercontent.com/fuckgfw
server=/.googleusercontent.com/127.0.0.1#1053
ipset=/.appspot.com/fuckgfw
server=/.appspot.com/127.0.0.1#1053
ipset=/.googlecode.com/fuckgfw
server=/.googlecode.com/127.0.0.1#1053
ipset=/.googleapis.com/fuckgfw
server=/.googleapis.com/127.0.0.1#1053
ipset=/.gmail.com/fuckgfw
server=/.gmail.com/127.0.0.1#1053
ipset=/.google-analytics.com/fuckgfw
server=/.google-analytics.com/127.0.0.1#1053
ipset=/.youtube.com/fuckgfw
server=/.youtube.com/127.0.0.1#1053
ipset=/.blogspot.com/fuckgfw
server=/.blogspot.com/127.0.0.1#1053
ipset=/.blogger.com/fuckgfw
server=/.blogger.com/127.0.0.1#1053
ipset=/.ggpht.com/fuckgfw
server=/.ggpht.com/127.0.0.1#1053
ipset=/.useso.com/fuckgfw
server=/.useso.com/127.0.0.1#1053
ipset=/.googlevideo.com/fuckgfw
server=/.googlevideo.com/127.0.0.1#1053
ipset=/.youtube-nocookie.com/fuckgfw
server=/.youtube-nocookie.com/127.0.0.1#1053
ipset=/.ytimg.com/fuckgfw
server=/.ytimg.com/127.0.0.1#1053
7, pdnsd的配置文件(pdnsd.conf)要确保使用tcp查询(query_method=tcp_only)以及设置端口为1053, 使用“pdnsd --debug”或“/etc/init.d/pdnsd restart"启动pdnsd进程。
cat /etc/pdnsd.conf
global {
#debug=on; # debug mode, log will be writed in /var/pdnsd/pdnsd.debug
perm_cache=8192; # increase or decrease the perm_cache, change min_ttl & max_ttl
cache_dir="/var/pdnsd";
run_as="nobody";
server_port=1053;
server_ip=0.0.0.0;
status_ctl=on;
query_method=tcp_only;
min_ttl=1d;
max_ttl=1w;
timeout=10;
}
# Add the upstream dns servers, the servers are queried in the order of their appearance
# (or parallel to a limited extend). If one fails, the next one is taken and so on.
server {
label="Google Public Dns";
ip=208.67.222.222,208.67.222.123,8.8.4.4; #有时候8.8.4.4不work, 可用nslookup -port=1053 xx.com 192.168.99.1命令测试
#root_server = on;
uptest=none;
#purge_cache=off;
exclude=".cn",".baidu.com",".qq.com",".csdn.net",".163.com";
}
#server {
# label="114 DNS";
# ip=114.114.114.114,119.29.29.29,223.5.5.5;
# exclude=".google.com",".jp";
#}
测试:
nslookup twitter.com #如使用nslookup命令查询到的twitter.com的ip为154.35.164.8
whois 154.35.164.8 #可用whois命令检查到这个ip不可能是twitter的
nslookup twitter.com 8.8.8.8 #采用udp模式查询国外的域名服务器也会被dns域名劫持
nslookup -vc twitter.com 8.8.8.8 #通过tcp查询,能查询到正确的IP
nslookup -port=5353 twitter.com 192.168.1.1 #测试上面配置的pdnsd是否工作正常。
这时候,如果使用路由器作为DNS服务器,就可以避免被DNS污染了;但是如果局域网内的主机手动设置了DNS服务器,还是难免遭到DNS污染。
为了避免这个问题,我们可以强制局域网内的主机都使用路由器的DNS,通过设置防火墙规则,将所有DNS解析的请求"劫持"到路由器上,从未避免局域网内的主机使用自定义DNS时被污染,在/etc/firewall.user上增加两条规则即可:
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p udp --dport 53 -j DNAT --to 127.0.0.1:1053
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 53 -j DNAT --to 127.0.0.1:1053
[可选] 或者不设置上面的iptables规则(上面这种配置就可以不用配dnsmasq的dns都行),由路由器上的dnsmasq的53端口来转发到1053也行, /etc/config/dhcp应该配置为:
#all-servers
server=223.5.5.5 #223.5.5.5为淘宝的dns服务器,推荐用于国内域名的解析
server=127.0.0.1#1053
log-queries
no-resolv
conf-dir=/etc/dnsmasq.d/
server=/facebook.com/127.0.0.1:1053 #对于特定的如facebook.com的域名由1053端口的pdnsd进程解析
ipset=/facebook.com/fuckgfw
[可选] 这样,在路由器上配置pdnsd与dnsmasq集成的dns集成之后,如果局域网内的其他机器是从路由器通过dhcp拿到的ip,那么就会自动使用路由器的dns解析。
在ubuntu上,也配置了一个dnsmasq让其本机的域名解析127.0.0.1,但这个配置只是最基本的配置是告诉它使用上游也即路由器的dns设置。所以局域网内的客户机实际上不需要做什么事情。当然你愿意将客户机上的dnsmasq禁用掉在/etc/resolv.conf文件中将域名解析指向路由器(nameserver 192.168.1.1)也是可以的。客户端也可以通过配置/etc/resolvconf/resolv.conf.d/head覆盖本机的dns设置让它直接指向路由器(当然客户机配不配都无所谓)。
10, 对于路由器我们最好使用透明代理,这样可以避免客户机还要配置代理。对于shadowsocks应该更新/etc/init.d/shadowsocks使用ss-redir而不是ss-local。注意:ss-redir与ss-local同时启动时需将默认配置文件/etc/shadowsocks.json中的端口改成不一样的。另外,下面的配置中的method参数的值应该是小写。
{
"server": "106.186.22.**",
"server_port": 26062,
"local_port": 8080,
"password": "password",
"timeout": 600,
"method": "aes-128-cfb"
}
shadowsocks使用的是白名单,除中国IP外,全部走代理。
wget -O- 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | awk -F\| '/CN\|ipv4/ { printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > /etc/shadowsocks/ignore.list
也可利用GFWlist整理黑名单域名,让dnsmasq走VPN出去解释域名,以避免被污染
10, 这样,从客户机上的流量就来到了路由器,路由路要配合使用透明代理。
例如,对于shadowsocks,可以在/etc/firewall.user中添加下列iptables规则将配置fuckgfw这个ipset的流量导到8080端口的ss-redir进程中(ss-redir -c /etc/shadowsocks.json -l 8080)。
ipset create fuckgfw iphash --exist
iptables -t nat -A PREROUTING -p tcp -m set --match-set fuckgfw dst -j REDIRECT --to-port 8080
写入后重启防火墙:/etc/init.d/firewall restart
例如,对于vpn, 可以在/etc/firewall.user中将匹配fuckgfw这个ipset的流量打上标记8
#iptables -t mangle -A fwmark -m set --match-set fuckgfw dst -j MARK --set-mark 8
然后将标记8的流量导到另一个router tables中去。
a, 创建router table, echo "200 fuckgfw" >> /etc/iproute2/rt_tables
b, 在router table表中添加让标记为8的流量走默认路由让它走vpn遂道。另外,也注意将8.8.8.8等dns查询的流量让它走vpn遂道(如果想让它走ss-tunnel的话,可以:ss-tunnel -c /etc/shadowsocks.json -b 0.0.0.0 -l 1053 -L 8.8.8.8:53 -u)
cat /etc/vpnc/post-connect.d/fuckgwf-connect
chmod +x /etc/vpnc/post-connect.d/fuckgwf-connect
#!/bin/sh
TUNDEV=tun0
ip route add 8.8.8.8 dev $TUNDEV
ip route add default dev $TUNDEV table fuckgfw
ip rule add fwmark 8 table fuckgfw
ip route list table fuckgfw
# ip rule del from all fwmark 0x8 lookup fuckgfw
ip rule list
c, vpn停的时候清空router table fuckgfw中的路由规则
cat /etc/vpnc/post-disconnect.d/fuckgwf-disconnect
chmod +x /etc/vpnc/post-disconnect.d/fuckgwf-disconnect
#!/bin/sh
ip rule del table fuckgfw
d, 不要将vpn走遂道的路由作为全局路由,这样会导致访问国内的网站也慢的。
vi /etc/vpnc/vpnc-script
elif [ -n "$INTERNAL_IP4_ADDRESS" ]; then
echo 'do not change default route'
#set_default_route
fi
e, vpnc作为vpn的配置内容:
/etc/vpnc/default.conf
IPSec gateway ipsec01.××.net
IPSec ID vpn
IPSec secret vpn.psk
Xauth username <username
Xauth password <password>
NAT Traversal Mode cisco-udp
f, 安装vpnc, opkg update & opkg install vpnc
g, 启动vpnc, vpnc
11, 配置crontab监控ss-redir进程
root@OpenWrt:~# crontab -e
root@OpenWrt:~# crontab -l
*/2 * * * * isfound=$(ps | grep "ss-redir" | grep -v "grep"); if [ -z "$isfound" ]; then echo "$(date): restart ss-redir...">>/tmp/log/ss-monitor.log && /etc/init.d/shadowsocks restart; fi
以上在讲原理的时候其本上连配置一起说了,现在说说如何安装openwrt和shadowsocks和支持ipset的dnsmasq-full:
1, 下载固件
http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/nand/openwrt-ar71xx-nand-wndr4300-ubi-factory.img
WNDR4300默认的IP是192.168.1.1(如果电脑还连有无线,请将无线路由器设置其他网段),网线连接路由器的下行接口和电脑的有线网卡之后网卡会自动分配一个192.168.1.0/24网段的IP。
2, 进WNDR4300的管理界面(http://192.168.1.1)的直接升级固件(注意:管理界面在有代理的时候好像进不去)
3, 进OpenWRT的管理界面(http://192.168.1.1)设置root用户的密码后ssh会默认开启。
4, 检查5G频段是否正常。
$ ssh 192.168.1.1
root@OpenWrt:~# devmem 0x180600b0
0x002F055A
5, 配置广域网接口, Network -> Interface -> WAN -> Edit -> General Setup里设置PPPoE。
6, 配置无线局域网,Network -> Wireless.
7, 更改为中文系统,进System -> Software菜单后点击Update lists按钮更新软件列表,然后在Download and install package处输入luci-i18n-chinese后点OK安装中文插件。进入System —> System —> Language and Style,在Language后选择Chinese。
8, 安装配置shadowsocks
软件:http://sourceforge.net/projects/openwrt-dist/files/shadowsocks-libev/
opkg install ipset libpolarssl resolveip
(遇到这问题“kmod: failed to insert /lib/modules/3.10.49/ip_set.ko”是因为安装了ipset需要重启路由器)
opkg install iptables-mod-geoip iptables-mod-nat-extra kmod-ipt-geoip kmod-ipt-nat kmod-ipt-nat-extra kmod-ipt-nathelper
根据CPU型号选择下载不带spec的包,然后scp拷贝到路由器上安装
scp shadowsocks-libev_2.1.4-1_ar71xx.ipk root@192.168.1.1:/tmp/*.ipk
opkg install /tmp/shadowsocks-libev_2.1.4-1_ar71xx.ipk
9, 需要dnsmasq支持ipset (可用dnsmasq -v来检查是否支持, dnsmasq-full在dnsmasq的基础上增加了对ipset的支持)。
http://sourceforge.net/projects/openwrt-dist/files/dnsmasq
http://sourceforge.net/projects/openwrt-dist/files/depends-libs
dnsmasq -v 查看dnsmasq是否支持ipset
opkg remove dnsmasq
opkg install /tmp/libgmp_6.0.0-1_ar71xx.ipk
opkg install /tmp/libnettle_2.7.1-1_ar71xx.ipk
opkg install /tmp/dnsmasq-full_2.72-4_ar71xx.ipk
opkg install ipset iptables-mod-nat-extra
附件一, 根据gfw列表自动生成为dnsmasq生成dns及ipset记录
#!/usr/bin/env python
from os.path import expanduser
import urllib
import base64
import string
if __name__ == '__main__':
# gfwlist = 'http://autoproxy-gfwlist.googlecode.com/svn/trunk/gfwlist.txt'
gfwlist = 'file:///bak/tools/gfw/wndr4300/openwrt/other/gfwlist.txt'
# some sites can be visited via https or is already in known list
oklist = ['flickr.com','amazon.com','twimg.com']
print "fetching gfwList ..."
d = urllib.urlopen(gfwlist).read()
print("gfwList fetched")
data = base64.b64decode(d)
lines = string.split(data, "\n")
gfwlistfile = open(expanduser('/tmp/')+'gfwlist.txt', 'wa')
for l in lines:
gfwlistfile.write(l+'\n')
gfwlistfile.close()
newlist = []
for l in lines:
if len(l) == 0:
continue
if l[0] == "!":
continue
if l[0] == "@":
continue
if l[0] == "[":
continue
l = string.replace(l, "||","").lstrip(".")
l = string.replace(l, "|https://","")
l = string.replace(l, "|http://","")
# strip everything from "/" to the end
if l.find("/") != -1:
l = l[0:l.find("/")]
if l.find("%2F") != -1:
continue
if l.find("*") != -1:
continue
if l.find(".") == -1:
continue
if l in oklist:
continue
newlist.append(l)
newlist = list(set(newlist))
newlist.sort()
# generate dnsmasq configuration
gfwdn = open(expanduser('/tmp/')+'gfwdomains.conf', 'wa')
for l in newlist:
gfwdn.write('server=/'+l+'/127.0.0.1#1053\n')
gfwdn.write('ipset=/'+l+'/fuckgfw\n')
gfwdn.close()
附件二,WNDR4300刷成砖之后如何恢复
DD-WRT不能使用SSH, 关闭之后也无法进入Web管理界面,但能telnet进入。决定将WNDR4300切换到OpenWRT。
先要恢复成官方的固件。
1, 下载官方固件到电脑上。
2, 在电脑上启动http服务器用于传文件, python -m SimpleHTTPServer
3, telnet 192.168.1.1 root/<your_password_for WNDR4300>
4, 使用telnet刷固件
root@DD-WRT:/tmp# cd /tmp/
root@DD-WRT:/tmp# wget http://192.168.1.122:8000/WNDR4300-V1.0.1.69PRRU.img
root@DD-WRT:/tmp# mtd -r write WNDR4300-V1.0.1.69PRRU.img linux
Unlocking linux ...
Writing from WNDR4300-V1.0.1.69PRRU.img to linux ... [w]
root@DD-WRT:/tmp# Connection closed by foreign host.
遗失对主机的连接,绿灯闪烁直至路由器重新启动即为救砖成功。但这种方法似乎不大好使,使用始终就是闪啊闪个把小时没反应。
5, mtd方式不好使,改用tftp方式。
正常是按reset键,加电等灯由绿变蓝时松reset键,然后执行tftp操作。记得事先给电脑网卡设同网段IP(这个IP可能在断电时消失)。
tftp不成功时,我这样成功过,加电按reset键(背部红圆圈处)30秒,断电再按30秒,再加电按30秒,释放reset键10秒,断开电源10秒,加电重新连接。
sudo arp -s 192.168.1.1 04a1518a2ca7
$ tftp 192.168.1.1
tftp> binary
tftp> put WNDR4300-V1.0.1.69PRRU.img WNDR4300-V1.0.1.60.img
Sent 12910725 bytes in 2.7 seconds
6, 然后再重置配置,加电情况下按reset约5秒左右等闪烁时松手。
Reference:
1, Netgear wndr4300 翻墙手册, http://tonylee.name/?page_id=14
2, OpenWrt VPN 按域名路由, https://blog.sorz.org/p/openwrt-outwall/
2015-03-19, 在openwrt上使用vps上的ssh遂道
1, OpenWrt 中默认自带的 SSH 服务/客户端是 Dropbear,Dropbear 作为 SSH 客户端无法满足我们的需要,所以我们要安装 openssh-client。首先到路由器的文件系统中 /usr/bin 目录下,删除 ssh 和 scp。其实这两个文件都是到 Dropbear 的符号链接,所以放心删除。
rm -rf /usr/bin/ssh
rm -rf /usr/bin/scp
opkg install openssh-server openssh-client autossh polipo
2, 免公钥登录
ssh-keygen -b 1024 -t rsa
scp /root/.ssh/id_rsa.pub quqi99@<ssh-server-ip>:/home/quqi99/.ssh/authorized_keys
3,运行autossh,相当于:ssh -D 8008 -lquqi99 -o serveraliveinterval=60 <ssh-server-ip> -fNv
autossh -M20000 -f -q -N -D 127.0.0.1:8080 quqi99@ <ssh-server-ip>
或添加自启动服务
cat /etc/init.d/iautossh
#!/bin/sh /etc/rc.common
START=99
start() {
autossh -M20000 -f -q -N -D 0.0.0.0:8080 quqi99@ <ssh-server-ip>
}
stop() {
killall autossh
}
chmod +x /etc/init.d/iautossh
/etc/init.d/iautossh enable
4, 配置polipo
cat /etc/polipo/config
pidFile = "/var/run/polipo.pid"
daemonise = true
proxyAddress = "0.0.0.0"
allowedClients = "127.0.0.1", "192.168.0.0/16"
socksParentProxy = "127.0.0.1:8080"
socksProxyType = socks5
logFile = "/tmp/log/polipo.log"
cat /etc/init.d/ipolipo
#!/bin/sh /etc/rc.common
START=99
start() {
polipo -c /etc/polipo/config
}
stop() {
killall polipo
}
chmod +x /etc/init.d/ipolipo
/etc/init.d/ipolipo enable #注意,不是/etc/init.d/polipo enable哦
2015-03-20更新:
GFW是一个分布式的入侵检测系统,并不是一个严格意义上的防火墙。不是说每个出入国境的IP包都需要先经过GFW的首可。做为一个入侵检测系 统,GFW把你每一次访问facebook都看做一次入侵,然后在检测到入侵之后采取应对措施,也就是常见的连接重置。GFW会在监听到不和谐的IP包之后发回RST包来重置TCP连接。
1, 对于HTTP协议由于是标准且未加密的,直接通过Hash像LB一样往众多节点上转去重建一个TCP会话的单向字节流。
2, 从HTTP的GET请求中取得请求的URL。然后GFW拿到这个请求的URL去与关键字做匹配,比如 查找Twitter是否在请求的URL中。
3, GFW可以在识别到HTTP明文代理和SOCKS明文代理之后,再拆解其内部的HTTP协议的正文。但是如果给数据加的套是GFW不能理解的,比如你把TCP包塞到了UDP包里,GFW就不能理解正文了,从而逃过了关键字匹配的检查。
4, GFW可以分析53端口的UDP协议的DNS查询, 目前为止53端口之外的查询也没有被劫持。但是TCP的DNS查询已经可以被TCP RST切断了,表明了GFW具有这样的能力,只是不屑于大规模部署。
5, SMTP协议,看邮件是不是发往上了黑名单的邮件地址的(比如xiazai@upup.info就是一个上了黑名单的邮件地址),如果发现了就立马用TCP RST包切断连接。
6, 电驴(ed2k)协议,GFW会切断所有使用混淆模式的ed2k连接,迫使客户端使用明文与服务器通讯.
7, 封IP, 把无效的路由黑洞加入到主干路由器的路由表中,然后让这些主干网上的路由器去帮GFW把到指定IP的包给丢弃掉。
8, DNS劫持,其原理是基于DNS与IP协议的弱点,DNS与 IP这两个协议都不验证服务器的权威性,而且DNS客户端会盲目地相信第一个收到的答案。所以你去查询facebook.com的话,GFW只要在正确的 答案被返回之前抢答了,然后伪装成你查询的DNS服务器向你发错误的答案就可以了.
9, 如果检测 到服务器是用SSH或者VPN等方式提供翻墙服务。GFW会在全国的出口骨干路由上部署这样的一条ACL规则,来封你这个服务器+端口的下行数据包。
10, Python的NetfilterQueue(iptables -D OUTPUT -p udp --dst 8.8.8.8 -j QUEUE), 使用Python任意抓包,修改包和发包的能力。
11, Python的dpkt, 解析和构造任意的IP包。
12, 非53端口,dig @208.67.222.222 -p 5353 twitter.com, 但应用程序一般不支持非53端口,所以一是使用本地dns服务转发(dnsmasq, pdnsd, dnsmasq无法强制使用TCP协议向上游服务器转发请求), 二是使用NetfilterQueue改写IP包,三是iptables规则:
iptables -t nat -I OUTPUT --dst 208.67.222.222 -p udp --dport 53 -j DNAT --to-destination 208.67.222.222:5353
#iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p udp --dport 53 -j DNAT --to 127.0.0.1:1053
#iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 53 -j DNAT --to 127.0.0.1:1053
因为dnsmasq无法强制使用TCP协议向上游服务器转发请求,所以当使用pdnsd惑乱unbound构建了一个非53端口的TCP查询dns的方式,
需要修改/etc/config/dhcp, 注释掉resolvfile并打开noresolv选项,是为了让dnsmasq不使用resolvfile中的DNS服务器进行查询:
config 'dnsmasq'
#option 'resolvfile' '/tmp/resolv.conf.auto'
option 'noresolv' '1'
list 'server' '127.0.0.1#5353'
当list 'server' 使用127.0.0.1#5353是全局转发(对应于控制台界面在"Network->DHCP and DNS->DNS forwardings",也可以这里填114.114.114.114, 然后在/etc/dnsmasq.conf配置(server=/example.com/127.0.0.1#5353)只针对具体站点转发.
It is possible to mix the traditional /etc/dnsmasq.conf configuration file with the options found in /etc/config/dhcp.The dnsmasq.conf file does not exist by default but will be processed by dnsmasq on startup if it is present. Note that options in /etc/config/dhcp take precendence over dnsmasq.conf since they are translated to command line arguments.
但感觉应该在/etc/dnsmasq.conf中注释掉, #all-servers
对于使用OpenDNS的非53端口的,需要,
config 'dnsmasq'
#option 'resolvfile' '/tmp/resolv.conf.auto'
option 'noresolv' '1'
list 'server' '208.67.222.222#5353'
list 'server' '208.67.220.220#5353'
bogus-nxdomain=67.215.65.132 # 去除OpenDNS查询不存在的域名显示广告的问题
13, GFW在日常是不屏蔽TCP的DNS查询的,所以可以得到正确的结果。但是和非标准端口一样,几乎所有的应用程序都不支持使用TCP查询。
14, iptable nfqueue, 对于没有办法自己安装或者编译内核模块的场景,比如最常见的Android手机,厂家不告诉你内核的具体版本以及编译参数,普通用户是没有办法重新编译 linux内核的。对于这样的情况,iptables提供了nfqueue,我们可以把内核模块做的ip过滤的工作交给用户态(也就是普通的应用程序)来 完成。
15, tcpdump -i pppoe-wan host 199.59.150.7 or icmp -vvv
iptables -L -v -n | grep icmp
参考:
1, http://otnth.blogspot.jp/2012/05/openwrt-dns.html?m=1
2, http://allinfa.com/kill-gfw-router-principle.html
3, http://www.wufuli.com/1161.html
20150422, 采用chinadns抗dns污染的配置方法
更新IP 忽略列表:
rm -f /etc/chinadns_chnroute.txt
ln -s /etc/shadowsocks/ignore.list /etc/chinadns_chnroute.txt
wget -O- 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | awk -F\| '/CN\|ipv4/ { printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > /etc/shadowsocks/ignore.list
20150422, ipv6
网络服务商早就提供IPv6 6to4接入,OpenWrt从Barrier Breaker开始已经原生支持IPv6了。
opkg install 6to4 kmod-sit luci-proto-ipv6 radvd ip ip6tables kmod-ipv6 kmod-tun kmod-ip6tables
1, 在openwrt的Network-Interface菜单的WAN6选项卡中为WAN接口配置6to4隧道。在LAN选项卡中的DHCP Server处的IPv6 Settings处设置如下。
Router Advertisement-Service, server mode
DHCPv6-Service, server mode
NDP-Proxy, disabled
DHCPv6-Mode, stateless + stateful
它相当于会干这类事情( pppd nodetach ipparam wan ifname pppoe-wan +ipv6 nodefaultroute usepeerdns persist maxfail 1 user)
# create and bring up tunnel
ip tunnel add tun6to4 mode sit remote any local 114.245.25.8
ip link set dev tun6to4 up
# assign ipv6 addr to tunnel
ip 6 addr add 2002:72F5:1908::1/48 dev tun6to4
# assign ipv6 addr to LAN
ip 6 addr add 2002:72F5:1908:ffff::1/64/64 dev brlan
# add a default route via 6to4 magic, ::192.88.99.1 is the "magic" anycast address of the 6to4 protocol
ip 6 route add 2000::/3 via ::192.88.99.1 dev tun6to4 metric 1
route -n -A inet6
ip -6 addr show
ip -6 neigh show
2, 在重启路由器或者/etc/init.d/network restart后路由器和局域网机器都会配置上6to4 ipv6地址。
直接访问:ipv6.google.com
3, ipv6 host, /etc/resolvconf/resolv.conf.d/head, 然后执行:resolvconf -u
nameserver 2001:4860:4860::8844
4, 验证, 通过下列命令发现看到的很多不同域名的ipv6地址都是重复的,说明gfw对ipv6的域名也污染了
nslookup -query=AAAA plus.google.com
dig plus.google.com AAAA
5, 输入url时记得加上https,
https://[2a00:1450:4017:802::2005]/
6, 下列程序用于进行TCP查询dns, 可用这个命令测试: nslookup -port=5354 -type=AAAA plus.google.com 127.0.0.1
#! /usr/bin/python
import os, sys
import socket
import struct
import threading
import SocketServer
import traceback
import random
DHOSTS = ['2001:4860:4860::8888',
'2001:4860:4860::8844'
]
DPORT = 53
TIMEOUT = 60
#-------------------------------------------------------------
# Hexdump Cool :)
# default width 16
#--------------------------------------------------------------
def hexdump( src, width=16 ):
FILTER=''.join([(len(repr(chr(x)))==3) and chr(x) or '.' for x in range(256)])
result=[]
for i in xrange(0, len(src), width):
s = src[i:i+width]
hexa = ' '.join(["%02X"%ord(x) for x in s])
printable = s.translate(FILTER)
result.append("%04X %s %s\n" % (i, hexa, printable))
return ''.join(result)
#---------------------------------------------------------------
# bytetodomain
# 03www06google02cn00 => www.google.cn
#--------------------------------------------------------------
def bytetodomain(s):
domain = ''
i = 0
length = struct.unpack('!B', s[0:1])[0]
while length != 0 :
i += 1
domain += s[i:i+length]
i += length
length = struct.unpack('!B', s[i:i+1])[0]
if length != 0 :
domain += '.'
return domain
#--------------------------------------------------
# tcp dns request
#---------------------------------------------------
def QueryDNS(server, port, querydata):
# length
Buflen = struct.pack('!h', len(querydata))
sendbuf = Buflen + querydata
try:
s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
s.settimeout(TIMEOUT) # set socket timeout
s.connect((server, int(port)))
s.send(sendbuf)
data = s.recv(2048)
except:
print traceback.print_exc(sys.stdout)
if s: s.close()
return
if s: s.close()
return data
#-----------------------------------------------------
# send udp dns respones back to client program
#----------------------------------------------------
def transfer(querydata, addr, server):
if not querydata: return
domain = bytetodomain(querydata[12:-4])
qtype = struct.unpack('!h', querydata[-4:-2])[0]
print 'domain:%s, qtype:%x, thread:%d' % \
(domain, qtype, threading.activeCount())
sys.stdout.flush()
choose = random.sample(xrange(len(DHOSTS)), 1)[0]
DHOST = DHOSTS[choose]
response = QueryDNS(DHOST, DPORT, querydata)
if response:
# udp dns packet no length
server.sendto(response[2:], addr)
return
class ThreadedUDPServer(SocketServer.ThreadingMixIn, SocketServer.UDPServer):
def __init__(self, s, t):
SocketServer.UDPServer.__init__(self, s, t)
class ThreadedUDPRequestHandler(SocketServer.BaseRequestHandler):
# Ctrl-C will cleanly kill all spawned threads
daemon_threads = True
# much faster rebinding
allow_reuse_address = True
def handle(self):
data = self.request[0]
socket = self.request[1]
addr = self.client_address
transfer(data, addr, socket)
if __name__ == "__main__":
print '>> Please wait program init....'
print '>> Init finished!'
print '>> Now you can set dns server to 127.0.0.1'
server = ThreadedUDPServer(('127.0.0.1', 5354), ThreadedUDPRequestHandler)
# on my ubuntu uid is 1000, change it
# comment out below line on windows platform
os.setuid(1000)
server.serve_forever()
server.shutdown()
20150629 哦耶路由器
硬件连接: 找根网线将哦耶路由器的WAN口和家里路由器的LAN口相连,然后连接哦耶路由器的无线热点,最后通过ssh root@192.168.8.1访问,默认密码是admin
可将/etc/opkg.conf文件的源改成:
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /tmp
src/gz barrier_breaker_base http://www.oyewifi.com/OYE-0001.BB.IPKs.20141227/base
src/gz barrier_breaker_luci http://www.oyewifi.com/OYE-0001.BB.IPKs.20141227/luci
src/gz barrier_breaker_management http://www.oyewifi.com/OYE-0001.BB.IPKs.20141227/management
src/gz barrier_breaker_oldpackages http://www.oyewifi.com/OYE-0001.BB.IPKs.20141227/oldpackages
src/gz barrier_breaker_packages http://www.oyewifi.com/OYE-0001.BB.IPKs.20141227/packages
src/gz barrier_breaker_routing http://www.oyewifi.com/OYE-0001.BB.IPKs.20141227/routing
遗憾的是kernel版本太低不支持ipset,
root@OYE:~# opkg install ipset libpolarssl resolveip
Installing ipset (6.20.1-1) to root...
Downloading http://www.oyewifi.com/OYE-0001.BB.IPKs.20141227/base/ipset_6.20.1-1_ramips_24kec.ipk.
Upgrading libpolarssl on root from 1.3.8-1 to 1.3.8-2...
Downloading http://www.oyewifi.com/OYE-0001.BB.IPKs.20141227/base/libpolarssl_1.3.8-2_ramips_24kec.ipk.
Package resolveip (2) installed in root is up to date.
Configuring libpolarssl.
Collected errors:
* satisfy_dependencies_for: Cannot satisfy the following dependencies for ipset:
* kernel (= 3.10.49-1-3df3ab26a49a04478a9633bf83827ca3) * kernel (= 3.10.49-1-3df3ab26a49a04478a9633bf83827ca3) *
* opkg_install_cmd: Cannot install package ipset.
root@OYE:~# opkg info kernel
Package: kernel
Version: 3.10.49-1-2dd2c89794a3ce18f08951ae52186a47
Depends: libc
Status: install hold installed
Architecture: ramips_24kec
Installed-Time: 1409240867
然后刷openwrt trunk版本, http://downloads.openwrt.org/snapshots/trunk/ramips/mt7620/openwrt-ramips-mt7620-Lenovo-y1-squashfs-sysupgrade.bin
从http://sourceforge.net/projects/openwrt-dist/files/shadowsocks-libev/2.2.2-89e0f7f/ramips/ 下载shadowsocks-libev-spec_2.2.2-1_ramips_24kec.ipk安装,上面问题得到解决,将源换成:
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /tmp
src/gz barrier_breaker_base http://downloads.openwrt.org/snapshots/trunk/ramips/mt7620/packages/base
src/gz barrier_breaker_luci http://downloads.openwrt.org/snapshots/trunk/ramips/mt7620/packages/luci
src/gz barrier_breaker_packages http://downloads.openwrt.org/snapshots/trunk/ramips/mt7620/packages/packages
src/gz barrier_breaker_routing http://downloads.openwrt.org/snapshots/trunk/ramips/mt7620/packages/routing
src/gz barrier_breaker_telephony http://downloads.openwrt.org/snapshots/trunk/ramips/mt7620/packages/telephony
src/gz barrier_breaker_management http://downloads.openwrt.org/snapshots/trunk/ramips/mt7620/packages/management
src/gz barrier_breaker_oldpackages http://downloads.openwrt.org/barrier_breaker/14.07/ramips/mt7620a/packages/oldpackages
不过,仍然有其他问题:
1, pdnsd不能正常启动,网上搜了一下,说可以是版本太老
2, GUI界面出不来,执行了下列命令也出不来
opkg install luci luci-i18n-chinese
/etc/init.d/uhttpd enable
/etc/init.d/uhttpd start
有空再试试 http://downloads.openwrt.org/barrier_breaker/14.07/ramips/mt7620a/
20150721解决一问题
这周怎么遇到使用google就不行,使用其他也要翻墙的网站就不行,找到原因了,原来是我使用的是日本隧道,访问google时会自动变成www.google.co.jp,而co.jp没有被加到ipset中,dns没有被正确解析
ipset=/google.com/fuckgfw
server=/google.com/127.0.0.1#1053
ipset=/co.jp/fuckgfw
server=/co.jp/127.0.0.1#1053
对于ubuntu,那个配置文件应该放在/etc/NetworkManager/dnsmasq.d目录中,而不是/etc/dnsmasq.d目录。使用sudo restart network-manager可重启dnsmasq (开始也需要安装sudo apt-get install dnsmasq)。本机解析了dns,还需要隧道才能访问
/usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/run/sendsigs.omit.d/network-manager.dnsmasq.pid --listen-address=127.0.1.1 --conf-file=/var/run/NetworkManager/dnsmasq.conf --cache-size=0 --proxy-dnssec --enable-dbus=org.freedesktop.NetworkManager.dnsmasq --conf-dir=/etc/NetworkManager/dnsmasq.d
20150723发现hangout没视频但没有声音,可能因为刚开始防火墙里只有对tcp的规则,没有udp所致
iptables -t nat -A PREROUTING -p tcp -m set --match-set fuckgfw dst -j REDIRECT --to-port 7070
iptables -t nat -A PREROUTING -p udp -m set --match-set fuckgfw dst -j REDIRECT --to-port 7070
-A zone_wan_input -p tcp -m tcp --dport 7070 -m comment --comment shadowsocks -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 7070 -m comment --comment shadowsocks -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 19302 -m comment --comment hangouts_income_udp -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 19309 -m comment --comment hangouts_outcome_udp -j ACCEPT
20150921解决xxxvpn不好使的问题
因为我发现XXX.com域名被污染访问不了,于是我将下列两行追加到了/etc/dnsmasq.d/gfwdomains.conf
ipset=/XXX.com/fuckgfw
server=/XXX.com/127.0.0.1#1053
这样,vypvpn的网段XX.99.0.0/16被加到了fuckgfw ipset之中,将下列iptables规则将vpn流量送到了shadowsocks隧道,从而导致pptp, openvpn连接无法建立。
iptables -t nat -A PREROUTING -p tcp -m set --match-set fuckgfw dst -j REDIRECT --to-port 7070
iptables -t nat -A PREROUTING -p udp -m set --match-set fuckgfw dst -j REDIRECT --to-port 7070
解决办法,添加如下:
iptables -t nat -A PREROUTING -p tcp -m set --match-set fuckgfw dst -d XX.99.0.0/16 -j RETURN
iptables -t nat -A PREROUTING -p udp -m set --match-set fuckgfw dst -d XX.99.0.0/16 -j RETURN
但这并不是好的解决办法,可能地址范围太广有误杀,可以去掉ipset=/XXX.com/fuckgfw, 只使用server=/XXX.com/127.0.0.1#1053
20150925发现经常性的openvpn连接超时(pptp多半能连上),此时一得restart network-manager一下了就可以连上了。这是为什么呢?
如何debug openvpn, sudo /usr/lib/NetworkManager/nm-openvpn-service --debug --persist
看到的日志是TLS timeout, 于是我将路由器上的防火墙的所有forward设置成accept,它好像连接成功的次数多了且速度明显快了。但这不能解决根本啊,哪里可以增大tls的超时时间呢?
http://blog.csdn.net/dog250/article/details/9529927
Fri Sep 25 15:52:41 2015 us=625871 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Sep 25 15:52:41 2015 us=625884 TLS Error: TLS handshake failed
/etc/sysctl.conf
net.netfilter.nf_conntrack_tcp_timeout_established=1200
net.netfilter.nf_conntrack_udp_timeout=120
sysctl -p
20151217更新
对于vpnc协议的vpn, 使用命令行会更比用NetworkManager容易成功(因为NetworkManager集成了dnsmasq,所以直接使用IP代替vpn的域名会能有效减少连接超时时间)。
sudo vpnc --local-port 0
sudo vpnc-disconnect
# cat /etc/vpnc/default.conf
IPSec gateway <gateway>
IPSec ID vpn
IPSec secret vpn.password
#IKE Authmode hybrid
Xauth username usename
Xauth password password
NAT Traversal Mode cisco-udp
#Enable Single DES
另外,disable掉ipv6也能减小超时时间,有三处:
1, vi /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash intel_iommu=on intel_iommu_dump=1 ipv6.disable=1"
2, vi /etc/sysctl.conf
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
3, vi /etc/NetworkManager/system-connections/quqiAP # 不改这里会报:NetworkManager[13827]: <info> (wlan2): IP6 addrconf timed out or failed
[ipv6]
method=ignore
20151218更新
今天报错“vpnc: no response from target”,这样解决"sudo apt-get install libssl-dev "
hua@hua-ThinkPad-T440p:~$ sudo cat /etc/openvpn/vyprvpn.conf
#sudo apt-get install openvpn
#sudo wget -O /etc/openvpn/ca.vyprvpn.com.crt https://www.goldenfrog.com/downloads/ca.vyprvpn.com.crt
#sudo openvpn --config /etc/openvpn/vyprvpn.conf
client
keepalive 10 60
nobind
dev tun
proto udp
#link-mtu 1542
remote <vpn-ip> 1194
resolv-retry infinite
persist-key
persist-tun
persist-remote-ip
ca /etc/openvpn/<ca>
tls-client
auth-user-pass /etc/openvpn/pass.txt
auth-nocache
comp-lzo
verb 3
tun-mtu 6000
fragment 0
mssfix 0
reneg-sec 0
sudo openvpn --client --remote <vpn-ip> --dev tun --comp-lzo --auth-user-pass /etc/openvpn/pass.txt --tls-client --ca /etc/openvpn/ca.vpn.com.crt
使用pptp
sudo apt-get install pptp-linux
sudo vi /etc/ppp/peers/jp1.vyprvpn
pty "pptp jp1.vpn.com --nolaunchpppd"
lock
noauth
nobsdcomp
nodeflate
name <your-account-name>
remotename jp1.vyprvpn
ipparam jp1.vyprvpn
require-mppe-128
usepeerdns
defaultroute
persist
#lcp-echo-failure 30
#lcp-echo-interval 5
#debug
sudo vi /etc/ppp/chap-secrets
<your-account-name> jp1.vyprvpn password *
sudo vi /etc/ppp/ip-up.local
#!/bin/bash
H=`ps aux | grep 'pppd pty' | grep -v grep | awk '{print $14}'`
DG=`route -n | grep UG | awk '{print $2}'`
DEV=`route -n | grep UG | awk '{print $8}'`
route add -host $H gw $DG dev $DEV
route del default $DEV
route add default dev ppp0
Start, sudo pon jp1.vyprvpn
Stop, sudo poff jp1.vyprvpn
Debug, sudo strace -f -o /tmp/pptp-strace.log pon jp1.vyprvpn
但报错:
Dec 19 00:05:14 hua-ThinkPad-T440p pptp[18138]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 1 'Start-Control-Connection-Request'
Dec 19 00:05:14 hua-ThinkPad-T440p pptp[18138]: anon log[pptp_read_some:pptp_ctrl.c:551]: read error: Connection reset by peer
Dec 19 00:05:14 hua-ThinkPad-T440p pptp[18138]: anon log[pptp_read_some:pptp_ctrl.c:544]: read returned zero, peer has closed
在路由器加了下列防火墙规则仍然报错:
## PPTP: forward initiator 1723/tcp
iptables -t nat -A PREROUTING -p tcp --dport 1723 -j DNAT --to <vpn-ip>
iptables -A FORWARD -p tcp --dport 1723 -d <vpn-ip> -j ACCEPT
## PPTP: forward tunnel GRE traffic
iptables -t nat -A PREROUTING -p gre -j DNAT --to <vpn-ip>
iptables -A FORWARD -p gre -d <vpn-ip> -j ACCEPT
使用xl2tpd来实现ipsec和l2tp的一般步骤
vi /etc/ipsec.conf
conn vyprvpn
authby=secret
pfs=no
rekey=yes
keyingtries=3
type=transport
left=%defaultroute
leftprotoport=17/1701
right=jp1.vpn.com
rightid=@jp1.vpn.com
rightprotoport=17/1701
auto=add
vi /etc/ipsec.secrets
%any jp1.vpn.com: PSK "password"
sudo apt-get install xl2tpd
vi /etc/xl2tpd/xl2tpd.conf
[lac vyprvpn]
lns = jp1.vpn.com
require chap = yes
refuse pap = yes
require authentication = yes
name = <your-vpn-account>
ppp debug = no
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
sudo vi /etc/ppp/chap-secrets
<your-vpn-account> jp1.vpn.com "password" *
sudo vi /etc/ppp/options.l2tpd.client
ipcp-accept-local
ipcp-accept-remote
refuse-eap
noccp
noauth
crtscts
idle 1800
mtu 1410
mru 1410
defaultroute
debug
lock
#proxyarp
connect-delay 5000
apt-get install strongswan-starter
ipsec vyprvpn
sudo service xl2tpd restart
echo "c vyprvpn" > /var/run/xl2tpd/l2tp-control
20151221更新
Mon Dec 21 15:47:44 2015 [jp1.vyprvpn.com] Peer Connection Initiated with [AF_INET]209.99.xx.xx:1194
Mon Dec 21 15:47:46 2015 SENT CONTROL [jp1.vyprvpn.com]: 'PUSH_REQUEST' (status=1)
Mon Dec 21 15:47:46 2015 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.10.160.1,explicit-exit-notify 5,rcvbuf 262144,route-gateway 10.10.160.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.10.160.172 255.255.255.0'
Mon Dec 21 15:47:46 2015 OPTIONS IMPORT: timers and/or timeouts modified
Mon Dec 21 15:47:46 2015 OPTIONS IMPORT: explicit notify parm(s) modified
Mon Dec 21 15:47:46 2015 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Mon Dec 21 15:47:46 2015 Socket Buffers: R=[131072->425984] S=[131072->131072]
Mon Dec 21 15:47:46 2015 OPTIONS IMPORT: --ifconfig/up options modified
Mon Dec 21 15:47:46 2015 OPTIONS IMPORT: route options modified
Mon Dec 21 15:47:46 2015 OPTIONS IMPORT: route-related options modified
Mon Dec 21 15:47:46 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Dec 21 15:47:46 2015 ROUTE_GATEWAY 192.168.99.1/255.255.255.0 IFACE=eth0 HWADDR=28:d2:44:52:31:1d
Mon Dec 21 15:47:46 2015 TUN/TAP device tun0 opened
Mon Dec 21 15:47:46 2015 TUN/TAP TX queue length set to 100
Mon Dec 21 15:47:46 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Dec 21 15:47:46 2015 /sbin/ip link set dev tun0 up mtu 6000
Mon Dec 21 15:47:46 2015 /sbin/ip addr add dev tun0 10.10.160.172/24 broadcast 10.10.160.255
Mon Dec 21 15:47:46 2015 /sbin/ip route add <vpn-ip>/32 via 192.168.99.1
Mon Dec 21 15:47:46 2015 /sbin/ip route add 0.0.0.0/1 via 10.10.160.1
Mon Dec 21 15:47:46 2015 /sbin/ip route add 128.0.0.0/1 via 10.10.160.1
Mon Dec 21 15:47:46 2015 Initialization Sequence Completed
Mon Dec 21 16:47:44 2015 TLS: soft reset sec=0 bytes=319619538/0 pkts=404182/0
Enter Auth Username:^CMon Dec 21 16:50:53 2015 ERROR: could not read Auth username from stdin
1, openvpn在tls建立连接时容易受到干扰丢包从而超时失败。在服务端加tls-timeout参数,最好也加HMAC signature参数。
2, openvpn有时候收不到tls的上述PUSH_REPLY包,从而断, SIGUSR1[soft,no-push-reply] received, process restarting
3, openvpn由于使用了"ping-restart 60",那么在一分钟时如果tls被墙了也容易断。
4, openvpn的tls协议随机会reset了, TLS: soft reset sec=0 bytes=319619538/0 pkts=404182/0 . 在服务端与客户端加reneg-sec=0
可以上openvpn服务端与客户端同时运行:
iptables -I FORWARD -p tcp -s <vpn-ip> --sport 1194 --tcp-flags RST RST -m state --state RELATED,ESTABLISHED -j DROP
所以改用cisco anyconnect协议吧
echo "password" |sudo openconnect -u username a1.vpn.net
20160121更新
在换成移动宽带之后,运行混淆后的openvpn总是隔一段时间就由ping-restart造成断线了。
OpenVPN是在UDP之上模拟的TCP连接,使用Timer重传(有数据传输收到确认就不重发了,丢包后超过了超时时间就重发),openvpn服务商的设置(ping 10,ping-restart 60)代表只要有10/60=16.7%的丢包率的时候客户端就会触发ping-restart软中断重新连接。而网络运营商一般会用如下防火墙规则对UDP随机丢包:
iptables -t mangle -A PREROUTING -m statistic --mode random --probability 0.3 -j MARK --set-mark 100
iptables -t filter -A FORWARD -p udp -m mark --mark 100 -j DROP
随机丢包的理由是:
a.UDP本身没有流控和拥控,不加以管制的话,UDP最终会吃掉整个带宽,让TCP之类的拥控协议认为网络拥堵,自行减速。
b.UDP无状态,无法很好的通过五元组监控来控制UDP。
c.UDP和组播天生是一对,二者可能会做出一些见不得人的勾当。
d.受管制的TCP会伪装在UDP中,招摇过市。
20160728更新
install_openconnect.sh
#!/usr/bin/env bashset -o xtrace#Install openconnect packagessudo apt-get -y install build-essential pkg-config libgnutls28-dev libreadline-dev libseccomp-dev libwrap0-dev libnl-nf-3-dev liblz4-dev gnutls-bincd /tmpif [ ! -f "/tmp/ocserv-0.10.5.tar.xz" ]; then curl -f --retry 6 --retry-delay 5 -O ftp://ftp.infradead.org/pub/ocserv/ocserv-0.10.5.tar.xz tar -xf ocserv-0.10.5.tar.xz #git clone https://gitlab.com/ocserv/ocserv.gitficd /tmp/ocserv-0.10.5./configuremake -j $(grep "cpu cores" /proc/cpuinfo|uniq|awk -F':' '{print $2}'|xargs)sudo make install#Create CA certificatemkdir -p /tmp/cert && cd /tmp/certcat > /tmp/cert/ca.tmpl << EOF cn = "sts CA" organization = "sts CA" serial = 1 expiration_days = 3650ca signing_key cert_signing_key crl_signing_keyEOF#Generate CA secret KEY: V2certtool --generate-privkey --outfile CA.key#Generate CA certifice: P2 signed by V2certtool --generate-self-signed --load-privkey CA.key --template ca.tmpl --outfile CA.pem#Create User certificate (here is for VPN server)cat > /tmp/cert/vpnserver.tmpl << EOFcn = "sts vpn server" organization = "sts" expiration_days = 3650signing_key encryption_keytls_www_serverEOF#Generate User secret KEY: V1certtool --generate-privkey --outfile vpnserver.key#Generate User certificate: <P1 signed by V2>certtool --generate-certificate --load-privkey vpnserver.key --load-ca-certificate CA.pem --load-ca-privkey CA.key --template vpnserver.tmpl --outfile vpnserver.pem#CA.pem,vpnserver,pem,vpnserver.key need to be installed in vpnserver sudo cp CA.pem /etc/ssl/certs/CA.pemsudo cp vpnserver.pem /etc/ssl/private/vpnserver.pemsudo cp vpnserver.key /etc/ssl/private/vpnserver.key#Configure and Start VPN Serversudo mkdir -p /etc/ocservsudo bash -c 'cat > /etc/ocserv/ocserv.conf' <<EOFauth = "plain[passwd=/etc/ocserv/ocpasswd]"tcp-port = 443udp-port = 443run-as-user = nobodyrun-as-group = daemonsocket-file = /var/run/ocserv-socketisolate-workers = truemax-clients = 100max-same-clients = 5keepalive = 32400dpd = 90mobile-dpd = 1800try-mtu-discovery = trueserver-cert = /etc/ssl/private/vpnserver.pemserver-key = /etc/ssl/private/vpnserver.keyca-cert = /etc/ssl/certs/CA.pemcert-user-oid = 0.9.2342.19200300.100.1.1tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"auth-timeout = 40min-reauth-time = 300max-ban-score = 50ban-reset-time = 300cookie-timeout = 300deny-roaming = falserekey-time = 172800rekey-method = ssluse-occtl = truepid-file = /var/run/ocserv.piddevice = vpnspredictable-ips = truedefault-domain = example.comipv4-network = 192.168.1.0ipv4-netmask = 255.255.255.0dns = 8.8.8.8ping-leases = falseroute = 0.0.0.0/128.0.0.0route = 128.0.0.0/128.0.0.0no-route = 192.168.5.0/255.255.255.0cisco-client-compat = trueEOF#Configure iptable rulessudo iptables -A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPTsudo iptables -A INPUT -p udp -m state --state NEW --dport 443 -j ACCEPTsudo iptables -A FORWARD -j ACCEPTsudo iptables -t nat -A POSTROUTING -j MASQUERADEsudo sed -i '/net.ipv4.ip_forward/ s/\(.*= \).*/\11/' /etc/sysctl.confsudo sysctl -psudo sysctl -w net.ipv4.ip_forward=1#[option] User certificate way#configuration options in vpn server side#auth = "certificate"# #listen-clear-file = /var/run/ocserv-conn.socket#ca-cert = /etc/ssl/certs/CA.pemcat > /tmp/cert/user.tmpl <<EOFcn = "sts_user"unit = "sts"expiration_days = 365signing_keytls_www_clientEOF#Create user secret KEY#certtool --generate-privkey --outfile user.key#Create user certificate#certtool --generate-certificate --load-privkey user.key --load-ca-certificate CA.pem --load-ca-privkey CA.key --template user.tmpl --outfile user.pem#Transform to PKCS12 format: mykey/password#certtool --to-p12 --load-privkey user.key --pkcs-cipher 3des-pkcs12 --load-certificate user.pem --outfile user.p12 --outder#Start VPN Serversudo cp /tmp/ocserv-0.10.5/doc/systemd/standalone/ocserv.service /lib/systemd/system/sudo systemctl enable ocserv.service sudo ocserv -f -d 1#Start VPN Clientecho "Usage:"echo "sudo ocpasswd -c /etc/ocserv/ocpasswd test1"echo 'echo "password" |sudo openconnect --no-cert-check -u test1 <VPN-Server>'20160728更新
之前openvpn总ping-reset的原因可能如下:
1, 不要使用OVS桥,直接用eth0 (openvpn-Network-Manager和这个有关,确认)
2, 可在服务端添加下列三个参数将60的默认值改为120
keepalive 10 120
keepalive和下列的ping-restart参数是等价的
if mode server:
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"
else
ping 10
ping-restart 60
Fri Jul 29 10:52:18 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5
3, 服务端tls-timout默认为2, 改大了像60,120都直接ping-reset,但改成4似乎没事,另外net.netfilter.nf_conntrack_udp_timeout默认为30,改成60试试(sudo sysctl -w net.netfilter.nf_conntrack_udp_timeout=60)
The tls-timeout specifies how many seconds elapse between retransmission of
packets if no response is recieved from the server. The default timeout is 2
seconds. You can change this timeout to some other value, but the client will
continue to attempt connections for 1 minute regardless of how the tls-timeout
interval is set.
20161027 - sslspead或shadowsock使用hangout没有声音的问题 ipset --add fuckgfw 74.125.0.0/16
参考:
[1] http://blog.csdn.net/dog250/article/details/9529927
- 无法访问Github,该如何更新OpenStack代码? ( by quqi99 )
- 如何实现OpenStack STT隧道(by quqi99)
- 如何学习OpenStack与精通OpenStack好书推荐 ( by quqi99 )
- openstack mtu (by quqi99)
- 如何基于rst书写openstack文档 ( by quqi99 )
- OpenStack中的防火墙 ( by quqi99 )
- Openstack extension api ( by quqi99 )
- Openstack中的测试 ( by quqi99 )
- Openstack extension api ( by quqi99 )
- OpenStack TripleO印象( by quqi99 )
- OpenStack IPSec VPNaaS ( by quqi99 )
- Testing OpenStack NUMA (by quqi99)
- Test OpenStack SRIOV (by quqi99)
- Test multipath feature by openstack (by quqi99)
- Install OpenStack on rhel6.2 ( by quqi99 )
- OpenStack Neutron FWaaS 学习( by quqi99 )
- OpenStack Neutron FWaaS 学习 ( by quqi99 )
- 高可用OpenStack理论分析( by quqi99)
- 栈
- 前台利用jcrop做头像选择预览,后台通过django利用Uploadify组件上传图最终使用PIL做图像裁切
- linux 下gitolite服务器搭建
- POJ 2564 Edit Step Ladders
- C语言的指针要怎么理解
- 无法访问Github,该如何更新OpenStack代码? ( by quqi99 )
- ASP.Net 后台执行导出Excel list集合 有跨行合并
- NFS服务器的配置
- java 中break和continue的区别
- SQL Server视频
- shape的使用
- AJAX 跨域请求 – JSONP的使用,PHP实例详解
- 循环陷阱
- Linux中替换文件中的字符串
