Board logo

標題: OpenVPN——Random Ports [打印本頁]
作者: 角色    時間: 2013-12-7 19:02     標題: OpenVPN——Random Ports

本帖最後由 角色 於 2013-12-7 19:05 編輯

Since the China blocks a number of ports for the OpenVPN,we may consider a range of ports forwarding to the single 1194 UDP port. For details, please refer [1].

The performance OpenVPN used in mainland China could be found in [2].

References:
[1] http://kyl191.net/2012/12/getting-openvpn-to-run-on-random-ports/
[2] http://kyl191.net/2012/12/openvpn-and-chinas-great-firewall/
作者: 角色    時間: 2013-12-8 09:32

本帖最後由 角色 於 2013-12-8 10:37 編輯

How to set up for client using random port number for connection?

1. We have to using port redirection to the standard UDP/TCP port 1194
  1. iptables -t nat -A PREROUTING -p udp --match multiport --dport 10000:40000 -j DNAT --to ip.add.re.ss:1194
  2. iptables -t nat -A PREROUTING -p tcp --match multiport --dport 10000:40000 -j DNAT --to ip.add.re.ss:1194
複製代碼
2. For the server side, a stand configuration is used. In the following script, the server uses TCP 1194 port for connection.
  1. local ip.add.re.ss
  2. port 1194
  3. proto tcp
  4. dev tun
  5. ca keys/ca.crt
  6. cert keys/server.crt
  7. key keys/server.key
  8. dh keys/dh1024.pem
  9. server 10.10.0.0 255.255.255.0
  10. ifconfig-pool-persist ipptcp.txt
  11. push "redirect-gateway def1 bypass-dhcp"
  12. push "dhcp-option DNS 208.67.222.222"
  13. push "dhcp-option DNS 208.67.220.220"
  14. keepalive 5 30
  15. comp-lzo
  16. persist-key
  17. persist-tun
  18. status tcp-server-tcp.log
  19. verb 3
  20. log /var/log/openvpn-tcp.log
  21. tls-auth keys/ta.key 0
  22. link-mtu 1400
複製代碼
3. Client side uses the option "remote-random" to set a random port for connection. If the server accepts, then the connection is established otherwise another port number is employed. If the connection is lost then another connection using another port will be tried to establish.
  1. client
  2. dev tun
  3. proto tcp-client
  4. remote-random
  5. remote ip.add.re.ss 1194
  6. resolv-retry infinite
  7. nobind
  8. persist-key
  9. persist-tun
  10. ca ca.crt
  11. cert client1.crt
  12. key client1.key
  13. tls-auth ta.key 1
  14. ns-cert-type server
  15. comp-lzo
  16. verb 3
  17. keepalive 10 120
  18. route-method exe
  19. route-delay 2
  20. register-dns
  21. link-mtu 1400
複製代碼
4. On rotuer's iptables side, we should add
  1. # Allow packets from the new subnet to make it out to the Internet
  2. iptables -A FORWARD -s 10.10.0.0/24 -j ACCEPT
  3. # Change the source address on outgoing packets from the new subnet to be the VPS's IP address
  4. iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -j SNAT --to-source ip.add.re.ss
  5. # Accept incoming packets on the TCP port 1194 - change this to your actual OpenVPN port
  6. iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
複製代碼
作者: tomleehk    時間: 2014-5-15 14:17

Tried the scripts and yet ended up with failure..
作者: milanolarry    時間: 2014-7-19 16:23

本帖最後由 milanolarry 於 2014-7-19 16:58 編輯

會否等同於開了很多門給 Grandpa 攻擊?每個開放了的 port 均可直達 vpn 。



歡迎光臨 電訊茶室 (http://telecom-cafe.com/forum/) Powered by Discuz! 7.2