OpenVPN——Random Ports

角色

Since the China blocks a number of ports for the OpenVPN，we may consider a range of ports forwarding to the single 1194 UDP port. For details, please refer [1].

The performance OpenVPN used in mainland China could be found in [2].

References:
[1] http://kyl191.net/2012/12/getting-openvpn-to-run-on-random-ports/
[2] http://kyl191.net/2012/12/openvpn-and-chinas-great-firewall/

角色

How to set up for client using random port number for connection?

1. We have to using port redirection to the standard UDP/TCP port 1194

1. iptables -t nat -A PREROUTING -p udp --match multiport --dport 10000:40000 -j DNAT --to ip.add.re.ss:1194
   
2. iptables -t nat -A PREROUTING -p tcp --match multiport --dport 10000:40000 -j DNAT --to ip.add.re.ss:1194

複製代碼

2. For the server side, a stand configuration is used. In the following script, the server uses TCP 1194 port for connection.

1. local ip.add.re.ss
   
2. port 1194
   
3. proto tcp
   
4. dev tun
   
5. ca keys/ca.crt
   
6. cert keys/server.crt
   
7. key keys/server.key
   
8. dh keys/dh1024.pem
   
9. server 10.10.0.0 255.255.255.0
   
10. ifconfig-pool-persist ipptcp.txt
    
11. push "redirect-gateway def1 bypass-dhcp"
    
12. push "dhcp-option DNS 208.67.222.222"
    
13. push "dhcp-option DNS 208.67.220.220"
    
14. keepalive 5 30
    
15. comp-lzo
    
16. persist-key
    
17. persist-tun
    
18. status tcp-server-tcp.log
    
19. verb 3
    
20. log /var/log/openvpn-tcp.log
    
21. tls-auth keys/ta.key 0
    
22. link-mtu 1400

複製代碼

3. Client side uses the option "remote-random" to set a random port for connection. If the server accepts, then the connection is established otherwise another port number is employed. If the connection is lost then another connection using another port will be tried to establish.

1. client
   
2. dev tun
   
3. proto tcp-client
   
4. remote-random
   
5. remote ip.add.re.ss 1194
   
6. resolv-retry infinite
   
7. nobind
   
8. persist-key
   
9. persist-tun
   
10. ca ca.crt
    
11. cert client1.crt
    
12. key client1.key
    
13. tls-auth ta.key 1
    
14. ns-cert-type server
    
15. comp-lzo
    
16. verb 3
    
17. keepalive 10 120
    
18. route-method exe
    
19. route-delay 2
    
20. register-dns
    
21. link-mtu 1400

複製代碼

4. On rotuer's iptables side, we should add

1. # Allow packets from the new subnet to make it out to the Internet
   
2. iptables -A FORWARD -s 10.10.0.0/24 -j ACCEPT
   
3. # Change the source address on outgoing packets from the new subnet to be the VPS's IP address
   
4. iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -j SNAT --to-source ip.add.re.ss
   
5. # Accept incoming packets on the TCP port 1194 - change this to your actual OpenVPN port
   
6. iptables -A INPUT -p tcp --dport 1194 -j ACCEPT

複製代碼

tomleehk

Tried the scripts and yet ended up with failure..

milanolarry

會否等同於開了很多門給 Grandpa 攻擊？每個開放了的 port 均可直達 vpn 。