突破防火墙的OpenVPN

时间: 2008-03-15 / 分类: 网络技术, 防火墙 / 浏览次数: 10,507 / 6个评论 发表评论

OpenVPN可以透过特定的port,连上远程的server,如此可以跟远程的server处在同一个 local LAN,从而达到突破公司防火墙的目的。一般公司对于对外的联机,通常只会开放 port 80 (http) 及port 443 (https SSL),所以其它的网络功能都被限制住了;而透过 OpenVPN ,可以借用port 443 连到外面的server,再由没有限制的server执行各种网络功能,有效穿越 firewall。

OpenVPN 是免费软件,但基本操作上有点难,不过只要依步骤来,还是 ok 的了。
第一次设定如下:

  1. 执行 init-config –第一次设定
  2. 执行 vars –这个文件的内容要依你的数据修改
    clean-all
    build-ca –生成 CA 文件
  3. 执行 build-key-server server –生成server key 文件
  4. 执行 build-key client1
    build-key client2
    build-key client3 –生成client key 文件,看有几个client 要用就生成几个。

生成出来的文件,依下表server或client(n)需要,复制到C:\Program Files\OpenVPN\config 目录。

Filename Needed by Purpose Secret
ca.crt server + all clients Root CA certificate NO
ca.key key signing machine only Root CA key YES
dh{n}.pem server only Diffie Hellman parameters NO
server.crt server only Server Certificate NO
server.key server only Server Key YES
client1.crt client1 only Client1 Certificate NO
client1.key client1 only Client1 Key YES
client2.crt client2 only Client2 Certificate NO
client2.key client2 only Client2 Key YES
client3.crt client3 only Client3 Certificate NO
client3.key client3 only Client3 Key YES

比较复杂的是改server端及client端的config 文件,我把config-example 目录中附的范例修改,有改动的部份列在下面,并稍加说明,请参考。改完同样复制到C:\Program Files\OpenVPN\config 目录。

Server
...
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 4431 # TCP or UDP server?
proto tcp2
;proto udp
...
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert server.crt
key server.key3
...
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
;server 10.8.0.0 255.255.255.0
server 192.168.0.0 255.255.255.04
...
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel. Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
push "redirect-gateway"5
...

Client
...
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp2
;proto udp # The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote your.openvpn.server 4436
...
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
http-proxy proxy.your.company.com 80807
...
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client2.crt
key client2.key3
...

最后,Windows 中,在系统托盘中右键菜单的config 选项上按右键就可以执行。或由下面的命令执行:
openvpn --config server.ovpn
另外,Windows 中也可以以service 型式执行。

  1. 用 SSL 用的 443 port
  2. 使用 proxy 要用 tcp
  3. 这三行用你产生出来的 key 档案
  4. 换成我常用的 192.168.0 网段
  5. client端连上后用将 default gateway 改成连到 server
  6. server 的位置及使用的 port,用 SSL 用的 443 port
  7. 你公司 proxy 的位置及 port

6个评论

  1. ryback
    2008/03/21 21:27:33

    噢噢,你想这样,没有ISA的管理权限那是没办法,isa作为防火墙最主要就是拒绝连入。
    但还有个方法也许可以,就是某些具有服务器的软件,如vnn,hamachi等,这些软件都会在客户端与服务器之间建立一个隧道,然后另一个客户端与服务器间也建立一个隧道,服务器会把这两个隧道连通,估计是可以的,我想如果你能找到一台服务器做openvpn的服务端也应该可以。
    我还是推荐hamachi,曾经试过一下功能,照理论应该无问题

  2. peter
    2008/03/21 14:49:32

    公司用ISA,在公司内网自己办公电脑架VPN,在家里电脑连公司办公电脑.家里办公…

  3. ryback
    2008/03/18 22:20:36

    哈哈,我估计你想突破ISA的限制吧,想突破简单,你需要在外部架设一个服务器端,在内部连接出来即可突破了,但你上面说的是要在内部架设vpn服务,这是为什么呢?你到底想干啥?我没看明白

  4. peter
    2008/03/18 08:51:13

    如果没有ISA的管理权限就无解了。。。

  5. ryback
    2008/03/17 19:48:11

    怎么会没有build-key呢,easy-rsa目录里面有个build-key.bat,那个client1是你自己输入的,这些都要在命令行下输入的,生成的key名字就是client1了,你也可以改成别的名字,服务端当然可以架设在内网中,但要在isa发布端口

  6. peter
    2008/03/17 15:04:11

    4、执行 build-key client1
    这个文件我怎么找不到呢?我的openvpn是从www.openvpn.net下载的。最新版的。

    另:sever端可以架设在公司内网中吗?公司ISA2004,很多端都限制了。

发表评论

您的昵称 *

您的邮箱 *

您的网站