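This one is rather odd. After looking into it carefully, here is what the original author says:

    I have created a patch which introduces some forms of scrambling to the packet payload of any OpenVPN connection.
    I have been successfully using the patch with Iranian and Chinese users for some time now.

So it seems things are pretty bad in Iran too.
Speechless. Since I cannot set up OpenVPN at 森华易腾, I don't know whether UDP port 1194 is simply blocked or OpenVPN is blocked at the protocol level; either way, it's all pretty shit.
In short, the patch obfuscates the OpenVPN protocol and adds one configuration option:

    # scramble parameters
    scramble reverse             # reverses the transmitted data; this line alone is usually enough to get past the detection mechanisms of China and Iran
    scramble xorptrpos           # applies an XOR operation to the valid data in the transmitted packet
    scramble obfuscate password  # stronger encryption: reverse + xor + password, all three used together. "password" is the password you set

With this option in use, setting cipher none is recommended, because after that there is no need to specify a cipher any more. Also, using a cipher consumes CPU, and scramble uses less CPU than a cipher does.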
Let's build one and try it. This uses OpenVPN 2.4.4 and the matching patch.
Download:

    # centos
    yum -y install unzip
    yum -y groupinstall "development tools"

    # ubuntu (build-essential does not pull in unzip or git, which the steps below use)
    apt update
    apt install build-essential unzip git

    unzip -x 2.4.4.zip
    unzip -x master.zip

Apply the patch:

    cd openvpn-release-2.4/
    git apply ../openvpn_xorpatch-master/openvpn_xor.patch
Install the dependencies and compile:

    # centos
    yum install -y openssl-devel lz4-devel net-tools lzo-devel pam-devel

    # ubuntu (autoreconf is provided by the autoconf package)
    apt install autoconf automake libtool libssl-dev liblz4-dev liblzo2-dev libpam0g-dev net-tools

    autoreconf -i -v -f
    ./configure --prefix=/export/servers/openvpn

    make
    make install
Install easy-rsa 3.0. I have to applaud it: easy-rsa 3.0 is a big step up from 2.0, with just a single executable, and much lighter too:

    wget http://img.rendoumi.com/soft/vpn/easy-rsa.zip
    unzip -x easy-rsa.zip

Create the OpenVPN configuration directory:

    mkdir -p /etc/openvpn/conf
    cp -r easy-rsa-master/easyrsa3/* /etc/openvpn

See what commands the new easy-rsa 3.0 offers:

    cd /etc/openvpn
    ./easyrsa

    Easy-RSA 3 usage and overview

    USAGE: easyrsa [options] COMMAND [command-options]

    A list of commands is shown below. To get detailed usage and help for a
    command, run:
      ./easyrsa help COMMAND

    For a listing of options that can be supplied before the command, use:
      ./easyrsa help options

    Here is the list of commands available with a short syntax reminder. Use the
    'help' command above to get full usage details.

      init-pki
      build-ca [ cmd-opts ]
      gen-dh
      gen-req <filename_base> [ cmd-opts ]
      sign-req <type> <filename_base>
      build-client-full <filename_base> [ cmd-opts ]
      build-server-full <filename_base> [ cmd-opts ]
      revoke <filename_base>
      gen-crl
      update-db
      show-req <filename_base> [ cmd-opts ]
      show-cert <filename_base> [ cmd-opts ]
      import-req <request_file_path> <short_basename>
      export-p7 <filename_base> [ cmd-opts ]
      export-p12 <filename_base> [ cmd-opts ]
      set-rsa-pass <filename_base> [ cmd-opts ]
      set-ec-pass <filename_base> [ cmd-opts ]

    DIRECTORY STATUS (commands would take effect on these locations)
      EASYRSA: .
      PKI: /etc/openvpn/pki
Simple and clear at a glance. Let's go, all in one pass:

    cd /etc/openvpn
    ./easyrsa init-pki
    ./easyrsa --batch build-ca nopass
    ./easyrsa --batch build-server-full server nopass
    ./easyrsa --batch build-client-full client1 nopass
    ./easyrsa gen-dh

Nothing else to take care of and it is all done. Compared with easy-rsa 2.0's pile of scripts and editing vars, this is far less hassle!!!
Prepare the server-side files:

    cd /etc/openvpn/
    cp pki/ca.crt pki/dh.pem pki/private/client1.key pki/private/server.key pki/issued/* /etc/openvpn/conf
    cd /etc/openvpn/conf
    /export/servers/openvpn/sbin/openvpn --genkey --secret ta.key

/etc/openvpn/conf will now contain 7 files:

    ca.crt
    server.key
    client1.key
    client1.crt
    dh.pem
    server.crt
    ta.key
Prepare a template:

    cat <<EOF >/etc/openvpn/conf/server.conf
    port 1194
    proto udp
    dev tun

    server 10.8.0.0 255.255.255.0

    scramble obfuscate fuckfuckfuck

    ca /etc/openvpn/conf/ca.crt
    cert /etc/openvpn/conf/server.crt
    key /etc/openvpn/conf/server.key
    tls-auth /etc/openvpn/conf/ta.key 0
    key-direction 0
    dh /etc/openvpn/conf/dh.pem
    cipher none

    #push "route 172.16.0.0 255.255.0.0"

    client-to-client
    comp-lzo

    persist-key
    persist-tun

    # the unprivileged group is "nobody" on CentOS and "nogroup" on Debian/Ubuntu
    user nobody
    group nobody

    ifconfig-pool-persist /etc/openvpn/conf/ipp.txt
    status /var/log/openvpn-status.log
    log /var/log/openvpn.log
    log-append /var/log/openvpn.log

    keepalive 5 30

    verb 3
    EOF
Start the server (the config file was written to /etc/openvpn/conf above):

    /export/servers/openvpn/sbin/openvpn --config /etc/openvpn/conf/server.conf --daemon
Prepare the client file:

    cat <<EOF >/etc/openvpn/conf/client1.ovpn
    client
    dev tun
    proto udp
    remote change_this_to_server_address 1194
    scramble obfuscate fuckfuckfuck
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    user nobody
    group nogroup
    ca ca.crt
    cert client1.crt
    key client1.key
    tls-auth ta.key 1
    remote-cert-tls server
    key-direction 1
    cipher none
    comp-lzo
    keepalive 5 30
    verb 3
    EOF
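
A check for the two files above, as an added example that is not part of the original post: it verifies that the `scramble` line is identical on both sides (both ends must apply the same transform with the same password) and flags `cipher none`, which requests no data-channel encryption while scramble is a reversible byte transform rather than a cipher. The function names and the sample configs with placeholder passwords are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical.

# Print the arguments of the last occurrence of a directive, ignoring comments.
directive() {  # usage: directive <name> <file>
    awk -v d="$1" '
        { sub(/[#;].*/, "") }
        $1 == d { $1 = ""; sub(/^ +/, ""); v = $0 }
        END { print v }' "$2"
}

# Report findings on stdout; return 0 only if scramble matches and a cipher is set.
# The scramble password itself is never printed, only the method name.
check_pair() {  # usage: check_pair <server.conf> <client.ovpn>
    cp_rc=0
    cp_s=$(directive scramble "$1"); cp_c=$(directive scramble "$2")
    if [ "$cp_s" != "$cp_c" ]; then
        echo "MISMATCH scramble: server=${cp_s%% *} client=${cp_c%% *} (method or password differs)"
        cp_rc=1
    fi
    for cp_f in "$1" "$2"; do
        if [ "$(directive cipher "$cp_f")" = "none" ]; then
            echo "WEAK ${cp_f##*/}: cipher none, no data-channel encryption requested"
            cp_rc=1
        fi
    done
    return "$cp_rc"
}

# Constructed sample configs (placeholder passwords), written to a temp directory.
demo() {
    demo_dir=$(mktemp -d)
    printf '%s\n' 'proto udp' 'scramble obfuscate examplepw1' 'cipher none' \
        > "$demo_dir/server.conf"
    printf '%s\n' 'client' 'scramble obfuscate examplepw2 # typo' 'cipher AES-256-GCM' \
        > "$demo_dir/client1.ovpn"
    check_pair "$demo_dir/server.conf" "$demo_dir/client1.ovpn"
    demo_rc=$?
    rm -rf "$demo_dir"
    return "$demo_rc"
}

demo || true
```
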
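Merge everything into a single client file. Note the file settings inside merge.sh:

    # settings inside merge.sh
    ca="ca.crt"
    cert="client1.crt"
    key="client1.key"
    tlsauth="ta.key"
    ovpndest="client1.ovpn"

    # download and run
    cd /etc/openvpn/conf
    wget http://img.rendoumi.com/soft/vpn/merge.sh
    chmod 755 merge.sh
    ./merge.sh

This produces a single client1.ovpn client connection file with everything in one. In fact, server.conf can also have everything included in it.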

    client
    dev tun
    proto udp
    remote change_this_to_server_address 1194
    scramble obfuscate fuckfuckfuck
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    remote-cert-tls server
    cipher none
    comp-lzo
    verb 3
    key-direction 1
    <ca>
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    </ca>
    <cert>
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    </cert>
    <key>
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----
    </key>
    <tls-auth>
    -----BEGIN OpenVPN Static key V1-----
    ...
    -----END OpenVPN Static key V1-----
    </tls-auth>
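
The merge step can also be done with a short local function instead of a script fetched over plain HTTP. The following is an added example, not the merge.sh used in the post: `merge_ovpn` is a hypothetical name and the sample files are constructed placeholders, not real key material. It keeps only the BEGIN..END blocks, carries the tls-auth direction over as key-direction, and writes the result with mode 0600 because it embeds the client private key.

```bash
#!/usr/bin/env bash
# Added example, not the merge.sh used in the post; merge_ovpn is a hypothetical name.

# usage: merge_ovpn <dir> <base.ovpn> <ca> <cert> <key> <tlsauth> <dest>
merge_ovpn() (
    cd "$1" || exit 1
    base=$2 ca=$3 cert=$4 key=$5 ta=$6 dest=$7
    for f in "$base" "$ca" "$cert" "$key" "$ta"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; exit 1; }
    done
    umask 077   # the merged profile embeds the client private key
    {
        # Drop directives that point at external files; inline blocks replace them.
        grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$base"
        # An inline <tls-auth> block cannot carry the direction argument, so keep it
        # as key-direction when the base profile does not already set one.
        grep -Eq '^[[:space:]]*key-direction[[:space:]]' "$base" ||
            awk '$1 == "tls-auth" && $3 != "" { print "key-direction", $3 }' "$base"
        for pair in "ca:$ca" "cert:$cert" "key:$key" "tls-auth:$ta"; do
            echo "<${pair%%:*}>"
            # Only the BEGIN..END block; issued .crt files may start with a text dump.
            sed -n '/^-----BEGIN /,/^-----END /p' "${pair#*:}"
            echo "</${pair%%:*}>"
        done
    } > "$dest.tmp" && mv "$dest.tmp" "$dest"   # temp file: dest may equal base
)

# Constructed placeholder inputs, merged in place as in the post (dest = base).
demo() {
    demo_dir=$(mktemp -d)
    printf '%s\n' client 'ca ca.crt' 'cert client1.crt' 'key client1.key' \
        'tls-auth ta.key 1' 'cipher AES-256-GCM' > "$demo_dir/client1.ovpn"
    for n in ca.crt:CERTIFICATE client1.crt:CERTIFICATE "client1.key:PRIVATE KEY" \
             "ta.key:OpenVPN Static key V1"; do
        printf '%s\n' "text dump to be skipped" "-----BEGIN ${n#*:}-----" \
            "CONSTRUCTED" "-----END ${n#*:}-----" > "$demo_dir/${n%%:*}"
    done
    merge_ovpn "$demo_dir" client1.ovpn ca.crt client1.crt client1.key ta.key client1.ovpn &&
        cat "$demo_dir/client1.ovpn"
    rm -rf "$demo_dir"
}

demo
```
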
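OK, copy this client1.ovpn out, ready to use on Windows.
On Windows, download the original OpenVPN GUI:

    http://img.rendoumi.com/soft/vpn/openvpn-install-2.4.4-I601.exe

Then download the matching main OpenVPN binary:

    https://github.com/lawtancool/openvpn-windows-xor/releases

Install OpenVPN first, then go to

    C:\Program Files\OpenVPN\config

and put client1.ovpn in it.
Then start OpenVPN-GUI from the desktop as administrator, right-click and choose Connect, and the connection comes up.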