OpenVPN over HTTP: getting around the broadband provider's speed throttling

Why

At home I use a cheap third-tier neighbourhood broadband provider. The advertised bandwidth is several megabits, and some resources really do reach that speed, but a direct VPN connection never got anywhere near it: roughly 30 KB/s. It is not hard to guess that the ISP is interfering on the link, the so-called Layer 7 priority QoS. Since the line comes into the building at 100 Mbit and then runs PPPoE, unlike ADSL where the physical link itself caps the connection speed, doing QoS at the link layer is quite plausible. Ordinary HTTP browsing and downloads from well-connected sources easily hit full speed, while OpenVPN's TCP/UDP packets are presumably classified as P2P traffic and throttled, so the VPN speed was hopeless.

OpenVPN is the most stable and flexible way to get past the Great Firewall. It runs over UDP/TCP, which costs a little more overhead than PPTP, L2TP and other protocols that carry IP packets directly, but the benefit is that the data stream is easy to re-encapsulate and steer around the link's checkpoints. It naturally also supports HTTP proxies, so turning OpenVPN into HTTP traffic lets me run a full-speed VPN at home.

How

To go through an HTTP proxy, OpenVPN must use TCP, which requires small changes on both the server and the client.

Polipo as Tunnel Proxy

First install an HTTP proxy on the VPS. I chose polipo, which is fairly lightweight.

apt-get install polipo

Configuration is simple too: edit /etc/polipo/config (the stock file is almost entirely comments) and append to the bottom:

proxyAddress = "0.0.0.0"
proxyPort = 8128
authCredentials = "user:password3.141592654"
tunnelAllowedPorts = 1194
  • polipo listens only on 127.0.0.1 by default; to use it as a service it has to listen on the external interface
  • polipo listens on 8123 by default; pick an arbitrary port of your own so proxy scanners don't latch onto it
  • add HTTP Basic authentication; the password doesn't matter much, since OpenVPN will answer it automatically later on
  • allow tunnel (CONNECT) mode connections to OpenVPN's port 1194

OpenVPN

Server

The server side doesn't need much configuration; just make sure it listens in TCP mode (I run a second OpenVPN server instance on a separate subnet for this, personal preference).

Client

The client has to be told to use the proxy:

remote 127.0.0.1 1194
http-proxy YOUR.VPS.IP.HERE.com 8128 pw.txt
http-proxy-retry

pw.txt holds the HTTP authentication details from above, username and password on separate lines.

Now connect OpenVPN. When the log shows the following lines, OpenVPN over HTTP is essentially confirmed working!

Sun Mar  4 19:12:58 2012 Attempting to establish TCP connection with 199.101.103.107:8192 [nonblock]
Sun Mar  4 19:12:59 2012 TCP connection established with [IPADDR]:8128
Sun Mar  4 19:12:59 2012 Send to HTTP proxy: 'CONNECT 127.0.0.1:1194 HTTP/1.0'
Sun Mar  4 19:12:59 2012 Attempting Basic Proxy-Authorization
Sun Mar  4 19:13:00 2012 HTTP proxy returned: 'HTTP/1.1 200 Tunnel established'
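To see exactly what the client sends through the proxy, and to check the proxy side independently of OpenVPN, here is an added shell example (not code from the original post). It generates the polipo settings above, writes pw.txt in the two-line format OpenVPN expects, builds the CONNECT request with the Basic Proxy-Authorization header that the log reports, and parses the proxy's status line. Function names, the probe helper and the sample credentials user/pass are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: helpers around the polipo +
# OpenVPN http-proxy setup. Function names are hypothetical.

# Emit the polipo settings from the post with the values as parameters.
# tunnelAllowedPorts limits CONNECT targets to the OpenVPN port, so the proxy
# cannot be used as a generic relay even by someone holding the credentials.
polipo_config() {
    # $1 = listen port, $2 = proxy user, $3 = proxy password, $4 = OpenVPN port
    printf 'proxyAddress = "0.0.0.0"\nproxyPort = %s\nauthCredentials = "%s:%s"\ntunnelAllowedPorts = %s\n' \
        "$1" "$2" "$3" "$4"
}

# Write pw.txt: username on line 1, password on line 2, created with mode 0600
# so other local users cannot read the proxy secret.
write_pw_file() {
    # $1 = path, $2 = user, $3 = password
    ( umask 077; printf '%s\n%s\n' "$2" "$3" > "$1" )
    chmod 600 "$1"
}

# Base64 of "user:password", the value carried in the Proxy-Authorization header.
# Basic auth is encoding, not encryption: the proxy hop itself is cleartext HTTP,
# only the OpenVPN session inside the tunnel is TLS-protected.
basic_credential() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# The request OpenVPN sends when http-proxy is configured (see the log above):
# CONNECT to the VPN endpoint, HTTP/1.0, with Basic proxy authentication.
connect_request() {
    # $1 = remote host, $2 = remote port, $3 = user, $4 = password
    printf 'CONNECT %s:%s HTTP/1.0\r\nProxy-Authorization: Basic %s\r\n\r\n' \
        "$1" "$2" "$(basic_credential "$3" "$4")"
}

# Return 0 if the proxy's status line reports 2xx (tunnel established),
# 1 otherwise (e.g. 407 Proxy Authentication Required, 403 port not allowed).
tunnel_established() {
    # $1 = first response line, e.g. "HTTP/1.1 200 Tunnel established"
    case "$1" in
        "HTTP/1."[01]" "2[0-9][0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Probe a live proxy without OpenVPN (bash-only: uses /dev/tcp). Prints the
# status line and returns tunnel_established's verdict.
probe_proxy() {
    # $1 = proxy host, $2 = proxy port, $3 = remote host, $4 = remote port,
    # $5 = user, $6 = password
    exec 3<>"/dev/tcp/$1/$2" || return 2
    connect_request "$3" "$4" "$5" "$6" >&3
    IFS= read -r status <&3
    exec 3<&- 3>&-
    status=${status%$'\r'}
    printf '%s\n' "$status"
    tunnel_established "$status"
}

# Stand-alone run: print the config and the request for the post's example values.
polipo_config 8128 user password3.141592654 1194
connect_request 127.0.0.1 1194 user password3.141592654
```

`probe_proxy YOUR.VPS.IP.HERE.com 8128 127.0.0.1 1194 user password3.141592654` should print `HTTP/1.1 200 Tunnel established`; a 407 means the credentials in pw.txt don't match authCredentials, and a 403 usually means the target port is not in tunnelAllowedPorts.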

Related

Finally, a word about my setup: the VPN runs on an OpenWRT router, combined with the chnroute routing table, and dnsmasq is configured to hand resolution of commonly used domestic domains to the domestic 114.114.114.114 server. That way, as soon as I get home, phone, Kindle, computer and everything else is automatically behind the VPN, and the speed is very good.

-------------------------------

OpenVPN config files generator

It's not extremely difficult to set up an OpenVPN server, but you have to deal with certificates, RSA keys, configs, subnet addresses, iptables ... such trifles are annoying.

So I wrote this script to make my life easier: you only provide essential information like the server IP, the configuration is done in the background, and tarred packages are then ready for both the server and the clients.

Source is available at Github. Pull requests are welcome.

For security reasons, the script is best run on your workstation, uploading only the server part to the server.

Features

  • Provides tarred configs ready for any server distribution.
  • A random VPN subnet is generated to avoid conflicts.
  • Server/client CommonNames with a random numeric suffix are assigned (if you don't provide one) for clearer management.
  • All config files are based on the examples that ship with your distribution.
  • tls-auth enabled by default.

Usage

For new setup:

./much-easier-rsa-menu.sh


Just do as prompted. When you select 5 to exit, all the files are packed into a single NAME-all.tar.gz; save it somewhere safe. If you later want to sign more certificates from this root CA, pass that tar file as the argument.

./much-easier-rsa-menu.sh /path/to/YOUR-VPN-all.tar.gz

Finally, the script also prints iptables commands that are useful for setting up the server as a VPN gateway.
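To make the random-subnet and random-suffix features and the gateway rules concrete, here is an added shell example. It is not code from much-easier-rsa-for-openvpn and does not claim to reproduce how that script does it: the 10.0.0.0/8 range, the 4-digit suffix, the function names and the sample routing table are all constructed for this example. It picks a /24 that does not clash with an existing routing table and prints the forwarding/NAT rules a VPN gateway needs.

```bash
#!/bin/sh
# Added example, not code from much-easier-rsa-for-openvpn. Names, ranges and
# the sample routing table are constructed for illustration.

# One random byte from /dev/urandom as a decimal number 0..255.
rand_byte() {
    od -An -N1 -tu1 /dev/urandom | tr -d ' \n'
}

# Pick a /24 inside 10.0.0.0/8 (a hypothetical choice of range).
# Prints e.g. "10.137.42.0".
random_subnet() {
    a=$(( $(rand_byte) % 254 + 1 ))
    b=$(( $(rand_byte) % 254 + 1 ))
    printf '10.%s.%s.0\n' "$a" "$b"
}

# Append a random 4-digit suffix to a base CommonName: "server" -> "server-4821".
random_cn() {
    n=$(( ( $(rand_byte) * 256 + $(rand_byte) ) % 9000 + 1000 ))
    printf '%s-%s\n' "$1" "$n"
}

# Return 0 (true) if any destination in a routing table (text in `ip route`
# format, first field = destination) lies inside the candidate /24.
subnet_conflicts() {
    # $1 = subnet like 10.137.42.0, $2 = routing table text
    prefix="${1%.0}."
    printf '%s\n' "$2" | awk -v p="$prefix" '
        index($1, p) == 1 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Keep drawing subnets until one does not collide with the routing table.
pick_free_subnet() {
    # $1 = routing table text (on a real host: "$(ip route)")
    while :; do
        s=$(random_subnet)
        subnet_conflicts "$s" "$1" || { printf '%s\n' "$s"; return 0; }
    done
}

# Print the sysctl/iptables commands that turn the server into a VPN gateway:
# enable forwarding, NAT the VPN subnet out of the WAN interface, and only
# forward traffic that belongs to the VPN subnet.
gateway_rules() {
    # $1 = VPN subnet (e.g. 10.137.42.0), $2 = WAN interface (e.g. eth0)
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -t nat -A POSTROUTING -s %s/24 -o %s -j MASQUERADE\n' "$1" "$2"
    printf 'iptables -A FORWARD -s %s/24 -o %s -j ACCEPT\n' "$1" "$2"
    printf 'iptables -A FORWARD -d %s/24 -i %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$1" "$2"
}

# Constructed sample routing table (an existing tun0 already uses 10.8.0.0/24).
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20'

# Stand-alone run against the sample table.
subnet=$(pick_free_subnet "$SAMPLE_ROUTES")
printf 'server CN: %s\nclient CN: %s\nsubnet: %s/24\n' \
    "$(random_cn server)" "$(random_cn client)" "$subnet"
gateway_rules "$subnet" eth0
```

On a real host, call `pick_free_subnet "$(ip route)"` so the generated subnet is checked against the routes actually present; the FORWARD rules deliberately match only the VPN subnet so the gateway does not relay arbitrary traffic.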

Download

Direct download via wget/curl should work:

https://github.com/pentie/much-easier-rsa-for-openvpn/raw/master/much-easier-rsa-menu.sh

Project page:

https://github.com/pentie/much-easier-rsa-for-openvpn