Why changes to the OpenStack source code do not take effect

How to update the OpenStack code when GitHub cannot be reached? (by quqi99)
Author: Zhang Hua. Copyright notice: this article may be reproduced freely, but any reproduction must state the original source and author in hyperlink form together with this notice (http://blog.csdn.net/quqi99).

Recently, updating the OpenStack code with git pull, or submitting code with git review, has kept timing out and failing. The only option left was a free HTTP proxy such as goagent to get through the Great Firewall and download the code.

1. Install and configure the goagent proxy. goagent is an HTTPS proxy written in Python that runs on Google's cloud (a VM abroad), so you need a Google cloud account, you upload the goagent server side to the cloud, and you run the goagent client on your own machine (sudo python /bak/java/goagent-goagent/local/proxy.py). Search for the details, e.g. /over-the-wall-of-the-gae-goolge-app-engine-goagent-switchysharp.html; they are not repeated here. (git clone /goagent/goagent.git)

2. Set the HTTP and HTTPS proxies. This requires changing the git URL to "git clone http://**" or "git clone https://**"; URLs beginning with "git://**" need a tsocks proxy instead.

```
export https_proxy="https://127.0.0.1:8087"
export http_proxy="http://127.0.0.1:8087"
```

3. Install the certificate. The following commands install the GitHub certificate "/bak/java/goagent-goagent/local/.crt" (goagent's own CA). Note that importing it with the TC trust flags makes that CA trusted for every TLS site, not only GitHub, so it should be removed again once goagent is no longer in use.

```
sudo yum install nss-tools
# list all certificates
sudo certutil -d sql:/home/hua/.pki/nssdb -L
# show one certificate
sudo certutil -d sql:/home/hua/.pki/nssdb -L -n github
# import the certificate
sudo certutil -d sql:/home/hua/.pki/nssdb -A -t TC -n "github" -i /bak/java/goagent/local/CA.crt
# delete the certificate
sudo certutil -d sql:/home/hua/.pki/nssdb -n "github" -D /bak/java/goagent/local/CA.crt
```

4. Now "git pull" updates the OpenStack code successfully; the goagent log shows:

```
INFO - [Aug 26 13:47:03] 127.0.0.1:50390 "GAE :443 HTTP/1.1" - -
INFO - [Aug 26 13:47:10] 127.0.0.1:50390 "GAE GET /openstack/neutron.git/info/refs?service=git-upload-pack HTTP/1.1" 200 562208
INFO - [Aug 26 13:49:33] 127.0.0.1:50504 "GAE :443 HTTP/1.1" - -
INFO - [Aug 26 13:49:37] 127.0.0.1:50504 "GAE POST /openstack/neutron.git/git-upload-pack HTTP/1.1" 200 89357
```

Other notes:

1. To make the browser use this HTTP proxy, set the Network proxy Method to "Automatic" in the Internet settings, with the URI "http://127.0.0.1:8086/proxy.pac". To browse HTTPS sites the certificate also has to be imported into the browser: open Firefox -> Options -> Advanced -> Encryption -> View Certificates -> Import, choose /bak/java/goagent-goagent/local/CA.crt, tick every option and import. Chrome can use SwitchySharp (/p/wwqgtxx-goagent/downloads/detail?name=SwitchyOptions.bak&can=2&q=) in "auto switch mode", so that sites inside and outside the wall are switched automatically. Firefox can use FoxyProxy (https://addons.mozilla.org/zh-cn/firefox/addon/foxyproxy-standard/).

2. If goagent misbehaves, first make sure it is up to date, then try changing the profile = google_cn parameter in goagent-goagent/local/proxy.ini.

3. A proxy project called qrouter can aggregate the bandwidth of several proxies: different TCP connections are sent over different routes, so several routes are used at once.

Addendum:

1. Building an HTTP proxy with squid:

a. Install squid on the computer, configure it to use port 21 and start it. (http_access allow all turns squid into an open proxy for anyone who can reach port 21; keep only the localnet line unless that is intended.)

```
sudo vim /etc/squid/squid.conf
##################################
http_access allow localnet
http_access allow all
# And finally deny all other access to this proxy
#http_access deny all
# Squid normally listens to port 3128
http_port 21
##################################
sudo service squid start
```

b. On the server, export http_proxy=http://<the computer IP>:21 in the shell.

c. Now any program that honours http_proxy can be used, for example wget.

2. Building a SOCKS proxy with tsocks:

a. Set up a SOCKS proxy on the server with ssh:

```
ssh -D 8008 -l <your username> -o serveraliveinterval=60 <your IP> -fN
```

(serveraliveinterval keeps the ssh session alive with periodic heartbeats; -f runs in the background; -N opens no terminal.) This command sets up a local "dynamic" application-level port forward on port 8008.

b. Use tsocks to reach the Internet through port 8008. Install tsocks first (sudo yum install tsocks) and configure it to use port 8008:

```
sudo vim /etc/tsocks.conf
##################################
local = 192.168.1.0/255.255.255.0
local = 127.0.0.0/255.0.0.0
server = 127.0.0.1
server_type = 4
server_port = 8008
##################################
```

Then use the SOCKS proxy like: sudo tsocks wget ...

Update: today goagent stopped working and the code could not be updated from GitHub, so no work could get done. A kind person in the group gave me a VPN account, and with it the OpenStack code could be updated again:

1. PPTP client

In testing this did not work on Fedora 17, and in the end I used the L2TP client. On Fedora 19 the PPTP connector bundled with NetworkManager works; the trick is to tick MSCHAP and MSCHAPv2 for authentication, enable MPPE, and disable PAP, otherwise the Great Firewall keeps interfering with the plaintext PAP packets of PPTP. On Windows 8.1, in the VPN properties set data encryption to "maximum strength encryption" and choose "MS-CHAP v2" under "use Extensible Authentication Protocol (EAP)". (MS-CHAPv2 and MPPE are known to be cryptographically weak, so PPTP should be regarded as obfuscation rather than confidentiality.)

1) Install: sudo yum install pptp pptp-setup (http://sourceforge.net/projects/pptpclient/)
2) sudo ln -s /usr/sbin/ip /bin/ip
3) Create the connection:

```
sudo pptpsetup --create vpntunnel --server na.vpnip.net --username vpnip.net --password 2013 --encrypt --start
sudo pptpsetup --delete vpntunnel
```

4) Set the route (in /etc/hosts: 192.30.252.): sudo route add -net 192.30.252.0 netmask 255.255.252.0 dev ppp0
5) Graphical GUI tool: /p/vpnpptp/

2. L2TP client

1) sudo yum install xl2tpd
2) Configure xl2tpd as a client (it can also act as a server, similar to strongSwan):

```
$ cat /etc/xl2tpd/xl2tpd.conf
[lac quqi99]
name = myvpn
lns = <vpn-server-ip-address>
refuse chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/peers/options.l2tpd.client
ppp debug = yes
length bit = yes

$ cat /etc/ppp/peers/options.l2tpd.client
ipcp-accept-local
ipcp-accept-remote
refuse-pap
refuse-chap
refuse-eap
refuse-mschap
require-mschap-v2
require-mppe-128
noccp noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
lock
connect-delay 5000
name "<vpn-user-name>"
password "<vpn-password>"
```

Note: the settings below, which avoid plaintext and make sure all data is encrypted (enable MSCHAPv2 and MPPE, disable the others such as CHAP and PAP), are the key to stopping the GFW from interfering and dropping the connection all the time.

```
/etc/xl2tpd/xl2tpd.conf
refuse chap = yes
refuse pap = yes
require authentication = yes

/etc/ppp/peers/options.l2tpd.client
refuse-pap
refuse-chap
refuse-eap
refuse-mschap
require-mschap-v2
require-mppe-128
```

To guard against GFW disconnects, should the same six options (refuse-pap, refuse-chap, refuse-eap, refuse-mschap, require-mschap-v2, require-mppe-128) also be added to /etc/ppp/options.xl2tpd?

3) Start the service: sudo service xl2tpd restart
4) Switch to root and dial; once it succeeds the ppp0 interface appears:

```
echo 'c quqi99' > /var/run/xl2tpd/l2tp-control
# disconnect
echo 'd quqi99' > /var/run/xl2tpd/l2tp-control
```

5) Set the route (in /etc/hosts: 192.30.252.): sudo route add -net 192.30.252.0 netmask 255.255.252.0 dev ppp0

This worked at the time, but today it fails again with: xl2tpd Maximum retries exceeded for tunnel

Addendum: today git review could not submit code, and the Great Firewall was suspected from the start. Gerrit's address is ssh://<username>@review.openstack.org:29418/openstack/neutron.git, i.e. the ssh protocol, so an https_proxy proxy such as goagent obviously cannot help. With no other option I paid for a VPN, set it up as above, added a static route to review.openstack.org (sudo route add -host 198.101.231.251 dev ppp0), and could finally submit code.

```
# traceroute review.openstack.org
traceroute to review.openstack.org (198.101.231.251), 30 hops max, 60 byte packets
 1  10.10.11.1 (10.10.11.1)  287.837 ms  287.814 ms  287.801 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  review.openstack.org (198.101.231.251)  307.272 ms !X  307.240 ms !X  307.231 ms !X
```

On an Android phone, create an L2TP/IPSec VPN connection; its pre-shared key is: vpn.psk

3. SoftEther VPN

1) Download SoftEther VPN Client for Linux and install it with make: http://www.softether.org/5-download
2) Run the VPN client: ./vpnclient start
3) Configure the VPN client: http://wan.pengganas.net/entry/packetix-net-vpn-installation-on-linux/

Appendix: connecting to a VPN on Windows

Windows 8.1 can create PPTP and L2TP VPNs with its built-in client, but when I tried it the connection to the killwall VPN I had bought failed, so I switched to IPSec with the Shrew Soft VPN client; see /KB/read.php?ID=194 for the details. Once connected I did not want every site routed over the VPN; the original default route should stay, and only Google should be routed over the VPN, like this:

```
C:\Windows\System32>route -4 print |findstr "0.0.0.0"
Network Destination   Netmask          Gateway       Interface       Metric
0.0.0.0               0.0.0.0          192.168.1.1   192.168.1.104   125
0.0.0.0               0.0.0.0          On-link       10.10.11.6      31
```

You can adjust the routes by hand after dialling the VPN, since the VPN is only meant for certain ranges (e.g. Google, 74.125.235.68); after the dial-up succeeds, add routes for those ranges, for example:

```
route delete 0.0.0.0 mask 0.0.0.0 IF 0xc005              (delete vpn gw)
route add 10.0.0.0 mask 255.0.0.0 10.10.1.1 IF 0xc0005    (vpn gw)
route add 74.125.235.68 mask 255.255.255.255 10.10.11.6
```
Windows route command syntax: ROUTE [-f] [-p] [command [destination] [MASK netmask] [gateway] [METRIC metric] [IF interface]
Delete the default route: route delete 0.0.0.0 mask 0.0.0.0
Add a default route: route add 0.0.0.0 mask 0.0.0.0 192.168.1.1 IF 17 (the interface index IF is shown by route -4 print)

A script that whitelists certain foreign IPs that need to be reachable and routes them over the VPN:

```bash
#!/bin/bash
# Setting route after the ppp0 has been created. by quqi99
white_ip_list=`cat << EOF
  74.125.235.68    #
  74.125.128.91    #
  76.74.254.123    #
  192.30.252.129   #
  198.101.231.251  # review.openstack.org
  199.59.150.39    #
  103.245.222.184  # pypi.python.org
  185.31.17.185    # pypi.python.org
EOF`
DEVICE=ppp0
# derive the LAN gateway from the first global IPv4 address (assumes the gateway is .1)
PUBLIC_GW=$(ip -4 addr show | grep 'scope global' | awk '{print $2}' | head -1 | awk -F '.' '{print $1"."$2"."$3".1"}')
route add default gw $PUBLIC_GW
# send the /24 of every whitelisted address over the VPN device
echo "$white_ip_list" | while read line; do
  white_net=$(echo $line | awk '{print $1}' | awk -F '.' '{print $1"."$2"."$3".0"}' | uniq)
  route add -net ${white_net}/24 dev $DEVICE
done
#route del -net 0.0.0.0 gw 0.0.0.0 dev $DEVICE
```

Appendix 2: speeding up pypi installs with a domestic mirror (Tsinghua). (These index URLs are plain http, so package downloads are not integrity-protected in transit.)

```
$ cat ~/.pip/pip.conf
[global]
timeout = 6000
index-url = http://e.pypi.python.org/simple
[install]
use-mirrors = true
mirrors = http://e.pypi.python.org

$ cat ~/.pydistutils.cfg
[easy_install]
index_url = http://e.pypi.python.org/simple
```

Appendix 3: using a domestic apt mirror

```
sudo cp /etc/apt/sources.list /etc/apt/sources.list.bak
vim /etc/apt/sources.list
deb /ubuntu/ precise-updates main restricted
deb-src /ubuntu/ precise-updates main restricted
deb /ubuntu/ precise universe
deb-src /ubuntu/ precise universe
deb /ubuntu/ precise-updates universe
deb-src /ubuntu/ precise-updates universe
deb /ubuntu/ precise multiverse
deb-src /ubuntu/ precise multiverse
deb /ubuntu/ precise-updates multiverse
deb-src /ubuntu/ precise-updates multiverse
deb /ubuntu/ precise-backports main restricted universe multiverse
deb-src /ubuntu/ precise-backports main restricted universe multiverse
```

Appendix 3 (whitelist): sudo route add -net 173.194.38.0/24 dev vpn0

Sometimes Google Hangouts cannot be reached through the sslspeedy proxy; the cookies then need clearing, the error being "this website has a redirect loop".

A VPN works at layer 3 (routing) or layer 2 (switching), so using a remote DNS server with it is less convenient; sometimes an ssh tunnel plus AutoProxy with remote DNS is quicker and cheaper.

1. Create a SOCKS5 proxy on port 7070 via ssh; it can then be used from SSHTunnel on Android, AutoProxy in Firefox, etc.

```
ssh -lquqissh -fN -o ServerAliveInterval=30 -o ServerAliveCountMax=1 -D 7070 <ssh-server>
```

2. Create an HTTP/HTTPS proxy on top of the ssh SOCKS proxy:

```
sudo apt-get install polipo
sudo polipo socksProxyType=socks5 socksParentProxy=127.0.0.1:7070
export https_proxy=http://127.0.0.1:8123
git pull   # e.g. for the https protocol, like https://review.openstack.org/p/openstack-dev/devstack
```

3. Use tsocks to forward all application-level traffic to port 7070:

```
sudo apt-get install tsocks
sudo sed -i -r "s/server = (.*?)/server = 127.0.0.1/g" /etc/tsocks.conf
sudo sed -i -r "s/server_port = (.*?)/server_port = 7070/g" /etc/tsocks.conf
sudo tsocks git pull   # e.g. for the git protocol, git://git.openstack.org/openstack/keystone.git
```

The ssh tunnel above already uses -o ServerAliveInterval=30 -o ServerAliveCountMax=1 as a heartbeat to keep the connection up, but it still drops occasionally, so autossh is used as a further guarantee. (The script keeps the password in plaintext; the key-based login described later in this post avoids that.)

```bash
sudo apt-get install autossh expect
cat /bak/bin/autossh.sh
#!/bin/bash
#ssh -lquqissh -fN -o ServerAliveInterval=30 -o ServerAliveCountMax=1 -D 7070 s20.flyssh.net
HOST="<ssh-server>"
USER="quqissh"
PASS="<password>"
CMD="$@"
VAR=$(expect -c "spawn /usr/bin/autossh -M 2000 -N -v -D 127.0.0.1:7070 $USER@$HOST $CMD
match_max 100000
expect \"*?assword:*\"
send -- \"$PASS\r\"
send -- \"\r\"
expect eof")
echo "==============="
echo "$VAR"
```

This amounts to opening a listening port 2000 on 127.0.0.1: data received on 127.0.0.1:2000 is forwarded to the remote port 2000 (here still the local host), and the remote port 2000 (still the local host) forwards responses back to 127.0.0.1:2001.

```
/usr/lib/autossh/autossh -M 2000 -N -v -D 127.0.0.1:7070 quqissh@s20.flyssh.net
/usr/bin/ssh -L .0.1:2000 -R .0.1:2001 -N -v -D 127.0.0.1:7070 quqissh@s20.flyssh.net
```

Using sshuttle

1. Add an account:

```
sudo useradd -m -s /bin/bash -g root quqi99   # sudo userdel -r -f quqi99
sudo passwd quqi99
```

2. Enable ssh password login, in /etc/ssh/sshd_config: PasswordAuthentication yes (password login on an Internet-facing sshd invites brute forcing; key-based login is preferable.)

3. Install and configure sshuttle. sshuttle is a bit faster than ssh -D because it is just data-over-TCP rather than TCP-over-TCP. Under the hood it installs these rules:

```
iptables -t nat -N sshuttle-12300
iptables -t nat -F sshuttle-12300
iptables -t nat -I OUTPUT 1 -j sshuttle-12300
iptables -t nat -I PREROUTING 1 -j sshuttle-12300
iptables -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.0/8 -p tcp
iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 0.0.0.0/0 -p tcp --to-ports 12300 -m ttl ! --ttl 42
iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 127.0.1.1/32 -p udp --dport 53 --to-ports 12300 -m ttl ! --ttl 42
```

Clearly it sends all of a client's traffic, domestic included, through the tunnel, so performance is not great. sshuttle is simple to use: download and run it on the client (Python is required); nothing needs configuring on the server.

```
sudo apt-get install sshuttle
sshuttle --dns -r quqi99@162.213.** 0.0.0.0/0
sshuttle -r quqi99@162.213.34.205 192.168.0.0/16 -vv   # but this is for reaching the remote side's 192.168.0.0/16 subnet
sshuttle --dns -r quqi99@162.213.** 0.0.0.0/0 -vv      # reaching the remote 0.0.0.0/0 is what we want
```

Remote DNS is slow. It is better to run a DNS server on your own router that queries over TCP, combined with ipset so that only blocked foreign traffic is forwarded; so ssh remains the more reliable choice.

Update: using a WNDR4300 to get past the wall and defend against DNS pollution

Changing the DNS server only addresses DNS pollution; it does nothing against IP blocking or keyword blocking. When you request the DNS record of a sensitive domain, the request is a UDP packet that is easy to forge, and the forged response reaches your machine before the real one (an injector inside the country is always faster than a server abroad), so your machine is DNS-hijacked. Dealing with DNS pollution therefore comes down to receiving the genuine response. The common methods are listed below; the second looks best.

1. Use a DNS server on a port other than 53. Convenient, but few servers support a non-53 port; e.g. OpenDNS's 208.67.222.222#443.
2. Query over TCP, e.g. with pdnsd.
3. Use a tunnel (a VPN, or ss-tunnel) to forward the local UDP port-53 requests to be resolved remotely (ss-tunnel -c /etc/shadowsocks.json -b 0.0.0.0 -l 1053 -L 8.8.8.8:53 -u).
4. Configure two DNS servers, one domestic and one abroad, and maintain a list of domestic IP ranges; when the answer is a foreign IP, compare the two results, and if they differ use the response that arrived later. Example: chinadns.
5. DNSSEC is an extension between DNS servers and clients that lets the client check whether the returned data is intact; if the data was modified or corrupted the client can discard it, which guarantees a genuine answer. Few domains are DNSSEC-signed so far, though. dnsmasq settings:

```
dnssec
trust-anchor=.,,49AAC11D7B6FAA1ACE1CDDE32F24E8FB5
dnssec-check-unsigned
dnssec-no-timecheck
```

6. Use iptables to DROP the enumerated list of poisoned IPs; the problem is that if random IPs are used for poisoning, the list is hard to maintain.

dnsmasq can act as a caching DNS forwarder and as a DHCP server. First, the main dnsmasq options relevant to DNS:

1. no-resolv. On OpenWrt the resolv file is set by (option resolvfile '/tmp/resolv.conf.auto') in /etc/config/dhcp. When an interface comes up, if it has DNS configured or is set to use advertised DNS (the DNS that the upstream DHCP announces to downstream devices), that DNS is written into /tmp/resolv.conf.auto. So if DNS is set on both WAN and VPN, both interfaces' DNS servers are written there once they connect, and dnsmasq picks all of them up as default upstreams, even when they are the same. In other words both WAN and VPN push DNS settings into /tmp/resolv.conf.auto automatically. no-resolv disables this.

2. Without resolv, the server option directs particular domains to a particular DNS server, e.g. server=//8.8.8.8.

3. all-servers. dnsmasq accepts several upstream servers (server=8.8.8.8); with all-servers it queries them all at once and uses the fastest response. chinadns uses this to query domestic and foreign servers simultaneously. The same feature invites trouble, though, since a forged response also tends to arrive fast.

4. conf-dir=/etc/dnsmasq.d/ lets the DNS configuration live in /etc/dnsmasq.d, which is cleaner.

5. ipset support: for each domain add e.g. ipset=/./fuckgfw, where fuckgfw is the ipset name (ipset -N fuckgfw iphash).

6. So each domain to be reached can be whitelisted by hand in the following form, or generated automatically from the GFW list (see attachment 1):

```
server=//127.0.0.1:1053
ipset=//fuckgfw
```

Note: with this configuration an address is added to the ipset only when the domain is actually looked up and dnsmasq has resolved it.

```
ipset list fuckgfw             # inspect the ipset
ipset flush fuckgfw            # empty the ipset
/etc/init.d/dnsmasq restart    # restart dnsmasq
```

For example, for Google services only (the domain names between the slashes did not survive in the source):

```
cat /etc/dnsmasq.d/google.conf
# OpenDNS, 208.67.220.220#443
ipset=/./fuckgfw
server=/./127.0.0.1#1053
ipset=/..hk/fuckgfw
server=/..hk/127.0.0.1#1053
ipset=/..tw/fuckgfw
server=/..tw/127.0.0.1#1053
ipset=/..jp/fuckgfw
server=/..jp/127.0.0.1#1053
```

7. pdnsd's configuration (pdnsd.conf) must use TCP queries (query_method=tcp_only) and port 1053; start pdnsd with "pdnsd --debug" or "/etc/init.d/pdnsd restart".

```
cat /etc/pdnsd.conf
global {
        #debug=                # debug mode, log will be written in /var/pdnsd/pdnsd.debug
        perm_cache=8192;       # increase or decrease the perm_cache, change min_ttl & max_ttl
        cache_dir="/var/pdnsd";
        run_as="nobody";
        server_port=1053;
        server_ip=0.0.0.0;
        status_ctl=
        query_method=tcp_only;
        min_ttl=1d;
        max_ttl=1w;
        timeout=10;
}
# Add the upstream dns servers, the servers are queried in the order of their appearance
# (or parallel to a limited extend). If one fails, the next one is taken and so on.
server {
        label="Google Public Dns";
        ip=208.67.222.222,208.67.222.123,8.8.4.4;   # sometimes 8.8.4.4 does not work; test with nslookup -port= 192.168.99.1
        #root_server =
        uptest=
        #purge_cache=
        exclude=".cn",".",".qq.com",".csdn.net",".";
}
#server {
#       label="114 DNS";
#       ip=114.114.114.114,119.29.29.29,223.5.5.5;
#       exclude=".",".jp";
#}
```

Testing:

```
# e.g. nslookup returned 154.35.164.8 for the domain
whois 154.35.164.8            # whois shows this IP cannot be Twitter's
8.8.8.8                       # a UDP query to a foreign server is hijacked as well
nslookup - 8.8.8.8            # querying over TCP returns the correct IP
nslookup -port= 192.168.1.1   # check that the pdnsd configured above works
```

Now, with the router as DNS server, DNS pollution is avoided; but a LAN host with a manually configured DNS server is still exposed. To prevent that, force every LAN host to use the router's DNS by adding firewall rules that "hijack" all DNS requests to the router, so hosts with a custom DNS are not polluted either. Two rules in /etc/firewall.user suffice (DNAT of forwarded traffic to 127.0.0.1 also needs net.ipv4.conf.<lan-if>.route_localnet=1 on Linux, otherwise the kernel drops it):

```
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p udp --dport 53 -j DNAT --to 127.0.0.1:1053
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 53 -j DNAT --to 127.0.0.1:1053
```

[Optional] Alternatively, skip the iptables rules above (with them, dnsmasq needs no DNS configuration at all) and let dnsmasq on the router's port 53 forward to 1053; /etc/config/dhcp should then contain:

```
#all-servers
server=223.5.5.5            # 223.5.5.5 is Taobao's DNS, recommended for domestic domains
server=127.0.0.1#1053
log-queries
no-resolv
conf-dir=/etc/dnsmasq.d/
server=//127.0.0.1:1053     # specific domains are resolved by the pdnsd process on port 1053
ipset=//fuckgfw
```

[Optional] With pdnsd and dnsmasq integrated on the router, any LAN machine that gets its address from the router via DHCP automatically uses the router's DNS. Ubuntu also runs a local dnsmasq that resolves via 127.0.0.1, but that is only a minimal configuration telling it to use the upstream, i.e. the router's DNS, so LAN clients need nothing done. You may of course disable dnsmasq on the client and point /etc/resolv.conf at the router (nameserver 192.168.1.1), or override the local DNS through /etc/resolvconf/resolv.conf.d/head so that it points straight at the router (either way, client configuration is optional).
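How dnsmasq applies the server=/domain/ and ipset=/domain/ rules described above, as an added example that is not from the original post: the most specific matching suffix wins, a suffix only matches on a label boundary, and a name with no matching rule falls back to the default upstream and lands in no ipset (which is exactly the www.google.co.jp gap this post runs into later). The configuration text, domain names and the empty-domain rule for unqualified names are constructed for illustration.

```python
import re

# Constructed sample in the shape of this post's /etc/dnsmasq.d/*.conf; not the author's file.
SAMPLE_CONF = """
# constructed example
server=223.5.5.5
server=/google.com/127.0.0.1#1053
ipset=/google.com/fuckgfw
server=/mail.google.com/8.8.8.8
server=/.youtube.com/127.0.0.1#1053
ipset=/youtube.com/fuckgfw
"""

# server=/<domain>/<upstream>  or  ipset=/<domain>/<setname>
RULE_RE = re.compile(r'^(server|ipset)=/([^/]*)/(.*)$')


def parse_rules(conf_text):
    """Return (domain-scoped server rules, ipset rules, default upstreams)."""
    servers, ipsets, defaults = {}, {}, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):      # dnsmasq comments start the line
            continue
        m = RULE_RE.match(line)
        if m:
            kind, domain, target = m.groups()
            domain = domain.strip('.').lower()    # "/.youtube.com/" and "/youtube.com/" are the same
            (servers if kind == 'server' else ipsets)[domain] = target
        elif line.startswith('server='):
            defaults.append(line[len('server='):])  # plain server=X is a default upstream
    return servers, ipsets, defaults


def best_suffix(name, domains):
    """Longest suffix matching on a label boundary, the way dnsmasq picks a domain rule."""
    name = name.rstrip('.').lower()
    best = None
    for d in domains:
        if d == '':
            hit = '.' not in name          # empty domain: unqualified names only (assumed semantics)
        else:
            hit = name == d or name.endswith('.' + d)
        if hit and (best is None or len(d) > len(best)):
            best = d
    return best


def policy_for(name, servers, ipsets, defaults):
    """(upstream that answers the query, ipset the answer is added to) for one name."""
    s = best_suffix(name, servers)
    i = best_suffix(name, ipsets)
    upstream = servers[s] if s is not None else (defaults[0] if defaults else None)
    return upstream, (ipsets[i] if i is not None else None)


def unmatched(names, servers):
    """Names that no domain rule covers: candidates for a missing entry."""
    return [n for n in names if best_suffix(n, servers) is None]


if __name__ == '__main__':
    srv, sets, dflt = parse_rules(SAMPLE_CONF)
    for n in ['www.google.com', 'mail.google.com', 'www.google.co.jp', 'notgoogle.com']:
        print(n, '->', policy_for(n, srv, sets, dflt))
```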
Transparent proxy on the router

On the router a transparent proxy is best, so that clients need no proxy configuration. For shadowsocks, update /etc/init.d/shadowsocks to use ss-redir instead of ss-local. Note: when ss-redir and ss-local run at the same time, give them different ports in the default configuration /etc/shadowsocks.json. Also, the method value below must be lowercase.

```
{
    "server": "106.186.22.**",
    "server_port": 26062,
    "local_port": 8080,
    "password": "password",
    "timeout": 600,
    "method": "aes-128-cfb"
}
```

shadowsocks works from a whitelist: everything except Chinese IPs goes through the proxy.

```
wget -O- 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | awk -F\| '/CN\|ipv4/ { printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > /etc/shadowsocks/ignore.list
```

The GFWlist can also be turned into a domain blacklist so that dnsmasq resolves those names over the VPN and avoids pollution.

Client traffic thus arrives at the router, which has to pair it with a transparent proxy. For shadowsocks, add these iptables rules to /etc/firewall.user to steer traffic matching the fuckgfw ipset into the ss-redir process on port 8080 (ss-redir -c /etc/shadowsocks.json -l 8080):

```
ipset create fuckgfw iphash --exist
iptables -t nat -A PREROUTING -p tcp -m set --match-set fuckgfw dst -j REDIRECT --to-port 8080
```

Then restart the firewall: /etc/init.d/firewall restart

For a VPN, instead mark traffic matching the fuckgfw ipset with mark 8 in /etc/firewall.user:

```
#iptables -t mangle -A fwmark -m set --match-set fuckgfw dst -j MARK --set-mark 8
```

then steer mark-8 traffic into a separate routing table.

a. Create the routing table: echo "200 fuckgfw" >> /etc/iproute2/rt_tables

b. In that table add a default route that sends mark-8 traffic over the VPN tunnel. Also make DNS queries to 8.8.8.8 and the like go over the tunnel (to send them through ss-tunnel instead: ss-tunnel -c /etc/shadowsocks.json -b 0.0.0.0 -l 1053 -L 8.8.8.8:53 -u).

```
cat /etc/vpnc/post-connect.d/fuckgwf-connect
chmod +x /etc/vpnc/post-connect.d/fuckgwf-connect
#!/bin/sh
TUNDEV=tun0
ip route add 8.8.8.8 dev $TUNDEV
ip route add default dev $TUNDEV table fuckgfw
ip rule add fwmark 8 table fuckgfw
ip route list table fuckgfw
# ip rule del from all fwmark 0x8 lookup fuckgfw
ip rule list
```

c. When the VPN goes down, clear the rules of the fuckgfw table:

```
cat /etc/vpnc/post-disconnect.d/fuckgwf-disconnect
chmod +x /etc/vpnc/post-disconnect.d/fuckgwf-disconnect
#!/bin/sh
ip rule del table fuckgfw
```

d. Do not make the tunnel route the global default, or domestic sites become slow as well. In /etc/vpnc/vpnc-script:

```
        elif [ -n "$INTERNAL_IP4_ADDRESS" ]; then
                echo 'do not change default route'
                #set_default_route
        fi
```

e. vpnc configuration for the VPN:

```
/etc/vpnc/default.conf
IPSec gateway ipsec01.××.net
IPSec ID vpn
IPSec secret vpn.psk
Xauth username <username>
Xauth password <password>
NAT Traversal Mode cisco-udp
```

f. Install vpnc: opkg update && opkg install vpnc

g. Start vpnc: vpnc

11. Configure crontab to watch the ss-redir process:

```
root@OpenWrt:~# crontab -e
root@OpenWrt:~# crontab -l
*/2 * * * * isfound=$(ps | grep "ss-redir" | grep -v "grep"); if [ -z "$isfound" ]; then echo "$(date): restart ss-redir..." >>/tmp/log/ss-monitor.log && /etc/init.d/ fi
```

The above covered the principles together with most of the configuration; now, how to install OpenWrt, shadowsocks and the ipset-capable dnsmasq-full:

1. Download the firmware: http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/nand/openwrt-ar71xx-nand-wndr4300-ubi-factory.img
The WNDR4300's default IP is 192.168.1.1 (if the computer is also on Wi-Fi, put the wireless router on a different subnet). Connect a cable from a LAN port of the router to the computer's wired NIC, and the NIC gets a 192.168.1.0/24 address automatically.

2. Flash the firmware directly from the WNDR4300's admin UI (http://192.168.1.1). (Note: the admin UI seems unreachable while a proxy is active.)

3. In the OpenWrt admin UI (http://192.168.1.1) set the root password; ssh is then enabled by default.

4. Check that the 5 GHz band works:

```
$ ssh 192.168.1.1
root@OpenWrt:~# devmem 0x
0x002F055A
```

5. Configure the WAN interface: set PPPoE under Network -> Interface -> WAN -> Edit -> General Setup.

6. Configure wireless under Network -> Wireless.

7. Switch to Chinese: in System -> Software click Update lists, then enter luci-i18n-chinese under Download and install package and click OK. Then under System -> System -> Language and Style choose Chinese.

8. Install and configure shadowsocks. Packages: http://sourceforge.net/projects/openwrt-dist/files/shadowsocks-libev/

```
opkg install ipset libpolarssl resolveip
opkg install iptables-mod-geoip iptables-mod-nat-extra kmod-ipt-geoip kmod-ipt-nat kmod-ipt-nat-extra kmod-ipt-nathelper
```

(The error "kmod: failed to insert /lib/modules/3.10.49/ip_set.ko" means the router must be rebooted after installing ipset.) Pick the package without "spec" for your CPU, scp it to the router and install it:

```
scp shadowsocks-libev_2.1.4-1_ar71xx.ipk root@192.168.1.1:/tmp/*.ipk
opkg install /tmp/shadowsocks-libev_2.1.4-1_ar71xx.ipk
```

9. dnsmasq must support ipset (check with dnsmasq -v; dnsmasq-full adds ipset support on top of dnsmasq).
http://sourceforge.net/projects/openwrt-dist/files/dnsmasq
http://sourceforge.net/projects/openwrt-dist/files/depends-libs

```
dnsmasq -v     # check whether dnsmasq supports ipset
opkg remove dnsmasq
opkg install /tmp/libgmp_6.0.0-1_ar71xx.ipk
opkg install /tmp/libnettle_2.7.1-1_ar71xx.ipk
opkg install /tmp/dnsmasq-full_2.72-4_ar71xx.ipk
opkg install ipset iptables-mod-nat-extra
```

Attachment 1: generating dnsmasq server and ipset entries from the GFW list automatically

```python
#!/usr/bin/env python
# Turn the base64-encoded gfwlist (AdBlock-style rules) into dnsmasq server=/ipset= lines.
from os.path import expanduser
import base64
import urllib.request

if __name__ == '__main__':
#    gfwlist = 'http://autoproxy-/svn/trunk/gfwlist.txt'
    gfwlist = 'file:///bak/tools/gfw/wndr4300/openwrt/other/gfwlist.txt'
    # some sites can be visited via https or are already in a known list
    oklist = ['', '', '']
    print("fetching gfwList ...")
    d = urllib.request.urlopen(gfwlist).read()
    print("gfwList fetched")
    data = base64.b64decode(d).decode('utf-8', 'replace')
    lines = data.split("\n")
    with open(expanduser('/tmp/') + 'gfwlist.txt', 'w') as gfwlistfile:
        for l in lines:
            gfwlistfile.write(l + '\n')
    newlist = []
    for l in lines:
        if len(l) == 0:
            continue
        if l[0] == "!":          # comment line
            continue
        if l[0] == "@":          # exception rule (@@...)
            continue
        if l[0] == "[":          # header line such as [AutoProxy ...]
            continue
        l = l.replace("||", "").lstrip(".")
        l = l.replace("|https://", "")
        l = l.replace("|http://", "")
        # strip everything from "/" to the end
        if l.find("/") != -1:
            l = l[0:l.find("/")]
        if l.find("%2F") != -1:
            continue
        if l.find("*") != -1:    # wildcard rules cannot become a domain
            continue
        if l.find(".") == -1:    # keyword rules, not domains
            continue
        if l in oklist:
            continue
        newlist.append(l)
    newlist = list(set(newlist))
    newlist.sort()
    # generate dnsmasq configuration
    with open(expanduser('/tmp/') + 'gfwdomains.conf', 'w') as gfwdn:
        for l in newlist:
            gfwdn.write('server=/' + l + '/127.0.0.1#1053\n')
            gfwdn.write('ipset=/' + l + '/fuckgfw\n')
```

Attachment 2: recovering a bricked WNDR4300

DD-WRT could not use SSH, and after SSH was disabled the web UI was unreachable too, though telnet still worked. I decided to move the WNDR4300 to OpenWrt, which first requires restoring the official firmware.

1. Download the official firmware to the computer.
2. Start an HTTP server on the computer to serve the file: python -m SimpleHTTPServer
3. telnet 192.168.1.1, root / <your password for the WNDR4300>
4. Flash the firmware over telnet:

```
root@DD-WRT:/tmp# cd /tmp/
root@DD-WRT:/tmp# wget http://192.168.1.122:8000/WNDR.1.69PRRU.img
root@DD-WRT:/tmp# mtd -r write WNDR.1.69PRRU.img linux
Unlocking linux ...
Writing from WNDR.1.69PRRU.img to linux ...  [w]
root@DD-WRT:/tmp# Connection closed by foreign host.
```

The connection to the host is lost and the green LED blinks until the router reboots; that means the rescue succeeded. This method did not seem to work well, though: it just kept blinking for an hour or so with nothing happening.

5. Since mtd did not work, use tftp instead. Normally: hold reset, power on, release reset when the LED turns from green to blue, then run tftp. Give the computer's NIC an address on the same subnet beforehand (it may disappear when the power is cut). When tftp failed, this worked for me: power on and hold reset (the red circle on the back) for 30 seconds, cut power and hold for 30 seconds, power on and hold for 30 seconds, release reset for 10 seconds, cut power for 10 seconds, power on and reconnect.

```
sudo arp -s 192.168.1.1 04a
$ tftp 192.168.1.1
tftp> binary
tftp> put WNDR.1.69PRRU.img
WNDR.1.60.img
Sent bytes in 2.7 seconds
```

6. Then reset the configuration: with power on, hold reset for about 5 seconds and release when the LED blinks.

References:
1. Netgear WNDR4300 wall-crossing manual, http://tonylee.name/?page_id=14
2. OpenWrt VPN routing by domain, https://blog.sorz.org/p/openwrt-outwall/

Using an ssh tunnel to a VPS from OpenWrt

1. OpenWrt's default SSH server/client is Dropbear, and as a client Dropbear does not meet our needs, so install openssh-client. First delete ssh and scp from /usr/bin on the router; both are symlinks to Dropbear, so they are safe to remove.

```
rm -rf /usr/bin/ssh
rm -rf /usr/bin/scp
opkg install openssh-server openssh-client autossh polipo
```

2. Key-based login (1024-bit RSA is below today's minimum; 2048 bits or more is the usual floor):

```
ssh-keygen -b 1024 -t rsa
scp /root/.ssh/id_rsa.pub quqi99@<ssh-server-ip>:/home/quqi99/.ssh/authorized_keys
```

3. Run autossh, equivalent to ssh -D 8008 -lquqi99 -o serveraliveinterval=60 <ssh-server-ip> -fNv:

```
autossh -M20000 -f -q -N -D 127.0.0.1:8080 quqi99@<ssh-server-ip>
```

or add a startup service:

```
cat /etc/init.d/iautossh
#!/bin/sh /etc/rc.common
START=99
start() {
    autossh -M20000 -f -q -N -D 0.0.0.0:8080 quqi99@<ssh-server-ip>
}
stop() {
    killall autossh
}
chmod +x /etc/init.d/iautossh
/etc/init.d/iautossh enable
```

4. Configure polipo:

```
cat /etc/polipo/config
pidFile = "/var/run/polipo.pid"
daemonise = true
proxyAddress = "0.0.0.0"
allowedClients = "127.0.0.1", "192.168.0.0/16"
socksParentProxy = "127.0.0.1:8080"
socksProxyType = socks5
logFile = "/tmp/log/polipo.log"

cat /etc/init.d/ipolipo
#!/bin/sh /etc/rc.common
START=99
start() {
    polipo -c /etc/polipo/config &
}
stop() {
    killall polipo
}
chmod +x /etc/init.d/ipolipo
/etc/init.d/ipolipo enable   # note: not /etc/init.d/polipo enable
```

Update: how the GFW works

The GFW is a distributed intrusion detection system rather than a firewall in the strict sense: not every IP packet crossing the border has to pass through it first. As an IDS it treats each visit to Facebook as an intrusion and responds once it detects one, typically with a connection reset: after observing an offending IP packet it sends back RST packets to tear down the TCP connection.

1. HTTP is standard and unencrypted, so it is hashed, load-balancer style, across many nodes, which reassemble the one-way byte stream of a TCP session.
2. The requested URL is taken from the HTTP GET request and matched against keywords, e.g. whether Twitter appears in the URL.
3. Having recognised a plaintext HTTP proxy or SOCKS proxy, the GFW can also dissect the HTTP body carried inside it. If the wrapping is something the GFW does not understand, e.g. TCP packets stuffed into UDP, it cannot read the body and the keyword check is evaded.
4. The GFW analyses UDP DNS queries on port 53; queries on other ports have not been hijacked so far. TCP DNS queries can already be cut with TCP RST, which shows the capability exists but is not deployed at scale.
5. SMTP: it checks whether mail is addressed to a blacklisted address and immediately cuts the connection with TCP RST if so.
6. eDonkey (ed2k): the GFW cuts every ed2k connection that uses obfuscation, forcing clients to talk to servers in plaintext.
7. IP blocking: blackhole routes are injected into the backbone routers' tables, so those routers drop packets to the given IPs on the GFW's behalf.
8. DNS hijacking relies on weaknesses of DNS and IP: neither protocol verifies that the server is authoritative, and DNS clients blindly trust the first answer they receive. The GFW only has to answer before the genuine reply arrives, impersonating the server you queried and sending a wrong answer.
9. If a server is detected offering wall-crossing over SSH or a VPN, the GFW deploys an ACL on the national egress backbone routers to block downstream packets for that server and port.
10. Python's NetfilterQueue (iptables -D OUTPUT -p udp --dst 8.8.8.8 -j QUEUE) gives Python the ability to capture, modify and send arbitrary packets.
11. Python's dpkt parses and constructs arbitrary IP packets.
12. Non-53 ports: dig @208.67.222.222 -p, but applications generally do not support non-53 ports, so either forward through a local DNS service (dnsmasq or pdnsd; dnsmasq cannot force TCP to upstream servers), rewrite IP packets with NetfilterQueue, or use iptables rules:

```
iptables -t nat -I OUTPUT --dst 208.67.222.222 -p udp --dport 53 -j DNAT --to-destination 208.67.222.222:5353
#iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p udp --dport 53 -j DNAT --to 127.0.0.1:1053
#iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 53 -j DNAT --to 127.0.0.1:1053
```

Because dnsmasq cannot force TCP towards upstream servers, when pdnsd or unbound is used to build a TCP DNS resolver on a non-53 port, /etc/config/dhcp must be changed: comment out resolvfile and enable noresolv so that dnsmasq does not use the DNS servers from the resolv file:

```
config 'dnsmasq'
        #option 'resolvfile' '/tmp/resolv.conf.auto'
        option 'noresolv' '1'
        list 'server' '127.0.0.1#5353'
```

When list 'server' is 127.0.0.1#5353 the forwarding is global (in the web UI: Network -> DHCP and DNS -> DNS forwardings); 114.114.114.114 could be entered here instead, with /etc/dnsmasq.conf (server=//127.0.0.1#5353) forwarding only specific sites. It is possible to mix the traditional /etc/dnsmasq.conf configuration file with the options found in /etc/config/dhcp. The dnsmasq.conf file does not exist by default but will be processed by dnsmasq on startup if it is present.
Note that options in /etc/config/dhcp take precedence over dnsmasq.conf since they are translated to command line arguments. It seems all-servers should be commented out in /etc/dnsmasq.conf (#all-servers). For OpenDNS on a non-53 port:

```
config 'dnsmasq'
        #option 'resolvfile' '/tmp/resolv.conf.auto'
        option 'noresolv' '1'
        list 'server' '208.67.222.222#5353'
        list 'server' '208.67.220.220#5353'
        bogus-nxdomain=67.215.65.132   # stop OpenDNS showing an ad page for non-existent domains
```

13. The GFW does not normally block TCP DNS queries, so they return correct results; but as with non-standard ports, almost no application supports TCP queries.
14. iptables nfqueue: where kernel modules cannot be installed or compiled, most commonly on Android phones, where the vendor does not disclose the kernel version and build options so ordinary users cannot rebuild the Linux kernel, iptables' nfqueue hands the IP filtering that a kernel module would do over to user space (an ordinary application).
15. Diagnostics:

```
tcpdump -i pppoe-wan host 199.59.150.7 or icmp -vvv
iptables -L -v -n | grep icmp
```

References:
1. http://otnth.blogspot.jp/2012/05/openwrt-dns.html?m=1
2. /kill-gfw-router-principle.html
3. /1161.html

Using chinadns against DNS pollution

Update the IP ignore list:

```
rm -f /etc/chinadns_chnroute.txt
ln -s /etc/shadowsocks/ignore.list /etc/chinadns_chnroute.txt
wget -O- 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | awk -F\| '/CN\|ipv4/ { printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > /etc/shadowsocks/ignore.list
```

IPv6

ISPs have long offered IPv6 6to4 access, and OpenWrt supports IPv6 natively since Barrier Breaker.

```
opkg install 6to4 kmod-sit luci-proto-ipv6 radvd ip ip6tables kmod-ipv6 kmod-tun kmod-ip6tables
```

1. In OpenWrt's Network -> Interface menu, configure a 6to4 tunnel for the WAN interface on the WAN6 tab. On the LAN tab, under DHCP Server -> IPv6 Settings, set:
Router Advertisement-Service: server mode
DHCPv6-Service: server mode
NDP-Proxy: disabled
DHCPv6-Mode: stateless + stateful

This amounts to roughly the following (pppd nodetach ipparam wan ifname pppoe-wan +ipv6 nodefaultroute usepeerdns persist maxfail 1 user):

```
# create and bring up tunnel
ip tunnel add tun6to4 mode sit remote any local 114.245.25.8
ip link set dev tun6to4 up
# assign ipv6 addr to tunnel
ip -6 addr add : dev tun6to4
# assign ipv6 addr to LAN
ip -6 addr add :1908:ffff::1/64/64 dev br-lan
# add a default route via 6to4 magic, ::192.88.99.1 is the "magic" anycast address of the 6to4 protocol
ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4 metric 1
route -n -A inet6
ip -6 addr show
ip -6 neigh show
```

2. After rebooting the router or running /etc/init.d/network restart, both the router and the LAN machines get 6to4 IPv6 addresses and can access IPv6 sites directly.

3. IPv6 host: put the nameserver in /etc/resolvconf/resolv.conf.d/head, then run resolvconf -u:

```
nameserver 60::8844
```

4. Verification: the commands below show that many different domains return the same IPv6 address, which means the GFW pollutes IPv6 lookups as well.

```
nslookup -query=AAAA
dig AAAA
```

5. Remember to add https when typing the URL: https://[2a00:2::2005]/

6. The following program performs DNS queries over TCP; test it with: nslookup -port=5354 -type=AAAA 127.0.0.1

```python
#! /usr/bin/python3
# Receive UDP DNS queries on 127.0.0.1:5354, forward each one to an upstream resolver
# over TCP (a 2-byte length prefix precedes the DNS message), and return the answer over UDP.
import os
import sys
import socket
import struct
import threading
import socketserver
import traceback
import random

DHOSTS = ['60::8888',
          '60::8844'
          ]
DPORT = 53
TIMEOUT = 60

# -------------------------------------------------------------
# Hexdump, handy for inspecting raw DNS messages
# default width 16
# -------------------------------------------------------------
def hexdump(src, width=16):
    result = []
    for i in range(0, len(src), width):
        s = src[i:i + width]
        hexa = ' '.join("%02X" % b for b in s)
        printable = ''.join(chr(b) if 32 <= b < 127 else '.' for b in s)
        result.append("%04X   %s   %s\n" % (i, hexa, printable))
    return ''.join(result)

# -------------------------------------------------------------
# bytetodomain
# 03www06google02cn00 => www.google.cn
# -------------------------------------------------------------
def bytetodomain(s):
    domain = ''
    i = 0
    length = struct.unpack('!B', s[0:1])[0]
    while length != 0:
        i += 1
        domain += s[i:i + length].decode('ascii', 'replace')
        i += length
        length = struct.unpack('!B', s[i:i + 1])[0]
        if length != 0:
            domain += '.'
    return domain

# -------------------------------------------------------------
# tcp dns request
# -------------------------------------------------------------
def QueryDNS(server, port, querydata):
    # TCP DNS messages are prefixed with a 2-byte big-endian length
    Buflen = struct.pack('!H', len(querydata))
    sendbuf = Buflen + querydata
    s = None
    try:
        s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        s.settimeout(TIMEOUT)  # set socket timeout
        s.connect((server, int(port)))
        s.sendall(sendbuf)
        data = s.recv(2048)
    except Exception:
        traceback.print_exc(file=sys.stdout)
        if s:
            s.close()
        return None
    if s:
        s.close()
    return data

# -------------------------------------------------------------
# send udp dns response back to client program
# -------------------------------------------------------------
def transfer(querydata, addr, server):
    if not querydata:
        return
    domain = bytetodomain(querydata[12:-4])
    qtype = struct.unpack('!H', querydata[-4:-2])[0]
    print('domain:%s, qtype:%x, thread:%d' %
          (domain, qtype, threading.active_count()))
    sys.stdout.flush()
    choose = random.sample(range(len(DHOSTS)), 1)[0]
    DHOST = DHOSTS[choose]
    response = QueryDNS(DHOST, DPORT, querydata)
    if response:
        # udp dns packet has no length prefix
        server.sendto(response[2:], addr)
    return

class ThreadedUDPServer(socketserver.ThreadingMixIn, socketserver.UDPServer):
    # Ctrl-C will cleanly kill all spawned threads
    daemon_threads = True
    # much faster rebinding
    allow_reuse_address = True

    def __init__(self, s, t):
        socketserver.UDPServer.__init__(self, s, t)

class ThreadedUDPRequestHandler(socketserver.BaseRequestHandler):
    def handle(self):
        data = self.request[0]
        sock = self.request[1]
        addr = self.client_address
        transfer(data, addr, sock)

if __name__ == "__main__":
    print('>> Please wait program init....')
    print('>> Init finished!')
    print('>> Now you can set dns server to 127.0.0.1')
    server = ThreadedUDPServer(('127.0.0.1', 5354), ThreadedUDPRequestHandler)
    # on my ubuntu uid is 1000, change it
    # comment out below line on windows platform
    os.setuid(1000)
    server.serve_forever()
    server.shutdown()
```
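The two pieces the post relies on but never shows working together, as an added example that is not from the original post: parsing the answer section of a DNS response (with name compression) so a poisoned reply can actually be inspected, stripping the 2-byte TCP framing the proxy above removes, and the chinadns-style rule from method 4 of the DNS-pollution section (trust a domestic reply that points at a CN address; otherwise, when the domestic and foreign replies differ, treat the earlier one as the injected answer and use the later one). The response bytes, domain names, addresses and the CN prefix list are all constructed for illustration.

```python
import struct
import ipaddress

# Constructed stand-in for the apnic-derived CN prefix list this post builds with awk.
CN_NETS = ['223.5.5.0/24', '1.0.1.0/24']


def build_response(txid, qname, ips):
    """Constructed sample: a minimal DNS response with one A question and A answers."""
    header = struct.pack('!HHHHHH', txid, 0x8180, 1, len(ips), 0, 0)
    question = b''.join(struct.pack('!B', len(l)) + l.encode('ascii')
                        for l in qname.split('.')) + b'\x00' + struct.pack('!HH', 1, 1)
    answers = b''
    for ip in ips:
        # 0xC00C is a compression pointer back to the name at offset 12
        answers += struct.pack('!HHHIH', 0xC00C, 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answers


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it in the stream)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer: follow it, keep our place
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack('!H', msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode('ascii'))
        off += length
    return '.'.join(labels), (end if jumped else off)


def answer_ips(msg):
    """A-record addresses in a UDP-framed DNS response (no length prefix)."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack('!HHHHHH', msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return ips


def tcp_frame(msg):
    """DNS over TCP: prefix the message with its 2-byte big-endian length."""
    return struct.pack('!H', len(msg)) + msg


def strip_tcp_frame(data):
    """Inverse of tcp_frame: what the proxy above does before replying over UDP."""
    (length,) = struct.unpack('!H', data[:2])
    return data[2:2 + length]


def is_cn(ip, cn_nets=CN_NETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in cn_nets)


def pick_answer(responses, cn_nets=CN_NETS):
    """chinadns-style choice. responses: [(resolver_label, message_bytes)] in arrival order."""
    answers = {label: answer_ips(msg) for label, msg in responses}
    domestic = answers.get('domestic')
    if domestic and all(is_cn(ip, cn_nets) for ip in domestic):
        return domestic, 'domestic reply is a CN address'
    if len(set(tuple(a) for a in answers.values())) == 1:
        return list(answers.values())[0], 'all replies agree'
    later_label, later_msg = responses[-1]   # earlier differing reply = suspected injection
    return answer_ips(later_msg), 'replies differ; using the later one from ' + later_label


if __name__ == '__main__':
    dom = build_response(0x1234, 'example.com', ['154.35.164.8'])    # constructed "poisoned" reply
    frn = build_response(0x1234, 'example.com', ['199.59.150.39'])
    print(pick_answer([('domestic', dom), ('foreign', frn)]))
```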
Oye router hardware connection: use a network cable to connect the Oye router's WAN port to a LAN port of the home router, then join the Oye router's wireless hotspot, and finally log in with ssh root@192.168.8.1 (the default password is admin).

The package sources in /etc/opkg.conf can be changed to:

dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /tmp
src/gz barrier_breaker_base /OYE-0001.BB.IPKs./base
src/gz barrier_breaker_luci /OYE-0001.BB.IPKs./luci
src/gz barrier_breaker_management /OYE-0001.BB.IPKs./management
src/gz barrier_breaker_oldpackages /OYE-0001.BB.IPKs./oldpackages
src/gz barrier_breaker_packages /OYE-0001.BB.IPKs./packages
src/gz barrier_breaker_routing /OYE-0001.BB.IPKs./routing

Unfortunately the kernel version is too old to support ipset:

root@OYE:~# opkg install ipset libpolarssl resolveip
Installing ipset (6.20.1-1) to root...
Downloading /OYE-0001.BB.IPKs./base/ipset_6.20.1-1_ramips_24kec.ipk.
Upgrading libpolarssl on root from 1.3.8-1 to 1.3.8-2...
Downloading /OYE-0001.BB.IPKs./base/libpolarssl_1.3.8-2_ramips_24kec.ipk.
Package resolveip (2) installed in root is up to date.
Configuring libpolarssl.
Collected errors:
 * satisfy_dependencies_for: Cannot satisfy the following dependencies for ipset:
 *      kernel (= 3.10.49-1-3df3ab26a49abf83827ca3) *      kernel (= 3.10.49-1-3df3ab26a49abf83827ca3) *
 * opkg_install_cmd: Cannot install package ipset.
root@OYE:~# opkg info kernel
Package: kernel
Version: 3.10.49-1-2dd2cf0a47
Depends: libc
Status: install hold installed
Architecture: ramips_24kec
Installed-Time:

Then flash the OpenWrt trunk build: http://downloads.openwrt.org/snapshots/trunk/ramips/mt7620/openwrt-ramips-mt7620-Lenovo-y1-squashfs-sysupgrade.bin

Download shadowsocks-libev-spec_2.2.2-1_ramips_24kec.ipk from http://sourceforge.net/projects/openwrt-dist/files/shadowsocks-libev/2.2.2-89e0f7f/ramips/ and install it; this resolves the problem above. Change the sources to:

dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /tmp
src/gz barrier_breaker_base http://downloads.openwrt.org/snapshots/trunk/ramips/mt7620/packages/base
src/gz barrier_breaker_luci http://downloads.openwrt.org/snapshots/trunk/ramips/mt7620/packages/luci
src/gz barrier_breaker_packages http://downloads.openwrt.org/snapshots/trunk/ramips/mt7620/packages/packages
src/gz barrier_breaker_routing http://downloads.openwrt.org/snapshots/trunk/ramips/mt7620/packages/routing
src/gz barrier_breaker_telephony http://downloads.openwrt.org/snapshots/trunk/ramips/mt7620/packages/telephony
src/gz barrier_breaker_management http://downloads.openwrt.org/snapshots/trunk/ramips/mt7620/packages/management
src/gz barrier_breaker_oldpackages http://downloads.openwrt.org/barrier_breaker/14.07/ramips/mt7620a/packages/oldpackages

However, other problems remain:
1, pdnsd does not start properly; a web search suggests the version may be too old.
2, The web GUI does not come up, even after running the following commands:
opkg install luci luci-i18n-chinese
/etc/init.d/uhttpd enable
/etc/init.d/uhttpd start
When I have time I will try http://downloads.openwrt.org/barrier_breaker/14.07/ramips/mt7620a/ instead.

Solving one problem

This week Google stopped working, and so did other sites that also need the tunnel. I found the cause: I use a Japanese tunnel, so visiting Google automatically redirects to www.google.co.jp, and co.jp had not been added to the ipset, so its DNS was not resolved correctly.

ipset=//fuckgfw
server=//127.0.0.1#1053
ipset=/co.jp/fuckgfw
server=/co.jp/127.0.0.1#1053

On Ubuntu that configuration file belongs in /etc/NetworkManager/dnsmasq.d, not /etc/dnsmasq.d. Running sudo restart network-manager restarts dnsmasq (dnsmasq has to be installed first: sudo apt-get install dnsmasq). Resolving the name locally is only half of it; the tunnel is still needed to reach the site. NetworkManager runs dnsmasq as:

/usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/run/sendsigs.omit.d/network-manager.dnsmasq.pid --listen-address=127.0.1.1 --conf-file=/var/run/NetworkManager/dnsmasq.conf --cache-size=0 --proxy-dnssec --enable-dbus=org.freedesktop.NetworkManager.dnsmasq --conf-dir=/etc/NetworkManager/dnsmasq.d

Hangouts had video but no audio, probably because at first the firewall only had rules for TCP and none for UDP:

iptables -t nat -A PREROUTING -p tcp -m set --match-set fuckgfw dst -j REDIRECT --to-port 7070
iptables -t nat -A PREROUTING -p udp -m set --match-set fuckgfw dst -j REDIRECT --to-port 7070
-A zone_wan_input -p tcp -m tcp --dport 7070 -m comment --comment shadowsocks -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 7070 -m comment --comment shadowsocks -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 19302 -m comment --comment hangouts_income_udp -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 19309 -m comment --comment hangouts_outcome_udp -j ACCEPT

Fixing the VPN not working

Because I found the VPN's domain name was poisoned and could not be reached, I appended the following two lines to /etc/dnsmasq.d/gfwdomains.conf:

ipset=//fuckgfw
server=//127.0.0.1#1053

As a result the VyprVPN range XX.99.0.0/16 ended up in the fuckgfw ipset, and the following iptables rules sent the VPN traffic itself into the shadowsocks tunnel, so PPTP and OpenVPN connections could not be established.

iptables -t nat -A PREROUTING -p tcp -m set --match-set fuckgfw dst -j REDIRECT --to-port 7070
iptables -t nat -A PREROUTING -p udp -m set --match-set fuckgfw dst -j REDIRECT --to-port 7070

The workaround was to add the following (to take effect, the RETURN rules must sit ahead of the REDIRECT rules in the chain, since the first matching terminating target wins):

iptables -t nat -A PREROUTING -p tcp -m set --match-set fuckgfw dst -d XX.99.0.0/16 -j RETURN
iptables -t nat -A PREROUTING -p udp -m set --match-set fuckgfw dst -d XX.99.0.0/16 -j RETURN

This is not a good fix, though: the address range is probably too wide and exempts traffic it should not. Alternatively, remove the ipset=//fuckgfw line and use only server=//127.0.0.1#1053.

OpenVPN connections time out frequently (PPTP mostly connects), and a restart network-manager lets them connect again. Why? To debug OpenVPN:

sudo /usr/lib/NetworkManager/nm-openvpn-service --debug --persist

The log shows a TLS timeout, so I set every forward rule in the router's firewall to accept; it then seems to connect successfully more often and noticeably faster. But that does not fix the root cause: where can the TLS timeout be increased? See http://blog.csdn.net/dog250/article/details/9529927

Fri Sep 25 15:52:41 2015 us=625871 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Sep 25 15:52:41 2015 us=625884 TLS Error: TLS handshake failed

/etc/sysctl.conf:
net.netfilter.nf_conntrack_tcp_timeout_established=1200
net.netfilter.nf_conntrack_udp_timeout=120
sysctl -p

Update

For VPNs using the vpnc protocol, the command line succeeds more readily than NetworkManager (NetworkManager integrates dnsmasq, so using the IP address directly instead of the VPN's domain name effectively shortens the connection timeout).

sudo vpnc --local-port 0
sudo vpnc-disconnect

# cat /etc/vpnc/default.conf
IPSec gateway <gateway>
IPSec ID vpn
IPSec secret vpn.password
#IKE Authmode hybrid
Xauth username usename
Xauth password password
NAT Traversal Mode cisco-udp
#Enable Single DES

Also, disabling IPv6 reduces the timeouts; there are three places:
1, vi /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash intel_iommu=on intel_iommu_dump=1 ipv6.disable=1"
2, vi /etc/sysctl.conf
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
3, vi /etc/NetworkManager/system-connections/quqiAP (without this change the log reports: NetworkManager[13827]: <info> (wlan2): IP6 addrconf timed out or failed)
[ipv6]
method=ignore

Update

Today the error "vpnc: no response from target" appeared; it was solved with:
sudo apt-get install libssl-dev

hua@hua-ThinkPad-T440p:~$ sudo cat /etc/openvpn/vyprvpn.conf
#sudo apt-get install openvpn
#sudo wget -O /etc/openvpn/.crt /downloads/.crt
#sudo openvpn --config /etc/openvpn/vyprvpn.conf
client
keepalive 10 60
nobind
dev tun
proto udp
#link-mtu 1542
remote <vpn-ip> 1194
resolv-retry infinite
persist-key
persist-tun
persist-remote-ip
ca /etc/openvpn/<ca>
tls-client
auth-user-pass /etc/openvpn/pass.txt
auth-nocache
comp-lzo
verb 3
tun-mtu 6000
fragment 0
mssfix 0
reneg-sec 0

sudo openvpn --client --remote <vpn-ip> --dev tun --comp-lzo --auth-user-pass /etc/openvpn/pass.txt --tls-client --ca /etc/openvpn/.crt

Using PPTP

sudo apt-get install pptp-linux
sudo vi /etc/ppp/peers/jp1.vyprvpn
pty "pptp <vpn-ip> --nolaunchpppd"
lock
noauth
nobsdcomp
nodeflate
name <your-account-name>
remotename jp1.vyprvpn
ipparam jp1.vyprvpn
require-mppe-128
usepeerdns
defaultroute
persist
#lcp-echo-failure 30
#lcp-echo-interval 5
#debug

sudo vi /etc/ppp/chap-secrets
<your-account-name> jp1.vyprvpn password *

sudo vi /etc/ppp/ip-up.local
#!/bin/bash
# route the VPN server itself via the old default gateway, then make ppp0 the default
H=`ps aux | grep 'pppd pty' | grep -v grep | awk '{print $14}'`
DG=`route -n | grep UG | awk '{print $2}'`
DEV=`route -n | grep UG | awk '{print $8}'`
route add -host $H gw $DG dev $DEV
route del default $DEV
route add default dev ppp0

Start: sudo pon jp1.vyprvpn
Stop: sudo poff jp1.vyprvpn
Debug: sudo strace -f -o /tmp/pptp-strace.log pon jp1.vyprvpn

But it fails with:
Dec 19 00:05:14 hua-ThinkPad-T440p pptp[18138]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 1 'Start-Control-Connection-Request'
Dec 19 00:05:14 hua-ThinkPad-T440p pptp[18138]: anon log[pptp_read_some:pptp_ctrl.c:551]: read error: Connection reset by peer
Dec 19 00:05:14 hua-ThinkPad-T440p pptp[18138]: anon log[pptp_read_some:pptp_ctrl.c:544]: read returned zero, peer has closed

Adding the following firewall rules on the router still gives the error:
## PPTP: forward initiator 1723/tcp
iptables -t nat -A PREROUTING -p tcp --dport 1723 -j DNAT --to <vpn-ip>
iptables -A FORWARD -p tcp --dport 1723 -d <vpn-ip> -j ACCEPT
## PPTP: forward tunnel GRE traffic
iptables -t nat -A PREROUTING -p gre -j DNAT --to <vpn-ip>
iptables -A FORWARD -p gre -d <vpn-ip> -j ACCEPT

General steps for IPsec/L2TP with xl2tpd

vi /etc/ipsec.conf
conn vyprvpn
        authby=secret
        pfs=no
        rekey=yes
        keyingtries=3
        type=transport
        left=%defaultroute
        leftprotoport=17/1701
        right=<vpn-ip>
        rightid=@<vpn-host>
        rightprotoport=17/1701
        auto=add

vi /etc/ipsec.secrets
%any : PSK "password"

sudo apt-get install xl2tpd
vi /etc/xl2tpd/xl2tpd.conf
[lac vyprvpn]
lns = <vpn-ip>
require chap = yes
refuse pap = yes
require authentication = yes
name = <your-vpn-account>
ppp debug = no
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

sudo vi /etc/ppp/chap-secrets
# client  server  secret  IP
<your-vpn-account> * <password> *

sudo vi /etc/ppp/options.l2tpd.client
ipcp-accept-local
ipcp-accept-remote
refuse-eap
noccp
noauth
crtscts
idle 1800
mtu 1410
mru 1410
defaultroute
debug
lock
#proxyarp
connect-delay 5000

apt-get install strongswan-starter
ipsec vyprvpn
sudo service xl2tpd restart
echo "c vyprvpn" > /var/run/xl2tpd/l2tp-control

Update

Mon Dec 21 15:47:44 2015 [] Peer Connection Initiated with [AF_INET]209.99.xx.xx:1194
Mon Dec 21 15:47:46 2015 SENT CONTROL []: 'PUSH_REQUEST' (status=1)
Mon Dec 21 15:47:46 2015 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.10.160.1,explicit-exit-notify 5,rcvbuf 262144,route-gateway 10.10.160.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.10.160.172 255.255.255.0'
Mon Dec 21 15:47:46 2015 OPTIONS IMPORT: timers and/or timeouts modified
Mon Dec 21 15:47:46 2015 OPTIONS IMPORT: explicit notify parm(s) modified
Mon Dec 21 15:47:46 2015 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Mon Dec 21 15:47:46 2015 Socket Buffers: R=[5984] S=[1072]
Mon Dec 21 15:47:46 2015 OPTIONS IMPORT: --ifconfig/up options modified
Mon Dec 21 15:47:46 2015 OPTIONS IMPORT: route options modified
Mon Dec 21 15:47:46 2015 OPTIONS IMPORT: route-related options modified
Mon Dec 21 15:47:46 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Dec 21 15:47:46 2015 ROUTE_GATEWAY 192.168.99.1/255.255.255.0 IFACE=eth0 HWADDR=28:d2:44:52:31:1d
Mon Dec 21 15:47:46 2015 TUN/TAP device tun0 opened
Mon Dec 21 15:47:46 2015 TUN/TAP TX queue length set to 100
Mon Dec 21 15:47:46 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Dec 21 15:47:46 2015 /sbin/ip link set dev tun0 up mtu 6000
Mon Dec 21 15:47:46 2015 /sbin/ip addr add dev tun0 10.10.160.172/24 broadcast 10.10.160.255
Mon Dec 21 15:47:46 2015 /sbin/ip route add <vpn-ip>/32 via 192.168.99.1
Mon Dec 21 15:47:46 2015 /sbin/ip route add 0.0.0.0/1 via 10.10.160.1
Mon Dec 21 15:47:46 2015 /sbin/ip route add 128.0.0.0/1 via 10.10.160.1
Mon Dec 21 15:47:46 2015 Initialization Sequence Completed
Mon Dec 21 16:47:44 2015 TLS: soft reset sec=0 bytes= pkts=
Enter Auth Username:^C
Mon Dec 21 16:50:53 2015 ERROR: could not read Auth username from stdin

1, During the TLS handshake OpenVPN is easily disrupted by packet loss and times out. Add the tls-timeout parameter on the server, and preferably the HMAC signature parameter as well.
2, OpenVPN sometimes never receives the PUSH_REPLY packet shown above, and the connection drops: SIGUSR1[soft,no-push-reply] received, process restarting
3, Because "ping-restart 60" is used, the connection also drops easily if TLS is blocked for a minute.
4, The OpenVPN TLS session is reset at random: TLS: soft reset sec=0 bytes= pkts= . Adding reneg-sec=0 on both server and client helps. Run the following on both the OpenVPN server and the client:
iptables -I FORWARD -p tcp -s <vpn-ip> --sport 1194 --tcp-flags RST RST -m state --state RELATED,ESTABLISHED -j DROP

So switch to the Cisco AnyConnect protocol instead:
echo "password" |sudo openconnect -u username a1.vpn.net

Update

After switching to China Mobile broadband, the obfuscated OpenVPN keeps disconnecting after a while because of ping-restart. OpenVPN emulates a TCP-like connection on top of UDP, using a timer for retransmission (once data is acknowledged it is not resent; after a loss it is resent when the timeout expires). The provider's settings (ping 10, ping-restart 60) mean that as soon as the packet loss rate reaches 10/60 = 16.7% the client triggers the ping-restart soft restart and reconnects. ISPs typically drop UDP at random with firewall rules like:

iptables -t mangle -A PREROUTING -m statistic --mode random --probability 0.3 -j MARK --set-mark 100
iptables -t filter -A FORWARD -p udp -m mark --mark 100 -j DROP

The reasons for random dropping are:
a. UDP has no flow or congestion control; left unmanaged it would eventually eat the whole bandwidth and make congestion-controlled protocols such as TCP believe the network is congested and slow themselves down.
b. UDP is stateless, so it cannot be controlled well through five-tuple monitoring.
c. UDP and multicast are a natural pair, and together they may do things that should not be done.
d. Regulated TCP can be disguised inside UDP and pass through in plain sight.

Update

install_openconnect.sh:
#!/usr/bin/env bash
set -o xtrace
#Install openconnect packages
sudo apt-get -y install build-essential pkg-config libgnutls28-dev libreadline-dev libseccomp-dev libwrap0-dev libnl-nf-3-dev liblz4-dev gnutls-bin
cd /tmp
if [ ! -f "/tmp/ocserv-0.10.5.tar.xz" ]; then
    curl -f --retry 6 --retry-delay 5 -O ftp://ftp.infradead.org/pub/ocserv/ocserv-0.10.5.tar.xz
fi
tar -xf ocserv-0.10.5.tar.xz
#git clone /ocserv/ocserv.git
cd /tmp/ocserv-0.10.5
./configure
make -j $(grep "cpu cores" /proc/cpuinfo|uniq|awk -F':' '{print $2}'|xargs)
sudo make install
#Create CA certificate
mkdir -p /tmp/cert && cd /tmp/cert
cat > /tmp/cert/ca.tmpl << EOF
cn = "sts CA"
organization = "sts CA"
serial = 1
expiration_days = 3650
signing_key
cert_signing_key
crl_signing_key
EOF
#Generate CA secret KEY: V2
certtool --generate-privkey --outfile CA.key
#Generate CA certifice: P2 signed by V2
certtool --generate-self-signed --load-privkey CA.key --template ca.tmpl --outfile CA.pem
#Create User certificate (here is for VPN server)
cat > /tmp/cert/vpnserver.tmpl << EOF
cn = "sts vpn server"
organization = "sts"
expiration_days = 3650
signing_key
encryption_key
tls_www_server
EOF
#Generate User secret KEY: V1
certtool --generate-privkey --outfile vpnserver.key
#Generate User certificate: "P1 signed by V2"
certtool --generate-certificate --load-privkey vpnserver.key --load-ca-certificate CA.pem --load-ca-privkey CA.key --template vpnserver.tmpl --outfile vpnserver.pem
#CA.pem,vpnserver,pem,vpnserver.key need to be installed in vpnserver
sudo cp CA.pem /etc/ssl/certs/CA.pem
sudo cp vpnserver.pem /etc/ssl/private/vpnserver.pem
sudo cp vpnserver.key /etc/ssl/private/vpnserver.key
#Configure and Start VPN Server
sudo mkdir -p /etc/ocserv
sudo bash -c 'cat > /etc/ocserv/ocserv.conf' <<EOF
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
isolate-workers = true
max-clients = 100
max-same-clients = 5
keepalive = 32400
mobile-dpd = 1800
try-mtu-discovery = true
server-cert = /etc/ssl/private/vpnserver.pem
server-key = /etc/ssl/private/vpnserver.key
ca-cert = /etc/ssl/certs/CA.pem
# userid OID, taken as the username when auth = "certificate"
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 40
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain =
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
ping-leases = false
route = 0.0.0.0/128.0.0.0
route = 128.0.0.0/128.0.0.0
no-route = 192.168.5.0/255.255.255.0
cisco-client-compat = true
EOF
#Configure iptable rules
sudo iptables -A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
sudo iptables -A INPUT -p udp -m state --state NEW --dport 443 -j ACCEPT
sudo iptables -A FORWARD -j ACCEPT
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
sudo sed -i '/net.ipv4.ip_forward/ s/\(.*= \).*/\11/' /etc/sysctl.conf
sudo sysctl -p
sudo sysctl -w net.ipv4.ip_forward=1
#[option] User certificate way
#configuration options in vpn server side
#auth = &certificate&
# #listen-clear-file = /var/run/ocserv-conn.socket
#ca-cert = /etc/ssl/certs/CA.pem
cat > /tmp/cert/user.tmpl <<EOF
cn = "sts_user"
unit = "sts"
expiration_days = 365
signing_key
tls_www_client
EOF
#Create user secret KEY
#certtool --generate-privkey --outfile user.key
#Create user certificate
#certtool --generate-certificate --load-privkey user.key --load-ca-certificate CA.pem --load-ca-privkey CA.key --template user.tmpl --outfile user.pem
#Transform to PKCS12 format: mykey/password
#certtool --to-p12 --load-privkey user.key --pkcs-cipher 3des-pkcs12 --load-certificate user.pem --outfile user.p12 --outder
#Start VPN Server
sudo cp /tmp/ocserv-0.10.5/doc/systemd/standalone/ocserv.service /lib/systemd/system/
sudo systemctl enable ocserv.service
sudo ocserv -f -d 1
#Start VPN Client
echo "Usage:"
echo "sudo ocpasswd -c /etc/ocserv/ocpasswd test1"
echo 'echo "password" |sudo openconnect --no-cert-check -u test1 <VPN-Server>'

Update

The earlier constant OpenVPN ping-restarts may have the following causes:
1, Do not use an OVS bridge; use eth0 directly (the openvpn-Network-Manager problem is related to this, confirmed).
2, The following three parameters can be added on the server to change the default of 60 to 120:
keepalive 10 120
keepalive is equivalent to the ping/ping-restart parameters below:
if mode server:
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"
else
ping 10
ping-restart 60
Fri Jul 29 10:52:18 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5
3, The server-side tls-timeout defaults to 2; raising it to 60 or 120 causes immediate ping-restarts, but 4 seems fine. Also, net.netfilter.nf_conntrack_udp_timeout defaults to 30; try 60 (sudo sysctl -w net.netfilter.nf_conntrack_udp_timeout=60).
The tls-timeout specifies how many seconds elapse between retransmission of packets if no response is received from the server. The default timeout is 2 seconds. You can change this timeout to some other value, but the client will continue to attempt connections for 1 minute regardless of how the tls-timeout interval is set.

- The no-audio problem in Hangouts over sslspeed or shadowsocks:
ipset --add fuckgfw 74.125.0.0/16

References:
[1] http://blog.csdn.net/dog250/article/details/9529927
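The OpenVPN failure modes listed above (TLS timeout, lost PUSH_REPLY, ping-restart, TLS soft reset) and the pushed ping/ping-restart settings, as an added Python 3 triage example that is not code from the post: it runs over constructed client log lines modelled on the excerpts above, counts which failure mode fired how often, and parses the PUSH_REPLY to show how many unanswered pings the client tolerates before ping-restart fires (60/10 = 6 with the provider's settings, 12 with keepalive 10 120). The ping-restart log line and the timestamps are constructed here.

```python
import re

# Constructed sample (not from the post): client log lines modelled on the
# excerpts in the post; timestamps and the ping-restart line are made up.
SAMPLE_LOG = """\
Mon Dec 21 15:47:46 2015 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.10.160.1,ping 10,ping-restart 60,ifconfig 10.10.160.172 255.255.255.0'
Mon Dec 21 15:47:46 2015 Initialization Sequence Completed
Mon Dec 21 16:47:44 2015 TLS: soft reset sec=0 bytes=0 pkts=0
Mon Dec 21 16:48:50 2015 [UNDEF] Inactivity timeout (--ping-restart), restarting
Mon Dec 21 16:49:55 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Dec 21 16:49:55 2015 TLS Error: TLS handshake failed
Mon Dec 21 16:50:10 2015 SIGUSR1[soft,no-push-reply] received, process restarting
"""

# The four failure modes the post lists, each with the log signature that
# identifies it and the remedy the post proposes for it.
FAILURE_MODES = (
    ("tls_timeout", r"TLS Error: TLS key negotiation failed",
     "raise tls-timeout on the server; add the HMAC signature option"),
    ("no_push_reply", r"SIGUSR1\[soft,no-push-reply\]",
     "PUSH_REPLY lost; the client restarts on its own"),
    ("ping_restart", r"Inactivity timeout \(--ping-restart\)",
     "raise ping-restart, e.g. keepalive 10 120 on the server"),
    ("tls_soft_reset", r"TLS: soft reset",
     "set reneg-sec 0 on server and client"),
)
PUSH_REPLY_RE = re.compile(r"PUSH_REPLY,(.*?)'")

def parse_push_reply(line):
    """Return the pushed options as {option: value}, or None if not a PUSH_REPLY."""
    m = PUSH_REPLY_RE.search(line)
    if not m:
        return None
    opts = {}
    for item in m.group(1).split(","):
        key, _, value = item.strip().partition(" ")
        opts[key] = value
    return opts

def ping_budget(opts):
    """Consecutive unanswered pings before ping-restart fires (60 / 10 = 6 for the post's server)."""
    ping = int(opts.get("ping", 0))
    restart = int(opts.get("ping-restart", 0))
    if ping <= 0 or restart <= 0:
        return None
    return restart // ping

def classify(log_text):
    """Count each failure mode and pull the keepalive settings the server pushed."""
    counts = {name: 0 for name, _, _ in FAILURE_MODES}
    pushed = None
    for line in log_text.splitlines():
        for name, pattern, _ in FAILURE_MODES:
            if re.search(pattern, line):
                counts[name] += 1
        if pushed is None:
            pushed = parse_push_reply(line)
    return counts, pushed
```

The remedy strings in FAILURE_MODES are the ones the post proposes for each mode, so the counts map straight onto the list above.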