Zhu Guoliang What can they do? to start with Basics.

Presentation on theme: "Zhu Guoliang What can they do? to start with Basics."— Presentation transcript:

1 Zhu Guoliang tedzhu@163.com

2 What can they do?

3 to start with Basics

4 Routing & Routing Table
 Concept – Introduction to Computer Networks (计算机网络概论)
 Tools
   linux
     route
       -n: show numerical addresses instead of trying to determine symbolic host names.
     traceroute
 start up:
内核 IP 路由表
目标            网关            子网掩码        标志  跃点  引用  使用 接口
162.105.238.0   0.0.0.0         255.255.255.0   U     2     0       0 wlan0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000  0       0 wlan0
0.0.0.0         162.105.238.1   0.0.0.0         UG    0     0       0 wlan0

5 Routing & Routing Table
 Windows
   route print
   netstat -r
   tracert
 start up:
IPv4 路由表
===========================================================================
活动路由:
网络目标            网络掩码          网关              接口             跃点数
0.0.0.0             0.0.0.0           162.105.238.1     162.105.238.14    25
127.0.0.0           255.0.0.0         在链路上          127.0.0.1        306
127.0.0.1           255.255.255.255   在链路上          127.0.0.1        306
127.255.255.255     255.255.255.255   在链路上          127.0.0.1        306
162.105.238.0       255.255.255.0     在链路上          162.105.238.14   281
162.105.238.14      255.255.255.255   在链路上          162.105.238.14   281
162.105.238.255     255.255.255.255   在链路上          162.105.238.14   281
224.0.0.0           240.0.0.0         在链路上          127.0.0.1        306
224.0.0.0           240.0.0.0         在链路上          162.105.238.14   281
255.255.255.255     255.255.255.255   在链路上          127.0.0.1        306
255.255.255.255     255.255.255.255   在链路上          162.105.238.14   281
===========================================================================

6 VPN
 Virtual private network
 (Wikipedia) A virtual private network (VPN) is a secure way of connecting to a private Local Area Network at a remote location, using the Internet or any insecure public network to transport the network data packets privately, using encryption.

7 Quotations
 “I have 6 VPNs on my home computer, used to access certain blocked websites.”
 “The war between the GFW and VPNs is a permanent war.”
 “I only use them to test which side is stronger; I am not interested in all that anti-government talk.”
 “So far the GFW is at a disadvantage and still needs further improvement.”
 —

8 powerful tool OpenVPN

9  http://openvpn.net/

10 OpenVPN
 is a free and open source software application
 implements virtual private network (VPN) techniques
 creates secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities
 uses SSL/TLS security for encryption
 capable of traversing network address translators (NATs) and firewalls
 written by James Yonan and is published under the GNU General Public License (GPL).

11 Installation
 apt-get
   sudo apt-get install openvpn
 Compile, +ipv6 patch
   Dependencies
     Openssl
       openssl-devel
       ubuntu apt-get: libssl-dev
     lzo
       liblzo2-dev
   ./configure
   make
   sudo make install

12 Installation
 Compile, +ipv6 patch
   gzip -d openvpn-2.1.1-ipv6-0.4.11.patch.gz
   mv openvpn-2.1.1-ipv6-0.4.11.patch openvpn-2.1.1
   cd openvpn-2.1.1
   patch -p1 < openvpn-2.1.1-ipv6-0.4.11.patch
   ./configure
   make
   sudo make install

13 Configuration
 We use client – server mode
   only since 2.0
   “allowing multiple clients to connect to a single OpenVPN server process over a single TCP or UDP port.”
 Others
   client – client mode
   site – site mode

14 Configuration
 use easy-rsa tool
   $openvpn/easy-rsa/2.0
   if apt-get, /usr/share/doc/openvpn/example
   if compile, your source path
 Modify vars
 source vars
 ./clean-all                 # Clean keys
 ./build-ca                  # Build a root certificate
 ./build-key-server server   # Make a certificate/private key pair for the server, signed by the locally generated root certificate.
 ./build-key client          # Ditto, for a client
 ./build-dh                  # Build Diffie-Hellman parameters for the server side of an SSL/TLS connection.

15 Configuration - Server
 use template
   $openvpn/sample-config-files/server.conf
 Detail..
   proto udp
     proto udp6 to use ipv6
   uncomment push "dhcp-option DNS a.b.c.d", modify
   uncomment push "redirect-gateway def1 bypass-dhcp"
   uncomment push "route 192.168.10.0 255.255.255.0", add other routes
   ca ca.crt          # root certificate
   cert server.crt    # certificate
   key server.key     # private key
   dh dh1024.pem      # Diffie-Hellman parameters

16 Configuration - Client
 use template
   $openvpn/sample-config-files/client.conf
 Detail..
   proto udp
     proto udp6 to use ipv6
   remote a.b.c.d 9999, server address & port
   ca ca.crt
   cert client.crt
   key client.key
     generated by build-ca, build-key

17 Other platforms
 OpenVPN GUI for Windows
   .ovpn ≈ .conf
   GUI
 OpenVPN Mac

18 Launch!
 Server
   Launch openvpn
     sudo openvpn --config server.conf
   Set routing rules
     sudo iptables -A POSTROUTING -t nat -o eth0 -s 10.8.0.1/24 -d 0/0 -j MASQUERADE
 Client
   Launch openvpn
     sudo openvpn --config client.conf
     Windows GUI: click
   Routing rules are set automatically if "push"ed in server.conf

19 Under the hood
 Client side route - Windows
 before:
IPv4 路由表
===========================================================================
活动路由:
网络目标            网络掩码          网关              接口             跃点数
0.0.0.0             0.0.0.0           162.105.238.1     162.105.238.14    25
127.0.0.0           255.0.0.0         在链路上          127.0.0.1        306
127.0.0.1           255.255.255.255   在链路上          127.0.0.1        306
127.255.255.255     255.255.255.255   在链路上          127.0.0.1        306
162.105.238.0       255.255.255.0     在链路上          162.105.238.14   281
162.105.238.14      255.255.255.255   在链路上          162.105.238.14   281
162.105.238.255     255.255.255.255   在链路上          162.105.238.14   281
224.0.0.0           240.0.0.0         在链路上          127.0.0.1        306
224.0.0.0           240.0.0.0         在链路上          162.105.238.14   281
255.255.255.255     255.255.255.255   在链路上          127.0.0.1        306
255.255.255.255     255.255.255.255   在链路上          162.105.238.14   281
===========================================================================

20 Under the hood
 after:
IPv4 路由表
===========================================================================
活动路由:
网络目标            网络掩码          网关              接口             跃点数
0.0.0.0             0.0.0.0           162.105.238.1     162.105.238.14    25
0.0.0.0             128.0.0.0         10.8.0.5          10.8.0.6          30
10.8.0.1            255.255.255.255   10.8.0.5          10.8.0.6          30
10.8.0.4            255.255.255.252   在链路上          10.8.0.6         286
10.8.0.6            255.255.255.255   在链路上          10.8.0.6         286
10.8.0.7            255.255.255.255   在链路上          10.8.0.6         286
127.0.0.0           255.0.0.0         在链路上          127.0.0.1        306
127.0.0.1           255.255.255.255   在链路上          127.0.0.1        306
127.255.255.255     255.255.255.255   在链路上          127.0.0.1        306
128.0.0.0           128.0.0.0         10.8.0.5          10.8.0.6          30
162.105.238.0       255.255.255.0     在链路上          162.105.238.14   281
162.105.238.14      255.255.255.255   在链路上          162.105.238.14   281
162.105.238.255     255.255.255.255   在链路上          162.105.238.14   281
224.0.0.0           240.0.0.0         在链路上          127.0.0.1        306
224.0.0.0           240.0.0.0         在链路上          10.8.0.6         286
224.0.0.0           240.0.0.0         在链路上          162.105.238.14   281
255.255.255.255     255.255.255.255   在链路上          127.0.0.1        306
255.255.255.255     255.255.255.255   在链路上          10.8.0.6         286
255.255.255.255     255.255.255.255   在链路上          162.105.238.14   281
===========================================================================

21 Under the hood
 Client side route - Linux
 before:
内核 IP 路由表
目标            网关            子网掩码        标志  跃点  引用  使用 接口
162.105.238.0   0.0.0.0         255.255.255.0   U     2     0       0 wlan0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000  0       0 wlan0
0.0.0.0         162.105.238.1   0.0.0.0         UG    0     0       0 wlan0
 after:
内核 IP 路由表
目标            网关            子网掩码        标志  跃点  引用  使用 接口
10.8.0.1        10.8.0.9        255.255.255.255 UGH   0     0       0 tun0
10.8.0.9        0.0.0.0         255.255.255.255 UH    0     0       0 tun0
162.105.238.0   0.0.0.0         255.255.255.0   U     2     0       0 wlan0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000  0       0 wlan0
0.0.0.0         10.8.0.9        128.0.0.0       UG    0     0       0 tun0
128.0.0.0       10.8.0.9        128.0.0.0       UG    0     0       0 tun0
0.0.0.0         162.105.238.1   0.0.0.0         UG    0     0       0 wlan0
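An added example, not part of the slides, that replays the kernel's route selection over the Linux "before" and "after" tables above, so you can see why the two /1 routes pushed by "redirect-gateway def1" capture all traffic while the original default route is left in place. The route rows are copied from the slide; the function names are this example's own.

```python
import ipaddress

# Constructed sample: the client's Linux "route -n" rows before and after
# OpenVPN pushed "redirect-gateway def1" (copied from the slides above).
# Columns: Destination Gateway Genmask Flags Metric Ref Use Iface
ROUTE_N_BEFORE = """\
162.105.238.0   0.0.0.0         255.255.255.0   U     2      0        0 wlan0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlan0
0.0.0.0         162.105.238.1   0.0.0.0         UG    0      0        0 wlan0
"""
ROUTE_N_AFTER = """\
10.8.0.1        10.8.0.9        255.255.255.255 UGH   0      0        0 tun0
10.8.0.9        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
162.105.238.0   0.0.0.0         255.255.255.0   U     2      0        0 wlan0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlan0
0.0.0.0         10.8.0.9        128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.8.0.9        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         162.105.238.1   0.0.0.0         UG    0      0        0 wlan0
"""

def parse_route_n(text):
    """Turn 'route -n' rows into (network, gateway, metric, iface) tuples."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8:
            continue  # header or blank line
        dest, gw, mask, _flags, metric, _ref, _use, iface = cols[:8]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, int(metric), iface))
    return routes

def lookup(routes, addr):
    """Longest prefix wins, lowest metric breaks ties: the kernel's rule."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, gw, metric, iface in routes:
        if ip not in net:
            continue
        if best is None or (net.prefixlen, -metric) > (best[0].prefixlen, -best[2]):
            best = (net, gw, metric, iface)
    return (best[3], best[1]) if best else None

def has_def1_override(routes):
    """True when both /1 halves exist, i.e. the old default gateway is
    shadowed without being deleted (what 'redirect-gateway def1' does)."""
    halves = {str(net) for net, _gw, _m, _i in routes if net.prefixlen == 1}
    return halves == {"0.0.0.0/1", "128.0.0.0/1"}
```

OpenVPN also installs a host route to the VPN server's public address via the original gateway so the tunnel's own packets are not sent into tun0; that row is not part of the slide's table, which is why the sample omits it.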

22 the easy way PPTP

23 PPTP
 Point-to-Point Tunneling Protocol
 is a method for implementing virtual private networks (VPN)
 uses a control channel over TCP and a GRE tunnel to encapsulate PPP packets.
 Specification: RFC 2637

24 Implementations
 MS Windows support since 95, WM since 2003
   Server: Routing And Remote Access Service
 Linux: “lacked full PPTP support”
   packages: pptp-linux, pptpd
   SuSE Linux 10 was the first Linux distribution to provide a complete working PPTP client
 Mac OS X & iOS have PPTP client
 Palm PDA has PPTP client
 Android has PPTP client, since 1.6

25 Installation & Configuration
 sudo apt-get install pptpd
 modify /etc/pptpd.conf
   localip 10.100.0.1
   remoteip 10.100.0.2-10
 modify /etc/ppp/pptpd-options
   uncomment require-mppe-128
   ms-dns 162.105.129.27
 modify /etc/ppp/chap-secrets
   # client   server   secret     IP addresses
   user       pptpd    password   *
 sudo /etc/init.d/pptpd restart

26 Installation & Configuration
 Routing rule
   sudo iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
 Turn on ipv4 forward
   modify /etc/sysctl.conf
     net.ipv4.ip_forward=1
   sudo sysctl -p
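An added example, not part of the slides, that parses the two directive-style files edited on slides 15 and 25 (OpenVPN's server.conf and pptpd's /etc/ppp/pptpd-options) and reports what a reviewer would flag before starting the service. The sample files are constructed; the Diffie-Hellman line is deliberately written with the wrong directive (a common slip) so the check has something to catch, and all function names are this example's own.

```python
# Constructed samples of the two files the slides edit. Both formats are one
# "directive [args]" per line; '#' starts a comment and, in OpenVPN, a leading
# ';' disables a line.
SERVER_CONF = """\
proto udp
ca ca.crt          # root certificate
cert server.crt    # certificate
key server.key     # private key
key dh1024.pem     # slip: Diffie-Hellman parameters need the 'dh' directive
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS a.b.c.d"
"""
PPTPD_OPTIONS = """\
name pptpd
require-mschap-v2
require-mppe-128
ms-dns 162.105.129.27
"""

def parse_directives(text):
    """Map each directive to a list of its argument strings, one entry per
    occurrence; comments, blank lines and ';'-disabled lines are skipped."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        name, _, args = line.partition(" ")
        found.setdefault(name, []).append(args.strip())
    return found

def check_openvpn_server(text):
    """Problems a reviewer of the slides' server.conf walkthrough would flag."""
    d = parse_directives(text)
    problems = [f"missing {n}" for n in ("ca", "cert", "key", "dh", "server") if n not in d]
    if len(d.get("key", [])) > 1:
        problems.append("key given twice: DH parameters belong under 'dh <file>'")
    if not any(a.strip('"').startswith("redirect-gateway") for a in d.get("push", [])):
        problems.append("redirect-gateway not pushed: client keeps its old default route")
    return problems

def check_pptpd_options(text):
    """The pptpd-options settings the slide has you set."""
    d = parse_directives(text)
    return [f"{n} not set" for n in ("require-mppe-128", "ms-dns") if n not in d]
```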

27 Client
 Windows
   create new VPN
   choose PPTP
   input user, password
   save
   connect
 Mac OS X: same
 Android: same
 Linux:
   apt-get install pptp-linux
   pptpsetup --create xx --server x.x.x.x --username user --password password --start
   sudo route add default dev ppp0

28 Save routing rule
 So you don't need to redo it on each reboot
   sudo iptables-save > /etc/iptables-rules
 modify /etc/network/interfaces
   find eth0 (or wlan0)
   pre-up iptables-restore < /etc/iptables-rules

29 Compare ...
 In a nutshell:
   OpenVPN is much safer, sometimes the only choice
   PPTP is easy to configure, widely supported

30 Other choices
 L2TP
 IPSec
