Zhu Guoliang What can they do? to start with Basics.


1 Zhu Guoliang

2 What can they do?

3 To start with: Basics

4 Routing & Routing Table
 Concept: see Introduction to Computer Networks (计算机网络概论)
 Tools (Linux)
   route -n: show numerical addresses instead of trying to determine symbolic host names
   traceroute
 Start-up state of the kernel IP routing table (route -n; columns: Destination, Gateway, Genmask, Flags, Metric, Ref, Use, Iface; the addresses were lost in extraction): two directly connected networks on wlan0 (flags U) and one default route through a gateway on wlan0 (flags UG)

5 Routing & Routing Table
 Tools (Windows)
   route print
   netstat -r
   tracert
 Start-up state of the IPv4 Route Table (route print; columns: Network Destination, Netmask, Gateway, Interface, Metric; the addresses were lost in extraction): ten active routes survive, all of them On-link (directly connected, no gateway)

6 VPN
 Virtual private network
 (Wikipedia) A virtual private network (VPN) is a secure way of connecting to a private Local Area Network at a remote location, using the Internet or any insecure public network to transport the network data packets privately, using encryption.

7 Quotations
 "I have six VPNs on my home computer, for accessing certain blocked websites."
 "The war between the GFW and VPNs is a perpetual war."
 "I only use them to test which side is stronger; I am not interested in all those anti-government opinions."
 "So far the GFW is at a disadvantage and still needs further improvement."
 —

8 The powerful tool: OpenVPN

10 OpenVPN
 is a free and open source software application
 implements virtual private network (VPN) techniques
 creates secure point-to-point or site-to-site connections in routed or bridged configurations, and remote access facilities
 uses SSL/TLS for authentication and key exchange; the tunnelled data is encrypted with the negotiated cipher
 capable of traversing network address translators (NATs) and firewalls
 written by James Yonan and published under the GNU General Public License (GPL)

11 Installation
 apt-get: sudo apt-get install openvpn
 Compile (+ IPv6 patch)
   Dependencies
     OpenSSL: openssl-devel (Ubuntu apt-get: libssl-dev)
     LZO: liblzo2-dev
   ./configure
   make
   sudo make install

12 Installation
 Compile, + IPv6 patch (file names as extracted; the version numbers in them were lost)
   gzip -d openvpn ipv patch.gz
   mv openvpn ipv patch openvpn
   cd openvpn
   patch -p1 < openvpn ipv patch
   ./configure
   make
   sudo make install

13 Configuration
 We use client-server mode
   available only since OpenVPN 2.0
   "allowing multiple clients to connect to a single OpenVPN server process over a single TCP or UDP port."
 Others
   client-to-client mode
   site-to-site mode

14 Configuration
 Use the easy-rsa tool
   $openvpn/easy-rsa/2.0
   if installed with apt-get: under /usr/share/doc/openvpn/examples
   if compiled: your source path
 Modify vars (KEY_SIZE sets both the RSA key size and the DH parameter size), then:
   source vars
   ./clean-all                 # clean keys
   ./build-ca                  # build a root certificate (CA); ca.key signs every certificate, so keep it off the VPN server
   ./build-key-server server   # make a certificate/private key pair for the server, signed by the locally generated root certificate
   ./build-key client          # ditto, for a client
   ./build-dh                  # build Diffie-Hellman parameters for the server side of an SSL/TLS connection

15 Configuration - Server
 Use the template: $openvpn/sample-config-files/server.conf
 Details
   proto udp (proto udp6 to use IPv6)
   uncomment push "dhcp-option DNS a.b.c.d" and set the DNS server address
   uncomment push "redirect-gateway def1 bypass-dhcp" (sends all client traffic through the VPN)
   uncomment push "route " and add the network and netmask of any other routes the clients need
   ca ca.crt          # root certificate
   cert server.crt    # certificate
   key server.key     # private key
   dh dh1024.pem      # Diffie-Hellman parameters (directive is dh, not key); 1024-bit DH is weak by current standards, so set KEY_SIZE=2048 in vars before build-dh and reference dh2048.pem

16 Configuration - Client
 Use the template: $openvpn/sample-config-files/client.conf
 Details
   proto udp (proto udp6 to use IPv6); must match the server
   remote a.b.c.d 9999: server address & port (the port must match the server's port line)
   ca ca.crt
   cert client.crt
   key client.key
   (generated by build-ca and build-key)
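The server and client configs above are edited by hand, and the two slides show how easy it is to get a directive wrong (the typo proto upd, or dh1024.pem written as a second key line). The linter below is an added example, not code from the slides or from the OpenVPN project: it parses the directives used on these slides, including the contents of push "...", and reports the mistakes a practitioner would want caught before launching. The two configs are constructed for the example; the subnet, port and route values in them are assumptions, not taken from the slides.

```python
"""Lint an OpenVPN server.conf before launching it.

Added example, not code from the slides or from the OpenVPN project. It
parses the handful of directives the slides edit by hand and reports the
mistakes that are easy to make there: a misspelled proto, a 'dh' line that
was written as a second 'key' line, weak DH parameters, a push "route"
with no network, and a placeholder address left in a push line.
"""
import re
from typing import List, Tuple

VALID_PROTO = {"udp", "udp4", "udp6", "tcp", "tcp4", "tcp6",
               "tcp-server", "tcp-client"}
MIN_DH_BITS = 2048          # 1024-bit DH parameters are weak by current standards
PLACEHOLDERS = {"a.b.c.d", "x.x.x.x"}


def parse_options(text: str) -> List[Tuple[str, List[str]]]:
    """Return (directive, args) pairs, skipping blank and comment lines.
    A push "..." line is unpacked so the pushed directive is checked too;
    it is recorded as 'push <directive>'."""
    opts: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] != "push":
            opts.append((parts[0], parts[1:]))
            continue
        m = re.match(r'push\s+"([^"]*)"', line)
        inner = (m.group(1) if m else " ".join(parts[1:])).split()
        if inner:
            opts.append(("push " + inner[0], inner[1:]))
        else:
            opts.append(("push", []))
    return opts


def lint_server_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means the checks passed."""
    opts = parse_options(text)
    names = [d for d, _ in opts]
    findings: List[str] = []

    protos = [args for d, args in opts if d == "proto"]
    if not protos:
        findings.append("no 'proto' line")
    for args in protos:
        if not args or args[0] not in VALID_PROTO:
            findings.append(f"invalid proto {' '.join(args)!r}; "
                            f"use one of {sorted(VALID_PROTO)}")

    # Exactly one of each; 'key dh1024.pem' shows up as two 'key' lines and no 'dh'.
    for required in ("ca", "cert", "key", "dh"):
        n = names.count(required)
        if n != 1:
            findings.append(f"expected exactly one '{required}' line, found {n}")

    for directive, args in opts:
        if directive == "dh" and args:
            m = re.search(r"(\d+)", args[0])
            if m and int(m.group(1)) < MIN_DH_BITS:
                findings.append(f"dh {args[0]}: {m.group(1)}-bit parameters, "
                                f"use at least {MIN_DH_BITS}")
        if directive == "push route" and not args:
            findings.append('push "route" has no network argument')
        if directive == "push":
            findings.append("empty push line")
        if directive.startswith("push ") and PLACEHOLDERS & set(args):
            findings.append(f"{directive}: placeholder address left in place")
    return findings


# Constructed sample: the server.conf as the slides would have it, including
# the typo 'proto upd' and the 'key dh1024.pem' line.
SLIDE_CONF = """\
port 1194
proto upd
dev tun
ca ca.crt          # root certificate
cert server.crt    # certificate
key server.key     # private key
key dh1024.pem     # Diffie-Hellman parameters
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS a.b.c.d"
push "redirect-gateway def1 bypass-dhcp"
push "route "
"""

# Constructed sample with the same structure, corrected.
FIXED_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 10.8.0.1"
push "redirect-gateway def1 bypass-dhcp"
push "route 192.168.10.0 255.255.255.0"
"""

if __name__ == "__main__":
    for name, conf in (("slide", SLIDE_CONF), ("fixed", FIXED_CONF)):
        print(name, lint_server_conf(conf) or "OK")
```

Run it against the first config and it reports five findings (the proto typo, two key lines, no dh line, the a.b.c.d placeholder and the empty route); the corrected config passes. The same parse_options can be pointed at client.conf, where the interesting check is that proto and the port in remote agree with the server.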

17 Other platforms
 OpenVPN GUI for Windows: a .ovpn file is the same as a .conf file
 GUI for Mac: OpenVPN Mac

18 Launch!
 Server
   Launch openvpn: sudo openvpn --config server.conf
   Set routing rules (NAT the VPN subnet out of eth0; the subnet address was lost in extraction and is shown as <vpn-subnet>):
     sudo iptables -A POSTROUTING -t nat -o eth0 -s <vpn-subnet>/24 -d 0/0 -j MASQUERADE
   IPv4 forwarding must also be on (net.ipv4.ip_forward=1, see the PPTP slides), otherwise the server will not forward the clients' packets at all
 Client
   Launch openvpn: sudo openvpn --config client.conf
   Windows GUI: click
   Routing rules are set automatically if they were "push"ed in server.conf

19 Under the hood
 Client side route - Windows
 before: IPv4 Route Table (route print; columns Network Destination, Netmask, Gateway, Interface, Metric; the addresses were lost in extraction): ten active routes survive, all On-link

20 Under the hood
 after: IPv4 Route Table: fifteen active routes survive extraction (five more than before), again all On-link

21 Under the hood
 Client side route - Linux
 before: kernel IP routing table (route -n; columns Destination, Gateway, Genmask, Flags, Metric, Ref, Use, Iface; the addresses were lost in extraction): two directly connected routes on wlan0 (U) and the default route via the wlan0 gateway (UG)
 after: the same three wlan0 routes plus four routes on tun0: a host route via the tunnel gateway (UGH), the tunnel peer itself (UH), and two gateway routes via tun0 (UG). Those two are 0.0.0.0/1 and 128.0.0.0/1, which redirect-gateway def1 installs: together they cover the whole address space and beat the untouched /0 default route by longest-prefix match, so the original default route never has to be deleted.
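What the two Linux tables above show is best checked by hand: where does a given destination go after the tunnel is up, and why does the VPN server's own traffic not disappear into the tunnel? The script below is an added example, not code from the slides. It parses route -n output in the layout printed on these slides, diffs the before and after tables, resolves destinations by longest-prefix match (the rule the kernel applies), and checks the three properties a redirect-gateway def1 setup must have. All addresses are constructed: 192.168.1.0/24 stands for the wireless LAN, 203.0.113.10 for the OpenVPN server, 10.8.0.0/24 for the tunnel; tun0 and wlan0 are assumed interface names. The /32 host route to the server via the LAN gateway is included because OpenVPN adds it when redirecting the gateway, precisely so that the tunnel's own packets do not loop.

```python
"""Read the client's routing table before and after the tunnel comes up and
check what redirect-gateway def1 actually did.

Added example, not code from the slides. Parses 'route -n' output, diffs the
two tables and resolves destinations by longest-prefix match, which is how
the kernel picks a route. All addresses below are constructed.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    flags: str
    iface: str


def parse_route_n(text: str) -> List[Route]:
    """Parse 'route -n' output; the two header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue
        dest, gw, mask, flags, iface = parts[0], parts[1], parts[2], parts[3], parts[7]
        # IPv4Network accepts a dotted netmask after the slash.
        routes.append(Route(ipaddress.IPv4Network(f"{dest}/{mask}"), gw, flags, iface))
    return routes


def lookup(routes: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing ip wins."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def added_routes(before: List[Route], after: List[Route]) -> List[Route]:
    """Routes present after the tunnel came up that were not there before."""
    return [r for r in after if r not in before]


def check_full_tunnel(routes: List[Route], vpn_server: str, tun: str = "tun0") -> List[str]:
    """Problems with a redirect-gateway def1 setup; an empty list means it looks right."""
    problems = []
    halves = {r.network for r in routes if r.iface == tun and r.network.prefixlen == 1}
    if halves != {ipaddress.IPv4Network("0.0.0.0/1"), ipaddress.IPv4Network("128.0.0.0/1")}:
        problems.append("0.0.0.0/1 and 128.0.0.0/1 via %s missing (def1 not applied)" % tun)
    srv = lookup(routes, vpn_server)
    if srv is None or srv.iface == tun:
        problems.append("VPN server itself would be routed into the tunnel (loop)")
    if not any(r.network.prefixlen == 0 and r.iface != tun for r in routes):
        problems.append("original default route is gone (no fallback when the tunnel drops)")
    return problems


# Constructed sample tables in the layout of the slides' 'route -n' output.
BEFORE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U     2      0        0 wlan0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
"""

AFTER = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
203.0.113.10    192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U     2      0        0 wlan0
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
"""

if __name__ == "__main__":
    before, after = parse_route_n(BEFORE), parse_route_n(AFTER)
    for r in added_routes(before, after):
        print("added:", r.network, "via", r.gateway, r.flags, r.iface)
    for ip in ("8.8.8.8", "192.168.1.20", "203.0.113.10"):
        print(ip, "->", lookup(after, ip).iface)
    print("problems:", check_full_tunnel(after, "203.0.113.10") or "none")
```

With the after table, an Internet address resolves to tun0 through one of the two /1 routes, a LAN address still goes out wlan0 because the /24 is more specific, and the VPN server resolves to wlan0 through its /32. Feed the script a real pair of tables and an empty problems list tells you the client is actually full-tunnelled rather than leaking around the VPN.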

22 The easy way: PPTP

23 PPTP
 Point-to-Point Tunneling Protocol
 a method for implementing virtual private networks (VPN)
 uses a control channel over TCP (port 1723) and a GRE tunnel to encapsulate PPP packets
 Specification: RFC 2637

24 Implementations
 MS Windows: supported since Windows 95, Windows Mobile since 2003
   Server: Routing and Remote Access Service (RRAS)
 Linux: "lacked full PPTP support"
   packages: pptp-linux (client), pptpd (server)
   SuSE Linux 10 was the first Linux distribution to provide a complete working PPTP client
 Mac OS X & iOS have a PPTP client
 Palm PDAs have a PPTP client
 Android has a PPTP client since 1.6

25 Installation & Configuration (server)
 sudo apt-get install pptpd
 modify /etc/pptpd.conf
   localip (the server's end of the PPP links)
   remoteip (the address pool handed out to clients)
 modify /etc/ppp/pptpd-options
   uncomment require-mppe-128
   ms-dns (DNS server handed to clients)
 modify /etc/ppp/chap-secrets (one line per user: client, server, secret, allowed IP address):
   user pptpd password *
 sudo /etc/init.d/pptpd restart

26 Installation & Configuration
 Routing rule (NAT the client pool from remoteip out of eth0; the network address was lost in extraction and is shown as <pool>):
   sudo iptables -t nat -A POSTROUTING -s <pool>/24 -o eth0 -j MASQUERADE
 Turn on IPv4 forwarding
   modify /etc/sysctl.conf: net.ipv4.ip_forward=1
   sudo sysctl -p

27 Client
 Windows: create a new VPN connection, choose PPTP, enter user name and password, save, connect
 Mac OS X: same
 Android: same
 Linux
   apt-get install pptp-linux
   pptpsetup --create xx --server x.x.x.x --username user --password password --start
   sudo route add default dev ppp0

28 Save routing rules
 So they need not be re-entered on each reboot:
   sudo iptables-save > /etc/iptables-rules
   modify /etc/network/interfaces: in the stanza for eth0 (or wlan0) add
     pre-up iptables-restore < /etc/iptables-rules

29 Compare ...
 In a nutshell:
   OpenVPN is much safer, and sometimes the only choice: its TLS channel, ciphers and certificate authentication are configurable, whereas PPTP's MS-CHAPv2 authentication and MPPE encryption are known to be cryptographically weak
   PPTP is easy to configure and widely supported

30 Other choices
 L2TP (usually combined with IPsec as L2TP/IPsec)
 IPsec
