openvpn客户端在和服务端建立连接时,一般建立ssl通信,流量都需要经过加密。正常建立ssl连接的时候,流程是很复杂的,需要握手信息,需要验证证书,需要协商和交换对称加密密钥。这个对称加密密钥是用来做什么的呢?其实ssl在建立连接前期的协商步骤中使用非对称加密算法(一般为RSA算法),是为了交换某些生成后续对称加密密钥所必须的信息,避免在网络中明文传输对称加密的密钥。一旦协商完成,对称密钥也就交换完成,后续的通信,都是使用对称加密来通信。为什么不能全程都使用非对称加密来加解密数据?因为非对称加密的效率比较低,所以在对称加密密钥协商完成后,后续通信都用这个对称加密密钥进行对称加密。这里说的比较笼统,感兴趣的可以自行去谷歌ssl连接建立的过程。

        oponvpn支持配置静态密钥,也就是说不用协商密钥,默认通信的双方都知道是用哪个对称加密密钥来加解密。这在某些场景下还是很有用的,每种技术都有它特定的应用场景。当然,用静态密钥本身安全性就不高,一旦别人拿到这个静态密钥,那整个通信过程就相当于明文通信了。正是因为不安全,所以openvpn官方强烈不推荐使用,可能在某些新版本中都禁用了这个功能。使用静态密钥还有一个局限性,就是只能有一个服务端,一个客户端,不能多个客户端端同时连接openvpn服务器。

        openvpn使用静态密钥也有一个优点,就是配置会特别简单,不需要ca证书,服务端客户端证书,私钥这些,只需要一个对称加密密钥。

静态密钥生成

        在linux下,使用openvpn的命令生成静态密钥:

openvpn –genkey –secret static.key

生成的static.key,服务端和客户端共用

服务端配置(centos)

        如果还不懂openvpn怎么搭建的,可以参考我前面的文章:openvpn组网技术原理及配置过程(centos服务器/安卓客户端/linux客户端)-CSDN博客

        服务端配置文件server.conf如下:

################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################
dev tun
port 7379

proto udp

# 此处不能配置server的子网范围,只能用ifconfig配置两个ip,一个是服务端ip,一个是客户端ip
#server 10.9.0.0 255.255.255.0
ifconfig 10.9.0.1 10.9.0.2

# 配置静态密钥
secret static.key

#ifconfig-pool-persist ipp.txt

#The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# 将客户端的所有流量都重定向到服务端
push "redirect-gateway def1 bypass-dhcp"

# 向客户端推送DNS地址,也可以是用其他可用的DNS,可以取服务端本机的DNS地址
push "dhcp-option DNS 100.100.2.136"
push "dhcp-option DNS 100.100.2.138"

# 这个是保活的检测间隔
keepalive 10 120

# 加密算法,服务端和客户端要一致
cipher AES-256-CBC

#compress lz4-v2
#push "compress lz4-v2"
# 设置压缩
comp-lzo

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
# openvpn运行的用户和用户组
user root
group root

#comp-lzo

#log-append openvpn-static.log

# 日志保存
log         openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
# 日志等级
verb 3

客户端配置(centos)

        可以先使用linux的openvpn客户端尝试连接,方便解决问题,linux客户端配置如下,静态密钥我们也用内联的方式:

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
;client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
# 此处跟服务端一致
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
# 此处跟服务端一致
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
# 这里填服务端的ip端口
remote 1.1.1.1 7379
#remote my-server-2 1194

这里要跟服务端的配置一致
ifconfig 10.9.0.2 10.9.0.1

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
# 使用默认配置
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
# 使用默认配置,随机分配端口
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
# 尝试在重新启动时保留一些状态
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
#ca ca.crt
#cert client.crt
#key client.key

# Verify server certificate by checking that the
# certicate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
#   digitalSignature, keyEncipherment
# and the extendedKeyUsage to
#   serverAuth
# EasyRSA can do this for you.
#remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
#tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
# 这里是加密算法,跟服务端一致
cipher AES-256-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
# 服务端已经配置,这里不需要重新配置
#redirect-gateway autolocal
# 允许压缩
comp-lzo

# 这里我是想在客户端连接好服务器端后就更改本地的DNS,但是发现没成功,还是需要手动编辑/etc/resolv.conf文件进行修改
dhcp-option DNS 100.100.2.136
dhcp-option DNS 100.100.2.138


#下面是静态密钥的内容
<secret>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END OpenVPN Static key V1-----
</secret>

如果连接上后DNS解析不正常,可以手动修改DNS,直接编辑/etc/resolv.com,比如将DNS修改为8.8.8.8

安卓客户端配置

        由于openvpn官方不推荐使用静态密钥,似乎已经弃用了这个功能,用OpenVPN Connect导入只有静态密钥的配置文件,连接的时候会直接报错要求导入ca证书。找了一阵没办法解决,于是尝试用OpenVPN For Android这个客户端,连接的时候也报错,提示静态密钥强烈不建议使用,但是提示了一下可以使用--allow-deprecated-insecure-static-crypto来强行使用静态密钥。后来发现这个应该是在使用命令行的时候传入的参数,安卓客户端启动哪有命令行?尝试直接在自定义选项中加“--allow-deprecated-insecure-static-crypto”,会报识别不了该配置。参考了一下其他配置,这个配置在配置文件应该直接使用字符串"allow-deprecated-insecure-static-crypto yes",果然能通过了。后面又根据报错日志新增了两个自定义配置,才成功建立连接。

        完整的配置过程如下:

0、先决条件:安装OpenVPN For Android,版本0.7.51,或者以上。我尝试使用0.7.39版本,发现会报错无法识别allow-deprecated-insecure-static-crypto选项,因此应该是高版本才支持这个选项

1、将上面centos客户端的配置的配置复制一份,然后在后面添加这三条配置

allow-compression yes
allow-deprecated-insecure-static-crypto yes
cipher AES-256-CBC

2、然后将上一步修改好的配置文件发送到安卓手机,导入这个配置,然后执行连接

        或者你先导入centos客户端配置导入OpenVPN For Android,然后再在这个配置的基础上添加那三条自定义选项,也是可以的。自定义选项配置是点击PROFILES右边的编辑按钮,然后ADVANCED下面的Custom Options

        如果显示已经连接成功,但是还是无法访问到外网或者无法访问到openvpn服务端主机,你需要检查一下PROFLE的ROUTING下的Use default Route选项是否勾选,如果没有勾选要勾选上才可以,可能有的系统导入配置文件后,默认是没有勾选的,就导致流量数据没有发往openvpn服务端。

Logo

开放原子开发者工作坊旨在鼓励更多人参与开源活动,与志同道合的开发者们相互交流开发经验、分享开发心得、获取前沿技术趋势。工作坊有多种形式的开发者活动,如meetup、训练营等,主打技术交流,干货满满,真诚地邀请各位开发者共同参与!

更多推荐