OpenVPN For Android实现手机刷Twitter

笔者有时候也会刷刷Twitter，或者上Facebook吹吹牛逼，目前的Android对于VPN支持实在是渣渣，用了很多免费的VPN方案都让人欲哭无泪。于是有了自己弄一套VPN的想法，以实现笔者刷刷Twitter，吹吹牛逼的梦想！

基本配置：

1、服务器一台（位于美帝的洛杉矶），CentOS5 64bit，编译安装OpenVPN Server v2.3.4

2、Android手机一部（酷派，android4.2，VPN在Android4.0以上，依赖Google提供的VPNService服务，无需root），安装Ics-OpenVPN（OpenVPN的Android版本）

基本网络拓扑图：

Server配置：

#Set OpenVPN major mode. By default, OpenVPN runs in point-to-point mode ("p2p"). OpenVPN 2.0 introduces a new mode ("server") which impl#ements a multi-client server capability.
#mode server
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
duplicate-cn

#listen on IPv4
local 0.0.0.0

#we use a non-default port
port 11194

#UDP protocol chosen for better protection against DoS attacks and port scanning
proto tcp

#using routed IP tunnel
dev tun

#relative paths to keys and certificates
ca /usr/local/openvpn/easy-rsa/keys/ca.crt
cert /usr/local/openvpn/easy-rsa/keys/server.crt
key /usr/local/openvpn/easy-rsa/keys/server.key
dh /usr/local/openvpn/easy-rsa/keys/dh1024.pem

#set OpenVPN subnet
server 10.6.0.0 255.255.0.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

#for route stunnel from gateway directly
push "route your server IP 255.255.255.255 net_gateway"

#maintain a record of client-to-virtual-IP-address
ifconfig-pool-persist ipp.txt

#ping every 10 seconds, assume that remote peer is down if no ping received during 60
keepalive 10 60

#cryptographic cipher, must be the same (copied) on the client config file as well
cipher AES-256-CBC

#enable compression on VPN link
comp-lzo

max-clients 500

#try to preserve some state across restarts
persist-key
persist-tun

#status log file
status /usr/local/openvpn/conf/openvpn-status.log

#log file
#log-append /usr/local/openvpn/conf/openvpn.log

#log file verbosity
verb 3

Client配置：

client
dev tun
proto tcp
remote your vpn server IP 11194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3

#tun-mtu 1500
#tun-mtu-extra 32
#fragment 1450
#mssfix 

<ca>
-----BEGIN CERTIFICATE-----
CA
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
CERTIFICATE
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
PRIVATE KEY
-----END PRIVATE KEY-----
</key>

关于Openvpn的安装，以及CA等证书的生成操作可参考网络相关资料，不再赘述。

这里重点说明一点，服务端配置要加上：

push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

push "redirect-gateway  def1"将修改Android路由，重定向所有web流量至vpn，默认只定向vpn私网段的流量，这里是10.6.0.0/16。

后面两条配置是修改客户端dns为google public dns，切记！

好了，我们连上vpn后，打开浏览器浏览看看，貌似和我们想的不太一样，还是不能愉快的刷facebook，经常断？经常连不上？于是乎，又开始了漫长的Google之旅，大致找到原因，因为GFW~~~，据说采用了新的DPI牛逼技术，可以探测OpenVPN的连接握手过程，并采用终极大招，将连接重置，于是乎就悲剧了，还是不能愉快的玩耍！

好吧，继续下一招，采用stunnel来封装openvpn tunnel，说白了就是再加上一层保险，让Openvpn的流量看起来更像普通的SSL连接，以不那么容易被识别。

笔者采用的stunnel客户端版本为stunnel 5.06 on arm-unknown-linux-androideabi platform。

Stunnel服务端配置：

sslVersion = all
options = -NO_SSLv2
options = -NO_SSLv3
cert = /etc/stunnel/server.pem
pid = /var/run/stunnel.pid
output = /var/log/stunnel
;debug = 7
;foreground = yes
[openvpn]
client = no
accept=993
connect=11194

Stunnel客户端配置：

debug = 7
foreground = yes
[openvpn]
client = yes
accept = 127.0.0.1:1194
connect = your vpn server IP:993

好了，大功告成，终于可以愉快的玩耍了！另外，针对OpenVPN对于Http URL级别的过滤机制不完善（也很正常，毕竟VPN是个IP层面的东西，都是IP，没有什么URL），笔者也做了测试，可以通过Squid透明代理来在服务端实现基于URL的过滤机制，毕竟咱捣鼓这玩意只是自己玩玩，被用来上那些什么非法网站就不好了。

另外，服务端的iptables需要做NAT，附上：

-A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j DNAT --to-destination your server IP:8080
-A POSTROUTING -s 10.6.0.0/255.255.0.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.6.0.0/255.255.0.0 -j SNAT --to-source your server IP 

好了，开始愉快的玩耍了

申明：本文仅限于技术研究之目的，请勿用于其他目的，转载请注明来源！