After Googling what a number of experienced enthusiasts had written, the consensus was that OpenVPN is the best solution. OpenVPN's main advantage is that you can choose the port yourself; using the HTTPS port, 443, should be very suitable, because HTTPS is such a common protocol that it is generally not blocked.
I am writing the details down so I do not forget them, and so I can share them with others.
Equipment and environment:
1. BananaPi with Ubuntu 14.04
2. WiFi AP
3. Use sudo -i to become root
Step 1: Install OpenVPN
First become root; if you logged in to Ubuntu over ssh, use sudo -i.
apt-get update
apt-get upgrade
apt-get install openvpn easy-rsa
Step 2: Configure OpenVPN
cd /etc/openvpn
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
This produces /etc/openvpn/server.conf from the sample config. (Use gunzip -c with a redirect: plain gzip -d would decompress the sample in place under /usr/share/doc instead of creating a copy here.)
Modify server.conf:
nano server.conf
port 1194 => port 443
dh dh1024.pem => dh dh2048.pem
(On Ubuntu 16.04 this line does not need to be changed.)
;push "redirect-gateway def1 bypass-dhcp" => remove the leading ;
;push "dhcp-option DNS 208.67.222.222" => remove the leading ;
;push "dhcp-option DNS 208.67.220.220" => remove the leading ;
Add one more line for Google's DNS server:
push "dhcp-option DNS 8.8.8.8"
;user nobody => remove the leading ;
;group nogroup => remove the leading ;
Note that the sample config keeps proto udp, so the server listens on UDP port 443, not TCP 443. A network that only lets HTTPS (TCP 443) through will still block it unless proto is changed to tcp here and in every client profile.
Done; remember to press ctrl-x and save.
Step 3: Enable IP forwarding
Edit /etc/sysctl.conf:
nano /etc/sysctl.conf
#net.ipv4.ip_forward=1 => remove the leading #
Edit /etc/rc.local:
nano /etc/rc.local
Add this line above the final exit 0 (anything after exit 0 never runs). 10.8.0.0/24 is the VPN subnet from the server line in server.conf, and eth0 must be the interface that reaches the AP:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
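The edits of steps 2 and 3 as a script, added here as an example and not part of the original post: it applies the same changes with sed instead of nano, checks that every expected directive ended up uncommented, and does the same for net.ipv4.ip_forward. The input it runs on in the demo is a constructed excerpt containing only the sample-config lines the steps touch, so nothing under /etc is modified; paths are arguments so the real files can be passed in.

```shell
#!/bin/sh
# Added example (not from the original post): apply the server.conf and
# sysctl.conf edits from steps 2 and 3 with sed, then verify the result.
set -eu

# Constructed excerpt of the sample server.conf: only the lines step 2 touches.
write_sample_server_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
dh dh1024.pem
server 10.8.0.0 255.255.255.0
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;user nobody
;group nogroup
EOF
}

# configure_server_conf IN OUT: port 443, 2048-bit DH, push the default route
# and DNS servers to clients, drop root privileges after start. The Google DNS
# line is appended at the end; the position of a push directive does not matter.
configure_server_conf() {
    sed \
        -e 's/^port 1194$/port 443/' \
        -e 's/^dh dh1024\.pem$/dh dh2048.pem/' \
        -e 's/^;push "redirect-gateway def1 bypass-dhcp"/push "redirect-gateway def1 bypass-dhcp"/' \
        -e 's/^;push "dhcp-option DNS 208\.67\.222\.222"/push "dhcp-option DNS 208.67.222.222"/' \
        -e 's/^;push "dhcp-option DNS 208\.67\.220\.220"/push "dhcp-option DNS 208.67.220.220"/' \
        -e 's/^;user nobody$/user nobody/' \
        -e 's/^;group nogroup$/group nogroup/' \
        "$1" > "$2"
    printf 'push "dhcp-option DNS 8.8.8.8"\n' >> "$2"
}

# check_server_conf FILE: return 1 (and say which) if any directive the post
# expects is missing or still commented out.
check_server_conf() {
    for want in '^port 443$' '^dh dh2048\.pem$' \
                '^push "redirect-gateway def1 bypass-dhcp"' \
                '^push "dhcp-option DNS 8\.8\.8\.8"$' \
                '^user nobody$' '^group nogroup$'; do
        grep -q "$want" "$1" || { echo "server.conf is missing: $want" >&2; return 1; }
    done
}

# enable_ip_forward IN OUT: uncomment net.ipv4.ip_forward=1 (step 3). IN and
# OUT may be the same file. The setting is read at boot; `sysctl -p` applies
# it immediately (not run here because it needs root).
enable_ip_forward() {
    sed -e 's/^#net\.ipv4\.ip_forward=1$/net.ipv4.ip_forward=1/' "$1" > "$2.tmp"
    mv "$2.tmp" "$2"
}

# Stand-alone demo on temporary copies of constructed input.
demo() {
    d=$(mktemp -d)
    write_sample_server_conf "$d/sample.conf"
    configure_server_conf "$d/sample.conf" "$d/server.conf"
    check_server_conf "$d/server.conf"
    printf '#net.ipv4.ip_forward=1\n' > "$d/sysctl.conf"
    enable_ip_forward "$d/sysctl.conf" "$d/sysctl.conf"
    cat "$d/server.conf" "$d/sysctl.conf"
    rm -rf "$d"
}
demo
```

For the real files, call configure_server_conf with the unpacked sample as input and /etc/openvpn/server.conf as output, and enable_ip_forward with /etc/sysctl.conf as both arguments, then run sysctl -p. The masquerade rule is not scripted because its interface name is machine-specific: eth0 on the BananaPi here, and it must be the interface that carries the default route.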
Step 4: Generate the RSA keys
Copy easy-rsa into /etc/openvpn so that a package upgrade cannot overwrite the keys:
cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir /etc/openvpn/easy-rsa/keys
Edit the certificate attributes:
nano /etc/openvpn/easy-rsa/vars
export KEY_COUNTRY="TW"
export KEY_PROVINCE="TW"
export KEY_CITY="TPE"
export KEY_ORG="My Company Name"
export KEY_EMAIL="aaaa@bbbb.com"
export KEY_OU="MYOrganizationalUnit"
export KEY_NAME="server"
Done; remember to press ctrl-x and save. (Also check that KEY_SIZE in the same file is 2048, so the CA, server and client keys are as strong as the 2048-bit DH parameters.)
Generate the Diffie-Hellman parameters; this takes about 10 minutes on the BananaPi....
openssl dhparam -out /etc/openvpn/dh2048.pem 2048
Step 5: Build the server and client keys
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
Build the server key (for details see How To Set Up an OpenVPN Server on Ubuntu 14.04):
./build-key-server server
Build the client keys; it is best to make several at once so spares are on hand. Each device gets its own certificate, so one device can be revoked later without affecting the others.
For phone1:
./build-key phone1
For phone2:
./build-key phone2
For pad1:
./build-key pad1
For pad2:
./build-key pad2
For PC1:
./build-key pc1
These steps create the .crt and .key files in the keys directory. Note that ./clean-all empties that directory: when adding more clients later, run source ./vars again but do not run ./clean-all, or the CA and every existing certificate are lost.
Step 6: Edit the client .ovpn file
First copy the template:
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn
cd /etc/openvpn/easy-rsa/keys
Make phone1's .ovpn:
cp client.ovpn phone1.ovpn
nano phone1.ovpn
remote my-server-1 1194 => remote xxxx.xxxx.xxxx (the server's registered hostname, regis.xxx.xxx, or its public IP) 443
;user nobody => remove the leading ;
;group nogroup => remove the leading ;
cert client.crt => cert phone1.crt
key client.key => key phone1.key
Repeat the same steps for phone2, pad1/2, the PC and so on. The proto line must match the server: the sample uses udp on both sides, so if the server was switched to tcp, change it here as well.
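Generating the profiles of step 6 for all five clients at once, added here as an example that is not part of the original post. make_ovpn applies the same edits as the nano session above; inline_ovpn then folds ca.crt, NAME.crt and NAME.key into the profile using OpenVPN's inline <ca>/<cert>/<key> blocks (supported since OpenVPN 2.1), so a single file is copied to each device instead of the four files of step 8. The template excerpt is constructed from the sample-config lines step 6 edits, the server name vpn.example.org is a hypothetical placeholder, and the PEM files the demo writes are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the original post): build one .ovpn per client with
# the step 6 edits, then embed the CA, certificate and key in the profile.
set -eu

# Constructed excerpt of the sample client.conf: the lines step 6 edits plus
# the proto line, which must match the server's.
write_client_template() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote my-server-1 1194
resolv-retry infinite
nobind
;user nobody
;group nogroup
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
EOF
}

# make_ovpn TEMPLATE NAME HOST PORT OUT: the same edits as nano in step 6.
make_ovpn() {
    sed \
        -e "s/^remote my-server-1 1194$/remote $3 $4/" \
        -e 's/^;user nobody$/user nobody/' \
        -e 's/^;group nogroup$/group nogroup/' \
        -e "s/^cert client\.crt$/cert $2.crt/" \
        -e "s/^key client\.key$/key $2.key/" \
        "$1" > "$5"
}

# pem_body FILE: print only the PEM block. easy-rsa writes a human-readable
# dump above the certificate in .crt files; that text must not go into the profile.
pem_body() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# inline_ovpn PROFILE KEYDIR NAME OUT: drop the ca/cert/key file references
# and append <ca>, <cert> and <key> blocks holding the file contents.
inline_ovpn() {
    grep -v -e '^ca ' -e '^cert ' -e '^key ' "$1" > "$4"
    for tag in ca cert key; do
        case $tag in
            ca)   f="$2/ca.crt" ;;
            cert) f="$2/$3.crt" ;;
            key)  f="$2/$3.key" ;;
        esac
        { printf '<%s>\n' "$tag"; pem_body "$f"; printf '</%s>\n' "$tag"; } >> "$4"
    done
}

# Demo with constructed placeholder PEM files (not real credentials) for the
# same five clients as above and a hypothetical server name.
demo() {
    d=$(mktemp -d)
    write_client_template "$d/client.ovpn"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA' '-----END CERTIFICATE-----' > "$d/ca.crt"
    for name in phone1 phone2 pad1 pad2 pc1; do
        printf '%s\n' 'Certificate:' '    (easy-rsa text dump, constructed)' \
            '-----BEGIN CERTIFICATE-----' "PLACEHOLDER-$name" '-----END CERTIFICATE-----' > "$d/$name.crt"
        printf '%s\n' '-----BEGIN PRIVATE KEY-----' "PLACEHOLDER-$name" '-----END PRIVATE KEY-----' > "$d/$name.key"
        make_ovpn "$d/client.ovpn" "$name" vpn.example.org 443 "$d/$name.ovpn"
        inline_ovpn "$d/$name.ovpn" "$d" "$name" "$d/$name-inline.ovpn"
    done
    cat "$d/phone1-inline.ovpn"
    rm -rf "$d"
}
demo
```

For the real files, point KEYDIR at /etc/openvpn/easy-rsa/keys and pass the server's public name from step 6. Whichever form is used, the profile or its .key file is the device's credential: move it over scp as in step 8, never by mail or chat, and remove it from any intermediate machine afterwards.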
Step 7: Start the OpenVPN server
cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn
service openvpn start
or
service openvpn restart
service openvpn status
If it does not come up, the reason is logged in /var/log/syslog.
《Important!!》 Remember to open port 443 on the WiFi AP and forward it to the BananaPi's IP, port 443. The forwarded protocol must match the proto line in server.conf (UDP with the sample config).
Step 8: Set up the Android phone
Copy each client's .crt, .key and .ovpn files together with ca.crt to regis's home directory and change their owner and group (the target directories must exist first):
mkdir -p /home/regis/vpn/phone1 /home/regis/vpn/phone2 /home/regis/vpn/pad1
cp -r /etc/openvpn/easy-rsa/keys/{phone1.*,ca.crt} /home/regis/vpn/phone1/.
cp -r /etc/openvpn/easy-rsa/keys/{phone2.*,ca.crt} /home/regis/vpn/phone2/.
cp -r /etc/openvpn/easy-rsa/keys/{pad1.*,ca.crt} /home/regis/vpn/pad1/.
....
cd /home/regis/vpn/phone1
chown regis *
chgrp regis *
(This step is so the files can be copied to the Macbook with scp. The .key file is the device's credential, so do not leave it readable by other accounts.)
The others are done the same way.
Copy to the Macbook:
scp -P xxxx 192.168.x.xxx:/home/regis/vpn/phone1/* ./vpn_keys/phone1/.
The 4 files that matter:
ca.crt
phone1.crt
phone1.key
phone1.ovpn
scp -P xxxx 192.168.x.xxx:/home/regis/vpn/phone2/* ./vpn_keys/phone2/.
Then copy them to the phone and the PC.
Step 9: Set up the PC
《Takeaways》
I found the connection speed to be fast; I will see how the rest works on my next business trip.
References: