(一) Several common VPN protocols
Seeing people on the forum playing with VPNs, I tried it out myself too. Relatively speaking, PPTP is the easiest to set up, OpenVPN is next, and L2TP/IPsec seems more troublesome (although it is easy to set up with SoftEther). Below is a comparison of the VPN types:
- PPTP
PPTP is a fast and easy-to-use protocol with a simple setup process. It is a good choice if OpenVPN isn't supported by your device.
- L2TP/IPsec
L2TP/IPsec is a protocol built into most desktop, phone, and tablet devices. It is a good choice if OpenVPN isn't supported by your device and security is the top priority.
- OpenVPN
OpenVPN is the recommended protocol for desktops including Windows, Mac OS and Linux. Highest performance: fast, secure and reliable.
(Reference: http://www.giganews.com/vyprvpn/compare-vpn-protocols.html)
(二) Routing vs. Bridging
An important requirement when using a VPN is that all Internet traffic must go through the VPN, so you have to consider how the server's physical network connects to the virtual network. Generally speaking, routing is easier: it works directly on a router, and routing on Windows and Linux is fairly simple.
(Reference: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting)
(三) Specific procedures
(1) TomatoUSB OpenVPN (Linksys WRT54G)
Reference: http://www.howtogeek.com/60774/connect-to-your-home-network-from-anywhere-with-openvpn-and-tomato/
The troublesome part of OpenVPN is creating the encryption certificates and keys. Note that if you use a simple static key, only one user can be supported.
Setting up an OpenVPN server on a Tomato router is the easiest. The drawback is that it can only use certificates; usernames and passwords cannot be added.
(2) OpenVPN Server on Windows (Dell desktop, Pentium 4 CPU + 2 GB RAM)
References:
(a) Installation: https://community.openvpn.net/openvpn/wiki/HOWTO#WindowsNotes
(b) Internet access over the VPN: Windows XP as OpenVPN server with redirect-gateway
Goal:
- Your Windows XP PC becomes an Internet gateway, using OpenVPN server mode. Traffic can be tunneled from any OpenVPN client.
Scope:
- This example assumes that you already know how to install OpenVPN and set up keys and/or certificates. For the scope of this example, information about key and certificate management will not be provided.
Overview:
- We'll set up a server.ovpn, a client.ovpn, and some Windows XP settings. Keep in mind that .ovpn is the Windows equivalent of .conf in Linux.
Key point: how to exchange traffic between the virtual network and the physical network?
Start -> Right-click My Computer -> Manage Services
Right-click Routing and Remote Access -> Properties -> Automatic
Right-click Routing and Remote Access -> Start
Next:
Control Panel -> Network Connections -> Local Area Connection ->
Properties -> Advanced
-> Tick the box "Allow other network users to connect through this computer's Internet connection"
From the drop-down list select "Local Area Connection X", or whatever is the connection name of your TAP OpenVPN server interface.
Start -> Run -> regedit (type regedit)*
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: IPEnableRouter
Type: REG_DWORD
Data: 0x00000001 (1)
*Since this is Windows XP, you should restart Windows after making changes to the registry.
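The service and registry steps above, scripted so they can be applied and checked in one place. This is an added example, not part of the original post or of the OpenVPN wiki; it assumes an elevated PowerShell 2.0 or later prompt (available on Windows XP SP3) and uses the real service name RemoteAccess for "Routing and Remote Access".

```powershell
# Added example: enable IP forwarding and the Routing and Remote Access service
# for a Windows OpenVPN gateway, then report the resulting state.
# Run from an elevated PowerShell prompt. Assumption: PowerShell 2.0 or later.

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$valueName = 'IPEnableRouter'

function Get-IpForwardingState {
    # Returns the current REG_DWORD value, or 0 if the value does not exist.
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$valueName
}

function Enable-IpForwarding {
    # REG_DWORD 1 makes the TCP/IP stack forward packets between interfaces.
    Set-ItemProperty -Path $regPath -Name $valueName -Value 1 -Type DWord
}

function Enable-RoutingService {
    # "Routing and Remote Access" is the RemoteAccess service; set it to start
    # automatically and start it now.
    Set-Service -Name RemoteAccess -StartupType Automatic
    Start-Service -Name RemoteAccess
}

$before = Get-IpForwardingState
Write-Host "IPEnableRouter before: $before"
if ($before -ne 1) { Enable-IpForwarding }
Enable-RoutingService

Write-Host "IPEnableRouter after:  $(Get-IpForwardingState)"
Write-Host "RemoteAccess service:  $((Get-Service -Name RemoteAccess).Status)"
Write-Host "Windows XP reads IPEnableRouter at boot: restart before testing the tunnel."
```

Running it a second time is harmless: the value is only written when it is not already 1, so the script doubles as a quick check that forwarding is still enabled after a reboot.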
(3) SoftEther VPN Server on Windows: L2TP and OpenVPN (Dell desktop, Pentium 4 CPU + 2 GB RAM)
SoftEther VPN ("SoftEther" means "Software Ethernet") is one of the world's most powerful and easy-to-use multi-protocol VPN software packages. It runs on Windows, Linux, Mac, FreeBSD and Solaris.
Reference: https://www.softether.org/4-docs/1-manual/7._Installing_SoftEther_VPN_Server/7.2_Install_on_Windows_and_Initial_Configurations
Key point: how to exchange traffic between the virtual network and the physical network?
Reference: https://www.softether.org/index.php?title=4-docs/1-manual/3._SoftEther_VPN_Server_Manual/3.7_Virtual_NAT_%26_Virtual_DHCP_Servers
Advantages of SoftEther OpenVPN:
(1) Softether.net provides DDNS (installed automatically by the software).
(2) SoftEther provides user management; user passwords can be set.
(3) The server/client .ovpn configuration files are generated automatically, and the encryption certificates and keys are all generated by the software.
(4) Besides the configuration file, users also need a username and password to connect, which gives better security.
(四) Firewall port forwarding
Because the OpenVPN router and the PC are both behind a firewall, port forwarding has to be set up on the first-level router.
If Windows Firewall is turned on, the OpenVPN port also has to be allowed through it.
The biggest advantage of OpenVPN is that the TCP/UDP port number can be chosen freely; in particular, choosing TCP 80/443 makes the traffic look the same as HTTP/HTTPS, so it is not easily blocked.