如何在 VPS 上设置 VPN

hbghlyj

今天参考computingforgeeks.com操作了一次:
下载并执行openvpn-install.sh

1. wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh

复制代码

client名称 我填的是test20230402 其它都是默认的(按Enter过去)

1. Welcome to this OpenVPN road warrior installer!
3. Which protocol should OpenVPN use?
4.    1) UDP (recommended)
5.    2) TCP
6. Protocol [1]:
8. What port should OpenVPN listen to?
9. Port [1194]:
11. Select a DNS server for the clients:
12.    1) Current system resolvers
13.    2) Google
14.    3) 1.1.1.1
15.    4) OpenDNS
16.    5) Quad9
17.    6) AdGuard
18. DNS server [1]:
20. Enter a name for the first client:
21. Name [client]: test20230402
23. OpenVPN installation is ready to begin.
24. Press any key to continue...
25. Get:1 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
26. Hit:2 http://archive.canonical.com/ubuntu focal InRelease
27. Hit:3 http://archive.ubuntu.com/ubuntu focal InRelease
28. Get:4 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [2082                                                                              kB]
29. Get:5 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
30. Get:6 http://security.ubuntu.com/ubuntu focal-security/main Translation-en [338                                                                              kB]
31. Get:7 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [                                                                             820 kB]
32. Get:8 http://security.ubuntu.com/ubuntu focal-security/universe Translation-en [                                                                             164 kB]
33. Get:9 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [2464 k                                                                             B]
34. Get:10 http://archive.ubuntu.com/ubuntu focal-updates/main Translation-en [420 k                                                                             B]
35. Get:11 http://archive.ubuntu.com/ubuntu focal-updates/restricted amd64 Packages                                                                              [1714 kB]
36. Get:12 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [1                                                                             046 kB]
37. Get:13 http://archive.ubuntu.com/ubuntu focal-updates/universe Translation-en [2                                                                             46 kB]
38. Fetched 9523 kB in 4s (2606 kB/s)
39. Reading package lists... Done
40. Reading package lists... Done
41. Building dependency tree
42. Reading state information... Done
43. ca-certificates is already the newest version (20211016ubuntu0.20.04.1).
44. openssl is already the newest version (1.1.1f-1ubuntu2.17).
45. The following additional packages will be installed:
46.   libpkcs11-helper1
47. Suggested packages:
48.   resolvconf openvpn-systemd-resolved easy-rsa
49. The following NEW packages will be installed:
50.   libpkcs11-helper1 openvpn
51. 0 upgraded, 2 newly installed, 0 to remove and 6 not upgraded.
52. Need to get 521 kB of archives.
53. After this operation, 1345 kB of additional disk space will be used.
54. Get:1 http://archive.ubuntu.com/ubuntu focal/main amd64 libpkcs11-helper1 amd64                                                                              1.26-1 [44.3 kB]
55. Get:2 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 openvpn amd64 2.                                                                             4.7-1ubuntu2.20.04.4 [476 kB]
56. Fetched 521 kB in 1s (721 kB/s)
57. Preconfiguring packages ...
58. Selecting previously unselected package libpkcs11-helper1:amd64.
59. (Reading database ... 252268 files and directories currently installed.)
60. Preparing to unpack .../libpkcs11-helper1_1.26-1_amd64.deb ...
61. Unpacking libpkcs11-helper1:amd64 (1.26-1) ...
62. Selecting previously unselected package openvpn.
63. Preparing to unpack .../openvpn_2.4.7-1ubuntu2.20.04.4_amd64.deb ...
64. Unpacking openvpn (2.4.7-1ubuntu2.20.04.4) ...
65. Setting up libpkcs11-helper1:amd64 (1.26-1) ...
66. Setting up openvpn (2.4.7-1ubuntu2.20.04.4) ...
67. * Restarting virtual private network daemon.                            [ OK ]
68. Created symlink /etc/systemd/system/multi-user.target.wants/openvpn.service → /l                                                                             ib/systemd/system/openvpn.service.
69. Processing triggers for systemd (245.4-4ubuntu3.20) ...
70. Processing triggers for man-db (2.9.1-1) ...
71. Processing triggers for libc-bin (2.31-0ubuntu9.9) ...
73. Notice
74. ------
75. 'init-pki' complete; you may now create a CA or requests.
77. Your newly created PKI dir is:
78. * /etc/openvpn/server/easy-rsa/pki
80. * Using Easy-RSA configuration:
82. * IMPORTANT: Easy-RSA 'vars' template file has been created in your new PKI.
83.              Edit this 'vars' file to customise the settings for your PKI.
84.              To use a global vars file, use global option --vars=<YOUR_VARS>
86. * Using x509-types directory: /etc/openvpn/server/easy-rsa/x509-types
88. * Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
90. * Using Easy-RSA configuration: /etc/openvpn/server/easy-rsa/pki/vars
91. ................................................................................                                                                             .+++++
92. .......+++++
94. Notice
95. ------
96. CA creation complete and you may now import and sign cert requests.
97. Your new CA certificate file for publishing is at:
98. /etc/openvpn/server/easy-rsa/pki/ca.crt
100. * Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
102. * Using Easy-RSA configuration: /etc/openvpn/server/easy-rsa/pki/vars
103. Generating a RSA private key
104. ...............................+++++
105. .........+++++
106. writing new private key to '/etc/openvpn/server/easy-rsa/pki/6734298d/temp.bcb12                                                                             f7c'
107. -----
109. Notice
110. ------
111. Keypair and certificate request completed. Your files are:
112. req: /etc/openvpn/server/easy-rsa/pki/reqs/server.req
113. key: /etc/openvpn/server/easy-rsa/pki/private/server.key
114. Using configuration from /etc/openvpn/server/easy-rsa/pki/6734298d/temp.73295085
115. Check that the request matches the signature
116. Signature ok
117. The Subject's Distinguished Name is as follows
118. commonName            :ASN.1 12:'server'
119. Certificate is to be certified until Mar 30 20:53:56 2033 GMT (3650 days)
121. Write out database with 1 new entries
122. Data Base Updated
124. Notice
125. ------
126. Certificate created at:
127. * /etc/openvpn/server/easy-rsa/pki/issued/server.crt
129. Notice
130. ------
131. Inline file created:
132. * /etc/openvpn/server/easy-rsa/pki/inline/server.inline
134. * Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
136. * Using Easy-RSA configuration: /etc/openvpn/server/easy-rsa/pki/vars
137. Generating a RSA private key
138. ...................+++++
139. .......+++++
140. writing new private key to '/etc/openvpn/server/easy-rsa/pki/3230792d/temp.80e3f                                                                             e56'
141. -----
143. Notice
144. ------
145. Keypair and certificate request completed. Your files are:
146. req: /etc/openvpn/server/easy-rsa/pki/reqs/test20230402.req
147. key: /etc/openvpn/server/easy-rsa/pki/private/test20230402.key
148. Using configuration from /etc/openvpn/server/easy-rsa/pki/3230792d/temp.f54f2cb0
149. Check that the request matches the signature
150. Signature ok
151. The Subject's Distinguished Name is as follows
152. commonName            :ASN.1 12:'test20230402'
153. Certificate is to be certified until Mar 30 20:53:56 2033 GMT (3650 days)
155. Write out database with 1 new entries
156. Data Base Updated
158. Notice
159. ------
160. Certificate created at:
161. * /etc/openvpn/server/easy-rsa/pki/issued/test20230402.crt
163. Notice
164. ------
165. Inline file created:
166. * /etc/openvpn/server/easy-rsa/pki/inline/test20230402.inline
168. * Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
170. * Using Easy-RSA configuration: /etc/openvpn/server/easy-rsa/pki/vars
171. Using configuration from /etc/openvpn/server/easy-rsa/pki/8b32d5f9/temp.4ef1748e
173. Notice
174. ------
175. An updated CRL has been created.
176. CRL file: /etc/openvpn/server/easy-rsa/pki/crl.pem
177. Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-iptables.ser                                                                             vice → /etc/systemd/system/openvpn-iptables.service.
178. Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-server@serve                                                                             r.service → /lib/systemd/system/openvpn-server@.service.
180. Finished!
182. The client configuration is available in: /root/test20230402.ovpn
183. New clients can be added by running this script again.

复制代码

根据上面写的,在/root下,将出现配置文件test20230402.ovpn

用 FTP client 连接到您的 VPS 将这个配置文件传输到您的设备
安装Windows客户端 建议访问官网下载最新版 (截至2023-08-23的最新版本为3.4.1) 并选择 Import Profile 导入配置文件
导入完配置文件,就连接上了[查询IP就变成了VPS的IP] 以后可能会遇到什么问题, 我再来补充

Android手机可以在Google Play安装OpenVPN app
直接执行那个Bash脚本虽然方便, 但是如果以后遇到什么问题, 可能需要根据Ubuntu官方教程来做.

hbghlyj

Known blocked methods写道

The OpenVPN protocol is detected and blocked. Connections not using symmetric keys or using "tls-auth" are blocked at handshake, and connections using the new "tls-crypt" option are detected and throttled (under 56kbit/s) by the QoS filtering system

Wikipedia–OpenVPN写道

由于OpenVPN通讯协议特征明显，当从中国大陆向境外OpenVPN服务器传输大量数据或进行频繁连接后，防火长城会封锁OpenVPN服务器所使用的TCP/UDP端口或服务器IP地址，使OpenVPN无法连接。而在敏感时期则会针对OpenVPN服务器回送证书完成握手创建有效加密连接时干扰连接，在使用TCP协议模式时握手会被连接重置，而使用UDP协议时含有服务器认证证书的数据包会被故意丢弃，使OpenVPN无法创建有效加密连接而连接失败。而在中国大陆内部的连接不受这种限制。

vpncn写道

除非你是网络安全技术方面的大咖或者有捣腾VPS这方面的兴趣，否则我现在不建议这么做，尤其是采用目前流行的脚本的方法，ip很容易死。

过去几年租用VPS服务器自建翻墙工具一度很流行，以前很多有点技术基础的人也在用这种方法，买了VPS服务器，下载安装脚本文件，就能翻墙了。这种方案的好处是服务器独享，仅自己一个人用，如果服务器有CN线路的话速度上也有优势，确实在刚开始我也推荐大家这样做，因为一个人独享一台服务器的资源，而且翻墙的成本也不高。但缺点就是现在使用市面通用协议的IP太容易被墙，尤其是搬瓦工、Vultr和DO这些国内用户众多的机房，因为防火长城不断在升级，对于翻墙流量的识别越来越精准。这些流行且技术含量不高的翻墙方法对于防火长城来说只需一眼就知道你在翻墙，然后导致ip被封...

个人使用VPS翻墙就很蛋疼了，被封了只能花钱换IP，很可能下一个IP又是被封的，总之够折腾！这种VPS搭搭网站还行，用来翻墙还是算了。

Wikipedia–OpenVPN又写道

伪装的改进
Stunnel，通过使用Stunnel转发OpenVPN流量以消除OpenVPN的协议特征，达到提供安全保护与流量伪装的目的（通常将Stunnel设置于443端口伪装成Web网站）。
KCPtun，使用KCPtun将OpenVPN流量转为UDP流量传输，也可以消除OpenVPN的协议特征。

hbghlyj

Wikipedia—Great Firewall写道

Tor still functions in China using independently published Obfs4 bridges and meek.

Graphic from Tor Project providing directions for using pluggable transports to bypass censorship.

Tor可插拔传输的使用說明，其中使用流量混淆技術來增强抵抗審查的能力。

Wikipedia—Internet censorship in China写道

Tor Obfs4 bridges still work in China as long as the IPs are discovered through social networks or self-published bridges.

Tor now primarily functions in China using Snowflake and meeks which works via front-end proxies hosted on Content Delivery Networks (CDNs) to obfuscate the information coming to and from the source and destination, it is a type of pluggable transport. Examples are Microsoft's Azure and Cloudflare.

FlatAssembler写道

These days, the TOR anti-censorship team seems to be putting all its faith into a pluggable transport called SnowFlake, which also tries to imitate video conferencing software.

Censorship Circumvention Tools and Pluggable Transports

hbghlyj

刚才重装了一下，运行安装程序openvpn-install.sh时报错Module tun not found.
根据superuser.com运行

1. mkdir /dev/net
2. mknod /dev/net/tun c 10 200

复制代码

再安装就成功了