Setting up a VPN: from simple to complex

English version

Here is the full instruction on how to set up a VPN on the router and
let multiple clients (laptops, phones) use it to access the internet.
For a single laptop you don't need chapter 2 or the Linux part; just
use the Windows package.

1. VPN setup.

I used a HotSpotVPN account (www.hotspotvpn.com). They provide two types
of VPN: PPTP-based (they call it VPN-1) and SSL-based (VPN-2). PPTP (VPN-1)
doesn't work from China, as it is usually blocked at the ISP, so
SSL (VPN-2) is the only choice. They offer 3 types of encryption:
Blowfish 128, AES-192 and AES-256. I took AES-192 for 11.88 USD per
month. VPN-1 is free if you buy VPN-2.

(You can use any VPN service; it just has to work at your ISP.)

You should get several e-mails in your mailbox; two of them are important:
— VPN-1 credentials: login (your e-mail), password and encryption
server (es.hotspotvpn.com). You can set it up on your Windows laptop or
iPhone and try it as well, or use it in some country other than China :)
— VPN-2 credentials: this is actually a download link, which works for
48 hours only. There are two packages, one for Windows and one for
Linux/Mac. The Windows package is an OpenVPN setup file with your keys
and certificates built in. The Linux package is a 70 kB archive with
16 files.

The Windows package is useful as a backup solution on a Windows laptop.
Install it, run the «Add a new TAP-Win32 virtual ethernet adapter» script
once, then use it. Make sure you don't use it in parallel with the Linux
setup: HotSpotVPN doesn't allow multiple connections with the same
credentials.

The Linux package is needed for the router/gateway PC setup, and the
info below relates to Linux:

2. Router/gateway PC setup.

HW/SW:
My router is a Linksys WRT54GL v1.1 running OpenWrt 8.09, taken
from here: http://openwrt.org/ You can also check DD-WRT firmware as
an option.
On top of OpenWrt I installed openvpn 2.0.9 (opkg install
openvpn). That's all. The firewall is iptables, which is installed by
default. I didn't use any GUI, because I don't have enough space.

AAA WAN leg.
From here: https://sales.hotspotvpn.com/helpdesk/issue_view.asp?ID=4694&CATE=3
********************************************************************************
1. Start an Xterm and create your HotSpotVPN2 directory by typing
«mkdir ~/hotspotvpn2» without the quote marks. It will look like this:

$ mkdir ~/hotspotvpn2
2. Download your certificates and keys from the download link you get
in the welcome email.
3. Unzip the contents of the above file to ~/hotspotvpn2.
4. In the terminal window change to the ~/hotspotvpn2 directory by
typing «cd ~/hotspotvpn2» without the quotes.
5. In the terminal window type the following to start the vpn: «sudo
/usr/local/sbin/openvpn ~/hotspotvpn2/hotspotvpn2.ovpn» without the
quotes. You will have to enter your admin password. You can put this
in a small script file and attach an icon to it if you wish. An
example of a working script «startvpn.sh» is included. You will have
to chmod it to make it executable.
6. When you see the line Initialization Sequence Complete, you are
connected to the vpn.
7. To end your VPN session press Ctrl-C.
********************************************************************************

In short, just extract the contents of the Linux package to the
/home/hotspotvpn2 directory, make the files executable and run the
«openvpn ~/hotspotvpn2/hotspotvpn2.ovpn» command. Please note that the
hotspotvpn2.ovpn file is your actual openvpn config file (not
openvpn.conf). The required changes are listed below, in the LAN leg part.

The most important part is the iptables firewall config; here is my
/etc/firewall.user config with comments:

# accept tunnel packets in the nat PREROUTING chain (the NAT itself is
# the MASQUERADE rule at the end of this file)
iptables -t nat -A PREROUTING -i tun0 -j ACCEPT
# added to make the router reachable over SSH from the internet (WAN is ppp0). Not mandatory.
iptables -I INPUT 3 -p tcp --dport 22 -i ppp0 -j ACCEPT

# Accept all traffic to, from and through the tunnel interfaces.
# Note that the INPUT rules also expose the router's own services to the VPN side.
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT

# added for openvpn: masquerade LAN clients behind the tunnel address
# and let the wan zone forward traffic out of the tunnel
iptables -t nat -A zone_wan_nat -o tun+ -j MASQUERADE
iptables -A zone_wan_ACCEPT -o tun+ -j ACCEPT

BBB LAN leg.

This is the tricky part. Different clients (Windows, OS X, Linux,
Symbian) have problems processing DHCP information when it is pushed
through the VPN tunnel. There are a lot of articles about this on the
internet. So the 100% straightforward solution is to configure the
Google DNS IP addresses on your clients:

8.8.8.8
4.4.4.4

To avoid DNS caching at your ISP, it's better to use real IP addresses
in your openvpn config. You can see them by doing an nslookup of
kamai.dcsanswires.com (the SSL server). Then I would recommend pinging
each address and not using those with high latency (> 300 ms). In
my case I used:
64.27.12.217
208.53.153.7
67.159.22.187
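The "nslookup, then ping each address" step above as a script. This is an added example, not part of the original post: the hostname and the 300 ms threshold are the post's, while the function names and the nslookup/ping output formats it parses (busybox or iputils style) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): automate the "nslookup,
# then ping each address" step and print ready-to-paste "remote <ip>"
# lines for hotspotvpn2.ovpn, fastest first, dropping anything above
# MAX_MS. Assumes busybox/iputils-style nslookup and ping output.
MAX_MS=300

# resolve_ips HOST: print the IPv4 addresses HOST resolves to, one per
# line. The first "Address" line nslookup prints is the resolver itself
# and is skipped; a trailing "#port" is stripped.
resolve_ips() {
    nslookup "$1" 2>/dev/null | awk '
        /^Address/ { for (i = 2; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(#[0-9]+)?$/) {
                sub(/#.*/, "", $i); if (n++) print $i; break } }'
}

# measure IP: print "IP <avg_ms>" or "IP fail" from 3 pings with a 2 s
# reply timeout, using the "min/avg/max" summary line both pings print.
measure() {
    avg=$(ping -c 3 -W 2 "$1" 2>/dev/null \
          | awk '/min\/avg\/max/ { split($4, t, "/"); print t[2] }')
    echo "$1 ${avg:-fail}"
}

# pick_remotes MAX: read "IP ms|fail" lines on stdin, drop failures and
# anything slower than MAX ms, print "remote IP" lines fastest first.
pick_remotes() {
    awk -v max="$1" '$2 != "fail" && $2 + 0 <= max + 0 { print $2, $1 }' \
        | LC_ALL=C sort -n | awk '{ print "remote", $2 }'
}

# Constructed sample of measure output (not real measurements), used when
# no hostname is given so the script can be tried offline.
SAMPLE='64.27.12.217 120.5
208.53.153.7 450.2
67.159.22.187 80.1
192.0.2.1 fail'
demo_remotes() { printf '%s\n' "$SAMPLE" | pick_remotes "$MAX_MS"; }

# Usage on the router: sh pick_remotes.sh kamai.dcsanswires.com
if [ $# -gt 0 ]; then
    resolve_ips "$1" | while read -r ip; do measure "$ip"; done | pick_remotes "$MAX_MS"
else
    demo_remotes
fi
```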

Here are the contents of my hotspotvpn2.ovpn (with my comments):

port 443
proto tcp
verb 3
# SSL servers hostnames are commented
; remote kamai.dcsanswires.com
; remote kamaimd.dcsanswires.com
; remote kamaica.dcsanswires.com
# and real IPs are used.
remote 64.27.12.217
remote 208.53.153.7
remote 67.159.22.187
;remote 64.27.9.195
client
cert ****************.crt
key ************************.key
ca ca.crt
tls-auth ta.key 1
ns-cert-type server
cipher aes-192-cbc
comp-lzo
mute 20
dev tun0
resolv-retry infinite
persist-key
persist-tun
mute-replay-warnings
redirect-gateway def1
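A post-connection check for the two pieces that together send the LAN through the tunnel: the MASQUERADE rule from firewall.user above and the routes that "redirect-gateway def1" in this config installs. This is an added example, not from the original post; it assumes the "ip" package is installed on the router, and the function names and sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): after openvpn prints
# "Initialization Sequence Complete", confirm that the router really
# sends all traffic through the tunnel. Assumes the "ip" package is
# installed; iptables-save comes with the stock iptables package.

# has_def1_routes: read "ip route" output on stdin and succeed when both
# 0.0.0.0/1 and 128.0.0.0/1 leave via tun0. That pair is what
# "redirect-gateway def1" installs: two more-specific routes that win
# over the ISP default route without deleting it.
has_def1_routes() {
    awk 'index($0, "dev tun0") && $1 == "0.0.0.0/1"   { lo = 1 }
         index($0, "dev tun0") && $1 == "128.0.0.0/1" { hi = 1 }
         END { exit !(lo && hi) }'
}

# has_tun_masquerade: read "iptables-save -t nat" output on stdin and
# succeed when some rule masquerades traffic leaving over a tun interface
# (the firewall.user rule "-A zone_wan_nat -o tun+ -j MASQUERADE").
has_tun_masquerade() {
    awk '/^-A / && /-o tun/ && /-j MASQUERADE/ { ok = 1 } END { exit !ok }'
}

# check_tunnel: run both checks against the live router; non-zero if any fails.
check_tunnel() {
    rc=0
    if ip route | has_def1_routes; then echo "PASS: 0.0.0.0/1 and 128.0.0.0/1 via tun0"
    else echo "FAIL: default traffic is not routed through tun0"; rc=1; fi
    if iptables-save -t nat | has_tun_masquerade; then echo "PASS: MASQUERADE on tun+"
    else echo "FAIL: no MASQUERADE rule for tun+ in the nat table"; rc=1; fi
    return $rc
}

# Constructed samples (not captured from a real router) so the checks can
# be exercised offline; addresses are documentation/private ranges.
SAMPLE_ROUTES='0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.0.2.1 dev ppp0
10.8.0.5 dev tun0 scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.1.0/24 dev br-lan scope link src 192.168.1.1'
SAMPLE_NAT='*nat
:zone_wan_nat - [0:0]
-A POSTROUTING -j zone_wan_nat
-A zone_wan_nat -o tun+ -j MASQUERADE
COMMIT'
demo_routes_ok() { printf '%s\n' "$SAMPLE_ROUTES" | has_def1_routes; }
demo_nat_ok() { printf '%s\n' "$SAMPLE_NAT" | has_tun_masquerade; }
# Usage on the router: sh check_tunnel.sh --live
if [ "${1:-}" = "--live" ]; then check_tunnel; fi
```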

That’s all.


Author: hired_geek

By birth I am a Siberian, but I have lived most of my life in St. Petersburg. I travel a lot for work (telecom). In 2009 I transferred to Chengdu, where I intend to live for 2 years.

I manage projects and take part in the architecture of software products. I specialize in virtualization and cloud computing.

I am fond of history, I like reading science fiction and Russian classics and watching good films. Since moving to Chengdu I cycle all the time; the city is almost ideal for it.

I like China, but without exaltation. In Chinese I can order a variety of food, haggle and express a simple thought or instinct. I admit that after 5 months I stopped learning the language, having lost interest in and respect for it.

With the help of Magazeta I want to try to harness the timid doe of my humanities skills together with the horse of my technical ones, and who knows...