openvpn + http-proxy + 免流配置

还在为手机流量苦恼么,本文可以让你的每月流量用不完!!!!(免责声明:本文仅探讨交流免流技术,该技术实为运营商的计费漏洞,不支持或赞成任何实质的此类免流行为)

环境: centos 6.x 32 位(vps)

1)安装epel 源(省略)

2)安装依赖包
# Compiler/build tool group (gcc, make, ...) for the -devel packages below
yum -y groupinstall "Development Tools"

3)安装openvpn 组件

# OpenVPN with PAM, OpenSSL, LZO and easy-rsa in a single transaction
# ("lzo" appeared twice in the original four-command form).
# NOTE(review): pam_krb5 / pam_mysql are installed but no PAM or plugin
# configuration appears on this page — verify they are actually used.
yum -y install \
  openvpn pam_krb5 pam_mysql pam pam-devel \
  openssl openssl-devel \
  lzo lzo-minilzo lzo-devel \
  easy-rsa

4)生成证书

# Work inside the easy-rsa 2.0 tree and edit its "vars" file so that it
# reads as the listing below
cd -- /usr/share/easy-rsa/2.0/
vim vars
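# easy-rsa 2.0 "vars": environment read by build-ca / build-key* / build-dh.
# Load it with "source vars" before running any of those scripts.
export EASY_RSA="$(pwd)"   # $(...) instead of backticks: nests and reads cleanly
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
# whichopensslcnf presumably selects the openssl-*.cnf matching the installed
# openssl — easy-rsa's own helper, not shown on this page
export KEY_CONFIG="$("$EASY_RSA/whichopensslcnf" "$EASY_RSA")"
export KEY_DIR="$EASY_RSA/keys"
# Quoted so the message is one argument even if KEY_DIR contains spaces
echo "NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR"
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
# RSA modulus size for CA, server and client keys
export KEY_SIZE=2048
# NOTE(review): 36500 days is roughly 100 years. A lost or stolen client
# certificate then stays valid until explicitly revoked, and this page sets
# up no CRL. Values kept as the author chose them; a shorter KEY_EXPIRE is
# advisable.
export CA_EXPIRE=36500
export KEY_EXPIRE=36500
# Subject fields stamped into every certificate issued from this CA
export KEY_COUNTRY="CN"
export KEY_PROVINCE="Shanghai"
export KEY_CITY="Shanghai"
export KEY_ORG="freedom"
export KEY_EMAIL="admin@tiaoh.com"
export KEY_OU="freedom"
export KEY_NAME="EasyRSA"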

# Load the variables above into this shell, then reset the key directory
# (clean-all does rm -rf on $KEY_DIR, as its own message warns)
. ./vars
./clean-all

# Root CA certificate and its private key
./build-ca
# Server certificate and key
./build-key-server server

# Client certificates. Per the original note, one certificate can be online
# only once at a time, so issue a separate one per client.
./build-key client1
./build-key client2

# Diffie-Hellman parameters; this step takes a while
./build-dh

# tls-auth key: HMAC on the TLS control channel, so unauthenticated packets
# are dropped before the handshake (the original cites DDoS / UDP flood
# protection)
openvpn --genkey --secret keys/ta.key

5)proxy (基于squid)

#http proxy
# squid for the HTTP proxy; httpd-tools provides the htpasswd command used below
yum -y install squid httpd-tools

# Configuration file; the listing that follows is its content
cat -- /etc/squid/squid.conf

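# Plain-HTTP listener; there is no https_port, so everything a client sends
# here (including proxy credentials) is unencrypted on the wire.
http_port 8080
access_log /var/log/squid/access.log squid
# HTTP Basic authentication against the htpasswd file created below
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
acl password proxy_auth REQUIRED
http_access allow password
# Explicit default. Squid already denies here (the implicit default is the
# opposite of the last http_access rule), but stating it keeps a later
# appended "allow" from silently opening the proxy.
http_access deny all
#acl all src all
#http_access allow all
coredump_dir /var/spool/squid
#header_access Via deny all
#header_access X-Forwarded-For deny all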

#产生密码
# Create the htpasswd file referenced by auth_param above. -c creates (and
# overwrites) the file; "password" is the *user name*. The password itself
# is prompted for interactively, so it does not land in shell history.
htpasswd -c "/etc/squid/passwd" "password"

6) openvpn 配置文件

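# OpenVPN server: TCP, tun device, X.509 auth with the easy-rsa PKI from
# step 4. Relative paths (ca, cert, ta.key, status) resolve against OpenVPN's
# working directory — confirm where the init script starts it.
port "端口"
proto tcp
;dev tap
dev tun
;dev-node MyTap
ca ca.crt
cert server.crt
key server.key # This file should be kept secret

dh dh2048.pem
# Address pool handed out to clients
server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt
keepalive 10 120
# NOTE(review): compressing tunnelled traffic exposes it to compression
# oracle attacks (VORACLE); consider dropping comp-lzo on both sides.
comp-lzo
persist-key
persist-tun

verb 3
ping-timer-rem
# Control-channel HMAC; key direction 0 here, 1 in the client config
tls-auth ./ta.key 0
# Only one status file takes effect (the later directive wins), so the
# earlier duplicate "status openvpn-status.log" has been removed.
status status/tcp.log
log-append /var/log/openvpn-tcp.log
# NOTE(review): BF-CBC is a 64-bit block cipher (SWEET32). It is also the
# default the client config relies on (it sets no "cipher"), so change it
# on both sides at once, e.g. to AES-256-CBC.
cipher BF-CBC
max-clients 50
push "persist-key"
push "persist-tun"
# NOTE(review): explicit-exit-notify is documented for UDP; confirm the
# client accepts it under "proto tcp".
push "explicit-exit-notify 1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Clients may reach each other through the server
client-to-client
# NOTE(review): the client config sends auth-user-pass, but nothing here
# (auth-user-pass-verify / plugin) checks it, so the username/password
# appears to go unverified — confirm. script-security 2 only matters once
# such a script is configured.
script-security 2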

6)防火墙策略

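# NAT for the VPN address pool. The original three rules were: an
# unrestricted "-o venet0 -j MASQUERADE" (it NATed every forwarded packet
# leaving venet0, whatever its source), the same rule limited to
# 10.8.0.0/24, and an SNAT for 10.8.0.0/24 that could never match because
# the MASQUERADE rule before it already did. One rule scoped to the pool
# is enough.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
# If this kernel (OpenVZ, venet0) does not support MASQUERADE, use static
# SNAT to the public address *instead of* the rule above:
#   iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source "你的公网ip"
# NOTE(review): packet forwarding (net.ipv4.ip_forward=1) is enabled nowhere
# on this page, and the FORWARD chain must accept the tun<->venet0 traffic;
# without both, clients get no Internet access — confirm on the host.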

7)重启服务运行

# Enable both services at boot, then (re)start them so the configuration
# above takes effect; same order as the original (openvpn, then squid).
for svc in openvpn squid; do
  chkconfig "$svc" on
done
for svc in openvpn squid; do
  "/etc/init.d/$svc" restart
done

8)openvpn 客户端免流配置

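# OpenVPN client for the server above: TCP, tun, certificate plus
# username/password.
client
dev tun

proto tcp
remote "你的域名或者ip" "你的端口"
#reneg-sec 432000
resolv-retry infinite

# Per-client certificate from step 4 (client1); one per device
ca ca.crt
key client1.key
cert client1.crt
# NOTE(review): compressing tunnelled traffic exposes it to compression
# oracle attacks (VORACLE); drop it here and on the server together.
comp-lzo
verb 3
# Forget the username/password after use instead of caching it in memory
auth-nocache
# Control-channel HMAC key, direction 1 (the server uses 0)
tls-auth ta.key 1
nobind
# Require the server certificate to carry the server extended key usage;
# ns-cert-type is the older nsCertType check, deprecated in favour of
# remote-cert-tls, kept for compatibility.
remote-cert-tls server
ns-cert-type server
# Username/password read from auth.txt. The original also listed a bare
# "auth-user-pass" before this line; the later directive wins, so that
# duplicate was dropped. Keep auth.txt readable by this user only.
auth-user-pass auth.txt
# Send all traffic through the tunnel
redirect-gateway def1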
## China Unicom
#http-proxy-retry
#http-proxy "你的域名或者ip" "你的代理端口" pw.txt
#http-proxy-option EXT1 "X-Online-Host: wap.10010.com"
#http-proxy-option EXT2 "Host: wap.10010.com"
#
## China Telecom (the active profile)
# NOTE(review): pw.txt holds the proxy username/password. The proxy side is
# plain HTTP (squid http_port 8080 above), so these credentials cross the
# carrier network effectively unencrypted before the TLS tunnel exists.
http-proxy-retry
http-proxy "你的域名或者ip" "你的代理端口" pw.txt
http-proxy-option EXT1 "X-Online-Host: ltetp.tv189.com"
http-proxy-option EXT2 "Host: ltetp.tv189.com"
#
## China Mobile - default
#http-proxy-retry
#http-proxy "你的域名或者ip" "你的代理端口" pw.txt
#http-proxy-option EXT1 "POST http://rd.go.10086.cn"
#http-proxy-option EXT1 "GET http://rd.go.10086.cn"
#http-proxy-option EXT1 "X-Online-Host: rd.go.10086.cn"
#http-proxy-option EXT1 "POST http://rd.go.10086.cn"
#http-proxy-option EXT1 "X-Online-Host: rd.go.10086.cn"
#http-proxy-option EXT1 "POST http://rd.go.10086.cn"
#http-proxy-option EXT1 "Host: rd.go.10086.cn"
#http-proxy-option EXT1 "GET http://rd.go.10086.cn"
#http-proxy-option EXT1 "Host: rd.go.10086.cn"
#
## China Mobile - MMS
#http-proxy-retry
#http-proxy "你的域名或者ip" "你的代理端口" pw.txt
#http-proxy-option EXT1 "POST http://mmsc.monternet.com"
#http-proxy-option EXT1 "GET http://mmsc.monternet.com"
#http-proxy-option EXT1 "X-Online-Host: mmsc.monternet.com"
#http-proxy-option EXT1 "CMCC: mmsc.monternet.com"
