Network practice: building an OpenVPN connection without a public IP address

Source: Internet
Author: User
Tags openvpn gui


OpenVPN carries its traffic at the application layer and lets you choose UDP or TCP as the transport. UDP is the more common choice, and this article explains why.

Why an OpenVPN network?


If I want to access my organization's network resources from home, a VPN is a good choice, but setting one up normally requires a VPN server, that is, at least one real IP address, and not everyone has one. Remember, though, that OpenVPN supports UDP transport, and in today's popular BitTorrent world UDP is almost synonymous with NAT traversal. Can OpenVPN use the same mode? If so, it solves many problems.
Imagine:

1. I am a student writing my thesis, but I am away from school and cannot download papers from the school's thesis database. Asking classmates to fetch them is inconvenient and not a real solution. Instead, I can run OpenVPN on any computer inside the school and let it serve the outside through NAT, so that from off campus I can use the network as if I were on campus.

2. I am an office worker who wants to do, from home, things that require being on the organization's network. The organization either has no VPN, or has one but I have no account. I can put OpenVPN on my work machine at the organization, go home, and connect to it from there.


It sounds good, but how is it done? First, a technical prerequisite: you should already know how to configure OpenVPN in the normal case, that is, with a real IP address. If not, search for it on Google; there are many articles.

A host behind a firewall or NAT device that wants to provide a service to the outside, for example to another host that is also behind a NAT device, can use UDP hole punching. There are many articles on the details online; see for example http://www.ppcn.net/n1306c2.aspx


Getting UDP through the firewall

Before UDP hole punching can succeed, the following problems must be solved:

1. Determine the NAT type of both parties. NAT can be roughly divided into two categories: cone NAT and symmetric NAT (for the detailed classification see section 5 of RFC 3489, which defines four types; the first three count as cone NAT and the remaining one is symmetric NAT). The general rule is that UDP hole punching works between cone NATs, while a symmetric NAT cannot be punched. In practice a cone-to-symmetric pair can sometimes be made to work, but this cannot be guaranteed; it depends mainly on the port allocation rule of the symmetric NAT.

How do you determine the NAT type? Use a STUN client to look at the result. The software can be obtained from:

http://sourceforge.net/projects/stun/ (Linux)

Java edition (runs on any operating system): http://jstun.javawi.de/

These tools are easy to use. For the Linux stun, after compiling, run ./client stun01.sipphone.com.
For the Java one, double-click the JAR file to run it; it writes the result to a log file in the same directory. You only need to confirm that neither party is behind a symmetric NAT; if both are, the method described in this article has no hope. If the type query fails, there are two possible causes:

A. You cannot reach this STUN server. Try another server from the STUN list below. If you are a CERNET user and cannot access foreign traffic, there is no way for the moment, because I have not found a domestic STUN server.

B. Your network's firewall blocks UDP. I have seen this situation; it is unusual, and there is no way around it.

If you have confirmed that neither end is a symmetric NAT, read on. Otherwise you may not want to, but there is still a chance.

2. Before communication can be established, each party must tell the other the IP/port assigned to it by its NAT device. This IP/port can also be obtained from a STUN server. There are many free STUN services on the public internet, but they are rare in China.
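As an added illustration (not code from the article or from the natvpn scripts), here is a Python 3 sketch of what the STUN client above does for problems 1 and 2: it builds an RFC 3489 Binding Request, parses the MAPPED-ADDRESS out of the Binding Response, and applies the coarse cone-versus-symmetric rule by comparing the mappings reported by two different servers. The server reply is constructed inline so the code runs offline; `query_stun` is an assumed helper for a live query and the "none"/"cone"/"symmetric" labels are my own simplification of the RFC's four types.

```python
import os
import socket
import struct

BINDING_REQUEST, BINDING_RESPONSE = 0x0001, 0x0101   # RFC 3489 message types
MAPPED_ADDRESS = 0x0001                              # attribute carrying the NAT-mapped endpoint

def build_binding_request(txid=None):
    """20-byte header: type, body length (0), 16-byte transaction ID."""
    txid = txid or os.urandom(16)
    return struct.pack("!HH", BINDING_REQUEST, 0) + txid, txid

def build_binding_response(txid, ip, port):
    """Constructed server reply: one MAPPED-ADDRESS (pad, family=1, port, IPv4)."""
    value = struct.pack("!BBH4s", 0, 1, port, socket.inet_aton(ip))
    body = struct.pack("!HH", MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HH", BINDING_RESPONSE, len(body)) + txid + body

def parse_mapped_address(data, txid):
    """Return (ip, port) from MAPPED-ADDRESS; reject replies that are not ours."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    mtype, mlen = struct.unpack("!HH", data[:4])
    if mtype != BINDING_RESPONSE or data[4:20] != txid:
        raise ValueError("not the Binding Response for our transaction")
    body, off = data[20:20 + mlen], 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        if atype == MAPPED_ADDRESS and alen == 8 and value[1] == 1:
            return socket.inet_ntoa(value[4:8]), struct.unpack("!H", value[2:4])[0]
        off += 4 + alen  # skip attributes we do not understand
    raise ValueError("MAPPED-ADDRESS attribute missing")

def classify_nat(local, mapped_a, mapped_b):
    """Coarse rule from two servers: same mapping -> cone, different -> symmetric."""
    if mapped_a == local:
        return "none"  # our address is already public, no NAT in the path
    return "cone" if mapped_a == mapped_b else "symmetric"

def query_stun(server, port=3478):
    """Live query against a real STUN server (assumed helper, not run offline)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(3.0)
    req, txid = build_binding_request()
    sock.sendto(req, (server, port))
    data, _ = sock.recvfrom(1024)
    sock.close()
    return parse_mapped_address(data, txid)
```

Run `query_stun` from the same socket against two servers in the list below and feed both results to `classify_nat` to get the same yes/no answer the stun client gives.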

The first two problems come down to one thing: finding a free STUN server. The list below shows the ones I have tried, but all of them are abroad, which is bad news for CERNET users. Chinese users are still searching, and I hope someone can provide a lead.

stun01.sipphone.com
stun.ekiga.net
stun.fwdnet.net
stun.ideasip.com
stun.iptel.org
stun.rixtelecom.se
stun.schlund.de
stunserver.org
stun.softjoys.com
stun.voiparound.com
stun.voipbuster.com
stun.voipstunt.com
stun.voxgratia.org
stun.xten.com

3. Now each side knows its real address after NAT mapping, but how does it tell the other side? The widely used BitTorrent applications have an intermediary server for this, but we do not; otherwise I would simply use it as the VPN server.

Solving this is a little troublesome. In my example Gmail is used for the exchange: the client registers one Gmail account and the server registers another. This gives a very slow pipe, but at least the exchange can be completed, and the process works.

At this point each end can look up its own IP/port, and there is a pipe for the two ends to exchange them. What remains is to define a simple protocol that actually drives the process.

How to establish the UDP channel?


1. The client initiates the request and mails the server the IP/port mapped by its NAT.
2. The server queries its own NAT-mapped IP/port and returns it to the client by email. It also punches a hole towards the client's UDP port.
3. After receiving the server's mail, the client sends data to the server's UDP port. The server's UDP port should receive the data and return a UDP message to the client, indicating that the channel has been established.

4. The server starts OpenVPN, the client starts the OpenVPN client, and the VPN connection is established through the channel just created. I made a model implementation of this in Python: not a finished piece of software, just some scripts, but they work stably. Here is how to use them:
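The four-step exchange above, together with the port-range punching described at the end of the article, as an added Python 3 example that is not the author's server.py/client.py: an in-memory mailbox stands in for the two Gmail accounts, both endpoints run on loopback in one process (so there is no real NAT in the path), and the message names PUNCH, HELLO and CHANNEL-OK are my own.

```python
import socket

# Constructed stand-in for the two Gmail accounts used as the signalling channel.
mailbox = {"server": [], "client": []}

def send_mail(to, ip, port):
    mailbox[to].append("%s:%d" % (ip, port))  # body carries the NAT-mapped endpoint

def read_mail(to):
    ip, port = mailbox[to].pop(0).rsplit(":", 1)
    return ip, int(port)

def udp_socket():
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))  # loopback here; behind a real NAT this would be the LAN address
    s.settimeout(1.0)
    return s

def punch_range(sock, ip, port, spread):
    """Hole-punch [port-spread, port+spread] so the NAT maps towards the peer even if the port shifted."""
    for p in range(max(1, port - spread), min(65535, port + spread) + 1):
        sock.sendto(b"PUNCH", (ip, p))

def wait_for(sock, expected, tries=8):
    """Read until the expected message arrives, ignoring stray PUNCH packets."""
    for _ in range(tries):
        data, peer = sock.recvfrom(64)
        if data == expected:
            return peer
    return None

def establish_channel(spread=2):
    """Steps 1-3 of the exchange above, both sides driven in one process."""
    client, server = udp_socket(), udp_socket()
    # Step 1: client mails the endpoint it learned from STUN (here its own socket address)
    send_mail("server", *client.getsockname())
    # Step 2: server mails its endpoint back and punches towards the client's port range
    cip, cport = read_mail("server")
    send_mail("client", *server.getsockname())
    punch_range(server, cip, cport, spread)
    # Step 3: client sends through the hole; the server confirms with CHANNEL-OK
    sip, sport = read_mail("client")
    client.sendto(b"HELLO", (sip, sport))
    peer = wait_for(server, b"HELLO")
    if peer is not None:
        server.sendto(b"CHANNEL-OK", peer)
    ok = wait_for(client, b"CHANNEL-OK") is not None
    client.close()
    server.close()
    return ok  # True: step 4 (starting OpenVPN over this path) can begin
```

Behind real NATs the PUNCH packets to unbound ports are simply dropped; their only job is to create outbound mappings, which is why widening `spread` helps against a symmetric NAT that allocates nearby ports.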

1. Configure OpenVPN. This is identical to the real-IP-address case. Here is a very simple example: the server runs on Linux and the client on Windows, OpenVPN is version 2.0.9, and the client uses OpenVPN GUI for Windows v1.0.3 in its default installation path.

For testing, find two machines (or virtual machines) on the LAN. Change the remote in the client configuration to the IP address/port of the host running the OpenVPN service.

Figure 1 Brief OpenVPN server configuration

Figure 2 Brief OpenVPN client configuration


After configuration, connect to the service from the client, then ping 10.4.0.1 from the client machine. If you get a reply, the configuration is done and you can proceed to the next step. Otherwise find the cause, referring to the OpenVPN documentation and the OpenVPN configuration articles online.

2. Register two Gmail accounts for the exchange, such as openvpn.nat.server@gmail.com and openvpn.nat.client@gmail.com. After registering, go into the Gmail settings and enable IMAP support; otherwise the following steps cannot proceed.

3. Obtain the UDP NAT traversal code. Get the latest package from http://code.google.com/p/natvpn/downloads/list, or the latest code from SVN, and decompress it. In my example the server runs on Linux and the client on Windows, but this has little to do with the system and is only for convenience of illustration; OpenVPN and Python are both cross-platform, so you only need to modify the paths. The Python version is 2.5.

Decompress the package and configure the server first: copy the *.py files and the OpenVPN configuration files to a location of your choice, such as /usr/local/etc, then modify the paths in server.py to match your system:

Figure 3 Variables to be changed in server.py
Then the client: copy the *.py files and the OpenVPN client configuration files to the config directory under the OpenVPN installation path. Note that client.ovpn must be writable, because the script later rewrites the remote address and other parts of the file.

Figure 4 Variables to be changed in client.py

4. Start the server as root:

# ./server.py

5. Go home :) and start the client. On Windows, first install Python; I use ActiveState Python 2.5 because it is easy to install, downloadable from http://www.activestate.com/products/activepython. Then double-click client.py and let it run until it reports that the connection can be established. With the current configuration this takes about three to five minutes,
mainly because the Gmail polling interval is set to 3 minutes. The final output should look like this:

Figure 5 Client prompt after successful UDP hole punching

When you see this, the UDP channel is connected. Start the OpenVPN client as soon as possible (within 1 minute) to complete the connection.

Figure 6 Starting an OpenVPN client connection


My own setup is a symmetric NAT at the organization and a cone NAT at home. I did not have much hope for this connection, but I know a little about the organization's NAT: its port mapping has temporal locality, so I made an optimization in server.py/client.py: it punches holes in a range of ports rather than a single port. With this, the connection is established successfully and has never failed :)

I have to say that OpenVPN's connection quality is very good; I have not experienced a single interruption in this period. It is worth a try!

Reprinted: http://cisco.chinaitlab.com/compose/757854_5.html
