(一)几种常见 VPN Protocols
看坛子里玩VPN, 俺也试验了一下。相对来说, PPTP最容易设置,OpenVPN次之,L2TP/IPsec 似乎比较麻烦(但用Softether容易设置)。 以下是各种VPN比较:
-
PPTP
PPTP is a fast, & easy-to-use protocol with a simple setup process. It is a good choice if OpenVPN isn't supported by your device.
-
L2TP/IPsec
L2TP/IPsec is a protocol built into most desktop, phone, and tablet devices. It is a good choice if OpenVPN isn't supported by your device and security is top priority.
-
OpenVPN
OpenVPN is the recommended protocol for desktops including Windows, Mac OS and Linux. Highest performance - fast, secure and reliable.
(参考: http://www.giganews.com/vyprvpn/compare-vpn-protocols.html)
(二) Routing vs. Bridging
用 VPN 一个重要的要求是所有的上网流量都要走VPN,因此要考虑服务器实际网络与虚拟网络的连接。一般来说,routing 比较容易。 Router上直接就行,Windows 和Linux routing 比较简单。
(参考: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting)
(三)具体操作
(1) TomatoUSB OpenVPN (Linksys WRT54G)
参考: http://www.howtogeek.com/60774/connect-to-your-home-network-from-anywhere-with-openvpn-and-tomato/
OpenVPN麻烦之处在于做加密证书与密钥。注意如果用简单的静态密钥,则只能支持一个用户。
OpenVPN server在Tomato router上设置最容易。 缺点是只能用证书, 不能加用户名与密码。
(2) OpenVPN Server on Windows (Dell Desktop Pentium 4 CPU + 2GB RAM)
参考
(a) 安装: https://community.openvpn.net/openvpn/wiki/HOWTO#WindowsNotes
(b) VPN上网: Windows XP as OpenVPN server with redirect-gateway
Goal:
- Your Windows XP PC becomes an Internet gateway, using OpenVPN server mode. Traffic can be tunneled from any OpenVPN client.
Scope:
- This example assumes that you already know how to install OpenVPN and setup keys and/or certificates. For the scope of this example, information about key and certificate management will not be provided.
Overview:
- We'll setup a server.ovpn, a client.ovpn, and some Windows XP settings. Keep in mind that .ovpn is the Windows equivalent of .conf in Linux.
重点: 如何实现虚拟网络与实体网络的流量交换?
Start -> Right-click My Computer -> Manage Services
Right-click Routing and Remote Access -> Properties -> Automatic
Right-click Routing and Remote Access -> Start
Next:
Control Panel -> Network Connections -> Local Area Connection ->
Properties -> Advanced
-> Tick the box "Allow other network users to connect through this computer's Internet connection"
From the drop-down list select "Local Area Connection X", or whatever is the connection name of your TAP OpenVPN server interface.
Start-> run-> regedit (you type regedit)*
Key: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters
Value: IPEnableRouter
Type: REG_DWORD
Data: 0x00000001 (1)
*Since this is Windows XP, you should restart Windows after making changes to registry.
(3) SoftetherVPN Server on Windows: L2TP and OpenVPN (Dell Desktop Pentium 4 CPU + 2GB RAM)
SoftEther VPN ("SoftEther" means "Software Ethernet") is one of the world's most powerful and easy-to-use multi-protocol VPN software. It runs on Windows, Linux, Mac, FreeBSD and Solaris.
重点: 如何实现虚拟网络与实体网络的流量交换?
Softether OpenVPN 优点:
(1)Softether.net 提供 DDNS(软件自动安装)。
(2)Softether 提供用户管理,可设用户密码。
(3)自动生成 server/client opvn 配置文件,加密证书与密钥都由软件自动生成。
(4)用户连接除了配置文件, 还需要用户名和密码。保密性好。
(四)Firewall port forwarding
因为OpenVPN router 和PC 都在防火墙后面,一级 router 要设 port forwarding。
如果打开 Windows Firewall, 也要做 port forwarding.
OpenVPN 的最大优点, tcp/udp port number 可以随意选择,尤其是选择 tcp 80/443 后与 http/https 流量相同, 不容易被封。
