fangpsh's blog

Revisiting IPv6

ipv6

Tonight I saw someone in this thread say that the 塞尔 IPv6 service is actually just OpenVPN under the hood. The official site only ships a Windows installer, so couldn't you pull the key files and configuration out of it and use them on Linux or OS X?

Register on the 六年级 site and sign up for the free personal plan. You will receive an email with the subject "New Account Information"; note the Username (the email address you registered with) and the Password generated by the site, since both are needed to log in later.

Download the 六年级 client and run the installer. In the install directory (by default C:/Program/六年级) there is a Link folder; part of its contents is what we need, so copy it out for later (the dll and exe files are not needed). (Note: you can also skip the copying and use the files I provide below.)

Taking OS X as the example, install openvpn (see 一键连接VPN for the procedure). I copied the configuration from Link into the /usr/local/etc/openvpn/6nianji directory, which contains the following files:

File: ca.crt

-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----

File: ta.key

#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
a7254f6cdfc1425382b939d777174b52
45e2d5253e3688db2a6e5e5b7e996d99
78210eeb95a7ddad7c2176e63b9ed492
db08cdbb276be3e387f8556a8ab555b3
67c2bc9deb086af5df3e60f15b4fd13b
aa94f6f86c6c3147abe9e700f0b0c17f
ba53a933d6926f3a4ac5b104b2eed07c
e009d3b41b1637f638c537d3d6ef9ea7
4c8cd58cff6dfab30384cf9efc23fb3d
b62f77ffbbacd7d6b2c7e21986e69f02
244bac63c94970b097006ac04b62dac0
e974025f7203e9a4fac977f902291234
f405f71f00ac2b6f7ebc41f99b96f8ca
28b3bb7b7f984da1198aafa2e766926d
13674e1e80afdc1d08c7454d42244258
5da5f8cc31eca36999010c14a433f454
-----END OpenVPN Static key V1-----

File: client.ovpn

client
dev tap
proto udp
remote vpnsrv1.cernewtech.com 80
remote vpnsrv2.cernewtech.com 80
resolv-retry infinite
persist-key
persist-tun
ca /usr/local/etc/openvpn/6nianji/ca.crt
comp-lzo
up /usr/local/etc/openvpn/6nianji/tap-up-down.sh
down /usr/local/etc/openvpn/6nianji/tap-up-down.sh
auth-user-pass /usr/local/etc/openvpn/6nianji/pass
verb 3
mute 20

The auth-user-pass directive in client.ovpn points at a pass file that holds your personal username and password; OpenVPN reads it for login authentication. Note that nothing in client.ovpn references ta.key (there is no tls-auth line), so the copied static key is not actually used by this configuration.

File: pass (fill in the username and password from the email above, one per line. You don't want to type them in by hand every time, do you?)

username 
password 
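The login log further down prints three warnings that come straight from this configuration: the pass file "is group or others accessible", "No server certificate verification method has been enabled" (client.ovpn only has a ca line, so any certificate signed by that CA, including another client's, would be accepted as the server), and "this configuration may cache passwords in memory". The script below is an added example, not code from the original post or from the 六年级 client: it lints a client .ovpn for the two directives that silence the last two warnings, writes a hardened copy, and creates the credentials file owner-readable only. The sample config is the post's client.ovpn verbatim; the function names, the temporary paths and the example credentials are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): lint a client .ovpn for missing
# hardening directives, write a hardened copy, and create the auth-user-pass
# file with mode 0600. All paths and credentials here are constructed.

# Print, one per line, each directive the config lacks:
#   remote-cert-tls  - client otherwise accepts any cert signed by ca.crt as the
#                      server ("No server certificate verification method ...")
#   auth-nocache     - OpenVPN otherwise keeps the password in memory
#                      ("this configuration may cache passwords in memory")
lint_ovpn() {
    for directive in remote-cert-tls auth-nocache; do
        grep -Eq "^[[:space:]]*${directive}([[:space:]]|$)" "$1" || echo "$directive"
    done
}

# Copy a config and append the two directives. tls-auth is deliberately NOT
# added: the post's log shows the handshake completing without it, so the
# server is not enforcing ta.key, and a client-side tls-auth would make the
# client discard the server's unauthenticated packets.
harden_ovpn() {
    src=$1 dst=$2
    cp "$src" "$dst"
    printf '%s\n' "remote-cert-tls server" "auth-nocache" >> "$dst"
}

# Write username/password (one per line) with mode 0600. Setting the umask
# first means the file is owner-only from the moment it exists, with no window
# in which it is readable by others before a later chmod.
write_pass_file() {
    path=$1 user=$2 pass=$3
    old_umask=$(umask)
    umask 077
    printf '%s\n%s\n' "$user" "$pass" > "$path"
    umask "$old_umask"
    chmod 600 "$path"
    # GNU stat first (BSD stat rejects -c with no output), then BSD stat
    perms=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    [ "$perms" = "600" ]
}

# Constructed input: the client.ovpn shown in the post, verbatim.
write_sample_config() {
    cat > "$1" <<'EOF'
client
dev tap
proto udp
remote vpnsrv1.cernewtech.com 80
remote vpnsrv2.cernewtech.com 80
resolv-retry infinite
persist-key
persist-tun
ca /usr/local/etc/openvpn/6nianji/ca.crt
comp-lzo
up /usr/local/etc/openvpn/6nianji/tap-up-down.sh
down /usr/local/etc/openvpn/6nianji/tap-up-down.sh
auth-user-pass /usr/local/etc/openvpn/6nianji/pass
verb 3
mute 20
EOF
}

# Demo in a throwaway directory (the real one is /usr/local/etc/openvpn/6nianji).
demo() {
    dir=$(mktemp -d)
    write_sample_config "$dir/client.ovpn"
    echo "as shipped, missing: $(lint_ovpn "$dir/client.ovpn" | tr '\n' ' ')"
    harden_ovpn "$dir/client.ovpn" "$dir/client-hardened.ovpn"
    echo "hardened, missing: '$(lint_ovpn "$dir/client-hardened.ovpn" | tr '\n' ' ')'"
    write_pass_file "$dir/pass" "user@example.com" "example-password" \
        && echo "pass written with mode 600"
    rm -rf "$dir"
}
demo
```

One caveat on remote-cert-tls server: it requires the server certificate to carry the TLS Web Server Authentication extended key usage. If the 六年级 server certificate lacks it, the connection will fail verification; the fallback on OpenVPN 2.3 is verify-x509-name, pinning the CN that the post's log shows at depth=0 (newtech-BJ), which only covers the server actually seen in that log. The log also shows the data channel negotiating BF-CBC, the 2.3 default 64-bit block cipher; a client-side cipher directive changes that only if the server is configured to match, which the post cannot tell us.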

When I first copied the files from Link over as-is and tried to log in, I hit this error:

write to TUN/TAP : Input/output error (code=5)

I checked the state of the tap0 device and found it wasn't up. Awkward. I found a script online, which is the one that up and down in client.ovpn point to:

File: tap-up-down.sh

#!/bin/sh
#
# openvpn-tap-up-down.sh
#
# A script to be used as an OpenVPN bridged (tap) up/down script on Mac OS X 10.4
# - uses ipconfig to acquire a DHCP lease via the OpenVPN tap interface, and scutil to
#   incorporate the DHCP-supplied DNS configuration
#
# Use in your OpenVPN config file as follows (OpenVPN also needs --script-security 2
# or higher before it will run an external script):
#
#    up    openvpn-tap-up-down.sh
#    down  openvpn-tap-up-down.sh
#
# - up: openvpn calls the 'up' script after the tun/tap interface is created, but before the link
#   to the server is available for use (ditto 'up-delay' at least for UDP)
#   - on testing w/ openvpn 2.0.5, and tcpdump on the tap interface as soon as it comes up,
#     packets are queued up on the interface (and not actually sent over the openvpn tunnel)
#     until *after* this script returns; this makes sense: this script could fail in which
#     case the connection is invalid
#     - this means the DHCP acquisition can't complete until after this script exits
#     - that's not directly a problem as the OS X DHCP client should do everything we need
#       to make the interface functional, all by itself - *except* for one small thing: as of
#       OS X 10.4.7 the DHCP-acquired DNS information is not "merged" into the System
#       Configuration (OS X bug?)
#       - thus we have a chicken-and-egg situation: we need to manually fix up the DNS config,
#         but can't until we get the DHCP lease; we won't get the lease until this script exits
#       - the solution is to spawn a little "helper" that waits until the lease is acquired,
#         and then does the DNS fixup
#
# - down: the only sensible 'down' action is to release the DHCP lease (as a courtesy to the
#   DHCP server), alas it's too late to do this *after* the connection has been shut down (as
#   of OpenVPN 2.0 there's no "pre-disconnect" script option; note that both 'down' and
#   'down-pre' are called only after the connection to the server is closed ('down-pre' before
#   closing the tun/tap device, 'down' after)
#   - OS X automatically cleans up the System Config keys created from ipconfig, but we need to
#     manually remove the DNS fixup
#
# 2006-09-21    Ben Low    original
# 2015-09       AUTOMATIC-V6 line added so the tap interface also gets an IPv6 address
#

# OpenVPN exports the interface name in $dev and 'up' / 'down' in $script_type
if [ -z "$dev" ]; then echo "$0: \$dev not defined, exiting"; exit 1; fi

case "$script_type" in
  up)
    # bring the interface up and set it to DHCP (IPv4) and automatic configuration (IPv6)
    # - System Configuration dynamic store will be automatically updated, with the
    #       State:/Network/Service/DHCP-tap0
    #   data store created.
    # - the ipconfig man page notes that it should only be used for "test and debug" purposes,
    #   and that you're supposed to use the SystemConfiguration APIs to manipulate the network
    #   configuration
    #   - alas, there appears to be no CLI utility other than ipconfig
    /usr/sbin/ipconfig set "$dev" DHCP
    /usr/sbin/ipconfig set "$dev" AUTOMATIC-V6    # added: without this tap0 gets no IPv6 address

    # spawn our little DNS-fixerupper
    {
        # whilst ipconfig will have created the necessary Network Service keys, the DNS
        # settings won't actually be used by OS X unless the SupplementalMatchDomains key
        # is added
        # ref. <http://lists.apple.com/archives/Macnetworkprog/2005/Jun/msg00011.html>
        # - is there a way to extract the domains from the SC dictionary and re-insert
        #   as SupplementalMatchDomains? i.e. not requiring the ipconfig domain_name call?

        # - wait until we get a lease before extracting the DNS domain name and merging into SC
        # - despite its name, ipconfig waitall doesn't (but maybe one day it will :-)
        /usr/sbin/ipconfig waitall

        # usually takes at least a few seconds to get a DHCP lease; back off 0,1,2,3,4 seconds
        sleep 3
        n=0
        while [ -z "$domain_name" ] && [ "$n" -lt 5 ]; do
            sleep "$n"
            n=$((n + 1))
            domain_name=$(/usr/sbin/ipconfig getoption "$dev" domain_name 2>/dev/null)
        done

        if [ -n "$domain_name" ]; then
            /usr/sbin/scutil <<EOF
d.init
get State:/Network/Service/DHCP-$dev/DNS
d.add SupplementalMatchDomains * $domain_name
set State:/Network/Service/DHCP-$dev/DNS
EOF
        fi
    } &
    ;;

  down)
    # for completeness... (note: the SupplementalMatchDomains fixup is not undone here)
    if [ "$(/usr/bin/id -u)" -eq 0 ]; then
        /usr/sbin/ipconfig set "$dev" NONE
    fi
    ;;

  *) echo "$0: invalid script_type" && exit 1 ;;
esac

##### FIN

But if you use this script exactly as this guy provided it, you'll find that tap0 is never assigned an IPv6 address, which is why I added the following line to it above:

     /usr/sbin/ipconfig set "$dev" AUTOMATIC-V6
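The two failures described so far look different from the shell: the "write to TUN/TAP : Input/output error" case is an interface that never came up at all, while the unmodified up script leaves tap0 up but with only a link-local fe80:: address, which is useless for reaching IPv6 sites. The function below is an added example, not part of the original post or of the up/down script: it classifies the state of the tap interface from ifconfig output read on stdin, so it can be run offline on the constructed ifconfig samples included here (addresses are from the 2001:db8::/32 documentation range). The function and sample names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): classify a tap interface from
# `ifconfig <dev>` output. Reads stdin so it works on the constructed samples
# below as well as on a live interface.

# Prints exactly one of: down, no-ipv6, link-local-only, global-ipv6
classify_tap() {
    awk '
        # interface header, e.g. "tap0: flags=8843<UP,BROADCAST,RUNNING,...> mtu 1500"
        /^[A-Za-z0-9]+: flags=/ { if ($0 ~ /[<,]UP[,>]/) up = 1 }
        # address lines are indented (tab in real output); "%tap0" is the zone id
        /^[ \t]+inet6 / {
            addr = $2
            sub(/%.*/, "", addr)
            if (addr ~ /^fe80:/) linklocal = 1    # fe80::/10 is link-local only
            else routable = 1                     # anything else is usable off-link
        }
        END {
            if (!up) print "down"
            else if (routable) print "global-ipv6"
            else if (linklocal) print "link-local-only"
            else print "no-ipv6"
        }'
}

# Live check; a missing interface yields no output from ifconfig and so reports "down".
check_iface() { ifconfig "$1" 2>/dev/null | classify_tap; }

# Constructed samples of what ifconfig prints in each situation.
sample_down() {
    cat <<'EOF'
tap0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
    ether 02:00:00:00:00:01
EOF
}
sample_linklocal() {
    cat <<'EOF'
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 02:00:00:00:00:01
    inet6 fe80::1%tap0 prefixlen 64 scopeid 0xa
    inet 10.0.0.5 netmask 0xffffff00 broadcast 10.0.0.255
EOF
}
sample_global() {
    cat <<'EOF'
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 02:00:00:00:00:01
    inet6 fe80::1%tap0 prefixlen 64 scopeid 0xa
    inet6 2001:db8:1:2:0:0:0:10 prefixlen 64 autoconf
    inet 10.0.0.5 netmask 0xffffff00 broadcast 10.0.0.255
EOF
}

for s in sample_down sample_linklocal sample_global; do
    echo "$s: $($s | classify_tap)"
done
```

Run `check_iface tap0` after "Initialization Sequence Completed": "down" points at the up script not running at all (for instance without --script-security 2), "link-local-only" at the missing AUTOMATIC-V6 line, and only "global-ipv6" means the tunnel is actually usable for IPv6.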

At this point, when you run openvpn to log in, you may see the following WARNING:

WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.

So just add the --script-security 2 option as suggested:

sudo /usr/local/sbin/openvpn  --config /usr/local/etc/openvpn/6nianji/client.ovpn --script-security 2

Make yourself a short alias for it.

Here is the login log:

➜  ~  sudo /usr/local/sbin/openvpn  --config /usr/local/etc/openvpn/6nianji/client.ovpn --script-security 2
Sun Sep 13 22:20:34 2015 OpenVPN 2.3.7 x86_64-apple-darwin14.4.0 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jul 30 2015
Sun Sep 13 22:20:34 2015 library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
Sun Sep 13 22:20:34 2015 WARNING: file '/usr/local/etc/openvpn/6nianji/pass' is group or others accessible
Sun Sep 13 22:20:34 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Sep 13 22:20:34 2015 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Sep 13 22:20:34 2015 Socket Buffers: R=[196724->65536] S=[9216->65536]
Sun Sep 13 22:20:34 2015 UDPv4 link local (bound): [undef]
Sun Sep 13 22:20:34 2015 UDPv4 link remote: [AF_INET]121.194.13.130:80
Sun Sep 13 22:20:35 2015 TLS Error: local/remote TLS keys are out of sync: [AF_INET]121.194.13.130:80 [0]
Sun Sep 13 22:20:35 2015 TLS Error: local/remote TLS keys are out of sync: [AF_INET]121.194.13.130:80 [0]
Sun Sep 13 22:20:35 2015 TLS Error: local/remote TLS keys are out of sync: [AF_INET]121.194.13.130:80 [0]
Sun Sep 13 22:20:35 2015 TLS Error: local/remote TLS keys are out of sync: [AF_INET]121.194.13.130:80 [0]
Sun Sep 13 22:20:35 2015 TLS Error: local/remote TLS keys are out of sync: [AF_INET]121.194.13.130:80 [0]
Sun Sep 13 22:20:35 2015 TLS Error: local/remote TLS keys are out of sync: [AF_INET]121.194.13.130:80 [0]
Sun Sep 13 22:20:35 2015 TLS Error: local/remote TLS keys are out of sync: [AF_INET]121.194.13.130:80 [0]
Sun Sep 13 22:20:35 2015 TLS Error: local/remote TLS keys are out of sync: [AF_INET]121.194.13.130:80 [0]
Sun Sep 13 22:20:35 2015 TLS Error: local/remote TLS keys are out of sync: [AF_INET]121.194.13.130:80 [0]
Sun Sep 13 22:20:35 2015 TLS Error: local/remote TLS keys are out of sync: [AF_INET]121.194.13.130:80 [0]
Sun Sep 13 22:20:35 2015 TLS Error: local/remote TLS keys are out of sync: [AF_INET]121.194.13.130:80 [0]
Sun Sep 13 22:20:35 2015 TLS: Initial packet from [AF_INET]121.194.13.130:80, sid=8b7c1075 4b39cd60
Sun Sep 13 22:20:35 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Sep 13 22:20:35 2015 TLS Error: local/remote TLS keys are out of sync: [AF_INET]121.194.13.130:80 [0]
Sun Sep 13 22:20:35 2015 VERIFY OK: depth=1, CN=newtech
Sun Sep 13 22:20:35 2015 VERIFY OK: depth=0, CN=newtech-BJ
Sun Sep 13 22:20:35 2015 TLS Error: local/remote TLS keys are out of sync: [AF_INET]121.194.13.130:80 [0]
Sun Sep 13 22:20:35 2015 TLS Error: local/remote TLS keys are out of sync: [AF_INET]121.194.13.130:80 [0]
Sun Sep 13 22:20:35 2015 TLS Error: local/remote TLS keys are out of sync: [AF_INET]121.194.13.130:80 [0]
Sun Sep 13 22:20:35 2015 TLS Error: local/remote TLS keys are out of sync: [AF_INET]121.194.13.130:80 [0]
Sun Sep 13 22:20:35 2015 TLS Error: local/remote TLS keys are out of sync: [AF_INET]121.194.13.130:80 [0]
Sun Sep 13 22:20:35 2015 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Sep 13 22:20:35 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 13 22:20:35 2015 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Sep 13 22:20:35 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 13 22:20:35 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Sep 13 22:20:35 2015 [newtech-BJ] Peer Connection Initiated with [AF_INET]121.194.13.130:80
Sun Sep 13 22:20:37 2015 SENT CONTROL [newtech-BJ]: 'PUSH_REQUEST' (status=1)
Sun Sep 13 22:20:37 2015 PUSH: Received control message: 'PUSH_REPLY,route-gateway dhcp,ping 10,ping-restart 120'
Sun Sep 13 22:20:37 2015 OPTIONS IMPORT: timers and/or timeouts modified
Sun Sep 13 22:20:37 2015 OPTIONS IMPORT: route-related options modified
Sun Sep 13 22:20:37 2015 TUN/TAP device /dev/tap0 opened
Sun Sep 13 22:20:37 2015 /usr/local/etc/openvpn/6nianji/tap-up-down.sh tap0 1500 1574   init
Sun Sep 13 22:20:37 2015 Initialization Sequence Completed

There are still some errors and warnings, but IPv6 sites are already reachable, so I'm ignoring them for now. Google's services open instantly; sadly 六维 can't be opened any more, reportedly restricted to on-campus access at Northeastern University, so I'll have to go look at 交大's 晨光PT instead.

The weekend is over and my cold still hasn't cleared up; hoping Beijing's weather stays nice tomorrow.