The state of common VPN protocols and some practical OpenVPN settings

July 9, 2018 | Category: Circumvention | Tags:

The image above lists how ten VPN protocol types are supported across several VPN providers.

It is easy to see that foreign VPN providers are particularly fond of OpenVPN; you will hardly find one that does not support it, which owes much to OpenVPN's vitality as free, open-source software. A few years ago, when the GFW was upgraded, OpenVPN was the first casualty and was almost completely blocked. VPN vendors then rolled out countermeasures, which fall into three broad categories: (1) forwarding over an SSL or SSH encrypted tunnel, with stunnel-based SSL tunnels being widely adopted; (2) a front-end proxy connection based on obfsproxy or shadowsocks, with obfsproxy in particular implemented on every platform (Windows, Mac, iOS and Android) by OpenVPN's own Private Tunnel VPN; and (3) various kinds of DPI-resistant metadata obfuscation, such as the Chameleon technology of the well-known provider VyprVPN. OpenVPN using these techniques is collectively marketed by providers as "StealthVPN", and it has become their main weapon against the mainland GFW. Judged by results, obfsproxy and metadata obfuscation work better, since SSL, SSH and shadowsocks are themselves subject to GFW interference in the mainland. Over this period the GFW's blocking of OpenVPN has mainly targeted the TCP transport; OpenVPN servers running over UDP have been largely unaffected.

Sometimes I am surprised to find that a PPTP VPN stays very stable once connected and never drops, but for security reasons Apple has removed built-in PPTP support from its systems, and some VPN providers have dropped PPTP as well; in short, it is a protocol with no future. IPSec for circumvention was already being talked about back in the Symbian, BlackBerry and iPhone days, but it never became really popular and is not widely supported by providers, and the later rise of IKEv2 left it even less of a market. Its configuration is simple, though, and since Android does not support IKEv2 out of the box, IPSec is the best VPN protocol Android supports by default. L2TP is supported by every common system today and is mature in every respect, but it faces strong competition from IKEv2. IKEv2 is a fairly advanced VPN protocol and has become very popular recently; open the iOS clients of the major VPN providers and you will find they have almost all chosen IKEv2. It is a protocol with a real future, and once Android supports IKEv2 by default its popularity will be hard to overestimate. SSTP, developed by Microsoft to replace its own PPTP, has been reasonably successful: although it runs over TCP, it has not suffered the heavy interference seen with openvpn-tcp in the mainland, usable clients have appeared for Linux, Mac and Android, and it is a decent choice for circumvention.

As for SoftEther, it has been heavily blocked since the public free VPN service VPN Gate became popular. AnyConnect is mostly deployed as a compatible setup built on OpenConnect VPN Server; because AnyConnect is widely used commercially, the GFW does not interfere with it much, which makes it a good circumvention option. WireGuard is the direction VPNs will take in the future and may one day replace OpenVPN as the most popular VPN; although it is technically advanced, secure and efficient, its developers have not even released a Windows client yet, so it still has a long way to go before it is widely used for circumvention.

We said above that iOS clients are uniformly IKEv2, so which protocol do the big foreign VPN providers choose on Windows, Mac and Android? OpenVPN, of course. Their clients on Windows, Mac and Android all default to an OpenVPN UDP connection, and OpenVPN has gained a new lease of life since version 2.4, which over earlier versions added AEAD (GCM) ciphers, LZ4 compression, Elliptic Curve DH key exchange and the new --tls-crypt option that improves users' connection privacy. When using OpenVPN, it can be worth adding the following to the configuration file:

block-outside-dns  # must add: prevents DNS leaks
auth-nocache # must add
remote-cert-tls server # may be worth adding
tls-version-min 1.2 # may be worth adding

# usually not added

#auth SHA512
#tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
#cipher AES-256-GCM
#compress lz4
#verify-x509-name
#tls-crypt

# to disable IPv6
pull-filter ignore "tun-ipv6"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
pull-filter ignore "redirect-gateway ipv6"

# to speed up OpenVPN over UDP
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
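A small audit script for the "must add" and "may add" directives above, written as an added example here (it is not code from this post or from the OpenVPN project). It parses the directives of a client profile, skipping comment lines and inline certificate blocks, and reports for each recommended directive whether it is present, missing, or set to a weaker value (for instance tls-version-min below 1.2). SAMPLE_PROFILE is a constructed profile and vpn.example.invalid is a placeholder hostname.

```python
"""Audit an OpenVPN client profile for the hardening directives discussed above.

Added example, not code from the post or from the OpenVPN project. It parses
the directives of a .ovpn/.conf text (skipping comments and inline <ca>..</ca>
style blocks) and reports, for each recommended directive, whether it is
present, missing, or set to a weaker value than recommended. SAMPLE_PROFILE is
a constructed profile; vpn.example.invalid is a placeholder hostname.
"""
import shlex

# Directive -> required argument (None: presence alone is enough)
RECOMMENDED = {
    "block-outside-dns": None,    # Windows: stop DNS queries bypassing the tunnel
    "auth-nocache": None,         # do not keep username/password cached in memory
    "remote-cert-tls": "server",  # require the peer certificate to be a server cert
    "tls-version-min": "1.2",     # refuse TLS 1.0/1.1 control-channel handshakes
}

SAMPLE_PROFILE = """\
# constructed sample client profile (placeholder server name)
client
dev tun
proto udp
remote vpn.example.invalid 1194
block-outside-dns  # prevent DNS leaks
remote-cert-tls server
tls-version-min 1.0
push "sndbuf 393216"
<ca>
(placeholder, not a real certificate)
</ca>
"""


def parse_directives(text):
    """Return [(name, [args...]), ...] in file order, ignoring comments and inline blocks."""
    directives = []
    in_inline_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if in_inline_block:
            if line.startswith("</"):
                in_inline_block = False
            continue
        if line.startswith("<"):
            in_inline_block = True
            continue
        try:
            # shlex keeps quoted arguments together (push "sndbuf 393216")
            # and drops trailing '#' comments
            tokens = shlex.split(line, comments=True)
        except ValueError:
            tokens = line.split()
        if tokens:
            directives.append((tokens[0], tokens[1:]))
    return directives


def tls_version_ok(value, minimum="1.2"):
    """True if value (e.g. '1.2') is at least minimum; malformed values fail."""
    def key(v):
        major, _, minor = v.partition(".")
        return int(major), int(minor or 0)
    try:
        return key(value) >= key(minimum)
    except ValueError:
        return False


def audit(text):
    """Map each recommended directive to 'ok', 'missing', or a description of the weakness."""
    seen = {}
    for name, args in parse_directives(text):
        seen[name] = args  # keep the last occurrence
    report = {}
    for name, wanted in RECOMMENDED.items():
        if name not in seen:
            report[name] = "missing"
        elif wanted is None:
            report[name] = "ok"
        elif name == "tls-version-min":
            value = seen[name][0] if seen[name] else ""
            report[name] = "ok" if tls_version_ok(value, wanted) else f"weak: {value or '(none)'}"
        else:
            actual = " ".join(seen[name]) or "(none)"
            report[name] = "ok" if seen[name][:1] == [wanted] else f"wrong value: {actual}"
    return report


if __name__ == "__main__":
    for name, status in audit(SAMPLE_PROFILE).items():
        print(f"{name:20s} {status}")
```

Run against the sample profile it reports auth-nocache as missing and tls-version-min 1.0 as weak; point it at a real .ovpn before importing it into a client and the two "must add" lines are the ones to look for first.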

# minimal smart routing table: domestic traffic goes direct, foreign traffic through the VPN; it misclassifies some domestic addresses

route 1.0.0.0 255.192.0.0 net_gateway 5
route 1.64.0.0 255.224.0.0 net_gateway 5
route 1.112.0.0 255.248.0.0 net_gateway 5
route 1.176.0.0 255.240.0.0 net_gateway 5
route 1.192.0.0 255.240.0.0 net_gateway 5
route 14.0.0.0 255.224.0.0 net_gateway 5
route 14.96.0.0 255.224.0.0 net_gateway 5
route 14.128.0.0 255.224.0.0 net_gateway 5
route 14.192.0.0 255.224.0.0 net_gateway 5
route 27.0.0.0 255.192.0.0 net_gateway 5
route 27.96.0.0 255.224.0.0 net_gateway 5
route 27.128.0.0 255.224.0.0 net_gateway 5
route 27.176.0.0 255.240.0.0 net_gateway 5
route 27.192.0.0 255.224.0.0 net_gateway 5
route 27.224.0.0 255.252.0.0 net_gateway 5
route 36.0.0.0 255.192.0.0 net_gateway 5
route 36.96.0.0 255.224.0.0 net_gateway 5
route 36.128.0.0 255.192.0.0 net_gateway 5
route 36.192.0.0 255.224.0.0 net_gateway 5
route 36.240.0.0 255.240.0.0 net_gateway 5
route 39.0.0.0 255.255.0.0 net_gateway 5
route 39.64.0.0 255.224.0.0 net_gateway 5
route 39.96.0.0 255.240.0.0 net_gateway 5
route 39.128.0.0 255.192.0.0 net_gateway 5
route 40.72.0.0 255.254.0.0 net_gateway 5
route 40.124.0.0 255.252.0.0 net_gateway 5
route 42.0.0.0 255.248.0.0 net_gateway 5
route 42.48.0.0 255.240.0.0 net_gateway 5
route 42.80.0.0 255.240.0.0 net_gateway 5
route 42.96.0.0 255.224.0.0 net_gateway 5
route 42.128.0.0 255.128.0.0 net_gateway 5
route 43.224.0.0 255.224.0.0 net_gateway 5
route 45.65.16.0 255.255.240.0 net_gateway 5
route 45.112.0.0 255.240.0.0 net_gateway 5
route 45.248.0.0 255.248.0.0 net_gateway 5
route 47.92.0.0 255.252.0.0 net_gateway 5
route 47.96.0.0 255.224.0.0 net_gateway 5
route 49.0.0.0 255.128.0.0 net_gateway 5
route 49.128.0.0 255.224.0.0 net_gateway 5
route 49.192.0.0 255.192.0.0 net_gateway 5
route 52.80.0.0 255.252.0.0 net_gateway 5
route 54.222.0.0 255.254.0.0 net_gateway 5
route 58.0.0.0 255.128.0.0 net_gateway 5
route 58.128.0.0 255.224.0.0 net_gateway 5
route 58.192.0.0 255.224.0.0 net_gateway 5
route 58.240.0.0 255.240.0.0 net_gateway 5
route 59.32.0.0 255.224.0.0 net_gateway 5
route 59.64.0.0 255.224.0.0 net_gateway 5
route 59.96.0.0 255.240.0.0 net_gateway 5
route 59.144.0.0 255.240.0.0 net_gateway 5
route 59.160.0.0 255.224.0.0 net_gateway 5
route 59.192.0.0 255.192.0.0 net_gateway 5
route 60.0.0.0 255.224.0.0 net_gateway 5
route 60.48.0.0 255.240.0.0 net_gateway 5
route 60.160.0.0 255.224.0.0 net_gateway 5
route 60.192.0.0 255.192.0.0 net_gateway 5
route 61.0.0.0 255.192.0.0 net_gateway 5
route 61.80.0.0 255.248.0.0 net_gateway 5
route 61.128.0.0 255.192.0.0 net_gateway 5
route 61.224.0.0 255.224.0.0 net_gateway 5
route 91.234.36.0 255.255.255.0 net_gateway 5
route 101.0.0.0 255.128.0.0 net_gateway 5
route 101.128.0.0 255.224.0.0 net_gateway 5
route 101.192.0.0 255.240.0.0 net_gateway 5
route 101.224.0.0 255.224.0.0 net_gateway 5
route 103.0.0.0 255.0.0.0 net_gateway 5
route 106.0.0.0 255.128.0.0 net_gateway 5
route 106.224.0.0 255.240.0.0 net_gateway 5
route 110.0.0.0 255.128.0.0 net_gateway 5
route 110.144.0.0 255.240.0.0 net_gateway 5
route 110.160.0.0 255.224.0.0 net_gateway 5
route 110.192.0.0 255.192.0.0 net_gateway 5
route 111.0.0.0 255.192.0.0 net_gateway 5
route 111.64.0.0 255.224.0.0 net_gateway 5
route 111.112.0.0 255.240.0.0 net_gateway 5
route 111.128.0.0 255.192.0.0 net_gateway 5
route 111.224.0.0 255.240.0.0 net_gateway 5
route 112.0.0.0 255.128.0.0 net_gateway 5
route 112.128.0.0 255.240.0.0 net_gateway 5
route 112.192.0.0 255.252.0.0 net_gateway 5
route 112.224.0.0 255.224.0.0 net_gateway 5
route 113.0.0.0 255.128.0.0 net_gateway 5
route 113.128.0.0 255.240.0.0 net_gateway 5
route 113.192.0.0 255.192.0.0 net_gateway 5
route 114.16.0.0 255.240.0.0 net_gateway 5
route 114.48.0.0 255.240.0.0 net_gateway 5
route 114.64.0.0 255.192.0.0 net_gateway 5
route 114.128.0.0 255.240.0.0 net_gateway 5
route 114.192.0.0 255.192.0.0 net_gateway 5
route 115.0.0.0 255.0.0.0 net_gateway 5
route 116.0.0.0 255.0.0.0 net_gateway 5
route 117.0.0.0 255.128.0.0 net_gateway 5
route 117.128.0.0 255.192.0.0 net_gateway 5
route 118.16.0.0 255.240.0.0 net_gateway 5
route 118.64.0.0 255.192.0.0 net_gateway 5
route 118.128.0.0 255.128.0.0 net_gateway 5
route 119.0.0.0 255.128.0.0 net_gateway 5
route 119.128.0.0 255.192.0.0 net_gateway 5
route 119.224.0.0 255.224.0.0 net_gateway 5
route 120.0.0.0 255.192.0.0 net_gateway 5
route 120.64.0.0 255.224.0.0 net_gateway 5
route 120.128.0.0 255.240.0.0 net_gateway 5
route 120.192.0.0 255.192.0.0 net_gateway 5
route 121.0.0.0 255.128.0.0 net_gateway 5
route 121.192.0.0 255.192.0.0 net_gateway 5
route 122.0.0.0 254.0.0.0 net_gateway 5
route 124.0.0.0 255.0.0.0 net_gateway 5
route 125.0.0.0 255.128.0.0 net_gateway 5
route 125.160.0.0 255.224.0.0 net_gateway 5
route 125.192.0.0 255.192.0.0 net_gateway 5
route 137.59.59.0 255.255.255.0 net_gateway 5
route 137.59.88.0 255.255.252.0 net_gateway 5
route 139.0.0.0 255.224.0.0 net_gateway 5
route 139.128.0.0 255.128.0.0 net_gateway 5
route 140.64.0.0 255.240.0.0 net_gateway 5
route 140.128.0.0 255.240.0.0 net_gateway 5
route 140.192.0.0 255.192.0.0 net_gateway 5
route 144.0.0.0 255.248.0.0 net_gateway 5
route 144.12.0.0 255.255.0.0 net_gateway 5
route 144.48.0.0 255.248.0.0 net_gateway 5
route 144.123.0.0 255.255.0.0 net_gateway 5
route 144.255.0.0 255.255.0.0 net_gateway 5
route 146.196.0.0 255.255.128.0 net_gateway 5
route 150.0.0.0 255.255.0.0 net_gateway 5
route 150.96.0.0 255.224.0.0 net_gateway 5
route 150.128.0.0 255.240.0.0 net_gateway 5
route 150.192.0.0 255.192.0.0 net_gateway 5
route 152.104.128.0 255.255.128.0 net_gateway 5
route 153.0.0.0 255.192.0.0 net_gateway 5
route 153.96.0.0 255.224.0.0 net_gateway 5
route 157.0.0.0 255.255.0.0 net_gateway 5
route 157.18.0.0 255.255.0.0 net_gateway 5
route 157.61.0.0 255.255.0.0 net_gateway 5
route 157.112.0.0 255.240.0.0 net_gateway 5
route 157.144.0.0 255.240.0.0 net_gateway 5
route 157.255.0.0 255.255.0.0 net_gateway 5
route 159.226.0.0 255.255.0.0 net_gateway 5
route 160.19.0.0 255.255.0.0 net_gateway 5
route 160.20.48.0 255.255.252.0 net_gateway 5
route 160.202.0.0 255.255.0.0 net_gateway 5
route 160.238.64.0 255.255.252.0 net_gateway 5
route 161.207.0.0 255.255.0.0 net_gateway 5
route 162.105.0.0 255.255.0.0 net_gateway 5
route 163.0.0.0 255.192.0.0 net_gateway 5
route 163.96.0.0 255.224.0.0 net_gateway 5
route 163.128.0.0 255.192.0.0 net_gateway 5
route 163.192.0.0 255.224.0.0 net_gateway 5
route 164.52.0.0 255.255.128.0 net_gateway 5
route 166.111.0.0 255.255.0.0 net_gateway 5
route 167.139.0.0 255.255.0.0 net_gateway 5
route 167.189.0.0 255.255.0.0 net_gateway 5
route 167.220.244.0 255.255.252.0 net_gateway 5
route 168.160.0.0 255.255.0.0 net_gateway 5
route 170.179.0.0 255.255.0.0 net_gateway 5
route 171.0.0.0 255.128.0.0 net_gateway 5
route 171.192.0.0 255.224.0.0 net_gateway 5
route 175.0.0.0 255.128.0.0 net_gateway 5
route 175.128.0.0 255.192.0.0 net_gateway 5
route 180.64.0.0 255.192.0.0 net_gateway 5
route 180.128.0.0 255.128.0.0 net_gateway 5
route 182.0.0.0 255.0.0.0 net_gateway 5
route 183.0.0.0 255.192.0.0 net_gateway 5
route 183.64.0.0 255.224.0.0 net_gateway 5
route 183.128.0.0 255.128.0.0 net_gateway 5
route 192.124.154.0 255.255.255.0 net_gateway 5
route 192.140.128.0 255.255.128.0 net_gateway 5
route 195.78.82.0 255.255.254.0 net_gateway 5
route 202.0.0.0 255.128.0.0 net_gateway 5
route 202.128.0.0 255.192.0.0 net_gateway 5
route 202.192.0.0 255.224.0.0 net_gateway 5
route 203.0.0.0 255.0.0.0 net_gateway 5
route 210.0.0.0 255.192.0.0 net_gateway 5
route 210.64.0.0 255.224.0.0 net_gateway 5
route 210.160.0.0 255.224.0.0 net_gateway 5
route 210.192.0.0 255.224.0.0 net_gateway 5
route 211.64.0.0 255.248.0.0 net_gateway 5
route 211.80.0.0 255.240.0.0 net_gateway 5
route 211.96.0.0 255.248.0.0 net_gateway 5
route 211.136.0.0 255.248.0.0 net_gateway 5
route 211.144.0.0 255.240.0.0 net_gateway 5
route 211.160.0.0 255.248.0.0 net_gateway 5
route 216.250.108.0 255.255.252.0 net_gateway 5
route 218.0.0.0 255.128.0.0 net_gateway 5
route 218.160.0.0 255.224.0.0 net_gateway 5
route 218.192.0.0 255.192.0.0 net_gateway 5
route 219.64.0.0 255.224.0.0 net_gateway 5
route 219.128.0.0 255.224.0.0 net_gateway 5
route 219.192.0.0 255.192.0.0 net_gateway 5
route 220.96.0.0 255.224.0.0 net_gateway 5
route 220.128.0.0 255.128.0.0 net_gateway 5
route 221.0.0.0 255.224.0.0 net_gateway 5
route 221.96.0.0 255.224.0.0 net_gateway 5
route 221.128.0.0 255.128.0.0 net_gateway 5
route 222.0.0.0 255.0.0.0 net_gateway 5
route 223.0.0.0 255.224.0.0 net_gateway 5
route 223.64.0.0 255.192.0.0 net_gateway 5
route 223.128.0.0 255.128.0.0 net_gateway 5
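A helper for working with the split-routing table above, added here as an example (not code from this post). It parses `route <network> <netmask> net_gateway <metric>` lines into networks, converts a CIDR prefix into the same directive form so the table can be regenerated from a prefix list, reports whether a given address would go direct or through the tunnel, and collapses overlapping entries. ROUTE_SAMPLE is a constructed excerpt of the table above; the test addresses are chosen only to show how coarse the aggregates are.

```python
"""Work with the OpenVPN split-routing table shown above.

Added example, not code from the post. It parses 'route <net> <mask> net_gateway
<metric>' lines into networks, converts CIDR prefixes into the same directive
form, tells you whether an address would go direct (net_gateway) or through the
tunnel, and collapses redundant entries. ROUTE_SAMPLE is a constructed excerpt
of the post's table.
"""
import ipaddress

ROUTE_SAMPLE = """\
# constructed excerpt of the table above
route 1.0.0.0 255.192.0.0 net_gateway 5
route 39.0.0.0 255.255.0.0 net_gateway 5
route 39.64.0.0 255.224.0.0 net_gateway 5
route 103.0.0.0 255.0.0.0 net_gateway 5
route 122.0.0.0 254.0.0.0 net_gateway 5
"""


def parse_routes(text):
    """Return the IPv4 networks named by 'route' directives, in file order."""
    nets = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0] != "route":
            continue
        # ipaddress accepts "network/dotted-netmask" directly
        nets.append(ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets


def cidr_to_route(cidr, metric=5):
    """Emit the directive form OpenVPN expects for a CIDR prefix."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return f"route {net.network_address} {net.netmask} net_gateway {metric}"


def classify(address, table):
    """'direct' if the address is covered by a net_gateway route, else 'vpn'."""
    ip = ipaddress.IPv4Address(address)
    return "direct" if any(ip in net for net in table) else "vpn"


def collapse(table):
    """Merge overlapping or adjacent networks: same policy, fewer directives."""
    return list(ipaddress.collapse_addresses(table))


if __name__ == "__main__":
    table = parse_routes(ROUTE_SAMPLE)
    for addr in ("1.2.3.4", "1.1.1.1", "8.8.8.8", "123.58.1.1"):
        print(addr, "->", classify(addr, table))
    print(cidr_to_route("39.0.0.0/16"))
    print(len(table), "routes,", len(collapse(table)), "after collapsing")
```

Note what the coarse aggregates imply: 1.1.1.1, Cloudflare's public resolver outside China, falls inside the 1.0.0.0/10 entry and is therefore sent direct rather than through the tunnel. That is the flip side of the misclassification the comment above warns of, and it is the kind of check worth running on any address you want to be sure stays inside the VPN.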

  1. iGFW
    August 31, 2018 11:25

    25 465 587
    110 995
    143 993
    20 21 53 109 115 194 209 220 366 989 990
    test

  2. zhu
    August 31, 2018 07:57

    PPTP uses TCP port 1723 and GRE; L2TP/IPsec uses UDP 500, UDP 4500 and UDP 1701; IPsec uses UDP 500 and UDP 4500; IKEv2 uses UDP 500 and UDP 4500; SSTP, AnyConnect, OpenVPN, SoftEther, Tinc and WireGuard can all use custom ports.