vpn - yar145/mytestrepo1 GitHub Wiki

Configure an Always On VPN device tunnel

A new feature of the Windows 10 or later VPN client, Always On, is the ability to maintain a VPN connection. With Always On, the active VPN profile can connect automatically and remain connected based on triggers, such as user sign-in, network state change, or device screen active.

You can use gateways with Always On to establish persistent user tunnels and device tunnels to Azure.

Always On VPN connections include either of two types of tunnels:

Device tunnel: Connects to specified VPN servers before users sign in to the device. Pre-sign-in connectivity scenarios and device management use a device tunnel.

User tunnel: Connects only after users sign in to the device. By using user tunnels, you can access organization resources through VPN servers.

Device tunnels and user tunnels operate independently of their VPN profiles. They can be connected at the same time, and they can use different authentication methods and other VPN configuration settings, as appropriate.

About Point-to-Site VPN

A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S VPN when you have only a few clients that need to connect to a VNet. This article applies to the Resource Manager deployment model.

What protocol does P2S use? Point-to-site VPN can use one of the following protocols:

OpenVPN® Protocol, an SSL/TLS based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. OpenVPN can be used to connect from Android, iOS (versions 11.0 and above), Windows, Linux, and Mac devices (macOS versions 10.13 and above).

Secure Socket Tunneling Protocol (SSTP), a proprietary TLS-based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. SSTP is only supported on Windows devices. Azure supports all versions of Windows that have SSTP and support TLS 1.2 (Windows 8.1 and later).

IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (macOS versions 10.11 and above).

How are P2S VPN clients authenticated? Before Azure accepts a P2S VPN connection, the user has to be authenticated first. There are two mechanisms that Azure offers to authenticate a connecting user.

Certificate authentication

When using the native Azure certificate authentication, a client certificate that is present on the device is used to authenticate the connecting user. Client certificates are generated from a trusted root certificate and then installed on each client computer. You can use a root certificate that was generated using an Enterprise solution, or you can generate a self-signed certificate.

The validation of the client certificate is performed by the VPN gateway and happens during establishment of the P2S VPN connection. The root certificate is required for the validation and must be uploaded to Azure.

Azure Active Directory authentication

Azure AD authentication allows users to connect to Azure using their Azure Active Directory credentials. Native Azure AD authentication is only supported for the OpenVPN protocol and also requires the use of the Azure VPN Client. The supported client operating systems are Windows 10 or later and macOS.

HMA VPN Review

Cloak

Cloak is a pluggable transport that enhances traditional proxy tools like OpenVPN to evade sophisticated censorship and data discrimination.

Cloak is not a standalone proxy program. Rather, it works by masquerading proxied traffic as normal web browsing activity. In contrast to traditional tools, which have very prominent traffic fingerprints and can be blocked by simple filtering rules, it is very difficult to target Cloak precisely with few false positives. This increases the collateral damage of censorship actions, since attempts to block Cloak could also damage services the censor state relies on.

To any third-party observer, a host running a Cloak server is indistinguishable from an innocent web server, both while passively observing the traffic flowing to and from the server and while actively probing the behaviour of the Cloak server. This is achieved through the use of a series of cryptographic steganography techniques.

Cloak can be used in conjunction with any proxy program that tunnels traffic through TCP or UDP, such as Shadowsocks, OpenVPN and Tor. Multiple proxy servers can be running on the same server host and Cloak server will act as a reverse proxy, bridging clients with their desired proxy end.

Cloak multiplexes traffic through multiple underlying TCP connections which reduces head-of-line blocking and eliminates TCP handshake overhead. This also makes the traffic pattern more similar to real websites.

Cloak provides multi-user support, allowing multiple clients to connect to the proxy server on the same port (443 by default). It also provides traffic management features such as usage credit and bandwidth control. This allows a proxy server to serve multiple users even if the underlying proxy software wasn't designed for multiple users.

Cloak also supports tunneling through an intermediary CDN server such as Amazon CloudFront. Such services are so widely used that attempts to disrupt traffic to them can lead to very high collateral damage for the censor.

build:

git clone https://github.com/cbeuw/Cloak
cd Cloak
go get ./...
make

Cloak

Proxying OpenVPN with Cloak

Proxying OpenVPN through Shadowsocks, or fixing OpenVPN during blocking

Making OpenVPN work when someone wants to make it not work

FAQ on Shadowsocks/XRay/XTLS/Reality/Nekobox/etc. for bypassing blocking

ShadowSocks

https://habr.com/ru/articles/770400/

How to Install shadowsocks on Ubuntu

Ubuntu server

apt install shadowsocks-libev shadowsocks-v2ray-plugin

cat /etc/shadowsocks-libev/config.json
{
    "server": ["172.31.5.237:8388"],
    "mode": "tcp_and_udp",
    "server_port": 8388,
    "local_port": 1080,
    "password": "password",
    "timeout": 86400,
    "method": "aes-256-gcm"
}

/usr/bin/ss-server -c /etc/shadowsocks-libev/config.json --plugin ss-v2ray-plugin --plugin-opts "server;mode=websocket;localAddr=127.0.0.1;localPort=8388" -v

or put the same plugin options into DAEMON_ARGS in /etc/default/shadowsocks-libev (the complete file is shown here):

# Defaults for shadowsocks initscript
# sourced by /etc/init.d/shadowsocks-libev
# installed at /etc/default/shadowsocks-libev by the maintainer scripts
#
# This is a POSIX shell fragment
#
# Note: `START', `GROUP' and `MAXFD' options are not recognized by systemd.
# Please change those settings in the corresponding systemd unit file.

# Configuration file
CONFFILE="/etc/shadowsocks-libev/config.json"

# Extra command line arguments
# The option string contains no whitespace, so it needs no inner quotes;
# nesting a second pair of double quotes inside the value leaves the quotes unbalanced.
DAEMON_ARGS="--plugin ss-v2ray-plugin --plugin-opts server;mode=websocket;localAddr=127.0.0.1;localPort=8388"

# User and group to run the server as
USER=nobody
GROUP=nogroup

# Number of maximum file descriptors
MAXFD=32768

systemctl restart shadowsocks-libev.service

Ubuntu client

shadowsocks2-linux.tgz get from https://github.com/shadowsocks/go-shadowsocks2/releases :

https://github.com/shadowsocks/go-shadowsocks2/releases/download/v0.1.5/shadowsocks2-linux.tgz

v2ray-plugin get from https://github.com/shadowsocks/v2ray-plugin/releases :

https://github.com/shadowsocks/v2ray-plugin/releases/download/v1.3.2/v2ray-plugin-linux-amd64-v1.3.2.tar.gz

Unpack both archives into the same directory.

./shadowsocks2-linux -c "ss://aes-256-gcm:password@server_name:8388" -verbose -socks :1080 -u -plugin v2ray -plugin-opts "mode=websocket;host=172.31.5.237:8388"

The v2ray plugin binary must be in the same directory as shadowsocks2-linux.
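As an added example (not from this wiki or from the shadowsocks projects), the following Python script derives the go-shadowsocks2 client invocation from the server-side config.json and v2ray-plugin options above, refusing a transport-mode mismatch or a non-AEAD cipher before anything is started; the embedded config and the server name 172.31.5.237 are constructed sample values copied from the notes.

```python
import json
from urllib.parse import quote

# Constructed copy of the wiki's server-side config.json (sample values, not read from disk).
SERVER_CONFIG_JSON = """{
  "server": ["172.31.5.237:8388"],
  "mode": "tcp_and_udp",
  "server_port": 8388,
  "local_port": 1080,
  "password": "password",
  "timeout": 86400,
  "method": "aes-256-gcm"
}"""
# The server-side v2ray-plugin options from the ss-server command line above.
SERVER_PLUGIN_OPTS = "server;mode=websocket;localAddr=127.0.0.1;localPort=8388"
# AEAD ciphers go-shadowsocks2 accepts; legacy stream ciphers are refused by this script.
AEAD_CIPHERS = ("aes-128-gcm", "aes-256-gcm", "chacha20-ietf-poly1305")


def load_server_config() -> dict:
    return json.loads(SERVER_CONFIG_JSON)


def parse_plugin_opts(opts: str) -> dict:
    """Parse a SIP003 option string: ';'-separated bare 'key' flags or 'key=value' pairs."""
    parsed = {}
    for item in filter(None, opts.split(";")):
        key, _, value = item.partition("=")
        parsed[key] = value if value else True
    return parsed


def client_command(server_cfg: dict, server_opts: str, server_name: str) -> list:
    """Build the go-shadowsocks2 command matching the server, or raise ValueError on a mismatch."""
    opts = parse_plugin_opts(server_opts)
    if opts.get("server") is not True:
        raise ValueError("server-side plugin-opts must carry the bare 'server' flag")
    if opts.get("mode") != "websocket":
        raise ValueError("client transport mode must equal the server's (websocket)")
    if server_cfg["method"] not in AEAD_CIPHERS:
        raise ValueError(f"{server_cfg['method']} is not an AEAD cipher; use one of {AEAD_CIPHERS}")
    port = int(server_cfg["server_port"])
    # go-shadowsocks2 parses the URL with url.Parse, so reserved characters in the password are percent-encoded.
    url = f"ss://{server_cfg['method']}:{quote(server_cfg['password'], safe='')}@{server_name}:{port}"
    cmd = ["./shadowsocks2-linux", "-c", url, "-socks", f":{server_cfg['local_port']}",
           "-plugin", "v2ray", "-plugin-opts", f"mode={opts['mode']};host={server_name}:{port}"]
    if server_cfg.get("mode") == "tcp_and_udp":
        cmd.append("-u")  # the server relays UDP too, so enable it on the client
    return cmd


if __name__ == "__main__":
    print(" ".join(client_command(load_server_config(), SERVER_PLUGIN_OPTS, "172.31.5.237")))
```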

How to Install shadowsocks on Ubuntu

vi /etc/sysctl.conf

fs.file-max = 51200

net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.core.netdev_max_backlog = 250000
net.core.somaxconn = 4096

net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle was removed in Linux 4.12; on newer kernels this key no longer exists and sysctl reports an error for it
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_mem = 25600 51200 102400
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_mtu_probing = 1
# hybla requires the tcp_hybla kernel module to be loaded
net.ipv4.tcp_congestion_control = hybla

Chinese VPN Shadowsocks: simple installation and setup

v2ray-plugin

go-shadowsocks2

go-shadowsocks2 (fresh)