Can OpenVPN connect over UDP through an SSH tunnel?


Hi, I have searched the Internet a lot, and this site in particular, and read many posts and articles about connecting with OpenVPN over an SSH tunnel, but all the tutorials are about doing it with the TCP protocol. On our Internet network (some countries block the Internet and most Internet calling apps) we can only use SSH tunnels, which works over TCP connections, but Internet calling apps like WhatsApp, Instagram and Telegram no longer work, so I need to connect with OpenVPN using the UDP protocol over an SSH tunnel (which does not work for me), or any protocol that uses UDP connections and can also be used on a smartphone, but I need all of these apps to go over the SSH tunnel, because other protocols get blocked very quickly, like v2ray.

Answer 1

SSH cannot tunnel UDP. If you want to run OpenVPN over SSH, you need to use TCP.

However, in some cases you may not need OpenVPN at all if SSH works. First, OpenSSH itself has VPN functionality. Quoting man ssh:

SSH-BASED VIRTUAL PRIVATE NETWORKS
     ssh contains support for Virtual Private Network (VPN) tunnelling
     using the tun(4) network pseudo-device, allowing two networks to be 
     joined securely.  The sshd_config(5) configuration option PermitTunnel 
     controls whether the server supports this, and at what level (layer 2 
     or 3 traffic).

     The following example would connect client network 10.0.50.0/24 with 
     remote network 10.0.99.0/24 using a point-to-point connection from 
     10.1.1.1 to 10.1.1.2, provided that the SSH server running on the 
     gateway to the remote network, at 192.168.1.15, allows it.

     On the client:

           # ssh -f -w 0:1 192.168.1.15 true
           # ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252
           # route add 10.0.99.0/24 10.1.1.2

     On the server:

           # ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252
           # route add 10.0.50.0/24 10.1.1.1

     Client access may be more finely tuned via the /root/.ssh/authorized_keys
     file (see below) and the PermitRootLogin server option.  The following 
     entry would permit connections on tun(4) device 1 from user “jane” and 
     on tun device 2 from user “john”, if PermitRootLogin is set to 
     “forced-commands-only”:

       tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
       tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john

     Since an SSH-based setup entails a fair amount of overhead, it may be 
     more suited to temporary setups, such as for wireless VPNs.  More 
     permanent VPNs are better provided by tools such as ipsecctl(8) and 
     isakmpd(8).

Since modern Linux distributions no longer include the obsolete ifconfig and route programs by default, it is better to use the more modern ip utility to do the same thing:

ip addr add 10.1.1.1 peer 10.1.1.2 dev tun0
ip route add 10.0.99.0/24 via 10.1.1.2

and so on.

Second, the OpenSSH client (also included in recent Windows versions) contains a SOCKS proxy interface. It does not even require any special support on the SSH server side beyond the usual TCP tunnelling. From man ssh:

     -D [bind_address:]port
             Specifies a local “dynamic” application-level port forwarding.  
             This works by allocating a socket to listen to port on the 
             local side, optionally bound to the specified bind_address.  
             Whenever a connection is made to this port, the connection is 
             forwarded over the secure channel, and the application protocol 
             is then used to determine where to connect to from the remote 
             machine.  Currently the SOCKS4 and SOCKS5 protocols are 
             supported, and ssh will act as a SOCKS server.  Only root can 
             forward privileged ports.  Dynamic port forwardings can also be 
             specified in the configuration file.

             IPv6 addresses can be specified by enclosing the address in 
             square brackets.  Only the superuser can forward privileged 
             ports.  By default, the local port is bound in accordance with 
             the GatewayPorts setting.  However, an explicit bind_address 
             may be used to bind the connection to a specific address.  The 
             bind_address of “localhost” indicates that the listening port
             be bound for local use only, while an empty address or ‘*’ 
             indicates that the port should be available from all  interfaces.

So you run, for example, ssh -D 12345 user@server and configure your browser (or other program) to use a SOCKS proxy at localhost:12345; on the Internet it will appear as connecting from server. If some program only supports HTTP proxies and not SOCKS, you can use proxify (an HTTP proxy) to chain an HTTP proxy to the SOCKS proxy that SSH provides.
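To see for yourself why the SOCKS route does not help UDP apps, here is an added example (my own code, not from the answer above) that sends a SOCKS5 UDP ASSOCIATE request to a proxy such as the one ssh -D opens; OpenSSH's dynamic forwarding implements the CONNECT command only, so the request is refused or the connection is simply closed. The proxy address 127.0.0.1:1080 is an assumption.

```python
"""Probe whether a SOCKS5 proxy (e.g. `ssh -D 1080`) supports UDP ASSOCIATE.

Added example, not code from the original answer. OpenSSH's dynamic
forwarding implements the SOCKS CONNECT command only, so a UDP ASSOCIATE
request gets an error reply or a closed connection, never "succeeded".
"""
import socket
import struct

SOCKS_VERSION = 5
CMD_UDP_ASSOCIATE = 0x03
ATYP_IPV4 = 0x01
REPLY_NAMES = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x07: "command not supported",
}

def build_greeting() -> bytes:
    # VER=5, NMETHODS=1, METHODS=[0x00 = no authentication] (RFC 1928 s.3)
    return bytes([SOCKS_VERSION, 1, 0x00])

def build_udp_associate(addr="0.0.0.0", port=0) -> bytes:
    # VER CMD RSV ATYP DST.ADDR DST.PORT (RFC 1928 s.4); 0.0.0.0:0 means
    # "the client does not yet know which UDP source address it will use"
    return (struct.pack("!BBBB", SOCKS_VERSION, CMD_UDP_ASSOCIATE, 0, ATYP_IPV4)
            + socket.inet_aton(addr) + struct.pack("!H", port))

def parse_reply(data: bytes) -> str:
    """Turn the proxy's reply (or lack of one) into a verdict string."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return "no SOCKS5 reply (connection closed or malformed)"
    return REPLY_NAMES.get(data[1], f"reply code 0x{data[1]:02x}")

def probe(host="127.0.0.1", port=1080) -> str:
    """Connect to a live SOCKS5 proxy (assumed at host:port) and return the verdict."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(build_greeting())
        if s.recv(2) != bytes([SOCKS_VERSION, 0x00]):
            return "proxy refused the no-authentication method"
        s.sendall(build_udp_associate())
        return parse_reply(s.recv(10))  # an IPv4 reply is exactly 10 bytes

if __name__ == "__main__":
    print(probe())
```

Run it while `ssh -D 1080 user@server` is open in another terminal; any verdict other than "succeeded" means UDP-based apps cannot ride this tunnel.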
