只想为一个应用程序实施 VPN
我正在为我的软件寻找对 VPN 的支持,
我知道 PPTP 和 OpenVPN ,两者进行系统范围的绑定,安装 TAP 驱动程序,以便所有应用程序将其流量路由到。
我如何才能只为我的应用程序实现 VPN 支持?有任何库、示例、提示或方法吗?
我的软件实际上是用C++/MFC制作的。使用标准 CAsyncSocket。
I looking for add support to a VPN for my software,
I known PPTP and OpenVPN , the two makes a system-wide binding, installing a TAP driver so all applications route their traffic to then.
How could i implement a VPN support for just my application ? There´s any library, example, hint or way to do it ?
My software is actually made in C++ /MFC. Using the standard CAsyncSocket.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
将传入连接转发到您的应用程序相对容易:
stunnel 允许您将流量转发到特定端口通过 SSL 隧道。不过,它要求您在两端运行它。
最体面的 SSH 客户端,例如 OpenSSH 或 PuTTY 也支持端口转发,其附加优点是任何远程SSH 服务器通常可以充当隧道的另一端,无需任何修改。
您还可以使用OpenVPN和其他VPN解决方案,但这需要在远程服务器中添加特定的转发规则。
不过,在不修改应用程序的情况下转发传出连接会比较棘手。正确的方法是实现 SOCKS 协议,最好是 SOCKS5。或者,您可以使用外部应用程序(例如 FreeCap)来重定向来自应用程序的任何连接。
完成此操作后,您可以将连接转发到任何 SOCKS 服务器。例如,大多数 SSH 客户端允许您 使用 SOCKS 协议通过远程服务器路由传出连接。
顺便说一句,OpenVPN 服务器不一定成为所有流量的默认网关。有些确实会将这样的路由表条目推送给客户端,但它可以更改。在我自己的 OpenVPN 设置中,我仅使用 VPN 访问专用网络,而不通过它路由所有内容。
如果您可以强制应用程序将所有传出套接字绑定到一个或多个特定端口,则可以使用系统上的 IP 过滤规则通过 VPN 路由来自这些端口的任何连接。
编辑:
隧道 UDP 数据包有点困难。通常,您需要在远程服务器和本地客户端上都有一个代理进程,该进程将通过持久 TCP 连接建立传入和传出连接的隧道。
最好的选择是在应用程序中实现完整的 SOCKS5 客户端,包括用于 UDP 数据包的 UDP-ASSOCIATE 命令。然后你必须找到一个支持隧道的 SOCKS5 代理。
我偶尔使用 Delegate 它似乎是代理的瑞士小刀。据我所知,它在其SOCKS5实现中支持UDP-ASSOCIATE命令,并且还支持通过TCP连接连接两个Delegate进程。它也适用于 Linux 和 Windows。我不记得它是否也可以加密该 TCP 连接,但如果需要,您始终可以通过 stunnel 或 SSH 建立该连接。
但是,如果您拥有远程 VPN 服务器的系统管理员权限,您可能可以进行更简单的设置:
让您的 P2P 应用程序将其传出 UDP 套接字绑定到客户端 VPN 接口。您可能需要为该接口设置辅助默认路由。这样,您的应用程序的传出数据包将通过远程服务器。
让远程服务器通过 VPN 连接将传入的 UDP 数据包转发到特定端口返回给您。
这应该是一个更简单的设置,但如果您确实关心匿名性,您可能有兴趣确保您的 P2P 应用程序不会泄漏 DNS 或其他可跟踪的请求。
Forwading incoming connections to your application is relatively easy:
stunnel allows you to forward traffic to specific ports through an an SSL tunnel. It requires that you run it on both ends, though.
Most decent SSH clients, such as OpenSSH or PuTTY also support port forwarding, with the added advantage that any remote SSH server can usually act as the other end of the tunnel without any modifications.
You can also use OpenVPN and other VPN solutions, but this requires specific forwarding rules to be added to the remote server.
Forwarding outgoing connections, though, is trickier without modifying your application. The proper way to do it is to implement the SOCKS protocol, preferrably SOCKS5. Alternatively, you can use an external application, such as FreeCap, to redirect any connections from your application.
After you do that, you can forward your connections to any SOCKS server. Most SSH clients, for example, allow you to use the SOCKS protocol to route outgoing connections through the remote server.
As a sidenote, OpenVPN servers do not necessarily become the default gateway for all your traffic. Some do push such a route table entry to the clients, but it can be changed. In my own OpenVPN setup I only use the VPN to access the private network and do not route everything through it.
If you can force your application to bind all outgoing sockets to one or more specific ports, you could use IP filtering rules on your system to route any connections from those ports through the VPN.
EDIT:
Tunneling UDP packets is somewhat more difficult. Typically you need a proxy process on both the remote server and the local client that will tunnel incoming and outgoing connections through a persistent TCP connection.
Your best bet would be a full SOCKS5 client implementation in your application, including the UDP-ASSOCIATE command for UDP packets. Then you will have to find a SOCKS5 proxy that supports tunnelling.
I have occasionally used Delegate which seems to be the Swiss pocket-knife of proxies. As far as I know, it supports the UDP-ASSOCIATE command in its SOCKS5 implementation and it also supports connecting two Delegate processes through a TCP connection. It is also available for both Linux and Windows. I don't remember if it can also encrypt that TCP connection, but you could always tunnel that one through stunnel or SSH if you need to.
If you have system administrator rights on a remote VPN server, however, you could probably have a simpler set-up:
Have your P2P application bind it's outgoing UDP sockets to the client VPN interface. You many need to setup a secondary default route for that interface. This way your application's outgoing packets will go through the remote server.
Have the remote server forward incoming UDP packets to specific ports through the VPN connection back to you.
This should be a simpler set-up, although if you really care about anonymity you might be interested in ensuring your P2P application does not leak DNS or other requests that can be tracked.
将 SSH 连接放入您的应用程序中或使用 SSL。您必须使用协议/服务而不是 VPN 技术。祝你好运!
Put SSH connectivity in your app or use SSL. You'll have to use a protocol/service instead of VPN technology. Good luck!
我认为你只需要 SSL: http://www.openssl.org/
OpenVPN 基于 SSL -但它是一个完整的VPN。
问题是你需要什么?如果您需要加密(应用程序专用连接),而不是 VPN(虚拟专用网络),请选择 ssl。
可以在此处找到提示:
向现有 TCP 和 udp 中添加 SSL 支持UDP 代码?
http://sctp.fh-muenster.de/dtls -samples.html
http://fixunix.com/openssl/ 152877-ssl-udp-traffic.html
I think you simply need SSL: http://www.openssl.org/
OpenVPN is based on SSL - but it is a full vpn.
The question is what do you need? If you need encryption (application private connection) - and not a vpn (virtual private network) go for ssl.
Hints can be found here:
Adding SSL support to existing TCP & UDP code?
http://sctp.fh-muenster.de/dtls-samples.html
http://fixunix.com/openssl/152877-ssl-udp-traffic.html