macOS Mojave(10.14.2)配置OpenVPN软件Tunnelblick 3.7.8(客户端)

我们需要在macOS Mojave (10.14.2)配置连接在OpenVPN服务器实现加密上网或者翻墙。这里我们使用在Tunnelblick 3.7.8实现我们需要的功能。

具体配置过程如下

 

程序启动之后,在顶部的菜单栏中出现程序图标,跟蓝牙,无线等的图标在一排。

程序第一次启动,如果没有找到配置文件,会出现如下图的界面:



点击之后,会出现一个文件编辑器,并且在桌面上生成一个名为Tunnelblick VPN 配置样本的文件夹,然后我们编辑 config.ovpn 文件,填入我们需要设置的服务器地址,用户名,网络协议等信息。

配置文件 config.ovpn 里面的内容如下:

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote my-server-1 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert client.crt
key client.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
# comp-lzo
# 从2.5版本开始 comp-lzo 被废弃,要求使用 compress lzo 配置
# https://github.com/Nyr/openvpn-install/issues/430
compress lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
    • remote 字段,这个字段,填写服务器的域名或者IP地址以及端口号
    • proto 字段,这个字段,填写协议类型tcp或者udp
    • ca 字段,这个字段,填写加密认证的证书路径。这需要服务器创建一个正常的SSL加密证书。相当于HTTPS的认证证书,必须有,否则SSL无法建立连接。即使是用户名密码认证的情况,也需要客户端使用私钥加密,服务器使用公钥解密,之后才会交换用户名密码。

如果需要用户名密码登录,那么也需要提供一个有效的 ca 证书,一般从服务端下载下来,类似HTTPS的证书,在Windows下可能不需要提供这个证书,其实是客户端从服务器主动下载了这个证书,然而Tunnelblick需要我们手工下载这个证书然后存储到指定的目录或者跟配置文件同一个文件夹下。其实从OpenVPN生成的文件中,这个 ca 证书被包含在config.ovpn文件里面了。

很多时候,我们发现这个证书其实跟网站HTTPS使用的证书是相同的!这就意味着我们可以直接使用浏览器下载的证书来连接。

完成后双击 config.ovpn 即可成功安装配置文件。

参考链接

发布者

默默

码农

《macOS Mojave(10.14.2)配置OpenVPN软件Tunnelblick 3.7.8(客户端)》上有11条评论

    1. ca证书是个无效证书,自己生成的,用来骗过软件校验用的,他只是检测这个证书是不是有,并且尝试一下,如果尝试失败,转而使用用户名密码,如果不提供,他检测不到,就走不到需要用户名密码的地方了。
      回复
      1. 登录了,只有流出没有流入。我用win上是可以登录成功的。2020-01-08 16:40:05 Tunnelblick[4250] Warning: Unable to change permissions from 700 to 750 on /private/var/folders/b4/852lppw14pl2kf3yqntn19k00000gn/T
        2020-01-08 16:40:05 Tunnelblick[4250] Converting/Installing /Users/liliqin/Desktop/Tunnelblick VPN 配置样本/client.ovpn: Converted OpenVPN configuration
        2020-01-08 16:40:10 Tunnelblick[4250] Tunnelblick 需要进行需要管理员授权方可进行的操作.
        2020-01-08 16:40:10 Tunnelblick[4250] Beginning installation or repair
        2020-01-08 16:40:10 Tunnelblick[4250] Installation or repair succeeded; Log:
        Tunnelblick installer started 2020-01-08 16:40:10. 3 arguments: 0x0001
        /Users/liliqin/Library/Application Support/Tunnelblick/Configurations/client.tblk
        /private/var/folders/b4/852lppw14pl2kf3yqntn19k00000gn/T/Tunnelblick-FmXjSb/client.tblk
        Copied /private/var/folders/b4/852lppw14pl2kf3yqntn19k00000gn/T/Tunnelblick-FmXjSb/client.tblk
        to /Users/liliqin/Library/Application Support/Tunnelblick/Configurations/client.tblk.temp
        Renamed /Users/liliqin/Library/Application Support/Tunnelblick/Configurations/client.tblk.temp
        to /Users/liliqin/Library/Application Support/Tunnelblick/Configurations/client.tblk
        Changed ownership of /Users/liliqin/Library/Application Support/Tunnelblick/Configurations/client.tblk and its contents from 501:20 to 501:80
        Deleted /Library/Application Support/Tunnelblick/Users/liliqin/client.tblk
        Copied /Users/liliqin/Library/Application Support/Tunnelblick/Configurations/client.tblk
        to /Library/Application Support/Tunnelblick/Users/liliqin/client.tblk.temp
        Renamed /Library/Application Support/Tunnelblick/Users/liliqin/client.tblk.temp
        to /Library/Application Support/Tunnelblick/Users/liliqin/client.tblk
        Changed ownership of /Library/Application Support/Tunnelblick/Users/liliqin/client.tblk and its contents from 501:80 to 0:0
        Changed permissions from 750 to 755 on /Library/Application Support/Tunnelblick/Users/liliqin/client.tblk
        Changed permissions from 750 to 755 on /Library/Application Support/Tunnelblick/Users/liliqin/client.tblk/Contents
        Changed permissions from 750 to 755 on /Library/Application Support/Tunnelblick/Users/liliqin/client.tblk/Contents/Resources
        Changed permissions from 740 to 700 on /Library/Application Support/Tunnelblick/Users/liliqin/client.tblk/Contents/Resources/config.ovpn
        Updated secure (shadow) copy of client.tblk
        Tunnelblick installer finished without error
        2020-01-08 16:40:18 Tunnelblick[4250] Cleared 'expect disconnect' flag
        2020-01-08 16:40:20 Tunnelblick[4250] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-client' account = 'username'
        2020-01-08 16:40:20 Tunnelblick[4250] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-client' account = 'password'
        2020-01-08 16:40:53 Tunnelblick[4250] currentIPInfo(Name): IP address info could not be fetched within 34.3 seconds; the error was 'Error Domain=NSURLErrorDomain Code=-1001 "请求超时。" UserInfo={NSUnderlyingError=0x600003165560 {Error Domain=kCFErrorDomainCFNetwork Code=-1001 "请求超时。" UserInfo={NSErrorFailingURLStringKey=https://tunnelblick.net/ipinfo, NSErrorFailingURLKey=https://tunnelblick.net/ipinfo, _kCFStreamErrorCodeKey=-2102, _kCFStreamErrorDomainKey=4, NSLocalizedDescription=请求超时。}}, NSErrorFailingURLStringKey=https://tunnelblick.net/ipinfo, NSErrorFailingURLKey=https://tunnelblick.net/ipinfo, _kCFStreamErrorDomainKey=4, _kCFStreamErrorCodeKey=-2102, NSLocalizedDescription=请求超时。}'; the response was '(null)'
        2020-01-08 16:40:53 Tunnelblick[4250] An error occured fetching IP address information before connecting
        回复
        1. 报告错误信息貌似是IP地址解析异常,你检查一下IP或者域名配置部分 也就是 remote 这个项目配置的地址是不是不正确
          我这里写的是 `remote my-server-1 1194` 你需要配置成自己的服务器的域名 端口 才行。
          回复
          2. 报错内容是 currentIPInfo(Name): IP address info could not be fetched within 34.3 seconds; 意思是34秒的时间都没有得到对端服务的应答,你试试Shell 下面ping 能否Ping到,然后试试telnet是不是能建立连接。
          3. ping 和telnet都是通的。是不是因为服务端没有开启证书认证的原因。以前一直都是win操作,客户端配了个地址,然后账户密码登记就可以连上。
    1. 抱歉,之前的文章,关于证书部分的理解是错误的。很多时候,我们发现这个证书其实跟网站HTTPS使用的证书是相同的!这就意味着我们可以直接使用浏览器下载的证书来连接。不妨看看Windows下的客户端日志,看看Windows客户端是怎么获取这个证书的,这个证书可以是公开的,并不会造成安全问题,因为非对称加密就是这么设计的,这个证书被用来加密用户名密码。
      回复
  3. 这个是win版本的日志,连接成功。
    Thu Jan 09 08:38:40 2020 NOTE: VPN Client 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Thu Jan 09 08:38:40 2020 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Thu Jan 09 08:38:40 2020 Attempting to establish TCP connection with [AF_INET]***.**.***.***:8443
    Thu Jan 09 08:38:40 2020 TCP connection established with [AF_INET]***.**.***.***:8443
    Thu Jan 09 08:38:40 2020 TCPv4_CLIENT link local: [undef]
    Thu Jan 09 08:38:40 2020 TCPv4_CLIENT link remote: [AF_INET]***.**.***.***:8443
    Thu Jan 09 08:38:40 2020 TLS: Initial packet from [AF_INET]***.**.***.***:8443, sid=******** ********
    Thu Jan 09 08:38:40 2020 VERIFY OK: depth=1, C=CN, ST=GD, L=SZ, O=********, OU=********, CN=******** CA, name=********, emailAddress=[email]support@********.com[/email]
    Thu Jan 09 08:38:40 2020 VERIFY OK: nsCertType=SERVER
    Thu Jan 09 08:38:40 2020 VERIFY OK: depth=0, C=CN, ST=GD, L=SZ, O=********, OU=********, CN=server, name=********, emailAddress=[email]support@********.com[/email]
    Thu Jan 09 08:38:40 2020 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu Jan 09 08:38:40 2020 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Jan 09 08:38:40 2020 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu Jan 09 08:38:40 2020 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Jan 09 08:38:40 2020 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Thu Jan 09 08:38:40 2020 [server] Peer Connection Initiated with [AF_INET]***.**.***.***:8443
    Thu Jan 09 08:38:42 2020 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Thu Jan 09 08:38:42 2020 PUSH: Received control message: 'PUSH_REPLY,route 192.168.88.100 255.255.255.255,route 192.168.200.183 255.255.255.255,route 192.168.200.186 255.255.255.255,route 10.1.2.16 255.255.255.255,route 10.1.2.238 255.255.255.255,route 10.1.2.64 255.255.255.255,route 192.168.196.66 255.255.255.255,route 192.168.196.40 255.255.255.255,route 192.168.196.130 255.255.255.255,route 10.1.2.22 255.255.255.255,route 10.1.2.0 255.255.255.0,route 192.168.196.0 255.255.255.0,route 10.1.19.0 255.255.255.0,route 172.17.0.0 255.255.0.0,route 192.168.66.0 255.255.255.0,route 192.168.200.181 255.255.255.255,route-gateway 192.168.254.1,ping 10,ping-restart 120,ifconfig 192.168.254.44 255.255.255.0'
    Thu Jan 09 08:38:42 2020 OPTIONS IMPORT: timers and/or timeouts modified
    Thu Jan 09 08:38:42 2020 OPTIONS IMPORT: --ifconfig/up options modified
    Thu Jan 09 08:38:42 2020 OPTIONS IMPORT: route options modified
    Thu Jan 09 08:38:42 2020 OPTIONS IMPORT: route-related options modified
    Thu Jan 09 08:38:42 2020 Preserving previous TUN/TAP instance: 本地连接 2
    Thu Jan 09 08:38:42 2020 Initialization Sequence Completed
    回复
    1. 请注意,这个日志显示是使用了服务器下发的ca证书的,原则上,你可以找到这个服务器下发的证书的,然后把这个存储起来。 另外,根据日志,你服务器需要配置 ns-cert-type server ,这个项目打开看看日志跟踪一下。
      回复

回复 默默 取消回复

您的电子邮箱地址不会被公开。 必填项已用 * 标注