[Tutorial] Build Your Ultimate Scrambled VPN

This guide is for those who live or travel in a country with very strict internet control. For example, China uses the Great Firewall to actively seek out VPN connections and block VPN servers. The GFW has been upgraded over the years and, as of now, it is known to use Deep Packet Inspection to identify and block PPTP and OpenVPN connections. It usually takes the GFW 30 minutes or less to block your connection. However, we can scramble our VPN connection to bypass the GFW. In this guide, I will show you how to set up a scrambled OpenVPN server and a Softether VPN server. Hopefully, this guide will be useful to some of you.

VPN protocols blocked by GFW

  • PPTP
  • OpenVPN
  • L2TP (Certain ISPs)

VPN protocols that GFW cannot detect as of now

  • Scrambled OpenVPN
  • Softether Protocol
  • L2TP over IPsec
  • SSTP
  • VPN over ICMP / VPN over DNS

Test environment

  • Server: CentOS 6 (OpenVZ)
  • Client: Ubuntu / Windows 8.1

I have tested the above protocols on China Telecom's residential fiber network. I would appreciate it if someone on China Unicom could let me know whether this guide works for them.


Setting up your scrambled OpenVPN server

Prerequisites:

  1. Install the RHEL EPEL Repo on CentOS 6

    wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
    sudo rpm -Uvh epel-release-6-8.noarch.rpm
    
  2. Update your system

    sudo yum upgrade
    
  3. Install these packages so we can compile OpenVPN from source later

    sudo yum install autoconf.noarch automake file gcc libtool patch quilt git make rpm-build zlib-devel pam-devel openssl-devel lzo-devel
    
  4. If your VPS is OpenVZ based, you need to enable TUN/TAP.

Building OpenVPN from source

  1. Download the OpenVPN source file and the packet obfuscation patch.

    wget https://github.com/OpenVPN/openvpn/archive/release/2.3.zip
    wget https://github.com/clayface/openvpn_xorpatch/archive/master.zip
    unzip 2.3.zip
    unzip master.zip
    

    Back up links if above files are deleted from github:

    OpenVPN 2.3.2: https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/2.3.zip
    Obfuscate Patch: https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/master.zip
    
  2. Apply the patch to the source files.

    cp openvpn_xorpatch-master/openvpn_xor.patch openvpn-release-2.3/
    cd openvpn-release-2.3/
    git apply --check openvpn_xor.patch
    git apply openvpn_xor.patch
    cd ..
    sudo mv ./openvpn-release-2.3/ /etc/openvpn
    
  3. Make sure you have installed the packages in the prerequisite section. We will now build the OpenVPN server from source.

    cd /etc/openvpn/
    sudo autoreconf -i -v -f
    sudo ./configure --prefix=/usr
    sudo make
    sudo make install
    

  4. Let's set OpenVPN to startup on boot.

    sudo wget https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/openvpn -O /etc/rc.d/init.d/openvpn
    sudo chmod +x /etc/rc.d/init.d/openvpn
    sudo chkconfig --add openvpn
    sudo chkconfig openvpn on
    

    Make sure the startup script is correctly set.

    chkconfig --list | grep openvpn
    

  5. Now that our OpenVPN server is installed, we need to download the Easy-Rsa package for creating keys and certificates.

    cd /etc/openvpn
    wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz
    tar zxvf easy-rsa-2.2.0_master.tar.gz
    sudo cp -R easy-rsa-2.2.0_master/easy-rsa/ /etc/openvpn/
    sudo chown -R $USER /etc/openvpn/easy-rsa/
    

    Fill in whatever info you want to build the CA certificate.

    cd /etc/openvpn/easy-rsa/2.0/
    source vars
    ./clean-all
    ./build-ca
    

    You will be asked for a password in the following step and you will need to answer y to sign and commit the certificate.

    ./build-key-server server
    

    This step might take a minute.

    ./build-dh
    

    We are now building the client key, you can build as many as you want. Just change client to something else. I recommend building multiple client keys if you plan to share. Please answer y to sign at the end.

    ./build-key client
    

    We will move the server side certificates and keys to their location.

    sudo cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
    

    Now copy the client files to a separate folder and generate a ta.key.

    sudo mkdir $HOME/client-files
    sudo cp ca.crt client.crt client.key $HOME/client-files
    sudo openvpn --genkey --secret /etc/openvpn/ta.key
    sudo cp /etc/openvpn/ta.key $HOME/client-files
    
  6. Let's create the OpenVPN client configuration file now. You will need to fill in your server's IP, and you can choose whatever keyword you like after scramble obfuscate. Just make sure you have the same keyword in your server configuration file as well. Also, choose a UDP port that is best for your network setting. We will use 443 in this tutorial.

    sudo nano $HOME/client-files/scrambled-client.ovpn
    
    client
    dev tun
    scramble obfuscate guardian
    proto udp
    remote **YOUR SERVER IP** 443
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client.crt
    key client.key
    tls-auth ta.key 1
    ns-cert-type server
    cipher AES-256-CBC
    comp-lzo
    verb 3
    fast-io
    script-security 2
    
  7. Now that we have the configuration file handy, we will merge the certificates and keys to make it an inline configuration file. (If you did not name your certificates like the examples above, please download the merge.sh script and change the parameters.)

    sudo wget https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/merge.sh -O $HOME/client-files/merge.sh
    cd $HOME/client-files/
    sudo chmod +x $HOME/client-files/merge.sh
    sudo $HOME/client-files/merge.sh
    sudo chown $USER $HOME/client-files/scrambled-client.ovpn
    
  8. The client configuration file is ready. Transfer it to your computer. You can use SFTP via Filezilla.

  9. We will setup the configuration file on the server side now.

    sudo nano /etc/openvpn/server.conf
    

    Please make sure that you have the same keyword after scramble obfuscate as in the client configuration file. Don't forget to set the same port as well.

    port 443
    proto udp
    dev tun
    scramble obfuscate guardian
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/server.crt
    key /etc/openvpn/server.key
    tls-auth /etc/openvpn/ta.key 0
    dh /etc/openvpn/dh1024.pem
    server 10.8.0.0 255.255.255.0
    cipher AES-256-CBC
    comp-lzo
    persist-key
    persist-tun
    user nobody        # If server fails to start, please change this to an existing user
    group openvpn    # If server fails to start, please change this to an existing group
    status openvpn-status.log
    verb 3
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    push "redirect-gateway def1"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    keepalive 5 30
    
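A quick consistency check for the client and server files above, added here as an example; it is not part of halczy's tutorial. It assumes the layout from the post (a client .ovpn and a server.conf in OpenVPN 2.3 syntax with the xor patch's scramble directive) and constructs its own sample pair, so it runs offline. It reports a mismatch in the scramble keyword, proto, port, cipher or comp-lzo, flags a remote line that still holds the **YOUR SERVER IP** placeholder, and checks that tls-auth uses key direction 0 on the server and 1 on the client, the pairing the two files in the tutorial use.

```shell
#!/bin/sh
# ovpn_pair_check.sh (added example, not from the thread): verify that a
# scrambled OpenVPN client profile and server config agree on the settings
# the tutorial says must match.

# Print the first uncommented line whose directive is $2 in config file $1.
ovpn_get() {
  awk -v d="$2" '$1 == d { sub(/[ \t]+$/, ""); print; exit }' "$1"
}

# Return 0 when client ($1) and server ($2) configs are consistent, 1 otherwise;
# every problem found is printed as a MISMATCH/PLACEHOLDER line.
ovpn_pair_check() {
  client="$1"; server="$2"; rc=0
  for d in scramble proto cipher comp-lzo; do
    c=$(ovpn_get "$client" "$d"); s=$(ovpn_get "$server" "$d")
    if [ "$c" != "$s" ]; then
      echo "MISMATCH $d: client='$c' server='$s'"; rc=1
    fi
  done
  remote=$(ovpn_get "$client" remote)
  case "$remote" in
    *YOUR*) echo "PLACEHOLDER: client 'remote' still reads '$remote'"; rc=1 ;;
  esac
  cport=$(echo "$remote" | awk '{print $3}')
  sport=$(ovpn_get "$server" port | awk '{print $2}')
  if [ "$cport" != "$sport" ]; then
    echo "MISMATCH port: client=$cport server=$sport"; rc=1
  fi
  # tls-auth key direction must be complementary: server 0, client 1
  cdir=$(ovpn_get "$client" tls-auth | awk '{print $3}')
  sdir=$(ovpn_get "$server" tls-auth | awk '{print $3}')
  if [ "$sdir" != "0" ] || [ "$cdir" != "1" ]; then
    echo "MISMATCH tls-auth key direction: server='$sdir' (want 0) client='$cdir' (want 1)"; rc=1
  fi
  return $rc
}

# Write a constructed sample pair into directory $1; keyword $2 goes into the
# client profile so a mismatch can be simulated.
write_sample_configs() {
  cat > "$1/server.conf" <<'EOF'
port 443
proto udp
dev tun
scramble obfuscate guardian
tls-auth /etc/openvpn/ta.key 0
cipher AES-256-CBC
comp-lzo
EOF
  cat > "$1/client.ovpn" <<EOF
client
dev tun
scramble obfuscate $2
proto udp
remote 203.0.113.10 443
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
EOF
}

# Stand-alone demo on the constructed samples.
tmp=$(mktemp -d)
write_sample_configs "$tmp" guardian
if ovpn_pair_check "$tmp/client.ovpn" "$tmp/server.conf"; then echo "OK: client and server agree"; fi
write_sample_configs "$tmp" sentinel   # simulate a typo in the keyword
ovpn_pair_check "$tmp/client.ovpn" "$tmp/server.conf" || echo "problems found (expected for this sample)"
rm -rf "$tmp"
```

Run it as `ovpn_pair_check scrambled-client.ovpn /etc/openvpn/server.conf` before transferring the profile; a non-zero exit means at least one problem line was printed. It reads only the named directives, so it says nothing about whether the certificates themselves match.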

Comments

  • halczyhalczy Member
    edited February 2014
    1. Enable IP packet forwarding so that our VPN traffic can pass through.

      sudo nano /etc/sysctl.conf
      

      Change it from 0 to 1 to enable IP packet forwarding.

      net.ipv4.ip_forward=1
      

      Reload to take effect.

      sysctl -p
      
    2. Let's set the iptables. Please go with your corresponding virtualization.

      OpenVZ:

      sudo iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source YOUR SERVER IP
      sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source YOUR SERVER IP
      

      KVM/XEN:

      sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
      

      Save the iptables rules.

      sudo service iptables save
      
    3. Start the OpenVPN service.

      sudo service openvpn restart
      

    Setting up your scrambled OpenVPN client on Ubuntu

    Prerequisites:

    1. Install the following packages in order to be able to compile OpenVPN later.

      sudo apt-get update; sudo apt-get upgrade
      sudo apt-get install gcc make automake autoconf dh-autoreconf file patch perl dh-make debhelper devscripts gnupg lintian quilt libtool pkg-config libssl-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev -y
      

    Building the OpenVPN client from source

    1. Download OpenVPN and the patch (Same as setting up OpenVPN on the server side).

      wget https://github.com/OpenVPN/openvpn/archive/release/2.3.zip
      wget https://github.com/clayface/openvpn_xorpatch/archive/master.zip
      unzip 2.3.zip
      unzip master.zip
      
    2. Apply the patch to the source files.

      cp openvpn_xorpatch-master/openvpn_xor.patch openvpn-release-2.3/
      cd openvpn-release-2.3/
      git apply --check openvpn_xor.patch
      git apply openvpn_xor.patch
      cd ..
      sudo mv ./openvpn-release-2.3/ /etc/openvpn
      
    3. Make sure you have installed the packages in the prerequisite section. We will now build the OpenVPN server from source.

      cd /etc/openvpn/
      sudo autoreconf -i -v -f
      sudo ./configure --prefix=/usr
      sudo make
      sudo make install
      

    Client side OpenVPN usage

    In the folder where your client configuration file is located.

    sudo openvpn --config [Your configuration file name]
    

    If you see Initialization Sequence Completed, that means you have connected to your VPN successfully.

    Thanked by 3mark sycotic kontam
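An offline pre-flight check for the forwarding and NAT steps in the post above, added here as an example and not part of the tutorial. It reads the server.conf plus saved output of `sysctl net.ipv4.ip_forward` and `iptables-save` from files (so it needs no root), derives the tunnel subnet from the `server 10.8.0.0 255.255.255.0` line, and confirms that ip_forward is 1 and that a POSTROUTING SNAT or MASQUERADE rule covers that subnet, which is what both the OpenVZ and KVM/Xen variants above set up. The sample inputs at the bottom are constructed.

```shell
#!/bin/sh
# vpn_nat_check.sh (added example, not part of the thread): offline check that
# the forwarding and NAT pieces are in place before starting OpenVPN.
#   $1  OpenVPN server.conf (the "server <net> <mask>" line gives the tunnel subnet)
#   $2  file holding the output of `sysctl net.ipv4.ip_forward`
#   $3  file holding the output of `iptables-save`

# Dotted netmask -> prefix length, by counting set bits (255.255.255.0 -> 24).
mask_to_prefix() {
  echo "$1" | awk -F. '{ n = 0
      for (i = 1; i <= 4; i++) { o = $i; while (o > 0) { n += o % 2; o = int(o / 2) } }
      print n }'
}

# Tunnel subnet in CIDR form from the server.conf "server" directive (empty if absent).
server_subnet() {
  line=$(awk '$1 == "server" && NF >= 3 { print $2, $3; exit }' "$1")
  [ -n "$line" ] || return 0
  set -- $line
  echo "$1/$(mask_to_prefix "$2")"
}

# Return 0 if ip_forward is on and a POSTROUTING SNAT/MASQUERADE rule covers the
# tunnel subnet; print each problem found and return 1 otherwise.
vpn_nat_check() {
  conf="$1"; sysctl_out="$2"; rules="$3"; rc=0
  subnet=$(server_subnet "$conf")
  if [ -z "$subnet" ]; then
    echo "FAIL: no 'server <net> <mask>' line in $conf"; return 1
  fi
  if ! grep -Eq '^net\.ipv4\.ip_forward *= *1$' "$sysctl_out"; then
    echo "FAIL: net.ipv4.ip_forward is not 1 (set it in /etc/sysctl.conf, then sysctl -p)"; rc=1
  fi
  if ! grep -E '^-A POSTROUTING ' "$rules" | grep -F -- "-s $subnet" \
       | grep -Eq -- '-j (SNAT|MASQUERADE)'; then
    echo "FAIL: no POSTROUTING SNAT/MASQUERADE rule for $subnet (was 'service iptables save' run?)"; rc=1
  fi
  return $rc
}

# Constructed sample inputs; $2 = good writes the KVM/Xen rule, anything else omits it.
write_nat_samples() {
  printf 'server 10.8.0.0 255.255.255.0\nproto udp\n' > "$1/server.conf"
  printf 'net.ipv4.ip_forward = 1\n' > "$1/sysctl.out"
  {
    echo '*nat'
    echo ':POSTROUTING ACCEPT [0:0]'
    if [ "$2" = good ]; then echo '-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE'; fi
    echo 'COMMIT'
  } > "$1/iptables.save"
}

# Stand-alone demo.
tmp=$(mktemp -d)
write_nat_samples "$tmp" good
if vpn_nat_check "$tmp/server.conf" "$tmp/sysctl.out" "$tmp/iptables.save"; then
  echo "OK: forwarding and NAT for $(server_subnet "$tmp/server.conf") are in place"
fi
write_nat_samples "$tmp" missing   # simulate a reboot without 'service iptables save'
vpn_nat_check "$tmp/server.conf" "$tmp/sysctl.out" "$tmp/iptables.save" || echo "-> clients would connect but not reach the internet"
rm -rf "$tmp"
```

On a live server: `sysctl net.ipv4.ip_forward > s.out; iptables-save > r.out; vpn_nat_check /etc/openvpn/server.conf s.out r.out`. A rule that is present now but absent from the saved output is exactly the case the tutorial's `service iptables save` step guards against.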
  • halczyhalczy Member
    edited February 2014

    Setting up your Softether VPN Server

    Softether's native protocol is pretty solid. As of now, it can bypass the GFW undetected. Softether also offers L2TP over IPsec and MS-SSTP for your mobile devices, since the scrambled OpenVPN won't work on your iOS or Android devices. For those behind crazy firewalls, you can try VPN over ICMP or DNS.

    1. Download the Softether VPN Server and unzip it.

      x64:
      wget https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/softether-vpnserver-v4.04-9412-rtm-2014.01.15-linux-x64-64bit.tar.gz
      
      x32:
      wget https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/softether-vpnserver-v4.04-9412-rtm-2014.01.15-linux-x86-32bit.tar.gz
      

      tar zxvf softether-vpnserver-*.tar.gz

    2. Compile the source and install.

      cd vpnserver/
      make
      

      Answer 1 (Yes) about three times and it will start to compile. If it is successful, you should see 6 pass.

    3. Move the folder to /usr/local and change the file permissions.

      cd ..
      sudo mv vpnserver/ /usr/local/ 
      cd /usr/local/vpnserver/
      sudo chmod 600 *
      sudo chmod 700 vpncmd
      sudo chmod 700 vpnserver
      
    4. Let's download the startup script and set it.

      sudo wget https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/vpnserver -O /etc/init.d/vpnserver
      

      We will enable the script to run at boot.

      sudo chmod 755 /etc/init.d/vpnserver
      sudo chkconfig vpnserver on
      

      Make sure the startup script is correctly set. Level 2/3/4/5 should be on.

      chkconfig --list | grep vpnserver
      
    5. Check and see if the Softether Server is ready to run

      sudo ./vpncmd
      3
      check
      

      If no error is returned, then you are good to go. We will start the Softether server now.

      sudo service vpnserver start
      
    6. Now we can set the server administrator password. Hit enter when it asks for IP and Virtual Hub Name.

      sudo ./vpncmd
      1
      Hostname or IP Address of Destination: [Enter]
      Specify Virtual Hub Name: [Enter]
      ServerPasswordSet
      
    7. To speed up the process, we will use the GUI management tool to continue the setup.

      Since the GUI management tool is only available on Windows, we need to install it on Linux via Wine. If you are already on Windows, just install it directly.

      Download the GUI Tool:
      https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/softether-vpnserver_vpnbridge-v4.04-9412-rtm-2014.01.15-windows-x86_x64-intel.exe
      

      Select the Admin Tools Only option when installing

    8. Once you have the GUI tool open. Select New Setting to set a connection profile.

      Setting Name: [Any name will do]
      Host Name: [Your Server IP]
      Port: [Leave as default]
      Password: [The password you set in step 6]

      Save and click on Connect

    9. We will set it as Remote Access VPN Server. Click next and then yes to initialize the server.

    10. It will ask for a Virtual Hub Name. This is important as you will need to refer back to this later when setting up L2TP / IPsec.

    Thanked by 3mark fan kontam
  • halczyhalczy Member
    edited February 2014
    1. Set a DDNS Hostname by clicking Set to Above Hostname

    2. For personal VPN use, we will only enable L2TP over IPsec. Also, set an IPsec Pre-Shared Key. Write this down somewhere since you will need it later.

    3. Enable VPN Azure if you have any Windows devices that you plan to use. If not, please disable it just in case.

    4. Select Create Users. Set username and password.

    5. Close the VPN Easy Setup Tasks and return to the main menu. Click Local Bridge Setting in the bottom left corner.

    6. In the local bridge setting page, select the virtual hub that you just created. Now select Bridge with New Tap Device and then name your tap device. You will need to remember the name for the setup later; now click Create Local Bridge to finish the local bridge setup.

    7. Moving back to your server's command line. We will install dnsmasq to act as DHCP server.

      sudo yum install dnsmasq
      sudo chkconfig dnsmasq on
      
    8. We will need to edit dnsmasq's config file to set our tap device and IP range.

      sudo nano /etc/dnsmasq.conf
      

      Please replace [...] with your own specs

      interface=[Your Tap Device Name]
      dhcp-range=[Your Tap Device Name],[Starting IP],[Ending IP],12h
      dhcp-option=[Your Tap Device Name],3,[Server Gateway IP]
      

    9. We will need to modify Softether's startup script to match what we just set up.

      sudo nano /etc/init.d/vpnserver
      

      Please replace [...] with your own specs

      #!/bin/sh
      ### BEGIN INIT INFO
      # Provides:          vpnserver
      # Required-Start:    $remote_fs $syslog
      # Required-Stop:     $remote_fs $syslog
      # Default-Start:     2 3 4 5
      # Default-Stop:      0 1 6
      # Short-Description: Start daemon at boot time
      # Description:       Enable Softether by daemon.
      ### END INIT INFO
      DAEMON=/usr/local/vpnserver/vpnserver
      LOCK=/var/lock/subsys/vpnserver
      TAP_ADDR=[Server Gateway IP]
      
      test -x $DAEMON || exit 0
      case "$1" in
      start)
      $DAEMON start
      touch $LOCK
      sleep 1
      /sbin/ifconfig [Your Tap Device Name] $TAP_ADDR
      ;;
      stop)
      $DAEMON stop
      rm $LOCK
      ;;
      restart)
      $DAEMON stop
      sleep 3
      $DAEMON start
      sleep 1
      /sbin/ifconfig [Your Tap Device Name] $TAP_ADDR
      ;;
      *)
      echo "Usage: $0 {start|stop|restart}"
      exit 1
      esac
      exit 0
      

    10. Now we will add the additional rule to our iptables

      sudo iptables -t nat -A POSTROUTING -s [Your Gateway]/24 -j SNAT --to-source [Your Server IP]
      sudo service iptables save
      

    11. We will reboot the server now to finish the install.

    12. (Optional) Softether by default enables its OpenVPN clone. You should turn it off just in case. To turn it off, select OpenVPN / MS-SSTP Setting at the bottom right corner. Then uncheck Enable OpenVPN Clone Server Function.

    13. (Optional) To enable VPN over ICMP / DNS function, select Encryption and Network located in the middle of the menu. Then select VPN over ICMP / DNS Settings, it is located near the bottom right. Check one or both options and there you have it.

    Softether VPN Client on Windows

    1. Download the client.

      https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/softether-vpnclient-v4.04-9412-rtm-2014.01.15-windows-x86_x64-intel.exe
      
    2. Select add new connection.

    3. If you see this. You are good to go. Enjoy your internet freedom!

    End note: This tutorial was sourced with materials from

    http://scramblevpn.wordpress.com/

    http://blog.lincoln.hk/blog/2013/05/17/softether-on-vps-using-local-bridge/

    Thanked by 2mark kontam
  • Clearly a lot of work has gone into this. Thank you for taking the time to publish this, very interesting.

  • <3 xor-patch and obfsproxy with openvpn at china telecom for over a year.

  • Thank you for the time to write this tutorial :)

    My blog| Are you super f***in bussy??
  • GunterGunter Member
    edited February 2014

    Have SSH Tunnels been blocked yet?

    As well thank you for your tutorial, it was well written and excellently formatted :)

  • belinikbelinik Member
    edited February 2014

    Nice tutorial. I have used Softether's protocol for 2 years (not for bypass but to speed boost) and it has been great. I am moving there soon, using China Telecom DSL (sadly no fiber for another year). To reach websites from the States, what location do you suggest to build a VPN? (HKG/Japan/LAX) I have Seattle with RamNode which is workable but looking for something better.

  • Thank you for your effort. :)

    I'm Good!

  • @halczy Wow!! It takes much effort to write this guide. Thank you, I learn something new every day.

  • racksxracksx Member, Provider

    Superb, :) to have VPN much better just install openpanel with extension openapp network and just have vpn with few commands on debian/ubuntu :)

  • halczyhalczy Member
    edited February 2014

    @darknyan said: Have SSH Tunnels been blocked yet?

    As well thank you for your tutorial, it was well written and excellently formatted :)

    It's not blocked yet, but rumor has it that the GFW can identify the SSH traffic pattern to see if you are using it as a proxy. I rarely use it and don't see that being a problem. GAE proxy is also a good alternative; it uses Google's Beijing data center and hops to Kansas via IPv6.

    @belinik said: Nice tutorial. I have used Softether's protocol for 2 years (not for bypass but to speed boost) and it has been great. I am moving there soon, using China Telecom DSL (sadly no fiber for another year). To reach websites from the States, what location do you suggest to build a VPN? (HKG/Japan/LAX) I have Seattle with RamNode which is workable but looking for something better.

    Well, my experience is that west coast servers in the States are much better than servers in Hong Kong or Japan. You can get around 170ms pings and on a good day you can get up to 60mbps. I have the 100mbps fiber and when on a VPN connection, I have never surpassed 60mbps. 25mbps will be the average. Hong Kong has lower pings at around 50-100ms, but the bandwidth seems limited for some reason. I blame CT's weird routing.

    Thanked by 1belinik
    @halczy said: It's not blocked yet, but rumor has it that the GFW can identify the SSH traffic pattern to see if you are using it as a proxy. I rarely use it and don't see that being a problem. GAE proxy is also a good alternative; it uses Google's Beijing data center and hops to Kansas via IPv6.

    Google has a Beijing data center? I didn't know that.

    After failing to set up a VPN with OpenVPN and L2TP in mainland China, I used OpenVPN Connect (web) to set up several VPNs; it works fine most of the time.

  • halczyhalczy Member
    edited February 2014

    @Edo said: Google has a Beijing data center? I didn't know that.

    They still have that data center operating. And one of the few in China with IPv6. GFW doesn't work that well when it comes to IPv6.

  • @halczy said: They still have that data center operating. And one of the few in China with IPv6. GFW doesn't work that well when it comes to IPv6.

    Yes, now the GFW doesn't block IPv6. But one day, the GFW will block IPv6 too, damn it.

  • Props for a very nice tutorial.

    HostGuard VPS Control Panel

  • rskrsk Member, Provider

    halczy said: Softether VPN Server

    @halczy does softether come scrambled by default? Also, what is the method to connect to scrambled openvpn from Windows? You only did it for Ubuntu.

    I never seem to understand >.>

    Thanks for your help in advance.

  • @rsk said: does softether come scrambled by default?

    Yes. Softether is scrambled by default. Or at least the GFW can't seem to be able to identify it yet.

    I personally just use Softether on my Windows client. If you need the scrambled OpenVPN client for Windows, this blog has it already compiled. Just replace openvpn.exe with the original.

    http://scramblevpn.wordpress.com/2013/09/28/build-patched-windows-openvpn-client/
    
  • Great tutorial!

    --post via l2tp

  • support123support123 Member, Provider

    such give wow good work!!

    I am not Rick

  • Out of curiosity, what is the penalty if the authorities caught you avoiding the GFW?

  • Bookmark this nice tutorial

  • nice tutorial, thanks

  • halczyhalczy Member
    edited February 2014

    @Jono20201 said: Out of curiosity, what is the penalty if the authorities caught you avoiding the GFW?

    I haven't heard of anyone that actually got into legal trouble after getting caught by the GFW. Usually they just disconnect your internet for like two minutes or so, then block the VPN's IP address. I believe it is fully automated now. If you are a repeat offender, expect "interesting" connection problems from now on.

  • @halczy said: I haven't heard of anyone that actually got into legal trouble after getting caught by the GFW. Usually they just disconnect your internet for like two minutes or so, then block the VPN's IP address. I believe it is fully automated now. If you are a repeat offender, expect "interesting" connection problems from now on.

    Sometimes it depends on where you use it. It has been confirmed that SAs are receiving some kind of "reminder" from the network police. In universities, some users have been called by the IT department.

    It is confirmed that the GFW has acquired some way to detect "abnormal" traffic via SSH tunnel. For servers with unusual traffic detected, the SSH port may be blocked.

    I am quite interested in whether OpenVPN with obfuscate will survive. Earlier reports said the GFW would block the handshake process of OpenVPN; I don't know whether they are blocking OpenVPN traffic now.

  • thanks for the tutorial

  • khavkhav Member

    Thanks for the awesome tutorial mate. I intend to create a bash script for it soon and share it with the LET community. Of course full credits will be given to you.

  • Thanks might need this

    Wow, thank you for the great tutorial. Useful for everyone, not just to avoid the GFW.

    wget http://freevps.us/downloads/bench.sh -O - -o /dev/null|bash && dd if=/dev/zero of=test bs=64k count=16k conv=fdatasync; rm -rf test

    Testing on an idle VPS from the China Unicom network: it connects successfully but fails to get a local IP address when using local bridge; if I change to SecureNAT there is no problem.

    @soundee said: Testing on an idle VPS from the China Unicom network: it connects successfully but fails to get a local IP address when using local bridge; if I change to SecureNAT there is no problem.

    If you are not getting local ip address, that means there is a problem with your dnsmasq setup. You can check and see if dnsmasq is running or the configuration file is set correctly. Softether's SecureNAT comes with its own DHCP server, so it works without dnsmasq.

  • khavkhav Member

    @halczy what would be the iptables rule if the server is running on bare metal(not using any virtualization)

    P.S i am referring to the scrambled OpenVPN server on Centos 6

  • @khav said: halczy what would be the iptables rule if the server is running on bare metal(not using any virtualization)

    P.S i am referring to the scrambled OpenVPN server on Centos 6

    It should be the same as the KVM/XEN setup. If your local connection is eth0, then use

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    sudo service iptables save
    

    Let me know if it doesn't work.

  • WilliamWilliam Member, Provider

    Did anyone try the Softether L2 bridging for high bw? I'm using N2N which gives me ~40Mbit @ 100Mbit while OpenVPN did not even do 20Mbit

  • khavkhav Member

    @halczy Will this line be same for all servers server 10.8.0.0 255.255.255.0

    I am trying to setup openvpn on a ramnode server atm

    Thanks for clearing my doubts Regards mate:)

  • khavkhav Member

    @halczy I am not able to connect :( Installation completed with no errors.

    tail -f /var/log/messages

    Mar 13 10:07:14 khav openvpn[20379]: /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
    Mar 13 10:07:14 khav kernel: tun0: Disabled Privacy Extensions
    Mar 13 10:07:14 khav openvpn[20379]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
    Mar 13 10:07:14 khav openvpn[20384]: GID set to openvpn
    Mar 13 10:07:14 khav openvpn[20384]: UID set to nobody
    Mar 13 10:07:14 khav openvpn[20384]: UDPv4 link local (bound): [undef]
    Mar 13 10:07:14 khav openvpn[20384]: UDPv4 link remote: [undef]
    Mar 13 10:07:14 khav openvpn[20384]: MULTI: multi_init called, r=256 v=256
    Mar 13 10:07:14 khav openvpn[20384]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
    Mar 13 10:07:14 khav openvpn[20384]: Initialization Sequence Completed
    

    Do we need to add something in the configuration when our server has both ipv4 and ipv6 ip address? {just a guess , its the first time i am setting openvpn ever}

  • @halczy said: If you are not getting local ip address, that means there is a problem with your dnsmasq setup. You can check and see if dnsmasq is running or the configuration file is set correctly. Softether's SecureNAT comes with its own DHCP server, so it works without dnsmasq.

    I think the dnsmasq already running in background, still trying to figure out.

  • @khav

    If you used my server configuration file along with the same iptables rule. Using server 10.8.0.0 255.255.255.0 is fine.

    From the look of your server log, the OpenVPN server is running just fine. Can you paste the client log? Also, remember to save the iptables rule. It shouldn't matter whether or not your server has IPv6 addresses; we are only using IPv4 in this case.

    You mentioned that you got your server from Ramnode. Is it KVM or OpenVZ? I don't think they sell dedicated servers there.

  • @soundee said: I think the dnsmasq already running in background, still trying to figure out.

    Maybe double check the dnsmasq config file. You will also need matching iptables rules and modified Softether boot script. Remember to restart dnsmasq and vpnserver when done.

  • khavkhav Member

    @halczy yes my server is KVM I was asking about the iptables rules for dedicated servers just in case i move to a dedi in future

    I use OpenVPN on Windows. It just says connecting to scrambled-client and then connecting to scrambled-client has failed. No log whatsoever could be found in the log folder. Btw I copied only scrambled-client.ovpn to the openvpn/config folder on Windows. Is there anything I am missing here?

    I used this iptables rule

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

  • The GFW in China doesn't block what you are saying it is.

  • @khav

    Did you download the custom/scrambled version of OpenVPN? If not, you can get it here http://scramblevpn.wordpress.com/2013/09/28/build-patched-windows-openvpn-client/ and replace the stock one.

    When you are connecting, there should be a pop-up window with logs in it.

  • WilliamWilliam Member, Provider

    dms1899 said: The GFW in China doesn't block what you are saying it is.

    This varies by canton and city (and ISP). Wūlǔmùqí (i'm not sure if thats right, en. Urumqi) is far more censored than Shanghai or Bejing, Shenzhen is almost not at all.

  • marcmmarcm Member

    Danke :)

  • khavkhav Member

    @halczy I didn't know that I had to download the scrambled version of the OpenVPN client. I did it and now everything works fine. Thanks a ton dude

    It would be great if you could share how to add user/pass to connect to the vpn for security reasons:P

    Thanks again:)

  • halczyhalczy Member
    edited March 2014

    @khav said: It would be great if you could share how to add user/pass to connect to the vpn for security reasons:P

    Actually the setup should be pretty secure. It uses certificates to authenticate with the server, so only the one with the configuration file can access it. If you prefer to use a username/password setup:

    Add the following lines to your server configuration file.

    plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
    client-cert-not-required
    username-as-common-name
    

    Remove the following line from your server configuration file

    tls-auth /etc/openvpn/ta.key 0
    

    Add the following lines to your client configuration file. Also copy the ca.crt file from /etc/openvpn/easy-rsa/2.0/keys on your server to the directory that the client configuration file is in.

    ca ca.crt
    auth-user-pass
    

    Remove this line and everything after <ca> in the client configuration file.

    ns-cert-type server
    
    <ca>
    -----BEGIN CERTIFICATE-----
    ...
    

    You should be prompted for a username/password now; use your Linux username/password to connect. If you plan to share your VPN with lots of friends, I would recommend setting up Softether, it offers a pretty slick user management feature.
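Keeping the certificate and adding a password, which is what khav asks for below, does not require dropping client certificates: OpenVPN accepts a client certificate and an auth-user-pass prompt at the same time, and the PAM plugin then checks the password on top of the TLS handshake. The script below is an added example, not halczy's recipe. It lints a server.conf for directives that weaken authentication (client-cert-not-required, its 2.4 spelling verify-client-cert none, and duplicate-cn, which lets one certificate be used by several clients at once) and writes a copy that keeps cert and tls-auth while adding the PAM plugin. The plugin path is the one used in this thread (where your own build installed it may differ, so check the path); `login` is the PAM service name the openvpn-auth-pam plugin takes as its argument. The weak sample config is constructed.

```shell
#!/bin/sh
# auth_layers.sh (added example, not from the thread): keep certificate
# authentication and add a PAM username/password check on top of it.

# Directives that make the client certificate optional or let one certificate
# be shared by several clients at once.
WEAK_RE='^[[:space:]]*(client-cert-not-required|verify-client-cert[[:space:]]+none|duplicate-cn)([[:space:]]|$)'

# Return 0 if server.conf $1 still requires client certificates and carries a
# tls-auth line; otherwise print each weakness and return 1.
lint_server_auth() {
  rc=0
  if grep -Eq "$WEAK_RE" "$1"; then
    grep -E "$WEAK_RE" "$1" | sed 's/^/WEAK: /'
    rc=1
  fi
  if ! grep -Eq '^[[:space:]]*tls-auth[[:space:]]' "$1"; then
    echo "WEAK: no tls-auth line (HMAC check on the handshake is off)"
    rc=1
  fi
  return $rc
}

# Write $2: a copy of server.conf $1 without the weakening directives, with the
# PAM plugin added (assumed plugin path; "login" is the PAM service name).
layer_pam_on_certs() {
  grep -Ev "$WEAK_RE" "$1" > "$2" || true
  grep -Eq '^[[:space:]]*plugin[[:space:]].*openvpn-auth-pam' "$2" ||
    echo 'plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login' >> "$2"
}

# Client side: keep ca/cert/key/tls-auth as they are and only add the prompt.
add_client_prompt() {
  cp "$1" "$2"
  grep -Eq '^[[:space:]]*auth-user-pass' "$2" || echo 'auth-user-pass' >> "$2"
}

# Constructed sample: a server.conf where certificates were made optional.
write_weak_server_conf() {
  cat > "$1" <<'EOF'
port 443
proto udp
dev tun
scramble obfuscate guardian
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
tls-auth /etc/openvpn/ta.key 0
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
client-cert-not-required
EOF
}

# Stand-alone demo.
tmp=$(mktemp -d)
write_weak_server_conf "$tmp/weak.conf"
lint_server_auth "$tmp/weak.conf" || echo "-> weak.conf accepts password-only clients"
layer_pam_on_certs "$tmp/weak.conf" "$tmp/strong.conf"
lint_server_auth "$tmp/strong.conf" && echo "-> strong.conf requires certificate AND password"
rm -rf "$tmp"
```

With the strong variant a copied .ovpn alone is not enough to connect, and a leaked Linux password alone is not enough either; each client still needs its own certificate, so revoking one client means revoking one certificate rather than changing a shared password.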

  • khavkhav Member

    @halczy I have no doubt that your setup is secure. It's just that I want username/password authorization + your current certificate setup. In this case even if someone copies my configuration file, he/she will still need a username & password to connect to the VPN

    I think that using the SSH username/password to connect would be secure. It's way better to add another Linux user
