[Tutorial] Build Your Ultimate Scrambled VPN - Page 2

24 Comments

  • Thanks might need this

  • Wow, thank you for the great tutorial. Useful for everyone, not just to avoid the GFW.

  • Testing on an idle VPS on the China Unicom network: I succeed in connecting but fail to get a local IP address when using local bridge, but if I change to SecureNAT there is no problem.

  • @soundee said:
    Testing on an idle VPS on the China Unicom network: I succeed in connecting but fail to get a local IP address when using local bridge, but if I change to SecureNAT there is no problem.

    If you are not getting a local IP address, that means there is a problem with your dnsmasq setup. You can check and see if dnsmasq is running and whether the configuration file is set correctly. Softether's SecureNAT comes with its own DHCP server, so it works without dnsmasq.

  • khav Member

    @halczy what would be the iptables rule if the server is running on bare metal (not using any virtualization)?

    P.S. I am referring to the scrambled OpenVPN server on CentOS 6.

  • @khav said:
    halczy what would be the iptables rule if the server is running on bare metal (not using any virtualization)?

    P.S. I am referring to the scrambled OpenVPN server on CentOS 6.

    It should be the same as the KVM/XEN setup. If your local connection is eth0, then use

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    sudo service iptables save
    

    Let me know if it doesn't work.

  • Did anyone try the Softether L2 bridging for high bw? I'm using N2N, which gives me ~40Mbit @ 100Mbit, while OpenVPN did not even do 20Mbit.

  • khav Member

    @halczy
    Will this line be the same for all servers?
    server 10.8.0.0 255.255.255.0

    I am trying to set up OpenVPN on a RamNode server atm.

    Thanks for clearing my doubts.
    Regards mate :)

  • khav Member

    @halczy I am not able to connect :(
    Installation completed with no errors.
    tail -f /var/log/messages

    Mar 13 10:07:14 khav openvpn[20379]: /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
    Mar 13 10:07:14 khav kernel: tun0: Disabled Privacy Extensions
    Mar 13 10:07:14 khav openvpn[20379]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
    Mar 13 10:07:14 khav openvpn[20384]: GID set to openvpn
    Mar 13 10:07:14 khav openvpn[20384]: UID set to nobody
    Mar 13 10:07:14 khav openvpn[20384]: UDPv4 link local (bound): [undef]
    Mar 13 10:07:14 khav openvpn[20384]: UDPv4 link remote: [undef]
    Mar 13 10:07:14 khav openvpn[20384]: MULTI: multi_init called, r=256 v=256
    Mar 13 10:07:14 khav openvpn[20384]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
    Mar 13 10:07:14 khav openvpn[20384]: Initialization Sequence Completed
    

    Do we need to add something to the configuration when our server has both an IPv4 and an IPv6 address? (Just a guess; it's the first time I am ever setting up OpenVPN.)

  • @halczy said:
    If you are not getting a local IP address, that means there is a problem with your dnsmasq setup. You can check and see if dnsmasq is running and whether the configuration file is set correctly. Softether's SecureNAT comes with its own DHCP server, so it works without dnsmasq.

    I think dnsmasq is already running in the background; still trying to figure it out.

  • @khav

    If you used my server configuration file along with the same iptables rule, using server 10.8.0.0 255.255.255.0 is fine.

    From the look of your server log, the OpenVPN server is running just fine. Can you paste the client log? Also, remember to save the iptables rule. It shouldn't matter whether or not your server has IPv6 addresses; we are only using IPv4 in this case.

    You mentioned that you got your server from RamNode. Is it KVM or OpenVZ? I don't think they sell dedicated servers there.

  • @soundee said:
    I think dnsmasq is already running in the background; still trying to figure it out.

    Maybe double check the dnsmasq config file. You will also need matching iptables rules and modified Softether boot script. Remember to restart dnsmasq and vpnserver when done.

  • khav Member

    @halczy yes, my server is KVM.
    I was asking about the iptables rules for dedicated servers just in case I move to a dedi in the future.

    I use OpenVPN on Windows. It just says "connecting to scrambled-client" and then "connecting to scrambled-client has failed". No log whatsoever could be found in the log folder.
    Btw, I copied only scrambled-client.ovpn to the openvpn/config folder on Windows. Is there anything I am missing here?

    I used this iptables rule:

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

  • The GFW in China doesn't block what you are saying it is.

  • @khav

    Did you download the custom/scrambled version of OpenVPN? If not, you can get it here http://scramblevpn.wordpress.com/2013/09/28/build-patched-windows-openvpn-client/ and replace the stock one.

    When you are connecting, there should be a pop-up window with logs in it.

  • dms1899 said: The GFW in China doesn't block what you are saying it is.

    This varies by canton and city (and ISP). Wūlǔmùqí (I'm not sure if that's right; en. Urumqi) is far more censored than Shanghai or Beijing; Shenzhen is almost not at all.

  • marcm Member

    Thanks :)

  • khav Member

    @halczy
    I didn't know that I had to download the scrambled version of the OpenVPN client.
    I did it and now everything works fine. Thanks a ton, dude.

    It would be great if you could share how to add user/pass to connect to the VPN for security reasons :P

    Thanks again :)

  • halczy Member
    edited March 2014

    @khav said:
    It would be great if you could share how to add user/pass to connect to the VPN for security reasons :P

    Actually, the setup should be pretty secure. It uses certificates to authenticate with the server, so only someone with the configuration file can access it. If you prefer to use a username/password setup, add the following lines to your server configuration file.

    plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
    client-cert-not-required
    username-as-common-name
    

    Remove the following line from your server configuration file.

    tls-auth /etc/openvpn/ta.key 0
    

    Add the following lines to your client configuration file. Also copy the ca.crt file from /etc/openvpn/easy-rsa/2.0/keys on your server to the directory that the client configuration file is in.

    ca ca.crt
    auth-user-pass
    

    Remove this line and everything after <ca> in the client configuration file.

    ns-cert-type server
    
    <ca>
    -----BEGIN CERTIFICATE-----
    ...
    

    You should be prompted for a username/password now; use your Linux username/password to connect. If you plan to share your VPN with lots of friends, I would recommend setting up Softether; it offers a pretty slick user management feature.

  • khav Member

    @halczy I have no doubt that your setup is secure.
    It's just that I want username/password authorization + your current certificate setup. In this case, even if someone copies my configuration file, he/she will still need a username & password to connect to the VPN.

    I think that using the SSH username/password to connect would be secure. It's way better to add another Linux user.

  • khav Member

    @halczy

    I created an automated bash script to carry out the setup:
    http://lowendtalk.com/discussion/23555/scrambled-openvpn-auto-installer-script

    Hope it helps people

    Thanked by 2: garconcn, muratai
  • john564 Member
    edited March 2014

    A great tutorial, good job. Many thanks.

    Scrambled OpenVPN rpm and deb packages are also available;
    might be useful for some. But package dependencies might cause trouble.

    CentOS
    http://vpnchinaopenvz.wordpress.com/2014/03/18/build-scrambled-openvpn-linux-rpm-package-for-virtual-server/

    Debian
    http://vpnchinaopenvz.wordpress.com/2014/03/15/8/

    For the server script, I think, in CentOS it is 'group nobody',
    in Debian 'group nogroup'.
    You can check the available groups with cat /etc/group.

    Thanked by 1: qm78
  • halczy said: Please replace [...] with your own specs

    interface=[Your Tap Device Name]
    dhcp-range=[Your Tap Device Name],[Starting IP],[Ending IP],12h
    dhcp-option=[Your Tap Device Name],3,[Server Gateway IP]

    Is the server gateway IP the same as the external IPv4 of the server? Or is it the internal IP, like 192.168.xxx.1?

  • halczy Member
    edited March 2014

    @zhuanyi

    That will be the internal IP. If your tap device is named abc and your internal gateway is set to 10.2.1.1, then the following will be your configuration.

    interface=tap_abc
    dhcp-range=tap_abc,10.2.1.10,10.2.1.250,12h
    dhcp-option=tap_abc,3,10.2.1.1
    server=74.82.42.42
    server=4.2.2.2
    

    server=xxx.xxx.xxx.xxx will be pushed as your client's DNS server.

    Thanked by 1: zhuanyi
  • Great tutorial, sir.
    Thx :)

  • @halczy said:
    zhuanyi

    That will be the internal IP. If your tap device is named abc and your internal gateway is set to 10.2.1.1, then the following will be your configuration.

    interface=tap_abc
    dhcp-range=tap_abc,10.2.1.10,10.2.1.250,12h
    dhcp-option=tap_abc,3,10.2.1.1
    server=74.82.42.42
    server=4.2.2.2
    

    server=xxx.xxx.xxx.xxx will be pushed as your client's DNS server.

    So I followed your tutorial and set up the iptables rules; however, while I was able to connect to Softether through the Windows client, once I am connected I can't visit any website.

    Is there a log file that I should check to make sure I have not done anything silly? Here is my iptables file if it helps:

    # Generated by iptables-save v1.4.7 on Sat Mar 22 02:32:40 2014
    *security
    :INPUT ACCEPT [65:4965]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [52:8468]
    COMMIT
    # Completed on Sat Mar 22 02:32:40 2014
    # Generated by iptables-save v1.4.7 on Sat Mar 22 02:32:40 2014
    *raw
    :PREROUTING ACCEPT [65:4965]
    :OUTPUT ACCEPT [52:8468]
    COMMIT
    # Completed on Sat Mar 22 02:32:40 2014
    # Generated by iptables-save v1.4.7 on Sat Mar 22 02:32:40 2014
    *nat
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 106.xxx.xxx.xxx
    COMMIT
    # Completed on Sat Mar 22 02:32:40 2014
    # Generated by iptables-save v1.4.7 on Sat Mar 22 02:32:40 2014
    *mangle
    :PREROUTING ACCEPT [65:4965]
    :INPUT ACCEPT [65:4965]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [52:8468]
    :POSTROUTING ACCEPT [52:8468]
    COMMIT
    # Completed on Sat Mar 22 02:32:40 2014
    # Generated by iptables-save v1.4.7 on Sat Mar 22 02:32:40 2014
    *filter
    :INPUT ACCEPT [65:4965]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [52:8468]
    COMMIT
    # Completed on Sat Mar 22 02:32:40 2014
    
    

    106.xxx.xxx.xxx is my server's IPv4 address.

    Here are some relevant sections of my dnsmasq config file:

    # Add other name servers here, with domain specs if they are for
    # non-public domains.
    #server=/localnet/192.168.0.1
    server=8.8.8.8
    server=8.8.4.4
    
    # Uncomment this to enable the integrated DHCP server, you need
    # to supply the range of addresses available for lease and optionally
    # a lease time. If you have more than one network, you will need to
    # repeat this for each network on which you want to supply DHCP
    # service.
    dhcp-range=tap_123,10.8.0.10,10.8.0.150,12h
    
    # Override the default route supplied by dnsmasq, which assumes the
    # router is the same machine as the one running dnsmasq.
    dhcp-option=tap_123,3,10.8.0.1
    

    Everything else in the config file is default.

    Here is my Linux version if it helps:

     more system-release
    CentOS release 6.5 (Final)
    

    Thanks for your help!

  • @zhuanyi

    If you can connect to Softether but not the internet, that means either your dnsmasq or your iptables is not set up properly. What IP was assigned to your Softether client when you connected? If you get something like 10.8.X.X, that means your dnsmasq is fine. In that case, it might be your iptables setting.

    Try the following things and see if it works.

    In your dnsmasq config file, I don't see the line below. Make sure it is there.

    interface=tap_123
    

    Also, check your IP forward setting and add the following to your iptables.

    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 10.8.0.0/24 -j ACCEPT
    

    And you are not using OpenVZ, right?

    Thanked by 1: zhuanyi
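Added example, not from the thread or from any poster: a small POSIX sh checker that applies halczy's three troubleshooting questions above (is the VPN subnet NATed by MASQUERADE or SNAT, does FORWARD accept the subnet and RELATED,ESTABLISHED replies, does dnsmasq carry an interface= line for the tap named in dhcp-range) to an iptables-save dump and a dnsmasq config. The sample dump and config are constructed to mirror the ones zhuanyi posted; 198.51.100.7 stands in for the real server address, and the ip_forward sysctl still has to be checked on the host itself.

```shell
#!/bin/sh
# Constructed sample iptables-save dump: SNAT in *nat (as posted), empty FORWARD chain.
# 198.51.100.7 is a placeholder for the server's public IPv4 address.
SAMPLE_IPTABLES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 198.51.100.7
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'
# Constructed sample dnsmasq.conf: dhcp-range names tap_123 but interface= is missing.
SAMPLE_DNSMASQ='server=8.8.8.8
dhcp-range=tap_123,10.8.0.10,10.8.0.150,12h
dhcp-option=tap_123,3,10.8.0.1'
# Print the rules of one table: the lines between "*<table>" and its COMMIT.
table_section() {   # $1 = dump, $2 = table name
    printf '%s\n' "$1" | awk -v t="*$2" '$0 == t {on=1; next} /^COMMIT/ {on=0} on'
}

# 0 if nat POSTROUTING NATs the subnet, by MASQUERADE (the KVM/XEN rule) or SNAT.
has_nat_rule() {    # $1 = dump, $2 = VPN subnet
    table_section "$1" nat | grep -qE -e "-A POSTROUTING -s $2 .*-j (MASQUERADE|SNAT)"
}

# 0 if FORWARD lets the subnet out and lets RELATED,ESTABLISHED replies back in.
has_forward_rules() {   # $1 = dump, $2 = VPN subnet
    f=$(table_section "$1" filter)
    printf '%s\n' "$f" | grep -q -e "-A FORWARD -s $2 -j ACCEPT" &&
        printf '%s\n' "$f" | grep -q -e "-A FORWARD .*--state RELATED,ESTABLISHED -j ACCEPT"
}

# 0 if dnsmasq has an interface= line for the tap named in its dhcp-range line.
dnsmasq_binds_tap() {   # $1 = dnsmasq config text
    tap=$(printf '%s\n' "$1" | sed -n 's/^dhcp-range=\([^,]*\),.*/\1/p' | head -n 1)
    [ -n "$tap" ] && printf '%s\n' "$1" | grep -q "^interface=$tap\$"
}

# Print PASS/FAIL for each check; return 1 if any failed. ip_forward is not
# covered here: check it on the host with sysctl net.ipv4.ip_forward.
diagnose() {    # $1 = iptables dump, $2 = dnsmasq config, $3 = VPN subnet
    rc=0
    has_nat_rule "$1" "$3"      && echo "PASS nat: $3 is NATed"             || { echo "FAIL nat: no MASQUERADE/SNAT for $3"; rc=1; }
    has_forward_rules "$1" "$3" && echo "PASS filter: FORWARD rules present" || { echo "FAIL filter: FORWARD rules missing"; rc=1; }
    dnsmasq_binds_tap "$2"      && echo "PASS dnsmasq: interface= set"       || { echo "FAIL dnsmasq: interface= line missing"; rc=1; }
    return $rc
}
diagnose "$SAMPLE_IPTABLES" "$SAMPLE_DNSMASQ" 10.8.0.0/24 || echo "fix the FAIL items, then re-run"
```

On a live server, feed it the real files instead: `diagnose "$(iptables-save)" "$(cat /etc/dnsmasq.conf)" 10.8.0.0/24`.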
  • @halczy said:
    zhuanyi

    If you can connect to Softether but not the internet, that means either your dnsmasq or your iptables is not set up properly. What IP was assigned to your Softether client when you connected? If you get something like 10.8.X.X, that means your dnsmasq is fine. In that case, it might be your iptables setting.

    Try the following things, see if it works.

    In your dnsmasq config file, I don't see the line below. Make sure it is there.

    interface=tap_123
    

    Also, check your IP forward setting and add the following to your iptables.

    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 10.8.0.0/24 -j ACCEPT
    

    And you are not using OpenVZ, right?

    Thanks! Those 2 lines helped; also I enabled IPv4 forwarding in the /etc/sysctl.conf file. I must have missed those lines in the tutorial. Thanks so much!

  • Can you make another tutorial where openvpn server is installed in Ubuntu? What would change in the tutorial if that is the case?

  • The Chinese in SH seem to have given up blocking OpenVPN; normal OpenVPN is working again.

    Here is a tutorial for scrambled OpenVPN on Ubuntu:

    http://vpnchinaopenvz.wordpress.com/2014/03/16/openvz-and-patched-openvpn-server/
