Scrambled OpenVPN For Dummies: How to Install on CentOS VPS
Why did I call it “for dummies”? Simply because I try to make this tutorial crystal clear, so that even dummies can follow all the steps outlined below and build their own Scrambled OpenVPN server to avoid Internet blocking in some strict countries (you name it) where a common OpenVPN-based VPN connection can be detected and shut down. Yes, there is technology that can actively look for VPN connections and block VPN servers. Take the Great Firewall (GFW): it is known to use Deep Packet Inspection to identify and block PPTP and OpenVPN connections.
So how to bypass such technology? Simply use an unusual VPN technology that the GFW cannot detect (as of now), like: Scrambled OpenVPN, SoftEther Protocol, L2TP over IPsec, SSTP and VPN over ICMP / VPN over DNS.
In this tutorial I’ll show you a guide (with pics) to install, build, and set up an undetected Scrambled OpenVPN server that works on a low-end VPS (tested on an Iniz 128MB box – my favorite after RamNode). Credit to the original guide at LET.
Step 0 – ONLY for OpenVZ users: log in to your VPS control panel (usually SolusVM) and enable the TUN/TAP option.
Step 1 – Log in to your server as root or as a user with root privilege. I chose root to avoid using “sudo” in every command I have to issue, then set up a secondary user later as a basic and common security practice (read: Basic CentOS server setup).
Step 2 – Now download and install RHEL EPEL Repo for CentOS 6:
    # For RHEL/CentOS 6 32-bit
    wget http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
    # For RHEL/CentOS 6 64-bit
    wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Now install that repo using this command:
    # Same command for RHEL/CentOS 6 32-bit and 64-bit
    rpm -ivh epel-release-6-8.noarch.rpm
Step 3 – Next, you may also want to update and upgrade your VPS. Issue these two commands:
    yum update -y
    yum upgrade
Step 4 – As we want to install OpenVPN from source, we’ll need some dependencies to compile it. So install them using this command:
    yum install autoconf.noarch automake file gcc libtool patch quilt git make rpm-build zlib-devel pam-devel openssl-devel lzo-devel
You may need to hit Y if asked for confirmation.
Step 5 – Now, this is the very important step. We are going to download the OpenVPN package and a special obfuscate patch file:
    wget https://github.com/OpenVPN/openvpn/archive/release/2.3.zip
then unzip / extract it:
    unzip 2.3.zip
Downloading the patch file:
    wget https://github.com/clayface/openvpn_xorpatch/archive/master.zip
then unzip it:
    unzip master.zip
Backup download links:
    OpenVPN 2.3.2: https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/2.3.zip
    Obfuscate patch: https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/master.zip
Step 6 – Apply the patch to the source files. To do that, issue each command below line by line.
Copy the patch file to the OpenVPN folder:
    cp openvpn_xorpatch-master/openvpn_xor.patch openvpn-release-2.3/
Go into the extracted OpenVPN folder:
    cd openvpn-release-2.3/
Apply the patch:
    git apply --check openvpn_xor.patch
    git apply openvpn_xor.patch
Now go back to the upper directory:
    cd ..
then move the extracted OpenVPN folder to /etc/openvpn:
    mv ./openvpn-release-2.3/ /etc/openvpn
Step 7 – It’s building time. As long as you’ve installed all required packages before (step 4 above), the process should complete successfully. First, we need to go to /etc/openvpn:
    cd /etc/openvpn
Now issue this command:
    autoreconf -i -v -f
Now configure it:
    ./configure --prefix=/usr
Step 8 – Now that we’ve configured all necessary things, it’s time to really build it with the simple “make” command:
    make
    make install
The process is a bit long.
Step 9 – At this point you’ve installed OpenVPN. Before we run and configure it, it is better to make it automatically run on boot.
But download this required startup script file first:
    wget https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/openvpn -O /etc/rc.d/init.d/openvpn
Now run these commands:
    chmod +x /etc/rc.d/init.d/openvpn
    chkconfig --add openvpn
    chkconfig openvpn on
Configuring and Using Scrambled OpenVPN
Our OpenVPN server is now installed, but we still need to set up some configuration before using it, including installing the Easy-RSA package for creating keys and certificates.
Step 1 – Download the Easy-RSA package for creating keys and certificates. Issue these commands:
    cd /etc/openvpn
    wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz
Then extract it and copy the files:
    tar zxvf easy-rsa-2.2.0_master.tar.gz
    cp -R easy-rsa-2.2.0_master/easy-rsa/ /etc/openvpn/
    chown -R $USER /etc/openvpn/easy-rsa/
Step 2 – Now let’s build the CA certificate needed to use the OpenVPN server:
    cd /etc/openvpn/easy-rsa/2.0/
    source vars
    ./clean-all
The magic command; enter whatever info you want to build the CA certificate:
    ./build-ca
Step 3 – Building the server key. You will be asked for a password and you will need to answer y to sign and commit the certificate.
    ./build-key-server server
Step 4 – Now issue the command below to build the Diffie-Hellman parameters:
    ./build-dh
Step 5 – Next, let’s build the client key. You can build as many as you want. Just change client to something else like user, yourname, user001, etc. Again, you will be asked for a password in the following step and you will need to answer y to sign and commit the certificate.
    ./build-key client
Step 6 – Now copy the server-side certificates and keys to the appropriate location:
    cd keys
    cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
Step 7 – Next, copy the client files to a folder where you can download them:
    mkdir $HOME/client-files
    sudo cp ca.crt client.crt client.key $HOME/client-files
Replace client.crt and client.key with the names you defined in step 5.
Step 8 – Now generate a ta.key and copy it to the separate folder where we can later download it:
    openvpn --genkey --secret /etc/openvpn/ta.key
    cp /etc/openvpn/ta.key $HOME/client-files
Step 9 – Another crucial step: create the OpenVPN client configuration file. You will need to fill in your server’s IP, and you can choose whatever keyword you like after scramble obfuscate. Just make sure you have the same keyword in your server configuration file as well. Also, choose a UDP port that is best for your network setting. I use 443 in this tutorial.
    nano $HOME/client-files/scrambled-client.ovpn
Now put these lines into that file; again, replace **YOUR SERVER IP** with the real IP of your VPS:
    client
    dev tun
    scramble obfuscate servermom
    proto udp
    remote **YOUR SERVER IP** 443
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client.crt
    key client.key
    tls-auth ta.key 1
    ns-cert-type server
    cipher AES-256-CBC
    comp-lzo
    verb 3
    fast-io
    script-security 2
Hit Control+O to save then Control+X to exit the Nano editor.
Step 10 – Now merge the certificates and keys to make it an inline configuration file.
    wget https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/merge.sh -O $HOME/client-files/merge.sh
You may first need to edit merge.sh and adjust the configuration (like renaming client.crt and client.key to the ones you defined – you can use nano).
Next, issue these commands:
    cd $HOME/client-files/
    chmod +x $HOME/client-files/merge.sh
    $HOME/client-files/merge.sh
    chown $USER $HOME/client-files/scrambled-client.ovpn
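The merge in Step 10 can also be done locally, without running a downloaded script. The following is an added example, not the tutorial's merge.sh (whose contents are not shown on this page); merge_inline and pem_block are hypothetical helper names, and the file names are assumed to be the ones from Steps 7 to 9.

```shell
#!/bin/sh
# Added example: build a single-file client profile by inlining the CA,
# client certificate, client key and tls-auth key into the .ovpn file.
# merge_inline and pem_block are hypothetical helpers, not part of OpenVPN.

# pem_block FILE: print only the armoured BEGIN..END part of FILE
# (easy-rsa .crt files may carry a human-readable dump before the PEM block,
# and ta.key starts with comment lines).
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# merge_inline DIR BASE.ovpn CLIENT_NAME OUT.ovpn
merge_inline() (
    dir=$1 base=$2 name=$3 out=$4
    [ -r "$base" ] || { echo "missing $base" >&2; exit 1; }
    for f in ca.crt "$name.crt" "$name.key" ta.key; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; exit 1; }
    done
    umask 077                      # the result contains the private key
    {
        # Drop the file-based directives; the inline blocks replace them.
        grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$base"
        # Inline tls-auth has no direction argument, so the "1" from
        # "tls-auth ta.key 1" moves to key-direction.
        echo 'key-direction 1'
        printf '<ca>\n';       pem_block "$dir/ca.crt";    printf '</ca>\n'
        printf '<cert>\n';     pem_block "$dir/$name.crt"; printf '</cert>\n'
        printf '<key>\n';      pem_block "$dir/$name.key"; printf '</key>\n'
        printf '<tls-auth>\n'; pem_block "$dir/ta.key";    printf '</tls-auth>\n'
    } > "$out"
)
```

Called as `merge_inline "$HOME/client-files" "$HOME/client-files/scrambled-client.ovpn" client "$HOME/client-files/scrambled-client-inline.ovpn"`, it leaves the original profile untouched and writes the merged one with owner-only permissions.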
Step 11 – Final configuration on your server: set up the configuration file on the server side (server.conf).
Again, we’ll use the Nano editor:
    nano /etc/openvpn/server.conf
then put these lines there:
    port 443
    proto udp
    dev tun
    scramble obfuscate servermom
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/server.crt
    key /etc/openvpn/server.key
    tls-auth /etc/openvpn/ta.key 0
    dh /etc/openvpn/dh1024.pem
    server 10.8.0.0 255.255.255.0
    cipher AES-256-CBC
    comp-lzo
    persist-key
    persist-tun
    user nobody # If server fails to start, please change this to an existing user
    group openvpn # If server fails to start, please change this to an existing group
    status openvpn-status.log
    verb 3
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    push "redirect-gateway def1"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    keepalive 5 30
Hit Control+O then Control+X to save and exit.
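Step 9 requires the same scramble keyword on both sides, and the port, protocol, cipher, compression and tls-auth direction in the two files above also come in matching pairs. The following added example (not part of the original tutorial; directive and check_pair are hypothetical helper names) compares server.conf with the client profile before you test the tunnel.

```shell
#!/bin/sh
# Added example: compare the directives that must agree between server.conf
# and the client .ovpn. Helper names are hypothetical.

# directive FILE NAME: print the first NAME line of FILE with comments
# stripped and whitespace normalised; prints nothing if NAME is absent.
directive() {
    awk -v d="$2" '$1 == d { sub(/[ \t]*#.*/, ""); $1 = $1; print; exit }' "$1"
}

# check_pair SERVER_CONF CLIENT_OVPN: exit 0 when both files agree,
# 1 on a mismatch (one MISMATCH line each), 2 when a file is unreadable.
check_pair() (
    srv=$1 cli=$2 rc=0
    [ -r "$srv" ] && [ -r "$cli" ] || { echo "unreadable config" >&2; exit 2; }
    report() { echo "MISMATCH $1: server='$2' client='$3'"; rc=1; }

    # These lines must be identical on both sides; "scramble" carries the
    # obfuscation keyword that the tutorial says has to match.
    for d in scramble proto dev cipher comp-lzo; do
        s=$(directive "$srv" "$d"); c=$(directive "$cli" "$d")
        [ "$s" = "$c" ] || report "$d" "$s" "$c"
    done

    # Server "port N" must equal the port in the client's "remote HOST N".
    s=$(directive "$srv" port   | awk '{ print $2 }')
    c=$(directive "$cli" remote | awk '{ print $3 }')
    [ "$s" = "$c" ] || report port "$s" "$c"

    # tls-auth directions are complementary: 0 on the server, 1 on the client
    # ("tls-auth FILE 1", or "key-direction 1" when the key is inlined).
    s=$(directive "$srv" tls-auth | awk '{ print $3 }')
    c=$(directive "$cli" tls-auth | awk '{ print $3 }')
    [ -n "$c" ] || c=$(directive "$cli" key-direction | awk '{ print $2 }')
    [ "$s" = 0 ] && [ "$c" = 1 ] || report tls-auth-direction "$s" "$c"
    exit "$rc"
)
```

Run it as `check_pair /etc/openvpn/server.conf $HOME/client-files/scrambled-client.ovpn` once the real server IP has replaced the placeholder in the remote line.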
Step 12 – Now you can download the client configuration file to your computer to use with the OpenVPN client app. For this, you can use FileZilla: simply enter your server IP, username and password, and use port 22 (the default SSH port, if you haven’t changed it yet).
Go to the client-files directory and grab the config file.
Step 13 – That’s it. Copy that file to the OpenVPN client’s config folder on your computer. Now open your OpenVPN client app and use it as usual.
Enjoy…