Raspberry PI and patched openvpn server, built from source code 2.4.1


# Tested on
# Raspbian Jessie Lite version date: March 2017
#
# This post builds a scrambled openvpn server on a Raspberry PI
# from source code for openvpn 2.4.1 plus patch to add scramble functionality
# To get it working, you need both sides patched, the server and the client
# plus you need to add a scramble key to server and client scripts.
# Below we will use the following password scramble key "test"
# This password key must be the same in server and client openvpn scripts
# i.e. scramble obfuscate test

# For patched Windows Client see
# https://scramblevpn.wordpress.com/2013/09/28/build-patched-windows-openvpn-client/
# For patched OS X Client see
# https://tunnelblick.net/downloads.html
# For patched Android Client
# https://users.bolehvpn.net/clients/bolehvpn_0.6.64.apk
# https://www.dropbox.com/s/ixl90g19xzkgh53/bolehvpn_0.6.64.apk

# For details about the patch and options see
# https://forums.openvpn.net/topic12605.html
# https://forums.openvpn.net/viewtopic.php?f=15&t=12605
# https://tunnelblick.net/cOpenvpn_xorpatch.html
# This patch has been updated by designers at tunnelblick

# This post will use their patch
# https://github.com/Tunnelblick/Tunnelblick/tree/master/third_party/sources/openvpn
# https://github.com/clayface/openvpn_xorpatch

######################################################
# Now to Raspberry PI
# Firstly, if you already have an earlier formal installation of openvpn, remove it
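# Back up any existing OpenVPN configuration before purging the distro package. The backup
# directory is in $HOME, so it is created as the normal user (the original made it
# root-owned via sudo) and made private: /etc/openvpn may hold private keys, and cp without
# -p re-creates them with the default umask. Only the copy out of /etc/openvpn needs root.
# cp just reports an error if /etc/openvpn is empty or absent, which is fine here.
mkdir -p "$HOME/config_backup"
chmod 700 "$HOME/config_backup"
sudo cp -rf /etc/openvpn/* "$HOME/config_backup/"
sudo apt-get purge openvpn -y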

# We need to add a few components
# Toolchain and packaging tools plus the OpenVPN build dependencies (OpenSSL, LZO, PAM,
# PKCS#11 helper). chkconfig is only used later to inspect the init.d runlevels.
sudo apt-get update
sudo apt-get install -y \
  gcc make automake autoconf dh-autoreconf file patch perl \
  dh-make debhelper devscripts gnupg lintian quilt libtool pkg-config \
  libssl-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev \
  chkconfig git nano

# fetch source code & apply patch
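# Fetch the OpenVPN 2.4.1 source and the Tunnelblick XOR patch series, then apply the
# patches in order. Every step is checked so a failed download or a patch that does not
# apply stops the walkthrough instead of silently building an unpatched binary.
cd "$HOME/" || exit 1
# Fetched over HTTPS, but the archive is not signature-checked here: compare it against the
# signature/checksum published on openvpn.net before building from it.
wget https://swupdate.openvpn.org/community/releases/openvpn-2.4.1.zip || exit 1
unzip openvpn-2.4.1.zip || exit 1
cd openvpn-2.4.1/ || exit 1

# Patch files in the order they must be applied. Tunnelblick removes old revisions when it
# updates, so a 404 here means the directory on GitHub has moved on (see the note below).
patch_base=https://raw.githubusercontent.com/Tunnelblick/Tunnelblick/master/third_party/sources/openvpn/openvpn-2.4.1/patches
patches=(
  02-tunnelblick-openvpn_xorpatch-a.diff
  03-tunnelblick-openvpn_xorpatch-b.diff
  04-tunnelblick-openvpn_xorpatch-c.diff
  05-tunnelblick-openvpn_xorpatch-d.diff
  06-tunnelblick-openvpn_xorpatch-e.diff
)
for p in "${patches[@]}"; do
  wget "$patch_base/$p" || exit 1
done

# We apply patch the long way, one file at a time, so a failing hunk names its patch.
for p in "${patches[@]}"; do
  git apply "$p" || exit 1
done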


# Comments about patch, the Tunnelblick guys remove the older revision patches
# when they update version, this means you might get "404: Not Found"
# if you do, check https://github.com/Tunnelblick/Tunnelblick/tree/master/third_party/sources/openvpn for current version

# This is the bit where we make and install the new openvpn server
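# Build and install the patched server, then install the init script. configure and make
# run as the normal user; only the install into /usr needs root.
sudo mkdir -p /etc/openvpn/
cd "$HOME/openvpn-2.4.1/" || exit 1
./configure --prefix=/usr || exit 1
make || exit 1
sudo make install || exit 1
# The init script is a third-party file that will run as root at every boot. Certificate
# checking stays on for the download (the original passed --no-check-cert), and the file
# should be read (e.g. "less /etc/init.d/openvpn") before it is enabled with update-rc.d.
sudo wget https://www.dropbox.com/s/nz4dyons6tlsbr4/etcinitdopenvpn.sh -O /etc/init.d/openvpn || exit 1
sudo chmod +x /etc/init.d/openvpn
sudo update-rc.d openvpn defaults

# Check startup script is correctly set
chkconfig --list | grep openvpn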
# expect
# openvpn 0:off 1:off 2:on 3:on 4:on 5:on 6:off

# Now we create unique keys and certs using easyrsa3
# For test purposes only, here is an already prepared pair of scripts
# https://www.dropbox.com/s/u06t53fb7qwov47/client1.ovpn?dl=0
# https://www.dropbox.com/s/cxt7ajdxczifsqm/server.conf?dl=0

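# Create the PKI with easy-rsa 3: CA, server cert, one client cert, DH params and the
# tls-auth key. Everything uses "nopass" for convenience, which means the CA private key
# sits unencrypted on the VPN server itself -- acceptable for a test setup; for real use
# generate the CA on a separate machine and keep it offline.
mkdir -p "$HOME/clientside" "$HOME/serverside"
cd "$HOME/serverside" || exit 1
# master.zip is whatever easy-rsa currently is on GitHub, so this is not reproducible;
# pin a release archive if this is ever automated.
wget https://github.com/OpenVPN/easy-rsa/archive/master.zip || exit 1
unzip master.zip || exit 1
cd easy-rsa-master/easyrsa3 || exit 1
openvpn --genkey --secret ta.key || exit 1
./easyrsa init-pki || exit 1
./easyrsa --batch build-ca nopass || exit 1
./easyrsa --batch build-server-full server nopass || exit 1
./easyrsa --batch build-client-full client1 nopass || exit 1
./easyrsa gen-dh || exit 1

# Distribute the material: the server keeps the CA cert, its cert/key, DH params and
# ta.key; the client gets the CA cert, its own cert/key and ta.key. The private keys are
# restricted to the owner afterwards because cp (without -p) creates the copies with the
# default umask.
pki="$HOME/serverside/easy-rsa-master/easyrsa3"
cp "$pki/pki/ca.crt" "$HOME/serverside/"
cp "$pki/pki/issued/server.crt" "$HOME/serverside/"
cp "$pki/pki/dh.pem" "$HOME/serverside/dh2048.pem"   # renamed to match "dh dh2048.pem" in server.conf
cp "$pki/pki/private/server.key" "$HOME/serverside/"
cp "$pki/ta.key" "$HOME/serverside/"
cp "$pki/pki/issued/client1.crt" "$HOME/clientside/"
cp "$pki/ta.key" "$HOME/clientside/"
cp "$pki/pki/ca.crt" "$HOME/clientside/"
cp "$pki/pki/private/client1.key" "$HOME/clientside/"
chmod 600 "$HOME/serverside/server.key" "$HOME/serverside/ta.key" \
          "$HOME/clientside/client1.key" "$HOME/clientside/ta.key"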

# Client Script
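# Client profile. As printed in the original the lines below followed a "nano" call and
# would be executed as shell commands; a quoted heredoc writes them to the file unchanged.
# Edit the "remote" line to the server's address before use.
#   - "scramble obfuscate test" is the XOR patch's obfuscation key and must match the
#     server; it only disguises the traffic pattern, the security still comes from TLS.
#   - "tls-auth ta.key 1" is the client direction; the server uses 0.
#   - "comp-lzo" enables link compression. Compressing encrypted traffic is generally
#     discouraged now; it is kept only because the server config below expects it.
cat > "$HOME/clientside/raspberrypi.ovpn" <<'EOF'
client
dev tun
proto udp
scramble obfuscate test
remote change_this_to_server_address 34557
resolv-retry infinite
nobind
persist-key
persist-tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3
EOF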

# Now merge certs and keys into client script, so we only have one file to handle
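# Merge the certs and keys into the .ovpn so the client needs only one file. merge.sh is a
# third-party script: certificate checking stays on for the download (the original passed
# --no-check-cert) and its contents should be read before it is executed. It is run with
# sudo as in the original, which is why the result is handed back to $USER afterwards.
cd "$HOME/clientside/" || exit 1
wget https://www.dropbox.com/s/v228zvccef9d10c/merge.sh -O merge.sh || exit 1
chmod +x merge.sh
sudo ./merge.sh
sudo chown "$USER" "$HOME/clientside/raspberrypi.ovpn"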

# Now transfer client script raspberrypi.ovpn
# in $HOME/clientside/ to your client PC
# Due to permissions, I had to transfer it to C:\
# Then in windows, copy the file
# to C:\Program Files (x86)\OpenVPN\config

# Server Script
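# Server config, written with a quoted heredoc instead of being typed into nano (as shell,
# the bare lines would otherwise be run as commands). Security-relevant lines:
#   - "tls-auth ta.key 0" and "scramble obfuscate test" must mirror the client (1 / same key).
#   - chroot + "user nobody" / "group nogroup" drop privileges after start; the jail
#     directory is created further down and must exist before the service starts.
#   - "cipher AES-256-CBC" is set but no "auth" line is, so the data-channel HMAC is
#     OpenVPN's default; "comp-lzo" enables compression, which is generally discouraged
#     for encrypted traffic. Both are left unchanged because the client profile expects them.
#   - push "redirect-gateway def1" sends all client traffic through the VPN, so the
#     ip_forward and firewall steps below are required for clients to reach the internet.
cat > "$HOME/serverside/server.conf" <<'EOF'
port 34557
proto udp
scramble obfuscate test
dev tun
ca ca.crt
cert server.crt
key server.key
tls-auth ta.key 0
dh dh2048.pem
sndbuf 0
rcvbuf 0
chroot /etc/openvpn/jail
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
user nobody
group nogroup
status /etc/openvpn/openvpn-status.log
verb 3
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 5 30
EOF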

# Now merge certs and keys into server script, so we only have one file to handle
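# Merge certs and keys into server.conf (same caveats as merge.sh: third-party script, read
# it before running it; certificate checking stays on for the download). Then install the
# merged file under /etc/openvpn and create the chroot jail referenced by the config.
cd "$HOME/serverside/" || exit 1
wget https://www.dropbox.com/s/9wc3we8ezfucj1j/merge_server.sh -O merge_server.sh || exit 1
chmod +x merge_server.sh
sudo ./merge_server.sh

# The merged server.conf now embeds the server's private key, so it is made root-only.
# mkdir -p creates jail/ and jail/tmp/ in one go and is safe to re-run.
sudo cp "$HOME/serverside/server.conf" /etc/openvpn/
sudo chmod 600 /etc/openvpn/server.conf
sudo mkdir -p /etc/openvpn/jail/tmp/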

# uncomment to allow data redirect
# Open /etc/sysctl.conf and make sure the line below is present and not commented out; it
# lets the Pi forward the VPN clients' traffic (the "data redirect" above). The file is
# read at boot; to apply it immediately use the "sysctl -w" command shown in the notes below.
sudo nano /etc/sysctl.conf

# The line to leave uncommented in /etc/sysctl.conf (not a shell command):
net.ipv4.ip_forward=1


# These firewall settings really screw everything up if you have ufw enabled
#
# There are a number of ways to configure the firewall, it depends on
# how you're using the PI.
# I am using it as a headless remote server, this means no desktop
# environment, and no other firewall conflicting data loaded.
# Alternative Firewall setting if static IP of PI is 10.0.0.10
# check with ifconfig. Also this should be the firewall.sh file
#
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source LOCALIP
#
# sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 10.0.0.10
#
# And Start everything
# sudo sysctl -w net.ipv4.ip_forward=1
#
#
#

# Make file for firewall setting
# My firewall setting, may not suit all
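# Firewall script, run at boot from rc.local (below). Written via sudo tee because
# /usr/local/bin is root-owned; as printed in the original the lines followed a nano call.
# Flushing the filter and nat tables wipes every rule already present, including anything
# ufw or an earlier setup installed -- that is the conflict the notes above describe. The
# FORWARD chain then allows established flows and anything from the VPN subnet, rejects the
# rest, and NATs the VPN subnet out. No outgoing interface (-o) is given, so MASQUERADE
# applies on whichever interface the route picks; add "-o eth0" to restrict it.
cat <<'EOF' | sudo tee /usr/local/bin/firewall.sh >/dev/null
#!/bin/bash
iptables -t filter -F
iptables -t nat -F
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s "10.8.0.0/24" -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s "10.8.0.0/24" -j MASQUERADE
EOF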

# Make firewall script executable, run it and check
# Mark the firewall script executable, apply it once now, and print the resulting filter
# table to confirm the FORWARD rules are in place.
sudo chmod +x /usr/local/bin/firewall.sh
sudo /usr/local/bin/firewall.sh
sudo iptables -L

# add new text line into file /etc/rc.local
# before 'exit 0' to ensure the firewall rules are run at reboot or power up.
# rc.local runs as root at boot, so the firewall script needs no sudo there. The line must
# go before the final "exit 0", otherwise it is never reached.
sudo nano /etc/rc.local

# The line to insert into /etc/rc.local (not a command to run here):
/usr/local/bin/firewall.sh

# reboot the pi
# Reboot so the sysctl, rc.local and init.d changes all take effect. This ends the
# session: log in again before running the checks below.
sudo reboot

# TIP: Check server can start ok (errors from the config, chroot or keys show up here)
sudo /etc/init.d/openvpn restart

# TIP: Check tun0 interface started -- it only appears once the server is running
ifconfig

# Connect VPN client from remote location
# does not work when client and server are connected
# to same router and you try external IP address.
# If you want to do a local test at home
# connect to local IP address of server e.g. 192.168.1.4
# when you go to your remote location, connect to no-ip address or external static IP


Compile patched openvpn ipk package for openwrt/lede router


#
#
# Cross compile ipk on digital ocean Debian 8 64 bit
# Guide https://lede-project.org/docs/guide-developer/compile_packages_for_lede_with_the_sdk
#
# Raspberry Pi 3 as openwrt router, want to install scramble openvpn
# Quickest way is to compile the existing base openvpn with the xor patch added
# at the moment the openwrt/lede base for openvpn is 2.4.0
# and the scramble xor patch from tunnelblick is 2.4.1,
# but this is ok, as the patch is compatible and works on 2.4.0
#
# https://github.com/Tunnelblick/Tunnelblick/tree/master/third_party/sources/openvpn/openvpn-2.4.1/patches
#
# We do our cross compiling work on a Debian 8.7 64 bit VPS
# First create a new user, e.g. usr83

# Create an unprivileged build user; the SDK build should not run as root.
adduser usr83

# Follow the prompts to set the new user's information.
# It is fine to accept the defaults to leave all of this information blank.

usermod -aG sudo usr83
# "su - usr83" opens a new login shell; everything from here on is typed inside it, so
# this walkthrough cannot be run as a single script. "sudo ls" only confirms that sudo
# works for the new user (it prompts for the password set above).
su - usr83
sudo ls

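# SDK build prerequisites. The original list named git-core, gawk, zlib1g-dev,
# libncurses5-dev, libssl-dev, unzip and openjdk-7-jdk more than once; each is kept once.
sudo apt-get update
sudo apt-get install -y \
  git-core build-essential libssl-dev libncurses5-dev unzip gawk zlib1g-dev \
  subversion mercurial asciidoc bash bc binutils bzip2 fastjar flex gcc util-linux \
  libgtk2.0-dev intltool make genisoimage patch perl-modules rsync ruby sdcc wget \
  gettext xsltproc openjdk-7-jdk libboost1.55-dev libxml-parser-perl libusb-dev \
  bin86 bcc sharutils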

#
# install SDK, you find it in the same directory that you got your
# openwrt/LEDE router package
# fetch pre-compiled sdk, I'm using Raspberry Pi 3 as openwrt/lede router.
# This was mine
# https://downloads.lede-project.org/releases/17.01.0/targets/brcm2708/bcm2710/
#

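# Fetch and unpack the prebuilt LEDE 17.01.0 SDK for the Pi 3 target (brcm2708/bcm2710).
# The tarball is not verified here; compare it against the checksum file published in the
# same release directory before unpacking. The long SDK name is kept in one variable so
# the three uses cannot drift apart.
sdk=lede-sdk-17.01.0-brcm2708-bcm2710_gcc-5.4.0_musl-1.1.16_eabi.Linux-x86_64
wget "https://downloads.lede-project.org/releases/17.01.0/targets/brcm2708/bcm2710/$sdk.tar.xz" || exit 1

tar -xvf "./$sdk.tar.xz" || exit 1

cd "$HOME/$sdk" || exit 1

make menuconfig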

# Select Global Build Settings and press enter, in the submenu
# un-tick all 4
#
# “Select all target specific packages by default”
# “Select all kernel module packages by default”
# “Select all userspace packages by default”
# “Cryptographically sign package lists”
#
# Now save your changes and exit from the SDK's menu.

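# Update the package feeds, pull in the openvpn package and drop the Tunnelblick XOR
# patches into its patches/ directory. Patches there are applied in file-name order, so the
# numeric prefixes of the original file names are kept. Each download is checked: a 404
# means Tunnelblick has moved the patch directory on to a newer OpenVPN version.
./scripts/feeds update -a || exit 1
./scripts/feeds install openvpn || exit 1

cd ./package/feeds/base/openvpn/patches || exit 1
patch_base=https://raw.githubusercontent.com/Tunnelblick/Tunnelblick/master/third_party/sources/openvpn/openvpn-2.4.1/patches
for p in 02-tunnelblick-openvpn_xorpatch-a.diff \
         03-tunnelblick-openvpn_xorpatch-b.diff \
         04-tunnelblick-openvpn_xorpatch-c.diff \
         05-tunnelblick-openvpn_xorpatch-d.diff \
         06-tunnelblick-openvpn_xorpatch-e.diff; do
  wget "$patch_base/$p" || exit 1
done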

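# Back to the SDK root, select the openvpn-mbedtls package as a module (M) and build.
# The build is checked so a patch that fails to apply is noticed before looking for the
# .ipk in the output directory.
cd "$HOME/lede-sdk-17.01.0-brcm2708-bcm2710_gcc-5.4.0_musl-1.1.16_eabi.Linux-x86_64" || exit 1

make menuconfig

# goto Network/vpn/
# enter M for openvpn-mbedtls
#
# save and exit

make || exit 1

ls bin/packages/arm_cortex-a53_neon-vfpv4/base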


# this will produce ipk
# openvpn-mbedtls_2.4.0-3_arm_cortex-a53_neon-vfpv4.ipk
#
# https://www.dropbox.com/s/rc95fq3xi6ynp3p/openvpn-mbedtls_2.4.0-3_arm_cortex-a53_neon-vfpv4.ipk
#


Raspberry PI and patched openvpn server, built from source code 2.3.11


# Tested on
# Raspbian Jessie Lite version date: March 2016
#
# This post builds a scrambled openvpn server on a Raspberry PI
# from source code for openvpn 2.3.11 plus patch to add scramble functionality
# To get it working, you need both sides patched, the server and the client
# plus you need to add a scramble key to server and client scripts.
# Below we will use the following password scramble key "test"
# This password key must be the same in server and client openvpn scripts
# i.e. scramble obfuscate test

# For patched Windows Client see
# https://scramblevpn.wordpress.com/2013/09/28/build-patched-windows-openvpn-client/
# For patched OS X Client see
# https://tunnelblick.net/downloads.html
# For patched Android Client (lollipop 5.0.2)
# https://www.bolehvpn.net/downloads/BolehVPN.apk
# https://www.dropbox.com/s/ubr8euhe13er71m/bolehvpn.apk

# For details about the patch and options see
# https://forums.openvpn.net/topic12605.html
# https://forums.openvpn.net/viewtopic.php?f=15&t=12605
# https://tunnelblick.net/cOpenvpn_xorpatch.html
# This patch has been updated by designers at tunnelblick

# This post will use their patch
# https://github.com/Tunnelblick/Tunnelblick/tree/master/third_party/sources/openvpn
# https://github.com/clayface/openvpn_xorpatch
# https://raw.githubusercontent.com/Tunnelblick/Tunnelblick/master/third_party/sources/openvpn/openvpn-2.3.11/patches/02-tunnelblick-openvpn_xorpatch.diff
# mirror https://www.dropbox.com/s/3nsht8tjnyaq2oo/02-tunnelblick-openvpn_xorpatch.diff?dl=0

######################################################
# Now to Raspberry PI
# Firstly, if you already have an earlier formal installation of openvpn, remove it
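# Back up any existing OpenVPN configuration before purging the distro package. The backup
# directory is in $HOME, so it is created as the normal user (the original made it
# root-owned via sudo) and made private: /etc/openvpn may hold private keys, and cp without
# -p re-creates them with the default umask. Only the copy out of /etc/openvpn needs root.
# cp just reports an error if /etc/openvpn is empty or absent, which is fine here.
mkdir -p "$HOME/config_backup"
chmod 700 "$HOME/config_backup"
sudo cp -rf /etc/openvpn/* "$HOME/config_backup/"
sudo apt-get purge openvpn -y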

# We need to add a few components
# Toolchain and packaging tools plus the OpenVPN build dependencies (OpenSSL, LZO, PAM,
# PKCS#11 helper). chkconfig is only used later to inspect the init.d runlevels.
sudo apt-get update
sudo apt-get install -y \
  gcc make automake autoconf dh-autoreconf file patch perl \
  dh-make debhelper devscripts gnupg lintian quilt libtool pkg-config \
  libssl-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev \
  chkconfig git nano

# fetch source code & apply patch
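# Fetch the OpenVPN 2.3.11 source and the Tunnelblick XOR patch, then apply it. Every step
# is checked so a failed download or a patch that does not apply stops the walkthrough
# instead of silently building an unpatched binary.
cd "$HOME/" || exit 1
# Fetched over HTTPS, but the archive is not signature-checked here: compare it against the
# signature/checksum published on openvpn.net before building from it.
wget https://swupdate.openvpn.org/community/releases/openvpn-2.3.11.zip || exit 1
unzip openvpn-2.3.11.zip || exit 1
# Tunnelblick removes old revisions when it updates; a 404 here means the directory on
# GitHub has moved on (see the note below, and the mirror link above).
wget https://raw.githubusercontent.com/Tunnelblick/Tunnelblick/master/third_party/sources/openvpn/openvpn-2.3.11/patches/02-tunnelblick-openvpn_xorpatch.diff || exit 1
cp 02-tunnelblick-openvpn_xorpatch.diff openvpn-2.3.11/
cd openvpn-2.3.11/ || exit 1
git apply 02-tunnelblick-openvpn_xorpatch.diff || exit 1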

# Comments about patch, the Tunnelblick guys remove the older revision patches
# when they update version, this means you might get "404: Not Found"
# if you do, check https://github.com/Tunnelblick/Tunnelblick/tree/master/third_party/sources/openvpn for current version

# This is the bit where we make and install the new openvpn server
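# Build and install the patched server, then install the init script. configure and make
# run as the normal user; only the install into /usr needs root.
sudo mkdir -p /etc/openvpn/
cd "$HOME/openvpn-2.3.11/" || exit 1
./configure --prefix=/usr || exit 1
make || exit 1
sudo make install || exit 1
# The init script is a third-party file that will run as root at every boot. Certificate
# checking stays on for the download (the original passed --no-check-cert), and the file
# should be read (e.g. "less /etc/init.d/openvpn") before it is enabled with update-rc.d.
sudo wget https://www.dropbox.com/s/nz4dyons6tlsbr4/etcinitdopenvpn.sh -O /etc/init.d/openvpn || exit 1
sudo chmod +x /etc/init.d/openvpn
sudo update-rc.d openvpn defaults

# Check startup script is correctly set
chkconfig --list | grep openvpn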
# expect
# openvpn 0:off 1:off 2:on 3:on 4:on 5:on 6:off

# Now we create unique keys and certs using easyrsa3
# For test purposes only, here is an already prepared pair of scripts
# https://www.dropbox.com/s/u06t53fb7qwov47/client1.ovpn?dl=0
# https://www.dropbox.com/s/cxt7ajdxczifsqm/server.conf?dl=0

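# Create the PKI with easy-rsa 3: CA, server cert, one client cert, DH params and the
# tls-auth key. Everything uses "nopass" for convenience, which means the CA private key
# sits unencrypted on the VPN server itself -- acceptable for a test setup; for real use
# generate the CA on a separate machine and keep it offline.
mkdir -p "$HOME/clientside" "$HOME/serverside"
cd "$HOME/serverside" || exit 1
# master.zip is whatever easy-rsa currently is on GitHub, so this is not reproducible;
# pin a release archive if this is ever automated.
wget https://github.com/OpenVPN/easy-rsa/archive/master.zip || exit 1
unzip master.zip || exit 1
cd easy-rsa-master/easyrsa3 || exit 1
openvpn --genkey --secret ta.key || exit 1
./easyrsa init-pki || exit 1
./easyrsa --batch build-ca nopass || exit 1
./easyrsa --batch build-server-full server nopass || exit 1
./easyrsa --batch build-client-full client1 nopass || exit 1
./easyrsa gen-dh || exit 1

# Distribute the material: the server keeps the CA cert, its cert/key, DH params and
# ta.key; the client gets the CA cert, its own cert/key and ta.key. The private keys are
# restricted to the owner afterwards because cp (without -p) creates the copies with the
# default umask.
pki="$HOME/serverside/easy-rsa-master/easyrsa3"
cp "$pki/pki/ca.crt" "$HOME/serverside/"
cp "$pki/pki/issued/server.crt" "$HOME/serverside/"
cp "$pki/pki/dh.pem" "$HOME/serverside/dh2048.pem"   # renamed to match "dh dh2048.pem" in server.conf
cp "$pki/pki/private/server.key" "$HOME/serverside/"
cp "$pki/ta.key" "$HOME/serverside/"
cp "$pki/pki/issued/client1.crt" "$HOME/clientside/"
cp "$pki/ta.key" "$HOME/clientside/"
cp "$pki/pki/ca.crt" "$HOME/clientside/"
cp "$pki/pki/private/client1.key" "$HOME/clientside/"
chmod 600 "$HOME/serverside/server.key" "$HOME/serverside/ta.key" \
          "$HOME/clientside/client1.key" "$HOME/clientside/ta.key"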

# Client Script
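# Client profile. As printed in the original the lines below followed a "nano" call and
# would be executed as shell commands; a quoted heredoc writes them to the file unchanged.
# Edit the "remote" line to the server's address before use.
#   - "scramble obfuscate test" is the XOR patch's obfuscation key and must match the
#     server; it only disguises the traffic pattern, the security still comes from TLS.
#   - "tls-auth ta.key 1" is the client direction; the server uses 0.
#   - "comp-lzo" enables link compression. Compressing encrypted traffic is generally
#     discouraged now; it is kept only because the server config below expects it.
cat > "$HOME/clientside/raspberrypi.ovpn" <<'EOF'
client
dev tun
proto udp
scramble obfuscate test
remote change_this_to_server_address 34557
resolv-retry infinite
nobind
persist-key
persist-tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3
EOF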

# Now merge certs and keys into client script, so we only have one file to handle
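# Merge the certs and keys into the .ovpn so the client needs only one file. merge.sh is a
# third-party script: certificate checking stays on for the download (the original passed
# --no-check-cert) and its contents should be read before it is executed. It is run with
# sudo as in the original, which is why the result is handed back to $USER afterwards.
cd "$HOME/clientside/" || exit 1
wget https://www.dropbox.com/s/v228zvccef9d10c/merge.sh -O merge.sh || exit 1
chmod +x merge.sh
sudo ./merge.sh
sudo chown "$USER" "$HOME/clientside/raspberrypi.ovpn"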

# Now transfer client script raspberrypi.ovpn
# in $HOME/clientside/ to your client PC
# Due to permissions, I had to transfer it to C:\
# Then in windows, copy the file
# to C:\Program Files (x86)\OpenVPN\config

# Server Script
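# Server config, written with a quoted heredoc instead of being typed into nano (as shell,
# the bare lines would otherwise be run as commands). Security-relevant lines:
#   - "tls-auth ta.key 0" and "scramble obfuscate test" must mirror the client (1 / same key).
#   - chroot + "user nobody" / "group nogroup" drop privileges after start; the jail
#     directory is created further down and must exist before the service starts.
#   - "cipher AES-256-CBC" is set but no "auth" line is, so the data-channel HMAC is
#     OpenVPN's default; "comp-lzo" enables compression, which is generally discouraged
#     for encrypted traffic. Both are left unchanged because the client profile expects them.
#   - push "redirect-gateway def1" sends all client traffic through the VPN, so the
#     ip_forward and firewall steps below are required for clients to reach the internet.
cat > "$HOME/serverside/server.conf" <<'EOF'
port 34557
proto udp
scramble obfuscate test
dev tun
ca ca.crt
cert server.crt
key server.key
tls-auth ta.key 0
dh dh2048.pem
sndbuf 0
rcvbuf 0
chroot /etc/openvpn/jail
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
user nobody
group nogroup
status /etc/openvpn/openvpn-status.log
verb 3
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 5 30
EOF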

# Now merge certs and keys into server script, so we only have one file to handle
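# Merge certs and keys into server.conf (same caveats as merge.sh: third-party script, read
# it before running it; certificate checking stays on for the download). Then install the
# merged file under /etc/openvpn and create the chroot jail referenced by the config.
cd "$HOME/serverside/" || exit 1
wget https://www.dropbox.com/s/9wc3we8ezfucj1j/merge_server.sh -O merge_server.sh || exit 1
chmod +x merge_server.sh
sudo ./merge_server.sh

# The merged server.conf now embeds the server's private key, so it is made root-only.
# mkdir -p creates jail/ and jail/tmp/ in one go and is safe to re-run.
sudo cp "$HOME/serverside/server.conf" /etc/openvpn/
sudo chmod 600 /etc/openvpn/server.conf
sudo mkdir -p /etc/openvpn/jail/tmp/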

# uncomment to allow data redirect
# Open /etc/sysctl.conf and make sure the line below is present and not commented out; it
# lets the Pi forward the VPN clients' traffic (the "data redirect" above). The file is
# read at boot; to apply it immediately use the "sysctl -w" command shown in the notes below.
sudo nano /etc/sysctl.conf

# The line to leave uncommented in /etc/sysctl.conf (not a shell command):
net.ipv4.ip_forward=1


# These firewall settings really screw everything up if you have ufw enabled
#
# There are a number of ways to configure the firewall, it depends on
# how you're using the PI.
# I am using it as a headless remote server, this means no desktop
# environment, and no other firewall conflicting data loaded.
# Alternative Firewall setting if static IP of PI is 10.0.0.10
# check with ifconfig. Also this should be the firewall.sh file
#
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source LOCALIP
#
# sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 10.0.0.10
#
# And Start everything
# sudo sysctl -w net.ipv4.ip_forward=1
#
#
#

# Make file for firewall setting
# My firewall setting, may not suit all
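# Firewall script, run at boot from rc.local (below). Written via sudo tee because
# /usr/local/bin is root-owned; as printed in the original the lines followed a nano call.
# Flushing the filter and nat tables wipes every rule already present, including anything
# ufw or an earlier setup installed -- that is the conflict the notes above describe. The
# FORWARD chain then allows established flows and anything from the VPN subnet, rejects the
# rest, and NATs the VPN subnet out. No outgoing interface (-o) is given, so MASQUERADE
# applies on whichever interface the route picks; add "-o eth0" to restrict it.
cat <<'EOF' | sudo tee /usr/local/bin/firewall.sh >/dev/null
#!/bin/bash
iptables -t filter -F
iptables -t nat -F
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s "10.8.0.0/24" -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s "10.8.0.0/24" -j MASQUERADE
EOF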

# Make firewall script executable, run it and check
# Mark the firewall script executable, apply it once now, and print the resulting filter
# table to confirm the FORWARD rules are in place.
sudo chmod +x /usr/local/bin/firewall.sh
sudo /usr/local/bin/firewall.sh
sudo iptables -L

# add new text line into file /etc/rc.local
# before 'exit 0' to ensure the firewall rules are run at reboot or power up.
# rc.local runs as root at boot, so the firewall script needs no sudo there. The line must
# go before the final "exit 0", otherwise it is never reached.
sudo nano /etc/rc.local

# The line to insert into /etc/rc.local (not a command to run here):
/usr/local/bin/firewall.sh

# reboot the pi
# Reboot so the sysctl, rc.local and init.d changes all take effect. This ends the
# session: log in again before running the checks below.
sudo reboot

# TIP: Check server can start ok (errors from the config, chroot or keys show up here)
sudo /etc/init.d/openvpn restart

# TIP: Check tun0 interface started -- it only appears once the server is running
ifconfig

# Connect VPN client from remote location
# does not work when client and server are connected
# to same router and you try external IP address.
# If you want to do a local test at home
# connect to local IP address of server e.g. 192.168.1.4
# when you go to your remote location, connect to no-ip address or external static IP


Raspberry PI and patched openvpn server, built from source code 2.3.10


# Tested on
# Raspbian Jessie Lite version date: March 2016
#
# This post builds a scrambled openvpn server on a Raspberry PI
# from source code for openvpn 2.3.10 plus patch to add scramble functionality
# To get it working, you need both sides patched, the server and the client
# plus you need to add a scramble key to server and client scripts.
# Below we will use the following password scramble key "test"
# This password key must be the same in server and client openvpn scripts
# i.e. scramble obfuscate test

# For patched Windows Client see
# https://scramblevpn.wordpress.com/2013/09/28/build-patched-windows-openvpn-client/
# For details about the patch and options see
# https://forums.openvpn.net/topic12605.html
# https://forums.openvpn.net/viewtopic.php?f=15&t=12605
#
# This patch has been updated by designers at tunnelblick

# This post will use their patch
# https://github.com/Tunnelblick/Tunnelblick/tree/master/third_party/sources/openvpn
# https://raw.githubusercontent.com/Tunnelblick/Tunnelblick/master/third_party/sources/openvpn/openvpn-2.3.11/patches/02-tunnelblick-openvpn_xorpatch.diff
# mirror https://www.dropbox.com/s/3nsht8tjnyaq2oo/02-tunnelblick-openvpn_xorpatch.diff?dl=0

######################################################
# Now to Raspberry PI
# Firstly, if you already have an earlier formal installation of openvpn, remove it
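# Back up any existing OpenVPN configuration before purging the distro package. The backup
# directory is in $HOME, so it is created as the normal user (the original made it
# root-owned via sudo) and made private: /etc/openvpn may hold private keys, and cp without
# -p re-creates them with the default umask. Only the copy out of /etc/openvpn needs root.
# cp just reports an error if /etc/openvpn is empty or absent, which is fine here.
mkdir -p "$HOME/config_backup"
chmod 700 "$HOME/config_backup"
sudo cp -rf /etc/openvpn/* "$HOME/config_backup/"
sudo apt-get purge openvpn -y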

# We need to add a few components
# Toolchain and packaging tools plus the OpenVPN build dependencies (OpenSSL, LZO, PAM,
# PKCS#11 helper). chkconfig is only used later to inspect the init.d runlevels.
sudo apt-get update
sudo apt-get install -y \
  gcc make automake autoconf dh-autoreconf file patch perl \
  dh-make debhelper devscripts gnupg lintian quilt libtool pkg-config \
  libssl-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev \
  chkconfig git nano

# fetch source code & apply patch
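# Fetch the OpenVPN 2.3.10 source and the Tunnelblick XOR patch (published for 2.3.11,
# applied here to 2.3.10 as in the original), then apply it. Every step is checked so a
# failed download or a patch that does not apply stops the walkthrough instead of silently
# building an unpatched binary.
cd "$HOME/" || exit 1
# Fetched over HTTPS, but the archive is not signature-checked here: compare it against the
# signature/checksum published on openvpn.net before building from it.
wget https://swupdate.openvpn.org/community/releases/openvpn-2.3.10.zip || exit 1
unzip openvpn-2.3.10.zip || exit 1
# Tunnelblick removes old revisions when it updates; a 404 here means the directory on
# GitHub has moved on.
wget https://raw.githubusercontent.com/Tunnelblick/Tunnelblick/master/third_party/sources/openvpn/openvpn-2.3.11/patches/02-tunnelblick-openvpn_xorpatch.diff || exit 1
# mirror https://www.dropbox.com/s/3nsht8tjnyaq2oo/02-tunnelblick-openvpn_xorpatch.diff?dl=0
cp 02-tunnelblick-openvpn_xorpatch.diff openvpn-2.3.10/
cd openvpn-2.3.10/ || exit 1
git apply 02-tunnelblick-openvpn_xorpatch.diff || exit 1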

# This is the bit where we make and install the new openvpn server
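# Build and install the patched server, then install the init script. configure and make
# run as the normal user (the original ran them under sudo, which the other posts on this
# page do not do and which is not needed); only the install into /usr needs root.
sudo mkdir -p /etc/openvpn/
cd "$HOME/openvpn-2.3.10/" || exit 1
./configure --prefix=/usr || exit 1
make || exit 1
sudo make install || exit 1
# The init script is a third-party file that will run as root at every boot. Certificate
# checking stays on for the download (the original passed --no-check-cert), and the file
# should be read (e.g. "less /etc/init.d/openvpn") before it is enabled with update-rc.d.
sudo wget https://www.dropbox.com/s/nz4dyons6tlsbr4/etcinitdopenvpn.sh -O /etc/init.d/openvpn || exit 1
sudo chmod +x /etc/init.d/openvpn
sudo update-rc.d openvpn defaults

# Check startup script is correctly set
chkconfig --list | grep openvpn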
# expect
# openvpn 0:off 1:off 2:on 3:on 4:on 5:on 6:off

# Now we create unique keys and certs using easyrsa3
# For test purposes only, here is a pair of client/server scripts
# https://www.dropbox.com/s/u06t53fb7qwov47/client1.ovpn?dl=0
# https://www.dropbox.com/s/cxt7ajdxczifsqm/server.conf?dl=0

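# Create the PKI with easy-rsa 3: CA, server cert, one client cert, DH params and the
# tls-auth key. Everything uses "nopass" for convenience, which means the CA private key
# sits unencrypted on the VPN server itself -- acceptable for a test setup; for real use
# generate the CA on a separate machine and keep it offline.
mkdir -p "$HOME/clientside" "$HOME/serverside"
cd "$HOME/serverside" || exit 1
# master.zip is whatever easy-rsa currently is on GitHub, so this is not reproducible;
# pin a release archive if this is ever automated.
wget https://github.com/OpenVPN/easy-rsa/archive/master.zip || exit 1
unzip master.zip || exit 1
cd easy-rsa-master/easyrsa3 || exit 1
openvpn --genkey --secret ta.key || exit 1
./easyrsa init-pki || exit 1
./easyrsa --batch build-ca nopass || exit 1
./easyrsa --batch build-server-full server nopass || exit 1
./easyrsa --batch build-client-full client1 nopass || exit 1
./easyrsa gen-dh || exit 1

# Distribute the material: the server keeps the CA cert, its cert/key, DH params and
# ta.key; the client gets the CA cert, its own cert/key and ta.key. The private keys are
# restricted to the owner afterwards because cp (without -p) creates the copies with the
# default umask.
pki="$HOME/serverside/easy-rsa-master/easyrsa3"
cp "$pki/pki/ca.crt" "$HOME/serverside/"
cp "$pki/pki/issued/server.crt" "$HOME/serverside/"
cp "$pki/pki/dh.pem" "$HOME/serverside/dh2048.pem"   # renamed to match "dh dh2048.pem" in server.conf
cp "$pki/pki/private/server.key" "$HOME/serverside/"
cp "$pki/ta.key" "$HOME/serverside/"
cp "$pki/pki/issued/client1.crt" "$HOME/clientside/"
cp "$pki/ta.key" "$HOME/clientside/"
cp "$pki/pki/ca.crt" "$HOME/clientside/"
cp "$pki/pki/private/client1.key" "$HOME/clientside/"
chmod 600 "$HOME/serverside/server.key" "$HOME/serverside/ta.key" \
          "$HOME/clientside/client1.key" "$HOME/clientside/ta.key"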

# Client Script
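# Client profile. As printed in the original the lines below followed a "nano" call and
# would be executed as shell commands; a quoted heredoc writes them to the file unchanged.
# Edit the "remote" line to the server's address before use.
#   - "scramble obfuscate test" is the XOR patch's obfuscation key and must match the
#     server; it only disguises the traffic pattern, the security still comes from TLS.
#   - "tls-auth ta.key 1" is the client direction; the server uses 0.
#   - "comp-lzo" enables link compression. Compressing encrypted traffic is generally
#     discouraged now; it is kept only because the server config below expects it.
cat > "$HOME/clientside/raspberrypi.ovpn" <<'EOF'
client
dev tun
proto udp
scramble obfuscate test
remote change_this_to_server_address 34557
resolv-retry infinite
nobind
persist-key
persist-tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3
EOF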

# Now merge certs and keys into client script, so we only have one file to handle
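# Merge the certs and keys into the .ovpn so the client needs only one file. merge.sh is a
# third-party script: certificate checking stays on for the download (the original passed
# --no-check-cert) and its contents should be read before it is executed. It is run with
# sudo as in the original, which is why the result is handed back to $USER afterwards.
cd "$HOME/clientside/" || exit 1
wget https://www.dropbox.com/s/v228zvccef9d10c/merge.sh -O merge.sh || exit 1
chmod +x merge.sh
sudo ./merge.sh
sudo chown "$USER" "$HOME/clientside/raspberrypi.ovpn"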

# Now transfer client script raspberrypi.ovpn
# in $HOME/clientside/ to your client PC
# Due to permissions, I had to transfer it to C:\
# Then in windows, copy the file
# to C:\Program Files (x86)\OpenVPN\config

# Server Script
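# Server config, written with a quoted heredoc instead of being typed into nano (as shell,
# the bare lines would otherwise be run as commands). Security-relevant lines:
#   - "tls-auth ta.key 0" and "scramble obfuscate test" must mirror the client (1 / same key).
#   - chroot + "user nobody" / "group nogroup" drop privileges after start; the jail
#     directory is created further down and must exist before the service starts.
#   - "cipher AES-256-CBC" is set but no "auth" line is, so the data-channel HMAC is
#     OpenVPN's default; "comp-lzo" enables compression, which is generally discouraged
#     for encrypted traffic. Both are left unchanged because the client profile expects them.
#   - push "redirect-gateway def1" sends all client traffic through the VPN, so the
#     ip_forward and firewall steps below are required for clients to reach the internet.
cat > "$HOME/serverside/server.conf" <<'EOF'
port 34557
proto udp
scramble obfuscate test
dev tun
ca ca.crt
cert server.crt
key server.key
tls-auth ta.key 0
dh dh2048.pem
sndbuf 0
rcvbuf 0
chroot /etc/openvpn/jail
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
user nobody
group nogroup
status /etc/openvpn/openvpn-status.log
verb 3
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 5 30
EOF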

# Now merge certs and keys into server script, so we only have one file to handle
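# Merge certs and keys into server.conf (same caveats as merge.sh: third-party script, read
# it before running it; certificate checking stays on for the download). Then install the
# merged file under /etc/openvpn and create the chroot jail referenced by the config.
cd "$HOME/serverside/" || exit 1
wget https://www.dropbox.com/s/9wc3we8ezfucj1j/merge_server.sh -O merge_server.sh || exit 1
chmod +x merge_server.sh
sudo ./merge_server.sh

# The merged server.conf now embeds the server's private key, so it is made root-only.
# mkdir -p creates jail/ and jail/tmp/ in one go and is safe to re-run.
sudo cp "$HOME/serverside/server.conf" /etc/openvpn/
sudo chmod 600 /etc/openvpn/server.conf
sudo mkdir -p /etc/openvpn/jail/tmp/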

# uncomment to allow data redirect
# Open /etc/sysctl.conf and make sure the line below is present and not commented out; it
# lets the Pi forward the VPN clients' traffic (the "data redirect" above). The file is
# read at boot; to apply it immediately use the "sysctl -w" command shown in the notes below.
sudo nano /etc/sysctl.conf

# The line to leave uncommented in /etc/sysctl.conf (not a shell command):
net.ipv4.ip_forward=1


# The firewall settings can really screw everything up
# There are a number of ways; it depends on how you're using the PI
# I am using it as a headless remote server, this means no desktop
# environment, and no other firewall conflicting data loaded.
# Alternative Firewall setting if static IP of PI is 10.0.0.10
# check with ifconfig. Also this should be the firewall.sh file
#
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source LOCALIP
#
# sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 10.0.0.10
#
# And Start everything
# sudo sysctl -w net.ipv4.ip_forward=1
#
#
#

# Make file for firewall setting
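# Firewall script, run at boot from rc.local (below). Written via sudo tee because
# /usr/local/bin is root-owned; as printed in the original the lines followed a nano call.
# Flushing the filter and nat tables wipes every rule already present, including anything
# an earlier setup installed -- that is the conflict the notes above describe. The FORWARD
# chain then allows established flows and anything from the VPN subnet, rejects the rest,
# and NATs the VPN subnet out. No outgoing interface (-o) is given, so MASQUERADE applies
# on whichever interface the route picks; add "-o eth0" to restrict it.
cat <<'EOF' | sudo tee /usr/local/bin/firewall.sh >/dev/null
#!/bin/bash
iptables -t filter -F
iptables -t nat -F
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s "10.8.0.0/24" -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s "10.8.0.0/24" -j MASQUERADE
EOF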

# Make firewall script executable, run it and check
# Mark the firewall script executable, apply it once now, and print the resulting filter
# table to confirm the FORWARD rules are in place.
sudo chmod +x /usr/local/bin/firewall.sh
sudo /usr/local/bin/firewall.sh
sudo iptables -L

# add new text line into file /etc/rc.local
# before 'exit 0' to ensure the firewall rules are run at reboot or power up.
# rc.local runs as root at boot, so the firewall script needs no sudo there. The line must
# go before the final "exit 0", otherwise it is never reached.
sudo nano /etc/rc.local

# The line to insert into /etc/rc.local (not a command to run here):
/usr/local/bin/firewall.sh

# reboot the pi
# Reboot so the sysctl, rc.local and init.d changes all take effect. This ends the
# session: log in again before running the checks below.
sudo reboot

# TIP: Check server can start ok (errors from the config, chroot or keys show up here)
sudo /etc/init.d/openvpn restart

# TIP: Check tun0 interface started -- it only appears once the server is running
ifconfig

# Connect VPN client from remote location
# does not work when client and server are connected
# to same router and you try external IP address.
# If you want to do a local test at home
# connect to local IP address of server e.g. 192.168.1.4
# when you go to your remote location, connect to no-ip address or external static IP


obfsproxy and openvpn


# Using a Cheap 64MB RAM NAT VPS in US as server
# Raspberry PI to run obfsproxy client. Then connect to Raspberry PI
# using any device supporting openvpn, like IPad or Android pad.
# This solution has pros and cons, no messing trying to get obfsproxy
# client working on every device but then again you always need to
# connect via the Raspberry PI.

#
# obfsproxy is what Tor uses to bypass blocking.
# It can also be used for openvpn.
# It's just another envelope: you hide openvpn within it.
#

# Install obfsproxy on VPS and
# Raspberry PI with same linux commands

# Install python and tools we need to build obfsproxy
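# Build prerequisites (Python 2.7 headers, pip, libgmp for scramblesuit's arithmetic) and
# obfsproxy itself. "pip install <url>" downloads the tarball over HTTPS but applies no
# hash or signature check and installs it as root; compare the tarball with the release on
# PyPI (link at the end of the post) before relying on it, or pin a hash if automating.
sudo apt-get install -y python2.7 python-pip python-dev build-essential libgmp-dev
sudo pip install https://pypi.python.org/packages/source/o/obfsproxy/obfsproxy-0.2.13.tar.gz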

# make random password for scramblesuit
# Python 2 syntax ("print" statement). 20 bytes from os.urandom, base32-encoded, become the
# scramblesuit shared secret used on both ends; treat the output as a secret and generate
# your own rather than reusing the example value.
python -c 'import base64, os; print base64.b32encode(os.urandom(20))'
# e.g. JNI3LYK2VZM3UY37WEALJQ442VFYX6ZS
# Server side
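# Server-side obfsproxy wrapper, written with sudo tee because /usr/local/bin is root-owned
# (as printed in the original the lines followed a nano call). Replace the --password value
# with the secret generated above. That secret is stored in the script and passed on the
# command line, so the file is made readable by root only; note it is still visible in the
# process list while obfsproxy runs. --data-dir under /tmp keeps the server's state in a
# world-writable directory that is typically cleared at boot. --dest is the local OpenVPN
# server (TCP 15410); the listen address is the VPS's NAT-internal one (see NOTES below).
cat <<'EOF' | sudo tee /usr/local/bin/server_scramblesuit.sh >/dev/null
#!/bin/bash
# Persistent data (the server's state) is stored in
# /tmp/scramblesuit-server
python /usr/local/bin/obfsproxy \
--no-log \
--data-dir=/tmp/scramblesuit-server \
scramblesuit \
--password=JNI3LYK2VZM3UY37WEALJQ442VFYX6ZS \
--dest 127.0.0.1:15410 \
server 192.168.16.154:15411
EOF
sudo chmod 700 /usr/local/bin/server_scramblesuit.sh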

# Start server on VPS
# Make the wrapper executable and start it in the background. With --no-log in the wrapper
# there is no output to diagnose a bad start; per the NOTES at the end, run it in the
# foreground with --log-min-severity=debug until it is known to work.
sudo chmod +x /usr/local/bin/server_scramblesuit.sh
sudo /usr/local/bin/server_scramblesuit.sh &

# Auto start scramblesuit server
# after boot or restart
# add new text line into file /etc/rc.local before EXIT 0

# rc.local runs as root at boot; the wrapper line must go before the final "exit 0".
# rc.local waits for each command, so the wrapper should be backgrounded there (with "&")
# the same way it is started by hand above -- confirm against your rc.local.
sudo nano /etc/rc.local

# The line to insert into /etc/rc.local (not a command to run here):
/usr/local/bin/server_scramblesuit.sh

# openvpn server script, listen on 15410 , protocol TCP
# Remember it must be TCP; obfsproxy cannot handle UDP

# Fragment of the OpenVPN *server* config on the VPS: port 15410/tcp is where the
# obfsproxy server's --dest points. The ":" lines stand for the rest of the file, which is
# unchanged from a normal server.conf.
port 15410
proto tcp
:
:

# Client side (Raspberry Pi)

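# Client-side obfsproxy wrapper on the Pi, written with sudo tee because /usr/local/bin is
# root-owned (as printed in the original the lines followed a nano call). It listens on
# 10.0.0.10:1191 for the local OpenVPN client and forwards the obfuscated stream to the VPS.
# The --password value must equal the server's and is replaced with your own secret. As on
# the server it is stored in the script and passed on the command line, so the file is
# made readable by root only. --log-min-severity=debug is verbose and meant for bring-up
# (see NOTES below); switch to --no-log once it works.
cat <<'EOF' | sudo tee /usr/local/bin/client_scramblesuit.sh >/dev/null
#!/bin/bash

# This command starts an obfsproxy instance which listens
# for connections on 10.0.0.10:1191
# Incoming data is obfuscated and forwarded to the
# destination server running on 45.43.000.00:15411
#
# The Raspberry PI address is 10.0.0.10
# The VPS address 45.43.000.00 example, not actual
#
# The obfsproxy client's session ticket is stored in
# /tmp/scramblesuit-client

python /usr/local/bin/obfsproxy \
--log-min-severity=debug \
--data-dir=/tmp/scramblesuit-client \
scramblesuit \
--password=JNI3LYK2VZM3UY37WEALJQ442VFYX6ZS \
--dest 45.43.000.00:15411 \
client 10.0.0.10:1191
EOF
sudo chmod 700 /usr/local/bin/client_scramblesuit.sh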

# Auto start scramblesuit client
# after boot or restart
# add new text line into file /etc/rc.local before EXIT 0

# rc.local already runs as root, so the "sudo" on the inserted line is redundant (harmless
# as long as sudo is installed). The line must go before the final "exit 0"; as with the
# server wrapper, background it there ("&") or rc.local blocks on it.
sudo nano /etc/rc.local

# The line to insert into /etc/rc.local (not a command to run here):
sudo /usr/local/bin/client_scramblesuit.sh

# Start client on Raspberry PI
# Make the wrapper executable and start it in the background. It is started in debug mode
# (see the wrapper), so its output goes to this terminal; run it in the foreground without
# "&" while checking the setup, as the NOTES below recommend.
sudo chmod +x /usr/local/bin/client_scramblesuit.sh
sudo /usr/local/bin/client_scramblesuit.sh &

# openvpn client script modified to send data to obfsproxy

# Fragment of the OpenVPN *client* config: instead of the VPS it connects to the local
# obfsproxy client on the Pi (10.0.0.10:1191, TCP), which carries the session onward.
# The ":" lines stand for the rest of a normal client profile.
client
dev tun
proto tcp
remote 10.0.0.10 1191
:
:


# NOTES
#
# After long time the program freezes, might need to restart/reboot
#
# The above setup has separate machines for openvpn and obfsproxy clients.
# If they are on the same machine you need to modify openvpn script
# as follows.
#
# push "redirect-gateway local"
# push "route vpn_server_ip 255.255.255.255 net_gateway"
#
# Otherwise when you establish the openvpn connection
# it breaks the obfsproxy connection.
#
# The server_scramblesuit.sh script has a funny looking IP
# 192.168.16.154:15411 because its a NAT
# If it was normal dedicated IPv4 it would be
# 45.43.000.00:15411
#
# usage: obfsproxy [-h] [-v] [--log-file LOG_FILE]
# [--log-min-severity {error,warning,info,debug}] [--no-log]
# [--no-safe-logging] [--data-dir DATA_DIR] [--proxy PROXY]
# {managed,obfs2,dummy,obfs3,scramblesuit,b64} ...
#
# Until you know your scripts are correct run obfsproxy in debug mode
# and not in the background, no &.
#
# --log-min-severity=debug
# when all is ok, then
# --no-log
#
##############################################################
##############################################################
##############################################################
##################### THE END ##############################
##############################################################
##############################################################
##############################################################
# Other info not directly needed for above
# Install obfsproxy using apt-get install obfsproxy

# either
https://packages.debian.org/sid/obfs4proxy

# or

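# Alternative install route: the Tor project apt repository (these lines run as root, as in
# the original). The signing key is fetched by its full fingerprint rather than the 32-bit
# short id 886DDD89, which several keys can share; the export line already used the
# fingerprint. "apt-key add" trusts this key for every configured repository, not just
# the Tor one -- that is the original approach and is kept as-is.
echo "deb http://deb.torproject.org/torproject.org wheezy main" >> \
/etc/apt/sources.list.d/tor.list

gpg --keyserver keys.gnupg.net --recv-keys A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 || exit 1

gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add - || exit 1

apt-get update

apt-get install obfsproxy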

# for info https://www.torproject.org/download/download

# There are two versions of obfsproxy, one is written in "python language",
# The second in "go language", so far only tested python based as stand alone transport.

# Sample scripts
https://gitweb.torproject.org/user/phw/scramblesuit.git/tree/test

# Check latest python obfsproxy (current is 0.2.13)
# https://pypi.python.org/pypi/obfsproxy
# or

# Source checkout of the Python obfsproxy (an unpinned clone of the current branch; check
# out a release tag for a reproducible build).
git clone https://git.torproject.org/pluggable-transports/obfsproxy.git


using chroot /etc/openvpn/jail

# creating a security jail

# add directories
sudo mkdir /etc/openvpn/jail/
sudo mkdir /etc/openvpn/jail/tmp/
sudo cp /etc/openvpn/update-resolv-conf /etc/openvpn/jail/

# in your server.conf script
# add to server script
sudo nano /etc/openvpn/server.conf

chroot /etc/openvpn/jail

# and modify in server script
status /etc/openvpn/openvpn-status.log

# test server starts
sudo /etc/init.d/openvpn restart

Posted in Uncategorized | Leave a comment

Raspberry PI and patched openvpn server, built from source code 2.3.8


# Tested on
# Raspbian Wheezy version date: 2015-05-05
#
# This post builds a scrambled openvpn server on a Raspberry PI
# from source code for openvpn 2.3.8 plus patch to add scramble functionality
# To get it working, you need both sides patched, the server and the client
# plus you need to add a scramble key to server and client scripts.
# Below we will use the following password scramble key "test"
# This password key must be the same in server and client openvpn scripts
# i.e. scramble obfuscate test

# For patched Windows Client see
# https://scramblevpn.wordpress.com/2013/09/28/build-patched-windows-openvpn-client/
# For details about the patch and options see
# https://forums.openvpn.net/topic12605.html

######################################################
# Now to Raspberry PI
# Firstly, if you already have an earlier formal installation of openvpn, remove it
sudo mkdir $HOME/config_backup
sudo cp -rf /etc/openvpn/* $HOME/config_backup/
sudo apt-get purge openvpn -y

# fetch source code & apply patch
cd $HOME/
wget http://swupdate.openvpn.org/community/releases/openvpn-2.3.8.zip
unzip openvpn-2.3.8.zip
wget https://github.com/clayface/openvpn_xorpatch/archive/master.zip
unzip master.zip
cp openvpn_xorpatch-master/openvpn_xor.patch openvpn-2.3.8/
cd openvpn-2.3.8/
git apply openvpn_xor.patch
cd $HOME

# We need to add a few components to be able to compile
sudo apt-get update
sudo apt-get install --only-upgrade openssl -y
sudo apt-get install gcc make automake autoconf dh-autoreconf file patch perl dh-make debhelper devscripts gnupg lintian quilt libtool pkg-config libssl-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev chkconfig -y

# This is the bit where we make and install the new openvpn server
sudo mkdir /etc/openvpn/
cd $HOME/openvpn-2.3.8/
sudo ./configure --prefix=/usr
sudo make
sudo make install
sudo wget --no-check-cert https://www.dropbox.com/s/nz4dyons6tlsbr4/etcinitdopenvpn.sh -O /etc/init.d/openvpn
sudo chmod +x /etc/init.d/openvpn
sudo update-rc.d openvpn defaults

# Check startup script is correctly set
chkconfig --list | grep openvpn
# expect
# openvpn 0:off 1:off 2:on 3:on 4:on 5:on 6:off

# Now we create unique keys and certs using easyrsa3
# This can be tricky first time, for more detailed guide with TIPs
# see http://tryapi.wordpress.com/2014/10/19/easyrsa3/
# For test purposes only, here are a pair of client/server scripts
# https://www.dropbox.com/s/u06t53fb7qwov47/client1.ovpn?dl=0
# https://www.dropbox.com/s/cxt7ajdxczifsqm/server.conf?dl=0
mkdir $HOME/clientside
cd $HOME/clientside
git clone git://github.com/OpenVPN/easy-rsa
cd easy-rsa/easyrsa3
./easyrsa init-pki
./easyrsa gen-req client1 nopass

mkdir $HOME/serverside
cd $HOME/serverside
git clone git://github.com/OpenVPN/easy-rsa
cd easy-rsa/easyrsa3
./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-req server nopass
./easyrsa sign-req server server
openssl dhparam -out dh2048.pem 2048
openvpn --genkey --secret ta.key
./easyrsa import-req $HOME/clientside/easy-rsa/easyrsa3/pki/reqs/client1.req client1
./easyrsa sign-req client client1
# Copy certs and keys to correct directory,
# Later we will merge them with the config file
cp $HOME/serverside/easy-rsa/easyrsa3/pki/ca.crt $HOME/serverside/
cp $HOME/serverside/easy-rsa/easyrsa3/pki/issued/server.crt $HOME/serverside/
cp $HOME/serverside/easy-rsa/easyrsa3/dh2048.pem $HOME/serverside/
cp $HOME/serverside/easy-rsa/easyrsa3/pki/private/server.key $HOME/serverside/
cp $HOME/serverside/easy-rsa/easyrsa3/ta.key $HOME/serverside/
cp $HOME/serverside/easy-rsa/easyrsa3/pki/issued/client1.crt $HOME/clientside/
cp $HOME/serverside/easy-rsa/easyrsa3/ta.key $HOME/clientside/
cp $HOME/serverside/easy-rsa/easyrsa3/pki/ca.crt $HOME/clientside/
cp $HOME/clientside/easy-rsa/easyrsa3/pki/private/client1.key $HOME/clientside/

# Client Script
nano $HOME/clientside/raspberrypi.ovpn

client
dev tun
proto udp
scramble obfuscate test
remote change_this_to_server_address 34557
resolv-retry infinite
nobind
persist-key
persist-tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3

# Now merge certs and keys into client script, so we only have one file to handle
cd $HOME/clientside/
wget --no-check-cert https://www.dropbox.com/s/v228zvccef9d10c/merge.sh -O merge.sh
sudo chmod +x merge.sh
sudo ./merge.sh
sudo chown $USER $HOME/clientside/raspberrypi.ovpn

# Now transfer client script raspberrypi.ovpn
# in $HOME/clientside/ to your client PC
# Due to permissions, I had to transfer it to C:\
# Then in windows, copy the file
# to C:\Program Files (x86)\OpenVPN\config

# Server Script
nano $HOME/serverside/server.conf

port 34557
proto udp
scramble obfuscate test
dev tun
ca ca.crt
cert server.crt
key server.key
tls-auth ta.key 0
dh dh2048.pem
sndbuf 0
rcvbuf 0
chroot /etc/openvpn/jail
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
user nobody
group nogroup
status /etc/openvpn/openvpn-status.log
verb 3
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 5 30

# Now merge certs and keys into server script, so we only have one file to handle
cd $HOME/serverside/
wget --no-check-cert https://www.dropbox.com/s/9wc3we8ezfucj1j/merge_server.sh -O merge_server.sh
sudo chmod +x merge_server.sh
sudo ./merge_server.sh

# Now copy the merged server script to /etc/openvpn/ and make jail
sudo cp $HOME/serverside/server.conf /etc/openvpn/
sudo mkdir /etc/openvpn/jail/
sudo mkdir /etc/openvpn/jail/tmp/
sudo cp /etc/openvpn/update-resolv-conf /etc/openvpn/jail/

# uncomment to allow data redirect
sudo nano /etc/sysctl.conf

net.ipv4.ip_forward=1

# Make file for firewall setting
sudo nano /usr/local/bin/firewall.sh

#!/bin/bash
iptables -t filter -F
iptables -t nat -F
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s "10.8.0.0/24" -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s "10.8.0.0/24" -j MASQUERADE

# Make firewall script executable, run it and check
sudo chmod +x /usr/local/bin/firewall.sh
sudo /usr/local/bin/firewall.sh
sudo iptables --list

# add new text line into file /etc/rc.local
# before ‘exit 0' to ensure the firewall rules are run at reboot or power up.
sudo nano /etc/rc.local

/usr/local/bin/firewall.sh

# reboot the pi
sudo reboot

# TIP: Check server can start ok
sudo /etc/init.d/openvpn restart

# TIP:Check tun0 interface started
ifconfig

# Connect VPN client from remote location
# does not work when client and server are connected
# to same router and you try external IP address.
# If you want to do a local test at home
# connect to local IP address of server e.g. 192.168.1.4
# when you go to your remote location, connect to no-ip address or external static IP

Posted in Uncategorized | 5 Comments