Raspberry PI patched openvpn server (version 1.1)

# Also see another Post, (Version 3) different procedure, using easyrsa3
# https://scramblevpn.wordpress.com/2014/02/06/raspberry-pi-and-patched-openvpn-serverversion-3-0/

# This post Re-tested and working on 2014-01-07-wheezy-raspbian
# Tested on 2013-07-26-wheezy-raspbian
# This post builds a patched openvpn server on a Raspberry PI
# When the openvpn protocol is blocked, you need to add a patch
# to scramble the protocol.

# To get it completely working, you need both sides patched, the server and the client,
# plus you need to add a scramble key to the server and client scripts.
# Below we will use the simple password "test" as the scramble key.
# This password key must be the same in the server and client openvpn scripts:
# scramble obfuscate test

# To make a patched Windows client, you need to cross compile from *nix.
# Follow these instructions to cross compile from Ubuntu to Windows:
https://community.openvpn.net/openvpn/wiki/SettingUpGenericBuildsystem
# For details about the patch and options see
https://forums.openvpn.net/topic12605.html

# Otherwise download a patched version of openvpn.exe
# for Openvpn 2.2.2 http://www.obfsvpn.com/openvpn.7z
# Replace the openvpn.exe file in the openvpn\bin directory
# Usually C:\Program Files (x86)\OpenVPN\bin

######################################################
# Now to Raspberry PI, where we build a server that supports scrambled openvpn
# We download openvpn source code and update with patch
# then setup the openvpn server

cd /home/pi/
wget https://github.com/clayface/openvpn_xorpatch/archive/master.zip
unzip master.zip

wget https://github.com/OpenVPN/openvpn/archive/release/2.3.zip
unzip 2.3.zip

cp openvpn_xorpatch-master/openvpn_xor.patch openvpn-release-2.3/
cd openvpn-release-2.3/
git apply --check openvpn_xor.patch
git apply openvpn_xor.patch

# We need to add a few components to be able to compile
sudo apt-get update
sudo apt-get install gcc make automake autoconf dh-autoreconf file patch perl dh-make debhelper devscripts gnupg lintian quilt libtool pkg-config libssl-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev -y
sudo apt-get update

# if you already have an earlier formal installation of openvpn, remove it
sudo mkdir $HOME/config_backup
sudo cp -rf /etc/openvpn/* $HOME/config_backup/
sudo apt-get remove openvpn

# This is the bit where we make the new openvpn server
cd /home/pi/openvpn-release-2.3
sudo autoreconf -i -v -f
sudo ./configure
sudo make
sudo make install

# Now set up the server
cd /home/pi/openvpn-release-2.3
sudo wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz
sudo tar -zxvf easy-rsa-2.2.0_master.tar.gz
sudo cp -R easy-rsa-2.2.0_master/easy-rsa/ /home/pi/openvpn-release-2.3/
sudo chown -R $USER /home/pi/openvpn-release-2.3/easy-rsa/
cd /home/pi/openvpn-release-2.3/easy-rsa/2.0/
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
./build-key clientpi

cd /home/pi/openvpn-release-2.3/easy-rsa/2.0/keys
sudo cp ca.crt ca.key dh1024.pem server.crt server.key /home/pi/openvpn-release-2.3/
sudo mkdir $HOME/openvpn-client-files
sudo cp ca.crt clientpi.crt clientpi.key $HOME/openvpn-client-files
sudo mv $HOME/openvpn-client-files/ca.crt $HOME/openvpn-client-files/capi.crt
sudo chmod +r $HOME/openvpn-client-files/clientpi.key
sudo openvpn --genkey --secret /home/pi/openvpn-release-2.3/tapi.key
sudo cp /home/pi/openvpn-release-2.3/tapi.key $HOME/openvpn-client-files
sudo chmod +r $HOME/openvpn-client-files/tapi.key

sudo nano $HOME/openvpn-client-files/raspberrypi-client-scrambled.ovpn

client
dev tun
scramble obfuscate test
proto udp
remote change_this_to_server_address 34557
resolv-retry infinite
nobind
persist-key
persist-tun
ca capi.crt
cert clientpi.crt
key clientpi.key
tls-auth tapi.key 1
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3

sudo nano /home/pi/openvpn-release-2.3/server.conf

port 34557
proto udp
dev tun
scramble obfuscate test
ca ca.crt
cert server.crt
key server.key
tls-auth tapi.key 0
dh dh1024.pem
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
user nobody
group nogroup
status openvpn-status.log
verb 3
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 5 30
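As an added example (not part of the original post), a small POSIX shell checker that cross-checks a server.conf against a client .ovpn for the options that must agree on both ends: the scramble key, proto, cipher, comp-lzo, the port, and the tls-auth key direction (0 on the server, 1 on the client). The sample pair it writes is constructed here, and the hostname vpn.example.invalid is a placeholder.

```shell
# Added example, not from the original post: cross-check an OpenVPN
# server.conf against a client .ovpn so the options that must agree on
# both ends actually do. Sample configs below are constructed inline.

# Print the full line of the first occurrence of directive $1 in file $2,
# skipping comment lines; prints nothing when the directive is absent.
ovpn_get() {
    awk -v d="$1" '$1 == d { sub(/\r$/, ""); print; exit }' "$2"
}

# Compare server ($1) and client ($2). One line per problem; 0 = consistent.
check_ovpn_pair() {
    rc=0
    # These directives must be literally identical on both ends.
    for d in scramble proto cipher comp-lzo; do
        s=$(ovpn_get "$d" "$1"); c=$(ovpn_get "$d" "$2")
        [ "$s" = "$c" ] || { echo "MISMATCH $d: server='$s' client='$c'"; rc=1; }
    done
    # Server 'port N' must equal the port in the client's 'remote host N'.
    sport=$(ovpn_get port "$1" | awk '{print $2}')
    cport=$(ovpn_get remote "$2" | awk '{print $3}')
    [ "$sport" = "$cport" ] || { echo "MISMATCH port: server='$sport' client='$cport'"; rc=1; }
    # tls-auth key direction must be 0 on the server and 1 on the client.
    sdir=$(ovpn_get tls-auth "$1" | awk '{print $3}')
    cdir=$(ovpn_get tls-auth "$2" | awk '{print $3}')
    [ "$sdir" = 0 ] && [ "$cdir" = 1 ] ||
        { echo "BAD tls-auth direction: server='$sdir' client='$cdir'"; rc=1; }
    return $rc
}

# Constructed sample pair mirroring the post's configs (scramble key "test").
tmp=$(mktemp -d)
cat >"$tmp/server.conf" <<'EOF'
port 34557
proto udp
scramble obfuscate test
tls-auth tapi.key 0
cipher AES-256-CBC
comp-lzo
EOF
cat >"$tmp/client.ovpn" <<'EOF'
proto udp
scramble obfuscate test
remote vpn.example.invalid 34557
tls-auth tapi.key 1
cipher AES-256-CBC
comp-lzo
EOF
check_ovpn_pair "$tmp/server.conf" "$tmp/client.ovpn" && echo "configs consistent"
rm -r "$tmp"
```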

# uncomment the following line to enable IP forwarding (it takes effect at the reboot below, or immediately with sudo sysctl -p)
sudo nano /etc/sysctl.conf

net.ipv4.ip_forward=1

# Create the firewall script
sudo nano /usr/local/bin/firewall.sh

#!/bin/bash
iptables -t filter -F
iptables -t nat -F
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s "10.8.0.0/24" -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s "10.8.0.0/24" -j MASQUERADE

# Make firewall script executable, run it and check
sudo chmod +x /usr/local/bin/firewall.sh
sudo /usr/local/bin/firewall.sh
sudo iptables --list

# add the following two lines to /etc/rc.local, before 'exit 0',
# so that the firewall rules and the openvpn server are started at reboot or power up.
sudo nano /etc/rc.local

/usr/local/bin/firewall.sh
/home/pi/startscript.sh start

cd $HOME
sudo nano startscript.sh

Script available here -> http://pastebin.com/MMKd9AWn

# Make script executable, run and check status
sudo chmod +x startscript.sh
sudo /home/pi/startscript.sh start
sudo /home/pi/startscript.sh status

# or, alternatively, start openvpn directly in the foreground as follows
sudo openvpn /home/pi/openvpn-release-2.3/server.conf

# reboot the pi
sudo reboot


# Connect the VPN client from a remote location.
# Connecting to the external IP address does not work when client and server
# are behind the same router.
# If you want to do a local test at home,
# connect to the local IP address of the server, e.g. 192.168.1.4.
# From your remote location, connect to the no-ip hostname or the external static IP.


# check that the VPN is working by confirming your public IP address changes
# after you connect: http://ipchicken.com/
#
# Extra: If you want to put the certs and keys inline, within the client script
# see http://pastebin.com/TAu3T7JX#


2 Responses to Raspberry PI patched openvpn server (version 1.1)

  1. George says:

    Very nice, but can you help with the step below?

    sudo git clone git://github.com/OpenVPN/easy-rsa.git
    sudo cp -r ./easy-rsa/easy-rsa/2.0/* ./easy-rsa/

    In my case I only have easyrsa3 in this directory; how can I get the /2.0 directory?

    ubuntu@x:/etc/openvpn$ sudo git clone git://github.com/OpenVPN/easy-rsa.git
    Cloning into 'easy-rsa'...
    remote: Reusing existing pack: 323, done.
    remote: Total 323 (delta 0), reused 0 (delta 0)
    Receiving objects: 100% (323/323), 122.62 KiB, done.
    Resolving deltas: 100% (124/124), done.
    ubuntu@x:/etc/openvpn$ sudo cp -r ./easy-rsa/easy-rsa/2.0/* ./easy-rsa/
    cp: cannot stat `./easy-rsa/easy-rsa/2.0/*': No such file or directory
    ubuntu@x:/etc/openvpn$ sudo git clone git://github.com/OpenVPN/easy-rsa.git
    fatal: destination path 'easy-rsa' already exists and is not an empty directory.
    ubuntu@x:/etc/openvpn$ sudo cp -r ./easy-rsa/easy-rsa/2.0/* ./easy-rsa/
    cp: cannot stat `./easy-rsa/easy-rsa/2.0/*': No such file or directory
    ubuntu@x:/etc/openvpn$ sudo chown -R $USER /etc/openvpn/easy-rsa/
    ubuntu@x:/etc/openvpn$ cd /etc/openvpn/easy-rsa/
    ubuntu@x:/etc/openvpn/easy-rsa$ source vars
    -bash: vars: No such file or directory

    • scramblevpn says:

      The easyrsa project has been updated to easyrsa3.

      I have modified as little as possible in this old post,
      but the easyrsa update caused a few other changes,
      e.g. the default is now dh1024.pem,
      so the script also had to be changed.

      Anyway, tested again now after the changes and all seems to be working OK.
      Any problems, please post a comment.

      Thanks for your contribution.
