Raspberry PI and patched openvpn server, built from source code (version 2.0)

# Added 22/9/2013: start openvpn server as service
# Added 22/9/2013: script to combine keys and certs inline in client config
# Update 9/2/2014: easy-rsa updated
# Update 9/2/2014: re-tested and verified working RPI 2014-01-07-wheezy-raspbian

# This post builds a patched openvpn server on a Raspberry PI
# In places like China, one of many methods to bypass vpn blocking
# is to add a patch to scramble the protocol.

# To get it working, you need both sides patched, the server and the client,
# plus you need to add the same scramble key to the server and client configs.
# Below we use the scramble key "test".
# This key must be identical in the server and client openvpn configs,
# i.e. scramble obfuscate test

# For patched Windows Client see
# https://scramblevpn.wordpress.com/2013/09/28/build-patched-windows-openvpn-client/
# For details about the patch and options see
# https://forums.openvpn.net/topic12605.html

######################################################
# Now to Raspberry PI
# Firstly, if you already have an earlier packaged installation of openvpn, back up its config and remove it
sudo mkdir $HOME/config_backup
sudo cp -rf /etc/openvpn/* $HOME/config_backup/
sudo apt-get purge openvpn -y

# Now download OpenVPN source code and update with patch
cd $HOME
wget https://github.com/OpenVPN/openvpn/archive/release/2.3.zip
unzip 2.3.zip
wget https://github.com/clayface/openvpn_xorpatch/archive/master.zip
unzip master.zip

cp openvpn_xorpatch-master/openvpn_xor.patch openvpn-release-2.3/
cd openvpn-release-2.3/
git apply --check openvpn_xor.patch
git apply openvpn_xor.patch
cd $HOME
sudo mv ./openvpn-release-2.3/ /etc/openvpn

# We need to add a few components to be able to compile
sudo apt-get update
sudo apt-get install gcc make automake autoconf dh-autoreconf file patch perl dh-make debhelper devscripts gnupg lintian quilt libtool pkg-config libssl-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev -y

# This is the bit where we make the new openvpn server
cd /etc/openvpn/
sudo autoreconf -i -v -f
sudo ./configure --prefix=/usr
sudo make
sudo make install
sudo wget https://gist.github.com/john564/6765292/raw/0a97df1237a138a5a941bbec45b6cd41e973f840/etc+init.d+openvpn -O /etc/init.d/openvpn
sudo chmod +x /etc/init.d/openvpn
sudo update-rc.d openvpn defaults

# Now we set up the server keys and certs
# TIP: You must answer y to "Sign the certificate? [y/n]:"
# TIP: You must answer y to "commit? [y/n]"
# For everything else just keep pressing return to accept the defaults
cd /etc/openvpn
sudo wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz
sudo tar -zxvf easy-rsa-2.2.0_master.tar.gz
sudo cp -R easy-rsa-2.2.0_master/easy-rsa/ /etc/openvpn/
sudo chown -R $USER /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa/2.0/
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
./build-key client1

cd /etc/openvpn/easy-rsa/2.0/keys
sudo cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
sudo mkdir $HOME/openvpn-client-files
sudo cp ca.crt client1.crt client1.key $HOME/openvpn-client-files
sudo openvpn --genkey --secret /etc/openvpn/ta.key
sudo cp /etc/openvpn/ta.key $HOME/openvpn-client-files

# Now we create the OpenVPN client configuration on the Raspberry PI
sudo nano $HOME/openvpn-client-files/raspberrypi-client-scrambled.ovpn

client
dev tun
scramble obfuscate test
proto udp
remote change_this_to_server_address 34557
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3

# Now we merge client certs and keys into the client script
sudo wget https://gist.github.com/john564/6763098/raw/9e3e42fc9c171e238a08c62a64cf2e0ec5c50c73/combine.sh -O $HOME/openvpn-client-files/combine.sh

cd $HOME/openvpn-client-files/
sudo chmod +x $HOME/openvpn-client-files/combine.sh
sudo $HOME/openvpn-client-files/combine.sh
sudo chown $USER $HOME/openvpn-client-files/raspberrypi-client-scrambled.ovpn
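The gist fetched above does the merging. As an added example (not the gist's code and not part of this post), here is a portable shell function that does the same job: it reads the client profile, drops the four file-reference lines and appends the referenced files as inline `<ca>`, `<cert>`, `<key>` and `<tls-auth>` blocks, moving the tls-auth direction into a `key-direction` directive as the inline format requires. The file names assumed are the ones used in this post (ca.crt, client1.crt, client1.key, ta.key); the demo writes constructed placeholder files, not real key material.

```shell
#!/bin/sh
# Added example, not the gist referenced above: build a single .ovpn with the
# CA cert, client cert, client key and tls-auth key embedded inline, so only
# one file has to be copied to the client. Assumes the file names used in this post.

# field2 FILE DIRECTIVE -> the directive's first argument (empty if absent)
field2() {
    awk -v n="$2" '$1==n {print $2; exit}' "$1"
}

# combine_inline BASE_OVPN OUT_OVPN
# BASE_OVPN references ca/cert/key/tls-auth by file name, relative to its own
# directory; OUT_OVPN gets the same directives with those four replaced by
# <ca>, <cert>, <key> and <tls-auth> blocks.
combine_inline() {
    base=$1; out=$2; dir=$(dirname "$base")
    ca=$(field2 "$base" ca); cert=$(field2 "$base" cert)
    key=$(field2 "$base" key); ta=$(field2 "$base" tls-auth)
    tadir=$(awk '$1=="tls-auth" && NF>=3 {print $3; exit}' "$base")
    for f in $ca $cert $key $ta; do          # unquoted on purpose: skips empty names
        if [ ! -r "$dir/$f" ]; then
            echo "combine_inline: missing $dir/$f" >&2; return 1
        fi
    done
    {
        # keep every directive except the four file references
        awk '$1!="ca" && $1!="cert" && $1!="key" && $1!="tls-auth"' "$base"
        # once ta.key is inline, its direction moves to key-direction (client side is 1)
        if [ -n "$ta" ]; then echo "key-direction ${tadir:-1}"; fi
        for pair in "ca=$ca" "cert=$cert" "key=$key" "tls-auth=$ta"; do
            tag=${pair%%=*}; f=${pair#*=}
            [ -n "$f" ] || continue
            echo "<$tag>"; cat "$dir/$f"; echo "</$tag>"
        done
    } > "$out"
    chmod 600 "$out"   # the combined file now carries the client's private key
}

# demo_combine DIR: writes constructed placeholder cert/key files and the client
# profile from this post into DIR, combines them, and prints the output path.
demo_combine() {
    dir=$1
    for f in ca.crt client1.crt client1.key ta.key; do
        # constructed placeholders standing in for the real PEM files
        printf '%s\n' "-----BEGIN CONSTRUCTED $f-----" \
                      "placeholder, not real key material" \
                      "-----END CONSTRUCTED $f-----" > "$dir/$f"
    done
    cat > "$dir/base.ovpn" <<'EOF'
client
dev tun
scramble obfuscate test
proto udp
remote change_this_to_server_address 34557
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
EOF
    combine_inline "$dir/base.ovpn" "$dir/raspberrypi-client-scrambled.ovpn"
    echo "$dir/raspberrypi-client-scrambled.ovpn"
}

tmp=$(mktemp -d)
cat "$(demo_combine "$tmp")"
rm -rf "$tmp"
```

Because the output embeds client1.key, the function sets mode 600 on it; copy it to the client over an authenticated channel (scp) rather than e-mail or a shared folder, and delete the staging copy once it is installed.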

# Now transfer the combined client script raspberrypi-client-scrambled.ovpn
# in $HOME/openvpn-client-files to your client PC.
# Due to permissions, I had to transfer it to C:\
# then, in Windows, copy the file(s)
# to C:\Program Files (x86)\OpenVPN\config
# or, for 32-bit Windows,
# C:\Program Files\OpenVPN\config

# Back on the Raspberry PI, now we create the server config file.
# Below is my OpenVPN server configuration, saved as /etc/openvpn/server.conf
sudo nano /etc/openvpn/server.conf

port 34557
proto udp
dev tun
scramble obfuscate test
ca ca.crt
cert server.crt
key server.key
tls-auth ta.key 0
dh dh1024.pem
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
user nobody
group nogroup
status openvpn-status.log
verb 3
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 5 30

# Uncomment (or add) the line below in /etc/sysctl.conf to enable IP forwarding,
# so the PI can route the VPN clients' traffic out to the internet
sudo nano /etc/sysctl.conf

net.ipv4.ip_forward=1

# Make file for firewall setting
sudo nano /usr/local/bin/firewall.sh

#!/bin/bash
# flush existing rules in the filter and nat tables
iptables -t filter -F
iptables -t nat -F
# let replies to already established connections be forwarded
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow traffic originating from the VPN subnet to be forwarded
iptables -A FORWARD -s "10.8.0.0/24" -j ACCEPT
# reject all other forwarding
iptables -A FORWARD -j REJECT
# NAT the VPN clients behind the PI's own address
iptables -t nat -A POSTROUTING -s "10.8.0.0/24" -j MASQUERADE

# Make firewall script executable, run it and check
sudo chmod +x /usr/local/bin/firewall.sh
sudo /usr/local/bin/firewall.sh
sudo iptables --list

# Add the line below to /etc/rc.local
# before 'exit 0' to ensure the firewall rules are run at reboot or power up.
sudo nano /etc/rc.local

/usr/local/bin/firewall.sh

# reboot the pi
sudo reboot


# Connect the VPN client from a remote location.
# It does not work when client and server are connected
# to the same router and you try the external IP address.
# If you want to do a local test at home,
# connect to the local IP address of the server, e.g. 192.168.1.4.
# When you go to your remote location, connect to the no-ip address or the external static IP.


# Check the VPN is working by checking that your IP address changes
# after you connect: http://ipchicken.com/

# TIPs
sudo /etc/init.d/openvpn status
ifconfig

# Useful for debugging: stop the service and start openvpn manually in the foreground to see any errors

sudo /etc/init.d/openvpn stop
cd /etc/openvpn/
sudo openvpn /etc/openvpn/server.conf


2 Responses to Raspberry PI and patched openvpn server, built from source code (version 2.0)

  1. dadang says:

    Tue Mar 04 19:54:34 2014 us=379000 PID packet_id_free
    Tue Mar 04 19:54:34 2014 us=379000 SIGUSR1[soft,connection-reset] received, process restarting
    Tue Mar 04 19:54:34 2014 us=379000 Restart pause, 5 second(s)
    Tue Mar 04 19:54:39 2014 us=371000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Tue Mar 04 19:54:39 2014 us=371000 Re-using SSL/TLS context
    Tue Mar 04 19:54:39 2014 us=371000 LZO compression initialized
    Tue Mar 04 19:54:39 2014 us=371000 MTU DYNAMIC mtu=0, flags=1, 0 -> 168
    Tue Mar 04 19:54:39 2014 us=371000 PID packet_id_init seq_backtrack=0 time_backtrack=0
    Tue Mar 04 19:54:39 2014 us=371000 PID packet_id_init seq_backtrack=0 time_backtrack=0
    Tue Mar 04 19:54:39 2014 us=371000 PID packet_id_init seq_backtrack=0 time_backtrack=0
    Tue Mar 04 19:54:39 2014 us=371000 PID packet_id_init seq_backtrack=0 time_backtrack=0
    Tue Mar 04 19:54:39 2014 us=371000 Control Channel MTU parms [ L:1560 D:168 EF:68 EB:0 ET:0 EL:0 ]
    Tue Mar 04 19:54:39 2014 us=371000 MTU DYNAMIC mtu=1450, flags=2, 1560 -> 1450
    Tue Mar 04 19:54:39 2014 us=371000 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Tue Mar 04 19:54:39 2014 us=371000 RESOLVE_REMOTE flags=0x0101 phase=1 rrs=0 sig=-1 status=1
    Tue Mar 04 19:54:39 2014 us=371000 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
    Tue Mar 04 19:54:39 2014 us=371000 Local Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
    Tue Mar 04 19:54:39 2014 us=371000 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
    Tue Mar 04 19:54:39 2014 us=371000 Local Options hash (VER=V4): '2f2c6498'
    Tue Mar 04 19:54:39 2014 us=371000 Expected Remote Options hash (VER=V4): '9915e4a2'
    Tue Mar 04 19:54:39 2014 us=371000 Attempting to establish TCP connection with 49.213.23.56:34557
    Tue Mar 04 19:55:00 2014 us=368000 TCP: connect to 49.213.23.56:34557 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
    Tue Mar 04 19:55:26 2014 us=374000 TCP: connect to 49.213.23.56:34557 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)

    How to solve this????

  2. scramblevpn says:

    1)
    Start by checking if it works at home, with the Raspberry Pi and PC connected to the same router.
    Change the server IP to the local IP of the Raspberry Pi, e.g. 192.168.1.4.
    If you still have a problem, then the problem is the scripts.
    Also check: remove the scramble option from client and server, and repeat, to see if the patch is built correctly.

    2) If it works at home, then next test connecting to home from a nearby network,
    using the external IP address of the server.
    If you still have a problem, it might be the home router.

    3) If it works from a nearby network,
    next is to test across the Chinese GFW.

    Sometimes you gotta wait some time; you will receive a number of resets,
    eventually it should connect.

    If it does not, it might be GFW blocking.
    Check the client in China is using the correct patch and setup,
    do another local test within China,
    using another Pi server with the same setup.
    If it works locally within China, and not across the GFW,
    it really is blocked by the GFW.

    Then try different scramble options, e.g. scramble reverse.
    Remember to match server and client.

    The Chinese may throttle the IP address. Then you move the server or change IP.
