Raspberry PI and patched openvpn server, built from source code 2.3.8


# Tested on
# Raspbian Wheezy version date: 2015-05-05
#
# This post builds a scrambled openvpn server on a Raspberry PI
# from source code for openvpn 2.3.8 plus patch to add scramble functionality
# To get it working, you need both sides patched, the server and the client
# plus you need to add a scramble key to server and client scripts.
# Below we will use the following password scramble key "test"
# This password key must be the same in server and client openvpn scripts
# i.e. scramble obfuscate test

# For patched Windows Client see
# https://scramblevpn.wordpress.com/2013/09/28/build-patched-windows-openvpn-client/
# For details about the patch and options see
# https://forums.openvpn.net/topic12605.html

######################################################
# Now to Raspberry PI
# Firstly, if you already have an earlier formal installation of openvpn, remove it
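# Back up any existing OpenVPN configuration before purging the packaged
# install. The backup may contain private keys (server.key, ta.key), so it
# is created in $HOME without sudo (stays owned by the user) and is made
# accessible to the owner only. Expansions are quoted in case $HOME has
# spaces.
mkdir -p "$HOME/config_backup"
chmod 700 "$HOME/config_backup"
# cp runs as root because /etc/openvpn may hold root-only key files;
# "/." copies the directory contents (dotfiles included) and does not fail
# on an empty directory the way an unmatched "/*" glob would.
sudo cp -rf /etc/openvpn/. "$HOME/config_backup/" \
  || printf 'nothing to back up in /etc/openvpn\n' >&2
sudo apt-get purge openvpn -y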

# fetch source code & apply patch
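# Fetch the OpenVPN 2.3.8 source and the XOR scramble patch.
cd "$HOME" || exit 1
# https so the source archive cannot be altered in transit.
wget https://swupdate.openvpn.org/community/releases/openvpn-2.3.8.zip || exit 1
# Record the archive checksum and compare it with the value published by
# the OpenVPN project before building; an encrypted transport alone does
# not prove the archive is the one the project released.
sha256sum openvpn-2.3.8.zip
unzip openvpn-2.3.8.zip
# NOTE(review): "master" is a moving target, so the patch you apply may
# differ from the one the author tested. For a reproducible build, pin a
# reviewed commit in the archive URL and adjust the extracted dir name.
wget https://github.com/clayface/openvpn_xorpatch/archive/master.zip || exit 1
unzip master.zip
cp openvpn_xorpatch-master/openvpn_xor.patch openvpn-2.3.8/
cd openvpn-2.3.8/ || exit 1
# Read the patch before applying it: it changes how packets are written to
# the wire. git apply works here without a git checkout; a failed apply
# must stop the build rather than compile an unpatched tree.
git apply openvpn_xor.patch || exit 1
cd "$HOME" || exit 1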

# We need to add a few components to be able to compile
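# Build dependencies. ca-certificates is refreshed alongside openssl: the
# later downloads use https and must be able to verify the server
# certificate, which is the correct fix for a stale CA store (rather than
# turning certificate checking off in wget).
sudo apt-get update
sudo apt-get install --only-upgrade openssl ca-certificates -y
sudo apt-get install -y \
  gcc make automake autoconf dh-autoreconf file patch perl dh-make \
  debhelper devscripts gnupg lintian quilt libtool pkg-config \
  libssl-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev chkconfig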

# This is the bit where we make and install the new openvpn server
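# Build as the normal user; only "make install" and the init script need
# root. Running configure/make as root is unnecessary and lets any mistake
# in the build write anywhere on the system.
sudo mkdir -p /etc/openvpn/
cd "$HOME/openvpn-2.3.8/" || exit 1
./configure --prefix=/usr || exit 1
make || exit 1
sudo make install || exit 1
# The init script comes from a third-party file share and will run as root
# on every boot. Download it with TLS verification on (no --no-check-cert),
# record its checksum, read it, and only then install it. If the download
# fails with a certificate error, update ca-certificates instead of
# disabling verification.
tmp_init=$(mktemp) || exit 1
wget https://www.dropbox.com/s/nz4dyons6tlsbr4/etcinitdopenvpn.sh -O "$tmp_init" || exit 1
sha256sum "$tmp_init"   # keep this value with your notes
less "$tmp_init"        # review before installing
sudo install -m 755 -o root -g root "$tmp_init" /etc/init.d/openvpn
rm -f -- "$tmp_init"
sudo update-rc.d openvpn defaults

# Check startup script is correctly set
chkconfig --list | grep openvpn
# expect
# openvpn 0:off 1:off 2:on 3:on 4:on 5:on 6:off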

# Now we create unique keys and certs using easyrsa3
# This can be tricky first time, for more detailed guide with TIPs
# see http://tryapi.wordpress.com/2014/10/19/easyrsa3/
# For test purposes only, here are a pair of client/server scripts
# https://www.dropbox.com/s/u06t53fb7qwov47/client1.ovpn?dl=0
# https://www.dropbox.com/s/cxt7ajdxczifsqm/server.conf?dl=0
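# Client-side PKI: only the client's private key and its signing request
# are created here; the request is signed by the server-side CA later.
mkdir -p "$HOME/clientside"
cd "$HOME/clientside" || exit 1
# git:// is unauthenticated and unencrypted; over https git verifies the
# server certificate, so the PKI tooling itself cannot be swapped in
# transit.
git clone https://github.com/OpenVPN/easy-rsa || exit 1
cd easy-rsa/easyrsa3 || exit 1
./easyrsa init-pki
# nopass: the client key is stored unencrypted on disk, so the file (and
# the merged .ovpn that will embed it) must be protected by permissions.
./easyrsa gen-req client1 nopass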

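# Server-side PKI: the CA is created here and signs both the server's and
# the client's requests.
mkdir -p "$HOME/serverside"
cd "$HOME/serverside" || exit 1
# https:// instead of git:// so the clone is authenticated in transit.
git clone https://github.com/OpenVPN/easy-rsa || exit 1
cd easy-rsa/easyrsa3 || exit 1
./easyrsa init-pki
# build-ca writes the CA private key under pki/private/. Whoever holds it
# can issue certificates this server accepts, so keep it off the VPN host
# where practical and never copy it into /etc/openvpn. Re-running
# init-pki/build-ca later creates a new CA and invalidates everything
# issued by this one.
./easyrsa build-ca
./easyrsa gen-req server nopass
./easyrsa sign-req server server
# 2048-bit DH parameters for the TLS handshake; this can take a long time
# on a Pi and only needs to be done once.
openssl dhparam -out dh2048.pem 2048
# Shared HMAC key for tls-auth; every client gets a copy of this file.
openvpn --genkey --secret ta.key
./easyrsa import-req "$HOME/clientside/easy-rsa/easyrsa3/pki/reqs/client1.req" client1
./easyrsa sign-req client client1
# Copy certs and keys to correct directory,
# Later we will merge them with the config file
pki_dir="$HOME/serverside/easy-rsa/easyrsa3"
cp "$pki_dir/pki/ca.crt" "$HOME/serverside/"
cp "$pki_dir/pki/issued/server.crt" "$HOME/serverside/"
cp "$pki_dir/dh2048.pem" "$HOME/serverside/"
cp "$pki_dir/pki/private/server.key" "$HOME/serverside/"
cp "$pki_dir/ta.key" "$HOME/serverside/"
cp "$pki_dir/pki/issued/client1.crt" "$HOME/clientside/"
cp "$pki_dir/ta.key" "$HOME/clientside/"
cp "$pki_dir/pki/ca.crt" "$HOME/clientside/"
cp "$HOME/clientside/easy-rsa/easyrsa3/pki/private/client1.key" "$HOME/clientside/"
# Private key material: owner-only, regardless of what cp preserved.
chmod 600 "$HOME/serverside/server.key" "$HOME/serverside/ta.key" \
  "$HOME/clientside/client1.key" "$HOME/clientside/ta.key"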

# Client Script
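# Client config, written with a quoted here-document instead of typing it
# into nano; the directives are exactly those of the original guide.
# Before using it beyond a local test, note:
#  - "scramble obfuscate test": the XOR patch obfuscates the packet stream,
#    it is not encryption. "test" is a demonstration value shared with the
#    server config; choose your own and keep it out of public posts.
#  - "comp-lzo": compression inside an encrypted tunnel was later shown to
#    allow plaintext recovery in some scenarios (VORACLE); drop it on both
#    ends unless you need it.
#  - no "auth" line, so the HMAC is OpenVPN's default for this version
#    series (SHA1); "auth SHA256" on both ends is the usual hardening.
cat > "$HOME/clientside/raspberrypi.ovpn" <<'EOF'
client
dev tun
proto udp
scramble obfuscate test
remote change_this_to_server_address 34557
resolv-retry infinite
nobind
persist-key
persist-tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3
EOF
# The merge step will embed client1.key in this file: owner-only from the start.
chmod 600 "$HOME/clientside/raspberrypi.ovpn"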

# Now merge certs and keys into client script, so we only have one file to handle
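cd "$HOME/clientside/" || exit 1
# merge.sh is an unreviewed script from a third-party share that will read
# your private key. Fetch it with TLS verification on (no --no-check-cert),
# record its checksum and read it before running it. The inputs in this
# directory were created without sudo, so the merge should not need root;
# running it as the user avoids handing the script root and leaves the
# output owned by $USER (the chown is kept for files from an earlier run).
wget https://www.dropbox.com/s/v228zvccef9d10c/merge.sh -O merge.sh || exit 1
sha256sum merge.sh
less merge.sh
chmod +x merge.sh
./merge.sh
sudo chown "$USER" "$HOME/clientside/raspberrypi.ovpn"
# The merged file now embeds client1.key and ta.key.
chmod 600 "$HOME/clientside/raspberrypi.ovpn"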

# Now transfer client script raspberrypi.ovpn
# in $HOME/clientside/ to your client PC
# Due to permissions, I had to transfer it to C:\
# Then in windows, copy the file
# to C:\Program Files (x86)\OpenVPN\config

# Server Script
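# Server config, written with a quoted here-document instead of nano; the
# directives are exactly those of the original guide.
# Before using it beyond a local test, note:
#  - "scramble obfuscate test" must match the client's line; it obfuscates,
#    it does not encrypt, and "test" is a demonstration key.
#  - no "auth" line, so the HMAC is OpenVPN's default for this version
#    series (SHA1); "auth SHA256" on both ends is the usual hardening.
#  - "comp-lzo": tunnel compression was later shown to enable plaintext
#    recovery in some scenarios (VORACLE); consider removing it on both ends.
#  - chroot + user nobody / group nogroup drop privileges after start-up;
#    keep them. The status log path is given as seen by the daemon — verify
#    it is still writable once the chroot is in effect.
#  - the pushed DNS servers (208.67.222.222 / .220.220) are OpenDNS; all
#    client DNS goes there once "redirect-gateway" is active.
cat > "$HOME/serverside/server.conf" <<'EOF'
port 34557
proto udp
scramble obfuscate test
dev tun
ca ca.crt
cert server.crt
key server.key
tls-auth ta.key 0
dh dh2048.pem
sndbuf 0
rcvbuf 0
chroot /etc/openvpn/jail
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
user nobody
group nogroup
status /etc/openvpn/openvpn-status.log
verb 3
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 5 30
EOF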

# Now merge certs and keys into server script, so we only have one file to handle
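cd "$HOME/serverside/" || exit 1
# merge_server.sh is an unreviewed third-party script that will read
# server.key and ta.key. Keep TLS verification on (no --no-check-cert),
# record its checksum and read it before running it. The files here are
# owned by the user, so it is run without sudo; if it turns out to need
# root, that will show up as a permission error rather than silently
# running an unknown script as root.
wget https://www.dropbox.com/s/9wc3we8ezfucj1j/merge_server.sh -O merge_server.sh || exit 1
sha256sum merge_server.sh
less merge_server.sh
chmod +x merge_server.sh
./merge_server.sh
# The merged file now embeds the server's private key.
chmod 600 "$HOME/serverside/server.conf"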

# Now copy the merged server script to /etc/openvpn/ and make jail
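# Install the merged config and create the chroot jail the config points to.
sudo cp "$HOME/serverside/server.conf" /etc/openvpn/
# server.conf embeds server.key and ta.key; OpenVPN reads it as root before
# dropping privileges, so root-only access is enough.
sudo chown root:root /etc/openvpn/server.conf
sudo chmod 600 /etc/openvpn/server.conf
# -p: idempotent if the guide is re-run. jail/tmp is what the original
# guide creates; presumably for the daemon's temporary files — confirm.
sudo mkdir -p /etc/openvpn/jail/tmp/
# NOTE(review): update-resolv-conf is not referenced by server.conf above
# and probably came from the purged Debian package, so it may be absent
# after a source build. Copy it only if it is there instead of failing.
if [[ -e /etc/openvpn/update-resolv-conf ]]; then
  sudo cp /etc/openvpn/update-resolv-conf /etc/openvpn/jail/
fi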

# uncomment to allow data redirect
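# Enable IPv4 forwarding so VPN client traffic can be routed out of the Pi.
# Done non-interactively: uncomment/normalise an existing ip_forward line
# if there is one, otherwise append it.
if grep -qE '^[#[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' /etc/sysctl.conf; then
  sudo sed -i -E \
    's/^[#[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=.*/net.ipv4.ip_forward=1/' \
    /etc/sysctl.conf
else
  printf 'net.ipv4.ip_forward=1\n' | sudo tee -a /etc/sysctl.conf >/dev/null
fi
# Apply immediately as well; sysctl.conf only takes effect on the next boot.
sudo sysctl -w net.ipv4.ip_forward=1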

# Make file for firewall setting
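# Firewall script, written non-interactively with a quoted here-document.
# The rules are the same as the original; only comments were added.
sudo tee /usr/local/bin/firewall.sh >/dev/null <<'EOF'
#!/bin/bash
# Flush the filter and nat tables. NOTE: this also removes any INPUT rules
# that were protecting the Pi itself, and the script sets no INPUT rules
# and leaves chain policies untouched — host protection must come from
# elsewhere (or be added here before the FORWARD rules).
iptables -t filter -F
iptables -t nat -F
# FORWARD: allow replies to established flows, allow the VPN subnet out,
# reject everything else. Rules are appended in order, so the REJECT must
# stay last.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s "10.8.0.0/24" -j ACCEPT
iptables -A FORWARD -j REJECT
# Hide VPN clients behind the Pi's own address on the way out.
iptables -t nat -A POSTROUTING -s "10.8.0.0/24" -j MASQUERADE
EOF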

# Make firewall script executable, run it and check
# Mark the firewall script executable, load the rules once now, and print
# the resulting filter-table rules for inspection.
sudo chmod +x -- /usr/local/bin/firewall.sh
sudo /usr/local/bin/firewall.sh
sudo iptables -L

# add new text line into file /etc/rc.local
# before `exit 0`, so the firewall rules are applied at every boot.
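# Make the rules survive a reboot by calling the script from /etc/rc.local
# before its final "exit 0". Done with sed instead of nano, and guarded so
# re-running the guide does not insert the line twice. (rc.local must be
# executable for this to run at boot — it is on a stock Raspbian image.)
if ! grep -qF '/usr/local/bin/firewall.sh' /etc/rc.local; then
  sudo sed -i '/^exit 0/i /usr/local/bin/firewall.sh' /etc/rc.local
fi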

# reboot the pi
# Reboot so sysctl.conf, rc.local and the init script all take effect.
sudo reboot

# TIP: Check server can start ok
# (after the reboot; look at the daemon log if this does not come up)
sudo /etc/init.d/openvpn restart

# TIP:Check tun0 interface started
# ifconfig is deprecated on newer systems; "ip addr show tun0" shows the same.
ifconfig

# Connect VPN client from remote location
# Connecting to the server's external IP address does not work
# when the client and server are behind the same router.
# If you want to do a local test at home
# connect to local IP address of server e.g. 192.168.1.4
# when you go to your remote location, connect to no-ip address or external static IP


5 Responses to Raspberry PI and patched openvpn server, built from source code 2.3.8

  1. Edward says:

    I have a quick question on creating additional users…
    I seem to be messing up on that part of creating additional users.
    I notice that the shell script backups the ta.key and ca.crt
    Do I have to get them re-created each time for each user?

    • scramblevpn says:

      # Making a second user
      # NOTE(review): this sequence starts a brand-new PKI (init-pki, build-ca).
      # Run on a server that already has a CA, it replaces that CA, so every
      # certificate issued before — the deployed server.crt included — stops
      # validating. To add client2 to an existing CA, run only the client2
      # gen-req / import-req / sign-req / cp lines and skip init-pki, build-ca,
      # the server request, dhparam and genkey.
      # mkdir without -p fails if the directory is left from the first run.
      mkdir $HOME/clientside
      cd $HOME/clientside
      # git:// is unauthenticated and unencrypted; clone over https:// instead.
      git clone git://github.com/OpenVPN/easy-rsa
      cd easy-rsa/easyrsa3
      ./easyrsa init-pki
      ./easyrsa gen-req client1 nopass
      ./easyrsa gen-req client2 nopass

      mkdir $HOME/serverside
      cd $HOME/serverside
      git clone git://github.com/OpenVPN/easy-rsa
      cd easy-rsa/easyrsa3
      ./easyrsa init-pki
      # New CA: see the note at the top of this listing.
      ./easyrsa build-ca
      ./easyrsa gen-req server nopass
      ./easyrsa sign-req server server
      openssl dhparam -out dh2048.pem 2048
      # New ta.key: every existing client would need the new copy as well.
      openvpn --genkey --secret ta.key
      ./easyrsa import-req $HOME/clientside/easy-rsa/easyrsa3/pki/reqs/client1.req client1
      ./easyrsa import-req $HOME/clientside/easy-rsa/easyrsa3/pki/reqs/client2.req client2
      ./easyrsa sign-req client client1
      ./easyrsa sign-req client client2

      # Copy certs and keys to correct directory.
      cp $HOME/serverside/easy-rsa/easyrsa3/pki/ca.crt $HOME/serverside/
      cp $HOME/serverside/easy-rsa/easyrsa3/pki/issued/server.crt $HOME/serverside/
      cp $HOME/serverside/easy-rsa/easyrsa3/dh2048.pem $HOME/serverside/
      cp $HOME/serverside/easy-rsa/easyrsa3/pki/private/server.key $HOME/serverside/
      cp $HOME/serverside/easy-rsa/easyrsa3/ta.key $HOME/serverside/

      # One directory per client so each gets its own cert/key pair;
      # the unencrypted (nopass) keys should be chmod 600 after copying.
      mkdir $HOME/clientside/client1
      mkdir $HOME/clientside/client2
      cp $HOME/serverside/easy-rsa/easyrsa3/pki/issued/client1.crt $HOME/clientside/client1/
      cp $HOME/serverside/easy-rsa/easyrsa3/pki/issued/client2.crt $HOME/clientside/client2/
      cp $HOME/serverside/easy-rsa/easyrsa3/ta.key $HOME/clientside/client1/
      cp $HOME/serverside/easy-rsa/easyrsa3/ta.key $HOME/clientside/client2/
      cp $HOME/serverside/easy-rsa/easyrsa3/pki/ca.crt $HOME/clientside/client1/
      cp $HOME/serverside/easy-rsa/easyrsa3/pki/ca.crt $HOME/clientside/client2/
      cp $HOME/clientside/easy-rsa/easyrsa3/pki/private/client1.key $HOME/clientside/client1/
      cp $HOME/clientside/easy-rsa/easyrsa3/pki/private/client2.key $HOME/clientside/client2/

      # Client1 Script
      # (the lines after the nano command are the file's contents, not
      # commands; they mirror the main guide's client config, including the
      # shared "scramble obfuscate test" demonstration key)
      nano $HOME/clientside/client1/raspberrypi.ovpn

      client
      dev tun
      proto udp
      scramble obfuscate test
      remote change_this_to_server_address 34557
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      ca ca.crt
      cert client1.crt
      key client1.key
      tls-auth ta.key 1
      remote-cert-tls server
      cipher AES-256-CBC
      comp-lzo
      verb 3

      # Client2 Script
      # (same as client1 except for the cert/key file names)
      nano $HOME/clientside/client2/raspberrypi2.ovpn

      client
      dev tun
      proto udp
      scramble obfuscate test
      remote change_this_to_server_address 34557
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      ca ca.crt
      cert client2.crt
      key client2.key
      tls-auth ta.key 1
      remote-cert-tls server
      cipher AES-256-CBC
      comp-lzo
      verb 3

      # Now merge certs and keys into client script, so we only have one file to handle
      # NOTE(review): --no-check-cert disables TLS verification for a script
      # that is then run with sudo and handles private keys; download with
      # verification on, read the script, and run it as the owning user.
      cd $HOME/clientside/client1/
      wget --no-check-cert https://www.dropbox.com/s/v228zvccef9d10c/merge.sh -O merge.sh
      sudo chmod +x merge.sh
      sudo ./merge.sh
      sudo chown $USER $HOME/clientside/client1/raspberrypi.ovpn

      cd $HOME/clientside/client2/
      wget --no-check-cert https://www.dropbox.com/s/v228zvccef9d10c/merge.sh -O merge.sh
      nano $HOME/clientside/client2/merge.sh

      # Change the following
      # (these are variable assignments inside merge.sh that name the input
      # files and the output .ovpn; set them to the client2 file names)

      ca="ca.crt"
      cert="client2.crt"
      key="client2.key"
      tlsauth="ta.key"
      ovpndest="raspberrypi2.ovpn"

      sudo chmod +x merge.sh
      sudo ./merge.sh
      # The merged .ovpn embeds client2.key: restrict it to the owner (chmod 600).
      sudo chown $USER $HOME/clientside/client2/raspberrypi2.ovpn

  2. Tian says:

    After these steps, what do you do with the new server key and cert that are generated? And is it necessary to make a new dh2048 file each time I want to add a client?

  3. Tony says:

    Hi, I see your instructions here are for version 2.3.8 but your windows binaries are 2.3.6. Can you bring everything up in sync 🙂 Thx
