Raspberry PI and patched openvpn server, built from source code 2.3.10


# Tested on
# Raspbian Jessie Lite version date: March 2016
#
# This post builds a scrambled openvpn server on a Raspberry PI
# from source code for openvpn 2.3.10 plus patch to add scramble functionality
# To get it working, you need both sides patched, the server and the client
# plus you need to add a scramble key to server and client scripts.
# Below we will use the following password scramble key "test"
# This password key must be the same in server and client openvpn scripts
# i.e. scramble obfuscate test

# For patched Windows Client see
# https://scramblevpn.wordpress.com/2013/09/28/build-patched-windows-openvpn-client/
# For details about the patch and options see
# https://forums.openvpn.net/topic12605.html
# https://forums.openvpn.net/viewtopic.php?f=15&t=12605
#
# This patch has been updated by designers at tunnelblick

# This post will use their patch
# https://github.com/Tunnelblick/Tunnelblick/tree/master/third_party/sources/openvpn
# https://raw.githubusercontent.com/Tunnelblick/Tunnelblick/master/third_party/sources/openvpn/openvpn-2.3.11/patches/02-tunnelblick-openvpn_xorpatch.diff
# mirror https://www.dropbox.com/s/3nsht8tjnyaq2oo/02-tunnelblick-openvpn_xorpatch.diff?dl=0

######################################################
# Now to Raspberry PI
# Firstly, if you already have an earlier formal installation of openvpn, remove it
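# Back up any existing OpenVPN configuration before purging the packaged server.
# The backup directory is created as the normal user with -p (idempotent); the
# original used "sudo mkdir", which leaves a root-owned directory inside $HOME.
# The copy itself still needs root because /etc/openvpn may hold root-only
# files. "/etc/openvpn/." also picks up dotfiles and does not rely on a glob.
# Whatever was in /etc/openvpn may include private keys, so the backup is
# handed back to the user and made unreadable to everyone else.
mkdir -p "$HOME/config_backup" \
  && sudo cp -rf /etc/openvpn/. "$HOME/config_backup/" \
  && sudo chown -R "$USER" "$HOME/config_backup" \
  && chmod -R go-rwx "$HOME/config_backup"
sudo apt-get purge openvpn -y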

# We need to add a few components
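# Build, packaging and helper tools needed to compile OpenVPN from source.
# Kept in an array so the list is readable and can be edited one item per line.
build_deps=(
  gcc make automake autoconf dh-autoreconf file patch perl
  dh-make debhelper devscripts gnupg lintian quilt libtool pkg-config
  libssl-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev
  chkconfig git nano
)
sudo apt-get update
sudo apt-get install -y "${build_deps[@]}"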

# fetch source code & apply patch
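# Fetch the OpenVPN 2.3.10 source and the Tunnelblick XOR ("scramble") patch.
# The source archive is fetched over HTTPS (the original used plain http) and
# checked against a SHA-256 before it is unpacked. OPENVPN_2_3_10_SHA256 below
# is a PLACEHOLDER: replace it with the checksum published by the OpenVPN
# project for this release, otherwise the check fails and nothing is unpacked.
# The patch URL points at Tunnelblick's master branch, so the file it returns
# can change between runs; read it, and keep (or pin) the copy you reviewed.
openvpn_zip=openvpn-2.3.10.zip
openvpn_sha256='OPENVPN_2_3_10_SHA256'   # placeholder, see comment above
xor_patch=02-tunnelblick-openvpn_xorpatch.diff
cd "$HOME/"
wget "https://swupdate.openvpn.org/community/releases/$openvpn_zip" \
  && printf '%s  %s\n' "$openvpn_sha256" "$openvpn_zip" | sha256sum -c - \
  && unzip "$openvpn_zip"
wget "https://raw.githubusercontent.com/Tunnelblick/Tunnelblick/master/third_party/sources/openvpn/openvpn-2.3.11/patches/$xor_patch"
# mirror https://www.dropbox.com/s/3nsht8tjnyaq2oo/02-tunnelblick-openvpn_xorpatch.diff?dl=0
# git apply works on a plain directory too; the chain stops if the cd fails.
cp "$xor_patch" openvpn-2.3.10/ \
  && cd openvpn-2.3.10/ \
  && git apply "$xor_patch"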

# This is the bit where we make and install the new openvpn server
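# Build as the normal user; only "make install" and the init script need root.
# (The original ran configure and make under sudo, which leaves a root-owned
# build tree in $HOME and runs the whole build system with more privilege
# than it needs.) mkdir -p tolerates /etc/openvpn surviving the purge above.
sudo mkdir -p /etc/openvpn/
cd "$HOME/openvpn-2.3.10/" \
  && ./configure --prefix=/usr \
  && make \
  && sudo make install
# The init script comes from a third-party file host and will run as root on
# every boot. Fetch it with certificate verification ON (the original passed
# --no-check-cert, which turns the HTTPS download into an unauthenticated one),
# read it, and only then install it with the executable bit set.
wget https://www.dropbox.com/s/nz4dyons6tlsbr4/etcinitdopenvpn.sh -O "$HOME/etcinitdopenvpn.sh" \
  && less "$HOME/etcinitdopenvpn.sh" \
  && sudo install -m 0755 "$HOME/etcinitdopenvpn.sh" /etc/init.d/openvpn \
  && sudo update-rc.d openvpn defaults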

# Check startup script is correctly set
# Confirm the init script is enabled for the multi-user runlevels (2-5).
# -F treats the name as a fixed string; -- stops option parsing.
chkconfig --list | grep -F -- openvpn
# expect
# openvpn 0:off 1:off 2:on 3:on 4:on 5:on 6:off

# Now we create unique keys and certs using easyrsa3
# For test purposes only, here is a pair of client/server scripts
# https://www.dropbox.com/s/u06t53fb7qwov47/client1.ovpn?dl=0
# https://www.dropbox.com/s/cxt7ajdxczifsqm/server.conf?dl=0

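# Generate the PKI with easy-rsa 3. The archive is the master branch of the
# easy-rsa repository (unpinned): review it, or use a tagged release, before
# relying on it. Every step is chained so a failure stops the sequence instead
# of producing a half-built PKI.
# NOTE: "build-ca nopass" leaves the CA private key unencrypted on disk; the
# page accepts that for test purposes. For anything beyond a test, protect the
# CA key with a passphrase and ideally do not keep it on the VPN server itself.
mkdir -p "$HOME/clientside" "$HOME/serverside"
cd "$HOME/serverside" \
  && wget https://github.com/OpenVPN/easy-rsa/archive/master.zip \
  && unzip master.zip \
  && cd easy-rsa-master/easyrsa3 \
  && openvpn --genkey --secret ta.key \
  && ./easyrsa init-pki \
  && ./easyrsa --batch build-ca nopass \
  && ./easyrsa --batch build-server-full server nopass \
  && ./easyrsa --batch build-client-full client1 nopass \
  && ./easyrsa gen-dh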

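# Distribute the generated material. The server side gets the CA cert, its own
# cert and key, the DH parameters (renamed to dh2048.pem to match server.conf)
# and ta.key; the client side gets the CA cert, client1's cert and key, and
# ta.key. The CA private key (pki/private/ca.key) is not copied to either side
# and should stay that way.
easyrsa_dir="$HOME/serverside/easy-rsa-master/easyrsa3"
cp "$easyrsa_dir/pki/ca.crt"              "$HOME/serverside/"
cp "$easyrsa_dir/pki/issued/server.crt"   "$HOME/serverside/"
cp "$easyrsa_dir/pki/dh.pem"              "$HOME/serverside/dh2048.pem"
cp "$easyrsa_dir/pki/private/server.key"  "$HOME/serverside/"
cp "$easyrsa_dir/ta.key"                  "$HOME/serverside/"
cp "$easyrsa_dir/pki/issued/client1.crt"  "$HOME/clientside/"
cp "$easyrsa_dir/ta.key"                  "$HOME/clientside/"
cp "$easyrsa_dir/pki/ca.crt"              "$HOME/clientside/"
cp "$easyrsa_dir/pki/private/client1.key" "$HOME/clientside/"
# Private keys and the shared tls-auth key are secrets: make the copies
# owner-only explicitly rather than relying on the umask.
chmod 600 "$HOME/serverside/server.key" "$HOME/serverside/ta.key" \
  "$HOME/clientside/client1.key" "$HOME/clientside/ta.key"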

# Client Script
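# Client profile. The original step opened this file in nano and pasted the
# lines below; the quoted here-document writes exactly the same content
# without an editor. Notes on the options:
#  - scramble obfuscate test: the XOR patch only obfuscates packets so the
#    traffic is harder to fingerprint; it adds no cryptographic strength. The
#    key must be identical on server and client ("test" throughout this page);
#    use something less guessable before going live.
#  - remote: replace change_this_to_server_address with the server's DNS name
#    or public IP; 34557 must match the "port" line in server.conf.
#  - remote-cert-tls server: only accept a server cert issued for server use,
#    so a leaked client cert cannot be used to impersonate the server.
#  - tls-auth ta.key 1: pairs with "tls-auth ta.key 0" on the server.
#  - comp-lzo must match the server; newer OpenVPN guidance discourages
#    compressing encrypted traffic, so consider dropping it on both sides.
cat > "$HOME/clientside/raspberrypi.ovpn" <<'EOF'
client
dev tun
proto udp
scramble obfuscate test
remote change_this_to_server_address 34557
resolv-retry infinite
nobind
persist-key
persist-tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3
EOF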

# Now merge certs and keys into client script, so we only have one file to handle
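# Merge the certs and keys into the .ovpn so the client needs only one file.
# merge.sh is a third-party script pulled from a file host: download it with
# TLS verification ON (the original used --no-check-cert), read it, and only
# then run it. The original ran it with sudo; this page does not show why root
# would be needed for files in $HOME/clientside — if it works without sudo,
# the chown afterwards becomes unnecessary.
cd "$HOME/clientside/" \
  && wget https://www.dropbox.com/s/v228zvccef9d10c/merge.sh -O merge.sh \
  && less merge.sh \
  && chmod +x merge.sh \
  && sudo ./merge.sh \
  && sudo chown "$USER" "$HOME/clientside/raspberrypi.ovpn"
# The merged profile now embeds client1.key and ta.key: keep it owner-only and
# move it to the client over an authenticated channel (scp/sftp), not by mail
# or a shared folder.
chmod 600 "$HOME/clientside/raspberrypi.ovpn"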

# Now transfer client script raspberrypi.ovpn
# in $HOME/clientside/ to your client PC
# Due to permissions, I had to transfer it to C:\
# Then in windows, copy the file
# to C:\Program Files (x86)\OpenVPN\config

# Server Script
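# Server configuration, written with a quoted here-document instead of nano;
# the content is the same as the original. Notes:
#  - scramble obfuscate test must match the client line exactly; as on the
#    client, this is obfuscation, not encryption.
#  - user nobody / group nogroup / chroot /etc/openvpn/jail drop privileges
#    after startup; persist-key and persist-tun let the daemon survive restarts
#    once it can no longer re-read its keys or reopen the tun device.
#  - tls-auth ta.key 0 pairs with "tls-auth ta.key 1" on the client.
#  - push "redirect-gateway def1" routes all client IPv4 traffic through the
#    tunnel; nothing here handles IPv6, so a dual-stack client may still send
#    IPv6 outside the tunnel unless that is disabled or routed separately.
#  - The pushed DNS servers are OpenDNS resolvers; change them if you do not
#    want a third party to see client lookups.
#  - The merge step below embeds server.key and ta.key in this file, so it
#    must be protected when copied to /etc/openvpn.
cat > "$HOME/serverside/server.conf" <<'EOF'
port 34557
proto udp
scramble obfuscate test
dev tun
ca ca.crt
cert server.crt
key server.key
tls-auth ta.key 0
dh dh2048.pem
sndbuf 0
rcvbuf 0
chroot /etc/openvpn/jail
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
user nobody
group nogroup
status /etc/openvpn/openvpn-status.log
verb 3
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 5 30
EOF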

# Now merge certs and keys into server script, so we only have one file to handle
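# Merge the certs and keys into server.conf so the server needs only one file.
# As with merge.sh, this is a third-party script from a file host that is then
# run as root: download it with TLS verification ON (the original used
# --no-check-cert), read it, and only then run it.
cd "$HOME/serverside/" \
  && wget https://www.dropbox.com/s/9wc3we8ezfucj1j/merge_server.sh -O merge_server.sh \
  && less merge_server.sh \
  && chmod +x merge_server.sh \
  && sudo ./merge_server.sh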

# Now copy the merged server script to /etc/openvpn/ and make jail
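# Install the merged server config and create the chroot jail named by the
# "chroot" directive. The merged file embeds server.key and ta.key, so it must
# not be world-readable — a plain cp would normally leave it 0644. 0600 owned
# by root is enough: the daemon reads its config as root at startup, before
# dropping to nobody. mkdir -p creates jail and jail/tmp in one go.
sudo install -m 0600 "$HOME/serverside/server.conf" /etc/openvpn/server.conf
sudo mkdir -p /etc/openvpn/jail/tmp/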

# uncomment to allow data redirect
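# Enable IPv4 forwarding persistently. The original opened /etc/sysctl.conf in
# nano and uncommented the line; the sed does the same edit and nothing else
# (it only matches the commented-out form). The grep shows the result, and the
# sysctl -w applies the setting now rather than waiting for the reboot.
sudo sed -i 's/^#[[:space:]]*net\.ipv4\.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
grep -n '^net\.ipv4\.ip_forward=1' /etc/sysctl.conf \
  || printf 'net.ipv4.ip_forward=1 not found in /etc/sysctl.conf - add it by hand\n' >&2
sudo sysctl -w net.ipv4.ip_forward=1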


# The firewall settings can really screw everything up
# There are a number of ways; it depends on how you're using the PI
# I am using it as a headless remote server, this means no desktop
# environment, and no other firewall conflicting data loaded.
# Alternative Firewall setting if static IP of PI is 10.0.0.10
# check with ifconfig. Also this should be the firewall.sh file
#
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source LOCALIP
#
# sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 10.0.0.10
#
# And Start everything
# sudo sysctl -w net.ipv4.ip_forward=1
#
#
#

# Make file for firewall setting
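# Write the firewall script (the original created it with nano); the rules are
# unchanged. What they do:
#  - -F flushes BOTH the filter and nat tables, so rules set up by anything
#    else on the box are discarded every time this runs.
#  - FORWARD: allow replies to existing connections, allow anything from the
#    VPN subnet, reject the rest. INPUT is not touched, so its default policy
#    applies — fine for the headless box described above, but worth knowing.
#  - MASQUERADE has no -o, so it applies on every outgoing interface; the
#    commented variant earlier on the page restricts it with "-o eth0" — do
#    the same if your uplink interface is known (check with ifconfig).
#  - Only IPv4 is handled; ip6tables is left as it is.
sudo tee /usr/local/bin/firewall.sh >/dev/null <<'EOF'
#!/bin/bash
iptables -t filter -F
iptables -t nat -F
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s "10.8.0.0/24" -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s "10.8.0.0/24" -j MASQUERADE
EOF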

# Make firewall script executable, run it and check
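# Make the firewall script executable, run it, and show what is now loaded.
# -n skips reverse-DNS lookups for every listed address (faster, and no
# lookups go out to the resolver); -v adds interfaces and counters. The nat
# table is listed as well because the script writes to it.
sudo chmod +x /usr/local/bin/firewall.sh
sudo /usr/local/bin/firewall.sh
sudo iptables -L -n -v
sudo iptables -t nat -L -n -v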

# add new text line into file /etc/rc.local
# before 'exit 0' to ensure the firewall rules are run at reboot or power up.
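# Hook the firewall script into /etc/rc.local so the rules come back after a
# reboot. The original edited the file in nano, inserting the line before
# "exit 0"; the sed does the same insert, and the grep guard keeps it from
# being added twice. The final grep shows the line in place above exit 0.
if ! grep -qF -- '/usr/local/bin/firewall.sh' /etc/rc.local; then
  sudo sed -i '/^exit 0/i /usr/local/bin/firewall.sh' /etc/rc.local
fi
grep -n -B1 '^exit 0' /etc/rc.local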

# reboot the pi
# (this ends the session; the checks below are run after the PI is back up
# and confirm that the init script, sysctl and rc.local changes all took)
sudo reboot

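# TIP: Check server can start ok. Restart it, then confirm an openvpn process
# is actually running (pgrep -a prints the PID and command line); the restart
# alone can report success while the daemon exits a moment later on a config
# error.
sudo /etc/init.d/openvpn restart
pgrep -a openvpn \
  || printf 'openvpn is not running; check the init script output and the system log\n' >&2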

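# TIP: Check the tun0 interface started. Asking for tun0 by name fails with an
# error and a non-zero status if the interface does not exist, instead of
# leaving you to scan the full listing for it.
ifconfig tun0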

# Connect VPN client from remote location
# This does not work when the client and server are connected
# to the same router and you try the external IP address.
# If you want to do a local test at home
# connect to local IP address of server e.g. 192.168.1.4
# when you go to your remote location, connect to no-ip address or external static IP


3 Responses to Raspberry PI and patched openvpn server, built from source code 2.3.10

  1. Ahmed Kamal says:

    Thanks for this great guide! Would you be interested in maintaining binaries as well to make everyone’s life easier ?

  2. Max Power says:

    Thanks for the great instructions! If someone needs an Android app with scramble support:
    https://www.bolehvpn.net/blog/2015/04/09/new-bolehvpn-android-client-with-lollipop-support/
