build deb linux package



# openvpn 2.3.4 Deb package available for Raspberry pi, Still works
# Tested on
# Raspbian Jessie Lite version date: March 2016

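# Runtime libraries and key blacklists the prebuilt package depends on.
sudo apt-get install openssl-blacklist openvpn-blacklist liblzo2-dev libpam0g-dev libpkcs11-helper1-dev -y
# Leave TLS certificate checking on: this .deb is installed as root below, and
# skipping validation lets anyone on the network path substitute the file.
# If wget reports a certificate error, install the ca-certificates package
# instead of disabling the check.
wget https://www.dropbox.com/s/5y4218mmue2mv9x/openvpn_2.3.4-Scramblevpn-raspbian_armhf.deb
# The page gives no checksum for this file, so print its SHA-256 and compare it
# with a value obtained from the packager through a separate channel before
# installing.
sha256sum openvpn_2.3.4-Scramblevpn-raspbian_armhf.deb
sudo dpkg -i openvpn_2.3.4-Scramblevpn-raspbian_armhf.deb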

# uninstall
sudo dpkg -r openvpn


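# I tried to update this post to the latest openvpn version, but it
# seems I can no longer use https://github.com/mattock/openvpn-build to
# build a deb package.
#
# So the how-to guide below no longer works, and the 2.3.4 package above
# is an old release: it will not contain fixes made to OpenVPN since then.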
#
#


#############################################################################
#############################################################################
########################## OLD POST ###############################
#############################################################################
#############################################################################

# The output is a .deb package used to install openvpn program on Raspberry PI
# Tested working on 2014-01-07-wheezy-raspbian
# Base source openvpn-2.3.4
#
#==================================================================

# First issue: installing from the default repository was painfully slow, so switch to a faster mirror.

sudo apt-get install git nano

# edit to change repository
sudo nano /etc/apt/sources.list

deb http://mirrors.neusoft.edu.cn/raspbian/raspbian/ jessie main contrib non-free rpi

sudo apt-get update

# Need a few components to be able to compile and later install deb package
sudo apt-get install gcc make automake autoconf dh-autoreconf file patch perl dh-make debhelper devscripts gnupg lintian quilt libtool pkg-config libssl-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev -y
sudo apt-get install openssl-blacklist openvpn-blacklist openssl -y

# Now we start
cd $HOME/
git clone https://github.com/mattock/openvpn-build
cd $HOME/openvpn-build/debian/openvpn/
cp changelog.sample changelog
# Edit the changelog so the version reads 2.3.4-Scramblevpn-raspbian
sudo nano changelog

openvpn (2.3.4-Scramblevpn-raspbian) stable; urgency=low

* somechange by someone
* another change by another

-- John Doe Tue, 2 Jul 2012 13:06:00 +0000

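# fetch source code & apply patch
cd "$HOME/openvpn-build/debian/openvpn"
# Fetch the release over HTTPS rather than plain HTTP so the archive cannot be
# altered in transit. OpenVPN also publishes detached GnuPG signatures for its
# release archives; checking one with `gpg --verify` before unzipping confirms
# the source is the upstream release.
wget https://swupdate.openvpn.org/community/releases/openvpn-2.3.4.zip
unzip openvpn-2.3.4.zip
# This clones whatever the patch repository's default branch holds today; read
# openvpn_xor.patch before applying it, since it modifies the OpenVPN source
# you are about to build and install.
git clone https://github.com/clayface/openvpn_xorpatch
cp openvpn_xorpatch/openvpn_xor.patch openvpn-2.3.4/
cd openvpn-2.3.4/
# Apply only when the dry run succeeds, so a failed check is not silently
# followed by the apply step.
git apply --check openvpn_xor.patch && git apply openvpn_xor.patch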

# edit to change dependency from libssl0.9.8 to libssl1.0.0
dpkg --get-selections | grep libssl
sudo nano $HOME/openvpn-build/debian/openvpn/debian/control

Depends: debconf | debconf-2.0, ${shlibs:Depends}, ${misc:Depends}, libssl1.0.0 (>= 0.9.8k), openssl-blacklist (>= 0.4), openvpn-blacklist, net-tools

# Build Deb package
cd $HOME/openvpn-build/debian/openvpn
sudo cp -r debian openvpn-2.3.4/
sudo cp changelog openvpn-2.3.4/debian/
cd openvpn-2.3.4
sudo dpkg-buildpackage -b
ls -l $HOME/openvpn-build/debian/openvpn
cd $HOME/openvpn-build/debian/openvpn

# Test Install
sudo dpkg -i openvpn_2.3.4-Scramblevpn-raspbian_armhf.deb

# Test uninstall
sudo dpkg -r openvpn

# If you are on different h/w or linux system please build your own package
# something like above.

###########################################################################
Other compiled versions

TODO


Build patched openvpn Linux package

# This post replaced by

https://scramblevpn.wordpress.com/2014/05/28/build-deb-linux-package/

# due to openvpn-2.3.4 heartbleed update

#==================================================================
#==================================================================
#==================================================================
# Old post. This is no longer valid and supported
# Base source openvpn-2.3.2
#
#==================================================================

# Need a few components to be able to compile and later install deb package
sudo apt-get update -y
sudo apt-get install gcc make automake autoconf dh-autoreconf file patch perl dh-make debhelper devscripts gnupg lintian quilt libtool pkg-config libssl-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev -y
wget http://snapshot.debian.org/archive/debian-ports/20110407T130234Z/pool-armhf/main/o/openssl098/libssl0.9.8_0.9.8o-7_armhf.deb
sudo dpkg -i libssl0.9.8_0.9.8o-7_armhf.deb
sudo apt-get install openssl-blacklist openvpn-blacklist

# Now we start
cd $HOME/
git clone https://github.com/mattock/openvpn-build
cd $HOME/openvpn-build/debian/openvpn/
cp changelog.sample changelog
# Edit Changed log to say 2.3.2-Scramblevpn-raspbian
sudo nano changelog

openvpn (2.3.2-Scramblevpn-raspbian) stable; urgency=low

* somechange by someone
* another change by another

-- John Doe Tue, 2 Jul 2012 13:06:00 +0000

# fetch source code & apply patch
cd $HOME/openvpn-build/debian/openvpn
wget http://swupdate.openvpn.org/community/releases/openvpn-2.3.2.zip
unzip openvpn-2.3.2.zip
wget https://github.com/clayface/openvpn_xorpatch/archive/master.zip
unzip master.zip
cp openvpn_xorpatch-master/openvpn_xor.patch openvpn-2.3.2/
cd openvpn-2.3.2/
git apply --check openvpn_xor.patch
git apply openvpn_xor.patch

# Build Deb package
cd $HOME/openvpn-build/debian/openvpn
sudo cp -r debian openvpn-2.3.2/
sudo cp changelog openvpn-2.3.2/debian/
cd openvpn-2.3.2
sudo dpkg-buildpackage -b
ls -l $HOME/openvpn-build/debian/openvpn
cd $HOME/openvpn-build/debian/openvpn

# Test Install
sudo dpkg -i openvpn_2.3.2-Scramblevpn-raspbian_armhf.deb

# Test uninstall
sudo dpkg -r openvpn

# If you are on different h/w or linux system please build your own package
# something like above.
# Deb package available for Raspberry pi, Install as follows

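# libssl0.9.8 is taken from a 2011 Debian snapshot; fetch it over HTTPS so the
# package that dpkg installs as root cannot be swapped in transit.
wget https://snapshot.debian.org/archive/debian-ports/20110407T130234Z/pool-armhf/main/o/openssl098/libssl0.9.8_0.9.8o-7_armhf.deb
sudo dpkg -i libssl0.9.8_0.9.8o-7_armhf.deb
sudo apt-get install openssl-blacklist openvpn-blacklist liblzo2-dev libpam0g-dev libpkcs11-helper1-dev -y
# Leave TLS certificate checking on for the prebuilt package as well. If wget
# reports a certificate error, install the ca-certificates package instead of
# disabling the check.
wget https://www.dropbox.com/s/pdhlcw7870ucsle/openvpn_2.3.2-Scramblevpn-raspbian_armhf.deb
# The page gives no checksum for this file, so print its SHA-256 and compare it
# with a value obtained from the packager through a separate channel before
# installing.
sha256sum openvpn_2.3.2-Scramblevpn-raspbian_armhf.deb
sudo dpkg -i openvpn_2.3.2-Scramblevpn-raspbian_armhf.deb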

###########################################################################
Other compiled versions
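There is a dependency on libssl0.9.8, so you need to download and install it from
https://packages.debian.org/squeeze/libssl0.9.8
Note that libssl0.9.8 is a long-superseded OpenSSL series, so a system that installs it for these packages carries an OpenSSL library that no longer receives fixes.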

Ubuntu AMD64
https://www.dropbox.com/s/0v3mpijtb5ogyk4/openvpn_2.3.2-scramblevpn-64bitubuntu1204_amd64.deb

Ubuntu 12.04 32-bit Minimal
https://www.dropbox.com/s/u4pba8ip5ggwy3z/openvpn_2.3.2-scramble-ubuntu1204_i386.deb


Build patched Windows openvpn Client


#
#
# So far the scramble openvpn patch still works.
# It only disguises the OpenVPN protocol on the wire; before relying on it,
# read more about the controversy here
# https://tunnelblick.net/cOpenvpn_xorpatch.html#the-openvpn_xorpatch-controversy
#
# Patch sources
# https://github.com/Tunnelblick/Tunnelblick/tree/master/third_party/sources/openvpn
# https://github.com/clayface/openvpn_xorpatch
#
##########################################################
#
#
# for Openvpn 2.4.1 using tunnelblick patch for 32bit windows
# https://www.dropbox.com/s/i3qmr712d8bnqiz/openvpn.exe
# Replace the openvpn.exe file in C:\Program Files\OpenVPN\bin
#
# for Openvpn 2.4.1 using tunnelblick patch for 64bit windows
# https://www.dropbox.com/s/0fie1kr5gppqjfy/openvpn.exe
# Replace the openvpn.exe file in C:\Program Files\OpenVPN\bin
#
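# For older versions, see bottom of post.
# But the safest option is to build your own patched server and client:
# the downloads above come with no checksum or signature, so you cannot
# confirm what the replacement openvpn.exe contains.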
#
##########################################################
# Building patched windows openvpn
# Using Ubuntu 14.04 trusty 64-bit server
# Built using a VPS by digitalocean 512MB Ram 20GB SSD Disk Ubuntu 14.04 x64 San Francisco
#
# My Guides
# https://community.openvpn.net/openvpn/wiki/SettingUpGenericBuildsystem
# https://community.openvpn.net/openvpn/wiki/BuildingUsingGenericBuildsystem
#
# And these are the commands to build the openvpn.exe from source code and patch

# Fetch the build-system setup script attached to the OpenVPN community wiki.
# Read it before running: it is executed as downloaded, with no checksum check.
wget https://community.openvpn.net/openvpn/raw-attachment/wiki/SettingUpGenericBuildsystem/setup-generic-buildsystem.5.sh
chmod +x ./setup-generic-buildsystem.5.sh

# If Ubuntu 14.04 trusty
./setup-generic-buildsystem.5.sh trusty

# Now lets build it without patch
# This will fetch the source code for us.

cd openvpn-build/generic
IMAGEROOT=`pwd`/image-win32 CHOST=i686-w64-mingw32 CBUILD=x86_64-pc-linux-gnu ./build

# We don't want this compiled version, so delete it
rm -rf image-*

# get the patch
# The five Tunnelblick xorpatch pieces (a-e) for openvpn-2.4.1 are fetched from
# the repository's master branch, so their content follows whatever is
# committed there at download time.
cd ~/openvpn-build/generic/patches
patch_base=https://raw.githubusercontent.com/Tunnelblick/Tunnelblick/master/third_party/sources/openvpn/openvpn-2.4.1/patches
for patch_name in \
  02-tunnelblick-openvpn_xorpatch-a.diff \
  03-tunnelblick-openvpn_xorpatch-b.diff \
  04-tunnelblick-openvpn_xorpatch-c.diff \
  05-tunnelblick-openvpn_xorpatch-d.diff \
  06-tunnelblick-openvpn_xorpatch-e.diff
do
  wget "$patch_base/$patch_name"
done

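# We apply patch the long way: unpack the release tarball, patch the tree,
# then repack it under the same name so ./build picks up the patched source.
# The steps run in a subshell with `set -e`, so a patch that fails its check
# stops the sequence before the tarball is replaced, without closing an
# interactive shell. The original tarball is removed only after every patch
# has applied.
(
  set -e
  src_dir="$HOME/openvpn-build/generic/sources"
  patch_dir="$HOME/openvpn-build/generic/patches"

  cd "$src_dir"
  tar xfz ./openvpn-2.4.1.tar.gz
  cd "$src_dir/openvpn-2.4.1"

  for patch_file in \
    02-tunnelblick-openvpn_xorpatch-a.diff \
    03-tunnelblick-openvpn_xorpatch-b.diff \
    04-tunnelblick-openvpn_xorpatch-c.diff \
    05-tunnelblick-openvpn_xorpatch-d.diff \
    06-tunnelblick-openvpn_xorpatch-e.diff
  do
    cp "$patch_dir/$patch_file" .
    # Check each patch against the tree as it stands after the previous one,
    # then apply it; a failed check aborts the subshell.
    git apply --check "$patch_file"
    git apply "$patch_file"
  done

  cd "$src_dir"
  rm openvpn-2.4.1.tar.gz
  tar cfz ./openvpn-2.4.1.tar.gz ./openvpn-2.4.1
  rm -rf ./openvpn-2.4.1
)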

# Now lets build it
cd ~/openvpn-build/generic/

# build for openvpn 32 bit
IMAGEROOT=`pwd`/image-win32 CHOST=i686-w64-mingw32 CBUILD=x86_64-pc-linux-gnu ./build

# build for openvpn 64 bit
IMAGEROOT=`pwd`/image-win64 CHOST=x86_64-w64-mingw32 CBUILD=x86_64-pc-linux-gnu ./build

# Check we have openvpn.exe
ls $HOME/openvpn-build/generic/image-win32/openvpn/bin
ls $HOME/openvpn-build/generic/image-win64/openvpn/bin

# Use WinSCP to copy openvpn.exe from the Ubuntu server
# to C:\ on the Windows machine.
# Then, in Windows, copy it over to the OpenVPN bin directory

#
# Guide: Building OpenVPN and its dependencies
#
# The ''./build'' command fetches all the dependencies, builds them and builds OpenVPN.
# To build a native binary:
# IMAGEROOT=`pwd`/image-native ./build
#
# To build for Windows 32bit on Linux 64bit:
# IMAGEROOT=`pwd`/image-win32 CHOST=i686-w64-mingw32 CBUILD=x86_64-pc-linux-gnu ./build
#
# To build for Windows 64bit on Linux 64bit:
# IMAGEROOT=`pwd`/image-win64 CHOST=x86_64-w64-mingw32 CBUILD=x86_64-pc-linux-gnu ./build
#
# To build for Arm on Linux 64bit:
# IMAGEROOT=`pwd`/image-arm CHOST=arm-linux-gnueabi CBUILD=x86_64-pc-linux-gnu ./build
#####################################################################
#
# old Patched openvpn for earlier versions
#
# for Openvpn 2.4.0 using tunnelblick patch 32bit
# https://www.dropbox.com/s/z3ox14scp18koao/openvpn.exe
# Replace the openvpn.exe file in C:\Program Files\OpenVPN\bin
#
# for Openvpn 2.4.0 using tunnelblick patch 64bit
# https://www.dropbox.com/s/hh986ugknpnkxsg/openvpn.exe
# Replace the openvpn.exe file in C:\Program Files\OpenVPN\bin
#
# for Openvpn 2.3.10 clayface patch 32bit
# https://www.dropbox.com/s/sw2rqr0g50tvw9f/openvpn.exe
# Replace the openvpn.exe file in C:\Program Files (x86)\OpenVPN\bin
#
# for Openvpn 2.3.10 clayface patch 64bit
# https://www.dropbox.com/s/ivn5xsni15cucjy/openvpn.exe
# Replace the openvpn.exe file in C:\Program Files\OpenVPN\bin
#
# for Openvpn 2.3.10 tunnelblick patch 32bit
# https://www.dropbox.com/s/qagttkh0zna7hyl/openvpn.exe
# Replace the openvpn.exe file in C:\Program Files (x86)\OpenVPN\bin
#
# for Openvpn 2.3.10 tunnelblick patch 64bit
# https://www.dropbox.com/s/r2xrlqqe040k4cp/openvpn.exe
# Replace the openvpn.exe file in C:\Program Files\OpenVPN\bin
#
# for Openvpn 2.3.6 32bit
# https://www.dropbox.com/s/nxzv3d0tfcs331m/openvpn.exe
# Replace the openvpn.exe file in C:\Program Files (x86)\OpenVPN\bin
#
# for Openvpn 2.3.6 64bit
# https://www.dropbox.com/s/benu8o3n2jck7ni/openvpn.exe
# Replace the openvpn.exe file in C:\Program Files\OpenVPN\bin
#
# for Openvpn 2.3.5 32bit
# https://www.dropbox.com/s/gbpwf2lafhbd1e3/openvpn.exe
# Replace the openvpn.exe file in C:\Program Files (x86)\OpenVPN\bin
#
# for Openvpn 2.3.5 64bit
# https://www.dropbox.com/s/is3c7g9l5hh6guh/openvpn.exe
# Replace the openvpn.exe file in C:\Program Files\OpenVPN\bin
#
# for Openvpn 2.3.4 32bit
# https://www.dropbox.com/s/l01si68evyfxqar/openvpn.exe
# Replace the openvpn.exe file in C:\Program Files (x86)\OpenVPN\bin
#
# for Openvpn 2.3.4 64bit
# https://www.dropbox.com/s/4jhdgnvgs2c29d6/openvpn.exe
# Replace the openvpn.exe file in C:\Program Files\OpenVPN\bin
#
# for Openvpn 2.3.2 32bit
# https://www.dropbox.com/sh/7i36q61cbahonup/fK4ItfTreB/openvpn.exe
# Replace the openvpn.exe file in openvpn/bin
#
# for Openvpn 2.3.2 64bit
# https://www.dropbox.com/s/01s0vq98oxlhim2/openvpn.exe
# Replace the openvpn.exe file in C:\Program Files\OpenVPN\bin
#
# for Openvpn 2.2.2
# http://www.obfsvpn.com/openvpn.7z
# unzip and Replace the openvpn.exe file in the openvpn/bin directory
# Usually C:\Program Files (x86)\OpenVPN\bin
#


Raspberry PI and patched openvpn server, built from source code(version 2.0)

# Added 22/9/2013: start openvpn server as service
# Added 22/9/2013: script to combine keys and certs inline in client config
# Update 9/2/2014: easy-rsa updated
# Update 9/2/2014: re-tested and verified working RPI 2014-01-07-wheezy-raspbian

# This post builds a patched openvpn server on a Raspberry PI
# In places like China, one of many methods to bypass vpn blocking
# is to add a patch to scramble the protocol.

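# To get it working, you need both sides patched, the server and the client,
# and you need to add the same scramble key to the server and client configs.
# Below we use the example scramble key “test”; replace it with your own value.
# The key only disguises the packet format: confidentiality and authentication
# still come from the certificates, tls-auth key and cipher configured below.
# The key must be identical in the server and client openvpn configs
# i.e. scramble obfuscate test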

# For patched Windows Client see
# https://scramblevpn.wordpress.com/2013/09/28/build-patched-windows-openvpn-client/
# For details about the patch and options see
# https://forums.openvpn.net/topic12605.html

######################################################
# Now to Raspberry PI
# Firstly, if you already have an earlier formal installation of openvpn, remove it
sudo mkdir $HOME/config_backup
sudo cp -rf /etc/openvpn/* $HOME/config_backup/
sudo apt-get purge openvpn -y

# Now download OpenVPN source code and update with patch
cd $HOME
wget https://github.com/OpenVPN/openvpn/archive/release/2.3.zip
unzip 2.3.zip
wget https://github.com/clayface/openvpn_xorpatch/archive/master.zip
unzip master.zip

cp openvpn_xorpatch-master/openvpn_xor.patch openvpn-release-2.3/
cd openvpn-release-2.3/
git apply --check openvpn_xor.patch
git apply openvpn_xor.patch
cd $HOME
sudo mv ./openvpn-release-2.3/ /etc/openvpn

# We need to add a few components to be able to compile
sudo apt-get update
sudo apt-get install gcc make automake autoconf dh-autoreconf file patch perl dh-make debhelper devscripts gnupg lintian quilt libtool pkg-config libssl-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev -y

# This is the bit where we make the new openvpn server
# NOTE(review): every build step below runs under sudo, so the configure and
# make scripts of the downloaded, patched source execute as root.
cd /etc/openvpn/
sudo autoreconf -i -v -f
sudo ./configure --prefix=/usr
sudo make
sudo make install
# The init script comes from a gist URL that names a specific revision; it is
# installed as a root-run service script, so read it before enabling it.
sudo wget https://gist.github.com/john564/6765292/raw/0a97df1237a138a5a941bbec45b6cd41e973f840/etc+init.d+openvpn -O /etc/init.d/openvpn
sudo chmod +x /etc/init.d/openvpn
sudo update-rc.d openvpn defaults

# Now we set up the server keys and certs
# TIP: You must answer y to Sign the certificate? [y/n]:y
# TIP: You must answer y to commit? [y/n]y
# everything else just keep pressing return
cd /etc/openvpn
sudo wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz
sudo tar -zxvf easy-rsa-2.2.0_master.tar.gz
sudo cp -R easy-rsa-2.2.0_master/easy-rsa/ /etc/openvpn/
sudo chown -R $USER /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa/2.0/
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
./build-key client1

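cd /etc/openvpn/easy-rsa/2.0/keys
# The server config only references ca.crt, server.crt, server.key, the DH
# parameters and ta.key. ca.key (the CA private key) is deliberately not
# copied: anyone who can read it can issue certificates this VPN will trust,
# so it should not sit in the running server's config directory.
# dh1024.pem holds 1024-bit Diffie-Hellman parameters, which are weak by
# current standards; raising KEY_SIZE in easy-rsa's vars before ./build-dh
# produces a larger file, whose name must then be used here and in server.conf.
sudo cp ca.crt dh1024.pem server.crt server.key /etc/openvpn
sudo mkdir "$HOME/openvpn-client-files"
# Files the client needs: CA certificate, client certificate and client key.
sudo cp ca.crt client1.crt client1.key "$HOME/openvpn-client-files"
# Shared tls-auth key, generated on the server and copied to the client set.
sudo openvpn --genkey --secret /etc/openvpn/ta.key
sudo cp /etc/openvpn/ta.key "$HOME/openvpn-client-files"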

# Now we create the OpenVPN client configuration on the Raspberry PI
sudo nano $HOME/openvpn-client-files/raspberrypi-client-scrambled.ovpn


client
dev tun
scramble obfuscate test
proto udp
remote change_this_to_server_address 34557
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3

# Now we merge client certs and keys into the client script
sudo wget https://gist.github.com/john564/6763098/raw/9e3e42fc9c171e238a08c62a64cf2e0ec5c50c73/combine.sh -O $HOME/openvpn-client-files/combine.sh

cd $HOME/openvpn-client-files/
sudo chmod +x $HOME/openvpn-client-files/combine.sh
sudo $HOME/openvpn-client-files/combine.sh
sudo chown $USER $HOME/openvpn-client-files/raspberrypi-client-scrambled.ovpn

# Now transfer combined client script raspberrypi-client-scrambled.ovpn
# in $HOME/openvpn-client-files to your client PC
# Due to permissions, I had to transfer it to C:\
# then in windows, copy the file(s)
# to C:\Program Files (x86)\OpenVPN\config
# or windows 32bit
# C:\Program Files\OpenVPN\config

# Back to Raspberry PI, Now we create file for server config
# Below is my OpenVPN server configuration saved as /etc/openvpn/server.conf
sudo nano /etc/openvpn/server.conf

port 34557
proto udp
dev tun
scramble obfuscate test
ca ca.crt
cert server.crt
key server.key
tls-auth ta.key 0
dh dh1024.pem
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
user nobody
group nogroup
status openvpn-status.log
verb 3
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 5 30

# uncomment to allow data redirect
sudo nano /etc/sysctl.conf

net.ipv4.ip_forward=1

# Make file for firewall setting
sudo nano /usr/local/bin/firewall.sh

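#!/bin/bash
# Firewall rules for the OpenVPN server: forward and NAT traffic from the VPN
# subnet 10.8.0.0/24 (the `server` range in server.conf) and reject every other
# forwarded packet.

# Start from empty filter and nat tables so reruns do not stack duplicate rules.
iptables -t filter -F
iptables -t nat -F
# Replies to connections that were already allowed.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# New connections are forwarded only when they arrive on a tun interface with a
# VPN-subnet source; matching on the source address alone would also accept
# packets from other interfaces that merely claim a 10.8.0.x address.
iptables -A FORWARD -i tun+ -s "10.8.0.0/24" -j ACCEPT
iptables -A FORWARD -j REJECT
# Rewrite the source of VPN client traffic to the Pi's own address on the way out.
iptables -t nat -A POSTROUTING -s "10.8.0.0/24" -j MASQUERADE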

# Make firewall script executable, run it and check
sudo chmod +x /usr/local/bin/firewall.sh
sudo /usr/local/bin/firewall.sh
sudo iptables --list

# add new text line into file /etc/rc.local
# before ‘exit 0′ to ensure the firewall rules are run at reboot or power up.
sudo nano /etc/rc.local

/usr/local/bin/firewall.sh

# reboot the pi
sudo reboot


# Connect VPN client from remote location
# does not work when client and server are connected
# to same router and you try external IP address.
# If you want to do a local test at home
# connect to local IP address of server e.g. 192.168.1.4
# when you go to your remote location, connect to no-ip address or external static IP


# check VPN is working by checking your IP address changes
# after you connect http://ipchicken.com/
#

# TIPs
sudo /etc/init.d/openvpn status
ifconfig

# useful to debug starting openvpn manually to check for any errors

sudo /etc/init.d/openvpn stop
cd /etc/openvpn/
sudo openvpn /etc/openvpn/server.conf


Raspberry PI patched openvpn server (version 1.1)

# Also see another Post, (Version 3) different procedure, using easyrsa3
# https://scramblevpn.wordpress.com/2014/02/06/raspberry-pi-and-patched-openvpn-serverversion-3-0/

# This post Re-tested and working on 2014-01-07-wheezy-raspbian
# Tested on 2013-07-26-wheezy-raspbian
# This post builds a patched openvpn server on a Raspberry PI
# When the openvpn protocol is blocked, you need to add a patch
# to scramble the protocol.

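# To get it completely working, you need both sides patched, the server and the client,
# and you need to add the same scramble key to the server and client configs.
# Below we use the simple example scramble key “test”; replace it with your own value.
# The key only disguises the packet format: confidentiality and authentication
# still come from the certificates, tls-auth key and cipher configured below.
# The key must be identical in the server and client openvpn configs
# scramble obfuscate test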

# To make a patched Windows Client, you need to cross compile from *nix.
# Follow these instruction to cross compile from Ubuntu to Windows
https://community.openvpn.net/openvpn/wiki/SettingUpGenericBuildsystem
# For details about the patch and options see
https://forums.openvpn.net/topic12605.html

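# Otherwise download a patched version of openvpn.exe
# for Openvpn 2.2.2 http://www.obfsvpn.com/openvpn.7z
# Replace the openvpn.exe file in the openvpn\bin directory
# Usually C:\Program Files (x86)\OpenVPN\bin
# Note: this archive is fetched over plain HTTP and no checksum is listed for
# it, so cross compiling your own client as described above is the route you
# can actually verify.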

######################################################
# Now to Raspberry PI, where we build a server that supports scrambled openvpn
# We download openvpn source code and update with patch
# then setup the openvpn server

cd /home/pi/
wget https://github.com/clayface/openvpn_xorpatch/archive/master.zip
unzip master.zip

wget https://github.com/OpenVPN/openvpn/archive/release/2.3.zip
unzip 2.3.zip

cp openvpn_xorpatch-master/openvpn_xor.patch openvpn-release-2.3/
cd openvpn-release-2.3/
git apply --check openvpn_xor.patch
git apply openvpn_xor.patch

# We need to add a few components to be able to compile
sudo apt-get update
sudo apt-get install gcc make automake autoconf dh-autoreconf file patch perl dh-make debhelper devscripts gnupg lintian quilt libtool pkg-config libssl-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev -y
sudo apt-get update

# if you already have an earlier formal installation of openvpn, remove it
sudo mkdir $HOME/config_backup
sudo cp -rf /etc/openvpn/* $HOME/config_backup/
sudo apt-get remove openvpn

# This is the bit where we make the new openvpn server
cd /home/pi/openvpn-release-2.3
sudo autoreconf -i -v -f
sudo ./configure
sudo make
sudo make install

# Now set up the server
cd /home/pi/openvpn-release-2.3
sudo wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz
sudo tar -zxvf easy-rsa-2.2.0_master.tar.gz
sudo cp -R easy-rsa-2.2.0_master/easy-rsa/ /home/pi/openvpn-release-2.3/
sudo chown -R $USER /home/pi/openvpn-release-2.3/easy-rsa/
cd /home/pi/openvpn-release-2.3/easy-rsa/2.0/
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
./build-key clientpi

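cd /home/pi/openvpn-release-2.3/easy-rsa/2.0/keys
# The server config only references ca.crt, server.crt, server.key, the DH
# parameters and tapi.key. ca.key (the CA private key) is deliberately not
# copied: anyone who can read it can issue certificates this VPN will trust,
# so it should not sit next to the running server's config.
sudo cp ca.crt dh1024.pem server.crt server.key /home/pi/openvpn-release-2.3/
sudo mkdir "$HOME/openvpn-client-files"
# Files the client needs; the CA certificate is renamed to capi.crt to match
# the `ca capi.crt` line in the client config.
sudo cp ca.crt clientpi.crt clientpi.key "$HOME/openvpn-client-files"
sudo mv "$HOME/openvpn-client-files/ca.crt" "$HOME/openvpn-client-files/capi.crt"
# Shared tls-auth key, generated on the server and copied to the client set.
sudo openvpn --genkey --secret /home/pi/openvpn-release-2.3/tapi.key
sudo cp /home/pi/openvpn-release-2.3/tapi.key "$HOME/openvpn-client-files"
# The copies above are root-owned. Hand the two secret files to the login user
# so they can be transferred, instead of `chmod +r`, which would make the
# client private key and the tls-auth key readable by every account on the Pi.
sudo chown "$USER" "$HOME/openvpn-client-files/clientpi.key" "$HOME/openvpn-client-files/tapi.key"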

sudo nano $HOME/openvpn-client-files/raspberrypi-client-scrambled.ovpn

client
dev tun
scramble obfuscate test
proto udp
remote change_this_to_server_address 34557
resolv-retry infinite
nobind
persist-key
persist-tun
ca capi.crt
cert clientpi.crt
key clientpi.key
tls-auth tapi.key 1
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3

sudo nano /home/pi/openvpn-release-2.3/server.conf

port 34557
proto udp
dev tun
scramble obfuscate test
ca ca.crt
cert server.crt
key server.key
tls-auth tapi.key 0
dh dh1024.pem
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
user nobody
group nogroup
status openvpn-status.log
verb 3
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 5 30

# uncomment to allow data redirect
sudo nano /etc/sysctl.conf

net.ipv4.ip_forward=1

# Make file for firewall setting
sudo nano /usr/local/bin/firewall.sh

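#!/bin/bash
# Firewall rules for the OpenVPN server: forward and NAT traffic from the VPN
# subnet 10.8.0.0/24 (the `server` range in server.conf) and reject every other
# forwarded packet.

# Start from empty filter and nat tables so reruns do not stack duplicate rules.
iptables -t filter -F
iptables -t nat -F
# Replies to connections that were already allowed.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# New connections are forwarded only when they arrive on a tun interface with a
# VPN-subnet source; matching on the source address alone would also accept
# packets from other interfaces that merely claim a 10.8.0.x address.
iptables -A FORWARD -i tun+ -s "10.8.0.0/24" -j ACCEPT
iptables -A FORWARD -j REJECT
# Rewrite the source of VPN client traffic to the Pi's own address on the way out.
iptables -t nat -A POSTROUTING -s "10.8.0.0/24" -j MASQUERADE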

# Make firewall script executable, run it and check
sudo chmod +x /usr/local/bin/firewall.sh
sudo /usr/local/bin/firewall.sh
sudo iptables --list

# add two new text lines into file /etc/rc.local
# before ‘exit 0′ to ensure the firewall and openvpn server is created at reboot or power up.
sudo nano /etc/rc.local

/usr/local/bin/firewall.sh
/home/pi/startscript.sh start

cd $HOME
sudo nano startscript.sh

The start script is available here -> http://pastebin.com/MMKd9AWn (read it through before saving it: /etc/rc.local runs it as root at every boot)

# Make script executable, run and check status
sudo chmod +x startscript.sh
sudo /home/pi/startscript.sh start
sudo /home/pi/startscript.sh status

# or alternative start openvpn as follows
sudo openvpn /home/pi/openvpn-release-2.3/server.conf

# reboot the pi
sudo reboot


# Connect VPN client from remote location
# does not work when client and server are connected
# to same router and you try external IP address.
# If you want to do a local test at home
# connect to local IP address of server e.g. 192.168.1.4
# when you go to your remote location, connect to no-ip address or external static IP


# check VPN is working by checking your IP address changes
# after you connect http://ipchicken.com/
#
# Extra: If you want to put the certs and keys inline, within the client script
# see http://pastebin.com/TAu3T7JX#
