Howto/20130118 Setup Routed Tun OpenVPN server on Ubuntu 12.04

From Interpause
Jump to navigationJump to search

Donations

Donations are not required but much appreciated. If you find the following helpful, you may send donations to my Paypal address lucky13bbq@yahoo.com. Thanks!

Motivation

  1. To be able to workaround Petro-Canada Mobility/7-11 Speakout's proxied 3g data connection so that I can make free calls to a landline using a voip app such as Fongo. My previous solution was to use another app Droidvpn but this had two issues: 1) it is only free for 100 megs/day and 2) it requires a rooted android phone. Setting up and using my own server therefore removes the 100 meg/day limit and does not require a rooted android phone. I initially did the following steps on my own home server as a test, but because it requires using port 443 which my webserver was already using, I ended up renting an unmanaged VPS for much cheaper than droidvpn charges (especially when it's split amongst me, the wife and my dad).
  2. To able to access hulu.com and netflix US. Should also work with Amazon Instant Video. Assumes that your vpn server is located in the US.

Source material

  1. OpenVPN howto: http://openvpn.net/index.php/open-source/documentation/howto.html
  2. Redflagdeals post: http://forums.redflagdeals.com/speakout-data-android-calling-all-users-tips-tricks-1053209/175/#post15982561
  3. My previous OpenVPN setup guide for bridged VPNs: Howto/Setup Bridged OpenVPN server on Ubuntu 10.04
  4. Workaround if ipt_MASQUERADE module is missing: http://forum.openvz.org/index.php?t=msg&goto=8117 (and to some extent http://ubuntuforums.org/showthread.php?t=1795535 )
  5. bytecounts: https://openvpn.net/archive/openvpn-users/2007-08/msg00184.html

My setup

  • An android phone running the openvpn client (tested with an Xperia Ray running stock Sony Android 4.0 ROM) with a proxied 3g data connection via Petro-Canada Mobility
  • A server running Ubuntu 12.04 64-bit with port 443 available
  • OpenVPN server configuration: tun, tcp, pre-shared key/cert authentication
  • Ouput openvpn bytecounts to log server usage
  • The Phantom (thephantom1492@yahoo.com) has tested running the openvpn client on his iphone (see below), thanks for the contribution!

The Steps

Step 1) Install server software
sudo apt-get install openvpn iptables-persistent openssl
Step 2) Obtain conf files

Copy sample conf files located in /usr/share/doc/openvpn/examples/sample-config-files/ to /etc/openvpn

Step 3) Generate certificates and keys for the server and multiple clients

Follow guide @ http://openvpn.net/index.php/open-source/documentation/howto.html#pki Tip: You may need to rename the openssl-1.0.0.cnf file to openssl.cnf.

Step 4) Edit the server.conf file.

Notes: Only tun is supported on the openvpn android 4.0 client. Also, port 443 and tcp rather than udp must be used for proxied openvpn connections.

port 443
proto tcp
;proto udp
dev tun
;dev tap
ca ca.crt # this was generated in previous step
cert server.crt # this was generated in previous step
key server.key # this was generated in previous step
dh dh1024.pem # this was generated in previous step
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 8.8.8.8"
duplicate-cn # it's not recommended for clients to share cert/keys,
             # but I'm gonna do it anyways
user nobody
group nogroup
management localhost 8000 # enable management interface
script-security 2 # to run scripts
client-disconnect "scripts/client-disconnect.sh" # log bytecounts to a file
Step 5) Enable ip forwarding

Edit /etc/sysctl.conf

net.ipv4.ip_forward=1
Step 6) Route all traffic through the vpn using iptables

Note: 10.8.0.0 was defined in server.conf and eth0 is assumed to be the network device as defined in the output of ifconfig. For a VPS, this might be venet0. Tip: Using iptables-save (iptables-persistent) will ensure that the settings are reloaded on next reboot.

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
sudo iptables-save | sudo tee /etc/iptables/rules.v4

Troubleshooting tip: On a second VPS I setup up under OpenVZ, I had a problem with the ipt_MASQUERADE module being absent. So I had to do the following instead:

sudo iptables -t nat -A POSTROUTING -j SNAT --to-source <server_wan_ip_or_vps_venet_ip>
sudo iptables-save | sudo tee /etc/iptables/rules.v4
Step 7) Log bytecounts to a file using a script

Every time a user disconnects, bytecounts will written to a file. Place the following script in /etc/openvpn/scripts/client-disconnect.sh

#!/bin/sh

LOGGER=/usr/bin/logger

$LOGGER -s -plocal3.debug -t "[openvpn client-disconnect] `date`" NAME=${common_name} SENT/RECEIVED=${bytes_sent}/${bytes_received} 
VIRT_IP=${ifconfig_pool_remote_ip} REAL_IP=${untrusted_ip} 2>> /etc/openvpn/bytecounts.log

Change permissions of the script file and bytecounts.log file

sudo chmod a+x /etc/openvpn/scripts/client-disconnect.sh
sudo touch /etc/openvpn/bytecounts.log && sudo chown nobody /etc/openvpn/bytecounts.log
Step 8) Start the server

Simply rebooting should start the server.

sudo /etc/init.d/openvpn restart

Tip: Run the openvpn server manually rather than as a daemon to facilitate debugging as follows.

sudo openvpn --config server.conf
Step 9) Copy necessary files to the openvpn client (the phone)

Copy the 4 following files: 1) ca*.crt the Root CA certificate, 2) client1*.crt the Client1 Certificate, 3) client1*.key the Client1 Key, 4) client*.conf the sample openvpn client config file which we shall modify next

Step 10) Edit the openvpn client config file

Tip: It might be easier to edit the config file on a computer before transferring to the phone.

;dev tap
dev tun
proto tcp
;proto udp
remote your.server.com 443 # change this to the ip of your server
resolv-retry infinite
http-proxy 10.128.1.69 80 # this is petro-canada mobility's APN http proxy
# do not use the previous line with wifi
# more info: http://mobility.petro-canada.ca/en/questions/138.aspx
ca ca.crt # this was generated previously and is the same file used by the server
cert client.crt # this was generated previously
key client.key # this was generated previously
;ns-cert-type server
remote-cert-tls server
Step 11a) Install client software on an android smartphone

Two options for Android 4+ that don't require root:

  • Official (recommended): https://play.google.com/store/apps/details?id=net.openvpn.openvpn&hl=en You will need to import the profile from SD then add a proxy manually in the Settings menu. If you have more than one VPN server, the client will fallback to the next server if the first server is unavailable which is nice.
  • Unofficial: https://play.google.com/store/apps/details?id=de.blinkt.openvpn Open the app, go to the vpn profiles page, open the client conf file, save the imported profile, verify location of 3 client files (server cert, client cert and client key). The proxy must be set in the config file. Note unlike the official app, this app only connects to a single server and will not fallback to a second server if the first is unavailable.

For Android 2.3, root required and need both apps:

  1. OpenVPN Installer: https://play.google.com/store/apps/details?id=de.schaeuffelhut.android.openvpn.installer&hl=en
  2. OpenVPN Settings: https://play.google.com/store/apps/details?id=de.schaeuffelhut.android.openvpn&hl=en (Note: If you are unable to browse, it might mean that the dns servers are not getting pushed to the client. In the config preferences, enable "Use VPN DNS server" and set the VPN DNS server to Google's DNS server to 8.8.8.8)
Step 11b) Install client software on a pc

http://openvpn.net/index.php?option=com_content&id=357

Step 11c) Install client software on iphone (thanks The Phantom thephantom1492@yahoo.com)
  • IPhone (tested on 4s), should work on ipad too.
  • On the appstore, install openvpn, free apps.
  • You need to make a config file, here is an example:
---- start of config.ovpn ----
dev tun
proto tcp
remote put.your.ip.address.here.or.your.hostname 443
cipher AES-128-CBC
auth SHA1
resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
paste your server.ca certificate here
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
paste your user.crt data here
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
paste your user.key here
-----END RSA PRIVATE KEY-----
</key>
---- end of config.ovpn ----
  • Transfer the file using itune or email it to yourself (use the mail app, then click on the attachment and open with openvpn). OpenVPN will now open.
  • Add the profile, put your username and password.
  • Then, go to the Settings app, find openvpn.
  • Protocol: TCP
  • Enable proxy
  • Host: 10.128.1.69
  • Port: 80
  • Then you should be able to connect.
Step 12) Start the client

Disable wifi, enable 3g, connect to the vpn. Most if not all apps should work as if the 3g data connection was not proxied. Also, if you rented a VPS in the US, you should be able to watch netflix US as well as hulu.com (I needed to sideload the hulu plus app however, google it). Should also work with Amazon Instant Video (untested).

Bonus step 13) Forward torrent traffic through the vpn on port 44444 to 10.8.0.6
iptables -t nat -A PREROUTING -p tcp --dport 6880 -j DNAT --to 10.8.0.6:6880

iptables -t nat -A PREROUTING -p tcp --dport 44444 -j DNAT --to 10.8.0.6:44444

iptables -t nat -A PREROUTING -p udp --dport 44444 -j DNAT --to 10.8.0.6:44444

Troubleshooting

On Ubuntu 20.04, if openvpn fails with error "dh key too small", try
openssl dhparam -out /etc/openvpn/dh2048.pem 2048
  • and change in /etc/openvpn/server.conf – from dh dh1024.pem to dh dh2048.pem

Source: https://kudzia.eu/b/2019/08/openvpn-openssl-error1408518assl-routinesssl3_ctx_ctrldh-key-too-small-after-upgrade-to-debina-buster/

On Ubuntu 16.04, if openvpn starts manually but fails to start as a service

Comment out the LimitNPROC line in /lib/systemd/system/openvpn@.service.

Source: https://serverfault.com/questions/891810/openvpn-wont-start-as-a-service-with-config-file

On Ubuntu 18.04, if CRL expired error appears in the log
  • Edit the easy-rsa/vars file and raised the CRL publish time to 10 years
set_var EASYRSA_CRL_DAYS 3650
  • Generate new crl.pem
easyrsa gen-crl
  • Copy or sym link new crl.pem file to openvpn server config folder
  • Restart server

Source: https://forum.openwrt.org/t/solved-openvpn-tls-handshake-timeout/46662/13