Howto/20130118 Setup Routed Tun OpenVPN server on Ubuntu 12.04

From Interpause
Revision as of 11:14, 18 January 2013 by Andrew (talk | contribs) (→ The Steps)

Motivation

To be able to work around Petro-Canada Mobility/7-11 Speakout's proxied 3G data connection so that I can make free calls to a landline using a VoIP app such as Fongo. My previous solution was to use another app, DroidVPN, but this had two issues: 1) it is only free for 100 MB/day and 2) it requires a rooted Android phone. Setting up and using my own server therefore removes the 100 MB/day limit and does not require a rooted Android phone. I initially did the following steps on my own home server as a test, but because it requires using port 443, which my web server was already using, I ended up renting a VPS located in Buffalo, NY for $12 USD/year.

Source material

  1. OpenVPN howto: http://openvpn.net/index.php/open-source/documentation/howto.html
  2. Redflagdeals post: http://forums.redflagdeals.com/speakout-data-android-calling-all-users-tips-tricks-1053209/175/#post15982561
  3. My previous OpenVPN setup guide for bridged VPNs: Howto/Setup Bridged OpenVPN server on Ubuntu 10.04

My setup

  • An android phone (tested with version 4.0) with a proxied 3g data connection via Petro-Canada Mobility
  • A server running Ubuntu 12.04 64-bit with port 443 available

The Steps

Step 1) Install server software
sudo apt-get install openvpn iptables-persistent openssl

Step 2) Obtain conf files

Copy the sample conf files located in /usr/share/doc/openvpn/examples/sample-config-files/ to /etc/openvpn.

Step 3) Generate certificates and keys for the server and multiple clients

Follow the guide at http://openvpn.net/index.php/open-source/documentation/howto.html#pki. Tip: You may need to rename the openssl-1.0.0.cnf file to openssl.cnf.

Step 4) Edit the server.conf file

Notes: Only tun is supported on Android 4.0; port 443 and TCP rather than UDP must be used for proxied OpenVPN connections.

port 443
proto tcp
;proto udp
dev tun
;dev tap
ca ca.crt # this was generated in previous step
cert server.crt # this was generated in previous step
key server.key # this was generated in previous step
dh dh1024.pem # this was generated in previous step
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 8.8.8.8"
duplicate-cn # it's not recommended for clients to share cert/keys,
             # but I'm gonna do it anyways
user nobody
group nogroup

Step 5) Enable IP forwarding

Edit /etc/sysctl.conf

net.ipv4.ip_forward=1

Step 6) Route all traffic through the VPN using iptables

Note: 10.8.0.0/24 is the VPN subnet given by the server directive in server.conf, and eth0 is assumed to be the outbound network interface as shown in the output of ifconfig. Tip: Saving the rules with iptables-save into the file that iptables-persistent reads ensures they are reloaded on the next reboot.

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
sudo iptables-save > /etc/iptables/rules.v4

Step 7) Start the server

Rebooting should start the server. Tip: To make debugging easier, run the OpenVPN server manually in the foreground rather than as a daemon:

sudo openvpn --config server.conf --script-security 2

Step 8) Copy necessary files to the OpenVPN client (the phone)

Copy the following 4 files:

  1. ca*.crt, the Root CA certificate
  2. client1*.crt, the Client1 certificate
  3. client1*.key, the Client1 key
  4. client*.conf, the sample OpenVPN client config file, which we shall modify next

Step 9) Edit the openvpn client config file

Tip: It might be easier to edit the config file on a computer before transferring it to the phone.

;dev tap
dev tun
proto tcp
;proto udp
remote buffalo.interpause.com 443 # change this to the hostname or IP of your server
resolv-retry infinite
http-proxy 10.128.1.69 80 # this is petro-canada mobility's APN http proxy
# more info: http://mobility.petro-canada.ca/en/questions/138.aspx
ca ca.crt # this was generated previously and is the same file used by the server
cert client.crt # this was generated previously
key client.key # this was generated previously
;ns-cert-type server
remote-cert-tls server
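The script below is an added example, not part of this howto or of OpenVPN itself. It parses OpenVPN config syntax (one directive per line, comments starting with # or ; including inline ones, quoted arguments such as push "redirect-gateway def1") and checks a server.conf and a client config against the constraints Steps 4 and 9 state: tun device, TCP on port 443, an http-proxy line on the client, remote-cert-tls server instead of the old ns-cert-type, and privilege dropping on the server. It also flags duplicate-cn, since with a shared cert/key one leaked key exposes every client and revoking it cuts them all off. The sample configs embedded in the script are constructed from the listings above; the function names (parse, lint_server, lint_client) are this example's own.

```python
"""Lint OpenVPN server/client configs against the constraints stated in this howto.

Hypothetical helper (not part of OpenVPN or of the howto): parses the config
syntax and reports settings that break a proxied tun-over-TCP/443 setup or
weaken it.
"""
import shlex
from collections import defaultdict

# Constructed samples reproducing the essentials of the Step 4 and Step 9 listings.
SERVER_CONF = """\
port 443
proto tcp
;proto udp
dev tun
;dev tap
ca ca.crt # generated in the PKI step
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
duplicate-cn # clients share one cert/key
user nobody
group nogroup
"""

CLIENT_CONF = """\
;dev tap
dev tun
proto tcp
remote buffalo.interpause.com 443 # server hostname or IP
resolv-retry infinite
http-proxy 10.128.1.69 80 # carrier APN proxy
ca ca.crt
cert client.crt
key client.key
;ns-cert-type server
remote-cert-tls server
"""


def parse(text):
    """Return {directive: [args, ...]}; a directive given twice (e.g. push) keeps every occurrence."""
    opts = defaultdict(list)
    for line in text.splitlines():
        lex = shlex.shlex(line, posix=True)
        lex.whitespace_split = True  # split on whitespace only, so 10.8.0.0 stays one token
        lex.commenters = "#;"        # OpenVPN accepts both as comment starters, inline too
        tokens = list(lex)           # a quoted "redirect-gateway def1" stays one argument
        if tokens:
            opts[tokens[0]].append(tokens[1:])
    return opts


def first(opts, name):
    """Arguments of the first occurrence of a directive, or None if absent."""
    return opts[name][0] if name in opts else None


def lint_server(text):
    o = parse(text)
    problems = []
    if first(o, "port") != ["443"]:
        problems.append("port: proxied clients can only reach 443")
    if first(o, "proto") != ["tcp"]:
        problems.append("proto: an HTTP proxy (CONNECT) can only carry TCP")
    if first(o, "dev") != ["tun"]:
        problems.append("dev: Android 4.0 supports only tun")
    for req in ("ca", "cert", "key", "dh", "server"):
        if req not in o:
            problems.append(f"{req}: missing")
    if "user" not in o or "group" not in o:
        problems.append("user/group: daemon keeps root privileges after startup")
    pushes = [args[0] for args in o.get("push", []) if args]
    if not any(p.startswith("redirect-gateway") for p in pushes):
        problems.append("push redirect-gateway: missing, client traffic stays off the tunnel")
    if "duplicate-cn" in o:
        problems.append("duplicate-cn: WARNING clients share one identity; a leaked key exposes "
                        "every client and revoking it cuts them all off")
    return problems


def lint_client(text, behind_proxy=True):
    o = parse(text)
    problems = []
    if first(o, "dev") != ["tun"]:
        problems.append("dev: must be tun")
    if first(o, "proto") != ["tcp"]:
        problems.append("proto: must be tcp to match the server and pass the proxy")
    remote = first(o, "remote")
    if not remote or len(remote) < 2 or remote[1] != "443":
        problems.append("remote: must name the server and port 443")
    if behind_proxy and "http-proxy" not in o:
        problems.append("http-proxy: missing, the carrier APN proxy will not be traversed")
    for req in ("ca", "cert", "key"):
        if req not in o:
            problems.append(f"{req}: missing")
    if "remote-cert-tls" not in o:
        problems.append("remote-cert-tls server: missing, any certificate signed by the CA "
                        "(including another client's) would be accepted as the server")
    if "ns-cert-type" in o:
        problems.append("ns-cert-type: deprecated, use remote-cert-tls server instead")
    return problems


if __name__ == "__main__":
    for name, report in (("server.conf", lint_server(SERVER_CONF)),
                         ("client.conf", lint_client(CLIENT_CONF))):
        print(name, "->", report or "OK")
```

Run against the two configs above it reports the client config as clean and the server config with a single duplicate-cn warning; commenting out remote-cert-tls server in the client config, or switching the server back to proto udp, makes the corresponding check fire.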