Howto/20130118 Setup Routed Tun OpenVPN server on Ubuntu 12.04

From Interpause
Revision as of 14:48, 18 January 2013 by Andrew (talk | contribs) (→‎Motivation)

Motivation

To be able to work around Petro-Canada Mobility/7-11 Speakout's proxied 3g data connection so that I can make free calls to a landline using a VoIP app such as Fongo. My previous solution was to use another app, Droidvpn, but this had two issues: 1) it is only free for 100 megs/day and 2) it requires a rooted Android phone. Setting up and using my own server therefore removes the 100 meg/day limit and does not require a rooted Android phone. I initially did the following steps on my own home server as a test, but because it requires using port 443, which my webserver was already using, I ended up renting an unmanaged VPS for much cheaper than Droidvpn charges (especially when it's split amongst me, the wife and my dad).

Source material

  1. OpenVPN howto: http://openvpn.net/index.php/open-source/documentation/howto.html
  2. Redflagdeals post: http://forums.redflagdeals.com/speakout-data-android-calling-all-users-tips-tricks-1053209/175/#post15982561
  3. My previous OpenVPN setup guide for bridged VPNs: Howto/Setup Bridged OpenVPN server on Ubuntu 10.04

My setup

  • An android phone (tested with an Xperia Ray running stock Sony Android 4.0 ROM) with a proxied 3g data connection via Petro-Canada Mobility
  • A server running Ubuntu 12.04 64-bit with port 443 available
  • OpenVPN server configuration: tun, tcp, pre-shared key/cert authentication

The Steps

Step 1) Install server software

sudo apt-get install openvpn iptables-persistent openssl

Step 2) Obtain conf files

Copy the sample conf files from /usr/share/doc/openvpn/examples/sample-config-files/ to /etc/openvpn.

Step 3) Generate certificates and keys for the server and multiple clients

Follow the guide at http://openvpn.net/index.php/open-source/documentation/howto.html#pki Tip: you may need to rename the openssl-1.0.0.cnf file to openssl.cnf.

Step 4) Edit the server.conf file

Notes: only tun is supported on Android 4.0, and port 443 with tcp (rather than udp) must be used for proxied OpenVPN connections.

port 443
proto tcp
;proto udp
dev tun
;dev tap
ca ca.crt # this was generated in previous step
cert server.crt # this was generated in previous step
key server.key # this was generated in previous step
dh dh1024.pem # this was generated in previous step
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 8.8.8.8"
duplicate-cn # it's not recommended for clients to share cert/keys,
             # but I'm gonna do it anyways
user nobody
group nogroup

Step 5) Enable ip forwarding

Edit /etc/sysctl.conf so that it contains:

net.ipv4.ip_forward=1

Step 6) Route all traffic through the vpn using iptables

Note: 10.8.0.0 is the VPN subnet defined in server.conf, and eth0 is assumed to be the outbound network device as shown in the output of ifconfig. Tip: saving the rules with iptables-save (from iptables-persistent) ensures they are reloaded on the next reboot.

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
sudo iptables-save > /etc/iptables/rules.v4

Step 7) Start the server

Simply rebooting should start the server. Tip: run the OpenVPN server manually rather than as a daemon to make debugging easier.

sudo openvpn --config server.conf --script-security 2

Step 8) Copy necessary files to the openvpn client (the phone)

Copy the following 4 files:

  1. ca*.crt: the Root CA certificate
  2. client1*.crt: the Client1 certificate
  3. client1*.key: the Client1 key
  4. client*.conf: the sample openvpn client config file, which we shall modify next

Step 9) Edit the openvpn client config file

Tip: It might be easier to edit the config file on a computer before transferring to the phone.

;dev tap
dev tun
proto tcp
;proto udp
remote buffalo.interpause.com 443 # change this to the ip of your server
resolv-retry infinite
http-proxy 10.128.1.69 80 # this is petro-canada mobility's APN http proxy
# more info: http://mobility.petro-canada.ca/en/questions/138.aspx
ca ca.crt # this was generated previously and is the same file used by the server
cert client.crt # this was generated previously
key client.key # this was generated previously
;ns-cert-type server
remote-cert-tls server
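
The client and server configs above must agree on the constraints this howto depends on (tun, tcp, port 443) and the client must keep remote-cert-tls server, which matters more than usual when duplicate-cn lets several devices share one client certificate. The following Python helper is an added example, not part of the original page or of OpenVPN: it parses the config format and flags both the hard requirements and the settings the howto knowingly accepts (duplicate-cn, 1024-bit DH). The sample configs are constructed, abridged from Steps 4 and 9.

```python
"""Audit OpenVPN configs for this howto's constraints (hypothetical helper, not from OpenVPN)."""
# Constructed samples, abridged from the server.conf (Step 4) and client conf (Step 9) above.
SERVER_CONF = """\
port 443
proto tcp
dev tun
dh dh1024.pem # this was generated in previous step
duplicate-cn # it's not recommended for clients to share cert/keys,
             # but I'm gonna do it anyways
"""
CLIENT_CONF = """\
dev tun
proto tcp
remote buffalo.interpause.com 443 # change this to the ip of your server
;ns-cert-type server
remote-cert-tls server
"""

def parse_openvpn(text: str) -> dict:
    """OpenVPN config is line oriented: an option name followed by its arguments. Lines starting
    with ';' or '#' are comments, as is a '#' preceded by a space; repeatable options map to lists."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()
        if not line or line[0] in ";#":
            continue
        name, *args = line.split()
        opts.setdefault(name, []).append(" ".join(args))
    return opts

def audit(opts: dict, role: str) -> list:
    """Hard requirements from the howto (tun, tcp, 443) plus settings a defender should revisit."""
    findings = []
    if opts.get("dev") != ["tun"]:
        findings.append("dev must be tun: tap is unsupported on Android 4.0")
    if opts.get("proto") != ["tcp"]:
        findings.append("proto must be tcp to pass through the carrier's HTTP proxy")
    if role == "server":
        if opts.get("port") != ["443"]:
            findings.append("port must be 443 for the proxied connection")
        if "duplicate-cn" in opts:
            findings.append("duplicate-cn: a shared client cert cannot be revoked per device")
        if any("1024" in dh for dh in opts.get("dh", [])):
            findings.append("dh1024.pem: 1024-bit DH is weak, generate 2048 bits or more")
    else:
        if not any(r.split()[-1] == "443" for r in opts.get("remote", [])):
            findings.append("remote must use port 443")
        if opts.get("remote-cert-tls") != ["server"]:
            findings.append("remote-cert-tls server missing: any CA-signed cert could pose as the server")
    return findings
```

Run audit(parse_openvpn(open("/etc/openvpn/server.conf").read()), "server") on the real file; an empty list means the config matches the howto with no weak settings flagged.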
Step 10) Install client software on phone

https://play.google.com/store/apps/details?id=de.blinkt.openvpn

Step 11) Configure the app

Open the app, go to the VPN profiles page, open the client conf file, save the imported profile, and update the locations of the 3 client files (CA certificate, client certificate and client key).

Step 12) Start the client

Disable wifi, enable 3g and connect to the VPN. Most, if not all, apps should then work as if the 3g data connection were not proxied.