Howto/20130118 Setup Routed Tun OpenVPN server on Ubuntu 12.04
Donations
Donations are not required but much appreciated and may be sent to my Paypal address lucky13bbq@yahoo.com. Thanks!
Motivation
- To be able to work around Petro-Canada Mobility/7-11 Speakout's proxied 3g data connection so that I can make free calls to a landline using a voip app such as Fongo. My previous solution was to use another app, Droidvpn, but this had two issues: 1) it is only free for 100 megs/day and 2) it requires a rooted android phone. Setting up and using my own server therefore removes the 100 meg/day limit and does not require a rooted android phone. I initially did the following steps on my own home server as a test, but because it requires using port 443, which my webserver was already using, I ended up renting an unmanaged VPS for much cheaper than droidvpn charges (especially when it's split amongst me, the wife and my dad).
- To be able to access hulu.com and netflix US. Should also work with Amazon Instant Video. Assumes that your vpn server is located in the US.
Source material
- OpenVPN howto: http://openvpn.net/index.php/open-source/documentation/howto.html
- Redflagdeals post: http://forums.redflagdeals.com/speakout-data-android-calling-all-users-tips-tricks-1053209/175/#post15982561
- My previous OpenVPN setup guide for bridged VPNs: Howto/Setup Bridged OpenVPN server on Ubuntu 10.04
- Workaround if ipt_MASQUERADE module is missing: http://forum.openvz.org/index.php?t=msg&goto=8117 (and to some extent http://ubuntuforums.org/showthread.php?t=1795535 )
My setup
- An android phone (tested with an Xperia Ray running stock Sony Android 4.0 ROM) with a proxied 3g data connection via Petro-Canada Mobility
- A server running Ubuntu 12.04 64-bit with port 443 available
- OpenVPN server configuration: tun, tcp, pre-shared key/cert authentication
- Output openvpn bytecounts to log server usage
The Steps
- Step 1) Install server software
sudo apt-get install openvpn iptables-persistent openssl
- Step 2) Obtain conf files
Copy sample conf files located in /usr/share/doc/openvpn/examples/sample-config-files/ to /etc/openvpn
- Step 3) Generate certificates and keys for the server and multiple clients
Follow the guide at http://openvpn.net/index.php/open-source/documentation/howto.html#pki Tip: You may need to rename the openssl-1.0.0.cnf file to openssl.cnf.
- Step 4) Edit the server.conf file.
Notes: Only tun is supported on the openvpn android 4.0 client. Also, port 443 and tcp rather than udp must be used for proxied openvpn connections.
port 443
proto tcp
;proto udp
dev tun
;dev tap
ca ca.crt # this was generated in previous step
cert server.crt # this was generated in previous step
key server.key # this was generated in previous step
dh dh1024.pem # this was generated in previous step
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 8.8.8.8"
duplicate-cn # it's not recommended for clients to share cert/keys,
# but I'm gonna do it anyways
user nobody
group nogroup
management localhost 8000 # enable management interface (listens on localhost only; no password file is set here)
script-security 2 # to run scripts
client-disconnect "scripts/client-disconnect.sh" # log bytecounts to a file
- Step 5) Enable ip forwarding
Edit /etc/sysctl.conf
net.ipv4.ip_forward=1
- Step 6) Route all traffic through the vpn using iptables
Note: 10.8.0.0 was defined in server.conf and eth0 is assumed to be the network device as defined in the output of ifconfig. Tip: Using iptables-save (iptables-persistent) will ensure that the settings are reloaded on next reboot.
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
sudo iptables-save | sudo tee /etc/iptables/rules.v4
Troubleshooting tip: On a second VPS I set up under OpenVZ, I had a problem with the ipt_MASQUERADE module being absent. So I had to do the following instead:
sudo iptables -t nat -A POSTROUTING -j SNAT --to-source <server_wan_ip_or_vps_venet_ip>
sudo iptables-save | sudo tee /etc/iptables/rules.v4
- Step 7) Log bytecounts to a file using a script
Every time a user disconnects, bytecounts will be written to a file. Place the following script in /etc/openvpn/scripts/client-disconnect.sh
#!/bin/sh
# Run by openvpn on client disconnect (client-disconnect directive). OpenVPN
# passes the session statistics in environment variables; "logger -s" also
# echoes the message to stderr, which is appended to the bytecounts file.
LOGGER=/usr/bin/logger
$LOGGER -s -plocal3.debug -t "[openvpn client-disconnect] `date`" \
  NAME=${common_name} \
  SENT/RECEIVED=${bytes_sent}/${bytes_received} \
  VIRT_IP=${ifconfig_pool_remote_ip} \
  REAL_IP=${untrusted_ip} \
  2>> /etc/openvpn/bytecounts.log
Change permissions of the script file and bytecounts.log file
sudo chmod a+x /etc/openvpn/scripts/client-disconnect.sh
sudo touch /etc/openvpn/bytecounts.log && sudo chown nobody /etc/openvpn/bytecounts.log
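As an added example (not part of the original page), a small Python report over the bytecounts.log that the client-disconnect.sh script above produces, totalling bytes per common name or per real IP. The sample lines are constructed, and the "tag: message" line layout is assumed from how logger -s echoes to stderr; only the fields the script emits are matched, so the prefix does not matter.

```python
import re
from collections import defaultdict

# Constructed sample of /etc/openvpn/bytecounts.log as written by the
# client-disconnect.sh script above: "logger -s" echoes "tag: message" to
# stderr, and the tag carries the date. All values here are made up.
SAMPLE_LOG = """\
[openvpn client-disconnect] Fri Jan 18 19:02:11 EST 2013: NAME=client1 SENT/RECEIVED=5242880/1048576 VIRT_IP=10.8.0.6 REAL_IP=203.0.113.10
[openvpn client-disconnect] Fri Jan 18 21:40:03 EST 2013: NAME=client1 SENT/RECEIVED=104857600/8388608 VIRT_IP=10.8.0.10 REAL_IP=198.51.100.7
[openvpn client-disconnect] Sat Jan 19 08:15:44 EST 2013: NAME=dad SENT/RECEIVED=0/0 VIRT_IP=10.8.0.14 REAL_IP=203.0.113.10
some unrelated line that must not break the report
"""

# Only the fields the script emits are matched; the logger prefix is ignored,
# so a different date or tag layout does not break parsing.
LINE_RE = re.compile(
    r"NAME=(?P<name>\S+)\s+SENT/RECEIVED=(?P<sent>\d+)/(?P<received>\d+)"
    r"\s+VIRT_IP=(?P<virt_ip>\S+)\s+REAL_IP=(?P<real_ip>\S+)"
)

def parse_bytecounts(text):
    """Yield one record (dict) per parseable line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["sent"] = int(rec["sent"])
            rec["received"] = int(rec["received"])
            yield rec

def usage_by(text, key="name"):
    """Totals per key as (bytes_sent, bytes_received, sessions).

    key is 'name' (the cert common name) or 'real_ip'. With duplicate-cn every
    phone sharing the cert reports the same name, so real_ip is what is left
    to tell sessions apart in this setup.
    """
    totals = defaultdict(lambda: [0, 0, 0])
    for rec in parse_bytecounts(text):
        t = totals[rec[key]]
        t[0] += rec["sent"]
        t[1] += rec["received"]
        t[2] += 1
    return {k: tuple(v) for k, v in totals.items()}

if __name__ == "__main__":
    for who, (sent, recv, n) in sorted(usage_by(SAMPLE_LOG).items()):
        print("%-10s sent=%11d received=%11d sessions=%d" % (who, sent, recv, n))
```

Point it at the real file with usage_by(open("/etc/openvpn/bytecounts.log").read()) to get the per-user totals.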
- Step 8) Start the server
Simply rebooting should start the server.
sudo /etc/init.d/openvpn restart
Tip: Run the openvpn server manually rather than as a daemon to facilitate debugging as follows.
sudo openvpn --config server.conf
- Step 9) Copy necessary files to the openvpn client (the phone)
Copy the following 4 files:
- ca*.crt, the Root CA certificate
- client1*.crt, the Client1 certificate
- client1*.key, the Client1 key
- client*.conf, the sample openvpn client config file, which we shall modify next
- Step 10) Edit the openvpn client config file
Tip: It might be easier to edit the config file on a computer before transferring to the phone.
;dev tap
dev tun
proto tcp
;proto udp
remote your.server.com 443 # change this to the ip of your server
resolv-retry infinite
http-proxy 10.128.1.69 80 # this is petro-canada mobility's APN http proxy
# do not use the previous line with wifi
# more info: http://mobility.petro-canada.ca/en/questions/138.aspx
ca ca.crt # this was generated previously and is the same file used by the server
cert client.crt # this was generated previously
key client.key # this was generated previously
;ns-cert-type server
remote-cert-tls server
- Step 11a) Install client software on an android smartphone
Two options for Android 4.0 that don't require root:
- Official (not yet tested): https://play.google.com/store/apps/details?id=net.openvpn.openvpn&hl=en
- Unofficial (tested): https://play.google.com/store/apps/details?id=de.blinkt.openvpn
Open the app, go to the vpn profiles page, open the client conf file, save the imported profile, and verify the location of the 3 client files (server cert, client cert and client key). For Android 2.3, root is required and you need both of the following apps:
- OpenVPN Installer: https://play.google.com/store/apps/details?id=de.schaeuffelhut.android.openvpn.installer&hl=en
- OpenVPN Settings: https://play.google.com/store/apps/details?id=de.schaeuffelhut.android.openvpn&hl=en (Note: If you are unable to browse, it might mean that the dns servers are not getting pushed to the client. In the config preferences, enable "Use VPN DNS server" and set the VPN DNS server to Google's DNS server, 8.8.8.8)
- Step 11b) Install client software on a pc
http://openvpn.net/index.php?option=com_content&id=357
- Step 12) Start the client
Disable wifi, enable 3g, connect to the vpn. Most if not all apps should work as if the 3g data connection was not proxied. Also, if you rented a VPS in the US, you should be able to watch netflix US as well as hulu.com (I needed to sideload the hulu plus app however, google it). Should also work with Amazon Instant Video (untested).