Openvpn is free VPN server solution , i.e if you a have dedicated server or vps with root power you can install openvpn server and use that to push your Internet traffic , your isp 's IP is then not used but you go behind your server ip and all traffic is encrypted , a very handy tool to bypass censorship or traffic shaping plus to make your network secure.
Install OpenVPN
This installs OpenVPN from the Debian/Ubuntu package and creates a new system user/group called "openvpn". It's preferable over using "root" (a major security concern) or "nouser"/"nogroup" (insecure as well, but less so than "root").
Shell cut
Easy-RSA is included with OpenVPN, and makes the task of managing security certificates (CSR's, for granting user/client access to the OpenVPN server) easier.
Shell cut & paste:
Shell cut & paste (answer any questions with their default):
dh:
/etc/openvpn/easy-rsa/keys/dh1024.pem
CA public certificate:
/etc/openvpn/easy-rsa/keys/ca.crt
RA Server certificate & key:
/etc/openvpn/easy-rsa/keys/vpn.myserver.com.crt
/etc/openvpn/easy-rsa/keys/vpn.myserver.com.key
(where "vpn.myserver.com" is obviously replaced by the domain you've chosen).
From now on, if you want to add more domains (as in, more OpenVPN servers), simply use:
cd /etc/openvpn/easy-rsa
source ./vars
./build-key-server
OpenVPN Server Configuration
Here we assume that we call the server "ra-server" and the configuration's filename reflects that. Of course you can change this as you like, and OpenVPN supports multiple .conf files (let's keep it simple for now and stick to one
nano /etc/openvpn/ra-server.conf
and replace any existing contents with the contents below, paying attention to modify whatever the comments (lines starting with a #) specify:
OpenVPN Client Configuration
The first step is to create a CSR on the server, or a "remote client access certificate". You do this with the following steps on the server:
This will generate a file /etc/openvpn/easy-rsa/keys/.p12, ie. "john-laptop.p12", and is what you will give to the remote VPN user/client (only this file - no other keys/certificates!).
Note: Giving it an "Export" password will cause the remote OpenVPN client to ask for this password (from the user). You can leave this blank if you wish, but you should obviously be aware that this means anyone could potentially use the certificate if it fell in the wrong hands.
finally, configure IP forwarding and IPTables for doing NAT on the server:
use notepad or a textfile to write this in opnvpn config
Obviously you replace the as well as the domain name with their actual values. And another note on the filename, you don't have to name these files as such, but I'm doing it here to help you (and the VPN user) to keep tabs on what file belongs to what server & user, simply by looking at the filename.
use scp on linux or winscp on windows to move the csr file from server to client p.c .
right click on openvpn gui and click connect and you just gone off your isp's ip , now all traffic is encrypted and tunneled between your server to you. go to any site like whatismyip.com to check , it should show your server ip. change your dns to google dns or opendns if you don't want to give http info to your isp's dns servers.
looks daunting but hardly takes 15 misn to do it, if have any question feel free to ask here , there still many tweaks to it, like how to stop dns leakage plus ipv6 leakage, that i will come to later , hope it helps.
Install OpenVPN
This installs OpenVPN from the Debian/Ubuntu package and creates a new system user/group called "openvpn". It's preferable over using "root" (a major security concern) or "nouser"/"nogroup" (insecure as well, but less so than "root").
Shell cut
Configure Easy-RSAapt-get install openvpn
adduser --system --no-create-home --group openvpn
Easy-RSA is included with OpenVPN, and makes the task of managing security certificates (CSR's, for granting user/client access to the OpenVPN server) easier.
Shell cut & paste:
You're now editing the /etc/openvpn/easy-rsa/vars file - scroll down until you see "export KEY_COUNTRY=" and edit accordingly, for example:mkdir /etc/openvpn/easy-rsa
cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
nano vars
Exit by pressing CTRL+X and answer Y for "Yes, save".export KEY_COUNTRY="GB"
export KEY_PROVINCE="London"
export KEY_CITY="Hammersmith"
export KEY_ORG="My Company"
export KEY_EMAIL="hello@mycomany.internal"
Shell cut & paste (answer any questions with their default):
And in the following shell cut & paste, simply replace the domain name with what you'd like to use instead:source ./vars
./clean-all
chmod 700 /etc/openvpn/easy-rsa/keys/
./build-ca
./build-dh
The above actions has created the following files:./build-key-server vpn.myserver.com
dh:
/etc/openvpn/easy-rsa/keys/dh1024.pem
CA public certificate:
/etc/openvpn/easy-rsa/keys/ca.crt
RA Server certificate & key:
/etc/openvpn/easy-rsa/keys/vpn.myserver.com.crt
/etc/openvpn/easy-rsa/keys/vpn.myserver.com.key
(where "vpn.myserver.com" is obviously replaced by the domain you've chosen).
From now on, if you want to add more domains (as in, more OpenVPN servers), simply use:
cd /etc/openvpn/easy-rsa
source ./vars
./build-key-server
OpenVPN Server Configuration
Here we assume that we call the server "ra-server" and the configuration's filename reflects that. Of course you can change this as you like, and OpenVPN supports multiple .conf files (let's keep it simple for now and stick to one
nano /etc/openvpn/ra-server.conf
and replace any existing contents with the contents below, paying attention to modify whatever the comments (lines starting with a #) specify:
______server 10.8.0.0 255.255.255.0
# YOUR LOCAL SERVER IP HERE:
local - server ip
dev tun
proto udp
comp-lzo
# THESE 2 LINES ARE HELPFUL FOR THOSE WITH MOBILE (G3 / G3.5) BROADBAND:
tun-mtu 1500
tun-mtu-extra 32
# ROUTE THE CLIENT'S INTERNET ACCESS THROUGH THIS SERVER:
push "redirect-gateway def1 bypass-dns"
keepalive 10 60
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ca /etc/openvpn/easy-rsa/keys/ca.crt
# ENSURE THE DOMAIN NAME/FILENAME IS CORRECT:
cert /etc/openvpn/easy-rsa/keys/vpn.myserver.com.crt
key /etc/openvpn/easy-rsa/keys/vpn.myserver.com.key
# LEAVE THE FOLLOWING LINE COMMENTED FOR NOW:
# crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
user openvpn
group openvpn
persist-key
persist-tun
OpenVPN Client Configuration
The first step is to create a CSR on the server, or a "remote client access certificate". You do this with the following steps on the server:
All you need to do is replace with a memorable name (preferably without spaces), such as "john-laptop".cd /etc/openvpn/easy-rsa
source ./vars
./build-key-pkcs12
This will generate a file /etc/openvpn/easy-rsa/keys/.p12, ie. "john-laptop.p12", and is what you will give to the remote VPN user/client (only this file - no other keys/certificates!).
Note: Giving it an "Export" password will cause the remote OpenVPN client to ask for this password (from the user). You can leave this blank if you wish, but you should obviously be aware that this means anyone could potentially use the certificate if it fell in the wrong hands.
finally, configure IP forwarding and IPTables for doing NAT on the server:
echo 1 > /proc/sys/net/ipv4/ip_forward
You can verify the rule was written correctly with:iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
If you made a mistake and want to remove all rules from IPTables:iptables -L -t nat
Now restart OpenVPN in both client and server and you should be set.iptables -F -t nat
Now, the following OpenVPN client configuration, which is used to configure the remote user's client (thus don't do this on the server), is quite generic:/etc/init.d/openvpn restart
use notepad or a textfile to write this in opnvpn config
However, where this configuration file is stored, depends on the OS. For example, on Linux it's /etc/openvpn/.vpn.myserver.com.conf and on Windows it's C:\Program Files\OpenVPN\config\.vpn.myserver.com.ovpn.client
dev tun
proto udp
# THE IP OF THE REMOTE OPENVPN SERVER:
remote 91.12.34.56
# THE CSR FILE:
pkcs12 .p12
comp-lzo
Obviously you replace the as well as the domain name with their actual values. And another note on the filename, you don't have to name these files as such, but I'm doing it here to help you (and the VPN user) to keep tabs on what file belongs to what server & user, simply by looking at the filename.
use scp on linux or winscp on windows to move the csr file from server to client p.c .
right click on openvpn gui and click connect and you just gone off your isp's ip , now all traffic is encrypted and tunneled between your server to you. go to any site like whatismyip.com to check , it should show your server ip. change your dns to google dns or opendns if you don't want to give http info to your isp's dns servers.
looks daunting but hardly takes 15 misn to do it, if have any question feel free to ask here , there still many tweaks to it, like how to stop dns leakage plus ipv6 leakage, that i will come to later , hope it helps.
