Install a scrambled OpenVPN server (using a .deb package) on an OpenVZ box running Debian or Ubuntu

# Tested working on Debian 6 32bit i386, on OpenVZ server
# Tested working on Debian 7 32bit i386, on OpenVZ server

# Turn on TUN in the management console; by default it's usually turned off.
# When you reinstall OS system, I found I needed to turn TUN off and on again
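# Start with basics, update and we need git
# Chained with && so git is not installed from a stale package index when the
# update step itself fails.
apt-get update && apt-get install -y git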

##########################################################################
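# Quick install patched openvpn deb package on Debian 6 i386
apt-get install openssl-blacklist openvpn-blacklist liblzo2-dev libpam0g-dev libpkcs11-helper1-dev -y
# --no-check-cert turns off TLS certificate validation, so nothing about this
# download is authenticated by the transport. The checksum step below is what
# covers that, provided the expected sum comes from somewhere other than the
# download link itself.
wget --no-check-cert https://www.dropbox.com/s/lpw8st5q2cdnfbc/openvpn_2.3.2-scramble-debian6_i386.deb -O openvpn_2.3.2-scramble-debian6_i386.deb
# dpkg -i installs as root and does no signature check of its own. Replace the
# placeholder with the publisher's SHA-256 for this exact file; if the sums
# differ, sha256sum fails and dpkg never runs.
printf '%s  %s\n' '<EXPECTED_SHA256_OF_OPENVPN_DEB>' openvpn_2.3.2-scramble-debian6_i386.deb | sha256sum -c - \
  && dpkg -i openvpn_2.3.2-scramble-debian6_i386.deb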
##########################################################################

##########################################################################
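# Quick install patched openvpn deb package on Debian 7 i386
apt-get install openssl-blacklist openvpn-blacklist liblzo2-dev libpam0g-dev libpkcs11-helper1-dev -y
# libssl0.9.8 is the older OpenSSL 0.9.8 branch from Debian 6 (squeeze), pulled
# in presumably because the patched build links against it (the Ubuntu steps
# below install the same package). It is fetched over plain http and installed
# with dpkg -i, which does not verify archive signatures the way apt does, so
# check the file against a sum obtained elsewhere before installing it.
wget http://ftp.us.debian.org/debian/pool/main/o/openssl/libssl0.9.8_0.9.8o-4squeeze14_i386.deb
printf '%s  %s\n' '<EXPECTED_SHA256_OF_LIBSSL_DEB>' libssl0.9.8_0.9.8o-4squeeze14_i386.deb | sha256sum -c - \
  && dpkg -i libssl0.9.8_0.9.8o-4squeeze14_i386.deb
# --no-check-cert turns off TLS certificate validation on this download; the
# checksum step below is what authenticates the package instead.
wget --no-check-cert https://www.dropbox.com/s/lpw8st5q2cdnfbc/openvpn_2.3.2-scramble-debian6_i386.deb -O openvpn_2.3.2-scramble-debian6_i386.deb
printf '%s  %s\n' '<EXPECTED_SHA256_OF_OPENVPN_DEB>' openvpn_2.3.2-scramble-debian6_i386.deb | sha256sum -c - \
  && dpkg -i openvpn_2.3.2-scramble-debian6_i386.deb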
##########################################################################

##########################################################################
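# Quick install patched openvpn deb package on Ubuntu 12.04 32-bit Minimal
apt-get install openssl-blacklist openvpn-blacklist liblzo2-dev libpam0g-dev libpkcs11-helper1-dev libssl0.9.8 -y
# --no-check-cert turns off TLS certificate validation on this download; the
# checksum step below is what authenticates the package instead.
wget --no-check-cert https://www.dropbox.com/s/u4pba8ip5ggwy3z/openvpn_2.3.2-scramble-ubuntu1204_i386.deb -O openvpn_2.3.2-scramble-ubuntu1204_i386.deb
# dpkg -i installs as root and does no signature check of its own. Replace the
# placeholder with the publisher's SHA-256 for this exact file; if the sums
# differ, sha256sum fails and dpkg never runs.
printf '%s  %s\n' '<EXPECTED_SHA256_OF_OPENVPN_DEB>' openvpn_2.3.2-scramble-ubuntu1204_i386.deb | sha256sum -c - \
  && dpkg -i openvpn_2.3.2-scramble-ubuntu1204_i386.deb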
##########################################################################
For other distributions, build your own .deb package; see

    https://vpnchinaopenvz.wordpress.com/2014/03/15/8/

##########################################################################

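# Now we create keys and certs
# You need to make a passphrase, and confirm
# enter these commands one line at a time
# -p makes the step repeatable; $HOME is quoted so a path with spaces survives.
mkdir -p "$HOME/clientside"
cd "$HOME/clientside"
# git:// is an unauthenticated transport (and GitHub no longer serves it);
# https gives a TLS-verified clone of the same repository.
git clone https://github.com/OpenVPN/easy-rsa
cd easy-rsa/easyrsa3
./easyrsa init-pki
# nopass leaves client1's private key unencrypted on disk; that is what lets
# the client connect without a prompt, so protect the file (see the chmod in
# the copy step below) and the .ovpn it ends up in.
./easyrsa gen-req client1 nopass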

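# -p makes the step repeatable; $HOME is quoted so a path with spaces survives.
mkdir -p "$HOME/serverside"
cd "$HOME/serverside"
# git:// is an unauthenticated transport (and GitHub no longer serves it);
# https gives a TLS-verified clone of the same repository.
git clone https://github.com/OpenVPN/easy-rsa
cd easy-rsa/easyrsa3
./easyrsa init-pki
# build-ca is the step that asks for the passphrase mentioned above. It
# protects the CA key that signs every server and client certificate, so do
# not pass nopass here.
./easyrsa build-ca
./easyrsa gen-req server nopass
./easyrsa sign-req server server
openssl dhparam -out dh2048.pem 2048
# ta.key is a shared secret used by tls-auth on both ends; treat it like a key.
/usr/sbin/openvpn --genkey --secret ta.key
./easyrsa import-req "$HOME/clientside/easy-rsa/easyrsa3/pki/reqs/client1.req" client1
./easyrsa sign-req client client1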

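# Copy certs and keys to correct directory
# Paths are quoted and preceded by -- so a $HOME containing spaces or a
# leading dash cannot break the copies.
cp -- "$HOME/serverside/easy-rsa/easyrsa3/pki/ca.crt" /etc/openvpn/
cp -- "$HOME/serverside/easy-rsa/easyrsa3/pki/issued/server.crt" /etc/openvpn/
cp -- "$HOME/serverside/easy-rsa/easyrsa3/dh2048.pem" /etc/openvpn/
cp -- "$HOME/serverside/easy-rsa/easyrsa3/pki/private/server.key" /etc/openvpn/
cp -- "$HOME/serverside/easy-rsa/easyrsa3/ta.key" /etc/openvpn/
# server.key and ta.key are secrets (ta.key was produced with --genkey --secret);
# make sure only root can read them once they sit in /etc/openvpn.
chmod 600 /etc/openvpn/server.key /etc/openvpn/ta.key
cp -- "$HOME/serverside/easy-rsa/easyrsa3/pki/issued/client1.crt" "$HOME/clientside/"
cp -- "$HOME/serverside/easy-rsa/easyrsa3/ta.key" "$HOME/clientside/"
cp -- "$HOME/serverside/easy-rsa/easyrsa3/pki/ca.crt" "$HOME/clientside/"
cp -- "$HOME/clientside/easy-rsa/easyrsa3/pki/private/client1.key" "$HOME/clientside/"
# Same for the client's private material, which the merge step bundles into
# the .ovpn that gets carried to another machine.
chmod 600 "$HOME/clientside/client1.key" "$HOME/clientside/ta.key"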

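# Client Script
# $HOME is quoted so the path survives a home directory containing spaces.
nano "$HOME/clientside/client1.ovpn"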

# OpenVPN client profile for client1. The ca/cert/key/ta.key names below are
# relative file names; the merge step that follows inlines them so a single
# .ovpn is all that has to be carried to the client machine.
client
dev tun
# Option from the scramble patch: "test" is the shared obfuscation string and
# must be the same as the "scramble obfuscate" line in server.conf.
scramble obfuscate test
proto udp
# Placeholder: put the server's public address here. 34557 matches the "port"
# line in server.conf.
remote change_this_to_server_address 34557
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
# Key direction 1 on the client side, 0 on the server side.
tls-auth ta.key 1
# Only accept a peer that presents a server-type certificate, so a leaked
# client certificate cannot be used to pose as the server.
remote-cert-tls server
cipher AES-256-CBC
# NOTE(review): compresses tunnelled traffic and is only here because
# server.conf enables it too; newer OpenVPN releases advise against it.
comp-lzo
verb 3
fast-io
# NOTE(review): level 2 lets OpenVPN execute external scripts, but no
# up/down/route script is configured anywhere in this profile, so the line
# looks unnecessary and can most likely be removed.
script-security 2

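# Now merge certs and keys into client script, so we only have one file to handle
cd "$HOME/clientside/"
wget https://www.dropbox.com/s/pdl8jyr0gzys3d6/merge.sh -O merge.sh
# merge.sh is a script fetched from a file-sharing link that will run with your
# privileges over the private keys in this directory: read it through before
# executing it.
less merge.sh
chmod +x merge.sh
"$HOME/clientside/merge.sh"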

# Now transfer client script client1.ovpn
# in $HOME/clientside/ to your client PC
# Due to permissions, I had to transfer it to C:\
# Then in windows, copy the file
# to C:\Program Files (x86)\OpenVPN\config

# Below is OpenVPN server configuration
# (the ca.crt, server.crt, server.key, ta.key and dh2048.pem it references are
# the files copied into /etc/openvpn above)
nano /etc/openvpn/server.conf

# OpenVPN server configuration. File names are relative; the copy step above
# put ca.crt, server.crt, server.key, ta.key and dh2048.pem in /etc/openvpn,
# which is presumably where the init script runs the daemon from.
port 34557
proto udp
dev tun
# Must match the "scramble obfuscate" line in client1.ovpn.
scramble obfuscate test
ca ca.crt
cert server.crt
key server.key
# Key direction 0 here, 1 in client1.ovpn.
tls-auth ta.key 0
dh dh2048.pem
# Subnet handed to clients; the firewall.sh rules and the SNAT/MASQUERADE
# lines later in this guide refer to this same 10.8.0.0/24 range.
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
# Keep the key material and tun device open across restarts, which is needed
# once the process has dropped to nobody/nogroup and can no longer reopen them.
persist-key
persist-tun
# Drop root after startup.
user nobody
group nogroup
status openvpn-status.log
verb 3
# Route all client traffic through the tunnel; this is why ip_forward=1 and
# the NAT rules later in the guide are required.
push "redirect-gateway def1"
# DNS resolvers pushed to clients.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 5 30

# uncomment to allow data redirect
# (ip_forward is what lets the kernel route client packets between the tun
# device and the outside interface; set in this file it survives reboots,
# the sysctl -w step further down applies it immediately)
nano /etc/sysctl.conf

# Allow the kernel to forward IPv4 packets, so traffic from VPN clients can
# leave through the host's network interface. Persisted here for reboots;
# applied live later with "sysctl -w".
net.ipv4.ip_forward=1

################################################################
# Comments about iptables and firewall: Seems MASQUERADE in iptables depends
# on some modules being loaded in the openvz container, no clue, what or which.
# I read in other tutorials,
# e.g. http://unixtitan.net/main/2010/09/20/openvpn-in-openvz-no-masquerade/
# they need to do the following
# OpenVZ:

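# YOUR_SERVER_IP is a placeholder for the container's public address. It has to
# be a single argument to --to-source, so it is written without spaces: with
# the original "YOUR SERVER IP" iptables would take "SERVER" and "IP" as stray
# extra arguments and reject the command.
# Note the sudo prefix: the rest of this guide runs directly as root.
sudo iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source YOUR_SERVER_IP
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source YOUR_SERVER_IP
# KVM/XEN:
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# Save the iptables rules.
# NOTE(review): "service iptables save" belongs to the RHEL-style iptables
# service and does not exist on Debian/Ubuntu. There, either persist with
# "iptables-save > /etc/iptables.rules" (and restore it at boot) or use the
# firewall.sh + rc.local approach that follows.
sudo service iptables save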
################################################################

# These iptables settings worked for me in openvz, might not work for others, see above
# Make file for firewall setting
# (the script is written to /usr/local/bin so rc.local can re-run it at boot)
nano /usr/local/bin/firewall.sh

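#!/bin/bash
# Firewall rules for the OpenVPN host. Runs as root; re-run from /etc/rc.local
# at boot. The two -F lines flush EVERY rule in the filter and nat tables,
# including any INPUT rules the host already had, before the rules below are
# added back.
# -e stops at the first iptables failure so the caller sees a non-zero exit
# instead of a silently half-applied rule set; -u catches unset variables.
set -eu
iptables -t filter -F
iptables -t nat -F
# Let replies to already-forwarded connections back through.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Let the VPN subnet ("server 10.8.0.0 255.255.255.0" in server.conf) out.
iptables -A FORWARD -s "10.8.0.0/24" -j ACCEPT
# Anything else that would be forwarded is rejected.
iptables -A FORWARD -j REJECT
# NAT the VPN subnet behind the host's own address on the way out.
iptables -t nat -A POSTROUTING -s "10.8.0.0/24" -j MASQUERADE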

# Make firewall script executable, run it and check
chmod +x /usr/local/bin/firewall.sh
/usr/local/bin/firewall.sh
# The FORWARD chain should now show the ACCEPT/ACCEPT/REJECT rules from
# firewall.sh; the nat table is listed with "iptables -t nat --list".
iptables --list

# add new text line into file /etc/rc.local
# before 'exit 0' to ensure the firewall rules are run at reboot or power up.
# (anything placed after 'exit 0' never runs)
nano /etc/rc.local

# Re-apply the OpenVPN firewall rules at boot; must sit before 'exit 0'.
/usr/local/bin/firewall.sh

# Now start it all, after this you can connect
# Applies forwarding immediately; the sysctl.conf edit above only takes
# effect on the next boot.
sysctl -w net.ipv4.ip_forward=1
# Restart so the daemon picks up /etc/openvpn/server.conf and the keys.
/etc/init.d/openvpn restart

# Useful Debug
# Switch TUN off and on again in management console

# check you have TUN interface
# (a tun interface should be listed once openvpn is up; if it is missing, TUN
# is most likely still disabled for the container)
ifconfig
# check status
/etc/init.d/openvpn status
# restart openvpn server
/etc/init.d/openvpn restart
