How to Install Scrambled OpenVPN on CentOS VPS
Scrambled OpenVPN For Dummies: How to Install on CentOS VPS – Why did I call it "for dummies"? Simply because I try to make this tutorial crystal clear, so even dummies can follow all the steps outlined below and build their own Scrambled OpenVPN server to avoid Internet blocking in some strict countries (you name it) where a common OpenVPN-based VPN connection can be detected and shut down. Yes, there is technology that can actively look for VPN connections and block VPN servers. Call it the Great Firewall (GFW); it is known to use Deep Packet Inspection to identify and block PPTP and OpenVPN connections.
So how to bypass such technology? Simply use an unusual VPN technology that the GFW cannot detect (as of now), like: Scrambled OpenVPN, SoftEther Protocol, L2TP over IPsec, SSTP and VPN over ICMP / VPN over DNS.
In this tutorial I’ll show you a guide (with pics) to install, build, and set up an undetected scrambled OpenVPN server that works on a low-end VPS (tested on an Iniz 128MB box – my favorite after RamNode). Credit to the original guide at LET.
Step 0 – ONLY for OpenVZ users: log in to your VPS control panel (usually SolusVM) and enable the TUN/TAP option.
Step 1 – Log in to your server as root or as a user with root privilege. I chose root to avoid using “sudo” in every command I have to issue, then set up a secondary user later as a basic and common security practice (read: Basic CentOS server setup).
Step 2 – Now download and install RHEL EPEL Repo for CentOS 6:
# For RHEL/CentOS 6 32-Bit
wget http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
# For RHEL/CentOS 6 64-Bit
wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Now install that repo using this command:
# For RHEL/CentOS 6 32-Bit
rpm -ivh epel-release-6-8.noarch.rpm
# For RHEL/CentOS 6 64-Bit
rpm -ivh epel-release-6-8.noarch.rpm
Step 3 – Next, you may also want to update and upgrade your VPS. Issue these two commands:
yum update -y
yum upgrade
Sorry I gave no screenshot for that. It’s long and boring and it should be very understandable.
Step 4 – As we want to install OpenVPN from source, we’ll need some dependencies to compile it. So install them using this command:
yum install autoconf.noarch automake file gcc libtool patch quilt git make rpm-build zlib-devel pam-devel openssl-devel lzo-devel
You may need to hit Y if asked for confirmation.
Step 5 – Now, this is the very important step. We are going to download the OpenVPN package and a special obfuscation patch file:
wget https://github.com/OpenVPN/openvpn/archive/release/2.3.zip
Then unzip/extract it:
unzip 2.3.zip
Downloading patch file:
wget https://github.com/clayface/openvpn_xorpatch/archive/master.zip
Then unzip it:
unzip master.zip
Backup download links:
OpenVPN 2.3.2: https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/2.3.zip
Obfuscate Patch: https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/master.zip
Step 6 – Apply the patch to the source files. To do that, issue each command below line by line:
Copy the patch file to the OpenVPN folder:
cp openvpn_xorpatch-master/openvpn_xor.patch openvpn-release-2.3/
Go into the extracted OpenVPN folder:
cd openvpn-release-2.3/
Applying the patch:
git apply --check openvpn_xor.patch
git apply openvpn_xor.patch
Now go back to upper directory:
cd ..
then move extracted OpenVPN folder to /etc/openvpn:
mv ./openvpn-release-2.3/ /etc/openvpn
Step 7 – It’s building time. As long as you’ve installed all required packages before (step 4 above), the process should complete successfully. First, we need to go to /etc/openvpn
cd /etc/openvpn
Now issue this command:
autoreconf -i -v -f
Now configure it:
./configure --prefix=/usr
Step 8 – Now that we’ve configured all the necessary things, it’s time to really build it with the simple “make” command:
make
make install
The process is a bit long.
Step 9 – At this point you’ve installed OpenVPN. Before we run and configure it, it is better to make it run automatically on boot.
But first download this required startup script file:
wget https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/openvpn -O /etc/rc.d/init.d/openvpn
Now these commands:
chmod +x /etc/rc.d/init.d/openvpn
chkconfig --add openvpn
chkconfig openvpn on
Configuring and Using Scrambled OpenVPN
Our OpenVPN server is now installed, but we still need to set up some configuration before using it, including installing the Easy-RSA package for creating keys and certificates.
Step 1 – Download the Easy-RSA package for creating keys and certificates. Issue these commands:
cd /etc/openvpn
wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz
Then extract it and copy the files:
tar zxvf easy-rsa-2.2.0_master.tar.gz
cp -R easy-rsa-2.2.0_master/easy-rsa/ /etc/openvpn/
chown -R $USER /etc/openvpn/easy-rsa/
Step 2 – Now let’s build the CA certificate needed to use the OpenVPN server:
cd /etc/openvpn/easy-rsa/2.0/
source vars
./clean-all
The magic command, enter whatever info you want to build the CA certificate.
./build-ca
Step 3 – Building the key server. You will be asked for a password and you will need to answer y to sign and commit the certificate.
./build-key-server server
Step 4 – Now issue the command below to build the Diffie-Hellman parameters:
./build-dh
Step 5 – Next, let’s build the client key. You can build as many as you want; just change client to something else like user, yourname, user001, etc. Again, you will be asked for a password in the following step and you will need to answer y to sign and commit the certificate.
./build-key client
Step 6 – Now copy the server-side certificates and keys to the appropriate location:
cd keys
cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
Step 7 – Next, copy the client files to a folder where you can download them:
mkdir $HOME/client-files
sudo cp ca.crt client.crt client.key $HOME/client-files
Replace client.crt and client.key with the names you defined in step 5.
Step 8 – Now generate a ta.key and copy it to the separate folder where we can later download it:
openvpn --genkey --secret /etc/openvpn/ta.key
cp /etc/openvpn/ta.key $HOME/client-files
Step 9 – Another crucial step: create the OpenVPN client configuration file. You will need to fill in your server’s IP, and you can choose whatever keyword you like after scramble obfuscate. Just make sure you have the same keyword in your server configuration file as well. Also, choose a UDP port that is best for your network setting. I use 443 in this tutorial.
nano $HOME/client-files/scrambled-client.ovpn
Now put these lines in that file; again, replace **YOUR SERVER IP** with the real IP of your VPS:
client
dev tun
scramble obfuscate servermom
proto udp
remote **YOUR SERVER IP** 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3
fast-io
script-security 2
Hit Control+O to save, then Control+X to exit the Nano editor.
Step 10 – Now merge the certificates and keys to make it an inline configuration file.
wget https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/merge.sh -O $HOME/client-files/merge.sh
You may first need to edit merge.sh and adjust the configuration (like renaming client.crt and client.key to the ones you defined – you can use nano).
Next, issue these commands:
cd $HOME/client-files/
chmod +x $HOME/client-files/merge.sh
$HOME/client-files/merge.sh
chown $USER $HOME/client-files/scrambled-client.ovpn
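What the merge step produces, shown as an added example that is not the merge.sh linked above and not the author's code: a shell function that drops the `ca`, `cert`, `key` and `tls-auth` lines from the client file and appends the same material as inline blocks. The function names and the argument order are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the tutorial's merge.sh: build one self-contained .ovpn.
# Usage (umask keeps the result, which holds the private key, owner-only):
#   (umask 077; merge_inline BASE.ovpn ca.crt client.crt client.key ta.key > out.ovpn)

# Print FILE ($2) wrapped in the OpenVPN inline block named TAG ($1).
inline_block() {
    printf '<%s>\n' "$1"
    if [ "$1" = cert ]; then
        # A signed certificate file may start with a text dump; keep the PEM body.
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$2"
    else
        cat "$2"
    fi
    printf '</%s>\n' "$1"
}

merge_inline() {
    base=$1 ca=$2 cert=$3 key=$4 ta=$5
    # Refuse to emit a partial profile if any input is missing.
    for f in "$base" "$ca" "$cert" "$key" "$ta"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # Drop directives that name external files; inline blocks replace them.
    grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$base" || true
    # An inline tls-auth block has no direction argument, so state it here
    # (1 on the client, matching "tls-auth ta.key 1" in the tutorial).
    echo 'key-direction 1'
    inline_block ca "$ca"
    inline_block cert "$cert"
    inline_block key "$key"
    inline_block tls-auth "$ta"
}

# Run as a script when given the five file arguments.
if [ "$#" -eq 5 ]; then merge_inline "$@"; fi
```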
Step 11 – Final configuration on your server, setup the configuration file on the server side (server.conf):
Again, we’ll use Nano editor:
nano /etc/openvpn/server.conf
then put these lines there:
port 443
proto udp
dev tun
scramble obfuscate servermom
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
tls-auth /etc/openvpn/ta.key 0
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
user nobody # If server fails to start, please change this to an existing user
group openvpn # If server fails to start, please change this to an existing group
status openvpn-status.log
verb 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
Hit Control+O then Control+X to save and exit.
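Step 9 asks for the same scramble keyword on both sides; a mismatch there, or in protocol, port, cipher, compression or tls-auth direction, leads to handshake or traffic failures. The check below is an added example, not part of the original guide; the function names `directive` and `check_pair` are assumptions, and it assumes the client uses the `remote HOST PORT` form shown above.

```shell
#!/bin/sh
# Added example: check that a client .ovpn and server.conf agree.
# Usage: check_pair scrambled-client.ovpn /etc/openvpn/server.conf

# Print the arguments of the first DIRECTIVE ($1) in FILE ($2), ignoring
# comments; prints "(set)" for a directive that takes no argument.
directive() {
    sed 's/[#;].*$//' "$2" | awk -v d="$1" '
        $1 == d { $1 = ""; sub(/^ +/, "")
                  print ($0 == "" ? "(set)" : $0); exit }'
}

check_pair() {
    client=$1 server=$2 rc=0
    # Directives whose arguments must be identical on both sides.
    for name in scramble proto cipher comp-lzo; do
        c=$(directive "$name" "$client")
        s=$(directive "$name" "$server")
        if [ "$c" != "$s" ]; then
            echo "MISMATCH $name: client='$c' server='$s'"
            rc=1
        fi
    done
    # The port in the client's "remote HOST PORT" must be the server's "port".
    cport=$(directive remote "$client" | awk '{ print $2 }')
    sport=$(directive port "$server")
    if [ "$cport" != "$sport" ]; then
        echo "MISMATCH port: client='$cport' server='$sport'"
        rc=1
    fi
    # tls-auth directions must be opposite. An inline client file carries
    # the direction in "key-direction" instead of on the tls-auth line.
    cdir=$(directive tls-auth "$client" | awk '{ print $2 }')
    [ -n "$cdir" ] || cdir=$(directive key-direction "$client")
    sdir=$(directive tls-auth "$server" | awk '{ print $2 }')
    case "$sdir/$cdir" in
        0/1|1/0) ;;
        *) echo "MISMATCH tls-auth direction: client='$cdir' server='$sdir'"
           rc=1 ;;
    esac
    return "$rc"
}

# Run as a script when given two file arguments.
if [ "$#" -eq 2 ]; then check_pair "$1" "$2"; fi
```

The function prints one MISMATCH line per disagreement and returns non-zero if it found any.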
Step 12 – Now you can download the client configuration file to your computer to use with the OpenVPN client app. For this, you can use FileZilla: simply enter your server IP, username and password, and use port 22 (the default SSH port, if you haven’t changed it yet).
Go to the client-files directory and grab the config file.
Step 13 – That’s it. Copy that file to the OpenVPN client’s config folder on your computer. Now open your OpenVPN client app and use it as usual.
Enjoy…
Hi Mom 🙂
This OpenVPN’s Client config can be used to connect the vpn using Android or I need to generate other kind of Client config?
Thanks for your guide, is awesome!
It should be able to use on Android. Simply install OpenVPN client app on Android (https://play.google.com/store/apps/details?id=de.blinkt.openvpn) and use generated client config (download it to your PC then copy it to your device)
Thank you for this post. I’ve gone through your instructions and have the OpenVPN server up and running, but unfortunately the OpenVPN Android client (https://play.google.com/store/apps/details?id=de.blinkt.openvpn) doesn’t recognize the scramble option in the config file and just exits. Do you have any suggestions?
Nice post! Will this work for watching Hulu outside of the US as well? These media services are now cracking down on people using proxy and detecting some types of VPN. I guess will have to try and post back the results.
Error:
Connecting to scrambled-client has failed
upon “service openvpn start”
Starting openvpn failed..
My VPS is Virtuozzo container &
parallels power panel
make sure TUN/TAP device is allowed in your container. Refer to http://download.swsoft.com/virtuozzo/virtuozzo4.0/docs/en/lin/VzLinuxUG/6186.htm to enable it
I’m getting “process started and then immediately exited”
Options error: Unrecognized option or missing parameter(s) in stdin:3: scramble (2.1.1oOAS)
Use --help for more information.
Openvpn windows client. Please help? Feel free to email me.
Hello servermom(Sawiyati) i have a problem when i reach Configuring and Using Scrambled OpenVPN
“cd /etc/openvpn
wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz”
it says unable to establish SSL connection... Thank you
THIS WILL EXPLAIN MORE http://f13.wapkafiles.com/download/9/1/9/370196_9191d60e807d5caa830865e8.PNG/d92ee99c86e01d9aa890/sas.PNG
Hi… please update this guide… not working
get an error “connecting to scrambled client has failed”
OpenVPN service is started after changing the username and usergroup in server configuration… still not able to connect using openvpn….
Hello servermom(Sawiyati) i have a problem when i run autoreconf -i -v -f
get an error “autoconf: configure.ac or configure.in is required”. How to resolve this problem?
Hi… Thanks for this tutorial.
when I want Connect , i See this error in OpenVPN GUI:
Sun Mar 15 12:06:22 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Mar 15 12:06:22 2015 TLS Error: TLS handshake failed
another my question is how can i radius openvpn?
thanks.
Hey
thanks for your post but there is problem.
i did all of above inst
hey
thanks for your great post but i got a problem.
i did all of above instructions but when i setup in android client i got this error :
OpenVpn core error : Polar SSL :cert certificate in undefined.
what should i do ?
thanks