How to Install Scrambled OpenVPN on CentOS VPS

Scrambled OpenVPN For Dummies: How to Install on CentOS VPS. Why did I call it "for dummies"? Simply because I try to make this tutorial crystal clear, so that even dummies can follow all the steps outlined below and build their own Scrambled OpenVPN server to avoid Internet blocking in some strict countries (you name it) where a common OpenVPN-based VPN connection can be detected and shut down. Yes, there is technology that can actively look for VPN connections and block VPN servers. The Great Firewall (GFW), for example, is known to use Deep Packet Inspection to identify and block PPTP and OpenVPN connections.

So how do you bypass such technology? Simply use a less common VPN technology that the GFW cannot detect (as of now), like: Scrambled OpenVPN, SoftEther protocol, L2TP over IPsec, SSTP, and VPN over ICMP / VPN over DNS.

In this tutorial I’ll show you a guide (with pics) to install, build, and set up an undetected scrambled OpenVPN server that works on a low-end VPS (tested on an Iniz 128MB box, my favorite after RamNode). Credit to the original guide at LET.

Step 0 – ONLY for OpenVZ users, login to your VPS control panel (usually SolusVM) and enable TUN/TAP option.

Step 1 – Login to your server as root or as a user with root privilege. I chose root to avoid using “sudo” in every command I have to issue, and will set up a secondary user later as a basic and common security practice (read: Basic CentOS server setup).

Step 2 – Now download and install RHEL EPEL Repo for CentOS 6:

# For RHEL/CentOS 6 32-Bit #
wget http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

# For RHEL/CentOS 6 64-Bit #
wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Now install that repo using this command:

## For RHEL/CentOS 6 32-Bit ##
rpm -ivh epel-release-6-8.noarch.rpm

## For RHEL/CentOS 6 64-Bit ##
rpm -ivh epel-release-6-8.noarch.rpm

Step 3 – Next, you may also want to update and upgrade your VPS. Issue these two commands:

yum update -y
yum upgrade

Sorry I gave no screenshot for that. It’s long and boring and it should be very understandable.

Step 4 – As we want to install OpenVPN from source, we’ll need some dependencies to compile it. Install them using this command:

yum install autoconf.noarch automake file gcc libtool patch quilt git make rpm-build zlib-devel pam-devel openssl-devel lzo-devel

You may need to hit Y if asked for confirmation.

Step 5 – Now, this is the very important step. We are going to download the OpenVPN package and a special obfuscation patch file:

wget https://github.com/OpenVPN/openvpn/archive/release/2.3.zip

Then unzip (extract) it:

unzip 2.3.zip

Downloading patch file:

wget https://github.com/clayface/openvpn_xorpatch/archive/master.zip

Then unzip it:

unzip master.zip

Backup download links:

OpenVPN 2.3.2: https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/2.3.zip
Obfuscate Patch: https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/master.zip

Step 6 – Apply the patch to the source files. To do that, issue each command below line by line:

Copy the patch file to the OpenVPN folder:

cp openvpn_xorpatch-master/openvpn_xor.patch openvpn-release-2.3/

Go into the extracted OpenVPN folder:

cd openvpn-release-2.3/

Applying the patch:

git apply --check openvpn_xor.patch
git apply openvpn_xor.patch

Now go back to upper directory:

cd ..

then move extracted OpenVPN folder to /etc/openvpn:

mv ./openvpn-release-2.3/ /etc/openvpn

Step 7 – It’s building time. As long as you’ve installed all the required packages before (step 4 above), the process should complete successfully. First, we need to go to /etc/openvpn:

cd /etc/openvpn

Now issue this command:

autoreconf -i -v -f

Now configure it:

./configure --prefix=/usr

Step 8 – Now that we’ve configured all the necessary things, it’s time to really build it with the simple “make” command:

make
make install

Step 9 – At this point you’ve installed OpenVPN. Before we run and configure it, it is better to make it start automatically on boot. First, download the required startup script file:

wget https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/openvpn -O /etc/rc.d/init.d/openvpn

Now run these commands:

chmod +x /etc/rc.d/init.d/openvpn
chkconfig --add openvpn
chkconfig openvpn on

Configuring and Using Scrambled OpenVPN

Our OpenVPN server is now installed, but we still need to set up some configuration before using it, including installing the Easy-RSA package for creating keys and certificates.

Step 1 – Download the Easy-RSA package for creating keys and certificates. Issue these commands:

cd /etc/openvpn
wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz

Then extract it and copy the files:

tar zxvf easy-rsa-2.2.0_master.tar.gz
cp -R easy-rsa-2.2.0_master/easy-rsa/ /etc/openvpn/
chown -R $USER /etc/openvpn/easy-rsa/

Step 2 – Now let’s build the CA certificate needed to use the OpenVPN server:

cd /etc/openvpn/easy-rsa/2.0/
source vars
./clean-all

Now the magic command. Enter whatever info you want to build the CA certificate:

./build-ca

Step 3 – Build the server key. You will be asked for a password and you will need to answer y to sign and commit the certificate.

./build-key-server server

Step 4 – Now issue the command below to build the Diffie-Hellman parameters:

./build-dh

Step 5 – Next, let’s build the client key. You can build as many as you want; just change client to something else like user, yourname, user001, etc. Again, you will be asked for a password in the following step and you will need to answer y to sign and commit the certificate.

./build-key client

Step 6 – Now copy the server-side certificates and keys to the appropriate location:

cd keys
cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn

Step 7 – Next, copy the client files to a folder from which you can download them:

mkdir $HOME/client-files
sudo cp ca.crt client.crt client.key $HOME/client-files

Replace client.crt and client.key with the names you defined in step 5.

Step 8 – Now generate a ta.key and copy it to the separate folder where we can later download it:

openvpn --genkey --secret /etc/openvpn/ta.key
cp /etc/openvpn/ta.key $HOME/client-files

Step 9 – Another crucial step, create the OpenVPN client configuration file. You will need to fill in your server’s IP and you can choose whatever keyword after scramble obfuscate. Just make sure you have the same keyword in your server configuration file as well. Also, choose a UDP port that is best for your network setting. I use 443 in this tutorial.

nano $HOME/client-files/scrambled-client.ovpn

Now put these lines in that file. Again, replace **YOUR SERVER IP** with the real IP of your VPS:

client
dev tun
scramble obfuscate servermom
proto udp
remote **YOUR SERVER IP** 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3
fast-io
script-security 2

Hit Control+O to save then Control+X to exit Nano editor.

Step 10 – Now merge the certificates and keys to make it an inline configuration file.

wget https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/merge.sh -O $HOME/client-files/merge.sh

You may first need to edit merge.sh and adjust its configuration (such as renaming client.crt and client.key to the names you defined; you can use nano).

Next, issue these commands:

cd $HOME/client-files/
chmod +x $HOME/client-files/merge.sh
$HOME/client-files/merge.sh
chown $USER $HOME/client-files/scrambled-client.ovpn
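
An added example, not the merge.sh downloaded above and not code from the original guide: a small script that builds an inline configuration file as described in this step, using OpenVPN's inline <ca>, <cert>, <key> and <tls-auth> blocks. The function names and the output file name are assumptions.

```sh
#!/bin/sh
# Added example (not the tutorial's merge.sh): inline the CA, client
# certificate, client key and tls-auth key into one .ovpn profile.

# Print one inline block, keeping only the PEM-style section of the file
# (easy-rsa 2.0 certificates carry a text dump above the BEGIN line).
emit_block() {
    printf '<%s>\n' "$1"
    sed -n '/-----BEGIN/,/-----END/p' "$2"
    printf '</%s>\n' "$1"
}

# usage: inline_ovpn <base.ovpn> <ca.crt> <client.crt> <client.key> <ta.key> <out.ovpn>
inline_ovpn() {
    base=$1 ca=$2 cert=$3 key=$4 ta=$5 out=$6
    # Writing over the base file would truncate it before it is read.
    [ "$base" != "$out" ] || { echo "output must differ from base" >&2; return 1; }
    for f in "$base" "$ca" "$cert" "$key" "$ta"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # Refuse inputs with no PEM section, so the profile is never half-built.
    for f in "$ca" "$cert" "$key" "$ta"; do
        grep -q -- '-----BEGIN' "$f" || { echo "no PEM data in $f" >&2; return 1; }
    done
    rm -f "$out"
    (
        umask 077   # the result contains the client private key
        {
            # Drop the directives that reference external files.
            grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$base"
            # "tls-auth ta.key 1" becomes an inline block plus key-direction.
            echo 'key-direction 1'
            emit_block ca "$ca"
            emit_block cert "$cert"
            emit_block key "$key"
            emit_block tls-auth "$ta"
        } > "$out"
    )
}

# Run as a script:
#   ./inline.sh scrambled-client.ovpn ca.crt client.crt client.key ta.key merged.ovpn
if [ "$#" -eq 6 ]; then inline_ovpn "$@"; fi
```

The output file is created with mode 600 because it embeds client.key; keep it that way when transferring it to the client machine.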

Step 11 – Final configuration on your server, setup the configuration file on the server side (server.conf):

Again, we’ll use Nano editor:

nano /etc/openvpn/server.conf

then put these lines there:

port 443
proto udp
dev tun
scramble obfuscate servermom
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
tls-auth /etc/openvpn/ta.key 0
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
user nobody        # If server fails to start, please change this to an existing user
group openvpn    # If server fails to start, please change this to an existing group
status openvpn-status.log
verb 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30

Hit Control+O then Control+X to save and exit.

Step 12 – Now you can download the client configuration file to your computer to use with the OpenVPN client app. For this, you can use FileZilla: simply enter your server IP, username and password, and use port 22 (the default SSH port if you haven’t changed it yet).

Go to the client-files directory and grab the config file.

Step 13 – That’s it. Copy that file to the OpenVPN client’s config folder on your computer. Now open your OpenVPN client app and use it as usual.

Enjoy…
