How to Install Scrambled OpenVPN on CentOS VPS
Scrambled OpenVPN For Dummies: How to Install on CentOS VPS – Why did I call it "for dummies"? Simply because I try to make this tutorial crystal clear so even dummies can follow all the steps outlined below and build their own Scrambled OpenVPN server to avoid Internet blocking in some strict countries (you name it) where common OpenVPN-based VPN connections can be detected and shut down. Yes, there is technology that can actively look for VPN connections and block VPN servers. Call it the Great Firewall (GFW); it is known to use Deep Packet Inspection to identify and block PPTP and OpenVPN connections.
So how do you bypass such technology? Simply use a less common VPN technology that the GFW cannot detect (as of now), like: Scrambled OpenVPN, SoftEther Protocol, L2TP over IPsec, SSTP and VPN over ICMP / VPN over DNS.
In this tutorial I'll show you a guide (with pics) to install, build, and set up an undetected scrambled OpenVPN server that works on a low-end VPS (tested on an Iniz 128MB box – my favorite after RamNode). Credit to the original guide at LET.
Step 0 – ONLY for OpenVZ users, login to your VPS control panel (usually SolusVM) and enable TUN/TAP option.
Step 1 – Log in to your server as root or as a user with root privileges. I chose root to avoid using "sudo" in every command I have to issue, then set up a secondary user later as a basic and common security practice (read: Basic CentOS server setup).
Step 2 – Now download and install RHEL EPEL Repo for CentOS 6:
    ## For RHEL/CentOS 6 32-Bit ##
    wget http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
    ## For RHEL/CentOS 6 64-Bit ##
    wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Now install that repo using this command:
    ## For RHEL/CentOS 6 32-Bit ##
    rpm -ivh epel-release-6-8.noarch.rpm
    ## For RHEL/CentOS 6 64-Bit ##
    rpm -ivh epel-release-6-8.noarch.rpm
Step 3 – Next, you may also want to update and upgrade your VPS. Issue these two commands:
    yum update -y
    yum upgrade
Sorry I gave no screenshot for that. It’s long and boring and it should be very understandable.
Step 4 – As we want to install OpenVPN from source, we'll need some dependencies to compile it. Install them using this command:
yum install autoconf.noarch automake file gcc libtool patch quilt git make rpm-build zlib-devel pam-devel openssl-devel lzo-devel
You may need to hit Y if asked for confirmation.
Step 5 – Now, this is a very important step. We are going to download the OpenVPN package and a special obfuscation patch file:
then unzip /extract it:
Downloading patch file:
then unzip it:
Backup download links:
OpenVPN 2.3.2: https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/2.3.zip
Obfuscate Patch: https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/master.zip
Step 6 – Apply the patch to the source files. To do that, issue each command below line by line:
copying the patch file to OpenVPN folder
    cp openvpn_xorpatch-master/openvpn_xor.patch openvpn-release-2.3/
Going into the extracted OpenVPN folder:
Applying the patch:
    git apply --check openvpn_xor.patch
    git apply openvpn_xor.patch
Now go back to upper directory:
then move extracted OpenVPN folder to /etc/openvpn:
mv ./openvpn-release-2.3/ /etc/openvpn
Step 7 – It’s building time. As long as you’ve installed all required packages before (step 4 above), the process should complete successfully. First, we need to go to /etc/openvpn
Now issue this command:
autoreconf -i -v -f
Now configure it:
Step 8 – Now we’ve configured all necessary things, it’s time to really build it with simple “make” command:
    make
    make install
Step 9 – At this point you’ve installed OpenVPN. Before we run and configure it, it is better to make it automatically run on boot:
But download this required startup script file at first:
wget https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/openvpn -O /etc/rc.d/init.d/openvpn
Now this command:
    chmod +x /etc/rc.d/init.d/openvpn
    chkconfig --add openvpn
    chkconfig openvpn on
Configuring and Using Scrambled OpenVPN
Our OpenVPN server is now installed, but we still need to set up some configuration before using it, including installing the Easy-RSA package for creating keys and certificates.
Step 1 – Download Easy-Rsa package for creating keys and certificates. Issue these few lines of command:
    cd /etc/openvpn
    wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz
Then extract it and copy the files:
    tar zxvf easy-rsa-2.2.0_master.tar.gz
    cp -R easy-rsa-2.2.0_master/easy-rsa/ /etc/openvpn/
    chown -R $USER /etc/openvpn/easy-rsa/
Step 2 – Now let's build the CA certificate needed to use the OpenVPN server:
    cd /etc/openvpn/easy-rsa/2.0/
    source vars
    ./clean-all
The magic command, enter whatever info you want to build the CA certificate.
Step 3 – Building the key server. You will be asked for a password and you will need to answer y to sign and commit the certificate.
Step 4 – Now issue command below to build Diffie Hellman:
Step 5 – Next, let's build the client key. You can build as many as you want; just change client to something else like user, yourname, user001, etc. Again, you will be asked for a password in the following step and you will need to answer y to sign and commit the certificate.
Step 6 – Now copy the server-side certificates and keys to the appropriate location:
    cd keys
    cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
Step 7 – Next copy client files to a folder where you can download it:
    mkdir $HOME/client-files
    sudo cp ca.crt client.crt client.key $HOME/client-files
Replace client.crt and client.key with the name you defined in step 5.
Step 8 – Now generate a ta.key and copy it to the separate folder where we can later download it:
    openvpn --genkey --secret /etc/openvpn/ta.key
    cp /etc/openvpn/ta.key $HOME/client-files
Step 9 – Another crucial step, create the OpenVPN client configuration file. You will need to fill in your server’s IP and you can choose whatever keyword after scramble obfuscate. Just make sure you have the same keyword in your server configuration file as well. Also, choose a UDP port that is best for your network setting. I use 443 in this tutorial.
Now put these lines in that file. Again, replace **YOUR SERVER IP** with the real IP of your VPS:
    client
    dev tun
    scramble obfuscate servermom
    proto udp
    remote **YOUR SERVER IP** 443
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client.crt
    key client.key
    tls-auth ta.key 1
    ns-cert-type server
    cipher AES-256-CBC
    comp-lzo
    verb 3
    fast-io
    script-security 2
Hit Control+O to save then Control+X to exit Nano editor.
Step 10 – Now merge the certificates and keys to make it an inline configuration file.
wget https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/merge.sh -O $HOME/client-files/merge.sh
You may need to firstly edit merge.sh and adjust the configuration (like renaming client.crt and client.key to the ones you defined – you can use nano).
Next, issue this command:
    cd $HOME/client-files/
    chmod +x $HOME/client-files/merge.sh
    $HOME/client-files/merge.sh
    chown $USER $HOME/client-files/scrambled-client.ovpn
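What a merge step like the one in Step 10 has to produce, written out as an added example so the result can be inspected; this is not the merge.sh the tutorial downloads, whose contents are not shown on the page. The function names and the base config file name passed in are assumptions.

```shell
#!/bin/sh
# Added example: build one inline client profile from the separate files.
# Usage: merge_inline <base.conf> <ca.crt> <client.crt> <client.key> <ta.key> <out.ovpn>
merge_inline() {
    base=$1 ca=$2 cert=$3 key=$4 ta=$5 out=$6
    for f in "$base" "$ca" "$cert" "$key" "$ta"; do
        [ -r "$f" ] || { echo "missing input: $f" >&2; return 1; }
    done
    (
        # The profile embeds the private key: create it owner-only.
        umask 077
        {
            # Drop the file-path directives; inline blocks replace them.
            grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$base" || :
            # An inline <tls-auth> block cannot carry the "1" argument,
            # so the client direction is set with key-direction instead.
            echo 'key-direction 1'
            emit_block ca "$ca"
            emit_block cert "$cert"
            emit_block key "$key"
            emit_block tls-auth "$ta"
        } > "$out"
    )
}

# emit_block <tag> <file>: wrap only the PEM-armored part of <file> in
# <tag>...</tag>, skipping any text outside the BEGIN/END lines
# (certificate dumps, key file comments).
emit_block() {
    printf '<%s>\n' "$1"
    sed -n '/-----BEGIN/,/-----END/p' "$2"
    printf '</%s>\n' "$1"
}

# Run directly with six arguments to produce a profile.
if [ "$#" -eq 6 ]; then merge_inline "$@"; fi
```

The resulting file contains the client private key and the shared ta.key, so it should be transferred and stored like any other secret.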
Step 11 – Final configuration on your server, setup the configuration file on the server side (server.conf):
Again, we’ll use Nano editor:
then put these lines there:
    port 443
    proto udp
    dev tun
    scramble obfuscate servermom
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/server.crt
    key /etc/openvpn/server.key
    tls-auth /etc/openvpn/ta.key 0
    dh /etc/openvpn/dh1024.pem
    server 10.8.0.0 255.255.255.0
    cipher AES-256-CBC
    comp-lzo
    persist-key
    persist-tun
    user nobody # If server fails to start, please change this to an existing user
    group openvpn # If server fails to start, please change this to an existing group
    status openvpn-status.log
    verb 3
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    push "redirect-gateway def1"
    push "dhcp-option DNS 184.108.40.206"
    push "dhcp-option DNS 220.127.116.11"
    keepalive 5 30
Hit Control+O then Control+X to save and exit.
Step 12 – Now you can download the client configuration file to your computer to use with the OpenVPN client app. For this, you can use FileZilla: simply enter your server IP, username and password, and use port 22 (the default SSH port if you haven't changed it yet).
Go to client-files directory and grab the config file
Step 13 – That's it. Copy that file to the OpenVPN client's config folder on your computer. Now open your OpenVPN client app and use it as usual.
Hi Mom 🙂
Can this OpenVPN client config be used to connect to the VPN using Android, or do I need to generate another kind of client config?
Thanks for your guide, it is awesome!