We are going to install OpenVPN on Ubuntu Server 14.04 and then use Android to connect to it (so you can bypass the Chinese firewall, for example 😉).
Install OpenVPN
apt-get install openvpn libssl-dev openssl
We need to allow IPv4 forwarding so the server can send out packets on the VPN’s behalf. Let’s nano /etc/sysctl.conf and uncomment this line:
net.ipv4.ip_forward=1
Then sudo sysctl -p to reload the modified conf. Then nano /etc/default/ufw and edit this line:
DEFAULT_FORWARD_POLICY="ACCEPT"
Finally, nano /etc/ufw/before.rules and edit it like this:
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
# (the source is the VPN subnet 10.8.0.0/24, the same range as the forward rules below)
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines

# OpenVPN rules
-A ufw-before-input -i tun+ -j ACCEPT
# Outgoing packets are matched on the output interface (-o)
-A ufw-before-output -o tun+ -j ACCEPT
-A ufw-before-forward -s 10.8.0.0/24 -j ACCEPT
-A ufw-before-forward -d 10.8.0.0/24 -j ACCEPT
Open the OpenVPN port with ufw allow 1194/udp and restart ufw with service ufw restart.
Create Server Keys
We will use Easy-RSA to generate the server side keys.
apt-get install easy-rsa
make-cadir /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
Now copy the server keys to the root of the openvpn directory:
cp server.crt server.key ca.crt dh2048.pem ta.key /etc/openvpn/
Create Client Certificates
cd /etc/openvpn/easy-rsa/
source vars
./pkitool client-name
Those commands will create new files in the easy-rsa/keys directory called client-name.crt and client-name.key.
/etc/openvpn/ca.crt
/etc/openvpn/easy-rsa/keys/client-name.crt
/etc/openvpn/easy-rsa/keys/client-name.key
These 3 files need to be copied to the client, so the client software can use them to make the connection with the server. You can use FileZilla to download them on the client, for example.
Tweak OpenVPN config
Server side
Copy/extract the default OpenVPN conf file:
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gzip -d /etc/openvpn/server.conf.gz
nano /etc/openvpn/server.conf and make the following changes:
;dh dh1024.pem
;change to
dh dh2048.pem
Change this so all your client traffic passes through the VPN.
;push "redirect-gateway def1 bypass-dhcp"
;change to
push "redirect-gateway def1 bypass-dhcp"
Push specific DNS address to your clients.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;uncomment and edit these as needed to:
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
Change the following to increase security, so the VPN service has restricted access:
;user nobody
;group nogroup
;change to
user nobody
group nogroup
Specify where to output the OpenVPN log:
log-append /var/log/openvpn.log
Finally:
service openvpn restart
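A directive that still has its leading ; is a comment and has no effect, so it is worth checking the edited file. The script below is an added example, not part of the original post: its function names are illustrative and the sample config is constructed. It reports which of the server-side changes above are actually active.

```sh
#!/bin/sh
# Added example, not from the original post: audit a server.conf for the
# settings this guide changes. OpenVPN treats lines starting with ';' or '#'
# as comments, so a directive counts only when it appears uncommented.

# active_directive FILE REGEX: succeeds if an uncommented line matches REGEX.
active_directive() {
    grep -Ev '^[[:space:]]*[;#]' "$1" | grep -Eq "$2"
}

# check FILE DESCRIPTION REGEX: prints a verdict; fails if the directive is inactive.
check() {
    if active_directive "$1" "$3"; then
        echo "ok    $2"
    else
        echo "FAIL  $2"
        return 1
    fi
}

# audit_conf FILE: runs every check; the exit status is the number of failures.
audit_conf() {
    fails=0
    check "$1" "dh uses dh2048.pem"         '^[[:space:]]*dh[[:space:]]+dh2048\.pem' || fails=$((fails + 1))
    check "$1" "redirect-gateway is pushed" '^[[:space:]]*push[[:space:]]+"redirect-gateway def1' || fails=$((fails + 1))
    check "$1" "a DNS server is pushed"     '^[[:space:]]*push[[:space:]]+"dhcp-option DNS ' || fails=$((fails + 1))
    check "$1" "runs as user nobody"        '^[[:space:]]*user[[:space:]]+nobody' || fails=$((fails + 1))
    check "$1" "runs as group nogroup"      '^[[:space:]]*group[[:space:]]+nogroup' || fails=$((fails + 1))
    check "$1" "log-append is set"          '^[[:space:]]*log-append[[:space:]]+' || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample: a half-edited config where user/group are still commented.
sample=$(mktemp)
cat > "$sample" <<'EOF'
dh dh2048.pem
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
;user nobody
;group nogroup
log-append /var/log/openvpn.log
EOF
audit_conf "$sample" || echo "$? setting(s) still inactive"
rm -f "$sample"
```

On the server, run audit_conf /etc/openvpn/server.conf after editing; a non-zero exit status is the number of settings still commented out or missing.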
Android side
Now, on your Android device, download the official OpenVPN client from the F-Droid market (https://f-droid.org/wiki/page/de.blinkt.openvpn), add a profile, and edit the server address in the config (your server IP or FQDN). Give the Android client the path to the 3 files you previously downloaded, and start the connection!
That’s it, you can enjoy Youtube & co in China.