Ubuntu server 14.04 + OpenVPN + Android client

We are going to install OpenVPN on Ubuntu Server 14.04 and then connect to it from Android (so you can, for example, get past the Chinese firewall 😉).

Install OpenVPN

apt-get install openvpn libssl-dev openssl

We need to enable IPv4 forwarding so the server can forward packets on the VPN clients' behalf. Open /etc/sysctl.conf with nano and uncomment this line:

net.ipv4.ip_forward=1

Then run sudo sysctl -p to reload the modified configuration (cat /proc/sys/net/ipv4/ip_forward should now print 1). Next, open /etc/default/ufw with nano and change the forward policy to:

DEFAULT_FORWARD_POLICY="ACCEPT"

Finally, open /etc/ufw/before.rules with nano. Put the NAT block at the very top of the file, before the existing *filter section (each table in this file ends with its own COMMIT, and ufw loads them in order), and add the OpenVPN filter rules right below the "required lines" block that is already there. Replace eth0 with the name of your public interface if it differs (ip route show default prints it):

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade traffic from the OpenVPN subnet (10.8.0.0/24, the default "server" line in server.conf) out of eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES


# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines

# OpenVPN rules
-A ufw-before-input -i tun+ -j ACCEPT
-A ufw-before-output -o tun+ -j ACCEPT
-A ufw-before-forward -s 10.8.0.0/24 -j ACCEPT
-A ufw-before-forward -d 10.8.0.0/24 -j ACCEPT

Two details matter here. The masquerade source is 10.8.0.0/24, not /8: a /8 would NAT anything in 10.0.0.0/8 out of eth0, far more than the VPN subnet, and the forward rules use /24 anyway. And the rule in the output chain matches on -o tun+, not -i tun+: packets in OUTPUT have no input interface, and iptables refuses -i there, which would make ufw fail to load the whole file.

Open the OpenVPN port with ufw allow 1194/udp, then restart ufw with service ufw restart so the new before.rules are loaded; ufw status verbose should list 1194/udp as allowed.

Create Server Keys

We will use Easy-RSA (version 2, as packaged in 14.04) to generate the CA and the server-side keys. Before running the commands below, edit vars in the new directory and set KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL to your own values, and check that KEY_SIZE is 2048 (the 14.04 default): that is what makes build-dh produce the dh2048.pem used below. Note that ./clean-all wipes the keys directory, so run it only this once and not again when adding clients later.

apt-get install easy-rsa
make-cadir /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key

Now copy the server keys to the root of the OpenVPN directory (you are still inside the keys directory):

cp server.crt server.key ca.crt dh2048.pem ta.key /etc/openvpn/

server.key and ta.key are secrets: check with ls -l /etc/openvpn/ that both are still root-only (-rw-------) after the copy, and chmod 600 them if not.

Create Client Certificates

cd /etc/openvpn/easy-rsa/
source vars
./pkitool client-name

Those commands create two new files in the easy-rsa/keys directory, client-name.crt and client-name.key. Together with the CA certificate, the client needs these three files:

/etc/openvpn/ca.crt
/etc/openvpn/easy-rsa/keys/client-name.crt
/etc/openvpn/easy-rsa/keys/client-name.key

These three files need to be copied to the client, so the client software can use them to authenticate to the server. client-name.key is the device's private key: move it over an encrypted channel only (FileZilla over SFTP is fine, plain FTP or e-mail is not) and delete the intermediate copy from your workstation once it is on the phone. Generate a separate certificate for every device rather than sharing one, so a lost phone can be revoked on its own. If you enable tls-auth in server.conf (it uses the ta.key generated above), the client needs a copy of /etc/openvpn/ta.key as well.
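Instead of copying the files one by one, you can bundle them into a single .ovpn profile with the certificates and keys embedded inline, which OpenVPN for Android imports directly. The script below is an added example, not code from the original post: make_ovpn builds such a profile from the CA certificate and the easy-rsa keys directory, strips the text dump that pkitool puts in front of each certificate, embeds ta.key with key-direction 1 when it is present, and adds remote-cert-tls server so the phone refuses a peer that presents a client certificate signed by the same CA. The key material written by make_sample_keys is a constructed placeholder, not real keys; the hostname vpn.example.org and the profile name phone are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not code from the original post): build one .ovpn profile for
# the phone with the CA certificate, client certificate, client key and ta.key
# embedded inline, so a single file is transferred instead of three or four.
# The sample key material written by make_sample_keys is a constructed
# placeholder, not real keys; on the server, call make_ovpn with
# /etc/openvpn/ca.crt and /etc/openvpn/easy-rsa/keys instead.
set -eu

# Keep only the PEM block; pkitool-generated .crt files start with a text dump.
pem_only() {
  sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

# make_ovpn NAME SERVER_HOST CA_FILE KEYS_DIR OUT_FILE
make_ovpn() {
  name="$1"; host="$2"; ca="$3"; keys="$4"; out="$5"
  for f in "$ca" "$keys/$name.crt" "$keys/$name.key"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
  done
  {
    cat <<EOF
client
dev tun
proto udp
remote $host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Refuse to connect if the peer's certificate is not a server certificate,
# so another client's cert (signed by the same CA) cannot impersonate the server.
remote-cert-tls server
verb 3
EOF
    printf '<ca>\n';   pem_only "$ca";             printf '</ca>\n'
    printf '<cert>\n'; pem_only "$keys/$name.crt"; printf '</cert>\n'
    printf '<key>\n';  pem_only "$keys/$name.key"; printf '</key>\n'
    # Only if the server has "tls-auth ta.key 0"; the client side is direction 1.
    if [ -r "$keys/ta.key" ]; then
      printf 'key-direction 1\n<tls-auth>\n'; pem_only "$keys/ta.key"; printf '</tls-auth>\n'
    fi
  } > "$out"
  chmod 600 "$out"   # the profile contains the private key
}

# Constructed placeholder files under $1, laid out like the easy-rsa keys dir.
make_sample_keys() {
  mkdir -p "$1/keys"
  cat > "$1/ca.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CA-CERT-PLACEHOLDER
-----END CERTIFICATE-----
EOF
  cat > "$1/keys/phone.crt" <<'EOF'
Certificate:
    Data: (text dump that pkitool prepends; must not end up in the profile)
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CLIENT-CERT-PLACEHOLDER
-----END CERTIFICATE-----
EOF
  cat > "$1/keys/phone.key" <<'EOF'
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-CLIENT-KEY-PLACEHOLDER
-----END PRIVATE KEY-----
EOF
  cat > "$1/keys/ta.key" <<'EOF'
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
CONSTRUCTED-TA-KEY-PLACEHOLDER
-----END OpenVPN Static key V1-----
EOF
}

# Stand-alone demo with the placeholders.
tmp=$(mktemp -d)
make_sample_keys "$tmp"
make_ovpn phone vpn.example.org "$tmp/ca.crt" "$tmp/keys" "$tmp/phone.ovpn"
echo "profile written to $tmp/phone.ovpn"
```

The resulting file is as sensitive as client-name.key itself, which is why it is created mode 600; transfer it the same way (SFTP) and remove it from the server once the phone has it. If ta.key is not in the keys directory the tls-auth block is simply omitted, which matches a server that has left tls-auth commented out.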

Tweak OpenVPN config

Server side

Copy and extract the default OpenVPN server config, then open it:

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gzip -d /etc/openvpn/server.conf.gz
nano /etc/openvpn/server.conf

Make the following changes (lines starting with ; are commented out):

;dh dh1024.pem
;change to
dh dh2048.pem

Change this so all your client traffic passes through the VPN.

;push "redirect-gateway def1 bypass-dhcp"
;change to
push "redirect-gateway def1 bypass-dhcp"

Push specific DNS servers to your clients, so name lookups also go through the tunnel instead of leaking to the local (possibly filtered) resolver. The sample uses OpenDNS; edit the addresses as needed:

;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;uncomment and edit these as needed to:
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

Uncomment the following so the OpenVPN process drops root privileges once the tunnel is up (the sample config already has persist-key and persist-tun, which this needs to survive restarts of the tunnel):

;user nobody
;group nogroup
;change to
user nobody
group nogroup

Since ta.key was generated and copied above, also uncomment the tls-auth line (tls-auth ta.key 0) so that packets without a valid HMAC are dropped before any TLS processing; the client then needs its own copy of ta.key and uses direction 1.

Specify where OpenVPN writes its log:

log-append /var/log/openvpn.log

finally:

service openvpn restart

Android side

Now on your Android device, install OpenVPN for Android from F-Droid (https://f-droid.org/wiki/page/de.blinkt.openvpn), add a profile, and set the server address in the config (your server IP or FQDN). Point the profile at the files you previously downloaded: ca.crt as the CA certificate, client-name.crt and client-name.key as the client certificate and key, and ta.key with direction 1 if you enabled tls-auth on the server. Then start the connection and check that the tunnel is really used: the phone's public IP, as reported by any "what is my IP" site, should now be the server's.


That’s it, you can enjoy Youtube & co in China.