PDA

View Full Version : How to setup private OpenVPN on a Linux server and Windows/Android client?



Fli
01-24-2016, 09:47 PM
This tutorial should help You to
a) protect your internet communication by encryption
b) use different IP so you hide your real IP

You will need
a) Linux server (starts at less than $2/month (https://internetlifeforum.com/vps-hosting/20060-cheapest-linux-vpss-under-%242-monthly/)) and you can use it for many other tasks like website hosting server
b) to install OpenVPN software on that server and on your own home computer and/or on the Android device

ALTERNATIVES to OpenVPN: You may also skip this whole tutorial and try
A) WireGuard (https://www.wireguard.com/install/) which is faster than OpenVPN - Download and run WG installer (https://github.com/angristan/wireguard-install) on a Linux server (Dedicated server or vitual server virtualized using KVM/XEN since OpenVZ & LXC needs different approach: #1 (https://github.com/Nyr/wireguard-install) or #2 (https://web.archive.org/web/20211006101419/https://d.sb/2019/07/wireguard-on-openvz-lxc))
Here i found another tutorials for Wireguard server + Windows client:
https://web.archive.org/web/20210816050733/https://golb.hplar.ch/2019/07/wireguard-windows.html
https://web.archive.org/web/20210915091556/https://www.stavros.io/posts/how-to-configure-wireguard/
B) https://github.com/StreisandEffect/streisand but it is much more complicated, complex system.
C) free VPN like from https://tunsafe.com/vpn (TunSafe is alternative client to OpenVPN and is claimed to be much faster, though do not have GUI Linux client)

Most recent version of this tutorial is available when you run ZeroNet (https://github.com/ZeroNetX/ZeroNet/#how-to-join) and then open this page (http://127.0.0.1:43110/1LfvE91ZF18jdG3wW62Dw7NtfTZh737KPL/?Topic:1548340010_1L4dZcDF2maSKHDy788yhxpYnBWnXadU tS/How+to+setup+private+OpenVPN+on+a+Linux+server+and +Windows+Android+client).

Server side OpenVPN setup

Login to Your Linux server that you want to act as a VPN server / proxy server. If you do not have one, try Linux VPS 256MB RAM from there: https://instantcpanelhosting.com/cart.php?gid=4 (when selecting a VPS, consider its data transfer/bandwidth limits usually mentioned by the VPS seller and your current computer internet data transfer so the VPS fits) After order you will receive login details which will allow you to access your linux server command line. Following are Linux commands to run.

cat /dev/net/tun
(checking that tun/tap is available)

A) It is OK if it says "cat: /dev/net/tun: File descriptor in bad state"

B) It is bad, tun device is not available currently, it says "cat: /dev/net/tun: Operation not permitted". In case of a dedicated server, do command "modprobe tun" and then add tun into /etc/modules.conf or on RHEL into /etc/sysconfig/modules/my.modules add line "/sbin/modprobe tun". If you are on a VPS (not dedicated server), then ask your VPS provider to enable tun/tap (sometimes there is option in control panel). On OpenVZ, provider will issue command: "vzctl set CTID --devnodes net/tun:rw --capability net_admin:on --save"

Update your system and reboot, some people including me had problems due to outdated kernel:
Debian based Linux: sudo apt update;sudo apt upgrade;reboot
Redhat based Linux: yum update;yum upgrade;reboot


Then download & run Nyr's installation bash script for the Linux Debian, Ubuntu, CentOS (no centos 5.x):
wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh


NOTE: if you are on older OS (CentOS6, Debian 8), original installer above may fail. Use following command instead:
wget https://raw.githubusercontent.com/Nyr/openvpn-install/c90989a0e2dbb6316e5d048f105c8615f70c6ba9/openvpn-install.sh && bash openvpn-install.sh


Maybe worth using 443 port as it will be rarely restricted.

If the installation ends in ERROR: "Job for [email protected] failed because the control process exited with error code."
Try command: sed -i 's/LimitNPROC/#LimitNPROC/g' /lib/systemd/system/[email protected];systemctl daemon-reload;systemctl restart [email protected];systemctl status [email protected]
The VPN server then should appear as active (running) which is correct. If that is wrong, try to stop that service. Maybe other service name is used: systemctl status openvpn-server*


Disable OpenVPN server logging (after openvpn server is installed):
for f in $(find /etc/openvpn/ -name server.conf);do sed -e '/openvpn-status.log/d' -e '/verb /d' "$f" && echo -e "log /dev/null\nstatus /dev/null\nverb 0" >> "$f"; done
chkconfig openvpn on 2>/dev/null|| update-rc.d openvpn enable

Check journalctl for possible service errors: journalctl -g [email protected]|tail;echo "Time now: $(date)"
"Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/server.service.conf"?
If exist, then try: systemctl disable [email protected] && systemctl stop [email protected]
Maybe wrong service is used. is this correct?: systemctl status openvpn-server*

Initial installation wizard should have printed out the path to the openvpn configuration file ~/client.ovpn (/root/client.ovpn)
Download this file (or copy its contents) to your device from which you want to be connecting to the OpenVPN server

increase number of simultaneous connections (if you are heavy, P2P internet user):

echo "net.netfilter.nf_conntrack_max=99000" > /etc/sysctl.d/10-conntrack-max.conf;sysctl -p /etc/sysctl.d/10-conntrack-max.conf

Client side setup

Windows client

Place your .ovpn configuration file into the proper directory, C:\Program Files\OpenVPN\config, and click Connect in the GUI.

Linux client

openvpn --config ~/path/to/client.ovpn

Android client

I installed this software (https://play.google.com/store/apps/details?id=de.blinkt.openvpn&rdid=de.blinkt.openvpn). And then downloaded my .ovpn file to the phone. Then open that file in phone and select VPN client you just installed to open it. It will import the file.

---
After connection is established, the OS connections should be routed through the OpenVPN. If not, or internet fails, verify your proxy settings in InternetExplorer or in the app that fails to connect internet.

If apps still can't connect internet, try to switch to the server and discover your network interface name (usually eth0 or venet0):
route|grep default|awk '{print $8}'

Then execute command on the server:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
(i used venet0 as im on the OpenVZ VPS, to discover yours interface name, run command mentioned few lines above)

How to prevent your OS leaking real IP when OpenVPN is down?

When OpenVPN app crash or not started, computer can connect internet directly revealing your true identity and transfer data unencrypted. To prevent this, you need to configure your computer Firewall. Click here for windows (https://internetlifeforum.com/computers-technology/7393-how-force-program-use-openvpn-only-windows-firewall-comodo-linux-ufw/) and or here for Linux (http://internetlifeforum.com/security/8687-how-setup-vpn-openvpn-prevent-ip-leak-non-vpn-connections-linux-gufw/).

How to open port for P2P etc. to become active peer connectable from outside?

Also called port forwarding. Details are on this page (http://127.0.0.1:43110/1LfvE91ZF18jdG3wW62Dw7NtfTZh737KPL/?Topic:1520435905_1L4dZcDF2maSKHDy788yhxpYnBWnXadU tS/Do+i+need+to+setup+custom+port+forwarding+on+a+VPN +server+to+have+custom+port+open) (will work once you run this ZeroNet software (https://github.com/ZeroNetX/ZeroNet/#readme)).

----------------------------------------
How to setup torrent client to work with OpenVPN? https://internetlifeforum.com/security/6552-how-make-qbittorent-working-openvpn/izer (https://internetlifeforum.com/security/6552-how-make-qbittorent-working-openvpn/)

JohnnyD
02-29-2020, 01:46 PM
It can be difficult to make it work on some devices, but here is a step-by-step tutorial for OpenVPN on Android (https://www.sneakflix.com/setup/android) illustrated with screenshots. Should probably be the same method to setup VPN on all new versions of Android.