How to set up your own VPN on a server

Jollier

VPN stands for Virtual Private Network. It is a technology that creates an encrypted channel (a tunnel) between your device (computer / smartphone / tablet) and a VPN server; the server then forwards your traffic to the Internet on your behalf.
A VPN is therefore a service that runs on a remote machine (a server), and everything you send through the tunnel is visible to whoever controls that server.

Why you need a VPN
VPNs are usually used by enterprises and organizations to join branch offices, or remote users that are physically far apart, into one network. But that is not what we are interested in here.

A VPN lets you appear on the network with a different IP address, possibly from another country, which makes it possible to bypass various kinds of blocking or to use resources that are available only to users of certain countries (for example, a website that is only available to users in Germany).

Also, if your ISP does not give you a static IP address, a VPN server with a fixed address can serve as one.
For us, a VPN is primarily a means of hiding our traffic from the ISP.
The VPN hides from your ISP which resources you visit (the ISP sees only encrypted traffic to the VPN server), and from the resources you visit it hides your real IP address (they see the VPN server's address). Keep in mind that the VPN server itself sees both, so you are moving trust from the ISP to whoever runs the server.

A VPN is often used to hide Tor usage from your ISP: if you start the VPN first and then Tor Browser, your traffic follows the chain VPN -> Tor. The ISP sees only a VPN connection, and the first (guard) node of the Tor network sees the VPN server's IP address instead of your real one. The VPN server, of course, can see that you are connecting to Tor.

VPN protocols
There are many different VPN protocols.

OpenVPN is an open-source protocol built on the OpenSSL library: it supports a large number of ciphers, is well studied, is flexible to configure, can run on any port over UDP or TCP, and is fast. It requires third-party software (OpenVPN clients exist for every desktop and mobile OS; more on that below). A single .ovpn client file can be used on any OS, including mobile. I recommend OpenVPN everywhere.

IKEv2 - Also a very good protocol: strong protection, fast, and it re-establishes the tunnel quickly when the network changes (for example, switching from Wi-Fi to mobile data). One of the few protocols that supports BlackBerry devices. It is an open IETF standard (IKEv2/IPsec) with open-source implementations such as strongSwan, and native clients ship in Windows, macOS and iOS (Android uses the strongSwan app), so the "closed source" worry sometimes raised against it does not apply to the protocol itself, only to particular vendor clients. It is still found less often in VPN services than OpenVPN or L2TP.

PPTP - This protocol is quite old, one of the very first. It is fast and easy to configure and is supported by almost all operating systems, but it is completely insecure: its MS-CHAPv2 authentication reduces to a single 56-bit DES key that can be brute-forced in under a day, and the MPPE session key is derived from the same password hash, so the traffic falls with it. Do not use it unless you need no protection at all, and preferably not even then.

L2TP / IPsec - Better than PPTP. L2TP is also supported by many operating systems, including mobile ones, and is fairly easy to configure; the encryption is provided by IPsec, which is far stronger than PPTP's MPPE. However, L2TP / IPsec encapsulates twice, so it is slower than PPTP or OpenVPN, and because it uses UDP 500/4500 and the ESP protocol it is often blocked by firewalls that only let HTTP(S) through.

SSTP - Microsoft's protocol. It has strong encryption (it is SSL/TLS over TCP 443), so, like OpenVPN, it passes through firewalls, and it is easier to set up than OpenVPN. It is available mainly on Windows (third-party clients exist for other systems), and Microsoft's implementation is closed source, so OpenVPN is the better choice.

Conclusion: if possible, use only OpenVPN, because of its open source, security and reasonable speed. IKEv2 is a good protocol: secure, fast and stable. L2TP / IPsec can be used instead of PPTP, but I do not recommend PPTP at all. SSTP is mainly available on Windows; I do not really recommend it either.

Free VPN vs Your VPN vs Purchased VPN
If you need a VPN urgently, right here and now, and you have neither a subscription to a VPN service nor, even less, your own server, then you can use free VPNs. The idea is dubious, of course.

You go to their sites and download the OpenVPN configuration file, or get instructions on how to connect if a different VPN protocol is used.

The OpenVPN configuration file (.ovpn extension) is "fed" to your OpenVPN client (I write about the clients below).

What is the advantage of free VPNs?
Obviously, being free is a plus in itself. The fact that such servers are used by a large number of people also adds some anonymity. That is where the benefits end.
Such servers are very unreliable: they drop often and are very slow. I would recommend them only if you need something urgently and there is no other option; better not to get into such a situation at all. Logs may well be kept on these servers, and what ELSE is running on them nobody knows.

For long-term use and for anything important, I strongly advise against them.
You can run your own VPN. You just need to rent a server, log in to it and set up OpenVPN there following the instructions below.
Compared to paid VPN services, your own VPN works out even cheaper: a VPS (Virtual Private Server) can be rented for about $2-3 per month, which in my opinion is cheap enough; you just have to search.

Of course, your own VPN has other advantages. For example, you have root access to the server, so you can disable logging yourself instead of taking a provider's word for it; with someone else's VPN (free or paid) you have no root access and no way to verify that logging is off, however convincing the service sounds. You are the master of the server. This is your VPN. Note that root access only covers the guest OS: the hosting company can still capture the server's network traffic and, on a container platform such as OpenVZ, see its processes and files from the host node, so what you remove is the VPN operator as a separate party, not the hoster.

Unlike free VPNs, your server will work much faster and more stably. That is a very significant plus.
Also, since the server is yours, you can run something besides OpenVPN on it: a web server with a small website, for instance, or a Tor node if your provider allows it (a Tor relay is permitted more often than an exit node).
The drawback is that you, and only you, are on the server (unless you let a couple of hundred people use your VPN, in which case the server also needs more power): every connection from that IP address is yours, so there is no crowd to hide in. Free and paid VPNs do not have this problem.

Another disadvantage is that not everyone is able to set up their own VPN. Someone may not be well versed in IT and these instructions will seem completely wild and incomprehensible; someone else will not understand at all what they are doing, which is also not good. In general, though, I highly recommend running your own.
You can use paid VPN services, which are also relatively inexpensive (on average $5-12 per month).

Such services, of course, are found on the Internet. Most of them accept Bitcoin for payment, which is undoubtedly good. Many have their own OpenVPN client for some operating system, but using their clients is not recommended for security reasons: the standard OpenVPN client with their .ovpn file does the same job without extra vendor code running on your machine.

Register and pay for a month (or a year, which is cheaper), download the OpenVPN configuration file (.ovpn), feed it to your OpenVPN client and that's it, you have a VPN. If you do not use OpenVPN, read the service's website for instructions on connecting with a different protocol. Fortunately, these sites have good instructions and everything is extremely simple and clear.

One of the advantages is that each service offers servers in many countries. You can switch between them manually, with different .ovpn configs, or automatically if their client implements it, whereas on your own server you are tied to one country and one IP address. Do not like one country? Switch to another.

It goes without saying that these servers are much more stable, reliable and fast compared to the "free" solution. Trust in paid services is also somewhat higher than in free VPNs, although there are still no guarantees.
Compared to your own server, you do not have root access and therefore cannot control what happens inside, which means you have no guarantee that logging is disabled.
When choosing a VPN service or a VPS, pay attention to where the company is registered and in which countries its servers are located. The same applies to the VPS choice.

The legal aspect of this matter is important, but here I am not your assistant.
I can only say that using a VPN located in the country where you are committing a crime is not a good idea. So if you are working against Russia, ordering servers in that country or using a Russian VPN service is EXTREMELY illogical.

When choosing a service or a VPS: see where the servers are located, where the service or hoster is registered, and read the privacy policy.

Searching for and renting a VPS for Bitcoin
To set up our own OpenVPN we, unsurprisingly, need our own server (hereinafter VPS). You need to rent a VPS, log in to it over SSH, perform the initial server configuration (optional) and set up OpenVPN.

Problems when buying a VPS anonymously
Many foreign hosting companies accept Bitcoin. The same cannot be said of Russian services offering VPS rental, although some Russian ones that accept this cryptocurrency can be found.

However, even when a "white" (legitimate) hoster accepts cryptocurrency, many of them still do not like anonymous clients. So at registration you are required to enter data such as name, country, city, street address, e-mail and (not always) mobile phone. Your IP address is also logged at registration and on each visit to the customer area. Some hosters are more lenient, some less. So it is not always possible to buy a VPS simply and anonymously.

It would seem that you could enter fake data at registration and solve the IP-logging problem with proxies or Tor Browser. BUT NO. Many of these "white" hosters run anti-fraud systems on their websites to fight fraudulent transactions. This is protection primarily against carders, but it works just as well against overly anonymous clients.

The anti-fraud system calculates the risk of a fraudulent transaction or a "strange" client from many factors that would be long and pointless to list in this article. Here are the basic ones in a nutshell:
1) IP address. It should be more or less clean and not be in the anti-fraud system's databases as a proxy and so on. This is the most important factor. As you understand, Tor exit IP addresses are on all such lists, and if the hoster has strict anti-fraud and wants to fight anonymous clients, registering through Tor will not work.
You can use good proxies or VPNs. In general, you will figure it out.
2) The person must look real. Entering a full name like 'ksdjfsjd skdfkk skdgs' is not an option.
3) The address must also be real. There is no need to write Lenin Street in the town of Zalupins, Afghanistan. OK? Also, if your IP is Russian, the address must be Russian too.
4) It is desirable that the address matches the zip code (postal index); that is, the code should really belong to that address.
5) Phone. It should look the way phone numbers look in that country. Foreign companies (this applies not only to hosters) very rarely send an SMS code to confirm registration or anything else, unlike Russian companies.

In general, everything should look as believable as possible, as if a real, ordinary, non-anonymous client were ordering. But even these measures may not help in some cases, since anti-fraud systems differ and are configured differently.

VPS rental for Bitcoin
Many hosters offer VPS rental. We do not need much capacity, so the weakest servers will do: OpenVZ virtualization (KVM or Xen are better), a weak CPU and a small amount of RAM (256-512 MB). Such servers cost on average $2-5 per month, and if you search you can find one for $12-18 per year.

By the way, if you find a VPS that does not accept Bitcoin, or you simply have none but do have Qiwi or Yandex.Money, you can try paying for the server with a Virtual Credit Card (VCC). These cards can be issued on the Qiwi and Yandex.Money websites respectively. In that case, naturally, the Qiwi and Yandex.Money accounts should not be tied to you. But it is better to pay with Bitcoin.

To set up OpenVPN, our VPS must support TUN/TAP.
Almost all VPS providers offer this. Sometimes it is enabled as soon as the VPS is created, sometimes (with OpenVZ) you have to enable it in the control panel on the site, and occasionally you have to ask technical support to enable TUN/TAP for you (this is rare).

To find a VPS, enter the right query in Google. It is better to search in English so that foreign hosters appear in the results (if that is what you need). Queries may look like this: "buy vps", "buy cheap vps", "cheapest vps", "cheap openvz vps", "cheap vps <country>" and the like.

There are also various sites where you can find reasonably cheap VPS.

Cheap VPS
  • LowEndBox - a site where you can see cheap VPS providers.
  • LowEndTalk - this site exists as a companion to the previous one. It has many users and active discussion of various VPS providers. A very useful site: on it you can find many small and not-so-small businesses that sell VPS, plus a lot of useful information, reviews of hosters, and more. I read it myself sometimes.
  • LowEndStock - cheap VPS hosters presented in a table.
  • VPS-List.Cryto - a site similar to the previous one.
  • CompareVPS - another similar site with a table; in my opinion worse than LowEndStock.
  • PoiskVPS.ru - a Russian site for selecting a VPS. You can filter by various parameters, such as the country where the server is located or the payment method (Bitcoin, Qiwi, or whatever is convenient for you). A useful site, mostly Russian hosters. VPS prices start from 70 rubles per month.
  • Crypto.net - on this site, at the link, the author has collected and periodically updates a list of VPS providers that accept Bitcoin. This used to be more relevant; now a very large number of providers accept Bitcoin.
  • FreeVPS.us - this site may be interesting too: it is dedicated to free VPS offers and free trial periods, and you can find some cheap VPS providers there as well.
  • WebHostingTalk.com - in addition, a large forum discussing VPS / VDS providers and hosting.
There is a lot of information on cheap VPS on these sites. Go in, read, find.

Renting a VPS anonymously for Bitcoin
So we have found a VPS with TUN/TAP support; now we need to rent it. I will show a VPS rental from one of the providers listed above.

My connection at the moment is: a VPN on the host, plus a Whonix virtual machine (Tor). Since I wrote above about the problems of renting a VPS through Tor, I need a clean (non-Tor) IP at the exit, so I add one more VPN after Tor.
I go to vpngate.net, find France in the list, and download the OpenVPN TCP config (TCP, because this VPN comes after Tor, and Tor carries only TCP). I start the VPN on my Linux (openvpn --config <config.ovpn>).
Since I chose a French VPN with a French IP, my "virtual client" will also be from France. His name will not be Vasya Ivanov, and he will not live in Krasnoyarsk.
I go to whoer.net to make sure the IP is indeed French. It showed a French IP and also the city: Audincourt.
You can also use a free VPN or good proxies / SSH. In my case it happened to be France.
On the provider's website I choose the service I need, in my case a VPS for $3/month. I press "Buy" or "Order" and get to the server configuration page.

Here we enter some information about the server: hostname, NS prefixes, root password, operating system.
Hostname: enter anything, for example site.test
NS prefixes: anything you like, for example ns1.site.test, ns2.site.test
Root password: enter a strong one.
OS: choose Debian or Ubuntu (preferably Debian).
Prefer 64-bit and the most recent version available. I chose Debian 8 x64. If you know how to work with another distribution, such as CentOS, choose whatever you like. I will show everything using Debian as the example.

The configuration page may differ from provider to provider, so do not be surprised if, for example, you are not asked for a root password: that means they will generate one and send it by mail.

After that I press Continue, then Checkout, and get to the page where I need to enter data about myself:
Name, surname (make them up, just not John Doe)
Email (register a new one or use an existing one; preferably Gmail, yahoo.com, Hotmail, Outlook or similar; YOU MUST HAVE ACCESS TO IT)
Telephone
Address
Zip code
Country (you know the country from the IP)
Region (a drop-down list of the regions the country is divided into)
City (the city may be shown on whoer.net or similar services, or may not)
Account password

How do I come up with this data? It is one thing when you have a Russian IP and another when it is a different country, such as France. With Russia or Ukraine it is somehow easier; everything is clear there.

To find an address (the region in which the city is located, street address, phone number, zip code), I use Google Maps.

I open Google Maps and type into the search the name of the city that was shown to me, Audincourt. The map zooms to the city and highlights its borders. I zoom in a little and look for some place (a cafe, school, pizzeria, restaurant or anything else). I click on it and its information is displayed, namely:

Full address and zip code, telephone (not always).

To determine the region / state / province the city belongs to, I just google the name of the city; the information is on the first page or two of results.

I copy all the information and modify it a bit: for example, I change the house number in the address and perhaps the last couple of digits of the phone. I make up a name and surname and register an email or, preferably, use an existing one. You must have access to that mailbox, since the necessary information will be sent there. See screenshot.

I choose Bitcoin payment, agree to their terms and press Checkout or a similar button. At this stage the anti-fraud system kicks in: based on the factors above (IP, browser, entered information) it calculates a so-called Risk Score or Fraud Score and decides whether you can go further.

In my case everything went smoothly (it usually does) and I was taken to a page with Bitcoin payment information.

It shows the amount of bitcoin to pay and the address to pay to. This particular payment gateway (Coinfy) also accepts cryptocurrencies other than Bitcoin. You have 15 minutes for everything (no confirmations are required; you just need to send the coins). Open your Bitcoin wallet, copy the payment address and the amount, and send. Almost instantly the payment page changes to say that everything is fine and the coins are on their way, and then takes you back to the site, to the so-called Order Confirmation page.

Another Order Confirmation will be sent to your email. In addition, a "confirmation" email may arrive with a link; clicking it confirms your email address. So check your mailbox.

Server creation then begins. It usually does not take long: maybe 15 minutes, maybe an hour, at most two. If the server has not been created in that time, write to technical support by opening a ticket.

When the VPS is created, you will receive an email with everything needed to connect over SSH: the VPS IP address and the root password.

Or this information will be in your account on the site.
Or partly there, partly by email.

Also, not every provider gives access to a VPS control panel. In my case it does; the letter contains the login details.

Logging in to the server via SSH
Once the connection details have arrived by mail or you have found them in your account, you have everything needed to connect to the server, namely:
IP address.
Login: root.

Root password: either the one you specified when creating the server, or a generated one.

To connect over SSH on Windows you need a third-party program; download PuTTY or KiTTY, whichever you prefer. They are quite simple to use.

On Linux and macOS it is easier.

In the terminal, enter:
Code:
ssh user@ip
where ip is the IP address of the VPS,

user is the username; on the first connection, in our case, root.

On the very first connection you will see the message:

Are you sure you want to continue connecting (yes/no)?

Before typing yes, compare the host key fingerprint printed just above that question with the one the provider shows in the control panel or welcome email, if they publish it: this is the only moment SSH asks you to verify the server's identity, and typing yes blindly means a man-in-the-middle could have handed you a fake key that your client will then trust from now on. Type yes, and you will be prompted for the root password, which you have. If all is well, you are connected to the VPS and have its command line.

You can copy and paste in the terminal like this:

On Linux, Ctrl + Shift + V pastes into the terminal (Ctrl + Shift + C copies from it).

On Windows with PuTTY / KiTTY, a right mouse click pastes into the console.

It happens that the distribution on the created server does not match the one you chose when ordering. So if you logged in over SSH and entered
Code:
apt-get update

and got an error saying there is no such command as apt-get, while, for example,
Code:
yum update

starts doing something, then CentOS was installed instead of Debian / Ubuntu. No need to worry.

You simply need to reinstall the OS. This can be done from the VPS control panel (the login details came in the same letter), if the provider offers one, or from your account on the provider's website. Look for something like "Reinstall OS" or "Rebuild" there and reinstall on Debian / Ubuntu if necessary.

I will show the VPS control panel as an example, since I had exactly this case of the wrong distribution being installed.

I go to the site and enter my username and password (all of this is in the mail).

I find Reinstall, click it, select the OS, enter a new root password (or the old one), and reinstall. Everything is automatic.

After that the server shuts down and the OS reinstallation begins. It takes 5-10 minutes. The new connection details are sent by mail: the IP is the same, the login is root, and only the password changes if you entered a new one. The server's SSH host key changes too, so on the next connection your client will warn that the remote host identification has changed; that is expected here, and ssh-keygen -R <ip> removes the old key from known_hosts.

Checking TUN / TAP on the VPS
First, since we are going to set up OpenVPN, which, as I wrote above, requires TUN/TAP, check whether it is enabled. Enter in the terminal:
Code:
cat /dev/net/tun

If it prints:
Code:
root@ppVPS:~# cat /dev/net/tun
cat: /dev/net/tun: File descriptor in bad state

then it is enabled and you can continue (the device opens, and reading from it fails only because no interface is attached yet, which is exactly what we want to see). If the output is:
Code:
root@ppVPS:~# cat /dev/net/tun
cat: /dev/net/tun: No such file or directory

then it is off and we need to turn it on. This is done in the VPS control panel or in your account on the provider's website, or by asking technical support.

I go to the VPS control panel, enter my username and password, and look for the right button; in my case it is VPS Configuration.

(screenshot: kak-podnyat-sobstvennyj-vpn-na-servere2.jpg)

Then I tick the Enable TUN / TAP checkbox.

The server will then reboot. Connect to it again and enter:
Code:
cat /dev/net/tun

It should output:
Code:
cat: /dev/net/tun: File descriptor in bad state

If so, everything is fine. If not, something went wrong: check that the change was saved and that the server actually rebooted, then ask support.

Initial VPS setup
Next, before setting up OpenVPN itself, it is worth doing some initial configuration on the server: update the packages, install the necessary ones, disable unnecessary services, create a user and configure sshd_config (change the port, disable root login).

Since I am showing with an example of a Debian distribution, the commands you enter will be for that distribution and for Debian based distributions (Ubuntu).

Updating packages:
Code:
apt-get update && apt-get dist-upgrade -y

Install the necessary packages:
Code:
apt-get install -y nano sudo htop curl perl python wget git openvpn openssl easy-rsa iptables ca-certificates ufw

Where:
nano is a console editor. Usually present from the start, but not always.
htop is a console task manager.
openvpn is the OpenVPN package itself.
easy-rsa is a set of scripts for easy key and certificate generation. Needed for OpenVPN.
git is needed if you set up OpenVPN with a script (later in the article).

You can also install the following packages, but it is not necessary:
Code:
apt-get install build-essential make automake autoconf pkg-config

Next, create a user:
Code:
useradd -m -s /bin/bash pp-ruloh

Where:
useradd is the command that creates a user.
-m creates the user's home directory (at /home/<username>/, named after the user by default).
-s specifies the shell to use.
pp-ruloh is the username.

After creating the user you MUST set a password for him, because we will use this user to connect over ssh, so enter:
Code:
passwd pp-ruloh

You will be asked to enter the password twice; nothing is shown as you type. How to paste into the terminal I wrote above.

Next, you need to disable unnecessary services. Enter the command:
Code:
netstat -tulpn

to see which services are listening. Ideally only sshd should be running at this point. (On newer Debian releases net-tools, which provides netstat, is not installed by default; ss -tulpn shows the same information.) Since I have a minimal Debian installed, the command
Code:
netstat -tulpn

gives me only
Code:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      204/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      204/sshd

But usually some web server, mail server or something else may be running. I do not know what is running on yours, so enter the following commands in turn (a "not found" error simply means that service is not installed):
Code:
/etc/init.d/apache2 stop
update-rc.d apache2 disable
/etc/init.d/postfix stop
update-rc.d postfix disable
/etc/init.d/nginx stop
update-rc.d nginx disable
/etc/init.d/exim4 stop
update-rc.d exim4 disable
/etc/init.d/rpcbind stop
update-rc.d rpcbind disable
/etc/init.d/nfs-common stop
update-rc.d nfs-common disable
/etc/init.d/rsyslog stop
update-rc.d rsyslog disable

This should disable what is usually started when the server was created. On Debian 8, which runs systemd, systemctl stop <service> followed by systemctl disable <service> does the same. Two caveats: only stop what netstat actually shows, and remember that stopping rsyslog means failed SSH logins and other security events are no longer recorded anywhere, so you will not notice brute-force attempts against the server; that is the price of having no local logs.
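The two checks above, the TUN/TAP probe and the listing of listening services, as one preflight script. This is an added example, not part of the original post: the netstat and ss output in it is constructed for the example, the service names are the ones from the commands above plus postfix (whose listener shows up as master) and nfs-common (rpc.statd), and everything else is plain POSIX sh.

```sh
#!/bin/sh
# Added example (not from the original post): preflight for a fresh VPS
# before OpenVPN goes on it. Covers two checks: is /dev/net/tun usable,
# and what is listening on the network besides sshd.

# classify_tun_output MESSAGE: turn the stderr text of `cat /dev/net/tun`
# into enabled / missing / denied / unknown.
classify_tun_output() {
    case "$1" in
        *"File descriptor in bad state"*) echo enabled ;;  # opens; read fails as expected
        *"No such file or directory"*)    echo missing ;;  # provider has not enabled TUN/TAP
        *"Operation not permitted"*|*"Permission denied"*) echo denied ;;
        *) echo unknown ;;
    esac
}

# check_tun: run the probe on this host. cat never succeeds on the device;
# only its error message matters, so stderr is captured and stdout dropped.
check_tun() {
    classify_tun_output "$(cat /dev/net/tun 2>&1 >/dev/null)"
}

# listening_programs OUTPUT: program names from `netstat -tulpn` (PID/name
# column) or `ss -tulpn` (users:(("name",...)) column), one per line, sorted.
listening_programs() {
    printf '%s\n' "$1" \
        | grep -oE '[0-9]+/[A-Za-z0-9_.-]+|users:\(\("[^"]+"' \
        | sed -E 's#^[0-9]+/##; s#^users:\(\("##; s#"$##' \
        | sort -u
}

# unexpected_listeners OUTPUT [ALLOWED]: listeners not in the space-separated
# ALLOWED list (default: sshd). On a fresh VPN host this should print nothing.
unexpected_listeners() {
    allowed=" ${2:-sshd} "
    listening_programs "$1" | while IFS= read -r prog; do
        case "$allowed" in
            *" $prog "*) ;;
            *) echo "$prog" ;;
        esac
    done
}

# service_for_program NAME: the init script to stop for a listening program.
# Only the services named in the post are mapped; postfix listens as "master"
# and nfs-common as "rpc.statd", the rest use their own name.
service_for_program() {
    case "$1" in
        master)    echo postfix ;;
        rpc.statd) echo nfs-common ;;
        *)         echo "$1" ;;
    esac
}

# disable_commands OUTPUT: stop/disable commands for what is actually running,
# in the same init.d / update-rc.d form used above.
disable_commands() {
    unexpected_listeners "$1" | while IFS= read -r prog; do
        svc=$(service_for_program "$prog")
        printf '/etc/init.d/%s stop\nupdate-rc.d %s disable\n' "$svc" "$svc"
    done
}

# preflight: what to run on the real server.
preflight() {
    echo "TUN/TAP: $(check_tun)"
    echo "Listeners other than sshd:"
    unexpected_listeners "$(netstat -tulpn 2>/dev/null || ss -tulpn)"
}

# Constructed samples (not real output) in the netstat -tulpn and ss -tulpn formats.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      204/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      411/master
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      350/rpcbind
tcp6       0      0 :::22                   :::*                    LISTEN      204/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           350/rpcbind'

SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=204,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80        0.0.0.0:*         users:(("nginx",pid=600,fd=6),("nginx",pid=599,fd=6))'
```

On the server, call preflight after logging in as root; disable_commands "$(netstat -tulpn)" prints exactly the stop/disable pairs for what is really listening, instead of the fixed list above.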

Next, configure sshd. For security we change the port from the standard one to a non-standard one and disable root login.

Edit /etc/ssh/sshd_config with nano:
Code:
nano /etc/ssh/sshd_config

I will briefly tell you the main hotkeys when working with the nano console editor.

nano <path to file> - open the file in nano.

Ctrl + O - save. Write changes to file. Press Ctrl + O, then Enter.
Ctrl + X - exit nano.
Ctrl + K - cut a whole line. Will be copied to the clipboard.
Ctrl + U - paste the cut line that is in the clipboard.
Ctrl + W - search in the file: enter what you are looking for and press Enter.

If we want to copy part of the text, in the editor itself, select the desired text with the mouse and press the combination Ctrl + Shift + C. Copy it.
In order to paste the text that is now in the clipboard, press the Ctrl + Shift + V combination.

Remember to type sudo nano if you are editing a file to which you do not have write permissions.

Find the Port line (it is near the top) and change its value to something other than 22, in the range 1024 to 65535 and not already used by another service. Changing the port does not make SSH more secure by itself, but it removes the constant noise of automated scanners hitting port 22.
Code:
Port 1488

Next, look for the PermitRootLogin line and change its value from yes to no:
Code:
PermitRootLogin no

Find the PermitEmptyPasswords line and make sure it says no:
Code:
PermitEmptyPasswords no

You can also, optionally, deny SSH to every user except the one we created above. Somewhere in the file, for example at the bottom, add:
Code:
AllowUsers pp-ruloh
After AllowUsers comes the username (several can be listed, separated by spaces).

Check carefully, remember the port, save, close. It is important to get this right: if you make a mistake in this file, for example set a port and then forget it, or forbid root login without having another user, you will simply not be able to connect to the server any more.

Usually this is fixed from your account on the provider's site, which offers a console that does not go through sshd; log in as root there and correct the file. As a last resort, reinstall. Two habits avoid the problem altogether: keep the current SSH session open until you have confirmed from a second terminal that the new port and user work, and if you later enable ufw, allow the new SSH port first (ufw allow 1488/tcp), or the firewall will cut you off. If you go one step further and put your public key in /home/pp-ruloh/.ssh/authorized_keys, you can also set PasswordAuthentication no and stop password guessing against the server entirely.

After all changes to /etc/ssh/sshd_config, first check the file with sshd -t (no output means it is valid; a typo is reported with its line number), then restart:
Code:
systemctl restart sshd
or
Code:
service sshd restart
The changes will apply.
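An added example, not from the original post: a small shell check for the sshd_config settings above, to run before the restart. It assumes that sshd takes the first uncommented occurrence of each keyword (later duplicates are ignored) and that no Match blocks are used; the file name and user name are the ones from this section, and the configs it is tested against are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# hardening this section asks for, before restarting sshd. A wrong Port or
# PermitRootLogin no without a working second user locks you out.

# sshd_setting FILE KEYWORD: effective value, i.e. the first uncommented
# occurrence (sshd keeps the first value it sees; keywords are case-insensitive).
sshd_setting() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# sshd_allowed_users FILE: every name on the first AllowUsers line.
sshd_allowed_users() {
    awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i; exit }' "$1"
}

# audit_sshd_config FILE: print one line per problem; return 1 if any.
audit_sshd_config() {
    f="$1"; rc=0

    port=$(sshd_setting "$f" Port)
    case "$port" in
        ""|22)    echo "Port: still the default 22"; rc=1 ;;
        *[!0-9]*) echo "Port: '$port' is not a number"; rc=1 ;;
        *) if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
               echo "Port: $port outside 1024-65535"; rc=1
           fi ;;
    esac

    [ "$(sshd_setting "$f" PermitRootLogin)" = no ] \
        || { echo "PermitRootLogin: must be 'no'"; rc=1; }

    # Absent is acceptable here: sshd's default for this keyword is already no.
    pep=$(sshd_setting "$f" PermitEmptyPasswords)
    [ -z "$pep" ] || [ "$pep" = no ] \
        || { echo "PermitEmptyPasswords: must be 'no'"; rc=1; }

    # AllowUsers is optional, but if present it must name someone other than
    # root, or together with PermitRootLogin no nobody can log in at all.
    users=$(sshd_allowed_users "$f")
    if [ -n "$users" ]; then
        nonroot=0
        for u in $users; do
            if [ "$u" != root ]; then nonroot=1; fi
        done
        [ "$nonroot" -eq 1 ] || { echo "AllowUsers: lists only root, which cannot log in"; rc=1; }
    fi
    return "$rc"
}

# apply_sshd_config: the sequence to use on the server. Audit, then let sshd
# itself validate the syntax (sshd -t prints nothing when the file is valid),
# and only then restart. Keep the current SSH session open while you test the
# new port from a second terminal.
apply_sshd_config() {
    audit_sshd_config /etc/ssh/sshd_config || return 1
    /usr/sbin/sshd -t || return 1
    systemctl restart sshd
}
```

To try it on a copy first: cp /etc/ssh/sshd_config /tmp/sshd_config.test, edit that copy, then audit_sshd_config /tmp/sshd_config.test prints nothing and returns 0 when all of the settings from this section are in place.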

Your next SSH connection will look like this:
Code:
ssh -p 1488 user@ip
Where:
-p 1488 is the SSH port you specified in /etc/ssh/sshd_config
user is the non-root user. You will no longer be able to connect as root.

If you are on Windows, change the port in PuTTY / KiTTY as well. From now on you connect to the server as this user. He has almost no rights: he is not a superuser, and we installed sudo but did not add him to the sudo group. So, to administer the server, you need to become root. As the regular user, enter:
Code:
su -

and enter the root password. That's it, you can do anything. To leave the root shell, enter exit.

Setting up OpenVPN manually
So, now we actually set up the OpenVPN server.

Let's start by installing some packages. You may already have some of them if you did the initial setup from the section above.

Update the system and install the helper packages:
Code:
apt-get update && apt-get dist-upgrade -y
apt-get install -y sudo nano htop curl perl python wget git openssl ca-certificates iptables

And the three main packages:
Code:
apt-get install -y openvpn easy-rsa ufw

After installing the packages, unpack the sample configuration file into /etc/openvpn/:
Code:
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

The /etc/openvpn/server.conf file is the main OpenVPN server configuration file.

Now let's edit it a bit:
Code:
nano / etc / openvpn / server . conf

The file is long, with many comments (everything after a # on a line is a comment; lines starting with ; are also comments).

Partial analysis of the config will be below in the article.

Editing. At the very top there is the port:
Code:
port 1194

I will change it to something completely non-standard:
Code:
port 16122
(Valid range is 1 to 65535; I picked it at random.) Do not take a port that another service is already listening on; in my case sshd is on 1488. Remember the number: the client config must use the same port.

Move on. Choosing the protocol, a couple of lines below:
Code:
proto udp

It is not commented out, because by default OpenVPN runs over UDP. If you need TCP, there is a line ;proto tcp above it: uncomment it (remove the ; at the start of the line) and comment out proto udp by adding #. Exactly one of the two must be active, never both. I will use UDP, so I leave it as it is. (UDP is faster; TCP is the choice when UDP is blocked or when the client itself goes through Tor, which carries only TCP.)

Go further down the config and find the line:
Code:
dh dh1024.pem

Change it to dh3048.pem:
Code:
dh dh3048.pem

(The file name is only a label; what matters is that it matches the file we generate later. In this guide the file is called dh3048.pem even though it is generated with 2048-bit parameters.)

Go below and find the commented-out line:
Code:
;push "redirect-gateway def1 bypass-dhcp"

Uncomment it (this tells clients to send all their traffic through the VPN):
Code:
push "redirect-gateway def1 bypass-dhcp"

Just below we find two uncommented lines next to each other:
Code:
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

This is the DNS that clients will be told to use. By default the OpenDNS servers are set, but we can set Google's public servers instead:
Code:
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
You can leave OpenDNS as well.

Go ahead and you will stumble upon the line:
Code:
;tls-auth ta.key 0 # This file is secret

Just uncomment it:
Code:
tls-auth ta.key 0 # This file is secret

Scroll down and find the line:
Code:
;cipher AES-128-CBC   # AES

This is the data-channel cipher. Uncomment the line and change it to AES-256-CBC:
Code:
cipher AES-256-CBC

Just below in the file we find two commented lines:
Code:
;user nobody
;group nogroup

Uncomment them (after startup the daemon drops root and keeps running as nobody/nogroup):
Code:
user nobody
group nogroup

Further below, find the line that begins with the word status and comment it out by putting # in front of it (the original wrote it as #status /dev/null 2>&1; since the line is a comment, whatever follows the # does not matter):
Code:
#status openvpn-status.log

The status file would list which clients are currently connected.

A little lower, find the line that begins with the word log and give it the following form:
Code:
log /dev/null

Not commented out. These are the logs. You cannot turn OpenVPN logging off as such: if you comment the line out, the daemon writes to syslog (/var/log/syslog) instead, so point it at /dev/null explicitly. Note that 2>&1 is shell redirection syntax and means nothing inside an OpenVPN config file; the log directive takes a single file argument. Bear in mind that with the log discarded you have nothing to look at when a client fails to connect: while debugging, point log at a real file and raise verb, then put it back.

The line
Code:
;log-append
leave alone.

A little lower, change verb 3 to:
Code:
verb 0
Save, close. We will come back to this file later.

Now enable packet forwarding:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward

Then:
Code:
cat /proc/sys/net/ipv4/ip_forward

If it returns 1, everything is OK.

To keep this setting across reboots, edit /etc/sysctl.conf:
Code:
nano /etc/sysctl.conf

Look for the line:
Code:
#net.ipv4.ip_forward=1

Uncomment it:
Code:
net.ipv4.ip_forward=1

If there is no such line in the file at all, add it manually.

Configuring Firewall
We installed the ufw package earlier. Now we need to add some rules. First, allow SSH traffic, otherwise enabling ufw will lock you out. I enter:
Code:
ufw allow 1488

since my sshd listens on port 1488 (you can restrict it to TCP with ufw allow 1488/tcp). If you have not changed it and your sshd listens on port 22, enter:
Code:
ufw allow ssh

Next, allow traffic to the port OpenVPN will listen on, in my case 16122, because I changed it in the config file above:
Code:
ufw allow 16122/udp

OpenVPN listens on UDP, so I added /udp at the end. If you configured OpenVPN for TCP, use /tcp instead (a rule with no protocol suffix opens the port for both).

If you have not changed anything in the config, OpenVPN listens on UDP port 1194, so:
Code:
ufw allow 1194/udp

Now change the forward policy; edit the /etc/default/ufw file:
Code:
nano /etc/default/ufw

Look for the line:
Code:
DEFAULT_FORWARD_POLICY="DROP"

And change its value to:
Code:
DEFAULT_FORWARD_POLICY="ACCEPT"

Now we need to find the network interface; enter:
Code:
ip addr

The command lists your interfaces. There will be lo and some other interface, such as eth0 or venet0. In my case the interface is venet0 (OpenVZ). My output:
Code:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/void
    inet 127.0.0.2/32 scope host venet0
    inet MY_IP/32 brd MY_IP scope global venet0:0
You need the interface that carries your external IP. From the output above it is clear that venet0 has the external IP (inet MY_IP).

Next, edit the /etc/ufw/before.rules file:
Code:
nano /etc/ufw/before.rules

Near the top, before the *filter line, insert a nat table block:
Code:
# START OPENVPN RULES
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o <YOUR INTERFACE> -j MASQUERADE
COMMIT
# END OPENVPN RULES
where instead of <YOUR INTERFACE> you write your interface, in my case venet0, so it comes out like this:
Code:
# START OPENVPN RULES
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

The -s source must cover the VPN pool, which is 10.8.0.0/24 as set by the server directive in server.conf (the original used 10.8.0.0/8, which works but masquerades the entire 10.0.0.0/8 range). Each table in this file ends with its own COMMIT line; do not leave it out, or ufw will fail to load the rules.

After all this, turn on ufw:
Code:
ufw enable

Look at the rules:
Code:
ufw status

The output shows the rules you created above; for me:
Code:
root@ppVPS:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
1488                       ALLOW       Anywhere
16122/udp                  ALLOW       Anywhere
1488 (v6)                  ALLOW       Anywhere (v6)
16122/udp (v6)             ALLOW       Anywhere (v6)
where 1488 is SSH and 16122 is OpenVPN over UDP.

You can disable ufw like this:
Code:
ufw disable

We generate keys for the server. We installed the easy-rsa package earlier. Copy the folder with the easy-rsa scripts into the openvpn folder:
Code:
cp -r /usr/share/easy-rsa/ /etc/openvpn

Inside the easy-rsa folder, create a keys folder:
Code:
mkdir /etc/openvpn/easy-rsa/keys

Now generate 2048-bit Diffie-Hellman parameters and put them in /etc/openvpn (the file is named dh3048.pem only so that it matches the dh line in server.conf; this takes a few minutes):
Code:
openssl dhparam -out /etc/openvpn/dh3048.pem 2048

Also generate a ta.key file in /etc/openvpn for tls-auth:
Code:
openvpn --genkey --secret /etc/openvpn/ta.key

(On OpenVPN 2.5 and later the syntax is openvpn --genkey secret /etc/openvpn/ta.key; the old form still works but prints a deprecation warning.)

Note that everything below uses the easy-rsa 2.x scripts (vars, clean-all, build-ca, build-key-server, build-key). Current Debian and Ubuntu ship easy-rsa 3, where the equivalents are ./easyrsa init-pki, ./easyrsa build-ca, ./easyrsa build-server-full server nopass and ./easyrsa build-client-full client1 nopass, and the output lands under pki/ instead of keys/.

Further...

Go to the easy-rsa folder:
Code:
cd /etc/openvpn/easy-rsa

There is a vars file with some variables; edit it:
Code:
nano vars

Scroll down until you come across the block:
Code:
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="[email protected]"
export KEY_OU="MyOrganizationalUnit"

# X509 Subject Field
export KEY_NAME="EasyRSA"

In the first six lines you can change the values or leave them as they are. I leave them. The only requirement is that none of them is empty.

The line we are interested in is
Code:
export KEY_NAME="EasyRSA"

Change the value to server, so it reads:
Code:
export KEY_NAME="server"

You can use another name, but to keep things simple do it like me; otherwise you will have to change the cert and key file names in server.conf.

If you gave a name other than server, remember it.

Save and close the file.

Next, load the variables into the current shell:
Code:
source vars

Then:
Code:
./clean-all && ./build-ca

(clean-all wipes the keys folder, so run it only this once, before the CA exists.) It prompts for the values we set (or did not) in the vars file; just press Enter everywhere. When it reaches the Name item, Enter accepts what you put in KEY_NAME, for me server.

The next step:
Code:
./build-key-server <NAME IN KEY_NAME>
where <NAME IN KEY_NAME> is the name you gave in the vars file. If you did not change it, the default is EasyRSA. I used server, so:
Code:
./build-key-server server

Again press Enter everywhere, including where it prompts for 'A challenge password'.

Then answer y twice where it asks:

Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y

At the end you will see:
Write out database with 1 new entries.
Data Base Updated.

Now copy the generated keys and certificates to the /etc/openvpn folder.

Everything is in /etc/openvpn/easy-rsa/keys. We need 3 files (besides dh3048.pem and ta.key, which we generated earlier): ca.crt, server.crt, server.key, where server.crt and server.key carry the name you specified in KEY_NAME (I specified server, remember).

Copy them:
Code:
cp /etc/openvpn/easy-rsa/keys/{ca.crt,server.crt,server.key} /etc/openvpn/

Go back to the openvpn folder:
Code:
cd /etc/openvpn

Enter ls and check what is there. At this point there should be: ca.crt, dh3048.pem (generated earlier), server.conf (main config), server.crt, server.key and ta.key. There may also be an update-resolv-conf file.
Code:
root@ppVPS:/etc/openvpn# ls
ca.crt  dh3048.pem  easy-rsa  server.conf  server.crt  server.key  update-resolv-conf

Now start openvpn:
Code:
systemctl start openvpn
or
Code:
/etc/init.d/openvpn start

Check that it started:
Code:
systemctl status openvpn
or
Code:
/etc/init.d/openvpn status

It should be green; you will see:
Code:
Active: active (exited) since

(openvpn.service is only a wrapper that launches one instance per config file in /etc/openvpn, which is why it shows "exited". The daemon for server.conf is the openvpn@server unit; systemctl status openvpn@server shows its real state and the last log lines, which is where to look when something fails.)

Check that the port is listening:
Code:
netstat -tulpn | grep vpn

It should show one process listening on the port you specified. My output:
Code:
udp   0   0 0.0.0.0:16122   0.0.0.0:*   484/openvpn

(On systems without netstat, ss -ulpn | grep openvpn gives the same information.)

Everything checks out. Now stop it:
Code:
systemctl stop openvpn
or
Code:
/etc/init.d/openvpn stop

Now the client: we make a config and generate keys.

First, copy the example client config file.

Copy it into /etc/openvpn/easy-rsa/keys and rename it (give it the .ovpn extension):
Code:
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn

Edit the client file:
Code:
nano /etc/openvpn/easy-rsa/keys/client.ovpn

Scroll down until you come across the line
Code:
remote my-server-1 1194
where my-server-1 is the IP address of your server (the one that came by mail, or look it up with ip addr | grep inet) and 1194 is the port OpenVPN listens on on your server, in my case 16122.

Change this line; mine becomes:
Code:
remote 111.222.111.222 16122

Further down, find the line:
Code:
ns-cert-type server

Delete it and replace it with:
Code:
remote-cert-tls server

(ns-cert-type relies on the obsolete Netscape certificate extension and is deprecated; remote-cert-tls checks the server certificate's key usage and extended key usage instead. Either way the point is that a client cannot be tricked into connecting to another client's certificate posing as the server.)

Just below there is the line:
Code:
;cipher x

Set the cipher to the one you specified in server.conf. I specified AES-256-CBC:
Code:
cipher AES-256-CBC

If you did not specify anything in server.conf, leave this line alone.

That's it. Save and close.

Now you need to generate keys and certificates for the client.

Go to the easy-rsa folder (if you have opened a new shell since, run source vars again first):
Code:
cd /etc/openvpn/easy-rsa

Generate:
Code:
./build-key client1
where client1 is the client name. It can be anything; I used client1.

As with the server, press Enter everywhere and answer y where asked.

The client config consists of:
the .ovpn file. In my case, client.ovpn.
the ca.crt file, which is common to the server and all clients.
the ta.key file, also common to the server and clients. This is for tls-auth, which is optional.
the client1.crt and client1.key files, which are individual to each client.

All these files are needed by the .ovpn config; without them it will not work. But we do not want to carry them around separately, so we will embed all of them inside the .ovpn config and end up with one single file.

For convenience, create a client1 folder:
Code:
mkdir /etc/openvpn/easy-rsa/keys/client1

Copy the .ovpn config and all the certificates and keys there. As with the server, the client1.crt and client1.key names depend on the client name you gave in the command above. I named it client1, so that is what they are called for me.

Copy:
Code:
cp /etc/openvpn/easy-rsa/keys/{ca.crt,client1.crt,client1.key} /etc/openvpn/easy-rsa/keys/client1

Copy client.ovpn too (it can be called anything, the name does not matter):
Code:
cp /etc/openvpn/easy-rsa/keys/client.ovpn /etc/openvpn/easy-rsa/keys/client1

And don't forget ta.key, which is in the openvpn folder:
Code:
cp /etc/openvpn/ta.key /etc/openvpn/easy-rsa/keys/client1/

Go to the client1 folder:
Code:
cd /etc/openvpn/easy-rsa/keys/client1

At this point there are 5 files:
Code:
ca.crt  client.ovpn (config file)  client1.crt  client1.key  ta.key

Now be careful, especially with file names.
We embed the contents of the required files into the .ovpn config. OpenVPN reads inline files from tagged blocks (<ca>...</ca>, <cert>...</cert>, <key>...</key>, <tls-auth>...</tls-auth>), so each file must be wrapped in its opening and closing tag; simply appending the raw files will not work.

Run the following commands in turn, in the order I have them.

For ca.crt:
Code:
echo '<ca>' >> client.ovpn
cat ca.crt >> client.ovpn
echo '</ca>' >> client.ovpn
where client.ovpn is the name of the config file.

Now for client1.crt:
Code:
echo '<cert>' >> client.ovpn
cat client1.crt >> client.ovpn
echo '</cert>' >> client.ovpn
where client1.crt is the certificate file generated above.

Now for client1.key:
Code:
echo '<key>' >> client.ovpn
cat client1.key >> client.ovpn
echo '</key>' >> client.ovpn

Now for ta.key, needed for tls-auth (key-direction 1 is the client side of the key; the server uses 0, as in its tls-auth line):
Code:
echo 'key-direction 1' >> client.ovpn
echo '<tls-auth>' >> client.ovpn
cat ta.key >> client.ovpn
echo '</tls-auth>' >> client.ovpn

Now all keys and certificates are inside one .ovpn file and it works on its own. Since the file now contains the client's private key, treat it like a password: chmod 600 it and move it only over an encrypted channel.

Now edit client.ovpn a little more:
Code:
nano client.ovpn

Scroll until you come across the block:
Code:
ca ca.crt
cert client.crt
key client.key

We do not need these, so comment them out:
Code:
#ca ca.crt
#cert client.crt
#key client.key

Actually, the client config is ready. It will work if you run it on your device's OpenVPN client.
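The embedding step above as one script instead of a dozen echo/cat lines. This is an added example and not part of the original guide: it takes a base client config plus ca.crt, client1.crt, client1.key and ta.key, drops the file-based ca/cert/key/tls-auth directives (commented or not), appends the four tagged inline blocks with only the PEM part of each file (so easy-rsa's text dump before the certificate and the comment header of ta.key are left out) and adds key-direction 1. The make_demo_inputs function writes constructed placeholder files, not real certificates or keys, so the script runs anywhere; its file names and the address 111.222.111.222 are assumptions taken from the guide.

```shell
#!/bin/sh
# Added example (not from the original guide): build a self-contained .ovpn
# with the CA cert, client cert, client key and tls-auth key embedded inline.
set -eu

# Print only the PEM body of a file (drops easy-rsa's text dump and ta.key's # comments).
pem_body() { sed -n '/^-----BEGIN/,/^-----END/p' "$1"; }

# build_inline_ovpn BASE.ovpn ca.crt client.crt client.key ta.key OUT.ovpn
build_inline_ovpn() {
    base="$1"; ca="$2"; cert="$3"; key="$4"; ta="$5"; out="$6"
    # Keep everything except the file-based ca/cert/key/tls-auth directives,
    # commented or not; the inline blocks below replace them.
    grep -Ev '^[[:space:]]*[#;]?[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$base" > "$out"
    {
        echo 'key-direction 1'            # client side of the tls-auth key (server uses 0)
        echo '<ca>';       pem_body "$ca";   echo '</ca>'
        echo '<cert>';     pem_body "$cert"; echo '</cert>'
        echo '<key>';      pem_body "$key";  echo '</key>'
        echo '<tls-auth>'; pem_body "$ta";   echo '</tls-auth>'
    } >> "$out"
    chmod 600 "$out"                      # the file now holds a private key
}

# Number of inline sections that have both an opening and a closing tag (expect 4).
count_inline_sections() {
    n=0
    for tag in ca cert key tls-auth; do
        if grep -q "^<$tag>\$" "$1" && grep -q "^</$tag>\$" "$1"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed placeholder inputs (NOT real certificates or keys) so the script runs offline.
make_demo_inputs() {
    d="$1"
    printf '%s\n' client 'dev tun' 'proto udp' 'remote 111.222.111.222 16122' \
        'ca ca.crt' 'cert client1.crt' 'key client1.key' ';tls-auth ta.key 1' \
        'remote-cert-tls server' 'cipher AES-256-CBC' 'auth SHA512' > "$d/client.ovpn"
    printf '%s\n' 'Certificate:' '    Data: (easy-rsa text dump)' \
        '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA' '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '%s\n' 'Certificate:' '    Data: (easy-rsa text dump)' \
        '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CLIENT' '-----END CERTIFICATE-----' > "$d/client1.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY' \
        '-----END PRIVATE KEY-----' > "$d/client1.key"
    printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' \
        '-----BEGIN OpenVPN Static key V1-----' 'PLACEHOLDER-TA' \
        '-----END OpenVPN Static key V1-----' > "$d/ta.key"
}

demo_dir=$(mktemp -d)
make_demo_inputs "$demo_dir"
build_inline_ovpn "$demo_dir/client.ovpn" "$demo_dir/ca.crt" "$demo_dir/client1.crt" \
                  "$demo_dir/client1.key" "$demo_dir/ta.key" "$demo_dir/client1-inline.ovpn"
echo "inline sections in $demo_dir/client1-inline.ovpn: $(count_inline_sections "$demo_dir/client1-inline.ovpn")"
```

On the real server, point the function at the files in /etc/openvpn/easy-rsa/keys/client1 and it produces the same result as the manual steps, with the file-based directives already removed so the nano step is unnecessary.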

Now we can run OpenVPN:
Code:
systemctl start openvpn
or
Code:
/etc/init.d/openvpn start

After any change to server.conf, restart OpenVPN for the changes to apply:
Code:
systemctl restart openvpn
or
Code:
/etc/init.d/openvpn restart

But I still want to make some modifications on server.conf and client.ovpn

To begin with, I would like to bring both configs into a more readable and simpler form, namely, remove all comments and blank lines.

This is easy to do. But first, just in case, make a backup. server.conf:
Code:
cp /etc/openvpn/server.conf /etc/openvpn/server.conf.bak

and client.ovpn:
Code:
cp /etc/openvpn/easy-rsa/keys/client1/client.ovpn /etc/openvpn/easy-rsa/keys/client1/client.ovpn.bak

Now, with one command, delete all comment lines (starting with # or ;) and empty lines. server.conf:
Code:
sed -i '/^[#;]\|^$/d' /etc/openvpn/server.conf
client.ovpn:
Code:
sed -i '/^[#;]\|^$/d' /etc/openvpn/easy-rsa/keys/client1/client.ovpn

(In client.ovpn this also strips the # comment header inside the embedded ta.key block, which is harmless; the key itself is untouched.)

And both of our configs will take on a more readable form.

Open server.conf
Code:
nano /etc/openvpn/server.conf

And somewhere in the middle add the following:
Code:
sndbuf 0
rcvbuf 0
topology subnet
auth SHA512

And on the client:
Code:
nano /etc/openvpn/easy-rsa/keys/client1/client.ovpn

Somewhere in the config, before the embedded certificates and keys:
Code:
sndbuf 0
rcvbuf 0
keepalive 10 120
auth SHA512

So my server.conf looks like this:
Code:
port 16122
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key   # This file should be kept secret
dh dh3048.pem
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
auth SHA512
comp-lzo
persist-key
persist-tun
log /dev/null
verb 0

And client.ovpn like this (without keys and certificates):
Code:
client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote 111.222.111.222 16122
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
keepalive 10 120
comp-lzo
verb 3

You can use these configs, with three remarks. The original listing had the client's remote line pointing at port 14500, which does not match the port 16122 configured on the server; the remote port must be the server's port. If you uncommented user nobody and group nogroup earlier they should still be in server.conf; keep them, since they make the daemon drop root after startup. And comp-lzo is worth dropping from both sides unless an old client needs it: compression inside the tunnel exposes it to compression-oracle attacks (VORACLE, 2018) and OpenVPN has deprecated it.

Let's take a look at the config.
Code:
proto udp

Which protocol to use, TCP or UDP?

UDP is usually faster.
TCP is more reliable and stable and gets through firewalls better; for example, you can use port 443.
UDP can also be put on a port that is usually not blocked, 53.

If you are not being blocked, I think UDP is better. I use UDP myself. The server and client must have the same protocol specified.
Code:
port 16122

Which port? Better a non-standard one, like mine, or disguised as a common service: 443 (https) for tcp and 53 (dns) for udp. Whatever you pick, the client's remote line must point at the same port.
Code:
cipher AES-256-CBC

Which cipher should I use?

Use AES-256-CBC or AES-128-CBC. If not explicitly specified, OpenVPN 2.3 and older default to Blowfish (cipher BF-CBC), a 64-bit block cipher that should no longer be used; 2.4 and later negotiate AES-256-GCM between server and client instead.

This parameter must be present on both the server and the client. If it is set on the server but not on the client, or the two differ, the connection will not work (you will see decrypt / packet authentication errors in the log).
Code:
auth SHA512

If not set, auth SHA1 is used. Use auth SHA512 or auth SHA256. This parameter too must be present on both the server and the client; if one side has it and the other does not, or they differ, packets fail the HMAC check and the connection will not work.
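A quick cross-check of the "must match on both sides" rules above. This is an added example, not part of the original guide: it reads a server.conf and a client .ovpn and reports the proto, port, cipher, auth and tls-auth direction settings that disagree, applying OpenVPN's default of SHA1 when auth is absent. The demo at the bottom writes constructed copies of this guide's two configs to a temp directory; the client copy deliberately uses port 14500 and omits auth SHA512, two mistakes that are easy to make (the guide's own client listing once had exactly that port), and the check catches both.

```shell
#!/bin/sh
# Added example (not from the original guide): find settings that must agree
# between server.conf and a client .ovpn but do not.
set -eu

# conf_get FILE DIRECTIVE FIELD: the FIELD-th word of the first active DIRECTIVE line
# (1 is the directive itself); commented lines (# or ;) are skipped; empty if absent.
conf_get() {
    grep -E "^[[:space:]]*$2([[:space:]]|\$)" "$1" 2>/dev/null | head -n 1 |
        awk -v n="$3" '{ print $n }'
}

# check_pair SERVER.conf CLIENT.ovpn: prints each disagreement to stderr,
# prints the number of disagreements to stdout.
check_pair() {
    s="$1"; c="$2"; n=0
    # proto / port: the client's "remote HOST PORT" must point at the server's port
    sproto=$(conf_get "$s" proto 2);   cproto=$(conf_get "$c" proto 2)
    sport=$(conf_get "$s" port 2);     cport=$(conf_get "$c" remote 3)
    scipher=$(conf_get "$s" cipher 2); ccipher=$(conf_get "$c" cipher 2)
    # auth defaults to SHA1 when not set, so "absent" on one side is a real mismatch
    sauth=$(conf_get "$s" auth 2);     cauth=$(conf_get "$c" auth 2)
    sauth=${sauth:-SHA1};              cauth=${cauth:-SHA1}
    for item in "proto|$sproto|$cproto" "port|$sport|$cport" \
                "cipher|$scipher|$ccipher" "auth|$sauth|$cauth"; do
        name=${item%%|*}; rest=${item#*|}; sv=${rest%%|*}; cv=${rest#*|}
        if [ "$sv" != "$cv" ]; then
            echo "$name: server='$sv' client='$cv'" >&2
            n=$((n + 1))
        fi
    done
    # tls-auth: "tls-auth ta.key 0" on the server needs key-direction 1 on the client
    sdir=$(conf_get "$s" tls-auth 3)
    cdir=$(conf_get "$c" key-direction 2)
    [ -n "$cdir" ] || cdir=$(conf_get "$c" tls-auth 3)
    if [ "$sdir" = "0" ] && [ "$cdir" != "1" ]; then
        echo "tls-auth: server direction 0 but client has no key-direction 1" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Constructed copies of this guide's configs (comments and keys omitted).
write_demo_configs() {
    printf '%s\n' 'port 16122' 'proto udp' 'dev tun' 'tls-auth ta.key 0' \
        'server 10.8.0.0 255.255.255.0' 'cipher AES-256-CBC' 'auth SHA512' \
        'comp-lzo' 'verb 0' > "$1/server.conf"
    printf '%s\n' client 'dev tun' 'proto udp' 'remote 111.222.111.222 14500' \
        'remote-cert-tls server' 'cipher AES-256-CBC' 'key-direction 1' \
        'comp-lzo' 'verb 3' > "$1/client.ovpn"
}

demo_dir=$(mktemp -d)
write_demo_configs "$demo_dir"
echo "disagreements before fixing: $(check_pair "$demo_dir/server.conf" "$demo_dir/client.ovpn")"
# Fix the client: point at the server's port and add the matching auth line.
{ grep -v '^remote ' "$demo_dir/client.ovpn"
  echo 'remote 111.222.111.222 16122'
  echo 'auth SHA512'; } > "$demo_dir/client.fixed.ovpn"
echo "disagreements after fixing: $(check_pair "$demo_dir/server.conf" "$demo_dir/client.fixed.ovpn")"
```

Run it against /etc/openvpn/server.conf and the .ovpn you are about to hand out before copying the file off the server; a non-zero count means the client will fail with HMAC or decrypt errors that the nulled log will never show you.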
Code:
#status openvpn-status.log

By default this writes a file listing which clients are currently online. To write nothing, comment the line out. (The original had #status /dev/null 2>&1 here; as the line is a comment, its content is irrelevant.)
Code:
log /dev/null

This is the OpenVPN log proper, which for anonymity is better turned off. You cannot turn it off as such: if you comment it out, the logs go to /var/log/syslog. So I uncommented the line and pointed it at /dev/null. (The original wrote log /dev/null 2>&1; the 2>&1 is shell syntax, not an OpenVPN option, and the directive takes exactly one argument.)
Code:
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

What DNS to use?

Use Google's public DNS (8.8.8.8 and 8.8.4.4) or OpenDNS (208.67.222.222 and 208.67.220.220). Whichever you pick, that resolver sees every name your clients look up, so choose it with the same care as the VPN host itself.

DNS leak under Windows and Linux
If you will use this config on Windows, add the following line to the config:
Code:
setenv opt block-outside-dns

Yes, it's that simple. (block-outside-dns is implemented by the Windows client only; the setenv opt prefix marks it as optional, so other platforms ignore it instead of refusing to start.) Under macOS with Tunnelblick everything is fine.

Under Linux there is an update-resolv-conf script in /etc/openvpn on the client machine, shipped with the openvpn package. It can be named either update-resolv-conf or update-resolv-conf.sh, so on the Linux client check in the terminal:
Code:
ls /etc/openvpn | grep update

and note the file name.

Then add the following lines to the .ovpn config:
Code:
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
where update-resolv-conf is the file name you found above. (The script relies on the resolvconf package. script-security 2 allows OpenVPN to run external scripts, which execute as root, so use it only with scripts you trust.)

Transfer the .ovpn config from the server to the client.

You can just open the client config, copy everything and paste it on your machine.

If you created a user and denied SSH login as root, first place the .ovpn config in the home folder of the created user. Mine is pp-ruloh:
Code:
cp /etc/openvpn/easy-rsa/keys/client1/client.ovpn /home/pp-ruloh

Change the file's owner:
Code:
chown pp-ruloh:pp-ruloh /home/pp-ruloh/client.ovpn

Linux: use sftp.
Code:
sftp -P 1488 pp-ruloh@ip
where 1488 is the port sshd listens on and ip is your server's address.

You land in pp-ruloh's home folder; ls lists the files.

Copy the config:
Code:
get client.ovpn ~/

Windows, Linux, macOS: download FileZilla and connect to the server via SFTP. You will need to specify the SFTP port (mine is 1488) and the user (pp-ruloh, since root login is disabled). Copy the file wherever you want. You will figure out the program yourself. Do not move this file over plain FTP or e-mail: it contains the client's private key.

Setting up OpenVPN with a script
Can't get OpenVPN up manually? Don't despair, I have good news for you!

There is an open source script on GitHub that quickly and easily sets up an OpenVPN server on your VPS. The script is called openvpn-install (github.com/Nyr/openvpn-install), and it has plenty of forks you can look into.

You can view the source code there; read it before running it, because you are about to run it as root. Let's get started. We work as root or superuser.

First, update the system:
Code:
apt-get update && apt-get dist-upgrade -y

If you already tried to set up OpenVPN manually and failed, first remove it completely. Remove openvpn:
Code:
apt-get remove --purge openvpn

delete the folder:
Code:
rm -rf /etc/openvpn/

turn off ufw:
Code:
ufw disable

and install the required packages:
Code:
apt-get install -y sudo nano curl perl python wget git iptables openvpn openssl ca-certificates

Download the script to root's home folder:
Code:
git clone https://github.com/Nyr/openvpn-install.git ~/nyr-openvpn

Go there:
Code:
cd ~/nyr-openvpn/

Run the script:
Code:
bash openvpn-install.sh

You are taken to the installer, where you answer questions or type values, pressing Enter to move to the next step.

First it asks for the external IP address, but most likely the script detects it by itself:
Code:
IP address: 111.222.111.222

The next step is choosing a protocol. I press 1 and choose UDP. Next, the port; I'll put, for example, 14000. Then it offers a choice of DNS server: Google, OpenDNS, the current ones on the VPS and some others. I select OpenDNS, option 3. After that it asks for the client's name; I enter "pp-ruloh". Then the download and installation of packages and the generation of keys, certificates and config files begin. When it finishes, it puts the client config in the home folder of the user the script was run as, so the config is now at:
Code:
/root/

This is where the script's OpenVPN setup is complete. You can take the new config and use it already. Let's see what it generated; look at the pp-ruloh.ovpn config:
Code:
nano ~/pp-ruloh.ovpn

(without keys and certificates)
Code:
client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote 111.222.111.222 14000
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
setenv opt block-outside-dns
key-direction 1
verb 3

Everything seems fine, but it is better to specify auth SHA512 explicitly. So let's add
Code:
auth SHA512

Like this:
Code:
client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote 111.222.111.222 14000
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
comp-lzo
setenv opt block-outside-dns
key-direction 1
verb 3

Note that the script has already added the option that prevents DNS leaks on Windows clients:
Code:
setenv opt block-outside-dns

If you are on Linux or macOS, the setenv opt prefix makes the option optional, so it is ignored there; you can leave it or comment it out.

Now the server config, server.conf:
Code:
nano /etc/openvpn/server.conf
Code:
port 14000
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem

Here we also add auth SHA512 (otherwise it will not work, since it is now set on the client and not on the server) and set verb 0. You also need to comment out the line:
Code:
status openvpn-status.log

And add log:
Code:
log /dev/null

I wrote above why this is needed. The result:
Code:
port 14000
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
cipher AES-256-CBC
auth SHA512
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
#status openvpn-status.log
log /dev/null
verb 0
crl-verify crl.pem

Restart OpenVPN so the changes take effect, then take the client config file and place it on your device, as described above.

When you run the script again as root:
Code:
bash /root/nyr-openvpn/openvpn-install.sh

it offers to add a new client, revoke an existing one (it will no longer be able to connect; the crl-verify crl.pem line is what makes the server honour the revocation list) or remove OpenVPN.

OpenVPN clients for different operating systems
Since OpenVPN is not built into any popular OS, you need to install third-party software, an OpenVPN client.

Windows
There is an official client for Windows, OpenVPN GUI.
Download it from the official OpenVPN website and install it; a shortcut appears on the desktop and, after launch, a tray icon.

Next, place your .ovpn file in the config folder inside the OpenVPN install folder. With a default install in Program Files, that is:
Code:
C:\Program Files\OpenVPN\config

Put .ovpn configs in this folder, then connect from the tray icon. Simple enough.

Linux
On Linux, the package in your distribution's repositories is most likely called "openvpn" (maybe openvpn-client) and is installed like this:
Code:
sudo apt-get install openvpn

on Debian-like distributions (Debian, Ubuntu, Mint). On another family of distribution you will figure out the install yourself.

It works as follows. You have an .ovpn file; enter in the terminal:
Code:
sudo openvpn --config <path to .ovpn file>
where <path to .ovpn file> is the path to your .ovpn file.

Or you can feed the file to NetworkManager.

macOS
On macOS the only OpenVPN client I know is Tunnelblick. Installation is simple and requires administrator rights. It opens .ovpn files by default. There is an icon in the menu bar; connect from there. You can configure it to connect to the VPN at system boot. When the VPN connection drops, the Internet is lost; in that case disconnect from the VPN manually.

Android
The official OpenVPN Connect client for Android is available on Google Play.

iOS
For iOS, download the client from the App Store.

Clients provided by a VPN provider: some providers ship their own OpenVPN client for different operating systems and platforms. Whether to use them is up to you, but they are potentially not very secure; with a closed client you cannot see what it does with your keys and traffic.

Blocking all non-OpenVPN traffic on the client
Iptables rules, for Linux users only. What if the VPN suddenly drops, or you forgot to start it at all? Usually, when you discover that your traffic has not been going through the VPN and you are not using Whonix, it takes about 3 seconds to realise how bad that is. How do you explicitly restrict all traffic to the tunnel?

Here are the rules:
Code:
# drop all incoming and outgoing traffic by default
iptables -P INPUT DROP
iptables -P OUTPUT DROP

# allow already established connections and localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow connections to the VPN server (replace VPN_IP with the IP of your VPN server)
iptables -A OUTPUT -d VPN_IP -j ACCEPT

# allow anything going out through the tunnel
iptables -A OUTPUT -o tun+ -j ACCEPT

Note that the last rule uses -o (outgoing interface): the OUTPUT chain has no incoming interface, and iptables rejects -i there ("Can't use -i with OUTPUT"). The original post showed a second variant of this rule with -i tun+, which does not load. Three things the rules do not cover: the -d VPN_IP rule lets any protocol reach the server, so tighten it to the VPN port (-p udp --dport 16122 in my case); these are IPv4 rules only, so on a machine with IPv6 connectivity you need the same in ip6tables, otherwise IPv6 traffic bypasses the kill switch; and the remote line in the .ovpn must be an IP address rather than a hostname, because DNS is blocked until the tunnel is up.

We have the rules, what next? Open a terminal on your Linux machine

and create a file called vpn-rules.sh:
Code:
touch ~/vpn-rules.sh

Put all the rules there:
Code:
nano ~/vpn-rules.sh

At the very top of the file, write:
Code:
#!/bin/sh

Then the rules from the code above. Copy and paste, and change
Code:
# allow connections to the VPN server (replace VPN_IP with the IP of your VPN server)
iptables -A OUTPUT -d VPN_IP -j ACCEPT

where VPN_IP is the IP of your server (the one in the remote line of the .ovpn config).

Save and close.

Run the script as root or via sudo:
Code:
sudo sh ~/vpn-rules.sh

The rules are now applied. You can check: the Internet will not work without the VPN. Since the script only appends (-A), running it twice duplicates the rules; flush first (iptables -F) or reboot. You can run this script every time, or save the rules:
Code:
sudo iptables-save > /etc/iptables/iptables.rules

(Note that the redirection is performed by your unprivileged shell, so run this from a root shell if it fails with permission denied.) And make the iptables service start on boot:
Code:
systemctl enable iptables

(This path and unit are what Arch Linux's iptables package uses. On Debian and Ubuntu install iptables-persistent instead, which loads /etc/iptables/rules.v4 through the netfilter-persistent service.)

That's all.
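The same kill switch written as an iptables-restore ruleset instead of a sequence of iptables -A calls. This is an added example, not part of the original post: killswitch_rules prints a complete *filter table for a given server IP, port and protocol, so loading it replaces the table atomically and running it twice does not duplicate rules; the server rule is limited to the VPN port, the state match uses the conntrack module, and the tunnel rule uses -o tun+ as the OUTPUT chain requires. lint_rules rejects a ruleset that uses -i in OUTPUT or lacks COMMIT, the two mistakes from the post's listing. The server address 111.222.111.222, port 16122 and udp are this guide's values and are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): generate a client-side kill switch
# as an iptables-restore ruleset. Usage: killswitch_rules VPN_IP VPN_PORT udp|tcp
set -eu

killswitch_rules() {
    vpn_ip="$1"; vpn_port="$2"; vpn_proto="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# localhost
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to flows we opened (the VPN server's UDP replies arrive here)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the only thing allowed to leave on the physical interface: the VPN handshake itself
-A OUTPUT -d $vpn_ip -p $vpn_proto --dport $vpn_port -j ACCEPT
# everything else must go through the tunnel (-o: OUTPUT has no incoming interface)
-A OUTPUT -o tun+ -j ACCEPT
COMMIT
EOF
}

# Sanity check a ruleset before loading it: no OUTPUT rule may use -i, and the
# table must be terminated by COMMIT. Returns 0 when the ruleset is acceptable.
lint_rules() {
    if echo "$1" | grep -q -- '^-A OUTPUT .*-i '; then
        echo "lint: -i is not valid in the OUTPUT chain" >&2; return 1
    fi
    echo "$1" | grep -q '^COMMIT$' || { echo "lint: missing COMMIT" >&2; return 1; }
    return 0
}

rules=$(killswitch_rules 111.222.111.222 16122 udp)
lint_rules "$rules"
echo "$rules"
# To apply (as root): killswitch_rules 111.222.111.222 16122 udp | iptables-restore
```

Apply it with killswitch_rules IP PORT PROTO | sudo iptables-restore; reloading it later simply replaces the filter table. Load an equivalent ruleset with ip6tables-restore (or drop all IPv6) as well, or IPv6 traffic walks around the switch, and keep the remote line of the .ovpn as an IP address, since nothing here allows DNS on the physical interface.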

Fighting OpenVPN Detection
A VPN can be detected by the end resource (for example, a website) in some rather cunning ways. For a start, read the article on habr.

Go to browserleaks.com

and look at the "TCP/IP OS Fingerprinting" line.

What to do?

If, like me, you have a UDP config, you can do the following. It helps me if I set
Code:
mssfix 0

in both the client .ovpn and the server's server.conf. (mssfix 0 disables OpenVPN's clamping of the TCP MSS for sessions through the tunnel; the lowered MSS is one of the things a passive fingerprinter notices. Without the clamp, large packets may fragment, so check that sites still load.)