Scrambled OpenVPN Auto Installer Script(2017)

khavkhav Member
edited May 2017 in Tutorials

ISPs in highly authoritarian regimes such as in China, Iran and Pakistan can easily detect and block standard VPN traffic. This bash script automatically installs OpenVPN and Obfsproxy to obfuscate OpenVPN traffic, making it very difficult to detect and block. At the time of this writing this method successfully bypasses current firewalls and internet filters.

This script is a major upgrade from the [old one I coded in 2014](https://www.lowendtalk.com/discussion/23555/scrambled-openvpn-auto-installer-script).

Changelog :

  • Uses a completely new method (OpenVPN + obfsproxy) that requires no patching, making it very easy to update via yum.

  • OpenVPN config has been upgraded to meet current security standards

  • Added compatibility with cloud platforms like Google Compute Engine

As always it is fully open source and I welcome contributions via GitHub.

Github : https://github.com/khavishbhundoo/obfsproxy-openvpn

I hope you guys will like it and use it ....

Regards,
Khav

Comments

  • nice, i will try it, thanks

  • askveaskve Member

    Thanks. Client add and remove option available? @khav

  • khavkhav Member

    @askve said:
    Thanks. Client add and remove option available? @khav

    It's in my todo list... Do you mind opening an issue on GitHub so that I can keep track of it? I also welcome pull requests, so feel free to contribute.

  • bashlykbashlyk Member

    Can you make a script for ubuntu/debian please? The old one did not have this option.

  • hellb0yhellb0y Member
    edited May 2017

    Installed on Google Compute Engine (Centos 7) but unfortunately is not working for me. Got few errors during install:

    **unable to write 'random state'
    Generating a 2048 bit RSA private key **

    sudo rm ~/.rnd -> fixed above error

    **getent passwd $SUDO_USER | cut -d: -f6 **

    will generate below error:

    ./vpn.sh: line 185: $HOME/details.txt: ambiguous redirect
    cat: /root: Is a directory
    cat: /bin: Is a directory
    cat: /sbin: Is a directory
    cat: /var/adm: Is a directory
    cat: /var/spool/lpd: Is a directory
    cat: /sbin: Is a directory
    cat: /sbin: Is a directory
    cat: /sbin: Is a directory
    cat: /var/spool/mail: Is a directory
    cat: /root: Is a directory
    cat: /usr/games: Is a directory
    cat: /var/ftp: Is a directory
    cat: /: Is a directory
    cat: /: Is a directory
    cat: /: Is a directory
    cat: /var/run/avahi-daemon: Is a directory
    cat: /var/lib/avahi-autoipd: Is a directory
    cat: /etc/ntp: Is a directory
    cat: /var/spool/postfix: Is a directory
    cat: /var/empty/sshd: Is a directory
    cat: /: Is a directory
    cat: /: Is a directory
    cat: /home/alien: Is a directory
    cat: /var/clamav: Is a directory
    cat: /var/spool/squid: Is a directory
    cat: /etc/openvpn: Is a directory
    cat: /var/lib/znc: Is a directory
    cat: /home/silent/details.txt: No such file or directory

    getent passwd $USER | cut -d: -f6 -> fixed above error

    I had to change the TCP port in server.conf to 21194 from 443 as it is not binding on 21194, but I would get the error Transport Paused; it worked only if I would set up the TCP port to 21194.
    Once connected there is no traffic allowed even if firewall settings are done as per instructions.
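
The `cat: ...: Is a directory` lines in the post above are consistent with `$SUDO_USER` being empty: unquoted, the argument disappears and `getent passwd` lists every account, so the lookup yields many home directories instead of one. An added example (not code from vpn.sh or from any poster) showing that failure beside a quoted lookup that insists on exactly one result; `fake_getent`, the function names and the sample passwd data are constructed stand-ins so it runs without touching the real account database.

```shell
# Constructed sample in passwd(5) format (not taken from the thread).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alien:x:1000:1000::/home/alien:/bin/bash'

# Stand-in for `getent passwd [name]`: no argument lists every entry,
# one argument lists only the entry whose login name matches.
fake_getent() {
    if [ "$#" -eq 0 ]; then
        printf '%s\n' "$SAMPLE_PASSWD"
    else
        printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '$1 == u'
    fi
}

# Unquoted lookup, as in the command quoted in the post. With an empty
# name the argument vanishes and every home directory comes back.
lookup_unquoted() {
    user=$1
    # shellcheck disable=SC2086
    fake_getent $user | cut -d: -f6
}

# Hardened lookup: refuse an empty name, quote the argument, and accept
# the result only if it is exactly one absolute path.
lookup_home() {
    user=$1
    [ -n "$user" ] || { echo "no user name given" >&2; return 1; }
    home=$(fake_getent "$user" | cut -d: -f6)
    n=$(printf '%s\n' "$home" | awk '/^\// { c++ } END { print c + 0 }')
    [ "$n" -eq 1 ] || { echo "no single home directory for '$user'" >&2; return 1; }
    printf '%s\n' "$home"
}

# Typical call on a real system, after swapping fake_getent for getent:
#   target_home=$(lookup_home "${SUDO_USER:-$(id -un)}") || exit 1
#   cat "$target_home/details.txt"
```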

  • khavkhav Member
    edited May 2017

    @hellb0y

    You need to open the port 21194 check here

    Can you reinstall the os again , add the firewall rule and then use the following command to launch script

    curl -so vpn.sh -L https://raw.githubusercontent.com/khavishbhundoo/obfsproxy-openvpn/master/vpn.sh && sudo su && sudo bash vpn.sh

    Notice that it has sudo su

    You will also need install and run obfsproxy on your desktop , check the github page for tutorial

    Thank you for testing the script

  • hellb0yhellb0y Member

    Port 21194 is opened as per tutorial but server.conf is binding on 443.

  • khavkhav Member

    @hellb0y that's because we are using obfsproxy
    echo "obfsproxy --log-file=obfsproxy.log --log-min-severity=info obfs3 --dest=127.0.0.1:443 server 0.0.0.0:21194" >> /etc/rc.d/rc.local

    You need to reboot the server after setup is complete... I will release an update soon so that a reboot isn't necessary.
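
The obfsproxy line quoted above makes the path client -> 0.0.0.0:21194 (obfs3) -> 127.0.0.1:443 (OpenVPN), so server.conf has to stay on the `--dest` port and must not claim the obfsproxy listen port. An added consistency check, not part of the script; the server.conf fragments and the function names are assumptions made for the example.

```shell
# The obfsproxy command is the one quoted in the thread; the server.conf
# fragments are constructed, minimal examples.
OBFS_CMD='obfsproxy --log-file=obfsproxy.log --log-min-severity=info obfs3 --dest=127.0.0.1:443 server 0.0.0.0:21194'
CONF_OK='port 443
proto tcp'
CONF_BAD='port 21194
proto tcp'

# Port obfsproxy forwards de-obfuscated traffic to (--dest=HOST:PORT).
obfs_dest_port() {
    printf '%s\n' "$1" | sed -n 's/.*--dest=[^ :]*:\([0-9][0-9]*\).*/\1/p'
}

# Public port obfsproxy listens on (the address after "server").
obfs_listen_port() {
    printf '%s\n' "$1" | sed -n 's/.* server [^ :]*:\([0-9][0-9]*\).*/\1/p'
}

# Value of the OpenVPN "port" directive in server.conf text.
ovpn_port() {
    printf '%s\n' "$1" | awk '$1 == "port" { print $2; exit }'
}

# check_chain OBFS_CMD SERVER_CONF: prints a verdict, returns 0 only
# when OpenVPN listens where obfsproxy forwards to.
check_chain() {
    dest=$(obfs_dest_port "$1")
    listen=$(obfs_listen_port "$1")
    vpn=$(ovpn_port "$2")
    if [ -z "$dest" ] || [ -z "$listen" ] || [ -z "$vpn" ]; then
        echo "unparsed: could not read all three ports"; return 2
    fi
    if [ "$vpn" = "$listen" ]; then
        echo "conflict: OpenVPN and obfsproxy both want port $listen"; return 1
    fi
    if [ "$vpn" != "$dest" ]; then
        echo "mismatch: obfsproxy forwards to $dest, OpenVPN listens on $vpn"; return 1
    fi
    echo "ok: public :$listen (obfs3) -> local :$dest (OpenVPN)"
}
```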

  • khavkhav Member
    edited May 2017

    I updated the script, now a reboot is no longer necessary.

    Here is a video tutorial :

    Thanked by 1williclarkam
  • netomxnetomx Moderator, Veteran

    @khav said:
    @hellb0y

    You need to open the port 21194 check here

    Can you reinstall the os again , add the firewall rule and then use the following command to launch script

    curl -so vpn.sh -L https://raw.githubusercontent.com/khavishbhundoo/obfsproxy-openvpn/master/vpn.sh && sudo su && sudo bash vpn.sh

    Notice that it has sudo su

    You will also need install and run obfsproxy on your desktop , check the github page for tutorial

    Thank you for testing the script

    Why sudo su and sudo bash?

  • DNnameDNname Member
    edited May 2017

    @bashlyk said:
    Can you make a script for ubuntu/debian please? The old one did not have this option.

    vote +1 for ubuntu/debian

  • khavkhav Member

    @netomx

    I was trying to diagnose the issue @hellb0y was getting. The following works just fine

    curl -so vpn.sh -L https://raw.githubusercontent.com/khavishbhundoo/obfsproxy-openvpn/master/vpn.sh && sudo bash vpn.sh

    @DNname and @bashlyk

    I welcome a Debian port from you guys. I am not very well versed with Debian.

    Thanked by 1netomx
  • khavkhav Member

    I just updated the script to make OpenVPN use lz4 compression as it's much faster than lzo.

  • spyworkspywork Member

    Wait for Ubuntu version :)

  • I ran the script and hit the same error hellb0y got with the cat $HOME/ isn't a directory. I checked /root and the .ovpn file was there. I downloaded it and tried to run it in OpenVPN client and got the following error:

    OpenVPNClient start scrambled_client_p4086: process started and then immediately exited: []

    Any help?

  • khavkhav Member
    edited May 2017

    @TheRealMakan

    You need to use the following command to get the script

    curl -so vpn.sh -L https://raw.githubusercontent.com/khavishbhundoo/obfsproxy-openvpn/master/vpn.sh && sudo bash vpn.sh

    Are you running the script on a cloud platform like GCE or AWS ?

    What do you get when you run the following on your server?

    sudo getent passwd $SUDO_USER | cut -d: -f6

    Check the video to ensure you enter correct data for the certificates.

  • @khav Yep realized I had a bad install of Obs. Is there any way to connect to it using Android? Guessing there are no clients at the moment to do that.

  • khavkhav Member

    @TheRealMakan

    Did the script wrongly install Obfsproxy, or did you already have one installed before running the script?

    I coded the script with the assumption that people will use it on a server where openvpn or obfsproxy proxy wasn't installed.

    Let me know what the issue was so that I can upgrade the script.

    For Android I have seen Orbot

    https://proxy.sh/panel/knowledgebase/1167/Combine-OpenVPN-with-obfsproxy-for-stealth-mode-Android.html

    https://github.com/n8fr8/orbot

  • khavkhav Member

    The script has been updated to v0.1

    • Added a menu display
    • Implemented add client feature
    • Implemented remove client feature
    • Implemented user/password authentication(PAM)
    • Added automated certificates generation
    • Added multiple dns servers ( GoogleDNS and OpenDNS)
    • Prevent DNS leaks by blocking outside dns
    • Added cronjob to update OpenVPN and Obfsproxy automatically
    • Minor bug fixes

    There are two TCP ports you need to keep open: 21194 and 443

    Thanked by 1williclarkam
  • There's no need for obfsproxy anymore, just use the --tls-crypt OpenVPN option.

  • khavkhav Member

    @ValdikSS That's interesting!

    --tls-crypt seems to be a replacement for --tls-auth. Does the --tls-crypt technique currently bypass GFW?

    Thanks for the heads up:)

  • @khav yes, most probably. --tls-crypt encrypts control channel where handshake and other technical data is transmitted, so GFW shouldn't be able to detect it.

  • khavkhav Member

    @ValdikSS I found some additional info with some digging

    the new tls-crypt feature adds some extra hiding of OpenVPN traffic from
    someone snooping the network. It does NOT, however, result in OpenVPN
    traffic looking the same as regular TLS/HTTPS traffic. If you scan an
    OpenVPN network connection using tcpdump/wireshark then you can see that
    it's different from a regular HTTPS connection start. Advanced firewalls
    can detect this difference and can/will block OpenVPN traffic based on
    it

    Source : http://www.mail-archive.com/[email protected]/msg03395.html

  • askveaskve Member

    How do I use it on an Android device?

  • khavkhav Member

    I just released an updated version of the script.

    11 June 2017, v0.2

    - Replace tls-auth with tls-crypt
    - Added additional sanity checks for delete client
    - Updated Easy-RSA to latest version (easy-rsa3)
    - Removed deprecated options in client & server config
    - Use ECDH instead of DH
    - Improve swap generation performance with fallocate
    - Fix cronjob 
    - Minor bug fixes 
    
    Thanked by 1williclarkam