[Tutorial] Build Your Ultimate Scrambled VPN
This guide is for those who live or travel in a country with very strict internet control. For example, China uses the Great Firewall (GFW) to actively seek out VPN connections and block VPN servers. The GFW has been upgraded over the years and, as of now, it is known to use Deep Packet Inspection to identify and block PPTP and OpenVPN connections. It usually takes the GFW 30 minutes or less to block your connection. However, we can scramble our VPN connection to bypass the GFW. In this guide, I will show you how to set up a scrambled OpenVPN server and a Softether VPN server. Hopefully, this guide will be useful to some of you.
VPN protocols blocked by GFW
- PPTP
- OpenVPN
- L2TP (Certain ISPs)
VPN protocols that GFW cannot detect as of now
- Scrambled OpenVPN
- Softether Protocol
- L2TP over IPsec
- SSTP
- VPN over ICMP / VPN over DNS
Test environment
- Server: CentOS 6 (OpenVZ)
- Client: Ubuntu / Windows 8.1
I have tested the above protocols on China Telecom's residential fiber network. I would appreciate it if someone on China Unicom could let me know whether this guide works for them.
Setting up your scrambled OpenVPN server
Prerequisites:
Install the RHEL EPEL Repo on CentOS 6
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
sudo rpm -Uvh epel-release-6*.rpm
Update your system
sudo yum upgrade
Install these packages so we can compile OpenVPN from source later
sudo yum install autoconf.noarch automake file gcc libtool patch quilt git make rpm-build zlib-devel pam-devel openssl-devel lzo-devel
If your VPS is OpenVZ based, you need to enable TUN/TAP.
Building OpenVPN from source
Download the OpenVPN source and the packet obfuscation patch.
wget https://github.com/OpenVPN/openvpn/archive/release/2.3.zip
wget https://github.com/clayface/openvpn_xorpatch/archive/master.zip
unzip 2.3.zip
unzip master.zip
Backup links if the above files are deleted from GitHub:
OpenVPN 2.3.2: https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/2.3.zip
Obfuscate Patch: https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/master.zip
Apply the patch to the source files.
cp openvpn_xorpatch-master/openvpn_xor.patch openvpn-release-2.3/
cd openvpn-release-2.3/
git apply --check openvpn_xor.patch
git apply openvpn_xor.patch
cd ..
sudo mv ./openvpn-release-2.3/ /etc/openvpn
Make sure you have installed the packages in the prerequisites section. We will now build the OpenVPN server from source.
cd /etc/openvpn/
sudo autoreconf -i -v -f
sudo ./configure --prefix=/usr
sudo make
sudo make install
Let's set OpenVPN to startup on boot.
sudo wget https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/openvpn -O /etc/rc.d/init.d/openvpn
sudo chmod +x /etc/rc.d/init.d/openvpn
sudo chkconfig --add openvpn
sudo chkconfig openvpn on
Make sure the startup script is correctly set.
chkconfig --list | grep openvpn
Now that our OpenVPN server is installed, we need to download the Easy-Rsa package for creating keys and certificates.
cd /etc/openvpn
wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz
tar zxvf easy-rsa-2.2.0_master.tar.gz
sudo cp -R easy-rsa-2.2.0_master/easy-rsa/ /etc/openvpn/
sudo chown -R $USER /etc/openvpn/easy-rsa/
Fill in whatever info you want to build the CA certificate.
cd /etc/openvpn/easy-rsa/2.0/
source vars
./clean-all
./build-ca
You will be asked for a password in the following step, and you will need to answer y to sign and commit the certificate.
./build-key-server server
This step might take a minute.
./build-dh
We are now building the client key; you can build as many as you want. Just change client to something else. I recommend building multiple client keys if you plan to share. Please answer y to sign at the end.
./build-key client
We will move the server side certificates and keys to their location.
sudo cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
Now copy the client files to a separate folder and generate a ta.key.
sudo mkdir $HOME/client-files
sudo cp ca.crt client.crt client.key $HOME/client-files
sudo openvpn --genkey --secret /etc/openvpn/ta.key
sudo cp /etc/openvpn/ta.key $HOME/client-files
Let's create the OpenVPN client configuration file now. You will need to fill in your server's IP, and you can choose whatever keyword you like after scramble obfuscate. Just make sure you have the same keyword in your server configuration file as well. Also, choose a UDP port that is best for your network setting. We will use 443 in this tutorial.
sudo nano $HOME/client-files/scrambled-client.ovpn
client
dev tun
scramble obfuscate guardian
proto udp
remote **YOUR SERVER IP** 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3
fast-io
script-security 2
Now that we have the configuration file handy, we will merge the certificates and keys into it to make an inline configuration file. (If you did not name your certificates like the examples above, please download the merge.sh script and change the parameters.)
sudo wget https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/merge.sh -O $HOME/client-files/merge.sh
cd $HOME/client-files/
sudo chmod +x $HOME/client-files/merge.sh
sudo $HOME/client-files/merge.sh
sudo chown $USER $HOME/client-files/scrambled-client.ovpn
The client configuration file is ready. Transfer it to your computer. You can use SFTP via Filezilla.
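If you would rather not run a downloaded merge.sh, the inline step above can be done with a short script of your own. This is an added example, not the tutorial's merge.sh; it assumes the file names used above (scrambled-client.ovpn, ca.crt, client.crt, client.key, ta.key) sit in one directory, and it keeps the tls-auth key direction as a key-direction line, which is what OpenVPN expects once the key is inline.

```shell
#!/bin/sh
# Added example, not the tutorial's merge.sh: turn the per-file client config
# into a single inline .ovpn. Assumes the file names used in the tutorial
# (scrambled-client.ovpn, ca.crt, client.crt, client.key, ta.key) in one directory.
set -eu

# make_inline_ovpn <dir> <base.ovpn> <out.ovpn>
make_inline_ovpn() {
  dir=$1; base=$2; out=$3
  for f in "$base" ca.crt client.crt client.key ta.key; do
    [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
  done
  # the tls-auth direction (1 on the client) survives as a key-direction line
  keydir=$(awk '$1=="tls-auth" {print $3; exit}' "$dir/$base")
  {
    # keep every directive except the four file references being inlined
    grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$dir/$base" || true
    [ -z "$keydir" ] || echo "key-direction $keydir"
    for pair in ca:ca.crt cert:client.crt key:client.key tls-auth:ta.key; do
      echo "<${pair%%:*}>"; cat "$dir/${pair#*:}"; echo "</${pair%%:*}>"
    done
  } > "$dir/$out"
  chmod 600 "$dir/$out"   # the inline file now carries the private key
}

# sample_client_dir <dir>: constructed stand-in files for a dry run (not real PEM data)
sample_client_dir() {
  printf 'client\ndev tun\nscramble obfuscate guardian\nproto udp\nremote 203.0.113.10 443\nca ca.crt\ncert client.crt\nkey client.key\ntls-auth ta.key 1\ncipher AES-256-CBC\nverb 3\n' > "$1/scrambled-client.ovpn"
  for f in ca.crt client.crt client.key ta.key; do echo "PLACEHOLDER $f" > "$1/$f"; done
}
```

Run it as `make_inline_ovpn "$HOME/client-files" scrambled-client.ovpn inline.ovpn`; the 0600 mode matters because the merged file is as sensitive as client.key itself.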
We will set up the configuration file on the server side now.
sudo nano /etc/openvpn/server.conf
Please make sure that you have the same keyword after scramble obfuscate as in the client configuration file. Don't forget to set the same port as well.
port 443
proto udp
dev tun
scramble obfuscate guardian
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
tls-auth /etc/openvpn/ta.key 0
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
user nobody # If server fails to start, please change this to an existing user
group openvpn # If server fails to start, please change this to an existing group
status openvpn-status.log
verb 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
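A mismatched scramble keyword or port is the usual reason a scrambled client hangs at connect with nothing useful in the log, so it is worth checking the pair before deploying. The script below is an added example (not part of the tutorial) that compares a server.conf and a client .ovpn on the settings the text says must agree, plus the tls-auth key directions (0 on the server, 1 on the client); the sample configs it writes are constructed for the dry run.

```shell
#!/bin/sh
# Added example, not from the tutorial: check that a scrambled OpenVPN
# server.conf and client .ovpn agree on scramble keyword, port, proto and
# cipher, and that the tls-auth key directions are complementary (server 0, client 1).
set -eu

# first_value <file> <directive> [field]: field of the first line starting with <directive>
first_value() { awk -v d="$2" -v f="${3:-2}" '$1==d {print $f; exit}' "$1"; }

# check_pair <server.conf> <client.ovpn>: prints each mismatch, returns the mismatch count
check_pair() {
  srv=$1; cli=$2; errs=0
  s_scr="$(first_value "$srv" scramble 2) $(first_value "$srv" scramble 3)"
  c_scr="$(first_value "$cli" scramble 2) $(first_value "$cli" scramble 3)"
  if [ "$s_scr" = " " ] || [ "$s_scr" != "$c_scr" ]; then
    echo "scramble mismatch: server '$s_scr' client '$c_scr'"; errs=$((errs+1))
  fi
  # the client's "remote <host> <port>" must use the server's listening port
  if [ "$(first_value "$srv" port)" != "$(first_value "$cli" remote 3)" ]; then
    echo "port mismatch"; errs=$((errs+1))
  fi
  for d in proto cipher; do
    if [ "$(first_value "$srv" "$d")" != "$(first_value "$cli" "$d")" ]; then
      echo "$d mismatch"; errs=$((errs+1))
    fi
  done
  # tls-auth <keyfile> <direction>: 0 on the server side, 1 on the client side
  if [ "$(first_value "$srv" tls-auth 3)" != 0 ] || [ "$(first_value "$cli" tls-auth 3)" != 1 ]; then
    echo "tls-auth key direction must be 0 on server and 1 on client"; errs=$((errs+1))
  fi
  return "$errs"
}

# sample_pair <dir> <client-keyword>: constructed server.conf and client.ovpn for a dry run
sample_pair() {
  printf 'port 443\nproto udp\ndev tun\nscramble obfuscate guardian\ntls-auth /etc/openvpn/ta.key 0\ncipher AES-256-CBC\n' > "$1/server.conf"
  printf 'client\nproto udp\nscramble obfuscate %s\nremote 203.0.113.10 443\ntls-auth ta.key 1\ncipher AES-256-CBC\n' "$2" > "$1/client.ovpn"
}
```

Against the real files: `check_pair /etc/openvpn/server.conf $HOME/client-files/scrambled-client.ovpn`; a zero exit means the pair is consistent.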
Enable IP packet forwarding so that our VPN traffic can pass through.
Change it from 0 to 1 to enable IP packet forwarding.
Reload to take effect.
Let's set the iptables. Please go with your corresponding virtualization.
OpenVZ:
KVM/XEN:
Save the iptables rules.
Start the OpenVPN service.
Setting up your scrambled OpenVPN client on Ubuntu
Prerequisites:
Install the following packages in order to be able to compile OpenVPN later.
Building the OpenVPN client from source
Download OpenVPN and the patch (Same as setting up OpenVPN on the server side).
Apply the patch to the source files.
Make sure you have installed the packages in the prerequisites section. We will now build the OpenVPN client from source.
Client side OpenVPN usage
In the folder where your client configuration file is located.
If you see Initialization Sequence Completed, that means you have connected to your VPN successfully.
Setting up your Softether VPN Server
Softether's native protocol is pretty solid. As of now, it can bypass the GFW undetected. Softether also offers L2TP over IPsec and MS-SSTP for your mobile devices, since the scrambled OpenVPN won't work on your iOS or Android devices. For those behind crazy firewalls, you can try VPN over ICMP or DNS.
Download the Softether VPN Server and unzip it.
Compile the source and install.
Answer 1 (Yes) about three times and it will start to compile. If it succeeds, you should see 6 pass.
Move the folder to /usr/local and change the file permissions.
Let's download the startup script and set it.
We will enable the script to run at boot.
Make sure the startup script is correctly set. Level 2/3/4/5 should be on.
Check and see if the Softether Server is ready to run
If no error is returned, then you are good to go. We will start the Softether server now.
Now we can set the server administrator password. Hit enter when it asks for IP and Virtual Hub Name.
To speed up the process, we will use the GUI management tool to continue the setup.
Since the GUI management tool is only available on Windows, we need to install it on Linux via Wine. If you are already on Windows, just install it directly.
Select the Admin Tools Only option when installing.
Once you have the GUI tool open. Select New Setting to set a connection profile.
Setting Name: [Any name will do]
Host Name: [Your Server IP]
Port: [Left as default]
Password: [The password you set in step 6]
Save and click on Connect
We will set it as Remote Access VPN Server. Click next and then yes to initialize the server.
It will ask for a Virtual Hub Name. This is important as you will need to refer back to this later when setting up L2TP / IPsec.
Set a DDNS Hostname by clicking Set to Above Hostname
For personal VPN use, we will only enable L2TP over IPsec. Also, set an IPsec Pre-Shared Key. Write this down somewhere since you will need it later.
Enable VPN Azure if you have any Windows devices that you plan to use. If not, please disable it just in case.
Select Create Users. Set username and password.
Close the VPN Easy Setup Tasks and return to the main menu. Click Local Bridge Setting in the bottom left corner.
In the local bridge setting page, select the virtual hub that you just created. Now select Bridge with New Tap Device and then name your tap device. You will need to remember the name for the setup later. Now click Create Local Bridge to finish the local bridge setup.
Moving back to your server's command line, we will install dnsmasq to act as a DHCP server.
We will need to edit dnsmasq's config file to set our tap device and ip range.
Please replace [...] with your own specs
We will need to modify the Softether's startup script to match what we just setup.
Please replace [...] with your own specs
Now we will add the additional rule to our iptables
We will reboot the server now to finish the install.
(Optional) Softether by default enables its OpenVPN clone. You should turn it off just in case. To turn it off, select OpenVPN / MS-SSTP Setting at the bottom right corner. Then uncheck Enable OpenVPN Clone Server Function.
(Optional) To enable the VPN over ICMP / DNS function, select Encryption and Network, located in the middle of the menu. Then select VPN over ICMP / DNS Settings, located near the bottom right. Check one or both options and there you have it.
Softether VPN Client on Windows
Download the client.
Select add new connection.
If you see this, you are good to go. Enjoy your internet freedom!
End note: This tutorial is sourced from materials at
http://scramblevpn.wordpress.com/
http://blog.lincoln.hk/blog/2013/05/17/softether-on-vps-using-local-bridge/
Clearly a lot of work has gone into this. Thank you for taking the time to publish this, very interesting.
xor-patch and obfsproxy with openvpn at china telecom for over a year.
Thank you for the time to write this tutorial
Have SSH Tunnels been blocked yet?
As well thank you for your tutorial, it was well written and excellently formatted
nice tutorial, I have used softether's protocol for 2 years (not for bypass but to speedboost) and it has been great. I am moving there soon, using china telecom dsl (sadly no fiber for another year). To reach websites from the States, what location do you suggest to build a vpn? (hkg/japan/lax) I have seattle with ramnode which is workable but looking for something better.
Thank you for your effort.
@halczy Wow!! It takes much effort to write this guide. Thank you, I learn something new every day.
Superb, to have VPN much better just install openpanel with extension openapp network and just have vpn with few commands on debian/ubuntu
It's not blocked yet, but rumor has it that the GFW can identify the SSH traffic pattern to see if you are using it as a proxy. I rarely use it and don't see that being a problem. GAE proxy is also a good alternative; it uses Google's Beijing data center and hops to Kansas via IPv6.
Well, my experience is that west coast servers in the States are much better than servers in Hong Kong or Japan. You can get around 170ms pings and on a good day you can get up to 60mbps. I have the 100mbps fiber and when on a VPN connection, I have never surpassed 60mbps. 25mbps will be the average. Hong Kong has lower pings at around 50-100ms, but the bandwidth seems limited for some reason. I blame CT's weird routing.
Google has a Beijing data center? I didn't know that.
After failing to set up a VPN from OpenVPN and L2TP in mainland China, I used openvpn connect (web) to set up several VPNs; it works fine most of the time.
They still have that data center operating. And one of the few in China with IPv6. GFW doesn't work that well when it comes to IPv6.
Yes, now the GFW doesn't block IPv6, but one day the GFW will block IPv6 too, damn it.
Props for a very nice tutorial.
@halczy does softether come scrambled by default? Also, what is the method to connect to scrambled openvpn from Windows? You only did it for Ubuntu.
I never seem to understand >.>
Thanks for your help in advance.
Yes. Softether is scrambled by default. Or at least the GFW can't seem to be able to identify it yet.
I personally just use Softether on my Windows client. If you need the scrambled OpenVPN client for Windows, this blog has it already compiled. Just replace openvpn.exe with the original.
Thanks
Great tutorial!
--post via l2tp
such give
wow good work!!
Out of curiosity, what is the penalty if the authorities caught you avoiding the GFW?
Bookmark this nice tutorial
nice tutorial, thanks
I haven't heard of anyone that actually got into legal trouble after getting caught by the GFW. Usually they just disconnect your internet for like two minutes or so, then block the VPN's IP address. I believe it is fully automated now. If you are a repeat offender, expect "interesting" connection problems from now on.
Sometimes it depends on where you use it. It has been confirmed that SAs are receiving some kinds of "reminders" from the network police. If it's in universities, there were some users being called by the IT department.
It is confirmed that the GFW has acquired some way to detect "abnormal" traffic via SSH tunnel. For servers that have unusual traffic detected, the SSH port may be blocked.
I am quite interested in whether OpenVPN with obfuscate will survive. Earlier reports said the GFW would block the handshake process of OpenVPN; I don't know whether they are blocking OpenVPN traffic now.
thanks for the tutorial
Thanks for the awesome tutorial mate........
I intend to create a bash script for it soon and share it with the LET community
Ofc full credits will be given to you