[Tutorial] Build Your Ultimate Scrambled VPN


This guide is for those who live or travel in a country with very strict internet control. For example, China uses the Great Firewall (GFW) to actively seek out VPN connections and block VPN servers. The GFW has been upgraded over the years and, as of now, it is known to use Deep Packet Inspection to identify and block PPTP and OpenVPN connections. It usually takes the GFW 30 minutes or less to block your connection. However, we can scramble our VPN connection to bypass the GFW. In this guide, I will show you how to set up a scrambled OpenVPN server and a Softether VPN server. Hopefully, this guide will be useful to some of you.

VPN protocols blocked by GFW

  • PPTP
  • OpenVPN
  • L2TP (Certain ISPs)

VPN protocols that GFW cannot detect as of now

  • Scrambled OpenVPN
  • Softether Protocol
  • L2TP over IPsec
  • SSTP
  • VPN over ICMP / VPN over DNS

Test environment

  • Server: CentOS 6 (OpenVZ)
  • Client: Ubuntu / Windows 8.1

I have tested the above protocols on China Telecom's residential fiber network. I would appreciate it if someone on China Unicom could let me know whether this guide works for them.


Setting up your scrambled OpenVPN server

Prerequisites:

  1. Install the RHEL EPEL Repo on CentOS 6

    wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
    sudo rpm -Uvh epel-release-6*.rpm
    
  2. Update your system

    sudo yum upgrade
    
  3. Install these packages so we can compile OpenVPN from source later

    sudo yum install autoconf.noarch automake file gcc libtool patch quilt git make rpm-build zlib-devel pam-devel openssl-devel lzo-devel
    
  4. If your VPS is OpenVZ based, you need to enable TUN/TAP.

Building OpenVPN from source

  1. Download the OpenVPN source file and the packet obfuscate patch.

    wget https://github.com/OpenVPN/openvpn/archive/release/2.3.zip
    wget https://github.com/clayface/openvpn_xorpatch/archive/master.zip
    unzip 2.3.zip
    unzip master.zip
    


    Backup links if the above files are deleted from GitHub:

    OpenVPN 2.3.2: https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/2.3.zip
    Obfuscate Patch: https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/master.zip
    
  2. Apply the patch to the source files.

    cp openvpn_xorpatch-master/openvpn_xor.patch openvpn-release-2.3/
    cd openvpn-release-2.3/
    git apply --check openvpn_xor.patch
    git apply openvpn_xor.patch
    cd ..
    sudo mv ./openvpn-release-2.3/ /etc/openvpn
    
  3. Make sure you have installed the packages from the prerequisite section. We will now build the OpenVPN server from source.

    cd /etc/openvpn/
    sudo autoreconf -i -v -f
    sudo ./configure --prefix=/usr
    sudo make
    sudo make install
    

  4. Let's set OpenVPN to startup on boot.

    sudo wget https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/openvpn -O /etc/rc.d/init.d/openvpn
    sudo chmod +x /etc/rc.d/init.d/openvpn
    sudo chkconfig --add openvpn
    sudo chkconfig openvpn on
    

    Make sure the startup script is correctly set.

    chkconfig --list | grep openvpn
    

  5. Now that our OpenVPN server is installed, we need to download the Easy-Rsa package for creating keys and certificates.

    cd /etc/openvpn
    wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz
    tar zxvf easy-rsa-2.2.0_master.tar.gz
    sudo cp -R easy-rsa-2.2.0_master/easy-rsa/ /etc/openvpn/
    sudo chown -R $USER /etc/openvpn/easy-rsa/
    

    Fill in whatever info you want to build the CA certificate.

    cd /etc/openvpn/easy-rsa/2.0/
    source vars
    ./clean-all
    ./build-ca
    


    You will be asked for a password in the following step and you will need to answer y to sign and commit the certificate.

    ./build-key-server server
    

    This step might take a minute.

    ./build-dh
    

    We are now building the client key, you can build as many as you want. Just change client to something else. I recommend building multiple client keys if you plan to share. Please answer y to sign at the end.

    ./build-key client
    

    We will move the server side certificates and keys to their location.

    sudo cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
    

    Now copy the client files to a separate folder and generate a ta.key.

    sudo mkdir $HOME/client-files
    sudo cp ca.crt client.crt client.key $HOME/client-files
    sudo openvpn --genkey --secret /etc/openvpn/ta.key
    sudo cp /etc/openvpn/ta.key $HOME/client-files
    
  6. Let's create the OpenVPN client configuration file now. You will need to fill in your server's IP and you can choose whatever keyword after scramble obfuscate. Just make sure you have the same keyword in your server configuration file as well. Also, choose a UDP port that is best for your network setting. We will use 443 in this tutorial.

    sudo nano $HOME/client-files/scrambled-client.ovpn
    
    client
    dev tun
    scramble obfuscate guardian
    proto udp
    remote **YOUR SERVER IP** 443
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client.crt
    key client.key
    tls-auth ta.key 1
    ns-cert-type server
    cipher AES-256-CBC
    comp-lzo
    verb 3
    fast-io
    script-security 2
    
  7. Now that we have the configuration file handy, we will merge the certificates and keys into it to make an inline configuration file. (If you did not name your certificates as in the examples above, download the merge.sh script and change its parameters.)

    sudo wget https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/merge.sh -O $HOME/client-files/merge.sh
    cd $HOME/client-files/
    sudo chmod +x $HOME/client-files/merge.sh
    sudo $HOME/client-files/merge.sh
    sudo chown $USER $HOME/client-files/scrambled-client.ovpn
    
  8. The client configuration file is ready. Transfer it to your computer. You can use SFTP via Filezilla.

  9. We will setup the configuration file on the server side now.

    sudo nano /etc/openvpn/server.conf
    

    Please make sure that you have the same keyword after scramble obfuscate as in the client configuration file. Don't forget to set the same port as well.

    port 443
    proto udp
    dev tun
    scramble obfuscate guardian
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/server.crt
    key /etc/openvpn/server.key
    tls-auth /etc/openvpn/ta.key 0
    dh /etc/openvpn/dh1024.pem
    server 10.8.0.0 255.255.255.0
    cipher AES-256-CBC
    comp-lzo
    persist-key
    persist-tun
    user nobody        # If server fails to start, please change this to an existing user
    group openvpn    # If server fails to start, please change this to an existing group
    status openvpn-status.log
    verb 3
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    push "redirect-gateway def1"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    keepalive 5 30
    
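    As an added example (not the author's merge.sh, which is only linked above), this POSIX shell script does the same job as step 7: it takes the scrambled-client.ovpn from step 6 plus ca.crt, client.crt, client.key and ta.key from the same directory and emits a single inline profile. The certificate and key contents below are constructed placeholders, and 203.0.113.10 stands in for the server IP.

```shell
#!/bin/sh
# Added example: build an inline OpenVPN client profile from the step 5/6 files.
# Equivalent in purpose to the merge.sh the tutorial links; not that script.

build_inline_ovpn() {
  base="$1"; out="$2"
  for f in ca.crt client.crt client.key ta.key; do
    # Refuse to build a profile with a missing piece; OpenVPN would fail later anyway.
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
  done
  # Drop the directives that point at files; the inline blocks below replace them.
  grep -Ev '^(ca|cert|key|tls-auth)[[:space:]]' "$base" > "$out"
  # "tls-auth ta.key 1" carried the key direction; inline it is given as key-direction.
  printf 'key-direction 1\n' >> "$out"
  for pair in ca:ca.crt cert:client.crt key:client.key tls-auth:ta.key; do
    tag=${pair%%:*}; src=${pair#*:}
    printf '<%s>\n' "$tag" >> "$out"
    cat "$src" >> "$out"
    printf '</%s>\n' "$tag" >> "$out"
  done
  chmod 600 "$out"   # the profile now contains the private key: owner-only
}

# --- constructed sample input (not real keys or certificates) ---
WORK=$(mktemp -d)
cd "$WORK" || exit 1
for f in ca.crt client.crt; do
  printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-SAMPLE-%s\n-----END CERTIFICATE-----\n' "$f" > "$f"
done
printf -- '-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-SAMPLE-KEY\n-----END PRIVATE KEY-----\n' > client.key
printf -- '-----BEGIN OpenVPN Static key V1-----\nCONSTRUCTED-SAMPLE-TA\n-----END OpenVPN Static key V1-----\n' > ta.key
# Base config as in step 6; 203.0.113.10 is a documentation placeholder for the server IP.
cat > base.ovpn <<'EOF'
client
dev tun
scramble obfuscate guardian
proto udp
remote 203.0.113.10 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3
EOF

OUT="$WORK/scrambled-client.ovpn"
build_inline_ovpn base.ovpn "$OUT"
```

    The resulting file is self-contained, so only the one .ovpn needs to be transferred in step 8.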

Comments

  • halczyhalczy Member
    edited February 2014
    1. Enable IP packet forwarding so that our VPN traffic can pass through.

      sudo nano /etc/sysctl.conf
      

      Change it from 0 to 1 to enable IP packet forwarding.

      net.ipv4.ip_forward=1
      

      Reload to take effect.

      sysctl -p
      
    2. Let's set the iptables. Please go with your corresponding virtualization.

      OpenVZ:

      sudo iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source YOUR SERVER IP
      sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source YOUR SERVER IP
      

      KVM/XEN:

      sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
      

      Save the iptables rules.

      sudo service iptables save
      
    3. Start the OpenVPN service.

      sudo service openvpn restart
      

    Setting up your scrambled OpenVPN client on Ubuntu

    Prerequisites:

    1. Install the following packages in order to be able to compile OpenVPN later.

      sudo apt-get update; sudo apt-get upgrade
      sudo apt-get install gcc make automake autoconf dh-autoreconf file patch perl dh-make debhelper devscripts gnupg lintian quilt libtool pkg-config libssl-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev -y
      

    Building the OpenVPN client from source

    1. Download OpenVPN and the patch (Same as setting up OpenVPN on the server side).

      wget https://github.com/OpenVPN/openvpn/archive/release/2.3.zip
      wget https://github.com/clayface/openvpn_xorpatch/archive/master.zip
      unzip 2.3.zip
      unzip master.zip
      
    2. Apply the patch to the source files.

      cp openvpn_xorpatch-master/openvpn_xor.patch openvpn-release-2.3/
      cd openvpn-release-2.3/
      git apply --check openvpn_xor.patch
      git apply openvpn_xor.patch
      cd ..
      sudo mv ./openvpn-release-2.3/ /etc/openvpn
      
    3. Make sure you have installed the packages from the prerequisite section. We will now build the OpenVPN server from source.

      cd /etc/openvpn/
      sudo autoreconf -i -v -f
      sudo ./configure --prefix=/usr
      sudo make
      sudo make install
      

    Client side OpenVPN usage

    In the folder where your client configuration file is located.

    sudo openvpn --config [Your configuration file name]
    

    If you see Initialization Sequence Completed, that means you have connected to your VPN successfully.

    Thanked by 3mark sycotic kontam
  • halczyhalczy Member
    edited February 2014

    Setting up your Softether VPN Server

    Softether's native protocol is pretty solid. As of now, it can bypass the GFW undetected. Softether also offer L2TP over IPsec and MS-SSTP for your mobile devices, since the scrambled OpenVPN won't work on your iOS or Android devices. For those behind crazy firewalls, you can try VPN over ICMP or DNS.

    1. Download the Softether VPN Server and unzip it.

      x64:
      wget https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/softether-vpnserver-v4.04-9412-rtm-2014.01.15-linux-x64-64bit.tar.gz
      
      x32:
      wget https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/softether-vpnserver-v4.04-9412-rtm-2014.01.15-linux-x86-32bit.tar.gz
      
      tar zxvf softether-vpnserver-*.tar.gz
      
    2. Compile the source and install.

      cd vpnserver/
      make
      

      Answer 1 (Yes) about three times and it will start to compile. If it is successful, you should see 6 pass.

    3. Move the folder to /usr/local and change the file permissions.

      cd ..
      sudo mv vpnserver/ /usr/local/ 
      cd /usr/local/vpnserver/
      sudo chmod 600 *
      sudo chmod 700 vpncmd
      sudo chmod 700 vpnserver
      
    4. Let's download the startup script and set it.

      sudo wget https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/vpnserver -O /etc/init.d/vpnserver
      


      We will enable the script to run at boot.

      sudo chmod 755 /etc/init.d/vpnserver
      sudo chkconfig vpnserver on
      

      Make sure the startup script is correctly set. Level 2/3/4/5 should be on.

      chkconfig --list | grep vpnserver
      
    5. Check and see if the Softether Server is ready to run

      sudo ./vpncmd
      3
      check
      

      If no error is returned, then you are good to go. We will start the Softether server now.

      sudo service vpnserver start
      
    6. Now we can set the server administrator password. Hit enter when it asks for the IP and Virtual Hub Name.

      sudo ./vpncmd
      1
      Hostname of IP Address of Destination: [Enter]
      Specify Virtual Hub Name: [Enter]
      ServerPasswordSet
      
    7. To speed up the process, we will use the GUI management tool to continue the setup.

      Since the GUI management tool is only available on Windows, we need to install it on Linux via Wine. If you are already on Windows, just install it directly.

      Download the GUI Tool:
      https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/softether-vpnserver_vpnbridge-v4.04-9412-rtm-2014.01.15-windows-x86_x64-intel.exe
      


      Select the Admin Tools Only option when installing

    8. Once you have the GUI tool open. Select New Setting to set a connection profile.

      Setting Name: [Any name will do]
      Host Name: [Your Server IP]
      Port: [Left as default]
      Password: [The password you set in step 6]

      Save and click on Connect

    9. We will set it as Remote Access VPN Server. Click next and then yes to initialize the server.

    10. It will ask for a Virtual Hub Name. This is important as you will need to refer back to this later when setting up L2TP / IPsec.

    Thanked by 3mark fan kontam
  • halczyhalczy Member
    edited February 2014
    1. Set a DDNS Hostname by clicking Set to Above Hostname

    2. For personal VPN use, we will only enable L2TP over IPsec. Also, set an IPsec Pre-Shared Key. Write this down somewhere since you will need it later.

    3. Enable VPN Azure if you have any Windows devices that you plan to use. If not, please disable it just in case.

    4. Select Create Users. Set username and password.

    5. Close the VPN Easy Setup Tasks and return to the main menu. Click Local Bridge Setting in the bottom left corner.

    6. In the local bridge setting page, select the virtual hub that you just created. Now select Bridge with New Tap Device and then name your tap device. You will need to remember the name for the setup later. Now click Create Local Bridge to finish the local bridge setup.

    7. Moving back to your server's command line. We will install dnsmasq to act as DHCP server.

      sudo yum install dnsmasq
      sudo chkconfig dnsmasq on
      
    8. We will need to edit dnsmasq's config file to set our tap device and ip range.

      sudo nano /etc/dnsmasq.conf
      

      Please replace [...] with your own specs

      interface=[Your Tap Device Name]
      dhcp-range=[Your Tap Device Name],[Starting IP],[Ending IP],12h
      dhcp-option=[Your Tap Device Name],3,[Server Gateway IP]
      

    9. We will need to modify the Softether's startup script to match what we just setup.

      sudo nano /etc/init.d/vpnserver
      

      Please replace [...] with your own specs

      #!/bin/sh
      ### BEGIN INIT INFO
      # Provides:          vpnserver
      # Required-Start:    $remote_fs $syslog
      # Required-Stop:     $remote_fs $syslog
      # Default-Start:     2 3 4 5
      # Default-Stop:      0 1 6
      # Short-Description: Start daemon at boot time
      # Description:       Enable Softether by daemon.
      ### END INIT INFO
      DAEMON=/usr/local/vpnserver/vpnserver
      LOCK=/var/lock/subsys/vpnserver
      TAP_ADDR=[Server Gateway IP]
      
      test -x $DAEMON || exit 0
      case "$1" in
      start)
      $DAEMON start
      touch $LOCK
      sleep 1
      /sbin/ifconfig [Your Tap Device Name] $TAP_ADDR
      ;;
      stop)
      $DAEMON stop
      rm $LOCK
      ;;
      restart)
      $DAEMON stop
      sleep 3
      $DAEMON start
      sleep 1
      /sbin/ifconfig [Your Tap Device Name] $TAP_ADDR
      ;;
      *)
      echo "Usage: $0 {start|stop|restart}"
      exit 1
      esac
      exit 0
      

    10. Now we will add the additional rule to our iptables

      sudo iptables -t nat -A POSTROUTING -s [Your Gateway]/24 -j SNAT --to-source [Your Server IP]
      sudo service iptables save
      

    11. We will reboot the server now to finish the install.

    12. (Optional) Softether by default enables its OpenVPN clone. You should turn it off just in case. To turn it off, select OpenVPN / MS-SSTP Setting at the bottom right corner. Then uncheck Enable OpenVPN Clone Server Function.

    13. (Optional) To enable VPN over ICMP / DNS function, select Encryption and Network located in the middle of the menu. Then select VPN over ICMP / DNS Settings, it is located near the bottom right. Check one or both options and there you have it.

    Softether VPN Client on Windows

    1. Download the client.

      https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/softether-vpnclient-v4.04-9412-rtm-2014.01.15-windows-x86_x64-intel.exe
      
    2. Select add new connection.

    3. If you see this. You are good to go. Enjoy your internet freedom!

    End note: This tutorial is sourced from materials at

    http://scramblevpn.wordpress.com/

    http://blog.lincoln.hk/blog/2013/05/17/softether-on-vps-using-local-bridge/

    Thanked by 2mark kontam
  • Clearly a lot of work has gone into this. Thank you for taking the time to publish this, very interesting.

  • <3 xor-patch and obfsproxy with openvpn at china telecom for over a year.

  • Thank you for the time to write this tutorial :)

  • GunterGunter Member
    edited February 2014

    Have SSH Tunnels been blocked yet?

    As well thank you for your tutorial, it was well written and excellently formatted :)

  • belinikbelinik Member
    edited February 2014

    nice tutorial, I have used softether's protocol for 2 years(not for bypass but to speedboost) and it has been great. I am moving there soon, using china telecom dsl(sadly no fiber for another year). To reach website from the state what location do you suggest to build a vpn?(hkg/japan/lax) I have seattle with ramnode which is workable but looking for something better.

  • Thank you for your effort. :)

  • @halczy Wow!! It takes much effort to write this guide. Thank you, I learn something new every day.

  • Superb, :) to have VPN much better just install openpanel with extension openapp network and just have vpn with few commands on debian/ubuntu :)

  • halczyhalczy Member
    edited February 2014

    @darknyan said:
    Have SSH Tunnels been blocked yet?

    As well thank you for your tutorial, it was well written and excellently formatted :)

    It not blocked yet, but rumor has it that GFW can identify ssh traffic pattern to see if you are using it as proxy. I rarely use it and don't see that would be a problem. GAE proxy is also a good alternative, it uses Google's Beijing data center and hop to Kansas via IPv6.

  • @belinik said:
    nice tutorial, I have used softether's protocol for 2 years(not for bypass but to speedboost) and it has been great. I am moving there soon, using china telecom dsl(sadly no fiber for another year). To reach website from the state what location do you suggest to build a vpn?(hkg/japan/lax) I have seattle with ramnode which is workable but looking for something better.

    Well, my experience is that west coast servers in the states is much better than servers in Hong Kong or Japan. You can get around 170ms pings and on a good day you can get up to 60mbps. I have the 100mbps fiber and when on a VPN connection, I have never surpass 60mbps. 25mbps will be the average. Hong Kong has lower pings at around 50-100ms, but the bandwidth seems limited for some reason. I blame CT's weird routing.

    Thanked by 1belinik
  • @halczy said:
    It not blocked yet, but rumor has it that GFW can identify ssh traffic pattern to see if you are using it as proxy. I rarely use it and don't see that would be a problem. GAE proxy is also a good alternative, it uses Google's Beijing data center and hop to Kansas via IPv6.

    Google has Beijing data center?I don't know that.

  • After failed to set up VPN from Openvpn and L2TP in China mainland, I used openvpn connect(web) to set servaral VPN, it works fine most time.

  • halczyhalczy Member
    edited February 2014

    @Edo said:
    Google has Beijing data center?I don't know that.

    They still have that data center operating. And one of the few in China with IPv6. GFW doesn't work that well when it comes to IPv6.

  • @halczy said:
    They still have that data center operating. And one of the few in China with IPv6. GFW doesn't work that well when it comes to IPv6.

    Yes,now GFW doesn't block IPV6.but oneday,GFW will block IPV6 too,damn it.

  • Props for a very nice tutorial.

  • rskrsk Member, Patron Provider

    halczy said: Softether VPN Server

    @halczy does softether come scrambled by default? Also, what is the method to connect to scrambled openvpn from Windows? You only did it for Ubuntu.

    I never seem to understand >.>

    Thanks for your help in advance.

  • @rsk said:
    does softether come scrambled by default?

    Yes. Softehter is scrambled by default. Or at least GFW can't seem to be able to identify it yet.

    I personally just use Softether on my windows client. If you need the scrambled OpenVPN client for windows, this blog has it already complied. Just replace openvpn.exe with the original.

    http://scramblevpn.wordpress.com/2013/09/28/build-patched-windows-openvpn-client/
    
  • rskrsk Member, Patron Provider

    @halczy said:
    ~~~

    Thanks :)

  • Great tutorial!

    --post via l2tp

  • such give
    wow good work!!

  • Out of curiosity, what is the penalty if the authorities caught you avoiding the GFW?

  • Bookmark this nice tutorial

  • nice tutorial, thanks

  • halczyhalczy Member
    edited February 2014

    @Jono20201 said:
    Out of curiosity, what is the penalty if the authorities caught you avoiding the GFW?

    I haven't heard of anyone that actually got into legal trouble after getting caught by the GFW. Usually they just disconnect your internet for like two minutes or so, then block the VPN's IP address. I believe it is fully automated now. If you are a repeat offender, expect "interesting" connection problems from now on.

  • @halczy said:
    I haven't heard of anyone that actually got into legal trouble after getting caught by the GFW. Usually they just disconnect your internet for like two minutes or so, then block the VPN's IP address. I believe it is fully automated now. If you are a repeat offender, expect "interesting" connection problems from now on.

    Sometimes depends on where you use it. It has been confirmed that SAs are receiving some kinds of "reminders" from the network police. If it 's in universities, there was some of users being called by the IT department.

    It is confirmed that GFW had acquired some way to detect "abnormal" traffic via SSH tunnel. For servers have unusual traffic detected, the SSH port may be blocked.

    I am quite interested in whether OpenVPN with obfuscate will survive. Elder reports said GFW will block the handshake progress of OpenVPN, don't know whether they are blocking OpenVPN traffic now.

  • thanks for the tutorial

  • khavkhav Member

    Thanks for the awesome tutorial mate........
    I intend to create a bash script for it soon and share it with the LET community
    Ofc full credits will be given to you
