Comments
Thanks, might need this.
Wow, thank you for the great tutorial. Useful for everyone, not just to avoid the GFW.
Testing on an idle VPS on the China Unicom network: I succeed in connecting but fail to get a local IP address when using local bridge, but if I change to SecureNAT there is no problem.
If you are not getting a local IP address, that means there is a problem with your dnsmasq setup. Check whether dnsmasq is running and whether the configuration file is set correctly. Softether's SecureNAT comes with its own DHCP server, so it works without dnsmasq.
@halczy what would be the iptables rule if the server is running on bare metal (not using any virtualization)?
P.S. I am referring to the scrambled OpenVPN server on CentOS 6.
It should be the same as the KVM/XEN setup. If your local connection is eth0, then use
Let me know if it doesn't work.
Did anyone try the Softether L2 bridging for high bandwidth? I'm using N2N, which gives me ~40 Mbit @ 100 Mbit, while OpenVPN did not even do 20 Mbit.
@halczy
Will this line be the same for all servers?
server 10.8.0.0 255.255.255.0
I am trying to set up OpenVPN on a RamNode server at the moment.
Thanks for clearing my doubts.
Regards mate :)
@halczy I am not able to connect :(
Installation completed with no errors.
tail -f /var/log/messages
Do we need to add something to the configuration when our server has both IPv4 and IPv6 addresses? (Just a guess, it's the first time I am setting up OpenVPN ever.)
I think dnsmasq is already running in the background, still trying to figure it out.
@khav
If you used my server configuration file along with the same iptables rule, using
server 10.8.0.0 255.255.255.0
is fine. From the look of your server log, the OpenVPN server is running just fine. Can you paste the client log? Also, remember to save the iptables rule. It shouldn't matter whether or not your server has IPv6 addresses; we are only using IPv4 in this case.
You mentioned that you got your server from RamNode. Is it KVM or OpenVZ? I don't think they sell dedicated servers there.
Maybe double check the dnsmasq config file. You will also need matching iptables rules and modified Softether boot script. Remember to restart dnsmasq and vpnserver when done.
@halczy yes, my server is KVM.
I was asking about the iptables rules for dedicated servers just in case I move to a dedi in the future.
I use OpenVPN on Windows ... it just says connecting to scrambled-client and then connecting to scrambled-client has failed. No log whatsoever could be found in the log folder.
Btw I copied only
scrambled-client.ovpn
to the openvpn/config folder on Windows. Is there anything I am missing here? I used this iptables rule
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
The GFW in China doesn't block what you are saying it is.
@khav
Did you download the custom/scrambled version of OpenVPN? If not, you can get it here http://scramblevpn.wordpress.com/2013/09/28/build-patched-windows-openvpn-client/ and replace the stock one.
When you are connecting, there should be a pop-up window with logs in it.
This varies by canton and city (and ISP). Wūlǔmùqí (I'm not sure if that's right; en. Urumqi) is far more censored than Shanghai or Beijing; Shenzhen is almost not at all.
Thanks
@halczy
I didn't know that I had to download the scrambled version of the OpenVPN client.
I did it and now everything works fine ... Thanks a ton dude.
It would be great if you could share how to add user/pass to connect to the VPN for security reasons :P
Thanks again :)
Actually the setup should be pretty secure. It uses certificates to authenticate with the server, so only the one with the configuration file can access it. If you prefer to use a username/password setup:
Add the following lines to your server configuration file.
Remove the following line from your server configuration file
Add the following lines to your client configuration file. Also copy the ca.crt file from /etc/openvpn/easy-rsa/2.0/keys on your server to the directory that the client configuration file is in.
Remove this line and everything after
<ca>
in the client configuration file. You should be prompted for a username/password now; use your Linux username/password to connect. If you plan to share your VPN with lots of friends, I would recommend setting up Softether; it offers a pretty slick user management feature.
@halczy I have no doubt that your setup is secure.
It's just that I want username/password authorization + your current certificate setup. In this case, even if someone copies my configuration file, he/she will still need a username & password to connect to the VPN.
I think that using an SSH username/password to connect would be secure. It's way better to add another Linux user.
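As an added example (not code from the thread): a small script for the combination khav asks for, keeping the tutorial's certificate authentication and requiring a Linux username/password on top of it through OpenVPN's auth-pam plugin. The plugin path and the file names are assumptions; the path differs between distributions and OpenVPN versions.

```shell
#!/bin/sh
# Added example, not the lines posted in the thread: keep OpenVPN's certificate
# check and require a Linux username/password on top of it, so a copied .ovpn
# file alone is not enough to connect. PAM_PLUGIN is an assumed path; the file
# name and directory differ between distributions and OpenVPN versions.
PAM_PLUGIN="${PAM_PLUGIN:-/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so}"

# Append a line to a config file unless that exact line is already present.
add_line_once() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Server side: the auth-pam plugin hands the supplied username/password to the
# "login" PAM service, i.e. the local Linux accounts. Nothing is removed, so the
# client certificate is still verified and a connection needs both factors.
server_add_pam() {
    add_line_once "$1" "plugin $PAM_PLUGIN login"
}

# Client side: auth-user-pass makes the client prompt for credentials. The
# <ca>/<cert>/<key> blocks (or ca/cert/key lines) stay in place.
client_add_userpass() {
    add_line_once "$1" "auth-user-pass"
}

# Succeeds only when a server config requires both factors: a CA is still
# configured, certificate checking was not switched off, and the plugin is on.
server_requires_both() {
    grep -Eq '^(ca |<ca>)' "$1" \
        && ! grep -Eq '^(client-cert-not-required|verify-client-cert +none)' "$1" \
        && grep -q '^plugin .*auth-pam.* login$' "$1"
}

# Usage: sh add_pam_auth.sh /etc/openvpn/server.conf scrambled-client.ovpn
if [ $# -eq 2 ]; then
    server_add_pam "$1" && client_add_userpass "$2" \
        && server_requires_both "$1" && echo "both factors enabled"
fi
```

The script only appends lines; restart the OpenVPN server afterwards so the plugin line takes effect.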
@halczy
I created an automated bash script to carry out the setup:
http://lowendtalk.com/discussion/23555/scrambled-openvpn-auto-installer-script
Hope it helps people.
A great tutorial, good job. Many thanks.
Scrambled OpenVPN RPM and DEB packages are also available,
might be useful for some. But package dependencies might cause trouble.
CentOS
http://vpnchinaopenvz.wordpress.com/2014/03/18/build-scrambled-openvpn-linux-rpm-package-for-virtual-server/
Debian
http://vpnchinaopenvz.wordpress.com/2014/03/15/8/
For the server script, I think, in CentOS it is 'group nobody',
in Debian 'group nogroup'.
You can check the available groups with cat /etc/group
interface=[Your Tap Device Name]
dhcp-range=[Your Tap Device Name],[Starting IP],[Ending IP],12h
dhcp-option=[Your Tap Device Name],3,[Server Gateway IP]
Is the server gateway IP the same as the external IPv4 address of the server? Or is it the internal IP, like 192.168.xxx.1?
@zhuanyi
That will be the internal IP. If your tap device is named abc and your internal gateway is set to 10.2.1.1, then the following will be your configuration.
server=xxx.xxx.xxx.xxx
will be pushed as your client's DNS server.
Great tutorial sir ..
Thanks
So I followed your tutorial and set up the iptables rules; however, while I was able to connect to Softether through the Windows client, once I am connected I can't visit any website.
Is there a log file that I should check to make sure I have not done anything silly? Here is my iptables file if it helps:
106.xxx.xxx.xxx is my server's IPv4 address.
Here are some relevant sections of my dnsmasq config file:
Everything else in the config file is default.
Here is my Linux version if it helps:
Thanks for your help!
@zhuanyi
If you can connect to Softether but not the internet, that means either your dnsmasq or your iptables is not set up properly. What IP was assigned to your Softether client when you connected? If you get something like 10.8.X.X, that means your dnsmasq is fine. In that case, it might be your iptables setting.
Try the following things and see if it works.
In your dnsmasq config file, I don't see the line below. Make sure it is there.
Also, check your IP forward setting and add the following to your iptables.
And you are not using OpenVZ, right?
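As an added example (not from the thread): a check script for the "connected to Softether but no internet" case that tests the three points above, IPv4 forwarding, the MASQUERADE rule for the VPN subnet, and the dnsmasq lines for the tap bridge. The subnet 10.8.0.0/24, uplink eth0 and tap device name tap_soft are assumptions, as are the sample rule and config text it ships with.

```shell
#!/bin/sh
# Added example, not code from the thread: checks for the "connected to
# Softether but no internet" case. The functions take captured text as input
# so they can be run against saved output; the VPN subnet 10.8.0.0/24, uplink
# eth0 and tap device name "tap_soft" used below are assumed values.

# 1. IPv4 forwarding: pass the contents of /proc/sys/net/ipv4/ip_forward.
ip_forward_ok() {
    [ "$1" = "1" ]
}

# 2. NAT: pass the output of `iptables -t nat -S POSTROUTING`; succeeds when a
#    MASQUERADE rule matches the VPN subnet leaving the uplink interface.
masquerade_ok() {
    printf '%s\n' "$1" | grep -q -- "-s $2 .*-o $3 .*-j MASQUERADE"
}

# 3. dnsmasq: pass the config text; the bridge needs the interface, a DHCP
#    range and a gateway (option 3) all bound to the tap device, plus an
#    upstream "server=" line so clients get a resolver. Prints what is missing.
dnsmasq_ok() {
    conf="$1"; tap="$2"; rc=0
    for need in "interface=$tap" "dhcp-range=$tap," "dhcp-option=$tap,3," "server="; do
        printf '%s\n' "$conf" | grep -q "^$need" || { echo "dnsmasq.conf missing: $need"; rc=1; }
    done
    return $rc
}

# Constructed sample output, as it would look on a working server.
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE'
SAMPLE_CONF='interface=tap_soft
dhcp-range=tap_soft,10.8.0.10,10.8.0.100,12h
dhcp-option=tap_soft,3,10.8.0.1
server=8.8.8.8'

# Live run on this host (root needed for iptables): sh check_vpn.sh --live
if [ "${1:-}" = "--live" ]; then
    ip_forward_ok "$(cat /proc/sys/net/ipv4/ip_forward)" \
        || echo "FIX: sysctl -w net.ipv4.ip_forward=1, and set it in /etc/sysctl.conf"
    masquerade_ok "$(iptables -t nat -S POSTROUTING 2>/dev/null)" 10.8.0.0/24 eth0 \
        || echo "FIX: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE"
    dnsmasq_ok "$(cat /etc/dnsmasq.conf)" tap_soft \
        || echo "FIX: add the missing dnsmasq lines, then restart dnsmasq and vpnserver"
else
    masquerade_ok "$SAMPLE_RULES" 10.8.0.0/24 eth0 && dnsmasq_ok "$SAMPLE_CONF" tap_soft \
        && echo "sample rules and config pass all checks"
fi
```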
Thanks! Those 2 lines helped; also I enabled IPv4 forwarding in the /etc/sysctl.conf file. I must have missed those lines in the tutorial. Thanks so much!
Can you make another tutorial where the OpenVPN server is installed on Ubuntu? What would change in the tutorial if that is the case?
The Chinese in SH seem to have given up blocking OpenVPN; normal OpenVPN is working again.
Here is a tutorial for scrambled OpenVPN on Ubuntu:
http://vpnchinaopenvz.wordpress.com/2014/03/16/openvz-and-patched-openvpn-server/