
nihilist - 12 / 08 / 2020

VPS-Hosted OpenVPN server:

You may want a VPS-hosted VPN server when you want to route your traffic through a VPN server you actually control: you decide what gets logged, because the OpenVPN log and status files live on your own box rather than at a commercial VPN provider. Bear in mind that the hosting provider can still see the VPS's traffic and who pays for it, so this hides your home IP from the sites you visit, not your identity from the host.

With this solution you can also terminate the server itself once you're done with it.

-DigitalOcean
-Droplet (Debian 10)
-Plan: Basic ($5/mo)
-Location: a region that isn't where you live
-SSH key rather than a root password

Once the droplet is created, log into it. The first connection asks you to trust the host key; compare the fingerprint with the one shown in your provider's console before answering yes, otherwise you cannot tell your VPS apart from a box in the middle:



	[ 192.168.122.1/24 ] [ /dev/pts/13 ] [~]
	→ ssh root@164.90.155.222
	The authenticity of host '164.90.155.222 (164.90.155.222)' can't be established.
	ECDSA key fingerprint is SHA256:m829SX8NOlOUnlm2fzokZJ5XMT6gxJoyNceCYOB8gms.
	Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
	Warning: Permanently added '164.90.155.222' (ECDSA) to the list of known hosts.
	Linux debian-s-1vcpu-1gb-sfo3-01 4.19.0-8-cloud-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64
	
	The programs included with the Debian GNU/Linux system are free software;
	the exact distribution terms for each program are described in the
	individual files in /usr/share/doc/*/copyright.
	
	Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
	permitted by applicable law.
	root@debian-s-1vcpu-1gb-sfo3-01:~#

Angristan's Script:

Angristan maintains a script that installs and configures an OpenVPN server in a few minutes; the upstream repository is https://github.com/angristan/openvpn-install. The copy fetched below comes from a mirror, so skim it before executing it: it runs as root, installs packages, builds the PKI and writes /etc/openvpn/server.conf.


wget https://raw.githubusercontent.com/ech1/serverside/master/ovpn/openvpn-install.sh
chmod +x openvpn-install.sh
./openvpn-install.sh

For starters, just hit enter at every prompt; if you know what you're doing, feel free to change options during the installation.

For advanced users, I recommend running OpenVPN on custom port 443 over TCP to get through networks that only let web traffic out: to a filter it looks like an HTTPS connection. The price is TCP-over-TCP, which is why the script (rightly) steers you towards UDP whenever UDP is available:


root@Temple:~# ./openvpn-install.sh
Welcome to the OpenVPN installer!
The git repository is available at: https://github.com/angristan/openvpn-install

I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.

I need to know the IPv4 address of the network interface you want OpenVPN listening to.
Unless your server is behind NAT, it should be your public IPv4 address.
IP address: 78.141.239.68

Checking for IPv6 connectivity...

Your host does not appear to have IPv6 connectivity.

Do you want to enable IPv6 support (NAT)? [y/n]: y

What port do you want OpenVPN to listen to?
   1) Default: 1194
   2) Custom
   3) Random [49152-65535]
Port choice [1-3]: 2
Custom port [1-65535]: 443

What protocol do you want OpenVPN to use?
UDP is faster. Unless it is not available, you shouldn't use TCP.
   1) UDP
   2) TCP
Protocol [1-2]: 12
Protocol [1-2]: 2

What DNS resolvers do you want to use with the VPN?
   1) Current system resolvers (from /etc/resolv.conf)
   2) Self-hosted DNS Resolver (Unbound)
   3) Cloudflare (Anycast: worldwide)
   4) Quad9 (Anycast: worldwide)
   5) Quad9 uncensored (Anycast: worldwide)
   6) FDN (France)
   7) DNS.WATCH (Germany)
   8) OpenDNS (Anycast: worldwide)
   9) Google (Anycast: worldwide)
   10) Yandex Basic (Russia)
   11) AdGuard DNS (Anycast: worldwide)
   12) NextDNS (Anycast: worldwide)
   13) Custom
DNS [1-12]: 11

Do you want to use compression? It is not recommended since the VORACLE attack make use of it.
Enable compression? [y/n]: n

Do you want to customize encryption settings?
Unless you know what you're doing, you should stick with the default parameters provided by the script.
Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)
See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.

Customize encryption settings? [y/n]: n

Okay, that was all I needed. We are ready to setup your OpenVPN server now.

[...]


Tell me a name for the client.
Use one word only, no special characters.
Client name: nothing

Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
   1) Add a passwordless client
   2) Use a password for the client
Select an option [1-2]: 2
⚠️ You will be asked for the client password below ⚠️

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1j  16 Feb 2021
Generating an EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-4185644.tXXER0/tmp.mzvtcc'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-4185644.tXXER0/tmp.prBOSr
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'nothing'
Certificate is to be certified until Apr 13 15:51:09 2024 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Client nothing added.

The configuration file has been written to /root/nothing.ovpn.
Download the .ovpn file and import it in your OpenVPN client.

You can even hide that it's an OpenVPN server on 443/tcp with the port-share feature: OpenVPN answers its own clients and proxies any connection that doesn't look like an OpenVPN handshake to another daemon, here a web server listening on 127.0.0.1:443, so a scanner or censor probing the port sees an ordinary HTTPS site. port-share only works in TCP server mode, and the web server must bind to loopback only (or OpenVPN must bind to the public address with a local line), otherwise the two fight over the port:


[ Datura Network ] [ /dev/pts/8 ] [/etc/openvpn]
→ cat /etc/openvpn/server.conf | grep 443
port-share 127.0.0.1 443

If your server runs Arch Linux rather than Debian, don't forget this step (as instructed here): the service there expects /etc/openvpn and the log directory to be owned by user openvpn, group network, so fix the ownership and restart the server:


# chown user:group (the old user.group spelling still works but is deprecated)
sudo chown -R openvpn:network /var/log/openvpn /etc/openvpn/

sudo systemctl restart openvpn-server@server.service

Getting the .ovpn file:



To get the .ovpn file onto your machine you can serve it with Python's SimpleHTTPServer module (on a Python 3 only box: python3 -m http.server 9099). Be aware of what you are exposing: the profile embeds the CA certificate, your client certificate and private key, and the tls-crypt/tls-auth key, and this serves it in plaintext to anyone who can reach port 9099. Stop the server with Ctrl-C the moment the download finishes, or skip it entirely and copy the file over the SSH session you already have: scp root@164.90.155.222:nothing.ovpn .


root@debian-s-1vcpu-1gb-sfo3-01:~# ls -lash | grep ovpn
4.0K -rw-r--r--  1 root root 2.7K Aug 12 15:41 nothing.ovpn
root@debian-s-1vcpu-1gb-sfo3-01:~# python -m SimpleHTTPServer 9099
Serving HTTP on 0.0.0.0 port 9099 ...

then just download it to your local machine:


[ 192.168.122.1/24 ] [ /dev/pts/7 ] [~]
→ wget http://164.90.155.222:9099/nothing.ovpn
--2020-08-12 18:43:48--  http://164.90.155.222:9099/nothing.ovpn
Connecting to 164.90.155.222:9099... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2764 (2.7K) [application/octet-stream]
Saving to: ‘nothing.ovpn’

nothing.ovpn               100%[=====================================>]   2.70K  --.-KB/s    in 0s

2020-08-12 18:43:48 (52.1 MB/s) - ‘nothing.ovpn’ saved [2764/2764]


[ 192.168.122.1/24 ] [ /dev/pts/7 ] [~]
→ ls -lash | grep ovpn
 12K -rw-r--r--  1 nothing nothing 9.3K Aug  3 12:18 nihilist777.ovpn
4.0K -rw-r--r--  1 nothing nothing 2.7K Aug 12 16:41 nothing.ovpn

And that's it: you can now use the .ovpn file with whatever client you like, for example the openvpn binary itself or your distro's built-in VPN utility. The "Unrecognized option ... block-outside-dns" line you will see on Linux is harmless: that directive only exists on Windows (where it stops DNS queries leaking around the tunnel), so OpenVPN warns and carries on:


[ 10.99.99.1/24 ] [ /dev/pts/22 ] [~]
→ sudo openvpn nothing.ovpn
[sudo] password for nothing:
2022-01-09 16:52:42 Unrecognized option or missing or extra parameter(s) in nothing.ovpn:18: block-outside-dns (2.5.5)
2022-01-09 16:52:42 OpenVPN 2.5.5 [git:makepkg/869f194c23ae93c4+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 15 2021
2022-01-09 16:52:42 library versions: OpenSSL 1.1.1m  14 Dec 2021, LZO 2.10
🔐 Enter Private Key Password: *********

If you want the VPN to come up at boot, wrap it in a systemd unit. Nothing can type the key passphrase at boot, so the profile the unit points at must either be a passwordless client or carry an askpass /path/to/file line that reads the passphrase from a root-only (mode 0600) file. The hand-rolled unit below works; on Debian and Arch the packaged template does the same job with hardening already applied: copy the profile to /etc/openvpn/client/nothing.conf and run systemctl enable --now openvpn-client@nothing.


[ 10.8.0.5/24 ] [ /dev/pts/22 ] [~]
→ sudo vim /etc/systemd/system/vpn.service

[ 10.8.0.5/24 ] [ /dev/pts/22 ] [~]
→ cat /etc/systemd/system/vpn.service
[Unit]
Description=VPN
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/usr/sbin/openvpn --config /home/nothing/nothing0mainpc.ovpn
# No ExecStop line: systemd does not expand $(pidof openvpn), and SIGKILL
# would leave the tun device and routes behind. The default SIGTERM on
# "systemctl stop" lets openvpn tear everything down cleanly.
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

[ 10.8.0.5/24 ] [ /dev/pts/22 ] [~]
→ systemctl daemon-reload
==== AUTHENTICATING FOR org.freedesktop.systemd1.reload-daemon ====
Authentication is required to reload the systemd state.
Authenticating as: nothing
Password:
==== AUTHENTICATION COMPLETE ====


And then from there you can start and stop your vpn like so:


[ 10.8.0.5/24 ] [ /dev/pts/22 ] [~]
→ sudo systemctl start vpn

[ 10.8.0.5/24 ] [ /dev/pts/22 ] [~]
→ sudo systemctl stop vpn

And to enable it at each system bootup:


[ 10.8.0.5/24 ] [ /dev/pts/22 ] [~]
→ sudo systemctl enable vpn
Created symlink /etc/systemd/system/multi-user.target.wants/vpn.service → /etc/systemd/system/vpn.service.

The server pushes redirect-gateway to every client, which makes the VPN your default route. If you only want the VPN subnet routed through the tunnel and everything else left alone, add this line to the .ovpn file so the client drops that pushed option:


pull-filter ignore redirect-gateway
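Once the profile is on your machine it is worth checking it rather than trusting the installer prompts: that the key really is passphrase-protected (the option chosen above), that no compression is on (VORACLE), that the data channel is AEAD, whether it rides TCP/443, whether the pull-filter line above is present, and whether it carries the Windows-only block-outside-dns line that made the Linux client warn earlier. The audit script below is an added example written for this page; it is not part of the original post nor of angristan's script. The profile it ships with (SAMPLE_OVPN) is constructed to resemble the script's output, with placeholder PEM bodies instead of real key material, and the function and check names are mine.

```python
"""Audit an OpenVPN client profile (.ovpn) for the settings this page touches:
transport, passphrase on the client key, tls-crypt, compression, data-channel
cipher, full vs split tunnel and the Windows-only block-outside-dns line.
Added example, not from the original post or angristan's script."""
import re
import sys

# Constructed sample: passphrase-protected client for a TCP/443 server.
SAMPLE_OVPN = """\
client
proto tcp
remote 78.141.239.68 443
dev tun
remote-cert-tls server
cipher AES-128-GCM
block-outside-dns
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
PLACEHOLDER-NOT-A-REAL-KEY
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-NOT-A-REAL-KEY
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}


def parse_ovpn(text):
    """Return (options, blocks): options maps a directive to the list of its
    argument lists (directives may repeat), blocks maps an inline section
    name such as "key" or "tls-crypt" to its body."""
    options, blocks, section, body = {}, {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if section is not None:  # inside <name> ... </name>
            if line == "</%s>" % section:
                blocks[section] = "\n".join(body)
                section, body = None, []
            else:
                body.append(line)
            continue
        m = re.fullmatch(r"<([A-Za-z0-9-]+)>", line)
        if m:
            section = m.group(1)
        elif line and line[0] not in "#;":  # skip blank lines and comments
            name, *args = line.split()
            options.setdefault(name, []).append(args)
    return options, blocks


def audit_ovpn(text):
    """Return {check: (ok, note)} for a profile."""
    opts, blocks = parse_ovpn(text)
    f = {}
    # Transport: "remote host [port] [proto]" overrides a bare "proto" line.
    remote = opts.get("remote", [[]])[0]
    proto = remote[2] if len(remote) > 2 else opts.get("proto", [["udp"]])[0][0]
    f["transport"] = (True, "%s/%s" % (proto, remote[1] if len(remote) > 1 else "1194"))
    # Key at rest: easy-rsa writes PKCS#8 "ENCRYPTED PRIVATE KEY" for a password; legacy PEM uses Proc-Type.
    key = blocks.get("key", "")
    enc = "ENCRYPTED PRIVATE KEY" in key or "Proc-Type: 4,ENCRYPTED" in key
    f["key_encrypted"] = (enc, "private key " + ("passphrase-protected" if enc else "stored in the clear"))
    # Control channel: tls-crypt encrypts+authenticates the handshake, tls-auth only authenticates it.
    cc = next((k for k in ("tls-crypt", "tls-auth") if k in blocks or k in opts), None)
    f["control_channel"] = (cc is not None, cc or "no tls-crypt/tls-auth key")
    # Compression is what VORACLE needs; "comp-lzo no" and a bare "compress" only keep the framing.
    comp_on = any(a != ["no"] for a in opts.get("comp-lzo", [])) or \
        any(a[:1] in (["lzo"], ["lz4"], ["lz4-v2"]) for a in opts.get("compress", []))
    f["compression_off"] = (not comp_on, "compression " + ("enabled" if comp_on else "disabled"))
    # Data channel: everything the client may negotiate should be an AEAD cipher.
    ciphers = [c for a in opts.get("data-ciphers", []) + opts.get("cipher", []) if a for c in a[0].split(":")]
    f["aead_cipher"] = (bool(ciphers) and all(c.upper() in AEAD_CIPHERS for c in ciphers),
                        ":".join(ciphers) or "no cipher set")
    # Routing: the server pushes redirect-gateway; this pull-filter makes the client drop it.
    split = ["ignore", "redirect-gateway"] in opts.get("pull-filter", [])
    f["split_tunnel"] = (split, "default route " + ("stays local" if split else "follows the VPN if the server pushes redirect-gateway"))
    # block-outside-dns is Windows-only; Linux OpenVPN warns about it unless told to ignore it.
    bare, covered = "block-outside-dns" in opts, ["block-outside-dns"] in opts.get("ignore-unknown-option", [])
    f["block_outside_dns"] = (not bare or covered, "block-outside-dns " + (
        "absent" if not bare else "covered by ignore-unknown-option" if covered else "present, warns on Linux"))
    return f


def report(text):
    return ["[%s] %s: %s" % ("ok" if ok else "!!", k, note) for k, (ok, note) in audit_ovpn(text).items()]


if __name__ == "__main__":  # python3 audit_ovpn.py nothing.ovpn
    print("\n".join(report(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OVPN)))
```

Run it against the real profile (python3 audit_ovpn.py nothing.ovpn) and every line should read [ok] except the ones you chose deliberately: a passwordless client will show the key in the clear, and a full-tunnel profile will show the default route following the VPN. The parser deliberately treats inline blocks as opaque text, so it never needs to understand the certificates to tell you whether the key is encrypted.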

Check that your public IP has changed, for example on ipleak.net, and while you're there make sure the DNS resolver it shows is the one you picked during the install and not your ISP's:

And that's it! you now have your own self hosted vpn server.

Nihilism

Until there is Nothing left.


Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)