79 lines
3.8 KiB
Org Mode
79 lines
3.8 KiB
Org Mode
#+TITLE:
|
|
#+AUTHOR: Bob Mottram
|
|
#+EMAIL: bob@freedombone.net
|
|
#+KEYWORDS: freedombone, openvpn
|
|
#+DESCRIPTION: How to use OpenVPN on Freedombone
|
|
#+OPTIONS: ^:nil toc:nil
|
|
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
|
|
|
#+attr_html: :width 80% :height 10% :align center
|
|
[[file:images/logo.png]]
|
|
|
|
* OpenVPN
|
|
|
|
#+begin_quote
|
|
"/The Net interprets censorship as damage and routes around it./" -- John Gilmore
|
|
#+end_quote
|
|
|
|
A Virtual Private Network (VPN) allows you to move your internet traffic to a different machine in a different geographical location by creating a private cryptographically protected route to that location. The usual use cases are to get around local censorship of the internet such as when you see the message "/this content is not available in your area/" when trying to play a video. Maybe you're on holiday and your hotel or workplace internet connection is censored. Using a VPN you can connect to your home server and then use the internet normally.
|
|
|
|
Using a Tor browser is another way to get around censorship, but there might be occasions where you don't want to use a Tor browser or where Tor relays and bridges are blocked or where you want to run internet apps which aren't within a browser.
|
|
|
|
On Freedombone the VPN is wrapped within a TLS layer of encryption, making it difficult for any deep packet inspection systems to know whether you are using a VPN or not. Since there is lots of TLS traffic on the internet your connection looks like any other TLS connection to a server, and this may help to avoid being censored. It's probably not possible for your local ISP to block TLS traffic without immediately generating a lot of irate customers, and stopping any kind of commercial activity.
|
|
|
|
* Installation
|
|
|
|
ssh into the system with:
|
|
|
|
#+BEGIN_SRC bash
|
|
ssh myusername@mydomainname -p 2222
|
|
#+END_SRC
|
|
|
|
Select *Administrator controls* then *Add/Remove apps* then *vpn*. Choose the port which you want the VPN to operate on and then the install will continue.
|
|
|
|
Only use ports 443 or 80 for VPN as an /absolute last resort/, since doing so will prevent other web based apps from running on your server.
|
|
|
|
* Usage
|
|
|
|
When the installation is complete you can download your VPN keys and configuration files onto your local machine.
|
|
|
|
#+begin_src bash
|
|
scp -P 2222 myusername@mydomainname:/home/myusername/client.ovpn .
|
|
scp -P 2222 myusername@mydomainname:/home/myusername/stunnel* .
|
|
#+end_src
|
|
|
|
You will need to ensure that the /openvpn/ and /stunnel/ packages are installed. On an Arch based system:
|
|
|
|
#+begin_src bash
|
|
sudo pacman -S openvpn stunnel4
|
|
#+end_src
|
|
|
|
Or on a Debian based system:
|
|
|
|
#+begin_src bash
|
|
sudo apt-get install openvpn stunnel4
|
|
#+end_src
|
|
|
|
Now you can connect to your VPN with:
|
|
|
|
#+begin_src bash
|
|
sudo stunnel stunnel-client.conf
|
|
sudo openvpn client.ovpn
|
|
#+end_src
|
|
|
|
You should see a series of messages with "/Initialization Sequence Completed/" showing at the end. Leave the terminal open and perhaps minimize it to remain connected to the VPN. To leave the VPN close the terminal window.
|
|
|
|
* Changing port number
|
|
|
|
Avoiding censorship can be a cat and mouse game, and so if the port you're using for VPN gets blocked then you may want to change it.
|
|
|
|
#+BEGIN_SRC bash
|
|
ssh myusername@mydomainname -p 2222
|
|
#+END_SRC
|
|
|
|
Select *Administrator controls* then *App Settings* then *vpn*. Choose *Change TLS port* and enter a new port value. You can then either manually change the port within your VPN configuration files, or download them again as described in the [[Usage]] section above.
|
|
|
|
* Generating new keys
|
|
|
|
It's possible that your VPN keys might get lost or compromised on your local machine. If that happens you can generate new ones from the *Administrator controls* by going to *App Settings* then *vpn* then choosing *Regenerate keys for a user* and downloading the new keys as described in the [[Usage]] section above.
|