freedomboneeee/doc/EN/app_vpn.org

#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@freedombone.net
#+KEYWORDS: freedombone, openvpn
#+DESCRIPTION: How to use OpenVPN on Freedombone
#+OPTIONS: ^:nil toc:nil
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />

#+attr_html: :width 80% :height 10% :align center
[[file:images/logo.png]]

* OpenVPN

#+begin_quote
"/The Net interprets censorship as damage and routes around it./" -- John Gilmore
#+end_quote

A Virtual Private Network (VPN) allows you to move your internet traffic to a different machine in a different geographical location by creating a private cryptographically protected route to that location. The usual use cases are to get around local censorship of the internet such as when you see the message "/this content is not available in your area/" when trying to play a video. Maybe you're on holiday and your hotel or workplace internet connection is censored. Using a VPN you can connect to your home server and then use the internet normally.

Using a Tor browser is another way to get around censorship, but there might be occasions where you don't want to use a Tor browser or where Tor relays and bridges are blocked or where you want to run internet apps which aren't within a browser.

On Freedombone the VPN is wrapped within a TLS layer of encryption, making it difficult for any deep packet inspection systems to know whether you are using a VPN or not. Since there is lots of TLS traffic on the internet your connection looks like any other TLS connection to a server, and this may help to avoid being censored. It's probably not possible for your local ISP to block TLS traffic without immediately generating a lot of irate customers, and stopping any kind of commercial activity.

* Installation

ssh into the system with:

#+BEGIN_SRC bash
ssh myusername@mydomainname -p 2222
#+END_SRC

Select *Administrator controls* then *Add/Remove apps* then *vpn*. Choose the port which you want the VPN to operate on and then the install will continue.

Only use ports 443 or 80 for VPN as an /absolute last resort/, since doing so will prevent other web based apps from running on your server.

* Usage

When the installation is complete you can download your VPN keys and configuration files onto your local machine.

#+begin_src bash
scp -P 2222 myusername@mydomainname:/home/myusername/client.ovpn .
scp -P 2222 myusername@mydomainname:/home/myusername/stunnel* .
#+end_src

You will need to ensure that the /openvpn/ and /stunnel/ packages are installed. On an Arch based system:

#+begin_src bash
sudo pacman -S openvpn stunnel4
#+end_src

Or on a Debian based system:

#+begin_src bash
sudo apt-get install openvpn stunnel4
#+end_src

Now you can connect to your VPN with:

#+begin_src bash
sudo stunnel stunnel-client.conf
sudo openvpn client.ovpn
#+end_src

You should see a series of messages with "/Initialization Sequence Completed/" showing at the end. Leave the terminal open and perhaps minimize it to remain connected to the VPN. To leave the VPN close the terminal window.

* Changing port number

Avoiding censorship can be a cat and mouse game, and so if the port you're using for VPN gets blocked then you may want to change it.

#+BEGIN_SRC bash
ssh myusername@mydomainname -p 2222
#+END_SRC

Select *Administrator controls* then *App Settings* then *vpn*. Choose *Change TLS port* and enter a new port value. You can then either manually change the port within your VPN configuration files, or download them again as described in the [[Usage]] section above.

* Generating new keys

It's possible that your VPN keys might get lost or compromised on your local machine. If that happens you can generate new ones from the *Administrator controls* by going to *App Settings* then *vpn* then choosing *Regenerate keys for a user* and downloading the new keys as described in the [[Usage]] section above.
Documentation on vpn 2017-09-27 18:46:45 +02:00			`#+TITLE:`
			`#+AUTHOR: Bob Mottram`
			`#+EMAIL: bob@freedombone.net`
			`#+KEYWORDS: freedombone, openvpn`
			`#+DESCRIPTION: How to use OpenVPN on Freedombone`
			`#+OPTIONS: ^:nil toc:nil`
			`#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />`

New formatting on images 2018-04-12 14:01:49 +02:00			`#+attr_html: :width 80% :height 10% :align center`
Documentation on vpn 2017-09-27 18:46:45 +02:00			`[[file:images/logo.png]]`

New formatting on images 2018-04-12 14:01:49 +02:00			`* OpenVPN`
Documentation on vpn 2017-09-27 18:46:45 +02:00
			`#+begin_quote`
			`"/The Net interprets censorship as damage and routes around it./" -- John Gilmore`
			`#+end_quote`

			A Virtual Private Network (VPN) allows you to move your internet traffic to a different machine in a different geographical location by creating a private cryptographically protected route to that location. The usual use cases are to get around local censorship of the internet such as when you see the message "/this content is not available in your area/" when trying to play a video. Maybe you're on holiday and your hotel or workplace internet connection is censored. Using a VPN you can connect to your home server and then use the internet normally.

			`Using a Tor browser is another way to get around censorship, but there might be occasions where you don't want to use a Tor browser or where Tor relays and bridges are blocked or where you want to run internet apps which aren't within a browser.`

Mention TLS wrapper 2017-09-27 18:58:18 +02:00			`On Freedombone the VPN is wrapped within a TLS layer of encryption, making it difficult for any deep packet inspection systems to know whether you are using a VPN or not. Since there is lots of TLS traffic on the internet your connection looks like any other TLS connection to a server, and this may help to avoid being censored. It's probably not possible for your local ISP to block TLS traffic without immediately generating a lot of irate customers, and stopping any kind of commercial activity.`

Documentation on vpn 2017-09-27 18:46:45 +02:00			`* Installation`

			`ssh into the system with:`

			`#+BEGIN_SRC bash`
			`ssh myusername@mydomainname -p 2222`
			`#+END_SRC`

			`Select Administrator controls then Add/Remove apps then vpn. Choose the port which you want the VPN to operate on and then the install will continue.`

			`Only use ports 443 or 80 for VPN as an /absolute last resort/, since doing so will prevent other web based apps from running on your server.`

			`* Usage`

			`When the installation is complete you can download your VPN keys and configuration files onto your local machine.`

			`#+begin_src bash`
			`scp -P 2222 myusername@mydomainname:/home/myusername/client.ovpn .`
			`scp -P 2222 myusername@mydomainname:/home/myusername/stunnel* .`
			`#+end_src`

			`You will need to ensure that the /openvpn/ and /stunnel/ packages are installed. On an Arch based system:`

			`#+begin_src bash`
Describe connecting meshes 2017-10-05 15:51:55 +02:00			`sudo pacman -S openvpn stunnel4`
Documentation on vpn 2017-09-27 18:46:45 +02:00			`#+end_src`

			`Or on a Debian based system:`

			`#+begin_src bash`
			`sudo apt-get install openvpn stunnel4`
			`#+end_src`

			`Now you can connect to your VPN with:`

			`#+begin_src bash`
			`sudo stunnel stunnel-client.conf`
			`sudo openvpn client.ovpn`
			`#+end_src`

			`You should see a series of messages with "/Initialization Sequence Completed/" showing at the end. Leave the terminal open and perhaps minimize it to remain connected to the VPN. To leave the VPN close the terminal window.`

			`* Changing port number`

			`Avoiding censorship can be a cat and mouse game, and so if the port you're using for VPN gets blocked then you may want to change it.`

			`#+BEGIN_SRC bash`
			`ssh myusername@mydomainname -p 2222`
			`#+END_SRC`

			`Select Administrator controls then App Settings then vpn. Choose Change TLS port and enter a new port value. You can then either manually change the port within your VPN configuration files, or download them again as described in the [[Usage]] section above.`

			`* Generating new keys`

			`It's possible that your VPN keys might get lost or compromised on your local machine. If that happens you can generate new ones from the Administrator controls by going to App Settings then vpn then choosing Regenerate keys for a user and downloading the new keys as described in the [[Usage]] section above.`