#+TITLE: #+AUTHOR: Bob Mottram #+EMAIL: bob@freedombone.net #+KEYWORDS: freedombone, openvpn #+DESCRIPTION: How to use OpenVPN on Freedombone #+OPTIONS: ^:nil toc:nil #+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" /> #+BEGIN_CENTER [[file:images/logo.png]] #+END_CENTER #+BEGIN_EXPORT html <center> <h1>OpenVPN</h1> </center> #+END_EXPORT #+begin_quote "/The Net interprets censorship as damage and routes around it./" -- John Gilmore #+end_quote A Virtual Private Network (VPN) allows you to move your internet traffic to a different machine in a different geographical location by creating a private cryptographically protected route to that location. The usual use cases are to get around local censorship of the internet such as when you see the message "/this content is not available in your area/" when trying to play a video. Maybe you're on holiday and your hotel or workplace internet connection is censored. Using a VPN you can connect to your home server and then use the internet normally. Using a Tor browser is another way to get around censorship, but there might be occasions where you don't want to use a Tor browser or where Tor relays and bridges are blocked or where you want to run internet apps which aren't within a browser. On Freedombone the VPN is wrapped within a TLS layer of encryption, making it difficult for any deep packet inspection systems to know whether you are using a VPN or not. Since there is lots of TLS traffic on the internet your connection looks like any other TLS connection to a server, and this may help to avoid being censored. It's probably not possible for your local ISP to block TLS traffic without immediately generating a lot of irate customers, and stopping any kind of commercial activity. * Installation ssh into the system with: #+BEGIN_SRC bash ssh myusername@mydomainname -p 2222 #+END_SRC Select *Administrator controls* then *Add/Remove apps* then *vpn*. Choose the port which you want the VPN to operate on and then the install will continue. Only use ports 443 or 80 for VPN as an /absolute last resort/, since doing so will prevent other web based apps from running on your server. * Usage When the installation is complete you can download your VPN keys and configuration files onto your local machine. #+begin_src bash scp -P 2222 myusername@mydomainname:/home/myusername/client.ovpn . scp -P 2222 myusername@mydomainname:/home/myusername/stunnel* . #+end_src You will need to ensure that the /openvpn/ and /stunnel/ packages are installed. On an Arch based system: #+begin_src bash sudo pacman -S openvpn stunnel4 #+end_src Or on a Debian based system: #+begin_src bash sudo apt-get install openvpn stunnel4 #+end_src Now you can connect to your VPN with: #+begin_src bash sudo stunnel stunnel-client.conf sudo openvpn client.ovpn #+end_src You should see a series of messages with "/Initialization Sequence Completed/" showing at the end. Leave the terminal open and perhaps minimize it to remain connected to the VPN. To leave the VPN close the terminal window. * Changing port number Avoiding censorship can be a cat and mouse game, and so if the port you're using for VPN gets blocked then you may want to change it. #+BEGIN_SRC bash ssh myusername@mydomainname -p 2222 #+END_SRC Select *Administrator controls* then *App Settings* then *vpn*. Choose *Change TLS port* and enter a new port value. You can then either manually change the port within your VPN configuration files, or download them again as described in the [[Usage]] section above. * Generating new keys It's possible that your VPN keys might get lost or compromised on your local machine. If that happens you can generate new ones from the *Administrator controls* by going to *App Settings* then *vpn* then choosing *Regenerate keys for a user* and downloading the new keys as described in the [[Usage]] section above.