#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@freedombone.net
#+KEYWORDS: freedombone, openvpn
#+DESCRIPTION: How to use OpenVPN on Freedombone
#+OPTIONS: ^:nil toc:nil
#+HTML_HEAD:
#+BEGIN_CENTER
[[file:images/logo.png]]
#+END_CENTER
#+BEGIN_EXPORT html
OpenVPN
#+END_EXPORT
#+begin_quote
"/The Net interprets censorship as damage and routes around it./" -- John Gilmore
#+end_quote
A Virtual Private Network (VPN) allows you to move your internet traffic to a different machine in a different geographical location by creating a private cryptographically protected route to that location. The usual use cases are to get around local censorship of the internet such as when you see the message "/this content is not available in your area/" when trying to play a video. Maybe you're on holiday and your hotel or workplace internet connection is censored. Using a VPN you can connect to your home server and then use the internet normally.
Using a Tor browser is another way to get around censorship, but there might be occasions where you don't want to use a Tor browser or where Tor relays and bridges are blocked or where you want to run internet apps which aren't within a browser.
On Freedombone the VPN is wrapped within a TLS layer of encryption, making it difficult for any deep packet inspection systems to know whether you are using a VPN or not. Since there is lots of TLS traffic on the internet your connection looks like any other TLS connection to a server, and this may help to avoid being censored. It's probably not possible for your local ISP to block TLS traffic without immediately generating a lot of irate customers, and stopping any kind of commercial activity.
* Installation
ssh into the system with:
#+BEGIN_SRC bash
ssh myusername@mydomainname -p 2222
#+END_SRC
Select *Administrator controls* then *Add/Remove apps* then *vpn*. Choose the port which you want the VPN to operate on and then the install will continue.
Only use ports 443 or 80 for VPN as an /absolute last resort/, since doing so will prevent other web based apps from running on your server.
* Usage
When the installation is complete you can download your VPN keys and configuration files onto your local machine.
#+begin_src bash
scp -P 2222 myusername@mydomainname:/home/myusername/client.ovpn .
scp -P 2222 myusername@mydomainname:/home/myusername/stunnel* .
#+end_src
You will need to ensure that the /openvpn/ and /stunnel/ packages are installed. On an Arch based system:
#+begin_src bash
sudp pacman -S openvpn stunnel4
#+end_src
Or on a Debian based system:
#+begin_src bash
sudo apt-get install openvpn stunnel4
#+end_src
Now you can connect to your VPN with:
#+begin_src bash
sudo stunnel stunnel-client.conf
sudo openvpn client.ovpn
#+end_src
You should see a series of messages with "/Initialization Sequence Completed/" showing at the end. Leave the terminal open and perhaps minimize it to remain connected to the VPN. To leave the VPN close the terminal window.
* Changing port number
Avoiding censorship can be a cat and mouse game, and so if the port you're using for VPN gets blocked then you may want to change it.
#+BEGIN_SRC bash
ssh myusername@mydomainname -p 2222
#+END_SRC
Select *Administrator controls* then *App Settings* then *vpn*. Choose *Change TLS port* and enter a new port value. You can then either manually change the port within your VPN configuration files, or download them again as described in the [[Usage]] section above.
* Generating new keys
It's possible that your VPN keys might get lost or compromised on your local machine. If that happens you can generate new ones from the *Administrator controls* by going to *App Settings* then *vpn* then choosing *Regenerate keys for a user* and downloading the new keys as described in the [[Usage]] section above.