This guide is for those who live or travel in a country with very strict internet control. For example, China uses the Great Firewall to actively seek out VPN connections and block VPN servers. The GFW has been upgraded over the years and, as of now, it is known to use Deep Packet Inspection to identify and block PPTP and OpenVPN connections. It usually takes the GFW 30 minutes or less to block your connection. However, we can scramble our VPN connection to bypass the GFW. In this guide, I will show you how to set up a scrambled OpenVPN server and a SoftEther VPN server. Hopefully, this guide will be useful to some of you.
VPN protocols blocked by GFW
- PPTP
- OpenVPN
- L2TP (Certain ISPs)
VPN protocols that GFW cannot detect as of now
- Scrambled OpenVPN
- SoftEther protocol
- L2TP over IPsec
- SSTP
- VPN over ICMP / VPN over DNS
Test environment
- Server: CentOS 6 (OpenVZ)
- Client: Ubuntu / Windows 8.1
I have tested the above protocols on China Telecom's residential fiber network. I would appreciate it if someone on China Unicom could let me know whether this guide works for them.
Setting up your scrambled OpenVPN server
Prerequisites:
Install the RHEL EPEL Repo on CentOS 6
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
sudo rpm -Uvh epel-release-6*.rpm
Update your system
sudo yum upgrade
Install these packages so we can compile OpenVPN from source later
sudo yum install autoconf.noarch automake file gcc libtool patch quilt git make rpm-build zlib-devel pam-devel openssl-devel lzo-devel
If your VPS is OpenVZ based, you need to enable TUN/TAP.
Building OpenVPN from source
Download the OpenVPN source and the packet obfuscation patch.
wget https://github.com/OpenVPN/openvpn/archive/release/2.3.zip
wget https://github.com/clayface/openvpn_xorpatch/archive/master.zip
unzip 2.3.zip
unzip master.zip
Backup links in case the files above are deleted from GitHub:
OpenVPN 2.3.2: https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/2.3.zip
Obfuscate patch: https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/master.zip
Apply the patch to the source files.
cp openvpn_xorpatch-master/openvpn_xor.patch openvpn-release-2.3/
cd openvpn-release-2.3/
git apply --check openvpn_xor.patch
git apply openvpn_xor.patch
cd ..
sudo mv ./openvpn-release-2.3/ /etc/openvpn
Make sure you have installed the packages from the prerequisites section. We will now build the OpenVPN server from source.
cd /etc/openvpn/
sudo autoreconf -i -v -f
sudo ./configure --prefix=/usr
sudo make
sudo make install
Let's set OpenVPN to start on boot.
sudo wget https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/openvpn -O /etc/rc.d/init.d/openvpn
sudo chmod +x /etc/rc.d/init.d/openvpn
sudo chkconfig --add openvpn
sudo chkconfig openvpn on
Make sure the startup script is correctly set.
chkconfig --list | grep openvpn
Now that our OpenVPN server is installed, we need to download the Easy-RSA package for creating keys and certificates.
cd /etc/openvpn
wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz
tar zxvf easy-rsa-2.2.0_master.tar.gz
sudo cp -R easy-rsa-2.2.0_master/easy-rsa/ /etc/openvpn/
sudo chown -R $USER /etc/openvpn/easy-rsa/
Fill in whatever info you want to build the CA certificate.
cd /etc/openvpn/easy-rsa/2.0/
source vars
./clean-all
./build-ca
You will be asked for a password in the following step, and you will need to answer y to sign and commit the certificate.
./build-key-server server
This step might take a minute. The output file is named after KEY_SIZE in vars (dh1024.pem here; if you raised KEY_SIZE to 2048 it will be dh2048.pem, so adjust the copy step below accordingly).
./build-dh
We are now building the client key; you can build as many as you want by changing client to another name. I recommend building multiple client keys if you plan to share. Please answer y to sign at the end.
./build-key client
Now copy the server-side certificates and keys to their location.
sudo cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
Now copy the client files to a separate folder and generate a ta.key.
sudo mkdir $HOME/client-files
sudo cp ca.crt client.crt client.key $HOME/client-files
sudo openvpn --genkey --secret /etc/openvpn/ta.key
sudo cp /etc/openvpn/ta.key $HOME/client-files
Let's create the OpenVPN client configuration file now. You will need to fill in your server's IP, and you can choose any keyword after scramble obfuscate. Just make sure you use the same keyword in your server configuration file as well. Also, choose a UDP port that suits your network; we will use 443 in this tutorial.
sudo nano $HOME/client-files/scrambled-client.ovpn
client
dev tun
scramble obfuscate guardian
proto udp
remote **YOUR SERVER IP** 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3
fast-io
script-security 2
Now that we have the configuration file handy, we will merge the certificates and keys into it to make an inline configuration file. (If you did not name your certificates as in the examples above, download the merge.sh script and change its parameters.)
sudo wget https://dl.dropboxusercontent.com/u/83358635/Filehost/VPN/merge.sh -O $HOME/client-files/merge.sh
cd $HOME/client-files/
sudo chmod +x $HOME/client-files/merge.sh
sudo $HOME/client-files/merge.sh
sudo chown $USER $HOME/client-files/scrambled-client.ovpn
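For reference, here is an added example of what such a merge does (written for this guide, not the author's merge.sh): it reads the file names from the ca, cert, key and tls-auth directives of the .ovpn itself, so any naming works, drops those directives, carries the tls-auth direction over as key-direction, and appends the PEM data in <ca>, <cert>, <key> and <tls-auth> blocks. The function name merge_inline and its three arguments are assumptions of this example.

```shell
#!/bin/sh
# merge_inline <client.ovpn> <directory holding the referenced files> <output.ovpn>
# Added example, not the guide's merge.sh. Builds a single-file OpenVPN
# client config by embedding the files named in the ca/cert/key/tls-auth
# directives; every other line (scramble, remote, cipher, ...) is kept as-is.
merge_inline() {
    in_cfg="$1"; dir="$2"; out_cfg="$3"
    # Copy everything except the four file-reference directives.
    grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$in_cfg" > "$out_cfg"
    for tag in ca cert key tls-auth; do
        # Second field of the directive is the file name; skip if absent.
        file=$(awk -v t="$tag" '$1==t {print $2; exit}' "$in_cfg")
        [ -n "$file" ] || continue
        case "$file" in /*) ;; *) file="$dir/$file" ;; esac
        [ -r "$file" ] || { echo "merge_inline: cannot read $file" >&2; return 1; }
        if [ "$tag" = tls-auth ]; then
            # 'tls-auth ta.key 1' -> the direction must survive as 'key-direction 1'.
            kd=$(awk '$1=="tls-auth" {print $3; exit}' "$in_cfg")
            if [ -n "$kd" ]; then printf 'key-direction %s\n' "$kd" >> "$out_cfg"; fi
        fi
        printf '<%s>\n' "$tag" >> "$out_cfg"
        cat "$file" >> "$out_cfg"
        printf '</%s>\n' "$tag" >> "$out_cfg"
    done
}
```

The resulting file contains the private key, so treat it like client.key when transferring it.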
The client configuration file is ready. Transfer it to your computer. You can use SFTP via Filezilla.
We will set up the configuration file on the server side now.
sudo nano /etc/openvpn/server.conf
Please make sure that you use the same keyword after scramble obfuscate as in the client configuration file. Don't forget to set the same port as well.
port 443
proto udp
dev tun
scramble obfuscate guardian
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
tls-auth /etc/openvpn/ta.key 0
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
user nobody # If server fails to start, please change this to an existing user
group openvpn # If server fails to start, please change this to an existing group
status openvpn-status.log
verb 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
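Both the client step and the server step above depend on the two files agreeing: same scramble keyword, same port and transport, same cipher, and opposite tls-auth directions (0 on the server, 1 on the client). The check below, an added example written for this guide and not part of it, compares a server.conf with a client .ovpn and reports each mismatch before you start the service; check_pair and cfg_val are names assumed by this example.

```shell
#!/bin/sh
# cfg_val <file> <directive> -> the directive's arguments, or "" if absent.
cfg_val() {
    awk -v d="$2" '$1==d {$1=""; sub(/^ +/, ""); print; exit}' "$1"
}

# check_pair <server.conf> <client.ovpn>: prints every mismatch, returns 1 if any.
# Added example; assumes 'remote HOST PORT' on the client with a single-token host.
check_pair() {
    server="$1"; client="$2"; rc=0
    # The scramble keyword, transport and cipher must be identical on both ends.
    for d in scramble proto cipher; do
        s=$(cfg_val "$server" "$d"); c=$(cfg_val "$client" "$d")
        if [ "$s" != "$c" ]; then echo "$d: server='$s' client='$c'"; rc=1; fi
    done
    # Server listens on 'port N'; the client must dial that same N in 'remote'.
    sport=$(cfg_val "$server" port)
    cport=$(cfg_val "$client" remote | awk '{print $2}')
    if [ "$sport" != "$cport" ]; then echo "port: server='$sport' client='$cport'"; rc=1; fi
    # tls-auth key direction: 0 on the server, 1 on the client, never the same.
    sdir=$(cfg_val "$server" tls-auth | awk '{print $2}')
    cdir=$(cfg_val "$client" tls-auth | awk '{print $2}')
    if [ "$sdir" != 0 ] || [ "$cdir" != 1 ]; then
        echo "tls-auth direction: server='$sdir' client='$cdir'"; rc=1
    fi
    return $rc
}
```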