For my first “real” post, I figured I’d share a quick guide on something else I did during my free time.  First, however, some background:

Turns out smartphone plans like Tmobile’s $30 unlimited data+text+100 minutes plan aren’t supposed to let you tether. I learned this the hard way last year when I started seeing a warning message any time I tried to use my laptop.  Evidently they’re sniffing your packets for HTTP messages and if your user agent string isn’t a mobile browser, your requests result in aforementioned up-selling marketing frustration.  For a while, I was able to get around this with a user-agent switcher, but then that stopped working, too.  I noticed HTTPS pages continued to work however, so I tried browsing while connected to my company VPN and voilà - I could keep tethering away without further problems.

Well, once I wasn’t working at BrightTag anymore, that meant no more VPN access, which meant I was back to no tethering.  Not to be shown up by the telcos, I figured I’d finally learn how to set up OpenVPN for myself.  Turns out it’s not too bad.  I took notes while I did it and here are the results...

Josh’s quick guide to beating T-Mobile.. er, setting up OpenVPN.

Most of this is taken straight from here:

This guide assumes you have Ubuntu server for the VPN server.

Start by installing the latest version of openvpn from apt:

sudo apt-get install openvpn

# Optional!

We can benefit from installing haveged (an entropy daemon), so we can generate certs and keys quickly instead of waiting on /dev/random:

sudo apt-get install haveged

Copy the easy-rsa directory to /etc/openvpn so we can generate certs and keys:

sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn/easy-rsa

cd /etc/openvpn/easy-rsa/2.0

Here’s how we use easy-rsa. First, become root, since all of these commands are run in a root-owned directory:

sudo su -

. vars


./build-ca   # Follow the prompts to make your certificate authority (CA) cert

# For the next two, make sure the CommonName is the same - I use the hostname of the server

./build-key-server <servername> # Follow the prompts to make your server cert and key

./build-key <client1name> # Follow the prompts to make a client key - repeat as needed

KEY_SIZE=2048 ./build-dh  # Generates 2048-bit Diffie-Hellman parameters (dh2048.pem); the default from vars is 1024

This puts all the necessary files under ./keys/.  Make a zip of this dir and store it in a safe place.  I also just copied everything into /etc/openvpn:

cp keys/* /etc/openvpn

Now you need to fix your server.conf.  Start with a copy from the example dir:

cd /etc/openvpn

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz .

gunzip server.conf.gz

Then change the following lines in server.conf (left: the line as shipped in the sample, right: what it should become):

;local a.b.c.d                             =>  local <your interface IP>

cert server.crt                            =>  cert <commonName>.crt

key server.key                             =>  key <commonName>.key

dh dh1024.pem                              =>  dh dh2048.pem

;push "redirect-gateway def1 bypass-dhcp"  =>  push "redirect-gateway def1"

;user nobody                               =>  user nobody

;group nogroup                             =>  group nogroup

The last two drop the daemon’s privileges to nobody/nogroup after it starts, so that a compromised openvpn process is not running as root.
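Making those edits by hand works, but a scripted version is easier to re-run and to check. The script below is an added example, not code from the original post; it assumes the path to server.conf, the interface IP and the server’s commonName are passed in as arguments, and it includes a constructed excerpt of the stock sample server.conf so it can be tried on a scratch file. The check step catches the easy slip of leaving `key` pointing at the wrong file.

```shell
#!/bin/sh
# Added example (not from the original post): apply the server.conf edits
# listed above with sed, then verify the result.
# Assumed arguments: FILE (path to server.conf), LOCAL_IP (interface IP),
# COMMON_NAME (the commonName given to build-key-server).

# apply_server_conf_edits FILE LOCAL_IP COMMON_NAME
apply_server_conf_edits() {
    file=$1; local_ip=$2; cn=$3
    # Each expression targets one of the sample lines exactly as shipped, so
    # running this twice is harmless: the second run matches nothing.
    sed \
        -e "s|^;local a\.b\.c\.d.*|local $local_ip|" \
        -e "s|^cert server\.crt.*|cert $cn.crt|" \
        -e "s|^key server\.key.*|key $cn.key|" \
        -e 's|^dh dh[0-9]*\.pem.*|dh dh2048.pem|' \
        -e 's|^;push "redirect-gateway def1 bypass-dhcp".*|push "redirect-gateway def1"|' \
        -e 's|^;user nobody.*|user nobody|' \
        -e 's|^;group nogroup.*|group nogroup|' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# check_server_conf FILE
# Verifies every edited directive is present and active (not commented out).
# Returns non-zero and names the missing directive(s) on stderr.
check_server_conf() {
    file=$1; status=0
    for want in '^local ' '^cert ' '^key ' '^dh dh2048\.pem' \
                '^push "redirect-gateway def1"' '^user nobody' '^group nogroup'; do
        grep -q -- "$want" "$file" || { echo "missing directive: $want" >&2; status=1; }
    done
    return $status
}

# make_sample_conf FILE
# Constructed excerpt of the stock sample server.conf (not the full file),
# used only so the example can be run on a scratch file.
make_sample_conf() {
    cat > "$1" <<'EOF'
;local a.b.c.d
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
;push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
;user nobody
;group nogroup
persist-key
persist-tun
EOF
}

# Stand-alone demonstration: ./edit-server-conf.sh --demo
# (hypothetical script name; the IP and commonName below are placeholders)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_conf "$tmp"
    apply_server_conf_edits "$tmp" 192.0.2.10 vpnhost
    check_server_conf "$tmp" && echo "server.conf edits verified:" && cat "$tmp"
    rm -f "$tmp"
fi
```

To use it on the real file, run `apply_server_conf_edits /etc/openvpn/server.conf <your interface IP> <commonName>` as root, followed by `check_server_conf /etc/openvpn/server.conf`; the sed matches are anchored to the sample’s exact lines, so a hand-edited server.conf that no longer contains them is left untouched and the check reports what is missing.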

Now enable IP forwarding with sysctl and add the iptables rules that forward and NAT the VPN clients’ traffic (the sample server.conf hands out addresses from 10.8.0.0/24, so that is the VPN subnet unless you changed the server line):

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -s <VPN subnet> -j ACCEPT

iptables -A FORWARD -j REJECT

iptables -t nat -A POSTROUTING -s <VPN subnet> -o eth0 -j MASQUERADE

Then save both of these and ensure they’ll work on startup next time:

echo "# This is for openvpn
net.ipv4.ip_forward = 1" > /etc/sysctl.d/20-ipforwarding.conf

Reference this page to save and restore your iptables rules properly depending on whether or not you’re using NetworkManager:
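One way to persist the iptables rules, as an added example that is not part of the original post: write the same FORWARD and POSTROUTING rules in the format `iptables-restore` reads, and sanity-check the file before loading it. The script assumes the VPN subnet (10.8.0.0/24 with the sample server.conf), the outbound interface (eth0 above) and the output path are supplied by the caller; the function and file names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): generate and check an
# iptables-restore rules file for the OpenVPN forwarding setup above.
# Assumed arguments: SUBNET (VPN subnet in CIDR form), IFACE (outbound
# interface), OUTFILE (where to write the rules).

# write_vpn_rules SUBNET IFACE OUTFILE
# Emits the same rules as the four iptables commands above, in the
# *table / -A ... / COMMIT layout that iptables-restore expects.
write_vpn_rules() {
    subnet=$1; iface=$2; out=$3
    # Refuse anything that is not a plain IPv4 CIDR before it lands in a file
    # that will later be fed to iptables-restore as root.
    case "$subnet" in
        */*) ;;
        *) echo "subnet must be CIDR, e.g. 10.8.0.0/24" >&2; return 2 ;;
    esac
    case "$subnet" in
        *[!0-9./]*) echo "subnet contains unexpected characters" >&2; return 2 ;;
    esac
    cat > "$out" <<EOF
# Generated for OpenVPN: forward and masquerade $subnet via $iface
*filter
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s $subnet -j ACCEPT
-A FORWARD -j REJECT
COMMIT
*nat
-A POSTROUTING -s $subnet -o $iface -j MASQUERADE
COMMIT
EOF
}

# check_vpn_rules FILE SUBNET IFACE
# Verifies the file before it is loaded: both tables end in COMMIT, the
# ACCEPT for the VPN subnet comes before the catch-all REJECT (order is what
# makes the chain work), and the masquerade names the expected interface.
# Returns non-zero on the first problem found.
check_vpn_rules() {
    file=$1; subnet=$2; iface=$3
    [ "$(grep -c '^COMMIT$' "$file")" -eq 2 ] \
        || { echo "expected two COMMIT lines" >&2; return 1; }
    accept_line=$(grep -n -- "^-A FORWARD -s $subnet -j ACCEPT$" "$file" | cut -d: -f1)
    reject_line=$(grep -n -- '^-A FORWARD -j REJECT$' "$file" | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$reject_line" ] \
        || { echo "FORWARD rules incomplete" >&2; return 1; }
    [ "$accept_line" -lt "$reject_line" ] \
        || { echo "REJECT precedes the subnet ACCEPT; VPN traffic would be dropped" >&2; return 1; }
    grep -q -- "^-A POSTROUTING -s $subnet -o $iface -j MASQUERADE$" "$file" \
        || { echo "MASQUERADE rule for $iface missing" >&2; return 1; }
}

# Stand-alone demonstration: ./vpn-rules.sh --demo  (hypothetical script name)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_vpn_rules 10.8.0.0/24 eth0 "$tmp"
    check_vpn_rules "$tmp" 10.8.0.0/24 eth0 && cat "$tmp"
    rm -f "$tmp"
fi
```

Once the file checks out, load it with `iptables-restore < /etc/iptables.rules` (for example from a script in /etc/network/if-pre-up.d/ when /etc/network/interfaces manages the NIC), or install the `iptables-persistent` package and put the file at /etc/iptables/rules.v4 so it is restored at boot. Note that the catch-all `-A FORWARD -j REJECT` applies to every forwarded packet on the host, not just VPN traffic, so look at any existing FORWARD rules before loading this on a box that also routes for something else.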

We’re done with the server for now... finally!  Now you need to configure your client configurations for openvpn.  The same examples directory has a nice client example (client.conf) in which the only things you should have to change are the name or address of your server on the remote line and the names of the cert and key files.  Assuming you’ve done everything properly, you should be able to connect to your server (after starting it, of course) from your client and browse the web using your server’s IP address.  If that doesn’t work, use this awesome flowchart to troubleshoot: