For my first “real” post, I figured I’d share a quick guide on something else I did during my free time. First, however, some background:
Turns out smartphone plans like T-Mobile’s $30 unlimited data+text+100 minutes plan aren’t supposed to let you tether. I learned this the hard way last year when I started seeing a warning message any time I tried to use my laptop. Evidently they’re sniffing your packets for HTTP messages, and if your user agent string isn’t a mobile browser, your requests result in the aforementioned up-selling marketing frustration. For a while, I was able to get around this with a user-agent switcher, but then that stopped working, too. I noticed HTTPS pages continued to work, however, so I tried browsing while connected to my company VPN and voilà - I could keep tethering away without further problems.
Well, once I wasn’t working at BrightTag anymore, that meant no more VPN access, which meant I was back to no tethering. Not to be shown up by the telcos, I figured I’d finally learn how to set up OpenVPN for myself. Turns out it’s not too bad. I took notes while I did it and here are the results...
Most of this is taken straight from here: http://openvpn.net/index.php/open-source/documentation/howto.html#pki
This guide assumes you have Ubuntu server for the VPN server.
Start by installing the latest version of openvpn from apt:
sudo apt-get install openvpn
We can benefit from installing haveged, which feeds the kernel entropy pool so we can generate certs and keys quickly:
sudo apt-get install haveged
Copy the easy-rsa directory to /etc/openvpn so we can generate certs and keys:
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn/easy-rsa
Here’s how we use easy-rsa. First, become root, since all of these commands run in a root-owned directory:
sudo su -
cd /etc/openvpn/easy-rsa/2.0 # The scripts live in the 2.0 subdirectory of the copy made above
source ./vars # Loads KEY_DIR, KEY_SIZE, etc.; build-* refuses to run without this
./clean-all # First run only: wipes ./keys/, so never rerun it once you have a CA
./build-ca # Follow the prompts to make your certificate authority (CA) cert
# For the next two, make sure the CommonName is the same - I use the hostname of the server
./build-key-server <servername> # Follow the prompts to make your server cert and key
./build-key <client1name> # Follow the prompts to make a client key - repeat as needed
KEY_SIZE=2048 ./build-dh # Generates Diffie Hellman parameters (dh2048.pem)
This puts all the necessary files under ./keys/. Make a zip of this dir and store it in a safe place. I also just copied everything into /etc/openvpn (strictly, the server only needs ca.crt, its own cert and key, and the DH file; ca.key is what signs new client certs and does not have to live on the VPN server):
cp keys/* /etc/openvpn
Now you need to fix your server.conf. Start with a copy from the example dir and unpack it:
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz .
gunzip server.conf.gz
Then change the following lines in server.conf:
;local a.b.c.d => local <your interface IP>
cert server.crt => cert <commonName>.crt
key server.key => key <commonName>.key
dh dh1024.pem => dh dh2048.pem
;push "redirect-gateway def1 bypass-dhcp" => push "redirect-gateway def1"
;user nobody => user nobody
;group nogroup => group nogroup
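As an added example (not from the original post or the OpenVPN project), here is a small shell script that applies the edits above with sed and then checks that every file the config references actually exists next to it. The function names, the argument order and the sample values are my own assumptions.

```shell
#!/bin/sh
# Added example: apply the server.conf edits from the guide and sanity-check the result.
# Assumes the gunzipped sample server.conf and the easy-rsa output are in the same dir.
set -eu

# patch_server_conf <server.conf> <commonName> <interface IP>
# Each sed expression mirrors one "before => after" line of the guide.
patch_server_conf() {
    conf=$1 cn=$2 ip=$3
    sed \
        -e "s|^;local a\.b\.c\.d|local $ip|" \
        -e "s|^cert server\.crt|cert $cn.crt|" \
        -e "s|^key server\.key|key $cn.key|" \
        -e "s|^dh dh1024\.pem|dh dh2048.pem|" \
        -e 's|^;push "redirect-gateway def1 bypass-dhcp"|push "redirect-gateway def1"|' \
        -e 's|^;user nobody|user nobody|' \
        -e 's|^;group nogroup|group nogroup|' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# check_server_conf <server.conf> <dir>
# Lists every ca/cert/key/dh file the (uncommented) config references and
# reports those missing from <dir>; returns 1 if any are missing.
check_server_conf() {
    conf=$1 dir=$2 rc=0
    for f in $(awk '$1 ~ /^(ca|cert|key|dh)$/ {print $2}' "$conf"); do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f" >&2; rc=1; }
    done
    return $rc
}

# Typical use on the server (constructed values):
#   patch_server_conf /etc/openvpn/server.conf vpnhost 192.0.2.10
#   check_server_conf /etc/openvpn/server.conf /etc/openvpn
```

Running check_server_conf before starting the service catches the most common failure on this path: a cert/key filename in server.conf that does not match the Common Name easy-rsa actually used.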
Now enable IP forwarding with sysctl, and use iptables to forward and NAT traffic from the VPN subnet (10.8.0.0/24 is the sample config’s default) out through eth0:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Then save both of these and ensure they’ll still be in effect after the next reboot:
echo "# This is for openvpn
net.ipv4.ip_forward = 1" > /etc/sysctl.d/20-ipforwarding.conf
Reference this page to save and restore your iptables rules properly depending on whether or not you’re using NetworkManager: https://help.ubuntu.com/community/IptablesHowTo
We’re done with the server for now... finally! Now you need to create your client configuration for openvpn. The same examples directory has a nice client example in which the only things you should have to change are the name or address of your server and the names of the cert and key files. Assuming you’ve done everything properly, you should be able to connect to your server (after starting it, of course) from your client and browse the web using your server’s IP address. If that doesn’t work, use this awesome flowchart to troubleshoot: