
kolargol / openvpn

Licence: GPL-3.0 license
Build your own private VPN server. OpenVPN, Scramblesuit and DNS up in less than 5 minutes

Programming Languages

shell


OpenVPN with DNS server

(This is the UDP branch, oriented towards high performance. If you are looking for the Scramblesuit version, see master, but be warned that master is no longer developed.)

This Ansible playbook installs, from scratch, your own OpenVPN server together with a DNS server, within minutes. Level of knowledge required: basic.

There is no bul**hit and no unnecessary clunky software: it is based on OpenBSD 6.2 and a simple Ansible playbook that anyone can read. Once the playbook finishes, you have two ready-to-use archives with configs and everything needed to connect to your VPN: one for the Viscosity desktop app and one for the iPhone OpenVPN app (ovpn). You can easily create more keypairs/configs for more users and adapt it to your needs. Really simple; see below for usage.

Why?

Because other solutions are crap. So-called "private" VPNs that are sold to you are not private: you let an unknown party watch all your traffic, and they can sell it to ad companies or do whatever they want with your data. It is really stupid, and people are unaware of it. This playbook protects your data in transit, and the server does not store anything related to traffic or DNS queries, so even in the unlikely event that your VPN server is breached, the attacker finds no history to harm you with (they can of course watch live traffic until you notice the server was pwned). Read below why using a VPN on your mobile and desktop is important.

Security

I use Easy-RSA 3 to set up the PKI; it is easy to manage (see below), and the keypairs are ECC on the secp256k1 curve.

The control channel uses TLS 1.2 with ECDHE-ECDSA-AES256-GCM-SHA384, and the data channel uses AES-256-GCM. In addition, OpenVPN is configured with tls-crypt, which encrypts and authenticates every control-channel packet with a pre-shared symmetric key, so the TLS handshake itself is hidden and unauthenticated packets are dropped before they ever reach the TLS stack. The control-channel keys are 256-bit EC (curve secp256k1) by default. Keep in mind that the tls-crypt key is a single static key shared by the server and every client profile: revoking a client's certificate does not revoke that key, so rotating it means regenerating all client configs.

There are other settings that keep the connection safe, such as EKU enforcement on the peer certificate and CA hash verification; see the config for details.
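To make the settings above concrete, here is an added example (my own script, not part of the kolargol/openvpn playbook) that audits an OpenVPN config against them. It reads a server.conf or client .ovpn on stdin and reports every weak or missing setting; the directive names are OpenVPN's own, and the two sample configs at the bottom are constructed for illustration (the hostname vpn.example.org is a placeholder).

```shell
#!/bin/sh
# Audit an OpenVPN config read from stdin against the hardening described above:
# tls-crypt, AES-256-GCM data channel, TLS 1.2 + ECDHE-ECDSA-AES256-GCM-SHA384
# control channel, EKU check, no compression. Prints one FINDING line per problem
# and returns the number of findings (0 means "as hardened as the README says").

audit_ovpn_config() {
  # Drop '#' and ';' comments and blank lines, trim leading whitespace.
  cfg=$(sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e '/^$/d')
  n=0
  has() { printf '%s\n' "$cfg" | grep -Eq "$1"; }
  finding() { n=$((n + 1)); echo "FINDING: $1"; }

  # tls-crypt: PSK encryption + authentication of the whole control channel;
  # given either as a key file path or as an inline <tls-crypt> block.
  has '^tls-crypt([[:space:]]|$)' || has '^<tls-crypt>$' \
    || finding "no tls-crypt: control channel is not wrapped with a pre-shared key"

  # Data channel: AES-256-GCM ('cipher' on OpenVPN 2.4, 'data-ciphers' on 2.5+).
  has '^(cipher|data-ciphers)[[:space:]]+AES-256-GCM([[:space:]]|$)' \
    || finding "data channel cipher is not AES-256-GCM"

  # Control channel: TLS 1.2 minimum and the ECDHE-ECDSA AES-256-GCM suite
  # (OpenVPN accepts both the IANA-style and the OpenSSL-style suite name).
  has '^tls-version-min[[:space:]]+1\.2' \
    || finding "no 'tls-version-min 1.2': older TLS versions are accepted"
  has '^tls-cipher[[:space:]]+(TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384|ECDHE-ECDSA-AES256-GCM-SHA384)' \
    || finding "tls-cipher does not pin ECDHE-ECDSA-AES256-GCM-SHA384"

  # EKU check: reject a peer that presents a client cert as the server (or vice versa).
  has '^remote-cert-tls[[:space:]]+(server|client)([[:space:]]|$)' \
    || finding "no remote-cert-tls: peer certificate EKU is not checked"

  # Compression lets an attacker who controls part of the plaintext learn the rest
  # from packet sizes (compression-oracle attacks); 'compress stub' and
  # 'comp-lzo no' keep framing only and are not flagged.
  if has '^comp-lzo([[:space:]]+(yes|adaptive))?$' || has '^compress([[:space:]]+(lzo|lz4|lz4-v2))?$'; then
    finding "compression enabled (comp-lzo/compress): remove it"
  fi

  return $n
}

# Constructed sample: a client profile with none of the hardening above.
sample_weak_config() {
  cat <<'EOF'
client
dev tun
proto udp
remote vpn.example.org 1194
cipher AES-128-CBC   ; legacy CBC mode
auth SHA1
comp-lzo
EOF
}

# Constructed sample: the settings the README describes (key material omitted).
sample_hardened_config() {
  cat <<'EOF'
client
dev tun
proto udp
remote vpn.example.org 53
tls-crypt ta.key
cipher AES-256-GCM
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
remote-cert-tls server
EOF
}

# Usage:  audit_ovpn_config < /etc/openvpn/server.conf
#         audit_ovpn_config < privateVPN-Desktop-JohnDoe.ovpn
```

Run it against both the server config and each generated client profile: the profile is what leaves your hands, and a client that silently accepts a weaker cipher or skips remote-cert-tls undoes the server-side hardening.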

The last item on the list is the DNS server that this playbook sets up: Unbound, running as a validating DNSSEC resolver. Clients are pointed only at this resolver, so your queries do not leak to other providers and you always use your own DNS server. I do not use Google DNS or other crap caching services like OpenDNS (which, incidentally, strips DNSSEC signatures from records, which can fairly be called fraudulent in itself). You can check for DNS leaks on a site like https://www.dnsleaktest.com, and verify at https://dnssec.vs.uni-due.de that DNSSEC validation works as expected.
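Besides the two websites, you can check the resolver from the command line of a connected client. The following is an added example (my own script, not part of the playbook): two small parsers for dig output plus a live check. VPN_DNS is an assumption, namely that the server answers DNS on 172.17.200.1 inside the VPN network; cloudflare.com stands in for any DNSSEC-signed zone, and dnssec-failed.org is a zone published with a deliberately broken signature. The sample dig headers at the bottom are constructed so the parsers can be exercised offline.

```shell
#!/bin/sh
# Verify from a connected client that the VPN's Unbound answers and validates
# DNSSEC. dig_status and dig_has_ad_flag parse dig output; check_resolver is the
# only function that touches the network.

VPN_DNS=${VPN_DNS:-172.17.200.1}   # assumption: server's address in 172.17.200.0/24

# Print the response status (NOERROR, SERVFAIL, NXDOMAIN, ...) from dig output on stdin.
dig_status() {
  awk '/^;; ->>HEADER<<-/ {
    for (i = 1; i <= NF; i++) if ($i == "status:") { s = $(i + 1); sub(/,$/, "", s); print s }
  }'
}

# Exit 0 if the flags line carries "ad" (Authenticated Data), i.e. the resolver
# validated the DNSSEC chain for this answer; exit 1 otherwise.
dig_has_ad_flag() {
  awk '/^;; flags:/ {
    line = $0; sub(/^;; flags:/, "", line); sub(/;.*/, "", line)
    n = split(line, f, " "); for (i = 1; i <= n; i++) if (f[i] == "ad") found = 1
  }
  END { if (found) exit 0; exit 1 }'
}

# Live check (tunnel up, dig installed). A signed zone must come back with the ad
# flag; a zone with a broken signature must be refused (SERVFAIL), not answered.
check_resolver() {
  good=$(dig +dnssec @"$VPN_DNS" cloudflare.com A) || return 1
  printf '%s\n' "$good" | dig_has_ad_flag \
    || { echo "FAIL: no ad flag from $VPN_DNS for a signed zone (not validating?)" >&2; return 1; }
  bad=$(dig +dnssec @"$VPN_DNS" dnssec-failed.org A) || return 1
  [ "$(printf '%s\n' "$bad" | dig_status)" = SERVFAIL ] \
    || { echo "FAIL: $VPN_DNS answered a bogus signature instead of refusing it" >&2; return 1; }
  echo "OK: $VPN_DNS validates DNSSEC"
}

# Constructed samples (trimmed dig headers) to exercise the parsers offline.
sample_validated() {     # validating resolver, signed zone: ad flag present
  cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
EOF
}
sample_unvalidated() {   # non-validating resolver: same answer, no ad flag
  cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
EOF
}
sample_bogus() {         # validating resolver refusing a broken signature
  cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

# Run the live check with:  sh dnssec_check.sh run
if [ "${1:-}" = run ]; then check_resolver; fi
```

The second query is the one that matters: a resolver that merely forwards to an upstream can still return the ad flag, but only a resolver that validates itself will refuse the broken zone.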

IPv6 Support (DualStack)

This playbook configures IPv6 as a dual-stack setup, meaning that if the server has IPv6 connectivity, your client will be able to use IPv6 through the tunnel. Although I have been running dual-stack for a long time, this part is not well tested on OpenBSD by me. If you find any problems, please report them in the Issues section.

Exoscale will support IPv6 at the beginning of 2018, but you can use IPv6 with this playbook on Vultr (tested), Azure, AWS or any other cloud that offers OpenBSD 6.2.

My choice of cloud provider and apps, and why

For this playbook I have chosen exoscale as the cloud provider (but it will run on any OpenBSD host you choose). Why exoscale? Because it is Swiss, independent of US influence and subject only to Swiss law; they are also nice and simple to use, and their prices are quite low, comparable to DigitalOcean or AWS. The single CPU core of a Micro instance is sufficient for OpenVPN; do not use anything bigger unless you serve more than about 10 users.

If you are going to use exoscale, please use my invite code ( gLrEOdv5hVgv ) or this link: you will get 50 CHF credit after your second payment, which is enough to run the VPN server for free for the next 5 months!

For the desktop client I recommend Viscosity VPN (a paid app, no freebies here ;)). It is an easy-to-use OpenVPN client for Windows and macOS, well maintained and built on a recent OpenVPN client.

If you are using an iPhone, the config is generated for the free OpenVPN Connect app, the only one I can recommend. I assume there are apps for Android as well, but I do not have one, so I cannot recommend any.

Some cloud providers known to support OpenBSD 6.2

Here is a list of cloud providers with support for OpenBSD:

How to use playbook

Below are the simple requirements to run your own VPN server.

Requirements

  • have Ansible installed on your computer
  • have a running OpenBSD 6.2 instance at some cloud provider (here we use exoscale, as stated above)
  • allow SSH (TCP port 22, root account) from your own host for the install, and permanently allow UDP port 53, which is the port OpenVPN listens on
  • basic knowledge of using a terminal and ssh
  • pretty much that's all

Steps to start your own OpenVPN server from ansible playbook:

  • Download a release from https://github.com/kolargol/openvpn/tags (you can also clone, but releases are always tested and signed with my GPG key, so they are the recommended way to obtain the playbook; verify the signature before running it)
  • edit private_vpn_inventory and replace IP_OF_YOUR_SERVER with the IP of your cloud server
  • run Ansible with: ansible-playbook -i private_vpn_inventory openvpn.yml
  • once Ansible finishes without errors, your server is ready to use

Get your configs; they are in:

  • /etc/openvpn/export/archives/privateVPN-Desktop-JohnDoe.tar.gz - this is for the Viscosity desktop app
  • /etc/openvpn/export/archives/privateVPN-Mobile-JohnDoe.tar.gz - this is for the iPhone OpenVPN app

You can use scp root@SERVER_IP:/etc/openvpn/export/archives/* . to copy all config files at once.

Once that is done, import the above configs into your Viscosity app and/or the iPhone OpenVPN app; no changes are required, everything is already set.

Generating additional certificates for users

If more users are going to use OpenVPN, you need to generate a new keypair for each user. This is simple to do, and there are two ways of doing it:

  • create an Ansible play: this is more advanced and I will not cover it here
  • use gen_config.sh, steps below:

On the server, go to /etc/openvpn/easy-rsa/ and type:

./easyrsa --use-algo=ec --curve=secp256k1 build-client-full privateVPN-Mobile-USERNAME nopass - for a mobile client. Note that the "privateVPN-Mobile-" part must stay unchanged in the certificate name; just add the proper USERNAME (no spaces or other special characters, only a-zA-Z). Mobile is a keyword used later by the script.

./easyrsa --use-algo=ec --curve=secp256k1 build-client-full privateVPN-Desktop-USERNAME nopass - for a desktop client. Note that the "privateVPN-Desktop-" part must stay unchanged in the certificate name; just add the proper USERNAME, same as above, no special characters. Desktop is a keyword, do not change it.

Note: as you can see, the private keys are generated without a passphrase. You can protect them by dropping the nopass option, in which case you are prompted for a passphrase, and this is the recommended way of generating a keypair. I use nopass only for the convenience of the playbook. And please do not send keypairs by email or any other channel without encrypting them properly; best is to set a passphrase on the key and wrap the archive with gpg.

Once you understand all that, generate the config packages, easy as 1, 2, 3: go to /etc/openvpn/export/ and for each user run ./gen_config.sh privateVPN-Desktop-USERNAME (and likewise for privateVPN-Mobile-USERNAME). The packages are put into the archives/ folder. Copy them to your machine, share, install, enjoy.

You can also use this loop to create packages for all issued certificates (it iterates over the certificate files directly, which is more robust than parsing ls output and counting path components):

for f in /etc/openvpn/easy-rsa/pki/issued/privateVPN-*.crt; do ./gen_config.sh "$(basename "$f" .crt)"; done

That's all.

Client Configuration

The config creates the IPv4 network 172.17.200.0/24 and the IPv6 network fdd5:b0c4:f9fb:fa1f::/64, with access on UDP port 53.

Known issues and workarounds

DNS stops working after the OpenVPN process is restarted

This happens (sometimes) because Unbound loses its socket binding when OpenVPN is stopped: its listening address lives on the tun interface, which goes away together with the OpenVPN process. To fix it, restart Unbound after restarting OpenVPN with: rcctl restart unbound

Ansible fails while waiting for the instance to restart

Sometimes the instance takes longer than 2 minutes to restart after the errata are applied. Just re-run the ansible-playbook command, or, if the problem persists, increase the timeout in the restart task of the playbook.

iCloud sync stops working

Disable 'Back to My Mac' in the AirPort and iCloud settings on macOS.

Customizations

ToDo

Legal Warning

Remember: this does not give you privacy on the internet; this playbook was made primarily to make your connection to the internet safer, especially on mobile devices. Certainly, using a VPN does not give you the right to break the law; when you do, no VPN will save you: you will be found and prosecuted according to the law. Don't be stupid; think and do wise things. Be respectful of other people and do not be a jerk.

This doc is work-in-progress
