Installation Notes

Client-side Obfsproxy configuration on Windows

Product Overview
The driver source code is available here: As of OpenVPN 1. To implement this setup, you need to set up a script to be run by your DHCP client software every time an IP address change occurs. This document provides step-by-step instructions for configuring an OpenVPN 2. On the Linux side you must first set up ethernet bridging.

The openvpn.spec files

How to hide OpenVPN traffic using Obfsproxy on a Windows PC and Linux EC2 server

Notice the addition of two lines at the bottom, plus a port number on the end of the remote line. On the remote line, the port number can be anything outside of the reserved range of ports. Just remember that whatever you put here must match what we configure on the server side later on. Save your new config file, making sure not to overwrite the old one.

It should be a. This is where your new Python installation comes in. Note in the screenshot I forgot to type in my own password on the first attempt. You will have to navigate to the Scripts directory (first command), enter the Obfsproxy command (last command), and leave your command prompt open whenever you want to use Obfsproxy.

Otherwise, Netflix will be set to the incorrect region. The last thing we need to do on the client side is set up a proxy connection. This differs for each application. You can set it up in the Windows Internet settings, but I prefer to do it on an app-by-app basis. On native apps that use the internet, you can usually set up a proxy somewhere in the settings. On a browser, the easiest way to set this up is with a proxy extension.

In the ProxySwitchy settings, create a new profile. With Manual Configuration selected, type in the above settings as pictured below. Name it whatever you like. Under Network and Security, go to Security Groups.

Here you can choose to create a new security group and add it to your server, or modify an existing one. Under Type, select all TCP traffic (note: if you made a new security group, click Instances in the left sidebar, right-click your VPN instance, scroll down to Networking, and click Change Security Groups). Check your new security group and hit Save. Run OpenVPN using this command: In the PuTTY terminal, enter the following commands one line at a time, and hit Enter after each:

You should see a message on this terminal similar to the one on your command prompt, indicating that the server is listening on port for obfsproxy traffic. You are now set to connect. Right-click it and connect using your new config. If you want to watch Netflix or other geo-blocked content, enable the proxy settings in your applications.

For Proxy Switchy on Chrome, click the icon in the top right corner and select the profile you created in the optional section above. You may also add the proxy in the Windows Internet settings.

As you might have concluded, running obfsproxy on the client-side every time you want to use it can get a bit tedious. To automate the process, one user has created a Windows installer that runs Obfsproxy as a service that starts on boot.

You can download it and find instructions here. If you have connection problems, make sure to set a rule on your server's firewall allowing incoming traffic on UDP port. Consult your router's documentation for details on this.

To set up port forwarding, you will likely need to give the server a static local IP address instead of the default dynamically assigned one. Choose a static IP address that is outside the range your router hands out dynamically, but within the router's subnet. Your server will also need a static Internet IP address or domain name to be reachable over the long term. When signing up, you will determine the static domain name of your server.

This will cause packet loss across the network. Install OpenVPN on each client. This step can be skipped for now and done at any convenient time.

Certificates and Keys

Preparatory Steps

Navigate to the C: Don't leave any of these parameters blank.

The final command, build-ca, will build the certificate authority (CA) certificate and key by invoking the interactive openssl command: Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars. The only parameter which must be explicitly entered is the Common Name. As in the previous step, most parameters can be defaulted.

When the Common Name is queried, enter "server". Two other queries require positive responses, "Sign the certificate?" If you would like to password-protect your client keys, substitute the build-key-pass script. Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e.

Always use a unique common name for each client. Now we will find our newly-generated keys and certificates in the keys subdirectory.

Here is an explanation of the relevant files: The final step in the key generation process is to copy all files to the machines which need them, taking care to copy secret files over a secure channel. Now wait, you may say. Shouldn't it be possible to set up the PKI without a pre-existing secure channel? The answer is ostensibly yes. In the example above, for the sake of brevity, we generated all private keys in the same place.

With a bit more effort, we could have done this differently. For example, instead of generating the client certificate and keys on the server, we could have had the client generate its own private key locally, and then submit a Certificate Signing Request (CSR) to the key-signing machine. In turn, the key-signing machine could have processed the CSR and returned a signed certificate to the client. This could have been done without ever requiring that a secret.

It's best to use the OpenVPN sample configuration files as a starting point for your own configuration. These files can also be found in. On Windows they are named server. The sample server configuration file is an ideal starting point for an OpenVPN server configuration.

Before you use the sample configuration file, you should first edit the ca, cert, key, and dh parameters to point to the files you generated in the PKI section above. At this point, the server configuration file is usable; however, you still might want to customize it further: If you want to run multiple OpenVPN instances on the same machine, each using a different configuration file, it is possible if you:

The sample client configuration file client. To simplify troubleshooting, it's best to initially start the OpenVPN server from the command line or right-click on the. As in the server configuration, it's best to initially start the OpenVPN client from the command line or, on Windows, by right-clicking on the client. A normal client startup on Windows will look similar to the server output above, and should end with the Initialization Sequence Completed message.

Now, try a ping across the VPN from the client. If you are using routing, i.e. If you are using bridging, i.e.

If the ping failed or the OpenVPN client initialization failed to complete, here is a checklist of common symptoms and their solutions: See the access policies section below. You have a one-way connection from client to server. The server-to-client direction is blocked by a firewall, usually on the client side. The firewall can be either (a) a personal software firewall running on the client, or (b) the NAT router gateway for the client.

Modify the firewall to allow returning UDP packets from the server to reach the client. See the FAQ for additional troubleshooting information. When executed, the initscript will scan for. The Windows installer will set up a Service Wrapper, but leave it turned off by default.

This will configure the service for automatic start on the next reboot. Use the writepid directive to write the OpenVPN daemon's PID to a file, so that you know where to send the signal (if you are starting openvpn with an initscript, the script may already be passing a --writepid directive on the openvpn command line). While most configuration changes require you to restart the server, there are two directives in particular which refer to files which can be dynamically updated on-the-fly, and which will take immediate effect on the server without needing to restart the server process.

Files in this directory can be updated on-the-fly, without restarting the server. Note that changes in this directory will only take effect for new connections, not existing connections. If you would like a client-specific configuration file change to take immediate effect on a currently connected client (or one which has disconnected, but where the server has not timed-out its instance object), kill the client instance object by using the management interface described below.

This will cause the client to reconnect and use the new client-config-dir file. If you would like to kill a currently connected client whose certificate has just been added to the CRL, use the management interface described below.

You can use the management interface directly, by telnetting to the management interface port, or indirectly by using an OpenVPN GUI which itself connects to the management interface. To enable the management interface on either an OpenVPN server or client, add this to the configuration file: This tells OpenVPN to listen on TCP port for management interface clients (the port is an arbitrary choice; you can use any free port).

Once OpenVPN is running, you can connect to the management interface using a telnet client. Once the VPN is operational in a point-to-point capacity between client and server, it may be desirable to expand the scope of the VPN so that clients can reach multiple machines on the server network, rather than only the server machine itself.

For the purpose of this example, we will assume that the server-side LAN uses a subnet of First, you must advertise the This can easily be done with the following server-side config file directive: One of the benefits of using ethernet bridging is that you get this for free without needing any additional configuration. In a typical road-warrior or remote access scenario, the client machine connects to the VPN as a single machine.

But suppose the client machine is a gateway for a local LAN (such as a home office), and you would like each machine on the client LAN to be able to route through the VPN. For this example, we will assume that the client LAN is using the Next, we will deal with the necessary configuration changes on the server side.

If the server configuration file does not currently reference a client configuration directory, add one now: In the above directive, ccd should be the name of a directory which has been pre-created in the default directory where the OpenVPN server daemon runs. When a new client connects to the OpenVPN server, the daemon will check this directory for a file which matches the common name of the connecting client.

If a matching file is found, it will be read and processed for additional configuration file directives to be applied to the named client. The next step is to create a file called client2 in the ccd directory. This file should contain the line: This will tell the OpenVPN server that the Why the redundant route and iroute statements, you might ask?

Next, ask yourself if you would like to allow network traffic between client2's subnet If so, add the following to the server config file. This will cause the OpenVPN server to advertise client2's subnet to other connecting clients.

The last step, and one that is often forgotten, is to add a route to the server's LAN gateway which directs The outgoing ping would probably reach the machine, but then it wouldn't know how to route the ping reply, because it would have no idea how to reach This requires a more complex setup (maybe not more complex in practice, but more complicated to explain in detail): For example, suppose you would like connecting clients to use an internal DNS server at Add this to the OpenVPN server configuration:

To test this feature on Windows, run the following from a command prompt window after the machine has connected to an OpenVPN server: Suppose we are setting up a company VPN, and we would like to establish separate access policies for 3 different classes of users: The basic approach we will take is to (a) segregate each user class into its own virtual IP address range, and (b) control access to machines by setting up firewall rules which key off the client's virtual IP address.

In our example, suppose that we have a variable number of employees, but only one system administrator, and two contractors. Our IP allocation approach will be to put all employees into an IP address pool, and then allocate fixed IP addresses for the system administrator and contractors.

Note that one of the prerequisites of this example is that you have a software firewall running on the OpenVPN server machine which gives you the ability to define specific firewall rules. For our example, we will assume the firewall is Linux iptables. Next, let's translate this map into an OpenVPN server configuration. First of all, make sure you've followed the steps above for making the First, define a static unit number for our tun interface, so that we will be able to refer to it later in our firewall rules:

Because we will be assigning fixed IP addresses for specific System Administrators and Contractors, we will use a client configuration directory: Now place special configuration files in the ccd subdirectory to define the fixed IP address for each non-Employee VPN client. Each pair of ifconfig-push addresses represents the virtual client and server IP endpoints.

Specifically, the last octet in the IP address of each endpoint pair must be taken from this set: This completes the OpenVPN configuration. The final step is to add firewall rules to finalize the access policy.
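Because both the route/iroute pairing from the ccd discussion above and the ifconfig-push endpoint pairs are easy to get wrong, here is an added Python consistency checker for a server config and its ccd files (example code written for this page, not from the OpenVPN HOWTO). It assumes the default net30 topology, in which each client owns a /30 and the endpoint pair's last octets are (4k+1, 4k+2); all sample addresses are constructed.

```python
"""Added example: consistency checks for an OpenVPN server.conf and its ccd files."""
import ipaddress

DEFAULT_MASK = "255.255.255.255"  # default netmask for both 'route' and 'iroute'


def parse_directives(text):
    """Yield (directive, args) for each non-comment line of an OpenVPN config.
    Simplification: '#' and ';' start a comment anywhere on the line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def net30_pair_ok(client_ip, server_ip):
    """net30 topology: client endpoint is 4k+1, server endpoint is the next
    address (4k+2), i.e. the pairs [1,2], [5,6], ..., [253,254]."""
    try:
        c = int(ipaddress.IPv4Address(client_ip))
        s = int(ipaddress.IPv4Address(server_ip))
    except ValueError:
        return False
    return c % 4 == 1 and s == c + 1


def check(server_conf, ccd):
    """server_conf: text of server.conf; ccd: {common_name: text of ccd/<cn>}.
    Returns a list of problem strings; an empty list means consistent."""
    problems = []
    server = list(parse_directives(server_conf))
    if ccd and not any(d == "client-config-dir" for d, _ in server):
        problems.append("server: ccd files present but no client-config-dir directive")
    net30 = not any(d == "topology" and a[:1] == ["subnet"] for d, a in server)
    # Every per-client iroute must be mirrored by a kernel 'route' on the server.
    routes = {(a[0], a[1] if len(a) > 1 else DEFAULT_MASK)
              for d, a in server if d == "route" and a}
    seen_push = {}  # client endpoint -> common name, to catch duplicate assignments
    for cn, text in ccd.items():
        for d, a in parse_directives(text):
            if d == "iroute" and a:
                key = (a[0], a[1] if len(a) > 1 else DEFAULT_MASK)
                if key not in routes:
                    problems.append(f"{cn}: iroute {key[0]} {key[1]} has no matching 'route'")
            elif d == "ifconfig-push" and len(a) >= 2:
                if net30 and not net30_pair_ok(a[0], a[1]):
                    problems.append(f"{cn}: ifconfig-push {a[0]} {a[1]} is not a net30 pair")
                if a[0] in seen_push:
                    problems.append(f"{cn}: {a[0]} already pushed to {seen_push[a[0]]}")
                seen_push[a[0]] = cn
    return problems


if __name__ == "__main__":
    # Constructed sample values (not from the original document).
    SERVER = "client-config-dir ccd\nroute 192.168.40.0 255.255.255.0\n"
    CCD = {"client2": "iroute 192.168.40.0 255.255.255.0\n",
           "client3": "iroute 192.168.50.0 255.255.255.0\n",
           "contractor1": "ifconfig-push 10.9.2.1 10.9.2.2\n",
           "contractor2": "ifconfig-push 10.9.2.3 10.9.2.4\n"}
    for problem in check(SERVER, CCD):
        print(problem)
```

The check for endpoint pairs is skipped when the server config selects `topology subnet`, where the second ifconfig-push argument is a netmask rather than a peer address.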

For this example, we will use firewall rules in the Linux iptables syntax: To use this authentication method, first add the auth-user-pass directive to the client configuration. Next, configure the server to use an authentication plugin, which may be a script, shared object, or DLL. The authentication plugin can control whether or not the OpenVPN server allows the client to connect by returning a failure (1) or success (0) value. Script plugins can be used by adding the auth-user-pass-verify directive to the server-side configuration file.
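As an added illustration of the exit-status contract just described (example code written for this page, not OpenVPN's own sample script), the following Python script is meant to be referenced as `auth-user-pass-verify <script> via-file`, the method in which OpenVPN writes the username on the first line and the password on the second line of a temporary file whose path is passed as argv[1]. The credential store is constructed inline, and the optional cross-check of the username against a `common_name` environment variable is an assumption about what OpenVPN exports to the script.

```python
"""Added example: an auth-user-pass-verify script for OpenVPN using via-file.

OpenVPN writes the username on line 1 and the password on line 2 of a temp
file and passes its path as argv[1]; exit status 0 accepts, 1 rejects."""
import hashlib
import hmac
import os
import sys

ITERATIONS = 100_000  # PBKDF2 work factor; raise as CPU budget allows


def derive(password, salt):
    """PBKDF2-HMAC-SHA256 of the password; passwords are never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_store(plaintext_creds):
    """Provisioning step: build {user: (salt, digest)} from plaintext credentials."""
    store = {}
    for user, pw in plaintext_creds.items():
        salt = os.urandom(16)
        store[user] = (salt, derive(pw, salt))
    return store


def verify(username, password, store, common_name=None):
    """Return 0 (accept) or 1 (reject).

    Unknown users still pay for one KDF run against a dummy entry so response
    time does not reveal which usernames exist, and digests are compared in
    constant time. If common_name is given (assumed to be the certificate CN
    that OpenVPN exports to the script), the login must match that certificate."""
    dummy = (b"\0" * 16, b"\0" * 32)
    salt, expected = store.get(username, dummy)
    candidate = derive(password, salt)
    ok = username in store and hmac.compare_digest(candidate, expected)
    if common_name is not None and common_name != username:
        ok = False
    return 0 if ok else 1


def parse_via_file(text):
    """Split the via-file contents into (username, password)."""
    lines = text.split("\n")
    if len(lines) < 2:
        raise ValueError("malformed via-file credentials")
    return lines[0], lines[1]


if __name__ == "__main__":
    # Constructed credential store (not from the original document); a real
    # deployment loads this from a root-only file rather than hard-coding it.
    STORE = make_store({"client1": "correct horse battery staple"})
    with open(sys.argv[1], encoding="utf-8") as f:
        user, pw = parse_via_file(f.read())
    sys.exit(verify(user, pw, STORE, common_name=os.environ.get("common_name")))
```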

See the description of auth-user-pass-verify in the manual page for more information. For real-world PAM authentication, use the openvpn-auth-pam shared object plugin described below. To use it, add this to the server-side config file: For real-world production use, it's better to use the openvpn-auth-pam plugin, because it has several advantages over the auth-pam.

Note that client-cert-not-required will not obviate the need for a server certificate, so a client connecting to a server which uses client-cert-not-required may remove the cert and key directives from the client configuration file, but not the ca directive, because it is necessary for the client to verify the server certificate.

Dual-factor authentication is a method of authentication that combines two elements: something you have and something you know. Something you have should be a device that cannot be duplicated; such a device can be a cryptographic token that contains a private secret key. This private key is generated inside the device and never leaves it. If a user possessing this token attempts to access protected services on a remote network, the authorization process which grants or denies network access can establish, with a high degree of certainty, that the user seeking access is in physical possession of a known, certified token.

Something you know can be a password presented to the cryptographic device. Without presenting the proper password you cannot access the private secret key. Another feature of cryptographic devices is to prohibit the use of the private secret key if the wrong password had been presented more than an allowed number of times. This behavior ensures that if a user lost his device, it would be infeasible for another person to use it.

Cryptographic devices are commonly called "smart cards" or "tokens", and are used in conjunction with a PKI (Public Key Infrastructure). The VPN server can examine a X. Since the device cannot be duplicated and requires a valid password, the server is able to authenticate the user with a high degree of confidence. Dual-factor authentication is much stronger than password-based authentication, because in the worst-case scenario, only one person at a time can use the cryptographic token.

Passwords can be guessed and can be exposed to other users, so in the worst-case scenario an infinite number of people could attempt to gain unauthorized access when resources are protected using password-only authentication. If you store the secret private key in a file, the key is usually encrypted by a password. Unlike when using a cryptographic device, the file cannot erase itself automatically after several failed decryption attempts. This standard specifies an API, called Cryptoki, to devices which hold cryptographic information and perform cryptographic functions.

Cryptoki, pronounced "crypto-key" and short for cryptographic token interface, follows a simple object-based approach, addressing the goals of technology independence (any kind of device) and resource sharing (multiple applications accessing multiple devices), presenting to applications a common, logical view of the device called a cryptographic token. To summarize, PKCS 11 is a standard that can be used by application software to access cryptographic tokens such as smart cards and other devices.

Most device vendors provide a library that implements the PKCS 11 provider interface -- this library can be used by applications in order to access these devices.

PKCS 11 is a cross-platform, vendor-independent free standard. The first thing you need to do is to find the provider library; it should be installed with the device drivers. Each vendor has its own library.

A configured token is a token that has a private key object and a certificate object, where both share the same id and label attributes. A simple enrollment utility is Easy-RSA 2. Each PKCS 11 provider can support multiple devices.
