-
Notifications
You must be signed in to change notification settings - Fork 2
/
openvpn-obfs4.html
155 lines (131 loc) · 10.4 KB
/
openvpn-obfs4.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>OpenVPN + Obfs4</title>
<link rel="stylesheet" href="css/style.css">
<meta property="og:title" content="OpenVPN + Obfs4">
<meta property="og:description" content="How to obfuscate OpenVPN using the Tor Project's obfs4 obfuscator">
<meta property="og:type" content="website">
<meta property="og:image" content="https://computerscot.github.io/img/computerscot.png">
<meta property="og:url" content="https://computerscot.github.io/openvpn-obfs4.html">
</head>
<body>
<div id="bar">
<div class="wrapper">
<p><a href="https://computerscot.github.io">computerscot.github.io</a></p>
</div>
</div>
<div class="wrapper">
<h1>OpenVPN + Obfs4</h1>
<p><em>August 23, 2023</em></p>
<p>In this post you obfuscate OpenVPN using the Tor Project's obfs4 obfuscator.</p>
<p>References:</p>
<ul>
<li><a href="https://www.ivpn.net/knowledgebase/linux/linux-obfs3-and-obfs4-obfuscation-with-obfsproxy-to-circumvent-censorship">https://www.ivpn.net/knowledgebase/linux/linux-obfs3-and-obfs4-obfuscation-with-obfsproxy-to-circumvent-censorship</a></li>
<li><a href="https://hamy.io/post/000d/how-to-hide-obfuscate-any-traffic-using-obfs4">https://hamy.io/post/000d/how-to-hide-obfuscate-any-traffic-using-obfs4</a></li>
</ul>
<h2>Ubuntu server</h2>
<p>It is assumed that you are using Ubuntu 22.04 and logged in as <code>root</code>.</p>
<h3>1. Open firewall</h3>
<p>Choose a port on which <code>obfs4</code> will accept input. We will use <code>8443</code> in our examples.</p>
<p>Open this port (e.g. <code>tcp/8443</code>) in your server firewall.</p>
<h3>2. Install and configure OpenVPN</h3>
<p>Install OpenVPN:</p>
<blockquote><code>apt update && apt upgrade -y</code></blockquote>
<blockquote><code>curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh</code></blockquote>
<blockquote><code>chmod +x openvpn-install.sh</code></blockquote>
<blockquote><code>./openvpn-install.sh</code></blockquote>
<p>The script prompts you to answer various questions. You can accept the defaults except:</p>
<ul>
<li>When you are asked for the IP address, enter the public IP address of your server.</li>
<li>You can use port <code>1194</code> for OpenVPN, since traffic will pass through <code>obfs4</code> before it reaches the OpenVPN server.</li>
<li><strong>Use TCP mode.</strong></li>
</ul>
<p>At the end of the script's run, you are prompted to choose a name for the client, e.g. <code>xxxxxxxx</code>. The script then generates a client configuration file named, for example, <code>xxxxxxxx.ovpn</code>.</p>
<h3>3. Install obfs4</h3>
<p>Install the prerequisite package for <code>obfs4</code>:</p>
<blockquote><code>apt install -y apt-transport-https</code></blockquote>
<p>Create a new file <code>/etc/apt/sources.list.d/tor.list</code>. Since Ubuntu 22.04 is <code>jammy</code>, insert these entries:
<blockquote><code>deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org jammy main</code></blockquote>
<blockquote><code>deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org jammy main</code></blockquote>
<p>Download the gpg key used to sign the packages:</p>
<blockquote><code>wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null</code></blockquote>
<p>Install the package for <code>obfs4</code>:</p>
<blockquote><code>apt update</code></blockquote>
<blockquote><code>apt install -y obfs4proxy</code></blockquote>
<p>The program is installed to <code>/usr/bin/obfs4proxy</code>.</p>
<h3>4. Set environment variables</h3>
<blockquote><code>mkdir /root/pt_state</code></blockquote>
<blockquote><code>export TOR_PT_MANAGED_TRANSPORT_VER="1"</code></blockquote>
<blockquote><code>export TOR_PT_STATE_LOCATION="/root/pt_state"</code></blockquote>
<blockquote><code>export TOR_PT_SERVER_TRANSPORTS="obfs4"</code></blockquote>
<blockquote><code>export TOR_PT_SERVER_TRANSPORT_OPTIONS="obfs4:iat-mode=0"</code></blockquote>
<blockquote><code>export TOR_PT_SERVER_BINDADDR="obfs4-0.0.0.0:8443"</code></blockquote>
<blockquote><code>export TOR_PT_ORPORT="127.0.0.1:1194"</code></blockquote>
<h3>5. Launch obfs4</h3>
<blockquote><code>screen -S obfs4</code></blockquote>
<blockquote><code>printenv | grep TOR</code></blockquote>
<blockquote><code>obfs4proxy</code></blockquote>
<p>The <code>cert</code> and <code>iat-mode</code> are displayed, but we will redisplay them in a moment.</p>
<p>Do <strong>Ctrl</strong>+<strong>a</strong> then <strong>d</strong> to detach from the <code>screen</code> session. You can reattach the <code>screen</code> session at any time by issuing the command <code>screen -r obfs4</code>.</p>
<h3>6. Redisplay bridge line</h3>
<blockquote><code>cat /root/pt_state/obfs4_bridgeline.txt</code></blockquote>
<p>Make a note of the value of <code>cert</code>, as you will need it on the client. Example:</p>
<blockquote><code>Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=KQ7p0ARAzAx0Rm+5PhvxRrPWHS7ekk7IDXmtkBnnpe2A9Fl/rK5d2e08cfAiS1UsfFFVbQ iat-mode=0</code></blockquote>
<p>This is the end of the server work for now:</p>
<blockquote><code>exit</code></blockquote>
<h2>Windows client</h2>
<p>Our client in this tutorial runs Windows.</p>
<h3>1. Install OpenVPN</h3>
<p>Install the OpenVPN client from <a href="https://openvpn.net/community-downloads">https://openvpn.net/community-downloads</a>. For Windows you get an installer named <code>OpenVPN-2.6.6-I001-amd64.msi</code>, which you must run to install the Windows OpenVPN GUI client. There is no problem if you get a warning at the end to say that there are no connection profiles (configuration files) yet.</p>
<h3>2. Download client configuration</h3>
<p>Download the OpenVPN client configuration file that you generated on the server with the PowerShell command:</p>
<blockquote><code>scp [email protected]:xxxxxxxx.ovpn Downloads</code></blockquote>
<p>Do not import the client configuration file into the Windows OpenVPN GUI client just yet. You have to make a few changes to it. We will do that toward the end of the client set-up.</p>
<h3>3. Download obfs</h3>
<p>Download Tor Expert Bundle for Windows from <a href="https://www.torproject.org/download/tor">https://www.torproject.org/download/tor</a>.</p>
<p>Use <a href="https://www.7-zip.org">7-Zip</a> to extract <code>tor-expert-bundle-12.5.2-windows-x86_64.tar.gz</code> to <code>tor-expert-bundle-12.5.2-windows-x86_64.tar</code>.</p>
<p>Then extract the <code>.tar</code> file to give <code>data</code> and <code>tor</code> folders.</p>
<p>Inside <code>tor\pluggable_transports</code> you will see <code>lyrebird.exe</code>, which is the new name for the <code>obfs4</code> program.</p>
<p>To make it easier to find, copy <code>lyrebird.exe</code> up to your <code>Downloads</code> folder (<code>C:\Users\YOURUSERNAME\Downloads</code>).</p>
<h3>4. Start obfs4</h3>
<p>Open a Command Prompt window.</p>
<p>Issue these commands, replacing <code>YOURUSERNAME</code> by your actual Windows username.</p>
<blockquote><code>set TOR_PT_MANAGED_TRANSPORT_VER=1</code></blockquote>
<blockquote><code>set TOR_PT_STATE_LOCATION=C:\Users\YOURUSERNAME\Downloads\pt_state</code></code></blockquote>
<blockquote><code>set TOR_PT_CLIENT_TRANSPORTS=obfs4</code></blockquote>
<blockquote><code>cd Downloads</code></blockquote>
<blockquote><code>set | findstr TOR</code></blockquote>
<blockquote><code>lyrebird.exe -enableLogging -logLevel WARN</code></blockquote>
<p>Keep it running (i.e. do not close the terminal window).</p>
<p>Make a note of the randomly generated listening port number. We'll designate it by <code>YYYYY</code>. You will need it in a moment for the OpenVPN configuration. Example:</p>
<pre>VERSION 1
CMETHOD obfs4 socks5 127.0.0.1:51045
CMETHODS DONE</pre>
<h3>5. Create socks5_auth file</h3>
<p>Use Notepad to create a new file. It has precisely two lines. Example:</p>
<pre>cert=KQ7p0ARAzAx0Rm+5PhvxRrPWHS7ekk7IDXmtkBnnpe2A9Fl/rK5d2e08cfAiS1UsfFFVbQ;
iat-mode=0</pre>
<p>Save the file as <code>C:\Users\YOURUSERNAME\Downloads\socks5_auth</code>. Make sure Notepad does not add an extraneous <code>.txt</code> at the end of the file name.</p>
<h3>6. Edit OpenVPN configuration</h3>
<p>Edit your downloaded OpenVPN client configuration file <code>xxxxxxxx.ovpn</code> to include the following. Replace <code>YYYYY</code> by your actual obfs4 (<code>lyrebird.exe</code>) local listening port number. Replace <code>YOURUSERNAME</code> by your actual Windows username. </p>
<blockquote><code>socks-proxy 127.0.0.1 YYYYY C:\\Users\\YOURUSERNAME\\Downloads\\socks5_auth</code></blockquote>
<p>Change the apparent destination port on the <code>remote</code> line to <code>tcp/8443</code>, replacing <code>XX.XX.XX.XX</code> by your server's public IP address:</p>
<blockquote><code>remote XX.XX.XX.XX 8443</code></blockquote>
<p>Also add this line, replacing <code>XX.XX.XX.XX</code> by your server's public IP address:</p>
<blockquote><code>route XX.XX.XX.XX 255.255.255.255 net_gateway</code></blockquote>
<p>And add these lines:</p>
<blockquote><code>tls-timeout 4</code></blockquote>
<blockquote><code>connect-retry-max 3</code></blockquote>
<p>Save the revised file <code>xxxxxxxx.ovpn</code>.</p>
<h3>7. Import OpenVPN configuration</h3>
<p>In the OpenVPN GUI, <strong>Import</strong> the OpenVPN client configuration file <code>xxxxxxxx.ovpn</code>.</p>
<h3>8. End-to-end connect</h3>
<p>In the OpenVPN GUI, <strong>Connect</strong> the client to the server.</p>
<p>Open a browser and test your connection.</p>
</div>
<!-- Cloudflare Web Analytics --><script defer src='https://static.cloudflareinsights.com/beacon.min.js' data-cf-beacon='{"token": "94e45ea74d58413395c468ebe6bab324"}'></script><!-- End Cloudflare Web Analytics -->
</body>
</html>