These instructions are for an Ubuntu Linux 18.04 server, a Windows 10 PC, and a phone or tablet running Android.

Ubuntu OpenVPN Server

Right-click on the Windows start button. Open Windows PowerShell. Since the Windows 10 update of April 2018, the OpenSSH client is installed by default and expects to find your SSH private key in your .ssh folder.

SSH into your server. As an example, if your user name on the server is ubuntu, and your server’s IP address is 3.86.252.179:

ssh ubuntu@3.86.252.179

Get your existing packages up to date:

sudo apt update
sudo apt upgrade

Configure the server firewall to allow TCP input on port 22 (for SSH) and port 443 (for Stunnel), drop everything else inbound, and masquerade the outgoing IP address of the VPN subnet (replace eth0 if your server's network interface has a different name):

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -P INPUT DROP
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Persist iptables across reboots:

sudo apt install iptables-persistent

To make vim's syntax colors less confusing when viewed in PowerShell, edit your editor configuration file:

vi ~/.vimrc

Set the syntax highlighting off:

syntax off

Write the file to disk, and quit the editor.

Edit the system control configuration file:

sudo vi /etc/sysctl.conf

Allow packet forwarding by uncommenting the line:

net.ipv4.ip_forward=1

At the bottom, add two lines to implement BBR congestion control:

net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr

Write the file to disk, and quit the editor. Activate this change:

sudo sysctl -p

Install the OpenVPN packages:

sudo apt install openvpn easy-rsa

If you do not know the root password, then set it now:

sudo passwd root

Switch to the root user:

su -

In the same way as you did for your non-root user id, make vim's syntax colors less confusing when viewed in PowerShell by editing root's editor configuration file:

vi ~/.vimrc

Set the syntax highlighting off:

syntax off

Write the file to disk, and quit the editor.

Copy the Easy RSA materials into your /etc/openvpn directory:

cp -r /usr/share/easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa
cp openssl-1.0.0.cnf openssl.cnf
mkdir keys

Edit the variables file:

vi vars

Set the default distinguished name (DN) variables to your desired values, e.g.:

export KEY_COUNTRY="PL"
export KEY_PROVINCE="Mazovia"
export KEY_CITY="Warszawa"
export KEY_ORG="Polska Akademia Nauk"
export KEY_EMAIL="you@example.com"
export KEY_OU="Computer Science"

After saving the file, source the environment variables from the values in the file:

source ./vars

Create the keys and certificates for OpenVPN:

./clean-all

When you create the Certificate Authority (CA), you can just press Enter to accept your default values from above:

./build-ca

When you run the server and client scripts below, you are asked for a challenge password and an optional company name. You can leave them blank. When asked if you want to sign each certificate, enter y. When asked if you want to commit, enter y.

./build-key-server openvpn-server
./build-key openvpn-client

The last script (build-dh) can take a long time:

./build-dh

Copy the certificates and keys up into your main /etc/openvpn directory:

cp keys/*.key ..
cp keys/*.crt ..
cp keys/dh2048.pem ..

Generate a secret key, which OpenVPN will use to encrypt the control channel:

cd /etc/openvpn
openvpn --genkey --secret tls-crypt.key

Create your OpenVPN server configuration file.

vi server.conf

Here is one you can use as a template. Note that the OpenVPN server listens only on localhost (IP address 127.0.0.1), so it is reachable only through Stunnel, and that we use the TCP protocol.

local 127.0.0.1
port 1194
proto tcp
dev tun
ca ca.crt
cert openvpn-server.crt
key openvpn-server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
keepalive 10 120
tls-crypt tls-crypt.key
cipher AES-256-GCM
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3

Create the client ovpn file:

vi client.ovpn

Here is one you can use as a template. You must change the example by inserting your actual certificates and keys in between the opening and closing tags. Note that the client sends traffic to localhost (IP address 127.0.0.1) port 1194, which is where the Stunnel client will be listening on the client device.

client
dev tun
proto tcp
remote 127.0.0.1 1194
nobind
persist-key
persist-tun
resolv-retry infinite
<ca>
-----BEGIN CERTIFICATE-----
MIIF...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIF...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIE...
-----END PRIVATE KEY-----
</key>
remote-cert-tls server
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
21d3...
-----END OpenVPN Static key V1-----
</tls-crypt>
cipher AES-256-GCM
verb 3
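Rather than pasting the certificates and keys into the template by hand, the following added helper (not part of the original guide) assembles client.ovpn from the files produced by the easy-rsa and tls-crypt steps above. It assumes the file names used on this page (ca.crt, openvpn-client.crt, openvpn-client.key, tls-crypt.key) and that they all live in one directory such as /etc/openvpn.

```shell
#!/bin/sh
# build_client_ovpn: write an inline client.ovpn to stdout.
# Usage: build_client_ovpn /etc/openvpn > /etc/openvpn/client.ovpn
# Assumes the file names from this guide (constructed helper, not from the page).
build_client_ovpn() {
    dir="$1"
    # Refuse to emit a config with a missing or empty credential file.
    for f in ca.crt openvpn-client.crt openvpn-client.key tls-crypt.key; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            return 1
        fi
    done
    # Fixed part of the client profile: same settings as the template above.
    cat <<'EOF'
client
dev tun
proto tcp
remote 127.0.0.1 1194
nobind
persist-key
persist-tun
resolv-retry infinite
remote-cert-tls server
cipher AES-256-GCM
verb 3
EOF
    # Wrap each file in the inline tag OpenVPN expects. easy-rsa's .crt files
    # carry a human-readable dump before the PEM block and tls-crypt.key starts
    # with comment lines; sed keeps only the BEGIN..END section.
    for pair in ca:ca.crt cert:openvpn-client.crt key:openvpn-client.key tls-crypt:tls-crypt.key; do
        tag="${pair%%:*}"
        file="${pair#*:}"
        echo "<$tag>"
        sed -n '/^-----BEGIN/,/^-----END/p' "$dir/$file"
        echo "</$tag>"
    done
}
```

Run it as root on the server after the tls-crypt step, then copy the resulting file to the PC as described below.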

Start OpenVPN:

systemctl enable openvpn@server
systemctl start openvpn@server

Ubuntu Stunnel Server

Install the package:

apt install stunnel4

Generate a stunnel server certificate and private key:

cd /etc/stunnel
openssl req -new -x509 -days 3650 -nodes -out stunnel.pem -keyout stunnel.pem

The openssl command will ask you various questions for the distinguished name (DN) of the stunnel server certificate. Some sample answers:

  • Country: “PL”
  • State or Province: “Mazovia”
  • Locality: “Warszawa”
  • Organization: “Polska Akademia Nauk”
  • Organization Unit: “Computer Science”
  • Common Name (FQDN): 3.86.252.179
  • Email: “you@example.com”

Append the Diffie-Hellman parameters to the end of the file. This could take a long time:

openssl dhparam 2048 >> stunnel.pem

Configure stunnel:

vi /etc/stunnel/stunnel.conf

Insert contents:

pid = /var/run/stunnel.pid
cert = /etc/stunnel/stunnel.pem
output = /var/log/stunnel

[stunnel-to-openvpn]
accept = 443
connect = 127.0.0.1:1194

Write the file to disk. Quit the editor.

Enable automatic startup:

vi /etc/default/stunnel4

Change the ENABLED switch to turn it on:

ENABLED=1

Write the file to disk. Quit the editor.

Restart stunnel:

/etc/init.d/stunnel4 restart

Exit the root session:

exit

Exit the SSH session with the server:

exit

Securely Copy OVPN File from Server to PC

Open Windows PowerShell.

Download the OVPN file from your server to your PC:

cd Downloads
scp "ubuntu@3.86.252.179:/etc/openvpn/client.ovpn" client.ovpn

Close Windows PowerShell.

Windows Stunnel Client

On your Windows PC, open a browser. Download and save the latest stunnel-x.xx-win64-installer.exe from:

https://www.stunnel.org/downloads.html

  1. Right-click on installer executable
  2. Select Run as administrator
  3. If you are asked if you want to allow the app, click Yes
  4. Click I Agree
  5. Select the radio button Install for anyone using this computer
  6. Click Next
  7. Click Next
  8. Click Install to install to C:\Program Files (x86)\stunnel

A console window pops up. The script asks you for values for the distinguished name (DN) of the stunnel client certificate. Examples:

  • Country: “PL”
  • State or Province: “Mazovia”
  • Locality: “Warszawa”
  • Organization: “Polska Akademia Nauk”
  • Organization Unit: “Computer Science”
  • Common Name (FQDN): client.example.com
  • Email: “you@example.com”

The Windows installer automatically generates a self-signed certificate. Make sure Start stunnel after installation is unchecked. Click Finish.

Now edit, as administrator, the stunnel configuration file C:\Program Files (x86)\stunnel\config\stunnel.conf.

Comment out the sections for [gmail-pop3], [gmail-imap], and [gmail-smtp]. Add a section for OpenVPN. You must replace 3.86.252.179 with your actual server IP address:

[openvpn-to-stunnel]
client = yes
accept = 127.0.0.1:1194
connect = 3.86.252.179:443

Save the configuration file.

In Windows explorer, go to C:\Program Files (x86)\stunnel\bin. Right-click on stunnel.exe. Select Run as administrator. Find the stunnel icon in the system tray, which is at the bottom right of your Windows desktop. Right-click on the icon. Choose Show Log Window. It should look something like this:

LOG5[main]: stunnel 5.50 on x64-pc-mingw32-gnu platform
LOG5[main]: Compiled/running with OpenSSL 1.1.1a  20 Nov 2018
LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,OCSP,PSK,SNI
LOG5[main]: Reading configuration from file stunnel.conf
LOG5[main]: UTF-8 byte order mark detected
LOG4[main]: Service [openvpn-to-stunnel] needs authentication to prevent MITM attacks
LOG5[main]: Configuration successful

Windows OpenVPN Client

On your Windows PC, open a browser. Download and save the OpenVPN Windows installer executable from:

In Windows Explorer, go to your Downloads folder. The OpenVPN Windows installer will have a name that looks like openvpn-install-2.4.7-I607-Win10.exe.

Double-click on the downloaded exe file to run the installer. The OpenVPN Setup Wizard walks you through the installation. You can accept all the defaults.

The installer places an OpenVPN GUI shortcut on your Windows PC desktop. Double-click on the OpenVPN GUI shortcut to launch OpenVPN.

The first time you run the OpenVPN GUI, there is no client configuration file. If you see a warning about this, just click OK.

Find the OpenVPN icon in the system tray, which is at the bottom right of your Windows desktop. Right-click on the OpenVPN icon. Select the Import file option. Select your client.ovpn file from your Downloads folder. Click Open. This validates your client configuration file. You should see a message to say your client configuration file was imported successfully. Click OK.

The OpenVPN GUI copies your client configuration file to C:\Users\YourWindowsUserName\OpenVPN\config\client\client.ovpn.

To connect, find the OpenVPN icon in the system tray again. Right-click on it. Select the Connect option. A message appears to say that the client is now connected. It tells you your assigned IP address, such as 10.8.0.6.

To disconnect, find the OpenVPN icon in the system tray. Right-click on the OpenVPN icon. Select Disconnect. Again, find the OpenVPN icon in the system tray. Right-click on the OpenVPN icon. Select Exit. Find the stunnel icon in the system tray. Right-click on the stunnel icon. Select Exit.

Securely Copy OVPN File from PC to Android

Make sure you are logged in to your Android device. Use a USB cable to connect your Android device to your computer.

On your PC, open Windows File Explorer.

Locate the Android device’s Download folder, e.g. YourPhoneName\Phone\Download or whatever name applies in your situation.

Copy the client.ovpn file from your PC to your Android.

On your Android device, check that the file is in Device Storage/Download.

Unplug the USB cable.

Android Stunnel Client

On your Android device, open Google Play Store.

Install SSLDroid by Balint Kovacs.

Open the SSLDroid app.

From the app menu, select the option Add tunnel:

  • Tunnel name: A name of your choice, e.g. Stunnel to OpenVPN
  • Local port: 1194
  • Remote host: Your actual server, e.g. 3.86.252.179
  • Remote port: 443
  • PKCS 12 file: blank
  • PKCS 12 pass: blank

Click Apply.

A green padlock icon appears at the top of your screen.

Android OpenVPN Client

Install OpenVPN for Android by Arne Schwabe. Open the OpenVPN for Android app.

Click the plus sign to add a profile.

Give it a name, e.g. OpenVPN via Stunnel.

Click the Import button.

Pick client.ovpn from your Download folder.

Press the Save button.

On the row for the client profile, click the settings icon.

  • On the Routing tab, make sure Bypass VPN for local networks is checked. Also on the Routing tab, check the box for IPv4 Use default Route, and do the same for IPv6 if you use IPv6
  • On the Advanced tab, check the box for Enable Custom Options, click Custom Options, and add a new line: route 3.86.252.179 255.255.255.255 net_gateway. Replace the sample IP address in this line with your actual server IP address
  • If your version of the app has an Allowed Apps tab, then exclude the SSLDroid app, so that it does not get into a routing loop from OpenVPN to SSLDroid and back again repeatedly

Connect OpenVPN via Stunnel. If necessary, check the box to say I trust this application, then click OK.

A white key icon shows you are connected to your VPN. You can then test to see if you have an Internet connection via the VPN:

https://www.ipchicken.com
