How To Set Up Your Own OpenVPN Stealth VPN Server On CentOS 7

These days many college/university or work networks tend to block OpenVPN by default – some hardware firewalls can now detect OpenVPN and block it reasonably quickly. However, there is a patch you can apply to help bypass most of these detection methods, and it’s pretty easy to use in a few short steps.

First, update your OS software by running the below command.

yum update -y

Now let’s install some dependencies you will need to compile OpenVPN and OpenSSL.

yum install wget git gcc perl pcre-devel zlib-devel openssl-devel lzo-devel pam-devel -y

The first thing we need to do to install OpenVPN version 2.5.8, the latest version compatible with this patch, is to update your system’s version of OpenSSL. To do that, run the following commands one after another in order from top to bottom:

wget https://ftp.openssl.org/source/old/1.1.1/openssl-1.1.1.tar.gz
tar xvf openssl-1.1.1.tar.gz
cd openssl-1.1.1/
./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib no-shared zlib-dynamic
make
make install
export LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64
echo "export LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64" >> ~/.bashrc

If all those commands finished without issues, check your OpenSSL version:

openssl version

It should now show as below:

OpenSSL 1.1.1  11 Sep 2018

Now let’s proceed with compiling OpenVPN. Download the sources from OpenVPN:

wget https://build.openvpn.net/downloads/releases/openvpn-2.5.8.tar.gz

Decompress the package and move to its directory:

tar xf openvpn-2.5.8.tar.gz
cd openvpn-2.5.8

Configure the package:

./configure

Now the critical part, download the stealth patch files to apply to your OpenVPN package:

wget https://repo.premiervpn.net/patch/ovpn/02-tunnelblick-openvpn_xorpatch-a.diff
wget https://repo.premiervpn.net/patch/ovpn/03-tunnelblick-openvpn_xorpatch-b.diff
wget https://repo.premiervpn.net/patch/ovpn/04-tunnelblick-openvpn_xorpatch-c.diff
wget https://repo.premiervpn.net/patch/ovpn/05-tunnelblick-openvpn_xorpatch-d.diff
wget https://repo.premiervpn.net/patch/ovpn/06-tunnelblick-openvpn_xorpatch-e.diff

Apply those patches by running the git commands below:

git apply 02-tunnelblick-openvpn_xorpatch-a.diff
git apply 03-tunnelblick-openvpn_xorpatch-b.diff
git apply 04-tunnelblick-openvpn_xorpatch-c.diff
git apply 05-tunnelblick-openvpn_xorpatch-d.diff
git apply 06-tunnelblick-openvpn_xorpatch-e.diff

You should see no output after applying the patches; this is a good sign and means they applied without error. Now compile and install OpenVPN by running the commands below in order:

make
make install

Once the installation is complete, create the OpenVPN directory and move to this folder:

mkdir /etc/openvpn
cd /etc/openvpn/

Now you must create your OpenVPN config, preferably running it over port 443 TCP or UDP. Here is an example config below:

port 443
proto udp6
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
verify-client-cert none
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 1.0.0.1"
push "dhcp-option DNS 1.1.1.1"
push "redirect-gateway def1 bypass-dhcp"
server-ipv6 xxxxxxxxxxxxxxxxxx
tun-ipv6
push tun-ipv6
push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_YYGb.crt
key server_YYGb.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
scramble obfuscate 4453ch6456h54hv
verb 3

The difference in this config is that we can now add the scramble line, which obfuscates OpenVPN:

scramble obfuscate 4453ch6456h54hv

I recommend that you change the password; for example, you can change 4453ch6456h54hv to something more complicated and much longer:

scramble obfuscate fh54%^&Gj67^%&*^I^*G5

Once you have created your OpenVPN config file and added your scramble line, you can quickly test and see if your config works OK:

cd /etc/openvpn/
openvpn server.conf

Change server.conf to match the name of your own config. OpenVPN will print its startup debug output, which should end with the line below:

Initialization Sequence Completed

This means everything is good to go 🙂

Remember that the patch needs to be supported on both the client and the server with the same scramble line and password in the config for it to work.

Different options can be used with this patch; they vary in how well they work on specific networks. See below:

Scramble Option Syntax

Note: The “scramble” option and parameters in the server and client configuration files must match.

scramble xor_string
scramble xormask xor_string
These options XOR the bytes in each buffer with xor_string.

scramble reverse
The “reverse” option reverses the order of the bytes in each buffer (except that the first byte is unchanged). So “abcde” becomes “aedcb”.

scramble xorptrpos
The “xorptrpos” option XORs each byte of the buffer of traffic with the position in the buffer.

scramble obfuscate password
The “obfuscate” option performs several of the above steps, using password as the xor_string in one of the steps.
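To make the four scramble modes concrete, here is an added example (not code from the original post or from the Tunnelblick XOR patch) that models each transform in Python on a constructed buffer and shows that each step is its own inverse. It assumes “position” means the 0-based byte index and guesses the step order for obfuscate; the real patch may differ.

```python
# Added example, not code from the original post or from the Tunnelblick XOR patch:
# a pure-Python model of the four "scramble" transforms as the page describes them.
# Assumptions: "position" is the 0-based byte index, and the step order used for
# "obfuscate" is a guess; the real patch may apply the steps in a different order.

SAMPLE_KEY = b"4453ch6456h54hv"                     # the example password from the page


def xormask(buf: bytes, xor_string: bytes) -> bytes:
    """scramble xormask: XOR every byte with the repeating xor_string."""
    if not xor_string:
        return bytes(buf)
    return bytes(b ^ xor_string[i % len(xor_string)] for i, b in enumerate(buf))


def xorptrpos(buf: bytes) -> bytes:
    """scramble xorptrpos: XOR every byte with its position in the buffer."""
    return bytes(b ^ (i & 0xFF) for i, b in enumerate(buf))


def reverse(buf: bytes) -> bytes:
    """scramble reverse: reverse the buffer but leave the first byte in place."""
    return buf[:1] + buf[:0:-1]          # b"abcde" -> b"aedcb"


def obfuscate(buf: bytes, password: bytes) -> bytes:
    """scramble obfuscate, sending side (assumed order): xorptrpos, reverse,
    xorptrpos, then xormask with the password."""
    return xormask(xorptrpos(reverse(xorptrpos(buf))), password)


def deobfuscate(buf: bytes, password: bytes) -> bytes:
    """Receiving side: every step is its own inverse, so undo them in reverse order."""
    return xorptrpos(reverse(xorptrpos(xormask(buf, password))))


def mask_leak(plain: bytes, scrambled: bytes) -> bytes:
    """XOR of a buffer with its xormask output is just the repeating xor_string:
    scrambling hides OpenVPN's recognisable bytes from simple matchers, but it is
    not encryption and the password is not a secret; confidentiality comes from
    TLS (tls-crypt/cipher), not from the scramble line."""
    return bytes(p ^ s for p, s in zip(plain, scrambled))


if __name__ == "__main__":
    # Constructed stand-in for a packet: an OpenVPN-like opcode byte plus payload.
    packet = b"\x38" + bytes(range(32))
    wire = obfuscate(packet, SAMPLE_KEY)
    assert wire != packet and deobfuscate(wire, SAMPLE_KEY) == packet
    print("round trip OK; xormask leak:", mask_leak(packet, xormask(packet, SAMPLE_KEY)))
```

The round trip only succeeds when both ends use the same mode and password, which is why the scramble line must match on client and server.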
