add selfhosting tutorials

openvpn/index.md

@@ -0,0 +1,286 @@
+# VPS-Hosted OpenVPN server:
+
+![](../openvpn/logo.png)
+
+You may want a VPS hosted vpn server in case you wish to conduct activities through a trusted vpn server. (which gives you the power over the logs).
+
+![](../openvpn/openvpn.png)
+
+With this solution, you can terminate the server itself if you want after you're done. 
+    
+    
+    -DigitalOcean
+    -Droplet (Debian 10)
+    -Plan: Basic ($5/mo)
+    -Location (a region that isn't where you live)
+    -ssh keys or password
+    
+
+Once the droplet is created just log into it:
+    
+    
+    
+    	[ 192.168.122.1/24 ] [ /dev/pts/13 ] [~]
+    	→ ssh root@164.90.155.222
+    	The authenticity of host '164.90.155.222 (164.90.155.222)' can't be established.
+    	ECDSA key fingerprint is SHA256:m829SX8NOlOUnlm2fzokZJ5XMT6gxJoyNceCYOB8gms.
+    	Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+    	Warning: Permanently added '164.90.155.222' (ECDSA) to the list of known hosts.
+    	Linux debian-s-1vcpu-1gb-sfo3-01 4.19.0-8-cloud-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64
+    	
+    	The programs included with the Debian GNU/Linux system are free software;
+    	the exact distribution terms for each program are described in the
+    	individual files in /usr/share/doc/*/copyright.
+    	
+    	Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+    	permitted by applicable law.
+    	root@debian-s-1vcpu-1gb-sfo3-01:~#
+    
+
+## **Angristan's Script:**
+
+Angristan made a very powerful script that allows us to run our own vps hosted vpn server very easily, check him out [here](https://github.com/angristan):
+    
+    
+    wget https://raw.githubusercontent.com/ech1/serverside/master/ovpn/openvpn-install.sh
+    chmod +x openvpn-install.sh
+    ./openvpn-install.sh
+    
+    
+
+for starters just hit enter at everything, if you know what you're doing feel free to change options during the installation.
+
+for advanced users, i recommend trying out the openvpn on the 443 custom port to circumvent censorship in traffic restricted environments:
+    
+    
+    root@Temple:~# ./openvpn-install.sh
+    Welcome to the OpenVPN installer!
+    The git repository is available at: https://github.com/angristan/openvpn-install
+    
+    I need to ask you a few questions before starting the setup.
+    You can leave the default options and just press enter if you are ok with them.
+    
+    I need to know the IPv4 address of the network interface you want OpenVPN listening to.
+    Unless your server is behind NAT, it should be your public IPv4 address.
+    IP address: 78.141.239.68
+    
+    Checking for IPv6 connectivity...
+    
+    Your host does not appear to have IPv6 connectivity.
+    
+    Do you want to enable IPv6 support (NAT)? [y/n]: y
+    
+    What port do you want OpenVPN to listen to?
+       1) Default: 1194
+       2) Custom
+       3) Random [49152-65535]
+    Port choice [1-3]: 2
+    Custom port [1-65535]: 443
+    
+    What protocol do you want OpenVPN to use?
+    UDP is faster. Unless it is not available, you shouldn't use TCP.
+       1) UDP
+       2) TCP
+    Protocol [1-2]: 12
+    Protocol [1-2]: 2
+    
+    What DNS resolvers do you want to use with the VPN?
+       1) Current system resolvers (from /etc/resolv.conf)
+       2) Self-hosted DNS Resolver (Unbound)
+       3) Cloudflare (Anycast: worldwide)
+       4) Quad9 (Anycast: worldwide)
+       5) Quad9 uncensored (Anycast: worldwide)
+       6) FDN (France)
+       7) DNS.WATCH (Germany)
+       8) OpenDNS (Anycast: worldwide)
+       9) Google (Anycast: worldwide)
+       10) Yandex Basic (Russia)
+       11) AdGuard DNS (Anycast: worldwide)
+       12) NextDNS (Anycast: worldwide)
+       13) Custom
+    DNS [1-12]: 11
+    
+    Do you want to use compression? It is not recommended since the VORACLE attack make use of it.
+    Enable compression? [y/n]: n
+    
+    Do you want to customize encryption settings?
+    Unless you know what you're doing, you should stick with the default parameters provided by the script.
+    Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)
+    See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.
+    
+    Customize encryption settings? [y/n]: n
+    
+    Okay, that was all I needed. We are ready to setup your OpenVPN server now.
+    
+    [...]
+    
+    
+    Tell me a name for the client.
+    Use one word only, no special characters.
+    Client name: nothing
+    
+    Do you want to protect the configuration file with a password?
+    (e.g. encrypt the private key with a password)
+       1) Add a passwordless client
+       2) Use a password for the client
+    Select an option [1-2]: 2
+    ⚠️ You will be asked for the client password below ⚠️
+    
+    Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
+    Using SSL: openssl OpenSSL 1.1.1j  16 Feb 2021
+    Generating an EC private key
+    writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-4185644.tXXER0/tmp.mzvtcc'
+    Enter PEM pass phrase:
+    Verifying - Enter PEM pass phrase:
+    -----
+    Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-4185644.tXXER0/tmp.prBOSr
+    Check that the request matches the signature
+    Signature ok
+    The Subject's Distinguished Name is as follows
+    commonName            :ASN.1 12:'nothing'
+    Certificate is to be certified until Apr 13 15:51:09 2024 GMT (825 days)
+    
+    Write out database with 1 new entries
+    Data Base Updated
+    
+    Client nothing added.
+    
+    The configuration file has been written to /root/nothing.ovpn.
+    Download the .ovpn file and import it in your OpenVPN client.
+    
+
+you can even hide that it's a openvpn server on 443 tcp by using the port-sharing feature:
+    
+    
+    [ nowhere.moe ] [ /dev/pts/8 ] [/etc/openvpn]
+    → cat /etc/openvpn/server.conf | grep 443
+    port-share 127.0.0.1 443
+    
+    
+
+IF YOU'RE ON ARCH LINUX DONT FORGET TO DO THIS (as instructed [here](https://github.com/angristan/openvpn-install/issues/788)):
+    
+    
+    sudo  chown -R openvpn.network /var/log/openvpn /etc/openvpn/
+    
+    systemctl restart openvpn-server@server.service
+    
+    
+
+## **Getting the .ovpn file:**
+
+To get the ovpn file just use python's simplehttpserver module
+    
+    
+    root@debian-s-1vcpu-1gb-sfo3-01:~# ls -lash | grep ovpn
+    4.0K -rw-r--r--  1 root root 2.7K Aug 12 15:41 nothing.ovpn
+    root@debian-s-1vcpu-1gb-sfo3-01:~# python -m SimpleHTTPServer 9099
+    Serving HTTP on 0.0.0.0 port 9099 ...
+    
+    
+
+then just download it to your local machine:
+    
+    
+    [ 192.168.122.1/24 ] [ /dev/pts/7 ] [~]
+    → wget http://164.90.155.222:9099/nothing.ovpn
+    --2020-08-12 18:43:48--  http://164.90.155.222:9099/nothing.ovpn
+    Connecting to 164.90.155.222:9099... connected.
+    HTTP request sent, awaiting response... 200 OK
+    Length: 2764 (2.7K) [application/octet-stream]
+    Saving to: ‘nothing.ovpn’
+    
+    nothing.ovpn               100%[=====================================>]   2.70K  --.-KB/s    in 0s
+    
+    2020-08-12 18:43:48 (52.1 MB/s) - ‘nothing.ovpn’ saved [2764/2764]
+    
+    
+    [ 192.168.122.1/24 ] [ /dev/pts/7 ] [~]
+    → ls -lash | grep ovpn
+     12K -rw-r--r--  1 nothing nothing 9.3K Aug  3 12:18 nihilist777.ovpn
+    4.0K -rw-r--r--  1 nothing nothing 2.7K Aug 12 16:41 nothing.ovpn
+    
+
+And that's it, you may now use the .ovpn file with whatever client you wish for example openvpn or your distro's built in vpn utility:
+
+![](../openvpn/001.png)
+    
+    
+    [ 10.99.99.1/24 ] [ /dev/pts/22 ] [~]
+    → sudo openvpn nothing.ovpn
+    [sudo] password for nothing:
+    2022-01-09 16:52:42 Unrecognized option or missing or extra parameter(s) in nothing.ovpn:18: block-outside-dns (2.5.5)
+    2022-01-09 16:52:42 OpenVPN 2.5.5 [git:makepkg/869f194c23ae93c4+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 15 2021
+    2022-01-09 16:52:42 library versions: OpenSSL 1.1.1m  14 Dec 2021, LZO 2.10
+    🔐 Enter Private Key Password: *********
+    
+    
+
+Now if you want the openvpn service to start at bootup, do the following:
+    
+    
+    [ 10.8.0.5/24 ] [ /dev/pts/22 ] [~]
+    → sudo vim /etc/systemd/system/vpn.service
+    
+    [ 10.8.0.5/24 ] [ /dev/pts/22 ] [~]
+    → cat /etc/systemd/system/vpn.service
+    [Unit]
+    Description=VPN
+    After=network-online.target
+    Wants=network-online.target
+    
+    [Service]
+    Type=simple
+    ExecStart=/usr/sbin/openvpn /home/nothing/nothing0mainpc.ovpn
+    ExecStop=kill -9 $(pidof openvpn)
+    Restart=always
+    
+    [Install]
+    WantedBy=multi-user.target
+    
+    [ 10.8.0.5/24 ] [ /dev/pts/22 ] [~]
+    → systemctl daemon-reload
+    ==== AUTHENTICATING FOR org.freedesktop.systemd1.reload-daemon ====
+    Authentication is required to reload the systemd state.
+    Authenticating as: nothing
+    Password:
+    ==== AUTHENTICATION COMPLETE ====
+    
+    
+    
+
+And then from there you can start and stop your vpn like so:
+    
+    
+    [ 10.8.0.5/24 ] [ /dev/pts/22 ] [~]
+    → sudo systemctl start vpn
+    
+    [ 10.8.0.5/24 ] [ /dev/pts/22 ] [~]
+    → sudo systemctl stop vpn
+    
+    
+
+And to enable it at each system bootup:
+    
+    
+    [ 10.8.0.5/24 ] [ /dev/pts/22 ] [~]
+    → sudo systemctl enable vpn
+    Created symlink /etc/systemd/system/multi-user.target.wants/vpn.service → /etc/systemd/system/vpn.service.
+    
+    
+
+To avoid your vpn config from routing all traffic to the server, just add this line in the .ovpn file:
+    
+    
+    pull-filter ignore redirect-gateway
+    
+    
+
+## **Check that the ip is different:**
+
+You can check it on [ipleak.net](https://ipleak.net/):
+
+![](../openvpn/002.png)
+
+And that's it! you now have your own self hosted vpn server.
+