VPN file. Free VPN. Hide the ip. Common problems opening VPN files

This guide shows how to connect to a VPN Gate relay server using the OpenVPN client on Windows XP, 7, 8, 10, Server 2003, 2008 and 2012.

1. Install the OpenVPN client application for your operating system. Run the installation file. The installation wizard will open. Follow the on-screen prompts to install the application.

2. Download and install the OpenVPN connection configuration file (.ovpn file). This step is required only when setting up the connection for the first time.

You can download the configuration file (OpenVPN Config file) on the list page of open free relay servers http://www.vpngate.net/en/. Select the VPN server you want to connect to and click on the corresponding *.ovpn file to download it to your desktop or download folder.

After saving the file on your computer, it will appear as the OpenVPN icon. However, you will not be able to establish a connection by simply double-clicking on the file.

You need to move the *.ovpn file to the “config” folder of the main OpenVPN installation directory.

Open the C:\Program Files\OpenVPN\config folder and copy the *.ovpn file into it.

Right-click on the “OpenVPN GUI” icon on your desktop and select the “Run as administrator” option. Otherwise, you will not be able to establish a VPN connection.

The OpenVPN GUI icon will appear in the taskbar notification area (system tray). In some cases the icon may be hidden; click the arrow icon to show all hidden icons.

Right-click on the OpenVPN GUI icon and click “Connect”.

The VPN connection will start and its status will be displayed on the screen. If you see a dialog box asking for a username and password, enter “vpn” in both fields. This window appears very rarely.

If the VPN connection is successfully established, a pop-up message will appear as in the screenshot.

4. Internet without restrictions

When the VPN connection is established, a TAP-Windows Adapter V9 virtual network adapter is created on the Windows system. This adapter receives an IP address that starts with “10.211”, and the default gateway is also set through the virtual adapter.

You can check your network configuration by running ipconfig /all in the Windows Command Prompt.

Once the connection is established, all network traffic will go through the VPN server. You can verify this using the tracert 8.8.8.8 command in the Windows command line.

As shown in the screenshot above, if the packets pass through "10.211.254.254", then your connection is relayed through one of the VPN Gate servers. You can also go to the main VPN Gate page to view the global IP address.

You will be able to see a location visible from the network that will be different from your actual location.
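As an added example (not part of the original instructions), the following Python script performs the two checks described above on saved output of `ipconfig /all` and `tracert 8.8.8.8`: it finds the TAP-Windows adapter, confirms that its address lies in 10.211.0.0/16, and confirms that 10.211.254.254 appears among the traceroute hops. The sample output embedded in it is constructed to look like what those commands print; it was not captured from a real machine.

```python
import re

# Constructed sample of `ipconfig /all` on a Windows host with an active VPN Gate
# connection (not captured from a real system).
IPCONFIG_SAMPLE = """\
Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-12-34-56-78
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.211.1.57(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.211.254.254

Ethernet adapter Ethernet:

   Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
"""

# Constructed sample of `tracert 8.8.8.8` over the same connection.
TRACERT_SAMPLE = """\
Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:

  1    25 ms    24 ms    25 ms  10.211.254.254
  2    26 ms    25 ms    26 ms  203.0.113.1
  3    30 ms    29 ms    31 ms  dns.google [8.8.8.8]

Trace complete.
"""

VPNGATE_PREFIX = "10.211."          # address range VPN Gate hands out (from the guide)
VPNGATE_GATEWAY = "10.211.254.254"  # the relay's hop seen in tracert (from the guide)

# "   IPv4 Address. . . . : 10.211.1.57(Preferred)" -> ("IPv4 Address", "10.211.1.57(Preferred)")
FIELD_RE = re.compile(r"^\s+([^.:]+?)[ .]*:\s*(.*)$")
# "  1    25 ms    24 ms    25 ms  10.211.254.254" -> "10.211.254.254"
HOP_RE = re.compile(r"^\s*\d+\s+(?:(?:<?\d+ ms|\*)\s+){3}(.+)$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_ipconfig(text):
    """Split `ipconfig /all` output into one {field: value} dict per adapter block."""
    adapters, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = {"Adapter": line.rstrip().rstrip(":")}
            adapters.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return adapters


def tap_adapter_ipv4(adapters):
    """IPv4 address of the TAP-Windows adapter, or None if absent / unaddressed."""
    for adapter in adapters:
        if "TAP-Windows" in adapter.get("Description", ""):
            ip = adapter.get("IPv4 Address", "").split("(")[0]  # drop "(Preferred)"
            return ip or None
    return None


def tracert_hops(text):
    """List of hop addresses in `tracert` output (hostnames reduced to the bracketed IP)."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            ip = IPV4_RE.search(m.group(1))
            hops.append(ip.group(0) if ip else m.group(1).strip())
    return hops


def check_vpngate_relay(ipconfig_text, tracert_text):
    """Return (ok, findings): ok is True when both checks from the guide pass."""
    findings = []
    ip = tap_adapter_ipv4(parse_ipconfig(ipconfig_text))
    if ip is None:
        findings.append("no TAP-Windows adapter with an IPv4 address: the tunnel is not up")
    elif not ip.startswith(VPNGATE_PREFIX):
        findings.append(f"TAP adapter address {ip} is not in {VPNGATE_PREFIX}0.0/16")
    hops = tracert_hops(tracert_text)
    if VPNGATE_GATEWAY not in hops:
        findings.append(f"hops {hops[:3]} do not pass through {VPNGATE_GATEWAY}: traffic may bypass the VPN")
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = check_vpngate_relay(IPCONFIG_SAMPLE, TRACERT_SAMPLE)
    print("relayed through VPN Gate" if ok else "\n".join(findings))
```

On a real machine, redirect `ipconfig /all > ipconfig.txt` and `tracert 8.8.8.8 > tracert.txt` and feed the two files to `check_vpngate_relay`; the parser only relies on the column layout shown above.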

Setting up OpenVPN for MacOS

This tutorial demonstrates how to connect to a VPN Gate relay server using the Tunnelblick app. Tunnelblick is a graphical version of the OpenVPN client for macOS systems.

1. Install the Tunnelblick app

Download and install the latest version of the Tunnelblick application. Instructions will appear on the screen during installation.

Once the installation is complete, the following screen will appear. Select the “I have configuration files” option.

The screen will show instructions for adding the configuration to Tunnelblick.

Click OK to close the window.

2. Download and install the OpenVPN connection configuration file (.ovpn file). This step is required only when setting up the connection for the first time.

A configuration file in *.ovpn format is needed to connect to the VPN Gate relay server via the OpenVPN protocol.

You can download the configuration file (OpenVPN Config file) on the list page of open free relay servers http://www.vpngate.net/en/. Select the VPN server you want to connect to and click on the corresponding *.ovpn file to download it to your Downloads folder.

To install a *.ovpn configuration file, drag it onto the Tunnelblick icon in the menu bar, or onto the list of configurations in the Configurations tab of the VPN Details window. If you need to install several configuration files at once, select them all and then drag them.

When adding, you will need to enter the username and password for your MacOS account.

Click the Tunnelblick icon on the top toolbar of MacOS and select the “Connect [configuration name]” option. The VPN connection will start.

The VPN connection status will appear as shown in the screenshot. Once the connection has been successfully established, the Tunnelblick main window will show the “Connected” status.

4. Internet without restrictions

Once the connection is established, all network traffic will go through the VPN server. You can also go to the main VPN Gate page to view the global IP address. You will be able to see a location visible from the network that will be different from your actual location.

When connected to a VPN, you will be able to visit blocked websites and play blocked games.


Hello anonymous.

Today I’ll tell you about 4 services that provide a VPN to hide your IP. The services are considered for OpenVPN, so you will have to download the OpenVPN client. Of course, these sites may have other protocols, but I think this protocol is more optimal.
Access can be obtained both on a PC (Windows, Linux) and on an Android or iOS device.
Setting up OpenVPN on Windows.
First, you need to download a VPN certificate (a configuration file in .ovpn format) from the VPN website; each service has its own settings.
Find the downloaded archive and unpack the file or files with the .ovpn extension into the config folder where the OpenVPN program is located. I have it at the path "C:\Program Files\OpenVPN\config".
Next, open the OpenVPN GUI program; a gray program icon will appear in the tray. Right-click it, select the desired protocol, click Connect and enter the username and password from the site, then click Connect. We wait; if everything goes well with the connection, the icon turns green. That's it, you can use the Internet.


Everything is simple here. Go to the “Accounts” tab; you will see ANONYMOUS SERVER #1 and ANONYMOUS SERVER #2 (only the first one works for me). Under OpenVPN there is the information we need about the login and access password (passwords change often).
For example:
Username: freevpnme
Password: Pmn48NqjE
Write down this information and download the certificates “Download Server #1 certificate Bundle” or “Download Server #2 certificate Bundle” if you selected ANONYMOUS SERVER #2. Place the certificates in the folder with the program.

Also a good site. There are 6 free VPN servers; on the main page you can see which of them are active (“Server Status”). Go to the “Free VPN accounts” tab and look under OpenVPN.
Download the required certificate, for example Euro1 OpenVPN Certificate Bundle. The passwords are also there. In my case, currently:
Username: vpnbook
Password: Spupru2r.
Then you already know how to set it up.

There are many countries here. On the main page, scroll down to the table that lists the countries where the VPN servers are located. Select the country you need and download the OpenVPN Config file certificate, then all you have to do is drop it into the config folder. Passwords are not required; they are already written into the certificates. All you have to do is connect through the tray icon.

There are 2 USA servers here; only the first one worked for me. Open the Free VPN tab, scroll the page to Free OpenVPN, and download the US1 server certificate (“Download configs”). There is also a login and password; in my case:
Username: us_open
Password: ezptcd
That's all. In this article I’m talking about VPN services that already have a program that you just need to download and use.


I needed to connect from home to a computer on the office local network. I considered various options, such as TeamViewer, an SSH tunnel and so on, but in the end I decided on OpenVPN because of its guaranteed security, connection reliability and the fact that the software is free.
But to my surprise, every instruction I found had to be modified to one degree or another. So I decided to offer you my own version. The instructions are “dry”, without much explanation of the configs, and are meant to let you set up an encrypted tunnel without going into too much detail.
To begin with, of course, download the program from the official website (http://openvpn.net/index.php/download/community-downloads.html). I recommend installing it in the “c:\openvpn” directory so that there are no unnecessary problems with paths later. You also need to create “c:\openvpn\ssl” right away (all our “keys” will go there) and the files “c:\OpenVPN\log\openvpn.log” and “c:\OpenVPN\log\openvpn-status.log” for the logs.
Let's start editing all our configs. So that the office firewall does not interfere with future connections, we will configure the server part on the home PC and the client part on the work one.

Setting up the server.

We create:

c:\openvpn\easy-rsa\vars.bat

echo off
set path=%path%;c:\OpenVPN\bin
set HOME=c:\OpenVPN\easy-rsa
set KEY_CONFIG=openssl.cnf
set KEY_DIR=c:\OpenVPN\ssl
set KEY_SIZE=1024
set KEY_COUNTRY=RU
set KEY_PROVINCE=mycity
set KEY_CITY=mycity
set KEY_ORG=Comp
set KEY_EMAIL=admin@local


"c:\openvpn\easy-rsa\openssl.cnf"

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME=.
RANDFILE = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

# We can add new OIDs in here for use by "ca" and "req".
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=$(testoid1).5.6

[ new_oids ]


[ca]
default_ca = CA_default # The default ca section

####################################################################
[CA_default]

dir = $ENV::KEY_DIR # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir # default place for new certs.

certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file

x509_extensions = usr_cert # The extensions to add to the cert

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext

default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # which md to use (MD5-signed certificates are rejected by OpenVPN 2.4 and later)
preserve = no # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that:-)
policy = policy_match

# For the CA policy
[policy_match]
countryName = match
stateOrProvinceName = match
organizationName = match

commonName = supplied
emailAddress = optional

# For the "anything" policy
# At this point in time, you must list all acceptable "object"
# types.
[policy_anything]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[req]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix: PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr: PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr

# req_extensions = v3_req # The extensions to add to a certificate request

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE

localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY

0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64

emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40

# SET-ex3 = SET extension number 3

[req_attributes]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name

[ usr_cert ]

# These extensions are added when "ca" signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl = www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

[ server ]

# JY ADDED - Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# added: lets a client check the server with "remote-cert-tls server",
# which OpenVPN 2.5 and later require instead of ns-cert-type
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]

# Extensions for a typical CA

# PKIX recommendation.

subjectKeyIdentifier=hash

# This is what PKIX recommends but some broken software chokes on critical
#extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where "obj" is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

#CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
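Added example, not from the original post: a small Python linter for an easy-rsa-style openssl.cnf. A listing like the one above is easy to damage when copied (bracketed section headers such as [ usr_cert ] are silently swallowed by HTML), and openssl ca then fails with an error about a missing extension section. The script parses the file, resolves $ENV:: references from a supplied environment (KEY_SIZE from vars.bat), checks that every section named by default_ca, x509_extensions, policy and similar keys exists, checks that sections named on the command line exist (build-key-server passes -extensions server), and flags weak defaults (default_md = md5, RSA keys under 2048 bits). The embedded sample is a trimmed, constructed version of the config with the [ usr_cert ] header deliberately missing.

```python
import re

# Constructed, trimmed openssl.cnf in the style of the listing above. The comment line
# stands where the "[ usr_cert ]" header should be, so basicConstraints below it lands
# in [ req_attributes ] and the CA_default reference to usr_cert dangles.
SAMPLE_CNF = """\
HOME = .
oid_section = new_oids

[ new_oids ]

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = $ENV::KEY_DIR
certificate = $dir/ca.crt
private_key = $dir/ca.key
x509_extensions = usr_cert
default_days = 3650
default_md = md5
policy = policy_match

[ policy_match ]
countryName = match
commonName = supplied

[ req ]
default_bits = $ENV::KEY_SIZE
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca

[ req_distinguished_name ]
commonName = Common Name

[ req_attributes ]
challengePassword = A challenge password

# the [ usr_cert ] header is missing here
basicConstraints = CA:FALSE

[ server ]
basicConstraints = CA:FALSE
nsCertType = server

[ v3_ca ]
basicConstraints = CA:true
"""

SECTION_RE = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]\s*$")
KEY_VALUE_RE = re.compile(r"^\s*([^=\s]+)\s*=\s*(.*?)\s*$")
ENV_RE = re.compile(r"\$ENV::(\w+)")
# keys whose value is the name of another section in the same file
REFERENCE_KEYS = {"default_ca", "x509_extensions", "req_extensions", "crl_extensions",
                  "oid_section", "policy", "distinguished_name", "attributes", "extensions"}
WEAK_DIGESTS = {"md2", "md4", "md5", "sha1"}


def parse_cnf(text):
    """Return {section: [(key, value), ...]}; '' holds keys that precede the first section."""
    sections, current = {"": []}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = KEY_VALUE_RE.match(line)
        if m:
            sections[current].append((m.group(1), m.group(2)))
    return sections


def lint_cnf(text, env=None, required=()):
    """Report dangling section references, missing required sections and weak defaults."""
    env = env or {}
    sections = parse_cnf(text)
    problems = []
    for name in required:
        if name not in sections:
            problems.append(f"section [{name}] used via '-extensions {name}' is missing")
    for section, pairs in sections.items():
        label = section or "(global)"
        for key, value in pairs:
            value = ENV_RE.sub(lambda m: env.get(m.group(1), m.group(0)), value)
            if key in REFERENCE_KEYS and value not in sections:
                problems.append(f"[{label}] {key} = {value}: section [{value}] is not defined")
            if key == "default_md" and value.lower() in WEAK_DIGESTS:
                problems.append(f"[{label}] default_md = {value}: weak signature digest, use sha256")
            if key == "default_bits" and value.isdigit() and int(value) < 2048:
                problems.append(f"[{label}] default_bits = {value}: RSA keys below 2048 bits are too weak")
    return problems


if __name__ == "__main__":
    # KEY_SIZE=1024 mirrors vars.bat above; "server" is the section build-key-server asks for
    for problem in lint_cnf(SAMPLE_CNF, env={"KEY_SIZE": "1024"}, required=("server",)):
        print(problem)
```

Run it against the real file with `lint_cnf(open(r"c:\openvpn\easy-rsa\openssl.cnf").read(), env=..., required=("server",))`, passing the KEY_* values from vars.bat as `env`.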


Copy index.txt.start to index.txt, and serial.start to serial in the ssl folder

It's time to create certificates

Open the command line as administrator, change to c:\openvpn\easy-rsa, run vars.bat to load the variables, and execute sequentially:
  • clean-all
  • build-ca
    #(accept all default values by pressing Enter)
  • build-dh
  • build-key-server SERVER_NAME (your choice)
    #When prompted for a Common Name, you must enter SERVER_NAME again
    Next, to avoid problems with creating a client certificate, clear index.txt in the ssl folder
  • build-key KLIENT (your choice)
    #use a Common Name different from the server's, otherwise openssl ca refuses the duplicate subject
  • openvpn --genkey --secret %KEY_DIR%\ta.key

Create server.ovpn in the config folder and edit it.

server.ovpn

dev tun
proto tcp-server
port 5190
tls-server
server 192.168.0.0 255.255.255.0
comp-lzo
dh C:\\OpenVPN\\ssl\\dh1024.pem
ca C:\\OpenVPN\\ssl\\ca.crt
cert C:\\OpenVPN\\ssl\\Server.crt
key C:\\OpenVPN\\ssl\\Server.key
tls-auth C:\\OpenVPN\\ssl\\ta.key 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
keepalive 10 120
status C:\\OpenVPN\\log\\openvpn-status.log

verb 3


We send ca.crt, klient.crt, klient.key and ta.key from “c:\openvpn\ssl” to our clients (placing them in the same directory “c:\openvpn\ssl” on the client). Hand over klient.key and ta.key through a trusted channel only: anyone holding them can connect as that client.

Client setup

On the client’s computer, install the application we downloaded at the same path c:\openvpn. Create the ssl folder and the files openvpn.log and openvpn-status.log in c:\openvpn\log.
Create clientVPN.ovpn in the c:\openvpn\config folder and edit it.

"clientVPN.ovpn"

dev tun
proto tcp
# server address (public IP or DynDNS name) and port; the server above listens on 5190,
# so 7777 only works if the router forwards 7777 to it
remote x.x.x.x 7777
route-delay 3
client
tls-client
# ns-cert-type was removed in OpenVPN 2.5; there use "remote-cert-tls server", which
# requires extendedKeyUsage=serverAuth in the server certificate
ns-cert-type server
ca C:\\OpenVPN\\ssl\\ca.crt
# the file names must match what build-key produced (klient.crt / klient.key above)
cert C:\\OpenVPN\\ssl\\client.crt
key C:\\OpenVPN\\ssl\\client.key
tls-auth C:\\OpenVPN\\ssl\\ta.key 1
comp-lzo
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping-restart 60
ping 10
status C:\\OpenVPN\\log\\openvpn-status.log
log C:\\OpenVPN\\log\\openvpn.log
verb 3

On the server, run server.ovpn (the “Start OpenVPN...” item in the tray icon's context menu), and on the client clientVPN.ovpn. If necessary, change the startup type of the OpenVPN Service to “Automatic”. The tunnel is up; you can safely go to work, for example via RDP. The server address in our virtual network will be 192.168.0.1. I hope this post reduces the time needed to set up OpenVPN, even for complete beginners, to just a few minutes.
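An added check that is not part of the original post: a Python script that parses a server/client .ovpn pair and verifies the settings that must agree between them (tun/tap device, TCP versus UDP, the port the client connects to against the port the server listens on, the tls-auth key direction 0/1, comp-lzo on both sides, and that the client checks the peer's server certificate). The embedded sample configs are constructed from the two listings above and deliberately keep the two things that would stop them working together: `dev tune` instead of `dev tun`, and a client that connects to port 7777 while the server listens on 5190.

```python
import re

# Constructed from server.ovpn above (paths kept in OpenVPN's doubled-backslash form).
SERVER_OVPN = r"""
dev tun
proto tcp-server
port 5190
tls-server
server 192.168.0.0 255.255.255.0
comp-lzo
dh C:\\OpenVPN\\ssl\\dh1024.pem
ca C:\\OpenVPN\\ssl\\ca.crt
cert C:\\OpenVPN\\ssl\\Server.crt
key C:\\OpenVPN\\ssl\\Server.key
tls-auth C:\\OpenVPN\\ssl\\ta.key 0
keepalive 10 120
verb 3
"""

# Constructed from clientVPN.ovpn above, including its "dev tune" typo and port 7777.
CLIENT_OVPN = r"""
dev tune
proto tcp
remote x.x.x.x 7777
client
tls-client
ns-cert-type server
ca C:\\OpenVPN\\ssl\\ca.crt
cert C:\\OpenVPN\\ssl\\client.crt
key C:\\OpenVPN\\ssl\\client.key
tls-auth C:\\OpenVPN\\ssl\\ta.key 1
comp-lzo
ping-restart 60
ping 10
verb 3
"""

COMMENT_RE = re.compile(r"(^|\s)[#;].*$")   # OpenVPN comments start with # or ;
VALID_DEV = re.compile(r"^(tun|tap)\d*$")


def parse_ovpn(text):
    """Return a list of (directive, [args]) pairs, skipping comments and blank lines."""
    directives = []
    for raw in text.splitlines():
        line = COMMENT_RE.sub("", raw).strip()
        if line:
            parts = line.split()
            directives.append((parts[0], parts[1:]))
    return directives


def first(directives, name):
    """Arguments of the first occurrence of `name`, or None when the directive is absent."""
    for directive, args in directives:
        if directive == name:
            return args
    return None


def lint_pair(server_text, client_text):
    """Return a list of human-readable mismatches between a server and a client config."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    problems = []
    sdev = (first(s, "dev") or [""])[0]
    cdev = (first(c, "dev") or [""])[0]
    for side, dev in (("server", sdev), ("client", cdev)):
        if not VALID_DEV.match(dev):
            problems.append(f"{side}: 'dev {dev}' is not a tun/tap device")
    if sdev[:3] != cdev[:3]:
        problems.append(f"device type differs: server '{sdev}', client '{cdev}'")
    sproto = (first(s, "proto") or ["udp"])[0]
    cproto = (first(c, "proto") or ["udp"])[0]
    if sproto.startswith("tcp") != cproto.startswith("tcp"):
        problems.append(f"transport differs: server '{sproto}', client '{cproto}'")
    sport = (first(s, "port") or ["1194"])[0]          # OpenVPN's default port
    remote = first(c, "remote") or []
    cport = remote[1] if len(remote) > 1 else "1194"
    if sport != cport:
        problems.append(f"client connects to port {cport} but server listens on {sport} "
                        f"(only correct if a router forwards {cport} to {sport})")
    sta, cta = first(s, "tls-auth"), first(c, "tls-auth")
    if (sta is None) != (cta is None):
        problems.append("tls-auth is configured on only one side")
    elif sta is not None:
        dirs = {sta[1] if len(sta) > 1 else None, cta[1] if len(cta) > 1 else None}
        if dirs != {"0", "1"}:
            problems.append("tls-auth key direction must be 0 on the server and 1 on the client, "
                            f"got {sorted(map(str, dirs))}")
    if (first(s, "comp-lzo") is None) != (first(c, "comp-lzo") is None):
        problems.append("comp-lzo is set on only one side")
    if first(c, "remote-cert-tls") is None and first(c, "ns-cert-type") is None:
        problems.append("client does not check that the peer holds a server certificate "
                        "(add 'remote-cert-tls server')")
    return problems


if __name__ == "__main__":
    for problem in lint_pair(SERVER_OVPN, CLIENT_OVPN):
        print(problem)
```

Against real files, call `lint_pair(open(server_path).read(), open(client_path).read())` for the two .ovpn files; an empty list means the pair agrees on everything the script checks.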

Tags: openvpn


When working with cloud services, not only the speed of data processing and transmission is important: the guaranteed level of security comes first. Data stored on an external resource must under no circumstances fall into the wrong hands. On the other hand, there are constantly reports of states trying to block something. That is probably why interest in VPN solutions has grown lately, and alongside the already traditional IPsec/XFRM and OpenVPN, several other projects have begun to develop actively on Linux. Today, four interesting examples await you: SoftEther VPN, WireGuard, FreeLAN and GoVPN.

SoftEther VPN

SoftEther VPN is an academic project of the Japanese University of Tsukuba, distributed under the GPLv2 license. Its main feature is support for several VPN protocols compatible with their original clients. This allows you to use one application to connect clients running different OSes instead of a fleet of servers built from proprietary and open source solutions, and simply to choose the right protocol for the specific situation. Supported protocols: SSL-VPN (HTTPS), IPsec, L2TP, MS-SSTP, L2TPv3, EtherIP and OpenVPN. SoftEther VPN operates in remote-access and site-to-site modes, at the L2 (Ethernet-bridging) and L3 (IP) levels. Replacing OpenVPN with it gives a simpler configuration; there is an .ovpn file generator for quickly connecting a VPN client. Replacing an SSTP VPN allows you to stop using Win2k8/2012-based servers, which require a license. The proprietary protocol carries Ethernet over HTTPS (hence the project's name, Software Ethernet) and is characterized by good throughput and low latency. It makes it possible to transparently join several Ethernet networks into one, so no additional Ethernet-over-IP solution is needed.

And most importantly, it is NAT-friendly and works over the standard port 443, which ISP firewalls usually do not block. This feature allows the use of a VPN to be completely hidden: from the outside, the traffic looks like ordinary HTTPS traffic and is not detected by deep packet inspection. This is actually why it has become very popular in China, where it is used to bypass the Great Firewall. A virtual Ethernet adapter is implemented on the client side and a virtual switch on the server. A big plus is NAT traversal, enabled by default, so you do not need to ask the administrator to open access to a VPN server located on the internal network. But that's not all. In restricted networks where all TCP and UDP packets are blocked (for example, public Wi-Fi), you can build the VPN over ICMP or DNS, which firewalls usually do not block. Dynamic DNS is supported, allowing access to a server whose IP address changes. For this purpose a service called VPN Azure Cloud Service has been implemented: a connection to it can be made from the internal network, and then, if necessary, you can freely get inside that network. The client includes a special VPN Gate plugin that tracks IP changes and quickly connects to VPN Gate.

It provides high performance and a connection speed of 1 GB/s without significant RAM requirements and with minimal processor load, so the requirements for the server side are very low. According to tests, SoftEther VPN outperforms the original solutions on the same hardware. AES-256 and RSA-4096 encryption, IPv4/IPv6, and traffic and event logging are supported. User authentication can be local, via RADIUS or via a Windows domain.

Account administration and security settings can be configured remotely using the Server Manager GUI (localized in English, Japanese and Chinese only), which is installed on the administrator's Windows or macOS computer, or using the vpncmd command line utility. It can be installed on Windows, Linux, macOS, FreeBSD and Solaris. The source code and an archive with the compiled application are available. To install, you will need to select the OS, platform and component (server, client, bridge, ...). Linux kernels 2.4/2.6/3.x are officially supported, but it also works without problems in modern distributions with the 4.x kernel. On Linux, just unpack the archive and run the .install.sh file, then accept the license terms three times and start the server when finished.

WireGuard

WireGuard is the result of research by the project's author Jason A. Donenfeld, head of Edge Security. It is a product with built-in cryptography that is both easy to use and easy to implement (just over 4,000 lines of code), which makes it stand out from other solutions. For example, its code is easier to audit than anything written in *Swan/IPsec or OpenVPN. It is the youngest project in this review. People started talking about it in mid-summer 2016, after an announcement presenting a kernel patch was published on the Linux kernel developer mailing list, although the project itself had been developing for several years and had passed the cryptography review stage, so it is a candidate for inclusion in the mainline kernel.

A VPN connection is initialized (handshake) by exchanging public keys, similar to the approach used in SSH. Everything else is handled transparently by WireGuard: there is no need to worry about keys, routing, state tracking and so on. It is possible to use symmetric encryption as well, but this requires a little more configuration. Routing is performed by encryption keys: a private key is associated with each network interface. To refresh the keys, a new handshake occurs after a certain time or on a signal that the keys are out of date. For key negotiation and connection setup, the Noise_IK pattern of the Noise Protocol Framework is used instead of a separate user-space daemon; the peer list is maintained much like authorized_keys in SSH, without the complications of X.509 and ASN.1 support.

The ChaCha20 stream cipher and the Poly1305 message authentication code (MAC) are used for encryption. To derive a shared secret key, the elliptic-curve Diffie-Hellman protocol is used, in the Curve25519 implementation proposed by Daniel Bernstein. For hashing, BLAKE2s (RFC 7693) and SipHash-2-4 are used. A TAI64N timestamp prevents replay attacks: packets with a smaller timestamp than the last one seen are discarded.

Data transfer takes place at layer 3 of the OSI model through encapsulation in UDP packets. IPv4 and IPv6 are supported, including v4-in-v6 and v6-in-v4 encapsulation. It can work behind NAT and firewalls. It supports changing the IP address of the VPN server without dropping the connection, with automatic client reconfiguration.

After installation, a new network interface wg0 appears in the system, which can be configured using the standard ifconfig/ip address and route/ip route tools. A special wg utility allows you to set the device’s private key and specify the list of peers (each peer's public key and the IP addresses allowed for it).

To install, you will need a distribution with a Linux kernel >4.1. The package can be found in the repositories of major Linux distributions. There is a PPA for Ubuntu 16.04.

$ sudo add-apt-repository ppa:hda-me/wireguard
$ sudo apt update
$ sudo apt install wireguard-dkms wireguard-tools

Self-assembly from source code is also easy. We raise the interface, generate a pair of keys (for example, we save it in the privatekey and publickey files):

$ sudo ip link add dev wg0 type wireguard
$ wg genkey | tee privatekey | wg pubkey > publickey

We receive the public key from the client and create a connection.

$ sudo wg set wg0 listen-port 1234 private-key ~/privatekey peer IKy1eCE9pP1w... allowed-ips 192.168.0.0/24 endpoint 1.2.3.4:9876

It is possible to use PresharedKey (generated by the wg genpsk command), which adds another layer of symmetric encryption to the existing public key encryption. For a peer, you can specify PersistentKeepalive, which allows you to maintain the connection due to NAT and a firewall. Raising the interface:

$ sudo ip address add dev wg0 192.168.0.1/24

Let's look at the settings:

$ sudo wg

For convenience, it is better to prepare a configuration file in advance containing the interface section and peer sections. The format can be seen by entering wg showconf.

$ sudo wg setconf wg0 myconfig.conf

It is suitable both for small embedded devices such as smartphones and for backbone routers. Tests have shown that WireGuard has approximately four times the throughput and 3.8 times better responsiveness compared to OpenVPN (256-bit AES with HMAC-SHA-2-256). It is not only the implementation as a kernel module that plays a role here, while OpenVPN runs in user space. The performance gain also comes from not using the kernel's Crypto API, which is quite slow. Instead, WireGuard uses its own implementations of ChaCha20, Poly1305, BLAKE2s and Curve25519, which are positioned as fast and secure analogues of AES-256-CTR and HMAC; their software implementation allows a fixed execution time without hardware support.

Also, thanks to lower latency, WireGuard looks a little better in performance compared to IPsec (256-bit ChaCha20 + Poly1305 and AES-256-GCM-128), but the settings are much simpler.

For now, WireGuard is only available for Linux, but after testing it is expected to be ported to other OSes. The code is distributed under the GNU GPLv2 license.



FreeLAN

FreeLAN is a multi-platform VPN client distributed under the GNU GPL license and belonging to the so-called full-mesh class, that is, it uses P2P technologies. The project is relatively young; it only began to be actively promoted in 2013. Its main difference from other projects is the choice of architecture: client-server (like a regular VPN; depending on the settings, clients may or may not exchange data with each other, and the server can act as a relay), P2P (clients connect to each other directly) and mixed (both options). Thus, you can flexibly configure a VPN for almost any conditions. For example, a server may be needed to gain access to an internal network or to control connections, while in other cases clients can be allowed to connect directly.

The basis is its own protocol FSCP (FreeLAN Secure Channel Protocol), based on UDP. It can work both at the Ethernet level, establishing direct Ethernet connections between nodes, and at the IPv4/IPv6 level. Authentication by a shared passphrase or by X.509 certificates is provided; the minimum size of the RSA public key is 1024 bits, the recommended size is 2048 bits, and AES-256 is used as the symmetric cipher. Sessions have a limited lifetime, after which they are restarted; messages contain counters and timestamps, which helps to avoid replay attacks. Keep-alive messages are sent to maintain the session. The message header is signed with the private key, or with HMAC-SHA-256 if a pre-shared key is used. In general, the range of settings is very large.

Win, Linux, macOS, Raspberry Pi supported. The package is available in the repositories of the main distributions, so installation is not difficult. In fact, the program is a single binary, so creating networks is very simple.

$ freelan --security.passphrase "secret"

By default, the server will open port UDP/12000 on all interfaces, the virtual interface will receive the address 9.0.0.1. Using additional parameters, they can be overridden, as well as specifying certificates. We connect to the server from another node, assign it a different internal IP:

$ freelan --security.passphrase "secret" --fscp.contact 1.2.3.4:12000 --tap_adapter.ipv4_address_prefix_length 9.0.0.2/24

For convenience, all settings can be placed in a configuration file. When installing on Ubuntu, there is already a ready-made template /etc/freelan/freelan.cfg, which will be read at startup, and therefore it is better to immediately add parameters to it. An alternative to FreeLAN is PeerVPN or Cjdns, which also use distributed technologies.


GoVPN

GoVPN is a lightweight and easy-to-configure VPN daemon designed to create encrypted and authenticated communication channels over UDP or TCP. The project's goals include code that is secure and easy to read and audit, and resistance to DPI and censorship. In fact, GoVPN simply tunnels Ethernet frames, nothing more and nothing less. There are no special tools for managing IP addresses, but you can write scripts for this yourself. It uses TAP network interfaces; the interface name can be set in the settings. MTUs are configured per client. It is written in Go and distributed under the GPLv3 license. For key agreement, a protocol with mutual authentication of the parties by passphrase is used (PAKE DH A-EKE: Diffie-Hellman Augmented Encrypted Key Exchange). The client enters a passphrase to connect; the server stores only a verifier, which cannot be used in the client's role, so even if the server is compromised, the attacker cannot impersonate the client.

Three operating modes are implemented:

  • normal (the default), in which encrypted packets are simply sent to the network;
  • noise, in which packets are padded with noise to a constant length;
  • CPR (constant rate): in addition to padding, packets are sent at a fixed interval, and when there is no payload to send, a noise packet is sent instead.

In the last two modes, the constant stream of noise traffic hides both the length of messages and the very fact that a payload is being transmitted. The key exchange has the zero-knowledge property, so an offline dictionary attack on the passphrase is impossible, and it resists replay attacks through a one-time message authentication code and (optionally) time synchronization. Session keys are rotated, and heartbeats are sent to keep the connection alive through NAT or a firewall. Balloon is used for hashing passphrases (as of release 6.0); in release 5.0 it was Argon2d, and earlier still PBKDF2. The versions are therefore incompatible with each other.

There is also an unencrypted mode that nevertheless provides confidentiality and authenticity of data through the chaffing and winnowing technique. It allows restrictions on the use of cryptographic tools in some countries to be bypassed. Instead of encryption, only authentication algorithms are used together with the transmission of many bogus packets (the recipient simply keeps the packets that authenticate). However, this adds 4128 bytes to every packet, so the mode is demanding both on the CPU and on bandwidth.
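To show what chaffing and winnowing means in practice, here is an added Python example; it is not GoVPN's code and GoVPN's actual framing differs from it. The sender transmits each bit of the message twice in the clear: once with a valid HMAC-SHA-256 tag (wheat) and once inverted with a random tag (chaff). The receiver, holding the shared key, keeps only the packets whose tag verifies. The key and payload are constructed for the demo; an observer without the key sees both candidate values for every bit position and learns nothing from the content.

```python
import hashlib
import hmac
import random
from typing import Dict, List, Set, Tuple

# One packet on the wire: (sequence number, candidate bit, 32-byte authentication tag).
# The bit itself is sent in the clear; only the tag tells a key holder whether it is real.
Packet = Tuple[int, int, bytes]


def make_tag(key: bytes, seq: int, bit: int) -> bytes:
    """HMAC-SHA-256 over (seq, bit). Without the key a valid tag can neither be made nor checked."""
    return hmac.new(key, seq.to_bytes(4, "big") + bytes([bit]), hashlib.sha256).digest()


def chaff(message: bytes, key: bytes, rng: random.Random) -> List[Packet]:
    """Sender: for every bit emit the real bit with a valid tag (wheat) and the
    complementary bit with a random tag (chaff), then shuffle the whole stream."""
    packets: List[Packet] = []
    seq = 0
    for byte in message:
        for shift in range(7, -1, -1):
            bit = (byte >> shift) & 1
            packets.append((seq, bit, make_tag(key, seq, bit)))
            packets.append((seq, bit ^ 1, rng.getrandbits(256).to_bytes(32, "big")))
            seq += 1
    rng.shuffle(packets)
    return packets


def build_stream(message: bytes, key: bytes, seed: int = 1) -> List[Packet]:
    """Deterministic wrapper around chaff() so runs are reproducible."""
    return chaff(message, key, random.Random(seed))


def winnow(packets: List[Packet], key: bytes) -> bytes:
    """Receiver: keep only packets whose tag verifies, order them by sequence
    number and reassemble the bytes. Returns b'' if the stream is incomplete."""
    bits: Dict[int, int] = {}
    for seq, bit, tag in packets:
        if hmac.compare_digest(tag, make_tag(key, seq, bit)):
            bits[seq] = bit
    n = len(bits)
    if n == 0 or n % 8 or any(s not in bits for s in range(n)):
        return b""
    out = bytearray()
    for start in range(0, n, 8):
        value = 0
        for s in range(start, start + 8):
            value = (value << 1) | bits[s]
        out.append(value)
    return bytes(out)


def observer_candidates(packets: List[Packet]) -> Dict[int, Set[int]]:
    """What a passive observer without the key sees per bit position: both values."""
    seen: Dict[int, Set[int]] = {}
    for seq, bit, _ in packets:
        seen.setdefault(seq, set()).add(bit)
    return seen


if __name__ == "__main__":
    key = b"constructed-demo-psk"   # shared secret, constructed for the demo
    stream = build_stream(b"ping", key)
    print(len(stream), "packets carry 4 bytes")                 # 64 packets carry 4 bytes
    print(winnow(stream, key))                                  # b'ping'
    print(winnow(stream, b"wrong key"))                         # b''
    print(all(c == {0, 1} for c in observer_candidates(stream).values()))  # True
```

The doubling of packet count and the 32-byte tag per bit is what makes this family of techniques expensive, which is the trade-off the paragraph above describes for GoVPN's mode.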

It works over IPv4 and IPv6. It can connect through an external HTTP proxy, and the client also has a built-in HTTP proxy mode that can be used to reach the server. Real-time statistics about connected clients are served in JSON format by a built-in HTTP server. GNU/Linux and FreeBSD are supported. The server is configured with a YAML file.

The project does not offer ready-made packages, only source code; to build it you will need the uml-utilities and golang packages, although unofficial ports have already appeared in some distributions. The project is constantly evolving, and some of the setup instructions found online are no longer valid.


Conclusion

Each of the presented solutions has its advantages; it is worth taking a closer look and choosing the right one depending on the planned tasks.

Download the latest version of the program for your version of Windows:

Run the downloaded file, click Next, then I Agree, and tick the “OpenVPN RSA Certificate Management Scripts” box (required to be able to generate certificates):

Click Next again, then Install; the installation begins. During the process the wizard may ask you to confirm installation of the virtual network adapter; confirm it (Install).

After completion, click Next, uncheck Show Readme, and click Finish.

Creating certificates

Go to the OpenVPN installation folder (by default, C:\Program Files\OpenVPN) and create a directory ssl.

Then go to the folder C:\Program Files\OpenVPN\easy-rsa, create a file vars.bat, open it for editing and bring it to the following form:

set "PATH=%PATH%;%ProgramFiles%\OpenVPN\bin"
set HOME=%ProgramFiles%\OpenVPN\easy-rsa
set KEY_CONFIG=openssl-1.0.0.cnf
set KEY_DIR=keys
set KEY_SIZE=2048
set KEY_COUNTRY=RU
set KEY_PROVINCE=Sankt-Petersburg
set KEY_CITY=Sankt-Petersburg
set KEY_ORG=Organization
set KEY_EMAIL=master@site
set KEY_CN=DMOSK
set KEY_OU=DMOSK
set KEY_NAME=server.domain.ru
set PKCS11_MODULE_PATH=DMOSK
set PKCS11_PIN=12345678

* there is already a vars.bat.sample file in the easy-rsa directory; you can rename it and use it.
** do not change the value of HOME if you kept the default installation path; KEY_DIR is the directory where certificates will be generated; KEY_CONFIG may differ, so check it against vars.bat.sample or against the name of the corresponding file in the easy-rsa folder; KEY_NAME should match the full name (FQDN) of the VPN server; the remaining options can be filled in arbitrarily.

Launch the command line as administrator:

Change to the easy-rsa directory:

cd %ProgramFiles%\OpenVPN\easy-rsa

Run vars.bat:

vars.bat

Clean the directories of any outdated data:

clean-all.bat

Run vars.bat again (clean-all redefines some variables):

vars.bat

Now generate the certificate authority (CA) certificate:

build-ca.bat

Press Enter at every prompt.

Run build-dh.bat (it generates the Diffie-Hellman parameters):

build-dh.bat

* the command may take a long time to execute; this is normal.
* if the process appears to hang (for 5 minutes or more), you can create the parameters manually with the command openssl dhparam -out dh2048.pem 2048, then copy the resulting file dh2048.pem to the keys directory.

Generating a certificate for the server:

build-key-server.bat cert

* where cert is the name of the certificate; press Enter at every prompt. At the end, confirm the correctness of the information twice by entering y.

Then copy the contents of the folder C:\Program Files\OpenVPN\easy-rsa\keys to C:\Program Files\OpenVPN\ssl.

Server Configuration

Go to the folder C:\Program Files\OpenVPN\config and create a file server.ovpn. Open it for editing and bring it to the following form:

port 443
proto udp
dev tun
dev-node "VPN Server"
dh "C:\\Program Files\\OpenVPN\\ssl\\dh2048.pem"
ca "C:\\Program Files\\OpenVPN\\ssl\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\ssl\\cert.crt"
key "C:\\Program Files\\OpenVPN\\ssl\\cert.key"
server 172.16.10.0 255.255.255.0
max-clients 32
keepalive 10 120
client-to-client
comp-lzo
persist-key
persist-tun
cipher DES-CBC
status "C:\\Program Files\\OpenVPN\\log\\status.log"
log "C:\\Program Files\\OpenVPN\\log\\openvpn.log"
verb 4
mute 20

* where port is the network port (443 helps avoid problems when using the Internet in public places, but any free port can be used, for example 1723; ports in use on Windows can be listed with the command netstat -a); dev-node is the name of the network interface; server is the subnet in which both the server itself and the clients connected to it will operate.
** since some paths contain spaces, those parameters are placed in quotes.
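The configuration above chooses cipher DES-CBC (a 64-bit block cipher that current OpenVPN releases no longer enable by default), enables comp-lzo, and has no tls-auth or tls-crypt key. As an added example, not from this guide, here is a small Python checker that flags such directives, run over a copy of the page's server.ovpn (logging lines trimmed) and over a hardened variant. The hardened directives (tls-crypt, data-ciphers, auth SHA256, tls-version-min, remote-cert-tls) are my assumed settings for OpenVPN 2.5 or newer, and ta.key is a constructed file name that you would have to generate and distribute to every client.

```python
import shlex
from typing import List, Tuple

Directive = Tuple[str, List[str]]

# Ciphers that old OpenVPN releases still accept but which have 64-bit blocks
# (SWEET32) or are otherwise obsolete; compared case-insensitively.
WEAK_CIPHERS = {"DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC", "RC2-CBC", "BF-CBC", "CAST5-CBC", "NONE"}
WEAK_DIGESTS = {"MD5", "SHA1", "NONE"}

# server.ovpn as given on this page, with the status/log/verb/mute lines trimmed.
PAGE_SERVER_OVPN = r"""
port 443
proto udp
dev tun
dev-node "VPN Server"
dh "C:\\Program Files\\OpenVPN\\ssl\\dh2048.pem"
ca "C:\\Program Files\\OpenVPN\\ssl\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\ssl\\cert.crt"
key "C:\\Program Files\\OpenVPN\\ssl\\cert.key"
server 172.16.10.0 255.255.255.0
max-clients 32
keepalive 10 120
client-to-client
comp-lzo
persist-key
persist-tun
cipher DES-CBC
"""

# Hardened variant (assumed settings for OpenVPN 2.5+). ta.key is a constructed name;
# create it with `openvpn --genkey tls-crypt ta.key` and copy it to every client.
HARDENED_SERVER_OVPN = r"""
port 443
proto udp
dev tun
dev-node "VPN Server"
dh "C:\\Program Files\\OpenVPN\\ssl\\dh2048.pem"
ca "C:\\Program Files\\OpenVPN\\ssl\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\ssl\\cert.crt"
key "C:\\Program Files\\OpenVPN\\ssl\\cert.key"
tls-crypt "C:\\Program Files\\OpenVPN\\ssl\\ta.key"
server 172.16.10.0 255.255.255.0
max-clients 32
keepalive 10 120
client-to-client
persist-key
persist-tun
cipher AES-256-GCM
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
tls-version-min 1.2
remote-cert-tls client
"""


def parse_ovpn(text: str) -> List[Directive]:
    """Split an OpenVPN config into (directive, args); '#' and ';' begin comment lines."""
    out: List[Directive] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)        # honours the quoting used for paths with spaces
        out.append((parts[0], parts[1:]))
    return out


def audit(text: str) -> List[str]:
    """Findings a defender would raise against a server config; an empty list means clean."""
    cfg = parse_ovpn(text)
    present = {name for name, _ in cfg}
    findings: List[str] = []
    for name, args in cfg:
        arg = args[0].upper() if args else ""
        if name == "cipher" and arg in WEAK_CIPHERS:
            findings.append(f"cipher {args[0]}: obsolete cipher; use AES-256-GCM")
        elif name == "auth" and arg in WEAK_DIGESTS:
            findings.append(f"auth {args[0]}: weak HMAC digest; use SHA256")
        elif name == "comp-lzo" or (name == "compress" and arg not in ("", "STUB", "STUB-V2")):
            findings.append(f"{name}: compression inside the tunnel can leak plaintext (VORACLE); remove it")
    if not present & {"cipher", "data-ciphers"}:
        findings.append("no cipher/data-ciphers: the default depends on the release (BF-CBC on old ones); set it")
    if not present & {"tls-auth", "tls-crypt", "tls-crypt-v2"}:
        findings.append("no tls-auth/tls-crypt: control-channel packets are not pre-authenticated; add tls-crypt")
    if "auth" not in present:
        findings.append("no auth: the HMAC digest defaults to SHA1; set auth SHA256")
    if "tls-version-min" not in present:
        findings.append("no tls-version-min: old TLS versions are accepted; set tls-version-min 1.2")
    if "remote-cert-tls" not in present:
        findings.append("no remote-cert-tls client: client certificates are not checked for the client EKU; add it")
    return findings


if __name__ == "__main__":
    for label, cfg in (("page", PAGE_SERVER_OVPN), ("hardened", HARDENED_SERVER_OVPN)):
        print(label, "->", audit(cfg) or "clean")
```

Run it over your own server.ovpn by passing the file contents to audit(); the page config yields six findings, the hardened one none.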

In Windows Network Connections, open the adapter list and rename the TAP adapter to “VPN Server” (the name given in the dev-node line of our configuration file):
