
Creating an “island of network freedom” based on a VPS in 30 minutes

With the sensational law 149-FZ coming into force, many Habr users are asking: what happens next? Could an analogue of the Great Firewall of China appear in Russia and block everything and everyone? In this tutorial I would like to look at one of the most effective and secure ways to ensure your freedom of information: your own VPS server, located far abroad and connected to you through an encrypted VPN tunnel. Unlike Tor or I2P, the confidentiality of the transmitted information is guaranteed; it is unlikely that anyone will try to decrypt your data or organize a raid on a foreign server (unless, of course, you are a world-class hacker).

Which VPS to choose?


Free :) Strange as it sounds, such servers exist, for example the list of free VPS hosting sites that I use. These are mostly trial offers for a period of 1 month, but nothing stops you from picking another trial service a month later, since the list is long. Nobody guarantees anything, though; if you need guaranteed confidentiality, choose paid servers in the Netherlands, the Czech Republic, Egypt and other safe countries. I chose an American server: firstly, it was the most convenient of the free ones, and secondly, all this was started not only for security but also for buying a Nexus 7 through the Play Store (another useful purpose).
You also need to check that the server has a “white” (public) IP address and look at how the server is virtualized. The latter matters less for the method I chose: servers with an isolated kernel (for example KVM) usually have no problems with missing modules, but if the kernel is shared and cannot be modified (for example OpenVZ), you need to contact technical support (see below). When registering, it is better to choose a Debian-like system; it is simpler, and the instructions below are written for it. The rest is up to you.

Installation and configuration


Reading the first two sections, searching for and registering a VPS took you about 15 minutes, and the same amount remains. Once you have received / paid for the VPS, you need to do something with it, namely bring up a VPN on it. For this I used OpenVPN: free, secure and quick to set up. If you chose a VPS based on the popular OpenVZ, write to technical support right away and ask them to enable the iptables, NAT and tun modules; the first two most likely exist already, but tun probably does not. While support is working on it (I hope they will not be so fast that they restart the VPS at a critical moment; I personally was lucky), we connect to the server and install OpenVPN:
apt-get install openvpn

From here there are two ways: quick and reliable.

Quick way

This method uses a single static pre-shared key; it is simpler but less secure. Generate the key:

cd /etc/openvpn
openvpn --genkey --secret static.key

Copy it to your computer (cat the file and paste the output into a local file) and create the /etc/openvpn/tun0.conf config:

/etc/openvpn/tun0.conf:

dev tun0
ifconfig 192.168.1.1 192.168.1.2
secret /etc/openvpn/static.key

Reliable way

This method enables certificate-based TLS/SSL encryption on the server, but it takes longer to configure. Copy the easy-rsa toolkit for generating keys and certificates into the openvpn folder:

cd /etc/openvpn
mkdir easy-rsa
cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* easy-rsa/
chmod -R +x easy-rsa/

Initialize the script:

cd easy-rsa/
source ./vars
./clean-all

Create the CA certificate and key; we will be asked for details about the certificate, and any values, even dummy ones, will do:

./build-ca

Create the certificate / key for the server:

./build-key-server server

Generate the Diffie-Hellman parameters used in the SSL/TLS handshake:

./build-dh

And create the keys for yourself:

./build-key myname

The folder /etc/openvpn/easy-rsa/keys now holds all the necessary keys; for client authorization we only need myname.crt and myname.key (our own certificate and key) and ca.crt (the CA certificate).

Create the configuration file /etc/openvpn/tun.conf in your favorite text editor:

port 1194
proto udp
# proto tcp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 192.168.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3
push "dhcp-option DNS 8.8.8.8"

Check


Now you can run the OpenVPN server:

service openvpn start

If everything succeeded, we can connect to the server using the certificates and keys downloaded above (do not forget to enable LZO compression on the client if it is enabled on the server!). If not, the log will probably contain something like
Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory
This means technical support did a poor job and did not enable the tun module. If all is well, we can ping the VPS, but there is no Internet yet; for that we need NAT:

echo 1 > /proc/sys/net/ipv4/ip_forward
echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o venet0 -j SNAT --to-source SERVER_IP

If you chose a different subnet, specify it instead of 192.168.1.0/24. Instead of venet0, specify the interface that faces the Internet (see ifconfig), and instead of SERVER_IP, the external IP address of the VPS. Now save the iptables settings:

iptables-save > /etc/iptables.rules

And restore them at boot from /etc/rc.local:

iptables-restore < /etc/iptables.rules

Enable openvpn at boot and restart the OpenVPN server:

update-rc.d openvpn defaults
service openvpn restart
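The client side of the connection, the NAT rule and the log check above are all driven by the same server config. As an added example (not code from the original post), the following shell helpers read the directives from that config so the client .ovpn, the SNAT rule and the diagnosis of the TUN error are derived from one place instead of being retyped. The server config and log line are constructed samples embedded inline; the function names, the interface venet0 and the address 203.0.113.10 are assumptions; the `remote-cert-tls server` line in the generated client config is an addition that makes the client verify the server certificate was issued with the server role by ./build-key-server, so another client certificate from the same CA cannot pose as the server.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Constructed sample of the tun.conf server config from the tutorial.
SERVER_CONF='port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 192.168.1.0 255.255.255.0
keepalive 10 120
comp-lzo
push "dhcp-option DNS 8.8.8.8"'

# Constructed sample log line of the failure the tutorial describes.
SAMPLE_LOG='Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)'

# conf_get CONF DIRECTIVE: print the arguments of the first matching
# directive, ignoring comments; prints nothing if it is absent.
conf_get() {
    printf '%s\n' "$1" | sed 's/#.*//' |
        awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# conf_has CONF DIRECTIVE: exit 0 if the directive is present at all
# (needed for flag directives such as comp-lzo that take no arguments).
conf_has() {
    printf '%s\n' "$1" | sed 's/#.*//' |
        awk -v d="$2" '$1 == d { found = 1 } END { exit !found }'
}

# cidr_prefix NETMASK: dotted netmask to prefix length (255.255.255.0 -> 24)
cidr_prefix() {
    echo "$1" | awk -F. '{ n = 0
        for (i = 1; i <= 4; i++) { o = $i
            while (o > 0) { n += o % 2; o = int(o / 2) } }
        print n }'
}

# nat_rule CONF IFACE SERVER_IP: the SNAT rule from the tutorial, with the
# subnet taken from the "server" line so it cannot drift from the config.
nat_rule() {
    set -- "$(conf_get "$1" server)" "$2" "$3"
    net=${1%% *}
    mask=${1#* }
    echo "iptables -t nat -A POSTROUTING -s $net/$(cidr_prefix "$mask") -o $2 -j SNAT --to-source $3"
}

# client_config CONF HOST NAME: a client .ovpn matching the server's proto,
# port and compression, using the files produced by ./build-key NAME.
client_config() {
    conf=$1; host=$2; name=$3
    printf 'client\ndev tun\nproto %s\nremote %s %s\n' \
        "$(conf_get "$conf" proto)" "$host" "$(conf_get "$conf" port)"
    printf 'ca ca.crt\ncert %s.crt\nkey %s.key\n' "$name" "$name"
    # Only accept a certificate issued with the server role (added hardening).
    printf 'remote-cert-tls server\nnobind\npersist-key\npersist-tun\n'
    # LZO must match the server side or the tunnel carries no traffic.
    if conf_has "$conf" comp-lzo; then printf 'comp-lzo\n'; fi
}

# diagnose_log LOGTEXT: classify the startup outcome from the OpenVPN log.
diagnose_log() {
    case $1 in
        *"Cannot open TUN/TAP dev"*) echo "tun-missing: ask support to enable the tun module" ;;
        *"Initialization Sequence Completed"*) echo "ok" ;;
        *) echo "unknown" ;;
    esac
}

# Usage (hypothetical interface name and server address):
# nat_rule "$SERVER_CONF" venet0 203.0.113.10
# client_config "$SERVER_CONF" 203.0.113.10 myname > myname.ovpn
# diagnose_log "$(cat /var/log/openvpn.log)"
```

The generated client config expects ca.crt, myname.crt and myname.key in the same directory as the .ovpn file; copy them from /etc/openvpn/easy-rsa/keys over the SSH session, never over an unencrypted channel, since myname.key is the client's private key.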

That's it! Didn't I tell you we would manage in 30 minutes?

Source: https://habr.com/ru/post/157547/
