
I prefer to route all of my home internet traffic out over an OpenVPN server that I manage myself. This worked great for years, until recently my ISP started throttling OpenVPN traffic using Deep Packet Inspection (DPI), causing two things to happen:

  1. Internet unusable while on OpenVPN
  2. All geo-restricted content restricted again

To top off the situation, this started the day we had a house guest arrive. Not the most ideal time to deal with a problem like this.

Hey! Nice to see you. Right, well, I'll be parked in front of the computer for the next couple of days.

Needless to say, this got researched late at night and after our guest left.

I figured that this would be a good time to upgrade my home network as well. I have been lustfully eyeing the Ubiquiti UniFi product line. Our villa has very thick concrete walls, and I figured it would be a more reliable WiFi solution... plus it would be freaking cool.

Below is a diagram of how my network was set up before upgrading.

I restructured my network with three major changes.

  1. OPNsense firewall - This is a fork of pfSense, and a little more finicky than pfSense.
  2. UniFi 16-port PoE switch - Managed network switch that provides Power over Ethernet and the other things managed switches provide, like link bonding.
  3. UniFi AP AC Pro - Enterprise-level wireless access points that pull power from the switch, so they only need an Ethernet cable run to them.

Why did I switch from pfSense to OPNsense?

I think it is safe to say that pfSense is the leading open source firewall currently available. So why would I want to switch? Looking at my main problem, DPI slowing OpenVPN, I wanted the simplest solution to the problem. With a little searching, it appears that there are two well-known options for OpenVPN obfuscation:

  1. Obfsproxy - A Tor subproject that can obfuscate just about any traffic you wish, including OpenVPN.
  2. Tunnelblick's XOR patch - Changes to the OpenVPN source code that add scramble options to OpenVPN, scrambling each buffer of traffic before it is sent between the OpenVPN client and server.

Having used pfSense for years, I had my configuration dialed in, and I was very comfortable with its reliability. But only Obfsproxy would be kind of supported with pfSense, and there is no support at all for the XOR patch. I ruled out Obfsproxy because of reported performance issues, another point of failure, and more software to keep updated. I figured that since I own my VPN server, I could easily build a patched version of OpenVPN, leaving only the client side of the XOR patch to figure out. It was during my research of both of these methods that I stumbled across the existence of OPNsense. By stumbling across this fork of pfSense I accidentally solved the client side of the problem, because OPNsense builds OpenVPN with Tunnelblick's XOR patch.

Problem effectively solved... the only thing left to do was redo my VPS with the XOR patch.

Some notes about OPNsense

  1. It's not as stable as pfSense.
  2. The GUI isn't as polished.
  3. CPU seems to run warmer.
  4. Even though this is a fork of pfSense, there is no clear migration path from one platform to the other. I tried importing some rules and interfaces through config restore... save yourself some hair pulling and just start from scratch. I know this is a pain in the ass depending on your configuration.
  5. It is buggy. Things like port forwarding and NAT rules took a bit of messing with to get working reliably. Even then, when I simply rebooted the device after it was "working", something changed in the config. But it has been running for a few months now with little to no issue once I had to

All in all, I am happy with the OPNsense platform once I got used to the new menu layout and some of the finicky things.

How I set up an OpenVPN server using Tunnelblick's XOR patch.

I think I am, like most people, inherently LAZY (cough, slackers-r-us.com, cough). Therefore, the intent of this guide is to provide what I think is the least number of steps for setting up an OpenVPN server on Ubuntu 16.04 with Tunnelblick's XOR patch.

I chose OVH.com as my VPS provider because of the unlimited bandwidth, since I intend to route my entire home network through the OpenVPN server.

1. Set up a fresh VPS running Ubuntu 16.04.

2. SSH into the server.

**NOTE** All of the commands below are entered as root. If you did not SSH in as root, run `sudo -s` first to make your life easier with the commands.

# apt update
# apt upgrade

3. Now we need to install a patched version of OpenVPN, either by building it from source with the XOR patch applied or by installing a precompiled .deb. This guide uses the precompiled .deb files from https://vpnchinaopenvz.wordpress.com/. Be aware of what that means: you are running a binary somebody else built, as root, on the box your entire home network will trust. If that bothers you, build from source instead. Either way, pull in the libraries OpenVPN needs first (if `apt-get build-dep` complains about missing source URIs in sources.list, skip it and run `apt-get install -f` after the dpkg step to resolve any unmet dependencies):

# apt-get update && apt-get build-dep openvpn -y

# wget https://www.dropbox.com/s/peuvr57kamtl4u0/openvpn_2.4.4-xenial0_amd64.deb

# dpkg -i openvpn_2.4.4-xenial0_amd64.deb

Do not disable certificate checking on the wget; it is the only integrity check you have on this download. Afterwards `openvpn --version` should report 2.4.4, confirming the patched package replaced the stock one.

4. The next step is to generate keys and certs and configure the OpenVPN server. Again, we are going to take the easy route and use an OpenVPN-install bash script. I prefer https://github.com/Angristan/OpenVPN-install (read it before running it; it runs as root and writes the PKI, server config and firewall rules for you).

# wget https://raw.githubusercontent.com/Angristan/OpenVPN-install/master/openvpn-install.sh

# chmod +x openvpn-install.sh

# ./openvpn-install.sh

**NOTE** Change the options as you like for your VPN; if you have no clue what any of it means, use the defaults when prompted.

5. Now the last thing we need to do on the server is add a line to server.conf to enable the scramble option.

# nano /etc/openvpn/server.conf

Add the following to the file, replacing password with a password of your choice:
scramble obfuscate password

# /etc/init.d/openvpn restart

(On 16.04 this is the systemd unit `openvpn@server`, so `systemctl restart openvpn@server` does the same thing.)

The obfuscate method combines the patch's xormask, xorptrpos and reverse scramble methods, and password is the XOR mask. It is an obfuscation secret, not an encryption key: the tunnel's security still comes from OpenVPN's TLS and data channel; the scramble only hides OpenVPN's fixed packet signature from DPI. Make sure you remember or copy the password you use, as you will need to add the exact same line to the client .ovpn file in the next step. If OpenVPN refuses to start after the restart and the log shows "Unrecognized option or missing or extra parameter(s)" for the scramble line, the openvpn binary that is running is an unpatched one.

6. Now we will add the same line to the client.ovpn file.

# nano ~/client.ovpn

Add the following to the file:
scramble obfuscate password

NOTE This must be byte-for-byte the same line, with the same password, that you used in the last step. A mismatch does not give you a clear error; the two ends simply fail to decode each other's packets and the TLS handshake never completes.

7. The only thing left to do is use your preferred method for pulling the .ovpn file from the server. My method is to use FileZilla to connect to the server via SFTP on port 22 and pull the file that way. Remember that the .ovpn file carries the client certificate and private key inline, so treat it like a password: SFTP or SCP over SSH is fine, email or a shared drive is not.
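To make concrete what the `scramble obfuscate` line from steps 5 and 6 actually buys you, here is an added example. It is not code from this post, from Tunnelblick or from OPNsense: it is a pure-Python model of the patch's three primitives (xormask, xorptrpos, reverse) and the order in which the obfuscate mode chains them, as I read the patch source; treat the chaining order and the constructed sample packet as assumptions and check them against the patch you build. The round trip shows why the password has to match on both ends, the first-byte check shows that the transform hides OpenVPN's fixed 0x38 opcode byte from a static DPI signature, and the one-line recovery of the first mask byte shows that this is obfuscation, not encryption. The last function is the step 5/6 sanity check: both config files must carry the identical scramble directive.

```python
# Added example: a pure-Python model of what `scramble obfuscate <password>`
# does to each OpenVPN packet. NOT code from the original post, Tunnelblick
# or OPNsense; the chaining order used by obfuscate_send/obfuscate_recv and
# SAMPLE_PACKET below are my assumptions, reconstructed from reading the patch.

# OpenVPN's first UDP packet begins with an opcode byte:
# (P_CONTROL_HARD_RESET_CLIENT_V2 = 7) << 3 | key_id 0 = 0x38.
# A fixed first byte like this is what a static DPI signature keys on.
HARD_RESET_CLIENT_V2 = 0x38

# Constructed sample packet: opcode byte, an 8-byte session id, a few header bytes.
SAMPLE_PACKET = (bytes([HARD_RESET_CLIENT_V2])
                 + bytes.fromhex("0011223344556677")
                 + bytes(5))


def xormask(buf: bytes, mask: bytes) -> bytes:
    """`scramble xormask`: XOR every byte with the repeating mask string."""
    if not mask:
        return bytes(buf)
    return bytes(b ^ mask[i % len(mask)] for i, b in enumerate(buf))


def xorptrpos(buf: bytes) -> bytes:
    """`scramble xorptrpos`: XOR each byte with its 1-based position (mod 256).
    Self-inverse."""
    return bytes(b ^ ((i + 1) & 0xFF) for i, b in enumerate(buf))


def reverse(buf: bytes) -> bytes:
    """`scramble reverse`: reverse bytes 1..n-1, leaving byte 0 in place.
    Self-inverse; buffers of two bytes or fewer are returned unchanged."""
    if len(buf) <= 2:
        return bytes(buf)
    return bytes([buf[0]]) + bytes(buf[:0:-1])


def obfuscate_send(buf: bytes, password: bytes) -> bytes:
    """Outbound `obfuscate` (assumed order): xorptrpos, reverse, xorptrpos, xormask."""
    return xormask(xorptrpos(reverse(xorptrpos(buf))), password)


def obfuscate_recv(buf: bytes, password: bytes) -> bytes:
    """Inbound `obfuscate`: undo the same steps in the opposite order."""
    return xorptrpos(reverse(xorptrpos(xormask(buf, password))))


def first_byte_after_scramble(password: bytes) -> int:
    """What the wire shows where a DPI signature expects 0x38."""
    return obfuscate_send(SAMPLE_PACKET, password)[0]


def recover_mask_byte0(scrambled_first_byte: int) -> int:
    """Known-plaintext recovery of password[0]. In this model byte 0 is left alone
    by reverse and hit twice by xorptrpos (which cancels), so the only thing
    applied to it is mask[0]: scrambled[0] == 0x38 ^ password[0]."""
    return scrambled_first_byte ^ HARD_RESET_CLIENT_V2


def scramble_lines_match(server_conf: str, client_ovpn: str) -> bool:
    """Steps 5/6 check: the `scramble` directive must be identical on both ends."""
    def directive(text: str):
        found = [ln.strip() for ln in text.splitlines()
                 if ln.strip().startswith("scramble ")]
        return found[-1] if found else None
    server, client = directive(server_conf), directive(client_ovpn)
    return server is not None and server == client


if __name__ == "__main__":
    pw = b"hunter2"
    wire = obfuscate_send(SAMPLE_PACKET, pw)
    print("plain:     ", SAMPLE_PACKET.hex())
    print("on wire:   ", wire.hex())
    print("round trip:", obfuscate_recv(wire, pw) == SAMPLE_PACKET)
    print("password[0] recovered from first byte:", chr(recover_mask_byte0(wire[0])))
```

Two things worth noticing when you run it: an empty mask leaves the 0x38 opcode byte on the wire untouched, so the password is not optional, and whichever password you pick, anyone holding one plaintext packet gets its first byte back with a single XOR. Pick the string for DPI evasion, not for secrecy; the TLS handshake inside is what protects the traffic.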

I doubt anyone will read this, but it will serve me well when I need to get another server setup.