You have a perfectly running CentOS server with OpenVPN installed on it, but one day you discover that your OpenVPN connections to the server are blocked by DPI systems at the ISP level. One of the solutions is to rebuild OpenVPN from source with the OpenVPN XOR patch on your CentOS server. Two things to know before you start: the patch is out-of-tree (upstream OpenVPN has never merged it), and it only obfuscates the bytes on the wire, it is not additional encryption. Every client that connects must also run an XOR-patched build configured with the same scramble key.
Step 1 – Create a folder on your server and download OpenVPN source files, and xor_patch
$ cd /etc/
$ mkdir openvpn_install
$ cd openvpn_install
$ wget http://swupdate.openvpn.org/community/releases/openvpn-2.4.6.tar.gz
$ tar xvf openvpn-2.4.6.tar.gz
$ cd openvpn-2.4.6
$ yum install git
$ git clone https://github.com/clayface/openvpn_xorpatch
$ patch -p1 < openvpn_xorpatch/openvpn_xor.patch
$ yum install gcc make openssl-devel pam-devel lzo-devel
$ ./configure
$ make
$ make install
Check that patch reports every hunk as applied (no .rej files left in the tree) before running ./configure. gcc and make are included in the yum line because a minimal CentOS install has no compiler and ./configure fails without one. make install puts the patched binary at /usr/local/sbin/openvpn, which is the path the systemd unit further down points at, so the distro's own /usr/sbin/openvpn (if the package is still installed) is not the one you will be running.
Step 2 – Create OpenVPN config with scramble parameters
$ cd /etc/openvpn
Create the OpenVPN config file and configure it to listen on UDP port 1194. Name it server-udp-1194.conf: the part after the @ in the systemd unit name used below (openvpn@server-udp-1194.service) must match this file name without the .conf suffix.
Make sure to add the scramble parameter with an alphanumeric XOR key of your choice
local Your_Public_IP
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh2048.pem
server 10.16.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 4.2.2.1"
push "dhcp-option DNS 8.8.4.4"
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
client-cert-not-required
scramble xormask scramble_alphanumeric_combination_of_your_choice
The bare form "scramble <key>" that the patch also accepts selects the same xormask method, so one scramble line is enough; the client config needs the identical line and a client binary built with the same patch, otherwise the server discards its packets. Two settings above deserve a second look before you expose the server. client-cert-not-required makes the server skip client certificate verification entirely, so anyone holding ca.crt (which every client config ships with) can connect unless you add a username/password check such as auth-user-pass-verify or the PAM plugin; OpenVPN 2.4 also deprecates this option in favour of "verify-client-cert none". comp-lzo turns on compression, which OpenVPN 2.4 warns against because of compression-oracle attacks on the tunnelled traffic; leave it out unless a legacy client requires it.
Save
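To see what the scramble xormask line actually does to the packets, and why it is obfuscation rather than encryption, here is an added example (not code from this page or from the XOR patch project): a Python reconstruction of the xormask method, which XORs every byte of the UDP payload with the key, cycling the key, applied to a constructed OpenVPN client handshake packet. The key s3cretMask, the session id and the guessed key length are assumptions for the demo; the packet layout (opcode 0x38 for P_CONTROL_HARD_RESET_CLIENT_V2, 8-byte session id, empty ack array, packet id 0) is the standard v2 handshake without tls-auth or tls-crypt.

```python
import struct

# Added example (not code from this page or from the XOR patch project). It
# reconstructs the "scramble xormask" transform as the patch applies it to each
# UDP payload: byte i is XORed with key[i % len(key)]. The handshake packet and
# the key used below are constructed for the demo.

# First byte of every OpenVPN v2 client handshake: opcode
# P_CONTROL_HARD_RESET_CLIENT_V2 (7) in the high five bits, key id 0 below.
OPCODE_HARD_RESET_CLIENT_V2 = (7 << 3) | 0  # 0x38

# Byte positions of a client hello (no tls-auth/tls-crypt) whose values the
# protocol fixes: the opcode, the zero-length ack array, and packet id 0.
CLIENT_HELLO_KNOWN_BYTES = {0: OPCODE_HARD_RESET_CLIENT_V2, 9: 0, 10: 0, 11: 0, 12: 0, 13: 0}


def xormask(payload: bytes, key: bytes) -> bytes:
    """Scramble or unscramble a payload with the cycling XOR key.

    XOR is its own inverse, so one function serves both directions; that is
    also why client and server must carry the identical scramble line.
    """
    if not key:
        raise ValueError("scramble xormask needs a non-empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))


def build_client_hello(session_id: bytes) -> bytes:
    """Constructed first packet of a v2 handshake: opcode/key id, 8-byte
    session id, zero-length ack array, 4-byte packet id 0 (14 bytes)."""
    if len(session_id) != 8:
        raise ValueError("session id is 8 bytes")
    return bytes([OPCODE_HARD_RESET_CLIENT_V2]) + session_id + b"\x00" + struct.pack(">I", 0)


def recover_key_bytes(on_wire: bytes, known: dict, key_len: int) -> dict:
    """Known-plaintext recovery that a passive DPI box can do.

    For every wire position whose plaintext is fixed by the protocol, the
    wire byte XOR the fixed value is the key byte used at that position.
    key_len is the observer's guess; a wrong guess shows up as two positions
    disagreeing about the same key index, so that case raises.
    Returns {key index: key byte}.
    """
    found = {}
    for pos, plain in known.items():
        if pos >= len(on_wire):
            continue
        idx = pos % key_len
        val = on_wire[pos] ^ plain
        if idx in found and found[idx] != val:
            raise ValueError("inconsistent key byte at index %d: key_len guess is wrong" % idx)
        found[idx] = val
    return found


def demo(key: bytes = b"s3cretMask") -> dict:
    """Scramble a constructed client hello and report what each side sees."""
    hello = build_client_hello(bytes.fromhex("0011223344556677"))
    on_wire = xormask(hello, key)
    return {
        "on_wire": on_wire.hex(),
        # Same key on the server side: the original packet comes back.
        "roundtrip_ok": xormask(on_wire, key) == hello,
        # Client built with a different key: here the first byte the server
        # sees is no longer the hard-reset opcode, so the handshake never starts.
        "wrong_key_gives_valid_opcode": xormask(on_wire, b"wrongkey!!")[0] == OPCODE_HARD_RESET_CLIENT_V2,
        # Passive observer who knows the layout and guesses the key length.
        "leaked_key_bytes": {i: chr(v) for i, v in
                             recover_key_bytes(on_wire, CLIENT_HELLO_KNOWN_BYTES, len(key)).items()},
    }


if __name__ == "__main__":
    print(demo())
```

One 14-byte handshake packet hands an observer five of the ten key bytes (indices 0 to 3 and 9), because the opcode, the ack-array length and the packet id are constants; the rest follow from the next few packets, whose layout is just as predictable. The transform therefore only stops DPI signatures that look for the plain OpenVPN opcode byte; it does not hide that OpenVPN is in use from anyone willing to try a few key lengths, and the confidentiality of the tunnel still rests entirely on the TLS channel underneath.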
Step 3 – Configure OpenVPN to start automatically at system boot
$ systemctl enable openvpn@server-udp-1194.service
You may get the following error when you try to register the service through systemd:
...No such file or directory
A self-compiled OpenVPN has no unit file: make install from the source tarball does not install the openvpn@.service template that the CentOS package provides, so systemd has nothing to instantiate.
You'll need to create the unit manually on CentOS 7
Navigate to the /etc/systemd/system folder
$ cd /etc/systemd/system
Create openvpn@server-udp-1194.service there and enter the following configuration into the file
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=syslog.target network.target

[Service]
Type=forking
PrivateTmp=true
ExecStart=/usr/local/sbin/openvpn --daemon --cd /etc/openvpn/ --config /etc/openvpn/server-udp-1194.conf

[Install]
WantedBy=multi-user.target
Save the file and try to register the service
$ systemctl daemon-reload
$ systemctl enable openvpn@server-udp-1194.service
Step 4 – Start the service
After the service has been registered successfully, you may find that the newly registered OpenVPN service refuses to start. This happens on self-compiled OpenVPN instances; the journal looks like this:
Failed to start OpenVPN Robust And Highly Flexible Tunneling Application On client.
openvpn@server-udp-1194.service failed
systemd: Started Network Manager Script Dispatcher Service.
systemd: Startup finished in 602ms (kernel) + 3.260s (initrd) + 1min 35.350s (userspace) = 1min 39.213s.
nm-dispatcher: req:1 'down' [tun4]: new request (3 scripts)
nm-dispatcher: req:1 'down' [tun4]: start running ordered scripts...
You'll run into this if you have IPv6 enabled. In that case the unit above won't work, because the system runs IPv6 DAD (duplicate address detection) at boot, and there is an old bug where network-online.target is reached while the address is still not usable, so OpenVPN is started before the IP it is told to bind to (the local line in the config) is available.
Disable IPv6
$ cd /etc
and add these 2 lines to /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
Restart the server (sysctl -p applies the two settings immediately, but a reboot also confirms the unit starts on its own). The OpenVPN service with the XOR patch should now start successfully. If you would rather keep IPv6 on the host, an alternative is to remove the local line from the config so that OpenVPN binds to all addresses and no longer has to wait for the public IP to be assigned.