SSH Tunneling - A Guide for OpenVPN


Discover how SSH tunneling can safeguard your OpenVPN connection against ISP blocks and enhance your online privacy effectively.



SSH Tunneling for OpenVPN

After successfully setting up your VPN server with OpenVPN on an Amazon EC2 instance, you might have faced an unexpected roadblock: your connection gets blocked.


This could happen if your instance's IP address changes after a reboot or if your ISP, workplace, or government is actively restricting OpenVPN traffic.


Firewalls generally block traffic based on the specific port and destination IP, but advanced firewalls utilize deep packet inspection (DPI) and stateful packet inspection (SPI) to identify various encryption methods and VPN protocols. Consequently, they can recognize OpenVPN traffic and flag it for blocking.


To bypass such restrictions, there are three main methods: using an obfuscation proxy, SSL tunneling, or SSH tunneling. This guide will focus on SSH tunneling.


SSH tunneling encapsulates your existing encrypted connection in an additional layer of encryption, preventing the firewall from making any distinctions between different types of traffic. This technique is effective against both DPI and SPI firewalls, commonly implemented by businesses or countries with strict censorship laws.


However, using OpenVPN over SSH does come with its drawbacks. The primary concern is the potential decrease in performance due to the added layer of encryption. Additionally, while SSH tunneling obscures OpenVPN's fingerprint, some firewalls might also restrict SSH traffic. This is a common issue with streaming services like Netflix, which block any encrypted proxy connections. In such situations, opting for obfsproxy is advisable. Obfsproxy disguises encrypted traffic as regular, unencrypted data, making it more effective, albeit more complex to configure.


Currently, it's important to note that obfsproxy combined with OpenVPN is primarily functional on desktop platforms. Conversely, SSH tunneling remains a viable option for mobile devices, whether Android or iOS. Before we begin, ensure that you have a functioning OpenVPN server in place and can connect to it through the OpenVPN GUI or the OpenVPN Connect app.


Additionally, you should have SSH access to your server, which is possible using a terminal on a Mac, or using PuTTY or any of its alternatives on a Windows PC. For this guide, we will utilize PuTTY as our SSH client.


If you haven’t already completed these setups, please check our previous tutorial for guidance.


In our earlier discussions, we covered setting up a basic SSH proxy and advanced to creating a full VPN server. This tutorial will blend both methods, so you should have all the prerequisites ready to go.


To start, open PuTTY and load your VPN server configuration.


Next, in the sidebar, navigate to the following path: Connection > SSH > Tunnels.


Ensure that port 8080 is listed in the configurations. If it’s not present, enter 8080 in the “Source Port” field, then select the options for Auto and Dynamic. Click on "Add" to create your tunnel.


Now, you’ve set up an SSH proxy on port 8080. If you wish, you can save this configuration as a distinct session on the session tab within the navigation tree for future use.




Access your server by clicking open and logging in.
For those using the latest Amazon Linux AMI, the default username is “ec2-user.”


Next, navigate to the OpenVPN configuration file.
You can do this by executing the following commands:


cd /etc/openvpn
cat openvpn.conf


This will display the contents of your OpenVPN server's configuration file.
You should see something similar to this:


port 1194
proto tcp-server
dev tun1
ifconfig 10.4.0.1 10.4.0.2
status server-tcp.log
verb 3
secret ovpn.key




To effectively conceal your OpenVPN traffic using an SSH tunnel, start by ensuring your configuration file is set to use TCP instead of UDP. You can modify this setting with the following command:


sudo nano openvpn.conf


After making the necessary changes, save the file by pressing Ctrl + O (the letter “o”) and exit the editor with Ctrl + X.


Next, locate your OpenVPN client configuration files on your local system. If you installed OpenVPN using default settings, you will find these files in the directory: C:/Program Files/OpenVPN/config.


You can either duplicate your previous OpenVPN config file from the last tutorial or create a new one entirely. Use Notepad or any plain text editor, ensuring to run it as an administrator. Your new configuration file should resemble the following:


proto tcp-client
remote localhost 1194
port 1194
dev tun1
secret ovpn.key
redirect-gateway def1
ifconfig 10.4.0.2 10.4.0.1
socks-proxy-retry
socks-proxy 127.0.0.1 8080


Take note that the second “remote” line specifies localhost rather than the OpenVPN server's IP address, and additional lines configure OpenVPN to utilize a SOCKS proxy, while other settings remain unchanged.


Once done, save this new configuration in the OpenVPN config folder.


The final step involves configuring your applications to route through the proxy on port 8080. This process is akin to the SSH proxy setup discussed previously. Many applications provide proxy configuration options within their settings, and some may automatically detect the proxy settings. If manual configuration is necessary, you will need the following details:


  • Host: 127.0.0.1
  • Port: 8080
  • Proxy Type: SOCKS5 (or SOCKS v5)

For Firefox users:


  • Navigate to Tools > Options > Advanced > Network > Connection > Settings > Manual Proxy Configuration.
  • Enter 127.0.0.1 for the SOCKS host and 8080 for the port.
  • Click OK to save your settings.

For Chrome users, after installing the Switchy extension, a setup page will appear. Alternatively, click the extension icon in the upper-right corner of Chrome and select Options to configure your proxy settings.

  • Choose a name for your profile as you prefer.


  • In the manual configuration section, input the SOCKS host as 127.0.0.1 and set the port to 8080, or any port you designated for the tunnel in PuTTY.


  • Keep the remaining fields empty.


  • After saving your settings, click on the icon once more to select your newly created proxy profile.




To begin, establish a connection to your server using PuTTY with the previously configured settings.


Once connected, proceed to initiate your VPN utilizing the new configuration file we prepared earlier.


Congratulations! You are now surfing the web with OpenVPN tunneled through SSH.
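The same desktop procedure, carried out from a terminal with the OpenSSH client (the macOS/Linux alternative to PuTTY mentioned earlier) rather than through the PuTTY dialogs, as an added example that is not part of the original guide. It writes the client configuration shown above, checks it for the two settings the tunnel depends on (TCP transport and a SOCKS proxy pointed at the local SSH listener), opens the dynamic forward with `ssh -D`, waits for the listener, and only then starts OpenVPN. The environment variables SERVER and KEY_PEM, the output file name client-ssh.ovpn and the use of `nc` for the port check are assumptions of this example, not from the guide.

```shell
#!/bin/sh
# Added example (not from the original guide): PuTTY's "Auto + Dynamic" tunnel
# and the OpenVPN client config above, reproduced with the OpenSSH CLI.
# Assumptions: SERVER holds the server address, KEY_PEM the SSH private key,
# `openvpn` and `nc` are installed. Both are hypothetical names for this example.
set -eu

SOCKS_PORT="${SOCKS_PORT:-8080}"   # same value as PuTTY's "Source port"
VPN_PORT="${VPN_PORT:-1194}"

# Emit the client config from the guide. OpenVPN resolves "localhost" on the
# client and asks the SOCKS proxy for 127.0.0.1:1194; sshd on the server then
# connects to its own loopback, which is why the remote is localhost, not the
# server's public address.
make_client_config() {
    cat <<EOF
proto tcp-client
remote localhost $VPN_PORT
port $VPN_PORT
dev tun1
secret ovpn.key
redirect-gateway def1
ifconfig 10.4.0.2 10.4.0.1
socks-proxy-retry
socks-proxy 127.0.0.1 $SOCKS_PORT
EOF
}

# Sanity-check a client config before use: a SOCKS proxy cannot carry UDP,
# and the remote must be the local end of the SSH tunnel.
check_client_config() {
    f="$1"
    grep -q '^proto tcp-client$' "$f" || { echo "proto must be tcp-client" >&2; return 1; }
    grep -q '^remote localhost ' "$f" || { echo "remote must be localhost" >&2; return 1; }
    grep -q '^socks-proxy 127\.0\.0\.1 ' "$f" || { echo "socks-proxy line missing" >&2; return 1; }
    return 0
}

# Equivalent of Connection > SSH > Tunnels with Auto + Dynamic: -D binds a
# SOCKS listener on the client's loopback only; -N opens no remote shell.
start_tunnel() {
    ssh -i "$KEY_PEM" -N -D "127.0.0.1:$SOCKS_PORT" "ec2-user@$SERVER" &
    echo $!
}

# Wait for the SOCKS listener so OpenVPN does not have to rely on
# socks-proxy-retry for its first attempt.
wait_for_port() {
    i=0
    while [ "$i" -lt 20 ]; do
        if nc -z 127.0.0.1 "$1" 2>/dev/null; then return 0; fi
        i=$((i + 1)); sleep 1
    done
    echo "SOCKS listener on port $1 never came up" >&2
    return 1
}

# Runs only when SERVER and KEY_PEM are set; otherwise only the functions load.
if [ "${SERVER:-}" ] && [ "${KEY_PEM:-}" ]; then
    make_client_config > client-ssh.ovpn
    check_client_config client-ssh.ovpn
    pid=$(start_tunnel)
    wait_for_port "$SOCKS_PORT"
    sudo openvpn --config client-ssh.ovpn
    kill "$pid"
fi
```

Run it as `SERVER=203.0.113.10 KEY_PEM=~/vpn-key.pem sh openvpn-over-ssh.sh` (constructed values). Because the listener is bound to 127.0.0.1, only programs on the same machine can reach the SOCKS port, which is the property the browser proxy settings in the next steps rely on.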


Next, let's delve into how you can set up your OpenVPN and SSH tunnel for Android devices, keeping in mind that the process for iOS is quite similar.


However, there are some important points to consider. This approach is primarily effective for web browsing. Unlike desktop systems, standard Android or iOS devices do not allow you to open ports freely. As a result, the ports used by various applications will not be routed through the SSH proxy.


If you wish to bypass this limitation, consider rooting your Android device or jailbreaking your iOS device. You can then utilize applications such as Proxydroid or Cydia’s Unix apps to configure your proxy settings, but that is a topic for another day.


For now, let’s focus on how to set this up on stock Android using Firefox. You will need to download the following applications:


  • OpenVPN for Android (ensure you choose this over OpenVPN Connect, as it has stricter authentication requirements)


  • ConnectBot or any similar SSH terminal application (JuiceSSH is a good option, though it requires payment for port forwarding)


  • A file manager app, like File Commander


  • Firefox or another browser that allows proxy configuration


Additionally, you will need a method to transfer files from your computer to your mobile device. A USB cable works perfectly; I personally used the sync folder feature in iBackup.


To set up, find your ovpn.key file along with the .ovpn configuration file saved on your desktop and transfer them to your phone’s internal storage or SD card.


You will also need to move the .pem key file provided by your server host. This file is typically found alongside the .ppk file used for PuTTY authentication. If you cannot locate it, you will need to generate a new one through the Amazon EC2 dashboard or whichever hosting service you are using.


For additional convenience, you may want to obtain the standard .ovpn configuration file that you typically use for connecting without SSH. This allows you to utilize your VPN across all apps, not just your browser, and can be beneficial for troubleshooting purposes.


SSH and OpenVPN Setup Guide

Launch ConnectBot on your mobile device.
Tap the three vertical dots located in the upper right corner and select "Manage Pubkeys."
On the subsequent screen, tap the dots again and choose "Import."
This action will open the file manager app you have installed.
Locate the .pem file that you transferred to your phone and select it.
Once imported, it should be listed among your public keys, marked with a red lock.
Tap the red lock icon to change it to green.
Finally, press the back button to navigate back to ConnectBot's main interface.




In the terminal window next to "ssh," enter your SSH information formatted like this:


ec2-user@:22


Make sure to substitute with the actual IP address of your OpenVPN server. Press the Enter key to establish the SSH connection. This configuration should be saved for future use, but you might need to adjust the public key settings later.


Once you are connected, click on the three dots again to disconnect. Your connection profile will now appear on the home screen of ConnectBot. To modify it, long press on the profile to access a context menu, then select "edit port forwards." On the new page, tap the three dots and choose "add port forward."


You can name this port forward anything you prefer. Set the type to dynamic (socks) and specify the source port as 8080 (or the one indicated in the socks-proxy line of your OpenVPN configuration file). Finally, click "create port forward."


Now your ConnectBot is configured, but before you make a connection, let's set up OpenVPN.


Launch the OpenVPN application for Android.


In the upper right corner, click the square icon with a down arrow to import a profile. Find and select your .ovpn configuration file. On the subsequent screen, press the button labeled "select."




Begin by locating your ovpn.key file and selecting it.


Once selected, click the yellow save button located in the bottom right corner.


Your newly created profile should now be visible on the app's home screen.


Before proceeding to connect, we need to verify the server's firewall settings.


Log into your AWS account, navigate to the instances, and highlight the OpenVPN server.


In the security groups section, click on the relevant group associated with this instance.


Right-click and choose “edit inbound rules.”


Here, add custom TCP rules for ports 22, 1194, and 8080, making any necessary adjustments based on your specific configuration.


With the firewall settings confirmed, it’s time to initiate the connection.


First, open the ConnectBot application and tap on the profile you just created to establish an SSH connection to your server.


Ensure that the public key option is enabled, as failing to do so will result in a password error.


After successfully connecting via SSH, switch over to the OpenVPN application and tap on your profile to connect.




Once you establish a connection with OpenVPN, check the log for a confirmation message indicating “connected, success” at the bottom.


Keep in mind that the .pem and .key files utilized for this connection can only be active on a single device at any given time. Therefore, ensure that you are not connected on your desktop when attempting to connect another device. If you need to access OpenVPN on multiple devices at once, you will have to create separate credentials (.key and .pem) for each device.


Next, we will need to set up Firefox to utilize the proxy settings. Unlike Chrome and Safari on mobile devices, which lack proxy configuration options, Firefox supports this feature. While you can attempt to configure the proxy through the Wi-Fi settings, this method requires adjustments each time you want to connect without the proxy.




To start, open Firefox and navigate to the URL bar.


Enter "about:config" to access the configuration settings.


In the search box, type "network.proxy" to find the relevant fields for proxy settings.


You need to adjust the following parameters:


  • For "network.proxy.socks," set the value to 127.0.0.1.


  • Next, for "network.proxy.socks_port," enter 8080, or the port number specified in your OpenVPN configuration and ConnectBot settings.


  • Finally, adjust "network.proxy.type" to 1.


Once these settings are applied, your Firefox browser will direct traffic through both OpenVPN and the SSH tunnel.


This setup allows you to browse securely from a mobile device without the risk of deep packet inspection.


If you prefer to use the SSH proxy independently of OpenVPN, simply connect to your server using ConnectBot without launching OpenVPN.


Alternatively, you can also use a standard non-SSH .ovpn configuration file by importing it into the OpenVPN app and connecting without the SSH proxy.


What is a Netflix VPN and How to Get One

A Netflix VPN is a virtual private network used to access region-restricted content on Netflix by connecting to servers in different countries. By choosing a reliable VPN provider that supports streaming, users can download the VPN application, connect to a server in the desired region, and log in to Netflix to enjoy content that may not be available in their current location. This allows for a broader viewing experience, enabling access to movies and shows exclusive to certain countries.


Why Choose SafeShell as Your Netflix VPN?

If people want to access region-restricted content by using a Netflix VPN, they may want to consider the SafeShell VPN. One of the standout benefits of SafeShell VPN is its high-speed servers optimized for Netflix streaming, ensuring seamless access to your favorite shows and movies without buffering interruptions. These servers are engineered with cutting-edge technology, providing lightning-fast connection speeds that allow for high-definition streaming. Additionally, SafeShell VPN enables you to connect multiple devices at once, accommodating up to five devices simultaneously on platforms like Windows, macOS, iOS, Android, Apple TV, Android TV, and Apple Vision Pro. This means you can enjoy your favorite Netflix content on any device without experiencing the all-too-common issue of a Netflix VPN not working.


Furthermore, SafeShell VPN includes an exclusive App Mode feature that allows you to unlock and enjoy content from multiple regions at the same time. This gives you access to a diverse range of streaming services and libraries, expanding your entertainment options significantly. SafeShell VPN also boasts lightning-fast speeds with no bandwidth limitations, ensuring smooth streaming, downloading, and browsing experiences. Beyond speed, SafeShell VPN prioritizes your online privacy with its proprietary "ShellGuard" VPN protocol, offering top-level security through advanced encryption and robust features. This ensures your data remains protected, allowing you to surf the web and access Netflix content from anywhere in the world with peace of mind.


A Step-by-Step Guide to Watch Netflix with SafeShell VPN

To enjoy Netflix content from different regions using SafeShell Netflix VPN, follow these steps:


  • Subscribe to SafeShell VPN: Visit the SafeShell VPN website at https://www.safeshellvpn.com/ and select a plan that suits your needs. Click the "Subscribe Now" button to complete your subscription.


  • Download and Install SafeShell VPN: Navigate to the SafeShell VPN website, select your device type (Windows, macOS, iOS, Android, etc.), and download the appropriate software or app.


  • Choose Your Mode: Open the SafeShell VPN app and log in to your account. For an optimized Netflix experience, select the APP mode.


  • Choose Your VPN Server: Browse through the available server list within the SafeShell VPN app. Select a server from the region whose Netflix content you want to access, such as the US, UK, or Canada. Click "Connect" to establish a connection.


  • Open Netflix: Launch the Netflix app or visit the Netflix website. Log in to your Netflix account and enjoy streaming the content available in your selected region.

