This is a setup guide for the filtering circumvention system which uses iptables, stunnel, and OpenVPN to help overcome filters such as BlueCoat and return the internet into a usable state. BlueBust is undetectable and unblockable, the only way to actually block it is finding out what is the domain/address of the BlueBust instance and blocking all traffic through it. This however can only be a temporary fix as a new IP address or domain name could be used which then will allow circumvention once again.

OpenVPN provides the seamless routing of the traffic through an encrypted stream. In this case it needs to be over TCP as the SSL tunnel cannot send UDP packets. While this may seem as a hit to performance, in many real-world tests the connection actually improves overall.

Install OpenVPN on the Linux server using this command on any debian based distro.

sudo apt-get install openvpn

This file should be called something like server.conf within the /etc/openvpn folder.

server.conf

port 1194
proto tcp
dev tun

ca      /etc/openvpn/easy-rsa/keys/ca.crt    # generated keys
cert    /etc/openvpn/easy-rsa/keys/server.crt
key     /etc/openvpn/easy-rsa/keys/server.key  # keep secret
dh      /etc/openvpn/easy-rsa/keys/dh2048.pem

server 10.22.0.0 255.255.255.0 # specifies the internal IP scheme
ifconfig 10.22.0.1 10.22.0.2

ifconfig-pool-persist ipp.txt # tries to make internal IPs persistent
keepalive 10 120 # sends pings to client to keep connection open on NAT firewalls

comp-lzo # Compression - must be turned on at both ends
persist-key # make sure the key persists if permissions are downgraded
persist-tun # same thing with tunnel
push "redirect-gateway def1 bypass-dhcp" # redirect all packets except for local gateway
push "dhcp-option DNS 8.8.8.8" # push the VPN server's choice for DNS

status log/openvpn-status.log

verb 3  # verbose mode
#client-to-client # allow a hamachi like internal network

This is used if you want to have your VPN to facilitate secured LAN gaming. Simply take the above configuration but remove the “push” lines and then it will not force all traffic though the VPN. Make sure to have the client-to-client line that is at the bottom as that is what provides the ability for all devices to communicate using the internal 10.x.x.x addresses. Also for laptops and desktops not executing it from Administrator prevents all traffic from being routed through but allows the private IP to be still used. Original source

OpenVPN has a series of scripts called easy-rsa which helps manage the creation of keys for the VPN. To use this scripts copy them over from /usr/share/doc/openvpn/examples/easy-rsa/2.0 to /etc/openvpn. For the exact commands on how to do this:
Creating the easy-rsa folder

sudo mkdir /etc/openvpn/easy-rsa

Copying over the contents from the documentation

sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

Then going into root using the command

sudo su

is probably the least painful way to do the next part. This part we will go through the process of creating the keys for the CA, server, and clients so they can be distributed to where ever they need to be. Points to remember:

• Each client device should have it’s own key
• .key files should be kept secret
• .csr files don’t really matter, don’t move them
• .crt files can be submitted over plaintext

First time setup commands

1. edit the vars file to configure keys (set key size to 2048)
2. source vars
3. ./build-ca
4. ./build-key-server server
5. ./build-dh

For each client
This name should be descriptive of the device so that later it makes it easier for revocation in case it gets stolen or lost.

./build-key clientName

This part is CRUCIAL to the ability of the tunnel to be able to access the internet. To enable IP forwarding on the current running server run this as root:

echo 1 > /proc/sys/net/ipv4/ip_forward

And to make sure the ip forwarding stays persist uncomment the following line in /etc/sysctl.conf

net.ipv4.ip_forward = 1

Then issue the following commands so that iptables will route the traffic through the internet

sudo iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -s 10.22.0.0/24 -o eth0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.22.0.0/24 -o eth0 -j MASQUERADE

These rules will not be saved on their own. Only after issuing all those commands successfully then run this command to install a program which makes all the current rules persistent.

sudo apt-get install iptables-persistent

Install OpenVPN on the client computer (or OpenVPN Connect for a mobile phone), and use the following configuration but make sure to change all necessary parts.

All places marked with a double pound needs some value placed there, make sure the file has all configurations set correctly anyways.

clientName.ovpn

client
port 1194
dev tun
proto tcp
remote-cert-tls server

remote localhost 1194
nobind

persist-key
persist-tun
comp-lzo

verb 3
mute 20
# certificate authority cert
<ca>
## place CA cert here ##
</ca>
# client certificate
<cert>
## place client cert here ##
</cert>
# client key
<key>
## place client key here ##
</key>

Stunnel provides the wrapper, which bypasses the BlueCoat Deep Packet Inpsection filters, regular OpenVPN traffic will not be able to breach to the outside of the network, which makes this extra encryption a necessity.

Install stunnel

sudo apt-get install stunnel4

Create self-signed key

openssl req -new -nodes -x509 -days 3650 -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem

Next configure stunnel to listen and connect on respective ports by editing /etc/stunnel/stunnel.conf

stunnel.conf

cert = /etc/stunnel/stunnel.pem
 
[openvpn]
accept = 443
connect = 1194

Then edit the ENABLED variable to 1 in /etc/default/stunnel4

sudo vim /etc/default/stunnel4

Then restart stunnel

sudo service stunnel4 restart

Install stunnel also on the client (Windows version)

sudo apt-get install stunnel4

Then use this config

cstunnel.conf

[openvpn]
client = yes
accept = localhost:1194
connect = {ip_or_domain}:443

Then restart stunnel