BlueBust
This is a setup guide for a filtering circumvention system that uses iptables, stunnel, and OpenVPN to get past filters such as BlueCoat and return the internet to a usable state. BlueBust is undetectable and unblockable in the sense that the only way to actually block it is to find out the domain or address of the BlueBust instance and block all traffic to it. Even that is only a temporary fix, as a new IP address or domain name can be used, which allows circumvention once again.
OpenVPN Setup
OpenVPN provides the seamless routing of the traffic through an encrypted stream. In this case it needs to run over TCP, because the SSL tunnel (stunnel) cannot carry UDP packets. While this may seem like a performance hit, in many real-world tests the connection actually improved overall.
Server
Install OpenVPN on the Linux server using this command on any Debian-based distro.
sudo apt-get install openvpn
This file should be called something like server.conf within the /etc/openvpn folder.
server.conf:
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt # generated keys
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # keep secret
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.22.0.0 255.255.255.0 # specifies the internal IP scheme
ifconfig 10.22.0.1 10.22.0.2
ifconfig-pool-persist ipp.txt # tries to make internal IPs persistent
keepalive 10 120 # sends pings to client to keep connection open on NAT firewalls
comp-lzo # Compression - must be turned on at both ends
persist-key # make sure the key persists if permissions are downgraded
persist-tun # same thing with tunnel
push "redirect-gateway def1 bypass-dhcp" # redirect all packets except for local gateway
push "dhcp-option DNS 8.8.8.8" # push the VPN server's choice for DNS
status log/openvpn-status.log
verb 3 # verbose mode
#client-to-client # allow a hamachi like internal network
Create a Hamachi-like network
Use this if you want the VPN to provide a secured LAN for gaming. Take the configuration above but remove the "push" lines, so it no longer forces all traffic through the VPN. Make sure the client-to-client line at the bottom is enabled (uncommented): that is what lets all devices talk to each other using the internal 10.x.x.x addresses. On laptops and desktops, not running the client as Administrator prevents all traffic from being routed through the VPN while the private IP can still be used. Original source
Creating keys
OpenVPN ships with a set of scripts called easy-rsa which help manage the creation of keys for the VPN. To use these scripts, copy them from /usr/share/doc/openvpn/examples/easy-rsa/2.0 to /etc/openvpn. The exact commands:
Creating the easy-rsa folder
sudo mkdir /etc/openvpn/easy-rsa
Copying over the contents from the documentation
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Then going into root using the command
sudo su
is probably the least painful way to do the next part. In this part we go through the process of creating the keys for the CA, server, and clients so they can be distributed wherever they are needed. Points to remember:
- Each client device should have its own key
- .key files should be kept secret
- .csr files don't really matter; don't move them
- .crt files can be sent over plaintext
First time setup commands
- edit the vars file to configure keys (set key size to 2048)
- source vars
- ./build-ca
- ./build-key-server server
- ./build-dh
For each client
The name should describe the device, which makes revocation easier later if it gets stolen or lost.
./build-key clientName
Setting up routing
This part is CRUCIAL for the tunnel to be able to reach the internet. To enable IP forwarding on the currently running server, run this as root:
echo 1 > /proc/sys/net/ipv4/ip_forward
To make IP forwarding persist across reboots, uncomment the following line in /etc/sysctl.conf
net.ipv4.ip_forward = 1
Then issue the following commands so that iptables will route the traffic through the internet
sudo iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -s 10.22.0.0/24 -o eth0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.22.0.0/24 -o eth0 -j MASQUERADE
These rules will not be saved on their own. Only after all of those commands have succeeded, run this command to install a package that makes the current rules persistent.
sudo apt-get install iptables-persistent
Client
Install OpenVPN on the client computer (or OpenVPN Connect for a mobile phone), and use the following configuration but make sure to change all necessary parts.
Client config
Every place marked with a double pound sign (##) needs a value put there; check that the rest of the file is set correctly as well.
clientName.ovpn:
client
port 1194
dev tun
proto tcp
remote-cert-tls server
remote localhost 1194
nobind
persist-key
persist-tun
comp-lzo
verb 3
mute 20
# certificate authority cert
<ca>
## place CA cert here ##
</ca>
# client certificate
<cert>
## place client cert here ##
</cert>
# client key
<key>
## place client key here ##
</key>
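Filling in the three inline blocks by hand is error-prone, and the resulting file holds the client's private key, so it deserves the same care as the .key file itself (see the points to remember under "Creating keys"). The following script is an added example, not part of BlueBust: it assembles clientName.ovpn from the easy-rsa keys directory assumed by this guide (keys/ca.crt, keys/<name>.crt, keys/<name>.key), keeps only the PEM block of each file, refuses to embed a .key that is group- or world-readable, and writes the profile with owner-only permissions. The PEM files it runs against here are constructed placeholders in a temporary directory, not real keys; the function and file names are the example's own.

```python
"""Assemble clientName.ovpn with the CA cert, client cert and client key
embedded inline, as the client config above requires. Added example, not part
of BlueBust. It assumes the easy-rsa layout from the guide (keys/ca.crt,
keys/<name>.crt, keys/<name>.key) and runs here on constructed placeholder PEM
files in a temporary directory; the PEM contents are NOT real keys."""
import os
import re
import stat
import tempfile
from pathlib import Path

# the client directives from the guide; remote points at the local stunnel
TEMPLATE = """\
client
dev tun
proto tcp
remote-cert-tls server
remote localhost 1194
nobind
persist-key
persist-tun
comp-lzo
verb 3
mute 20
"""
PEM_BLOCK = re.compile(r"-----BEGIN [A-Z ]+-----.*?-----END [A-Z ]+-----", re.S)


def pem_body(path):
    """Return just the PEM block; easy-rsa .crt files usually carry a text dump before it."""
    m = PEM_BLOCK.search(Path(path).read_text())
    if not m:
        raise ValueError(f"{path}: no PEM block found")
    return m.group(0)


def require_private(path):
    """A .key that group or world can read may already be copied; refuse to ship it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is mode {mode:04o}; expected owner-only access")


def build_ovpn(keys_dir, client_name, out_dir):
    """Write <out_dir>/<client_name>.ovpn with mode 0600, since it now holds the private key."""
    keys_dir, out = Path(keys_dir), Path(out_dir) / f"{client_name}.ovpn"
    key_path = keys_dir / f"{client_name}.key"
    require_private(key_path)
    parts = [TEMPLATE]
    for tag, path in (("ca", keys_dir / "ca.crt"),
                      ("cert", keys_dir / f"{client_name}.crt"),
                      ("key", key_path)):
        parts.append(f"<{tag}>\n{pem_body(path)}\n</{tag}>\n")
    out.write_text("".join(parts))
    out.chmod(0o600)
    return out


def make_demo_keys(keys_dir, client_name):
    """Constructed placeholder files in easy-rsa's layout; the PEM bodies are dummy text."""
    def pem(kind):
        return f"-----BEGIN {kind}-----\nZHVtbXk=\n-----END {kind}-----\n"
    keys_dir = Path(keys_dir)
    keys_dir.mkdir(parents=True, exist_ok=True)
    (keys_dir / "ca.crt").write_text("Certificate:\n    Data: (easy-rsa text dump)\n" + pem("CERTIFICATE"))
    (keys_dir / f"{client_name}.crt").write_text(pem("CERTIFICATE"))
    key = keys_dir / f"{client_name}.key"
    key.write_text(pem("PRIVATE KEY"))
    key.chmod(0o600)
    return keys_dir


def demo(client_name="laptop-alice"):
    """Build a profile, then show that a world-readable key is rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        keys = make_demo_keys(Path(tmp) / "keys", client_name)
        out = build_ovpn(keys, client_name, tmp)
        text, mode = out.read_text(), stat.S_IMODE(out.stat().st_mode)
        (keys / f"{client_name}.key").chmod(0o644)   # simulate a sloppy copy of the key
        try:
            build_ovpn(keys, client_name, tmp)
            rejected = False
        except PermissionError:
            rejected = True
    return {"text": text, "mode": mode, "rejected_world_readable": rejected}


if __name__ == "__main__":
    print(demo()["text"])
```

On a real server, point build_ovpn at /etc/openvpn/easy-rsa/keys and the client name used with ./build-key; the output file is what gets copied to the device, over a channel as private as the .key itself.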
Stunnel setup
Stunnel provides the wrapper that gets past the BlueCoat Deep Packet Inspection filters: regular OpenVPN traffic is not able to get out of the network, which makes this extra layer of encryption a necessity.
Server
Install stunnel
sudo apt-get install stunnel4
Create self-signed key
openssl req -new -nodes -x509 -days 3650 -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem
Next configure stunnel to listen and connect on respective ports by editing /etc/stunnel/stunnel.conf
stunnel.conf:
cert = /etc/stunnel/stunnel.pem
[openvpn]
accept = 443
connect = 1194
Then edit the ENABLED variable to 1 in /etc/default/stunnel4
sudo vim /etc/default/stunnel4
Then restart stunnel
sudo service stunnel4 restart
Client
Install stunnel on the client as well (there is also a Windows version); on a Debian-based client:
sudo apt-get install stunnel4
Then use this config
cstunnel.conf:
[openvpn]
client = yes
accept = localhost:1194
connect = {ip_or_domain}:443
Then restart stunnel
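Most failures with this setup come from one hop not lining up with the next: the client .ovpn must point at the client stunnel's accept address, the client stunnel must connect to the port the server stunnel accepts on, the server stunnel must hand off to the OpenVPN port, both OpenVPN ends must use TCP and the same compression setting, and the iptables rules must cover the subnet the server directive hands out. The checker below is an added example, not part of BlueBust; it embeds trimmed copies of the guide's own server.conf, clientName.ovpn, stunnel.conf, cstunnel.conf and iptables rules as constructed strings so it runs offline, and reports every mismatch it finds. The parsers, function names and message texts are the example's own.

```python
"""Consistency check for the chain in this guide: client OpenVPN -> client
stunnel -> server stunnel -> server OpenVPN -> iptables NAT. Added example,
not part of BlueBust; the page's config fragments are embedded as strings
(constructed) so it runs offline. On a real host read the files instead."""
import ipaddress
import re
import shlex

SERVER_CONF = """\
port 1194
proto tcp
server 10.22.0.0 255.255.255.0 # specifies the internal IP scheme
comp-lzo # Compression - must be turned on at both ends
push "dhcp-option DNS 8.8.8.8"
#client-to-client
"""
CLIENT_OVPN = """\
client
proto tcp
remote-cert-tls server
remote localhost 1194
comp-lzo
<ca>
## place CA cert here ##
</ca>
"""
SERVER_STUNNEL = "cert = /etc/stunnel/stunnel.pem\n[openvpn]\naccept = 443\nconnect = 1194\n"
CLIENT_STUNNEL = "[openvpn]\nclient = yes\naccept = localhost:1194\nconnect = {ip_or_domain}:443\n"
IPTABLES = [  # the guide's NAT-relevant rules as iptables-save prints them (constructed)
    "-A FORWARD -s 10.22.0.0/24 -o eth0 -j ACCEPT",
    "-A POSTROUTING -s 10.22.0.0/24 -o eth0 -j MASQUERADE",
]

def parse_openvpn(text):
    """{directive: [[args], ...]}; #/; comments and inline <ca>..</ca> blocks are skipped."""
    opts, block = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if block:
            block = None if line == f"</{block}>" else block
        elif re.fullmatch(r"<\w+>", line):
            block = line[1:-1]
        elif not line.startswith(";"):
            toks = shlex.split(line, comments=True)
            if toks:
                opts.setdefault(toks[0], []).append(toks[1:])
    return opts

def parse_stunnel(text):
    """{section: {key: value}}; keys before the first [section] go under ''."""
    conf, sec = {"": {}}, ""
    for line in (re.split(r"[;#]", ln, maxsplit=1)[0].strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            sec = line[1:-1]
            conf.setdefault(sec, {})
        elif "=" in line:
            k, v = line.split("=", 1)
            conf[sec][k.strip()] = v.strip()
    return conf

def port_of(spec):
    """stunnel accept/connect values are 'port' or 'host:port'."""
    return int(spec.rpartition(":")[2])

def check_chain(client_ovpn, client_stunnel, server_stunnel, server_conf, rules):
    """Return a list of problems; an empty list means every hop lines up."""
    c, s = parse_openvpn(client_ovpn), parse_openvpn(server_conf)
    cst = parse_stunnel(client_stunnel)["openvpn"]
    sst = parse_stunnel(server_stunnel)["openvpn"]
    problems = []
    # hop 1: OpenVPN client -> local stunnel listener (host and port must match)
    remote = ":".join(c["remote"][0][:2])
    if remote != cst["accept"]:
        problems.append(f"client 'remote {remote}' does not match client stunnel accept {cst['accept']}")
    # hop 2: client stunnel -> server stunnel, the port the filter actually sees
    if port_of(cst["connect"]) != port_of(sst["accept"]):
        problems.append(f"client stunnel connect {cst['connect']} != server stunnel accept {sst['accept']}")
    if port_of(sst["connect"]) != int(s["port"][0][0]):   # hop 3: server stunnel -> OpenVPN
        problems.append(f"server stunnel connect {sst['connect']} != OpenVPN port {s['port'][0][0]}")
    for side, o in (("client", c), ("server", s)):   # stunnel carries TCP only
        proto = o.get("proto", [["udp"]])[0][0]
        if proto != "tcp":
            problems.append(f"{side} proto is {proto}; stunnel can only carry tcp")
    if ("comp-lzo" in c) != ("comp-lzo" in s):
        problems.append("comp-lzo must be set on both ends or on neither")
    if c.get("remote-cert-tls", [[None]])[0][0] != "server":
        problems.append("client lacks 'remote-cert-tls server': any cert from the CA could pose as the server")
    # hop 4: NAT rules must cover exactly the subnet the 'server' directive hands out
    vpn_net = ipaddress.ip_network("/".join(s["server"][0][:2]))
    for r in rules:
        m = re.search(r"-s\s+(\S+)", r)
        if m and ipaddress.ip_network(m.group(1)) != vpn_net:
            problems.append(f"rule '{r}' uses {m.group(1)} but the VPN subnet is {vpn_net}")
    if not any("MASQUERADE" in r for r in rules):
        problems.append("no MASQUERADE rule: VPN clients cannot reach the internet")
    return problems

def check_page_configs():
    """Run the check against the fragments embedded above."""
    return check_chain(CLIENT_OVPN, CLIENT_STUNNEL, SERVER_STUNNEL, SERVER_CONF, IPTABLES)

if __name__ == "__main__":
    print("\n".join(check_page_configs()) or "chain is consistent")
```

Run it after editing any of the four files; changing the external port from 443 to something else, for instance, has to be done in both cstunnel.conf and stunnel.conf, and the checker flags the case where only one side was updated.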