Home / Tutorials / Configure OpenVPN and apply XOR PATCH on Centos 7
OpenVPN XOR Patch on Centos 7

Configure OpenVPN and apply XOR PATCH on Centos 7

You have a perfectly running CentOS server with OpenVPN installed on it, but one day you discover that your OpenVPN connections to the server are blocked by DPI systems at the ISP level. One of the solutions is to install OpenVPN XOR PATCH on your CentOS server.

Step 1 – Create a folder on your server and download OpenVPN source files, and xor_patch

$ cd /etc/
$ mkdir openvpn_install
$ cd openvpn_install
$ wget http://swupdate.openvpn.org/community/releases/openvpn-2.4.6.tar.gz
$ tar xvf openvpn-2.4.6.tar.gz
$ cd openvpn-2.4.6
$ yum install git
$ git clone https://github.com/clayface/openvpn_xorpatch
$ patch -p1 < openvpn_xorpatch/openvpn_xor.patch
$ yum install openssl-devel pam-devel lzo-devel
$ ./configure
$ make
$ make install

Step 2 – Create OpenVPN config with scramble parameters

$ cd /etc/openvpn

Create OpenVPN config file and configure it to listed on UDP port 1194. Name it as openvpn@server-udp-1194.conf

Make sure to add scramble and scramble xormask parameters

local Your_Public_IP
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh2048.pem
server 10.16.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 4.2.2.1"
push "dhcp-option DNS 8.8.4.4"
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
client-cert-not-required
scramble scramble_alphanumeric_combination_of_your_choice
scramble xormask scramble_alphanumeric_combination_of_your_choice

Save

Step 3 – Configure OpenVPN to start automatically at system boot

$ systemctl enable openvpn@server-udp-1194.service

You may receive the following error message when you try to register the service through Systemd

$ ...No such file or directory

Self compiled OpenVPN sometimes can’t be registered and started through systemd

You’ll need to manually register OpenVPN service on Centos 7

Navigate to /etc/system/systemd folder

$ cd /etc/systemd/system

manually create openvpn@server-udp-1194.service, and enter the following configuration into the file

[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=syslog.target network.target

[Service]
Type=forking
PrivateTmp=true
ExecStart=/usr/local/sbin/openvpn --daemon --cd /etc/openvpn/ --config /etc/openvpn/server-udp-1194.conf

[Install]
WantedBy=multi-user.target

Save the file and try to register the service

$ systemctl daemon-reload
$ systemctl enable openvpn@server-udp-1194.service

Step 4 – Start the service

After the service was successfully registered, you may experience the problem such as newly registered OpenVPN service is refusing to start. It happens on self-compiled OpenVPN instances

$ Failed to start OpenVPN Robust And Highly Flexible Tunneling Application On client.
$ openvpn@server-udp-1194.service failed
$ systemd: Started Network Manager Script Dispatcher Service.
$ systemd: Startup finished in 602ms (kernel) + 3.260s (initrd) + 1min 35.350s (userspace) = 1min 39.213s.
$ nm-dispatcher: req:1 'down' [tun4]: new request (3 scripts)
$ nm-dispatcher: req:1 'down' [tun4]: start running ordered scripts...

You’ll run into issues if you’ve IPv6 enabled, in that case, the solution won’t work because your system will run IPv6 DAD (duplicate address detection) and there’s an old bug where the IP won’t be available but the network-online.target would be fired.

Disable IPv6

$ cd /etc

and add these 2 lines to sysctl.conf

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

Restart the server. OpenVPN service with XOR patch should be starting successfully

Check Also

Find Best 5 VPN with Free Trial 2018

Find Best 5 VPN with Free Trial 2018

Leave a Reply

Your email address will not be published. Required fields are marked *