Skip to main content

VPN Setup

Making a VPN Server

Credits to OnlyCS for the original Kajig and awsame for also helping

Prerequisites

To make a VPN server, you will need:

  • A VPS running Ubuntu 20.04 (DigitalOcean Recommended)
  • A Chromebook for testing
  • Forwarded Ports
    • 22
    • 500
    • 4500
    • 53
  • Basic Knowledge of Linux
    • Downloading files online with wget
    • Modifying files on terminal
    • SSH/SFTP
    • Installing packages with apt
    • Basic knowledge of commands like ls, cd, etc

Installing and Configuring

Make sure ports 500 and 4500 are enabled and run sudo apt install strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins

Next, make sure to backup /etc/ipsec.conf and then open it in vim or nano

Replace the contents of the file with

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    authby=secret
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=YOUR_SERVER_IP_HERE
    leftsubnet=0.0.0.0/0
    leftauth=psk
    right=%any
    rightid=%any
    rightsourceip=10.10.10.0/24
    rightdns=YOUR_SERVER_IP_HERE
    rightauth=psk
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!

backup /etc/ipsec.secrets and replace its contents with:

# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

: PSK "SOME_PASSWORD1!"

Firewall & IP Routing

run these four commands:

sudo ufw allow OpenSSH
sudo ufw allow 500,4500/udp
sudo ufw allow 5
sudo ufw enable

Then run ip route show default. You should get default via [your_server_ip] dev [device] proto static

Keep note of the text where I have left device. This could be something like eth0 or wlan0

Edit /etc/ufw/before.rules above *filter, insert (replacing DEVICE_HERE with your device name):

*nat
-A POSTROUTING -s 10.10.10.0/24 -o DEVICE_HERE -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o DEVICE_HERE -j MASQUERADE
COMMIT

*mangle
-A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o DEVICE_HERE -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT

Below the *filter section (below :ufw-not-local - [0:0]):

-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT

In /etc/ufw/sysctl.conf, bottom of the file

net/ipv4/ip_forward=1
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/all/send_redirects=0
net/ipv4/ip_no_pmtu_disc=1

Restart ufw with:

sudo ufw disable
sudo ufw enable

Finally, start the VPN server

sudo systemctl enable strongswan-starter
sudo systemctl start strongswan-starter

DNS Server with Pi-Hole

First, Install Pi-Hole:

curl -sSL https://install.pi-hole.net | bash

Make 1.1.1.1 (Cloudflare's DNS) the upstream and enable the Web UI/Admin Panel

In your Browser, go to the server IP. Port 80 should be open.

Open the filter list: This is where we block URLs. Click the Regex Filter button

There are many regex filters, and they can be found here. Make sure to convert these to Regex to use them, as they are in Adguard format. Here is an example of some links in Regex format:

(\.|^)goguardian\.com$
(\.|^)securly\.com$

In the Admin Panel, go to Settings > DNS > Interface Settings. Select permit all origins. Scroll to the bottom and hit save

Troubleshooting

If you're having trouble go to discord.gg/unblock and look for the making your own VPN server kajig for assistance.

A common error that occurs is that your VPN will connect, but you will have no internet connection. In this case, try: sudo iptables -I FORWARD 1 -j ACCEPT

Connecting with a Chromebook

  1. Go to chrome://flags and enable the ikev2 VPN flag
  2. Then open network settings and add a network connection
  3. Click built in VPN
  4. Click provider, then ipsec (ikev2)
  5. Click Authentication Type > Pre-Shared Key
  6. Click server hostname, then put the IP address
  7. Click the Pre-Shared Key and put the value you added in for the password in ipsec.secrets
  8. In local identity, put your name or anything else
  9. In remote identity, put the server and click Connect.

You can now bypass web filters :D