Setting up OpenVPN for free Internet access in airports, hotels, and cafes
Note: All this information is currently undergoing testing, and these instructions may be deleted or revised based on the outcome of this testing.
When you go to an airport, hotel, or cafe, frequently you will need to pay for net access, but DNS requests (port 53 UDP) are allowed. You can (potentially) use this to get free (but slow) internet access. You need to set this up before finding yourself in this situation, so it's probably only worth it if you travel frequently.
Requirements
You'll need:
- A Linux machine that's permanently connected to the internet, with a static IP address. We'll call this the server.
- A Linux machine (almost always a laptop) that wants internet access, and which can connect to a wifi or wired network, but which can only use port 53 UDP for free. We'll call this the client.
- You, who wants internet access, usually for something small, like checking your email or reading a web page, for which paying $20 for 10 minutes of use strikes you as somewhat exorbitant.
You can test whether you have port 53 UDP by pinging something, e.g.:
ping google.com
... and if you get an IP address back for google.com, then you've most probably got port 53 UDP traffic allowed.
Setup beforehand
Install openvpn on the server and client:
sudo aptitude install openvpn
Then, generate a static key on the server, and copy this key to the laptop:
cd /etc/openvpn/
openvpn --genkey --secret static.key
rsync /etc/openvpn/static.key laptop:/etc/openvpn/
Do on both server and client:
sudo mkdir /var/log/openvpn
sudo chown nobody:nogroup /var/log/openvpn
Do on the server to allow forwarding traffic:
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
On the client do:
sudo nano /etc/openvpn/rA.example.net.conf
... and paste in these contents:
# openvpn config for client p2p
# clientp2p.conf
#
# address of the server
remote server.whatever.org 53
# set the communication port to 53 instead of the default 1194
proto udp
port 53
# assign 10.8.0.2 to the client and 10.8.0.1 to the server
ifconfig 10.8.0.2 10.8.0.1
# level of detail for the log
verb 5
# use tun0 as the device for the vpn
dev tun0
# authentication file
secret /etc/openvpn/static.key
# write a log file
log-append /var/log/openvpn/openvpn.log
# compression
comp-lzo
# other options - no pinging, persistence, and user nobody for security:
ping-restart 0
nobind
user nobody
group nogroup
persist-key
persist-tun
# make this our default gateway when it is running.
redirect-gateway def1
... and replace "server.whatever.org" with the domain name or IP address of your server machine, and save.
For the server, do this:
sudo nano /etc/openvpn/server.whatever.org.conf
... and paste in these contents:
port 53
proto udp
dev tun0
comp-lzo
# assign 10.8.0.1 to the server and 10.8.0.2 to the client
ifconfig 10.8.0.1 10.8.0.2
# authentication file
secret /etc/openvpn/static.key
push "redirect-gateway def1"
ping-restart 0
user nobody
group nogroup
persist-key
persist-tun
# level of detail for the log
verb 5
# logging
status /var/log/openvpn/rB.example.net.log
log-append /var/log/openvpn/rB.example.net.log
... and save.
Then on the server, start this service and leave it running permanently:
sudo /etc/init.d/openvpn restart
Testing if it works correctly
First check the logs on the server:
cat /var/log/openvpn/rB.example.net.log
... and check that there are no serious looking errors, and rectify these if there are any.
Then on the client, an easy way to test if it's working is to compare a traceroute before and after. So do this on the client to get the "before" results:
sudo tracert telstra.com
Then start openvpn on the client:
sudo /etc/init.d/openvpn start
Then see the "after" results:
sudo tracert telstra.com
... if it's working then the "after" will be different from the "before": the first line will show "10.8.0.1" (i.e. our internet traffic is going via this IP address), and the route will be longer (e.g. my tracert was 18 instead of 13 hops, i.e. the openvpn adds 5 extra hops).
Once it's working, stop openvpn on the client:
sudo /etc/init.d/openvpn stop
When you want to use it
On the client, do this when you're in your airport, hotel, or cafe:
sudo /etc/init.d/openvpn start
When you are finished, and want your networking to go back to normal, do this on the client:
sudo /etc/init.d/openvpn stop
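The setup above only works on networks that pass anything sent to UDP port 53 without checking that it is DNS. The following is an added example (not part of the original instructions) of the check a network operator can run on UDP/53 payloads to tell DNS queries from tunnel traffic; the function names and sample addresses are made up for illustration, and the random bytes are an assumed stand-in for encrypted tunnel packets.

```python
import random
import struct

def looks_like_dns_query(payload: bytes) -> bool:
    """True if a UDP/53 payload parses as a plain DNS query (RFC 1035 layout)."""
    if len(payload) < 17:                 # 12-byte header + root name + type + class
        return False
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    if flags >> 15 or (flags >> 11) & 0xF or flags & 0x40:
        return False                      # QR must be 0, opcode QUERY, reserved Z bit clear
    if qd != 1 or an or ns or ar > 2:     # one question, room for OPT/TSIG only
        return False
    pos = 12
    while True:                           # walk the QNAME labels
        if pos >= len(payload):
            return False
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos - 12 + length > 255:
            return False                  # also rejects compression pointers (0xC0..)
        pos += length
    if pos + 4 > len(payload):
        return False
    _qtype, qclass = struct.unpack("!2H", payload[pos:pos + 4])
    if qclass not in (1, 3, 255):         # IN, CH, ANY
        return False
    return ar > 0 or pos + 4 == len(payload)   # no trailing bytes without extra records

def suspicious_sources(packets, min_packets=3):
    """Return source IPs whose UDP/53 payloads never parse as DNS queries."""
    seen = {}
    for src, payload in packets:
        ok, total = seen.get(src, (0, 0))
        seen[src] = (ok + looks_like_dns_query(payload), total + 1)
    return sorted(s for s, (ok, total) in seen.items() if total >= min_packets and ok == 0)

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Constructed sample: a standard recursive A/IN query."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

# Constructed traffic (not a real capture): 10.0.0.5 sends DNS queries, 10.0.0.9 sends
# random-looking bytes standing in for encrypted tunnel packets.
rng = random.Random(53)
SAMPLE = [("10.0.0.5", build_query("example.com", i)) for i in range(3)]
SAMPLE += [("10.0.0.9", bytes(rng.getrandbits(8) for _ in range(96))) for _ in range(3)]

if __name__ == "__main__":
    print(suspicious_sources(SAMPLE))
```

A gateway that drops or flags UDP/53 payloads failing this check closes the gap the instructions above depend on.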