Create your own VPS from Linode, GCP, Vultr, Digital Ocean or Azure. I haven't tried AWS.
Choose Ubuntu as the operating system.

This guide helps you set up two ways to surf the internet safely: a proxy and a VPN. Both ways are good. The proxy way gives you more options than the VPN: you can make the proxy system-wide or use it only for individual apps.

- All network traffic goes through stunnel (an SSL proxy).
- Client-side applications get multiple ways to access the internet: an HTTP(S) proxy, a SOCKS5 proxy or a VPN.
On the VPS:

1. `sudo apt install squid3 stunnel4 openvpn easy-rsa`
2. `sudo -s`
3. `cd /etc/stunnel`
4. `openssl genrsa -out key.pem 2048`
5. `openssl req -new -x509 -key key.pem -out cert.pem -days 3650`
   Set the Common Name to your VPS public IP or domain name.
6. `cat key.pem cert.pem >> stunnel.pem`
7. `openssl pkcs12 -export -out stunnel.p12 -inkey key.pem -in cert.pem`
8. `vi stunnel.conf`
   Copy the content of `stunnel-server.conf` into it.
9. `vi /etc/default/stunnel4`
   Change the enabled line to `ENABLED=1`.
10. `service stunnel4 restart`
11. `iptables -A INPUT -p tcp --dport 443 -j ACCEPT`
12. `iptables -A INPUT -p tcp --dport 7777 -j ACCEPT`
13. `iptables -A INPUT -p tcp --dport 7788 -j ACCEPT`
14. `cd /etc/openvpn`
15. `make-cadir easy-rsa`
16. `cd easy-rsa`
17. `cp openssl-1.0.0.cnf openssl.cnf`
18. `source ./vars`
19. `./clean-all`
20. `./build-ca`
21. `./build-key-server server`
    Set the Common Name to your VPS public IP or domain name.
22. `./build-key client`
23. `./build-dh`
24. `cd ..`
25. `vi server.conf`
    Copy the content of `openvpn-server.conf` into it and replace `<server-address>` with your VPS IP address.
26. `service openvpn restart`
27. `vi /etc/sysctl.conf`
    Uncomment the line `net.ipv4.ip_forward=1`.
28. `sysctl -p`
29. `ifconfig`
    Check the network interface name (the rule in the next step assumes `eth0`).
30. `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE`
31. `apt install iptables-persistent`

If iptables-persistent does not restore the rules after a system restart, execute the commands below manually:

```sh
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 7777 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 7788 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
```

Use `sudo iptables -L` and `sudo iptables -t nat -L` to see the firewall rules.
On the client, stunnel is required and OpenVPN is optional.

Install stunnel:

- Ubuntu: `sudo apt install stunnel4`
- Mac: `brew install stunnel`
- Windows: download the setup program from https://www.stunnel.org
- Android: install SSLDroid from the Google Play Store: https://play.google.com/store/apps/details?id=hu.blint.ssldroid
Configure stunnel:

- Ubuntu
  - Copy `/etc/stunnel/stunnel.pem` from your VPS to the same folder on your client.
  - Download `stunnel-client.conf` from this github repository and copy it to the `/etc/stunnel` folder.
  - Modify `/etc/default/stunnel4`: set `ENABLED=1`.
  - Restart stunnel: `sudo service stunnel4 restart`
- Mac
  - Copy `/etc/stunnel/stunnel.pem` from your VPS to `/usr/local/etc/stunnel` on your Mac.
  - Download `stunnel-client.conf` from this github repository and copy it to the `/usr/local/etc/stunnel` folder.
  - To start stunnel, open a terminal and run the command `stunnel`.
- Windows
  - Copy `/etc/stunnel/stunnel.pem` from your VPS to `C:\Program Files (x86)\stunnel\config` on your Windows machine.
  - Download `stunnel-client.conf` from this github repository and copy it to the `C:\Program Files (x86)\stunnel\config` folder.
- Android
  - The PKCS12 file is the `stunnel.p12` generated in step 7 above.
Install OpenVPN (optional):

- Ubuntu: `sudo apt install openvpn`
- Mac: download tunnelblick from https://tunnelblick.net
- Windows: download the setup program from https://openvpn.net/community-downloads
- Android: install OpenVPN for Android from the Google Play Store: https://play.google.com/store/apps/details?id=de.blinkt.openvpn
Configure OpenVPN:

- Ubuntu
  - Download `openvpn-client.ovpn` from this github repository.
  - Edit the file: replace `<server-address>` with your VPS address, then follow the comments in the content and copy/paste the content of the CA certificate, the client certificate and the client key from your VPS.
  - For Ubuntu 18.04, you need to fix the DNS leak. Install the resolver hook:

    ```sh
    sudo apt install openvpn-systemd-resolved
    ```

    Copy the block below into `openvpn-client.ovpn`:

    ```
    script-security 2
    up /etc/openvpn/update-systemd-resolved
    down /etc/openvpn/update-systemd-resolved
    down-pre
    dhcp-option DNSSEC allow-downgrade
    dhcp-option DOMAIN_ROUTE .
    ```

  - To start OpenVPN, run `sudo openvpn --config <path>/openvpn-client.ovpn`.
- Mac
  - Download `openvpn-client.ovpn` from this github repository.
  - Edit the file: replace `<server-address>` with your VPS address, then follow the comments in the content and copy/paste the content of the CA certificate, the client certificate and the client key from your VPS.
  - Launch tunnelblick and import `openvpn-client.ovpn`.
- Windows
  - Download `openvpn-client.ovpn` from this github repository.
  - Edit the file: replace `<server-address>` with your VPS address, then follow the comments in the content and copy/paste the content of the CA certificate, the client certificate and the client key from your VPS.
  - Launch OpenVPN GUI and import `openvpn-client.ovpn`.
- Android
  - You must let SSLDroid bypass the VPN (exclude it in the OpenVPN settings), because the OpenVPN traffic needs to pass through the stunnel.
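To confirm that the Ubuntu 18.04 DNS-leak fix above actually took effect, the tunnel interface must own the `~.` routing domain in systemd-resolved (this is what `dhcp-option DOMAIN_ROUTE .` installs through `update-systemd-resolved`) and must have at least one DNS server; otherwise queries keep going to the LAN resolver outside the tunnel. The script below is an added example and is not part of this repository: it parses the per-link sections of `systemd-resolve --status` (called `resolvectl status` on newer releases) and reports whether the tunnel link captures all DNS. The status text embedded in it is a constructed sample, and the column layout it assumes (`Link N (name)` headers followed by `Label: value` lines) is an assumption of this example; the `check` argument and the `tun0` default are likewise mine.

```sh
#!/bin/sh
# Added example (not part of this repository): verify that systemd-resolved
# routes every DNS query through the OpenVPN tunnel after the DNS-leak fix.
set -eu

# Constructed sample of `systemd-resolve --status` output (not captured from a
# real host): tun0 owns the "~." routing domain, so all queries go to 10.8.0.1.
SAMPLE_OK='Global
         DNS Domain: lan

Link 4 (tun0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: allow-downgrade
    DNSSEC supported: yes
         DNS Servers: 10.8.0.1
          DNS Domain: ~.

Link 2 (eth0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.1.1
          DNS Domain: lan'

# Constructed leaking sample: the tunnel pushed a resolver but no routing
# domain, so only queries for nothing in particular are sent to it.
SAMPLE_LEAK='Link 4 (tun0)
      Current Scopes: DNS
         DNS Servers: 10.8.0.1

Link 2 (eth0)
      Current Scopes: DNS
         DNS Servers: 192.168.1.1
          DNS Domain: lan'

# Print the lines belonging to one link section of the status text on stdin.
# A section starts at "Link N (name)" and ends at the next "Link" header.
link_section() {
    awk -v link="$1" '
        /^Link [0-9]+ \(/ { inside = (index($0, "(" link ")") > 0); next }
        inside { print }
    '
}

# Value of one labelled field (e.g. "DNS Domain") inside a section on stdin.
field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# tunnel_dns_ok STATUS_TEXT IFACE: succeed only if IFACE has a DNS server and
# the "~." routing domain, i.e. it answers queries for every name.
tunnel_dns_ok() {
    section=$(printf '%s\n' "$1" | link_section "$2")
    servers=$(printf '%s\n' "$section" | field 'DNS Servers')
    domain=$(printf '%s\n' "$section" | field 'DNS Domain')
    [ -n "$servers" ] && [ "$domain" = "~." ]
}

# Live check against the running resolver:  sh dns-leak-check.sh check [iface]
case "${1:-}" in
    check)
        iface=${2:-tun0}
        if tunnel_dns_ok "$(systemd-resolve --status)" "$iface"; then
            echo "ok: all DNS queries are routed via $iface"
        else
            echo "leak: $iface does not own the ~. routing domain" >&2
            exit 1
        fi ;;
esac
```

Run `sh dns-leak-check.sh check` while the tunnel is up; a non-zero exit means the `dhcp-option DOMAIN_ROUTE .` line was not applied and the system is still resolving names through the LAN resolver.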