Khadas Blog | How To Make An SSH Tunnel For OpenVPN
Updated: Mar 9, 2020
Turn your Khadas VIM into an OpenVPN, SSH tunnel, for your iPhone or iPad!
0. Why Tunnel OpenVPN Over SSH?
In certain parts of the world, the OpenVPN protocol is blocked, and even modifying it’s config-file to run on port 443 doesn’t help. This means that even with OpenVPN, access to the free-internet is restricted. In such cases, our only method to access the internet is through an SSH Tunnel. Popularly, Linux and Unix machines can use an app like sshuttle to route all network traffic via an SSH Tunnel.
However, devices like iPhones and iPads, don’t support SSH tunnelling, *ahem* Apple. They do however support OpenVPN. This guide will be about connecting your iPhone or iPad via OpenVPN, over an SSH tunnel hosted by your Khadas VIM SBC, that will act as a “local tunnelling proxy” on your LAN.
1. Before We Begin
This guide is for intermediate to advanced users, and assumes that you’ve already installed Ubuntu into your Khadas VIM, and know how to login to it using VNC or SSH. If you don’t know, please refer to my previous guide here: Khadas VIM Remote Control Via VNC.
You’ll also need the following tools:
Laptop with Sublime Text, so you can edit the OpenVPN config-files.
Your iPhone or iPad, with OpenVPN app.
Khadas VIM, with Ubuntu Mate installed.
2. Generate SSH Keys For Your Khadas VIM
Once logged into your Khadas VIM via VNC or SSH, generate an SSH key pair for the khadas user (ssh firstname.lastname@example.org). We will use this key-pair for logging into your Cloud Server later.
$ ssh-keygen -t rsa # leave the passphrase empty!
Once key generation is complete, you should see 3 files, id_rsa, id_rsa.pub, and known_hosts, in the directory /home/khadas/.ssh/. We will need these files so that your Khadas VIM can automatically generate an SSH tunnel with your remote OpenVPN Cloud Server when it boots up.
Next you’ll need to copy these SSH key files from the khadas user to the root user, this is because, when the system boots, root will be the one opening the SSH Tunnel, so it needs the key files too.
# login as root $ su root $ Password: khadas (default root password) # copy files to /root/.ssh/ $ cd .ssh $ ls $ cp id_rsa /root/.ssh/id_rsa $ cp id_rsa.pub /root/.ssh/id_rsa.pub $ cp known_hosts /root/.ssh/known_hosts # check that you've copied the files successfully $ cd /root/.ssh/ $ ls
3. Add Your Public SSH Key To Vultr
Open LibreOffice Writer, it can be found in Applications/Office/.
In LibreOffice Writer, go to File/Open, then switch your “Location” to /home/khadas/.ssh/.
And then select and open the id_rsa.pub key file.
Copy the entire text, which is your SSH public key.
Next, using the Chromium Browser on your Khadas VIM, login to Vultr.com and select “SSH Keys”, and then “Add SSH Key”.
Paste in your Public SSH Key, and give it a nice name, in my case, I gave it a very logical “Khadas VIM” name. Then press “Add SSH Key” to save.
4. Deploy A Cloud Server With Your Khadas’ SSH Key
Press the “+” button in the upper-right-hand corner, and deploy a $5/month, CentOS server, in any location of your choosing. I usually like Tokyo, because for some reason, that datacenter is fast. The worst is New Jersey and Miami!
Remember to add your Khadas’ public SSH key to the server!
Give your server a nice Hostname and Label, then click “Deploy Now”.
5. Install OpenVPN Into Your Cloud Server
This step is relatively straightforward, you’ll need to install OpenVPN into your Cloud Server, and configure it to run via TCP only. Remember that SSH can only forward TCP connections and not UDP connections.
Open your Mate Terminal, and SSH to email@example.com, whereby x.x.x.x is the IP-address of your deployed cloud server. Then enter yes. You will realise that it won’t ask you for a password, because it’s using your public SSH key.
$ ssh firstname.lastname@example.org $ ... (yes/no)? yes # x.x.x.x is the ip-address of your deployed cloud server!
Next navigate to the root directory, and create a bash file called install_vpn.sh, it can be any name really.
$ sudo nano install_vpn.sh
Then paste in this OpenVPN installation script, from here. Yes nobody has time for a manual install — “ain’t nobody got time for that”.
install_vpn.sh : https://pastebin.com/R4M0nSms
After saving the bash-script, run it!
$ sudo bash install_vpn.sh
The script will ask you some questions before it runs the install process, just follow the steps I’ve pasted below:
# OpenVPN Installation Script IP address: x.x.x.x (default one works fine) Protocol [1–2]: 2 (choose TCP!!!) Port: 1194 (you can try 443 if it works better for you) DNS [1–5]: 4 (I like to use 4, you can choose 3, or 5)
Give it a meaningful name, like khadas, actually the name doesn’t matter, just keep it simple, it must not have illegal characters like spaces and dashes!
# some tips for the client name Client name: khadas (this is ok) Client name: apple, orange, pearapple (these are all ok) Client name: my client (this is not ok) Client name: my-client (this is not ok)
Key generation will take a minute or two, be patient.
Once key generation is complete, it should save your OpenVPN configuration file to /root/khadas.ovpn, for example. If the file is not saved, it means that your specified file-name contains illegal characters. So it’s best to choose a simple name like khadas.
Now it’s time to logout, our work here is done.
6. Configure The SSH Tunnel On Your Khadas VIM
Finally the fun part, we get to turn your Khadas VIM into a permanent “local tunnelling proxy” via SSH for your iPhone or iPad! Run the command below to open the SSH tunnel.
# open the ssh tunnel on port 5252 (local) to 1194 (remote) $ ssh -N -f -L *:5252:localhost:1194 email@example.com
Your local port can be anything that’s unused e.g. 5252, your remote port should be either 1194 or 443, depending on what you specified earlier during installation. x.x.x.x is the ip-address of your OpenVPN Cloud Server.
Your tunnel is now opened. Next we want to configure your Khadas VIM to open this SSH tunnel everytime it boots up, so we need to edit your/etc/rc.local file.
$ sudo nano /etc/rc.local
Add the same line into your rc.local file, so its executed on boot.
# ... ssh -N -f -L *:5252:localhost:1194 firstname.lastname@example.org exit 0
Then press Control-X to save and exit /etc/rc.local.
If you find that your Khadas VIM is having trouble opening the SSH tunnel on reboot, you'll need to check your systemctl diagnostics by running the command:
$ sudo systemctl status rc.local
It will usually be an error with your SSH key files, you may not have copied them properly.
7. Download & Modify The OpenVPN Client Configuration File Created In Step 5 (.ovpn)
Using your laptop or Khadas VIM, use sftp to login to your OpenVPN Cloud Server. You may have to input your server password, if your laptop SSH keys are not registered. The password can be found from vultr.com.
$ sftp email@example.com $ (yes/no)? yes $ cd /root/ $ ls $ get khadas.ovpn
The .ovpn file, as saved to my home-directory in Mac OS X.
Open this file in Sublime Text, and edit the ip-address and port-number of the remote host.
# open your .ovpn file in Sublime Text, or VIM, or Nano, remote <your-khadas-vim-lan-IP-address> <your-local-port> # in my case, it was, remote 10.0.1.18 5252
If you still don’t know the IP address of your Khadas VIM, you really shouldn’t be reading this guide. Anyway, you can find it from:
# from MATE Terminal... $ su root $ Password: khadas #default password for root $ ifconfig wlan0 # see inet addr: x.x.x.x
Once you’ve modified and saved your .ovpn file, it’s time to load it into your iPhone or iPad. You can send it in an email to yourself, or a Whatsapp message, or even host it on an Apache server somewhere — it doesn’t matter.
For me, I simply save it to my iCloud Drive, and use the Files App on my iPhone to download it.
8. Load The OpenVPN Configuration File Into Your iPhone or iPad
Open the Files app on your iDevice.
Navigate to the folder containing your .ovpn file, and download it.
Open the file in your OpenVPN app. If you haven’t already installed it, download it from the App Store.
Press the green-coloured “+” button to add this configuration profile to the app. You’ll notice it says 10.0.1.18, which is the LAN ip-address of our Khadas VIM!
9. Connect Your iPhone to OpenVPN
Press “Connect” to start OpenVPN!
10. You’re Done! Great Work, Genius!
So that’s it really, your iPhone is connected to your Khadas VIM via OpenVPN on port 5252, and your Khadas VIM is forwarding that OpenVPN connection via SSH Tunnel to port 1194 on your remote cloud server, on Vultr.com.
11. Adding More OpenVPN Server Users
So let’s say your buddy in the office is getting jealous that you can surf the web freely, and he wants to use your OpenVPN server too, what can you do?
Well unlike running OpenVPN via UDP protocol, whereby you can use the same .ovpn configuration for multiple users, running your OpenVPN server via TCP, means you need a new configuration file for each OpenVPN user.
To do this, login to your Vultr.com cloud server via SSH, and run the install_vpn.sh file again, and then repeat steps 7 to 10.
# from MATE Terminal, or your favourite SSH client $ ssh firstname.lastname@example.org $ cd / $ bash install_vpn.sh
# install_vpn.sh bash-script Select an option [1-4]: 1 Client name: buddyuser # can be anything simple
Take note of where the .ovpn file is stored. In my case, it’s /root/buddyuser.ovpn. You’ll then need to follow steps 7 to 10, to download it and get it working on your buddy’s phone or laptop.
12. Discussions On Performance
Running OpenVPN via TCP instead of UDP is a definite performance hit, because TCP is slower than UDP. Running OpenVPN via TCP, via an SSH Tunnel, is an even larger performance hit — it’s like double encryption.
Personally, I found performance to be acceptable, whereby I had two devices stream YouTube simultaneously, with no hiccups. You can download an app to your Khadas VIM to monitor the network performance.
# how to install iftop to your Khadas VIM $ sudo apt-get install iftop $ sudo iftop -i wlan0
For the technically inclined here’s some performance data from speedtest.net.
Okay that’s all. This article was written and published via OpenVPN tunnelled through SSH using TunnelBlick for Mac (freedom)! If you liked it, do remember to share, and leave comments if you have any ways to improve it. :)
Khadas Products Used In This Post:
VIM2 Pro — $119.90