Install OpenVPN on Ubuntu, Hulu Outside the US and Network Security

Some days ago I started using Hulu, the new video star online, but, like many, I found the restriction imposed on users outside the United States (I live in Peru) rather annoying.


I started looking for solutions and found a few which I tested during one week. In this article I'll tell you about each and will guide you on setting up the one I think is the most convenient: your own VPN setup running on Ubuntu.

Your Options To Get Hulu Outside The US

Google quickly told me that using a virtual private network (VPN) with a server in the US would fit the bill for this problem. My connection would go through the VPN and Hulu would see me as coming from a US-based IP.

Hotspot Shield is perhaps the best-known free VPN application for doing this these days. I tried it and it worked: the setup was quite easy and I was using Hulu in just a couple of minutes.

The bad news? Hotspot Shield has a bandwidth limit per month, some say it's 10 Gb., shows ads and does not work in Linux. I really hate having to boot a Windows box just for using one application (World of Warcraft and iTunes are very special exceptions).

So, Hotspot Shield is option 1.

After a little more searching I found two paid services that offered Linux support: HotSpotVPN and WiTopia (both affiliate links). I tried HotSpotVPN, US$ 8.88 for one month of service, in Windows XP and it worked as advertised but they never replied to my email asking for instructions on setting up my Ubuntu laptop.

WiTopia has a US$ 39.99 per year plan, which is a really good price, but I didn't have enough funds in Paypal at the time and couldn't try it. However, I've read really good feedback about it.

That's option 2.

But a VPN is not good only for accessing limited-to-US-residents services like Hulu or Pandora (yeah, I missed that one too), it's much more. We'll learn about it while we review option 3: building our own VPN setup.

Ok, so let's see how to install OpenVPN on Ubuntu Gutsy.

What's a VPN

A virtual private network is a communications network tunneled through another network. In our case that other network is the Internet. Setting up a VPN that uses a public network eliminates the costs of hiring dedicated private links.

But we all know that the Internet is not a secure network, and that's why a VPN must use authentication and content encryption to keep packet sniffers (software or hardware that can intercept our traffic) from getting in our way.

Maybe this VPN thing sounds like too much paranoia but with the increasing number of WiFi hotspots, most of them insecure, all over the world, I'm sure that many won't want their data to travel naked online.

We'll use OpenVPN, an open source application for running a VPN, on Ubuntu 7.10. These are the steps I followed to connect two of my computers in Lima, a laptop and a desktop, to one of my servers in New York and then navigate using the server's US-based IP.

Even though I have more than a decade of experience working with many kinds of networks, I'm not a TCP/IP and security expert and can't provide support; however, I'm sure we'll have many readers aboard who will be able to help in the comments.

Install OpenVPN on Ubuntu Step by Step

Ok, we'll install OpenVPN on a client and a server, both running Ubuntu 7.10. I imagine the process is quite the same for other Linux distributions. Thanks to my buddies Javier Albarracín, Bruno Kamiche and César Villegas for the tips.

First let's make a few things clear:

  • Server: the PC accepting connections from clients through the VPN. For my examples the server will use the public IP x.y.z.w (replace with your own public IP) and will be named servo.
  • Client: the PC connecting to the server through the VPN. We'll call it cliento.
  • Private network: the network we'll create for our VPN. We'll use 10.8.0.0 and our IPs will be like 10.8.0.1, 10.8.0.2, etc.
  • All commands must be run under root or using sudo.
  • What you must type appears in bold letters.
  • To comment a line in your openvpn.conf file use # to start the line.

First let's install OpenVPN:

sudo apt-get install openvpn

OpenVPN must be installed on both client and server; the configuration file used for starting the service will define the role of each PC.

Comment out all lines in /etc/default/openvpn and add:

AUTOSTART="openvpn"

This line tells OpenVPN which configuration file it should use by default when starting. Configuration files are in /etc/openvpn and use the .conf extension so the setting above points to /etc/openvpn/openvpn.conf, a file that still does not exist and we'll create.

Now we can start, stop or restart OpenVPN as usual, let's see:

Start OpenVPN:

/etc/init.d/openvpn start

Stop OpenVPN:

/etc/init.d/openvpn stop

Restart OpenVPN:

/etc/init.d/openvpn restart

Every time you change settings in /etc/openvpn/openvpn.conf you need to restart OpenVPN.

Create Keys and Certificates

Now we need to create security certificates and keys. We'll do all this in the server as root:

cd /etc/openvpn/

Copy the directory easy-rsa to /etc/openvpn:

cp -r /usr/share/doc/openvpn/examples/easy-rsa/ .

Remember we're still inside the /etc/openvpn directory. Now let's edit the file vars with our favorite editor (replace vi with yours):

vi easy-rsa/vars

Kaiman reported a change for this part after June 2008:

vi easy-rsa/2.0/vars

Comment this line:

#export D=`pwd`

Add this one:

export D=/etc/openvpn/easy-rsa

And modify as below:

export KEY_COUNTRY=PE
export KEY_PROVINCE=LI
export KEY_CITY=Lima
export KEY_ORG="Nombre-OpenVPN"
export KEY_EMAIL="tu-nombre@example.com"

Save and quit.

Now run:

. ./vars

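Important: that's a period, a space and another period followed by /vars. This is a common confusion in many setups. Sourcing the file sets its variables only in the current shell, so run the remaining easy-rsa commands from that same shell.

Now:

./clean-all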

The next command creates your certificate authority (CA) using the parameters you just set; the only value you need to enter is the Common Name, for which I used OpenVPN-CA. For this step you'll need OpenSSL; if you don't have it on your server, install it by running:

sudo apt-get install openssl

Ok, now we're ready:

./build-ca

Now let's create the keys, first the server:

./build-key-server server

This is important. When build-key-server asks for Common Name write server, the same parameter you provided to the command.

Also you'll need to answer yes to these two questions: Sign the certificate? [y/n] and 1 out of 1 certificate requests certified, commit? [y/n].

Now the key for the client:

./build-key client1

Use client1 as Common Name, the same parameter you used above for build-key.

You can repeat this step if you want to have more clients, just replace the parameter with client2, client3, etc.

Now let's create Diffie Hellman parameters:

./build-dh

There you are! Now you should have a new directory with your certificates and keys: /etc/openvpn/easy-rsa/keys. To configure your first client copy these files from servo to cliento:

ca.crt
client1.crt
client1.key

Ideally you should use a secure channel. I use scp with RSA authentication (topic for another article):

scp alexis@servo:ca.crt .
scp alexis@servo:client1.crt .
scp alexis@servo:client1.key .

These commands assume you've copied the files to the home of user alexis on the server and assigned read permissions. Then move the files to /etc/openvpn on the client.

The Configuration Files: openvpn.conf

Now go to your client and create openvpn.conf in /etc/openvpn. Write this inside:

dev tun
client
proto tcp
remote x.y.z.w 1194
resolv-retry infinite
nobind
user nobody
group nogroup

# Try to preserve some state across restarts.
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo

# Set log file verbosity.
verb 3

Replace x.y.z.w with your server's public IP.

Now in the server: create openvpn.conf in /etc/openvpn and put this:

dev tun
proto tcp
port 1194

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

user nobody
group nogroup
server 10.8.0.0 255.255.255.0

persist-key
persist-tun

#status openvpn-status.log
#verb 3
client-to-client

push "redirect-gateway def1"

#log-append /var/log/openvpn
comp-lzo

My first connections were a little slow so I disabled compression with this:

#comp-lzo
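
A small audit of the two configuration files above, added here as an example and not part of the original article: it flags a client config with no server-certificate check (the warning a reader quotes in the comments below), a private key readable by other users, 1024-bit DH parameters and a missing privilege drop. The function names and finding labels are made up for this example, and relative paths are assumed to resolve against the config file's directory.

```shell
#!/bin/sh
# Added example, not from the original article: audit an OpenVPN config file.
# has/arg/audit_openvpn_conf and the finding labels are made up for this example.

# True if directive NAME appears uncommented in FILE.
has() { awk -v d="$1" '$1 == d { f = 1 } END { exit !f }' "$2"; }
# Print the first argument of directive NAME in FILE.
arg() { awk -v d="$1" '$1 == d { print $2; exit }' "$2"; }

# Print one finding per line; return non-zero if anything was found.
audit_openvpn_conf() {
    conf=$1; n=0
    # A client with no peer-certificate check accepts any certificate signed
    # by the CA, so the holder of another client's key can pose as the server.
    if has client "$conf" && ! has remote-cert-tls "$conf" \
        && ! has ns-cert-type "$conf" && ! has verify-x509-name "$conf"; then
        echo "HIGH no-server-cert-check: add 'remote-cert-tls server'" \
             "('ns-cert-type server' on OpenVPN 2.0)"
        n=$((n + 1))
    fi
    # The private key must not be readable by group or others.
    # Assumption: a relative path resolves against the config's directory.
    key=$(arg key "$conf")
    case $key in ''|/*) ;; *) key=$(dirname "$conf")/$key ;; esac
    if [ -f "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "HIGH key-permissions: chmod 600 $key"
        n=$((n + 1))
    fi
    # 1024-bit Diffie-Hellman parameters (judged by the file name only).
    case $(arg dh "$conf") in
        *dh1024.pem) echo "MEDIUM weak-dh: regenerate at 2048 bits or more"
                     n=$((n + 1)) ;;
    esac
    # The daemon should drop root after start-up.
    if ! has user "$conf" || ! has group "$conf"; then
        echo "LOW no-privilege-drop: add 'user nobody' and 'group nogroup'"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# Constructed sample: the article's client config plus a world-readable key.
demo_dir=$(mktemp -d)
cat > "$demo_dir/openvpn.conf" <<'EOF'
dev tun
client
proto tcp
remote x.y.z.w 1194
user nobody
group nogroup
ca ca.crt
cert client1.crt
key client1.key
EOF
: > "$demo_dir/client1.key"; chmod 644 "$demo_dir/client1.key"
audit_openvpn_conf "$demo_dir/openvpn.conf" || echo "findings present"
```

On a real machine, call audit_openvpn_conf /etc/openvpn/openvpn.conf as root so the key file can be inspected.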

Finally, configure IP forwarding and IPTables for doing NAT on the server:

echo 1 > /proc/sys/net/ipv4/ip_forward

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

You can verify the rule was written correctly with:

sudo iptables -L -t nat

If you have a firewall you should make sure your VPN traffic can be routed.

If you made a mistake and want to remove all rules from IPTables:

sudo iptables -F -t nat
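
A scripted version of the verification step above, added as an example (not the author's code): it reads iptables-save output and confirms that forwarding is on and that a MASQUERADE rule in the nat table covers 10.8.0.0/24 on eth0. The function name check_vpn_nat is made up, and the subnet must be written the way your iptables-save prints it.

```shell
#!/bin/sh
# Added example, not from the original article: check the routing set-up
# from iptables-save output instead of reading `iptables -L -t nat` by eye.

# check_vpn_nat SUBNET IFACE IP_FORWARD < iptables-save-output
# Prints one line per problem; returns non-zero if a FAIL was reported.
check_vpn_nat() {
    awk -v net="$1" -v dev="$2" -v fwd="$3" '
        /^\*/ { in_nat = ($0 == "*nat") }      # track the current table
        in_nat && $1 == "-A" && $2 == "POSTROUTING" && /-j MASQUERADE/ {
            src = ""; out = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-o") out = $(i + 1)
            }
            if (src == net && out == dev) ok = 1
            else if (src == "" && (out == "" || out == dev)) {
                ok = 1                          # works, but NATs every source
                print "WARN: rule is not limited to " net ": " $0
            }
        }
        END {
            if (fwd != "1") {
                print "FAIL: ip_forward is " fwd ", VPN packets will not be routed"
                bad = 1
            }
            if (!ok) {
                print "FAIL: no MASQUERADE rule for " net " via " dev
                bad = 1
            }
            exit bad + 0
        }'
}

# Constructed sample in iptables-save format, matching the rule added above.
sample_rules='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT'
printf '%s\n' "$sample_rules" | check_vpn_nat 10.8.0.0/24 eth0 1 && echo "NAT set-up OK"
# Live use (as root):
#   iptables-save | check_vpn_nat 10.8.0.0/24 eth0 "$(cat /proc/sys/net/ipv4/ip_forward)"
```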

Now restart OpenVPN in both client and server and you should be set.

Running ifconfig and route -n you should see a new interface, tun0, on both PCs.

Confirm you can connect with a ping to your new tun0 interfaces, for example:

ping 10.8.0.1

Now that your client is connected to your server using OpenVPN, you can browse securely using your server's IP and say hi to Hulu and Pandora.

Good luck!

Additional Resources

  • OpenVPN QuickStart
  • Help for OpenVPN on Ubuntu
  • Help for IPTables on Ubuntu

    Join the conversation

    Good Job!

    Hey Alexis,
    Your tutorial is very clear and helpful to build a VPN with Gutsy to General Purposes, but is there an option to deal with the hulu thing if I don't have a Server or a remote access PC based in US?

    cheers!

    You need a VPN provider

    Hi Hahnemann, then you should use options 1 or 2 in the article, that's using a VPN provider in the US.

    Regards!

    Alexis Bellido

    Nice one!

    Hi Alexis,

    Thanks a lot for the tutorial! Sometimes it's obvious, but sometimes not, and then your tutorial comes in handy to build a VPN! Regards, Aislin!

    Nice Job

    Can I access Hulu if I install & configure just the OpenVPN server? From your instructions, you had to setup a client and a server (which means you used two computers), I just have one computer.

    also...

    This looks quite promising. I'm not done with it yet, but FYI as of june 2008, the
    vi easy-rsa/vars
    should be

    vi easy-rsa/2.0/vars

    Davidian, you need both a server and a client

    These instructions assume you have your own server hosted in the United States. If you have just one computer, which I guess is a client, then you may need to use somebody else's VPN. Take a look at HotspotVPN service (aff).

    Kaiman, thanks for the update. I'm including it on the article.

    Alexis Bellido

    Nice guide. I was looking

    Nice guide. I was looking for something like this.

    FYI, Amarok is a great alternative for iTunes ;-) Directly from apt-get.

    Cheers

    clear

    Very clear step by step tutorial. For newbies like me, things like this keep me from getting overwhelmed sometimes :)

    There's a much easier way to

    There's a much easier way to do this with ssh tunnelling.

    Just get a shell account on a machine in the US and use ssh. The advantage is the infinitely easier set-up and that shell accounts are usually cheap or free (I'm not sure as I've never had to get one).

    Here's a tutorial:

    http://ubuntu.wordpress.com/2006/12/08/ssh-tunnel-socks-proxy-forwarding...

    And here's a list of free shell services:
    http://www.red-pill.eu/freeunix.shtml

    This guide is outdated.

    This guide is outdated. Doesn't work here at all when I try running vars etc...

    Great tutorial, all works

    Great tutorial, all works fine...

    Whats the problem?

    Does not work

    When I run the steps above (using the updated directory which is /etc/openvpn/easy-rsa/2.0) I get the following message:

    Please edit the vars script to reflect your configuration,
    then source it with "source ./vars".
    Next, to start with a fresh PKI configuration and to delete any previous certificates and keys, run "./clean-all".
    Finally, you can run this tool (pkitool) to build certificates/keys.

    I followed the above steps and just keep getting the same message over and over.

    Please help!

    Great tutorial

    Hi Alexis

    This is very well explained and guided paper. Great job. It worked for me.

    Cheers
    Jag

    very good

    it works!!!

    Question ?

    export D=pwd

    Add this one:
    export D=/etc/openvpn/easy-rsa

    What is the "D" representing

    What I had is in the vars file

    Comment this line:

    export D=pwd

    I had export EASY_RSA="pwd"

    Could you please confirm that to me.

    Thank you.
    Regards,
    Ram

    Two extra tips

    (1) You can copy the whole of the 2.0 folder to /etc/openvpn/easy-rsa

    (2) You need to be superuser, not running commands with sudo
    sudo su
    source vars
    ./clean-all

    Dedicated VPN needed?

    Does the VPN setup affect the use of other software on the host? I.e. can I run a web and/or mail server at the same time on it?

    Thank you

    re. There's a much easier way to do this

    .. ssh and a shell account..

    That will get you banned from shell account services quickly and their speeds aren't likely fast enough for streaming services.

    I have the same

    I have the same issue:

    lp3@intrepid:/etc/openvpn/easy-rsa/2.0$ source ./vars
    NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
    lp3@intrepid:/etc/openvpn/easy-rsa/2.0$ sudo ./clean-all
    Please source the vars script first (i.e. "source ./vars")
    Make sure you have edited it to reflect your configuration.

    This is very outdated. I

    This is very outdated. I cannot seem to get past the . ./vars step. It can't find a certain file, or I get this:

    Please edit the vars script to reflect your configuration,
    then source it with "source ./vars".
    Next, to start with a fresh PKI configuration and to delete any previous certificates and keys, run "./clean-all".
    Finally, you can run this tool (pkitool) to build certificates/keys.

    It's working! Thanx for

    It's working!
    Thanx for posting!
    Greetz Angela

    Great! Thanks for

    Great!
    Thanks for posting.
    Regards,
    Angela

    Does the vpn setup affect the

    Does the vpn setup affect the use of other software on the host?

    Not at all, running a VPN

    Not at all, running a VPN does not affect how other services, such as a web or database server, work on your host.

    My first VPN tests ran in a host with a few websites running.

    I got around this problem by

    I got around this problem by adding source ./vars to the top of each of the script files to be executed. Be sure and substitute the root of your easy-rsa folder in the vars file. In the example, it would be /etc/openvpn/easy-rsa/2.0

    Everything comes from there. I'm doing a remote access project using Ubuntu 9.04 (Jaunty) and I plan on posting chronicles of the entire process on my blog.

    I manage to 'bypass' and

    I manage to 'bypass' and watch my favourite tv show on hulu. I went to get an openvpn vpn account at smallvpn.com. Been using it for 3 months and so far so good. Quite happy with the speed & network. I think the good thing with openvpn is we get high encryption protection. Got to know it can encrypt up to 2048 bit. Most vpn provider give 128bit encryption which can easily be attacked by "man-in-the-middle" aka hacker. Just my 2cent.

    -roly

    I've tried openvpn on my

    I've tried openvpn on my netbook and it is too slow to stream hulu, maybe because of heavy encryption? pptp vpn seems faster, maybe less secure but works better for me, now use http://monkeyvpn.com

    I have 2 problems which I

    I have 2 problems which I think are related. When I edit the vars file, mine does not contain "export D=pwd". So, I typed in the one you said, "export D=/etc/openvpn/easy-rsa". Then, I ran vars by typing ". ./vars" and it ran fine. However, when I ran clean-all by typing in "sudo ./clean-all" it gives me the following error.

    "Please source the vars script first (i.e. "source ./vars")
    Make sure you have edited it to reflect your configuration."

    I am so excited to get this setup and am heading off to college next week and do not want to have anything traced/sniffed so I need this. Currently I have vpn running through ssh but openvpn would be ideal.

    Thanks,
    Alex

    Why do you run WOW on a

    Why do you run WOW on a windoze machine? I have been running WOW on Ubuntu since 7.04.
    Dave

    Works a treat. I recommend

    Works a treat. I recommend you push DNS if you are behind a corporate DHCP server providing company DNS

    push "dhcp-option DNS 208.67.222.222"
    push "dhcp-option DNS 208.67.220.220"

    I would rather not worry

    I would rather not worry about maintaining my own server so I use roadwarriorvpn.com all the time. There is OpenVPN access which means it works anywhere, and unlimited bandwidth. The servers are always incredibly fast.

    Thanks, for the server can I

    Thanks, for the server can I install it and run all these commands safely from a remote ssh shell?

    Thanks, to my surprise it

    Thanks, to my surprise it worked immediately!

    Thank you so much! This was

    Thank you so much! This was my problem all along! I tried it over and over changing parameters of the vars file, thinking that I made a mistake but all along it was the stupid user I was logged in as! Everywhere I read people were saying "oh, use sudo all the time"...well that's malarky. Thank you for the simple but very helpful tip!

    Finally I found it,.. :-)

    Finally I found it,.. :-) very good work,..
    Thanks bro,..

    Hi I'm getting the

    Hi
    I'm getting the error:
    Error: private key password verification failed
    WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

    On the client
    Any ideas?

    I would strongly recommend

    I would strongly recommend investing in a solid VPN provider that will guarantee you a valid US IP address to bypass the geographical restrictions of Hulu, Pandora, Netflix. I am paying just $55 a year to get access US sites from Europe.


    www.vpntelevision.com

    VPN has worked miracles for

    VPN has worked miracles for me

    These Vpns can be handy when

    These Vpns can be handy when being outside your ese-v

    Thanks for the great

    Thanks for the great tutorial. It took me some time to get it running but finally I got it working.

    In my opinion - Hotspot

    In my opinion - Hotspot shield is a waste of time since it is constantly blocked by media providers in the USA. An alternative I recommend (and I use) is VPN Television http://www.vpntelevision.com. I got a year for $55 a year. I can access ALL services with a high-speed US IP address. Later, J

    I have found a few options

    I have found a few options with bypassing the GEOIP blocks for media in US & UK (Pandora, Hulu)

    Google "Television+VPN" and you can find some tips.

    http://bit.ly/dkqnL9

    Abe

    yes i agree with Jack Wright,

    yes i agree with Jack Wright, Hotspot shield is a waste of time, don't expect to get a good bandwidth for free.

    Thanks! Works like a charm!

    Thanks! Works like a charm!

    Excellent guide thanks

    Excellent guide thanks

    hi there peoples. may i ask

    hi there peoples. may i ask if this tutorial is running in ubuntu 10.10 or 10.04?? very excited for tomorrow to try it! XD. so clear/! nice job!!

    Bypassing geoip is necessary

    Bypassing geoip is necessary here to get through usually.

    Hello, i have followed all

    Hello, I have followed all the steps, I can connect to OpenVPN but I can't open any website!! any idea?

    my vps is from http://spidervpn.com thanks!

    I have updated the tutorial,

    I have updated the tutorial, it is available here: http://www.howtoforge.com/node/6289
