OpenVPN - nimrody/knowledgebase GitHub Wiki
- Set up an OpenVPN server using the instructions here.
- Create a new certificate (you need one per client):

  ```sh
  OVPN_DATA="ovpn-data"
  docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass
  docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
  ```

  where `CLIENTNAME` is some logical client name (anything, as long as it is unique). When asked for the keystore password enter 1234. All other fields should be left empty.
- Open UDP port 1194 on the VPN machine.
- Use the following rules to transparently redirect all HTTP (port 80) and HTTPS (port 443) traffic arriving from the VPN to mitmproxy:

  ```sh
  sudo iptables -t nat -A PREROUTING -i docker0 -p tcp --dport 80 -j REDIRECT --to-port 8080
  sudo iptables -t nat -A PREROUTING -i docker0 -p tcp --dport 443 -j REDIRECT --to-port 8080
  ```
- Run the proxy using `mitmproxy -T --host`.
- Point the browser to mitm.it to download the MITM certificate.
- Install OpenVPN Connect on the Android client.
Set up NAT on the OpenVPN server (so that all traffic leaving the VPN looks as if it originated from the VPN machine) but without sending ALL client traffic through the VPN:

Add to `/etc/openvpn/server.conf`:

```
server 172.30.30.0 255.255.254.0
push "route <net> <subnet>"
```

Make sure `push "redirect-gateway def1 bypass-dhcp"` is commented out, otherwise all client traffic goes through the VPN. The 172.30.x.x range was chosen so as not to conflict with Docker's 172.17.x.x.
Add a file `/etc/openvpn/server.sh` that is executed before OpenVPN starts, to set up the NAT:

```sh
#!/bin/sh
# Masquerade outgoing traffic
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
# Allow return traffic
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Forward everything (this accepts forwarding between all interfaces on the
# host; restrict it with -i tun0 if the machine is attached to other networks)
iptables -A FORWARD -j ACCEPT
# Enable routing
sysctl -w net.ipv4.ip_forward=1
```
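Both iptables fragments on this page (the mitmproxy REDIRECT rules and `server.sh`) append rules every time they run, so a second run leaves duplicates, and the `FORWARD -j ACCEPT` rule forwards between any pair of interfaces on the host. The script below is an added example, not part of this wiki or of the kylemanna/openvpn image: it installs the same redirect and NAT rules idempotently (checking with `iptables -C` before appending), masquerades only out of the uplink, limits forwarding to VPN-to-uplink and the matching return traffic, and has a dry-run mode so the rule set can be reviewed before it touches the firewall. The interface names `VPN_IF` (docker0 when the server runs in the container, tun0 when it runs on the host), `WAN_IF`, `PROXY_PORT` and the `DRY_RUN` switch are assumptions of this example, not values from the page.

```shell
#!/bin/sh
# Added example (not from the wiki): idempotent installer for the mitmproxy
# transparent-redirect rules and the VPN NAT rules described above.
# Assumed knobs: VPN_IF (interface VPN client traffic arrives on), WAN_IF
# (uplink), PROXY_PORT (mitmproxy listener), DRY_RUN=1 (print, don't apply).
VPN_IF="${VPN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth0}"
PROXY_PORT="${PROXY_PORT:-8080}"
DRY_RUN="${DRY_RUN:-0}"

# Emit the rule set as "table chain rule-spec" lines. REDIRECT runs in nat
# PREROUTING, before the routing decision, so port 80/443 flows from the VPN
# terminate at mitmproxy on this host; everything else is forwarded and
# masqueraded out of the uplink only.
rules() {
    cat <<EOF
nat PREROUTING -i $VPN_IF -p tcp --dport 80 -j REDIRECT --to-port $PROXY_PORT
nat PREROUTING -i $VPN_IF -p tcp --dport 443 -j REDIRECT --to-port $PROXY_PORT
nat POSTROUTING -o $WAN_IF -j MASQUERADE
filter FORWARD -i $VPN_IF -o $WAN_IF -j ACCEPT
filter FORWARD -i $WAN_IF -o $VPN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Append a rule only if an identical rule is not already present (-C = check).
# In dry-run mode print the command that would be executed instead.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -t $table -A $chain $*"
        return 0
    fi
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null \
        || iptables -t "$table" -A "$chain" "$@"
}

# Install every rule, then enable forwarding (skipped in dry-run mode).
apply_rules() {
    rules | while read -r table chain spec; do
        # shellcheck disable=SC2086  # spec is intentionally word-split
        ensure_rule "$table" "$chain" $spec
    done
    [ "$DRY_RUN" = 1 ] || sysctl -w net.ipv4.ip_forward=1
}

# Number of rules this script manages (useful for a quick sanity check).
rule_count() { rules | wc -l | tr -d ' '; }

case "${1:-}" in
    apply) apply_rules ;;
    show)  rules ;;
    "")    ;;   # no action given: only define the functions
    *)     echo "usage: $0 apply|show   (DRY_RUN=1 $0 apply to preview)" >&2; exit 2 ;;
esac
```

Run `DRY_RUN=1 VPN_IF=docker0 sh server.sh apply` to see exactly which commands would be issued for the containerised setup, then drop `DRY_RUN=1` and run it as root to apply them; the `-C` check makes it safe to call from an OpenVPN `up` hook or at every boot.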