Evade Australia's data retention laws with a VPS

The first thing you need to do is realize that this isn’t a free process. You will need to locate a VPS (Virtual Private Server) reseller and get a VPS from them, paying them either monthly or yearly for the pleasure. Most will accept PayPal.

Prices charged for VPSs vary wildly, so you need to determine how much you’re willing to spend to avoid data retention. The good news is that VPS prices have been steadily getting cheaper and cheaper, so there are some good deals out there.

I operate 5 VPSs scattered around the world. I would recommend picking a VPS reseller who is located in a country that isn’t likely to allow its data to be legally collected. Otherwise you may as well forget the concept of avoiding data retention.



Step 1: Purchase the VPS.

I will supply one of my affiliate URLs HERE. You can choose to go with another VPS supplier if you wish.

I would go for the cheapest option from this supplier (at time of writing, $10 per year), because a VPN (Virtual Private Network) equipped VPS really doesn’t need much in the way of resources.

During the signup process you will be asked to supply a domain name. If you do not have a domain name available, simply enter a single word. This will be the “name” of your VPS. For our purposes a domain name really isn’t required.

You will also be asked (via a drop-down box) what operating system you would like to use. There are many different varieties of Linux available. Choose the version you are comfortable with. For this tutorial I will be using Debian.

Step 2: Check your email for VPS information.

The VPS supplier will send you an email. In the email will be information about how to manage your VPS. You will be given the “root” password. (The user called root is the administrator) You will also be given the IP of the VPS.

Step 3: Download PuTTY.

PuTTY is a program that allows you to connect to your VPS. Download PuTTY for Windows HERE. Once it has downloaded, simply insert the IP of your VPS and click OPEN.



The PuTTY terminal window will then open and PuTTY will connect to your VPS. Note: The first time PuTTY connects to your VPS you will get a warning that the Host Key is not cached. Just click “YES”. You should only ever see this prompt once, unless the IP number of your VPS changes. Next you will see a prompt that says “login as:”. Enter root as the login. Use the password supplied to you in the email from your VPS supplier.

You will then see various pieces of information about your VPS displayed. Finally you will be presented with a ’#’ prompt. The VPS is now waiting for your input. This is where you are able to install software and perform various other maintenance on the VPS.

Step 4: Update & Upgrade the VPS.

At the ’#’ prompt enter

apt-get update

apt-get upgrade

apt-get dist-upgrade

Step 5: Check if TUN is enabled.

Use the following one-liner to verify that TUN support is enabled on the Debian system. If you are using a VPS (Virtual Private Server), some virtualization layers such as vServers and OpenVZ require TUN to be enabled on/from the host machine.

At the ’#’ prompt enter

test ! -c /dev/net/tun && echo openvpn requires tun support || echo tun is available

Step 6: Install OpenVPN.

At the ’#’ prompt enter

apt-get install openvpn

Step 7: Set-up Easy-RSA.

At the ’#’ prompt enter

cp -prv /usr/share/doc/openvpn/examples/easy-rsa/2.0 /root/easy-rsa

cd /root/easy-rsa

cp vars{,.orig}

Step 8: Set-up default values in Easy-RSA.

At the ’#’ prompt enter

vim ./vars

You will now be running the vim program. Vim is a text editor.

Note: ’#’ in front of a line will cause that line to be ignored.

Make the ‘active’ lines look like this (each one starts with export):

 export KEY_SIZE=2048
 export KEY_COUNTRY="AU"
 export KEY_PROVINCE="AU"
 export KEY_CITY="Canberra"
 export KEY_ORG="The Streets"
 export KEY_EMAIL="webmaster@whoeverwhereever.com"

Press Esc on your keyboard. Then press “:” then press ‘w’ (writes changes)

Press Esc on your keyboard. Then press “:” then press ‘q’ (quits)

At the ’#’ prompt enter

source ./vars

The next command deletes any previously created certificates.

At the ’#’ prompt enter

./clean-all

Step 9: Generate the CA certificate.

At the ’#’ prompt enter

./build-ca

Step 10: Generate the server certificate.

At the ’#’ prompt enter

./build-key-server myvpn

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Step 11: Generate the Diffie-Hellman parameters (PEM file).

At the ’#’ prompt enter

./build-dh

Step 12: Generate client certificate.

At the ’#’ prompt enter

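./build-key blackhole

The client name must differ from the server name (myvpn) used in Step 10. The name blackhole matches the blackhole.crt and blackhole.key files that the client.conf in Step 19 refers to.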

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Step 13: Generate the HMAC key (ta.key).

At the ’#’ prompt enter

openvpn --genkey --secret /root/easy-rsa/keys/ta.key

Step 14: Deploy the certificates.

Copy the required certificates to the particular machine/device (server or client).

The public ca.crt certificate is needed on all servers and clients.

The private ca.key key is secret and only needed on the key generating machine.

A server needs server.crt, dh2048.pem (public), server.key and ta.key (private). In this tutorial the server pair is named myvpn.crt and myvpn.key.

A client needs client.crt (public), client.key and ta.key (private).

Step 15: Set-up certificates and keys on the server.

At the ’#’ prompt enter

mkdir -p /etc/openvpn/certs

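cp -pv /root/easy-rsa/keys/{ca.crt,myvpn.{crt,key},ta.key,dh2048.pem} /etc/openvpn/certs/

Only the files the server uses are copied. ca.key stays in /root/easy-rsa/keys, since OpenVPN never reads the CA private key and Step 14 keeps it on the key generating machine only.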

Step 16: Configure the OpenVPN server.

At the ’#’ prompt enter

cat > /etc/openvpn/server.conf

 port 1194
 proto udp
 dev tun
 ca /etc/openvpn/certs/ca.crt
 cert /etc/openvpn/certs/myvpn.crt
 key /etc/openvpn/certs/myvpn.key
 dh /etc/openvpn/certs/dh2048.pem
 tls-auth /etc/openvpn/certs/ta.key 0
 server 192.168.2.0 255.255.255.0
 ifconfig-pool-persist ipp.txt
 push "redirect-gateway def1 bypass-dhcp"
 push "dhcp-option DNS 8.8.8.8"
 push "dhcp-option DNS 8.8.4.4"
 client-to-client
 keepalive 1800 4000
 cipher DES-EDE3-CBC # Triple-DES
 comp-lzo
 max-clients 10
 user nobody
 group nogroup
 persist-key
 persist-tun
 log openvpn.log
 status openvpn-status.log
 verb 5
 mute 20

When finished, press CONTROL+D (end of input) so that cat writes the file and exits.

Step 17: Start the OpenVPN server.

At the ’#’ prompt enter

service openvpn restart

update-rc.d -f openvpn defaults

Step 18: Enable forwarding and set-up iptables.

At the ’#’ prompt enter

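vim /etc/sysctl.conf

Inside vim, run this substitution, then save and quit:

 :%s/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/

If vim reports that the pattern was not found (a stock Debian sysctl.conf carries the line commented out as #net.ipv4.ip_forward=1), remove the leading ’#’ from that line instead.

Back at the ’#’ prompt, apply the change:

 sysctl -p

Set up the following iptables rules: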

iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT

iptables -A FORWARD -s 192.168.2.0/24 -j ACCEPT

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE

Note: if using OpenVZ/vServers you may need the following instead of the MASQUERADE rule

iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to-source <PUBLIC_VPN_IP>

Save the rules

iptables-save > /etc/iptables.rules

For persistent firewall rules you may want to use the iptables-persistent package, or just set up a simple script in /etc/network/if-pre-up.d/ which loads the rules in /etc/iptables.rules using iptables-restore. The script must be executable, otherwise it is skipped when the interface comes up.

For example:

cat /etc/network/if-pre-up.d/iptables

 #!/bin/bash
 test -e /etc/iptables.rules && iptables-restore -c /etc/iptables.rules

Step 19: Set-up OpenVPN client (on your VPS)

Deploy the generated certificates to the VPN client/device

Install OpenVPN client on the machine/device

Create the following client.conf configuration file

cat > /etc/openvpn/client.conf

 client
 remote <PUBLIC_VPN_IP>
 ca /home/d/confs/certs/vpn/ca.crt
 cert /home/d/confs/certs/vpn/blackhole.crt
 key /home/d/confs/certs/vpn/blackhole.key
 cipher DES-EDE3-CBC
 comp-lzo yes
 dev tun
 proto udp
 tls-auth /home/d/confs/certs/vpn/ta.key 1
 nobind
 auth-nocache
 script-security 2
 persist-key
 persist-tun
 user nobody
 group nogroup

CONTROL+D (when finished)

Congratulations. Your VPN on your VPS is now set up.
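The server.conf and client.conf above can be checked with a small linter before the service is started. This is an added example, not part of the original tutorial: the function name audit_ovpn_conf and its list of checks are assumptions chosen for illustration, and the sample input is constructed.

```bash
#!/bin/bash
# Added example: lint an OpenVPN config for settings that deserve a second look.
# audit_ovpn_conf FILE prints one finding per line and returns 1 if any were found.
audit_ovpn_conf() {
    local conf=$1 n=0 d a rest is_client=0 verifies=0 scripts=0 scriptsec=0
    note() { echo "$conf: $*"; n=$((n + 1)); }
    while read -r d a rest; do        # d = directive, a = its first argument
        case $d in
            client) is_client=1 ;;
            remote-cert-tls|ns-cert-type|verify-x509-name) verifies=1 ;;
            up|down|route-up|client-connect|learn-address) scripts=1 ;;
            script-security) scriptsec=${a:-1} ;;
            cipher)
                case $a in            # all of these use a 64-bit block
                    DES*|BF-*|CAST5-*|RC2-*)
                        note "cipher $a has a 64-bit block; use an AES cipher such as AES-256-CBC" ;;
                esac ;;
            comp-lzo)
                [ "$a" = no ] ||
                    note "$d compresses before encrypting, which can leak plaintext via packet sizes" ;;
            client-to-client)
                note "client-to-client routes between clients inside OpenVPN, past the iptables FORWARD chain" ;;
            verb)
                [ "${a:-1}" -le 4 ] ||
                    note "verb $a is debug level; the OpenVPN manual gives 1-4 as the normal range" ;;
        esac
    done < "$conf"
    [ "$is_client" -eq 0 ] || [ "$verifies" -eq 1 ] ||
        note "client never checks the peer certificate type; add 'remote-cert-tls server'"
    [ "$scriptsec" -lt 2 ] || [ "$scripts" -eq 1 ] ||
        note "script-security $scriptsec is set but no script directive needs it"
    [ "$n" -eq 0 ]
}

# Constructed sample input: the reviewable lines from the client.conf above.
sample=$(mktemp)
printf '%s\n' 'client' ' cipher DES-EDE3-CBC' ' comp-lzo yes' ' script-security 2' > "$sample"
audit_ovpn_conf "$sample" || echo "4 findings expected for the sample"
rm -f "$sample"
```

Any cipher or compression change has to be made in server.conf and client.conf together, because both ends must agree on them.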

Step 20: Troubleshooting.

If you see errors like this:

us=229735 myvpn4/78.156.78.132:15825 MULTI: bad source address from client [10.10.10.26], packet dropped

add the following to server.conf

client-config-dir ccd

Then run

mkdir /etc/openvpn/ccd

cat > /etc/openvpn/ccd/nexus4

iroute 10.10.10.0 255.255.255.0

(press CONTROL+D after typing the iroute line)

Finally restart OpenVPN with

service openvpn restart

Well, that completes the installation and configuration of the server.

Now all you have to do is install and configure the Client on your Windows computer.













