VPN Tutorials

Set up VPN to bypass censorship (Server)

(As of 2019, this technique does work to bypass the GFW in China - I tested it myself.)

This guide will show you how to set up a VPN server with V2Ray (Shadowsocks and VMess), WireGuard, IPSec, and OpenVPN.

1. Initial Server Setup

Reference: this guide

  • Install Debian 9 / Ubuntu 18.04. Other distros might work, but these instructions are only for recent apt-based distros.

  • Add the following lines at the end of /etc/sysctl.conf, then run sysctl -p to apply them:

net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr

  • (Optional) Set the network firewall to allow only ports 80, 443, 8443, 22, 51820 and 8080, if you are willing and able to.

2. Install & Setup Nginx

  • Install Nginx - apt install nginx

  • Set the server_name in /etc/nginx/sites-enabled/default to the domain name of the server

  • Install Certbot for Nginx - apt install python-certbot-nginx

  • Get a certificate - certbot --nginx. Make sure to select yes for redirect.

  • Optionally add autorenew to crontab - @monthly certbot renew

  • Add reverse proxy snippet below to the first server block in default

  • Reload nginx - nginx -s reload

3. Install & Setup V2Ray

  • Install V2Ray - bash <(curl -L -s https://install.direct/go.sh)

  • SAVE THE ID from /etc/v2ray/config.json (you need it in the next step)

  • Replace /etc/v2ray/config.json with the config.json below, replacing id with your ID

  • Start v2ray - systemctl start v2ray

3a. (Optional) Shadowsocks-obfs

⚠️ Currently not working

  • Build & install simple-obfs using the guide here

  • Run obfs-server in a screen like this: obfs-server -s server_ip -p 443 --obfs tls -r 127.0.0.1:8443 --failover 127.0.0.1:443 replacing server_ip with the server IP

  • Use the systemd unit file below to auto start it.

4. Install & Setup WireGuard

  • Just use Algo! Use the config.cfg below. You can select everything else yourself but you should do a local installation. When it asks for a public IP, USE A PUBLIC IP not a hostname!

  • Answer the questions in the installer as you would like. If you use Apple devices, you should answer yes to the questions about generating mobileconfig files.

  • If you have a network firewall: Make IPTables accept all input by doing iptables -P INPUT ACCEPT because the network firewall will handle security. This should also be set in iptables-persistent.

5. Install & Setup OpenVPN

  • Use Angristan's script!
  • His script is very well documented, and you can just follow the instructions in the README.
  • Copy (using a protocol such as scp) the .ovpn files to your client devices.
scp root@your.ip:/root/*.ovpn /local/folder/on/computer
  • To allow clients to access resources in your LAN, you can add push "route your.lan.ip.range net.mask" to /etc/openvpn/openvpn.conf and then restart OpenVPN.

6. Access LAN Resources

  • By default, for security reasons, two discrete subnets are not able to access each other. To allow VPN clients to access resources on the LAN of the VPN server, do some IPTables trickery:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -d 192.168.0.0/16 -j SNAT --to 192.168.0.106

Here 10.8.0.0/24 is the subnet from which VPN clients are allocated IPs, 192.168.0.0/16 is the LAN subnet, and 192.168.0.106 is the LAN IP of the VPN server.
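The push "route ..." directive from step 5 and the SNAT rule above must agree on the same addressing, so this added example (not part of the original guide) validates the three values and generates both lines. The function name lan_access_config is hypothetical, and the addresses are the sample values used above.

```python
import ipaddress


def lan_access_config(vpn_subnet, lan_subnet, server_lan_ip):
    """Validate the addressing and return (push_directive, snat_rule).

    Hypothetical helper for this example; not part of OpenVPN or iptables.
    """
    # strict=True rejects values such as 192.168.0.106/16 (host bits set),
    # a common typo when a host address is pasted where a subnet belongs.
    vpn = ipaddress.ip_network(vpn_subnet, strict=True)
    lan = ipaddress.ip_network(lan_subnet, strict=True)
    server = ipaddress.ip_address(server_lan_ip)

    if not (vpn.version == lan.version == server.version == 4):
        raise ValueError("this example handles IPv4 only")
    # If the two ranges overlap, "VPN client" and "LAN host" are ambiguous
    # and the -s/-d match in the SNAT rule no longer separates them.
    if vpn.overlaps(lan):
        raise ValueError(f"VPN subnet {vpn} overlaps LAN subnet {lan}")
    # The SNAT source must be a usable host address inside the LAN subnet.
    if server not in lan or server in (lan.network_address, lan.broadcast_address):
        raise ValueError(f"{server} is not a usable host address in {lan}")

    # OpenVPN's route directive takes a dotted netmask, not a prefix length.
    push = f'push "route {lan.network_address} {lan.netmask}"'
    snat = (f"iptables -t nat -A POSTROUTING -s {vpn} -d {lan} "
            f"-j SNAT --to {server}")
    return push, snat


if __name__ == "__main__":
    # Sample values taken from the rule in this section.
    push, snat = lan_access_config("10.8.0.0/24", "192.168.0.0/16", "192.168.0.106")
    print(push)
    print(snat)
```

As generated, the rule lets every VPN client reach the whole LAN range given in -d; pass a narrower LAN subnet if clients only need a few hosts.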


Once you have completed this guide, configure your clients by using this guide: Client Setup.

Set up VPN to bypass censorship (Client)

This guide covers setting up clients to connect, via several different protocols, to the server you set up here.

1. V2Ray

All of these commands should be run on the client, not the server.

  • Choose one of the clients here depending on your OS.

  • If you chose a GUI client, you can simply fill in the requested details from your server config file, or import a JSON file. Unfortunately, there are too many clients to provide accurate and timely support for each :(

  • To import a JSON file: Copy the correct client JSON from below (either Shadowsocks or VMess) to the config.json in your V2Ray folder, replacing the blank values with your server's information (hostnames, etc).

  • Set your system's proxy settings to the SOCKS proxy defined. By default, this should be localhost:10808.

  • Alternatively, it is possible to use the Shadowsocks client to connect to the V2Ray Shadowsocks interface (this allows the use of obfs). However, that is outside the scope of this guide.

2. WireGuard & IPSec (Algo)

The guys at Trail of Bits have already created a fantastic guide for this. Instead of typing it all out, here's a link.

3. OpenVPN

  • Download an OpenVPN client, such as Pritunl or the Official OpenVPN client.

  • Copy the .ovpn files from your home directory on your server to your client device, and import them into your OpenVPN client.