Set up VPN to bypass censorship (Server)

(As of 2019, this technique does work to bypass the GFW in China - I tested it myself.)

This guide will show you how to set up a VPN server with V2Ray (Shadowsocks and VMess), WireGuard, IPsec, and OpenVPN.

1. Initial Server Setup

Reference: this guide

  • Install Debian 9 / Ubuntu 18.04. Other distros might work, but these instructions are only for recent apt-based distros.

  • Add:

net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr

at the end of /etc/sysctl.conf and then apply it with sysctl -p

  • (Optional) Set network firewall to only allow ports 80,443,8443,22,51820,8080, if you are willing and able to.
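The sysctl step above, as an added example that is not part of the original guide: a small POSIX shell helper that puts the two settings into a sysctl file without duplicating them or leaving a conflicting older value in place, followed by the commands that confirm the kernel actually took them. The file path is a parameter (an assumption made here) so the helper can be tried on a scratch file before /etc/sysctl.conf; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: idempotently enable fq + BBR in a
# sysctl file. FILE is a parameter so the helper can be tried on a scratch copy
# before touching /etc/sysctl.conf.

# ensure_sysctl FILE KEY VALUE
# Appends KEY=VALUE unless FILE already has it; if KEY is present with another
# value, rewrite that line so sysctl never sees two conflicting assignments.
ensure_sysctl() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*${value}[[:space:]]*$" "$file"; then
        return 0                                  # already set, nothing to do
    fi
    if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        # portable in-place edit (no GNU sed -i): write a temp file, then move it
        sed "s|^[[:space:]]*${key}[[:space:]]*=.*|${key}=${value}|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# sysctl_value FILE KEY -> last value assigned to KEY in FILE (the one sysctl -p applies)
sysctl_value() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# enable_bbr FILE -> the two settings from step 1 of the guide
enable_bbr() {
    ensure_sysctl "$1" net.core.default_qdisc fq
    ensure_sysctl "$1" net.ipv4.tcp_congestion_control bbr
}

# On the real server (as root):
#   enable_bbr /etc/sysctl.conf && sysctl -p
#   sysctl net.ipv4.tcp_available_congestion_control   # "bbr" must be listed (kernel 4.9+)
#   sysctl net.ipv4.tcp_congestion_control             # expect: ... = bbr
# If bbr is missing from the available list, sysctl -p reports an error and the
# previous algorithm stays in force, so check the kernel before assuming it worked.
```

Running enable_bbr twice leaves the file unchanged the second time, which is what you want when the step ends up in a provisioning script that may be re-run.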

2. Install & Setup Nginx

  • Install Nginx - apt install nginx

  • Set the server_name in /etc/nginx/sites-enabled/default to the domain name of the server

  • Install Certbot for Nginx - apt install python-certbot-nginx

  • Get a certificate - certbot --nginx. Make sure to answer yes when it offers to redirect HTTP to HTTPS.

  • Optionally add autorenew to crontab - @monthly certbot renew

  • Add the reverse proxy snippet below to the first server block in /etc/nginx/sites-enabled/default

  • Reload nginx - nginx -s reload

3. Install & Setup V2Ray

  • Install V2Ray - bash <(curl -L -s https://install.direct/go.sh)

  • SAVE THE ID that the installer generated in /etc/v2ray/config.json

  • Replace /etc/v2ray/config.json with the config.json below, substituting your saved ID for the id field

  • Start v2ray - systemctl start v2ray

3a. (Optional) Shadowsocks-obfs

⚠️ Currently not working

  • Build & install simple-obfs using the guide here

  • Run obfs-server in a screen like this: obfs-server -s server_ip -p 443 --obfs tls -r 127.0.0.1:8443 --failover 127.0.0.1:443, replacing server_ip with the server's IP address

  • Use the systemd unit file below to auto start it.

4. Install & Setup WireGuard

  • Just use Algo! Use the config.cfg below. You can select everything else yourself but you should do a local installation. When it asks for a public IP, USE A PUBLIC IP not a hostname!

  • Answer the questions in the installer as you would like. If you use Apple devices, you should answer yes to the questions about generating mobileconfig files.

  • If you have a network firewall: make iptables accept all input with iptables -P INPUT ACCEPT, because the network firewall will handle security. This should also be set in iptables-persistent so it survives a reboot.

5. Install & Setup OpenVPN

  • Use Angristan's script!

  • His script is very well documented, and you can just follow the instructions in the README.

  • Copy (using a protocol such as scp) the .ovpn files to your client devices:

scp root@your.ip:/root/*.ovpn /local/folder/on/computer

  • To allow clients to access resources in your LAN, you can add push "route your.lan.ip.range net.mask" to /etc/openvpn/openvpn.conf and then restart OpenVPN.

6. Access LAN Resources

  • By default, for security reasons, two discrete subnets are not able to access each other. To allow VPN clients to access resources on the LAN of the VPN server, do some iptables trickery:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -d 192.168.0.0/16 -j SNAT --to 192.168.0.106

where 10.8.0.0/24 is the subnet from which VPN clients are allocated IPs, 192.168.0.0/16 is the LAN subnet, and 192.168.0.106 is the LAN IP of the VPN server.
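The SNAT rule above and the OpenVPN push "route" directive from step 5, as an added example that is not part of the original guide: a POSIX shell helper that builds both lines from the three addresses after validating them. The check a practitioner wants is that the --to address really lies inside the LAN subnet; if it does not, LAN hosts send their replies elsewhere and the rule fails silently. The function names are this example's own, and it assumes forwarding (net.ipv4.ip_forward=1) is already enabled, as Angristan's script does.

```shell
#!/bin/sh
# Added example, not from the original guide: build the step-6 SNAT rule and the
# OpenVPN push-route line from validated inputs. The check worth having is that
# the --to address lies inside the LAN subnet; if it does not, LAN hosts send
# their replies elsewhere and the rule fails silently. Function names are this
# example's own; forwarding (net.ipv4.ip_forward=1) is assumed to be on already.

# ip_to_int A.B.C.D -> 32-bit integer; fails on anything that is not an IPv4 address
ip_to_int() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip INT -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_int BITS -> integer netmask for a /BITS prefix (fails outside 0..32)
mask_int() {
    [ "$1" -ge 0 ] 2>/dev/null && [ "$1" -le 32 ] || return 1
    echo $(( $1 == 0 ? 0 : (4294967295 << (32 - $1)) & 4294967295 ))
}

# in_subnet IP CIDR -> true when IP falls inside CIDR
in_subnet() {
    ip=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "${2%/*}") || return 1
    mask=$(mask_int "${2#*/}") || return 1
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# lan_snat_rule VPN_CIDR LAN_CIDR SERVER_LAN_IP -> prints the iptables command
lan_snat_rule() {
    in_subnet "${1%/*}" "$1" || { echo "bad VPN subnet: $1" >&2; return 1; }
    in_subnet "$3" "$2"      || { echo "$3 is not inside $2" >&2; return 1; }
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -j SNAT --to %s\n' "$1" "$2" "$3"
}

# push_route_line LAN_CIDR -> the OpenVPN server directive from step 5, in the
# "network netmask" form OpenVPN expects
push_route_line() {
    net=$(ip_to_int "${1%/*}") || return 1
    mask=$(mask_int "${1#*/}") || return 1
    printf 'push "route %s %s"\n' "$(int_to_ip $(( net & mask )))" "$(int_to_ip "$mask")"
}

# Usage on the server (as root); persist the rule afterwards with: netfilter-persistent save
#   lan_snat_rule 10.8.0.0/24 192.168.0.0/16 192.168.0.106 | sh
#   push_route_line 192.168.0.0/16 >> /etc/openvpn/openvpn.conf   # then restart OpenVPN
```

A host address given for the LAN (192.168.1.77/24) is normalised to its network address in the push line, since OpenVPN rejects a route whose host bits are set.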
Once you have completed this guide, configure your clients by using this guide: Client Setup.