Okay. Let's pretend here for a sec that you work in an office where UDP is filtered outbound, but we really want to use UDP for mosh.
Here's the plan at a high level.
- Spin up a cloud server
- Install Docker
- Start OpenVPN Container
- Grab .ovpn config
- Modify .ovpn config to a include static route to your UDP-enabled destination
- Install Tunnelblick and enjoy your mosh goodness
We'll pretend you already have an Ubuntu 12.04 cloud server spun up at 1.1.1.1, and a server that has mosh installed spun up at 2.2.2.2.
Install Docker
curl get.docker.io | shStartup OpenVPN, don't control+c this!
CID=$(docker run -d --privileged -p 1194:1194/udp -p 443:443/tcp jpetazzo/openvpn)
docker run -t -i -p 8080:8080 --volumes-from $CID jpetazzo/openvpn serveconfigThe previous command will give you a URL to hit... Should look something like https://1.1.1.1:8080 or something. This URL is currently serving your OpenVPN config that was dynamically generated.
From a server that can reach that address and port, you need to do this to pull down a copy:
curl -k https://1.1.1.1:8080 > vpn.ovpnOnce you have that vpn.ovpn file on your laptop/mac/desktop/whatever, we're pretty much done with the server side config.
Go back to your SSH session where you have the OpenVPN config thing running, and Ctrl+C the process, that way you are no longer serving your .ovpn config to the world. Don't worry, the OpenVPN container itself will stay running.
Take steps to harden this server however you see fit, typically I change the SSH port and disable root login, etc.
Once you've done that just exit out of that ssh session. Let's modify our vpn.ovpn.
Open up your vpn.ovpn config file, it should look something like this:
client
nobind
dev tun
redirect-gateway def1
<key>
-----BEGIN RSA PRIVATE KEY-----
Blah
-----END RSA PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
Blah
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
Blah
-----END CERTIFICATE-----
</ca>
<dh>
-----BEGIN DH PARAMETERS-----
Blah
-----END DH PARAMETERS-----
</dh>
<connection>
remote 1.1.1.1 1194 udp-client
</connection>
<connection>
remote 1.1.1.1 443 tcp-client
</connection>
We need to add the following under redirect-gateway def1
; Mosh Server!!!
route 2.2.2.2 255.255.255.255
This will force our VPN Client to route all traffic destined to the 2.2.2.2/32 network over the VPN tunnel. Yay!
Note, you can also add other networks to this list if you know what you're doing. :D
Since we're also in an office that filters UDP outbound, we'll need to remove the portion about the udp-client so that our vpn client uses TCP. Delete this whole thing:
<connection>
remote 1.1.1.1 1194 udp-client
</connection>
When we're done, it should look something like this:
client
nobind
dev tun
redirect-gateway def1
; Mosh Server!!!
route 2.2.2.2 255.255.255.255
<key>
-----BEGIN RSA PRIVATE KEY-----
Blah
-----END RSA PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
Blah
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
Blah
-----END CERTIFICATE-----
</ca>
<dh>
-----BEGIN DH PARAMETERS-----
Blah
-----END DH PARAMETERS-----
</dh>
<connection>
remote 1.1.1.1 443 tcp-client
</connection>
Cool. You're done.
Go grab a copy of Tunnelblick and then import your newly modified vpn.ovpn file, click connect, and you should be good to go!
Now all traffic destined to 2.2.2.2/32 will travel over your OpenVPN tunnel.
Try mosh!
mosh user@2.2.2.2- Try traceroute-ing to your server to make sure you're going over your VPN tunnel.
- If you're using Tunnelblick, make sure that you turn off 'Validate Public IP Changes'