In the past, there were various ways to avoid carrier data charges, known as “free data,” but the major carriers were not sitting ducks. They also used technical means to filter and block these methods, which meant that a large portion of these “free data” techniques only worked in certain situations—for example, QQ and WeChat chatting might work, but Youku video would not.
Then recently, a new kind of “free data” technique appeared, called “cloud free data.” It sounds very high-end, but the principle is actually very simple.
To make it convenient for users to check data usage, pay bills, and perform other operations, the major carriers set things up so that when users browse some of the carriers’ own websites, no data is consumed. However, problems arose when the carriers tried to identify whether the URL a user was visiting belonged to that set of sites, resulting in misidentification, mainly due to how the X-Online-Host header field is handled.
When OpenVPN is used for free data access, a tunnel is established between the VPS and the mobile device, and all of the device’s network requests first pass through OpenVPN to the VPS. After the VPS retrieves the requested content, it sends it back through the tunnel. The key to free data access is that before each network request is initiated through OpenVPN, the request headers are disguised by adding the X-Online-Host field, making the carrier think the request is for one of the carrier’s own zero-rated websites.
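The misidentification described above, seen from the carrier gateway's side, as an added example that is not part of the original article. It compares a billing rule that trusts client-supplied headers with one that bills on the real destination, plus a mismatch detector. The request samples, function names and the exact weak rule are assumptions constructed for illustration, and requests are assumed to reach the proxy in CONNECT or absolute-URL form.

```python
from urllib.parse import urlsplit

ZERO_RATED = {"rd.go.10086.cn", "wap.10010.com"}  # hosts taken from this page

# Constructed sample: a tunnel client dialing its server through the carrier
# proxy while claiming a zero-rated host (203.0.113.10 is a documentation IP).
SPOOFED = (b"CONNECT 203.0.113.10:1194 HTTP/1.0\r\n"
           b"X-Online-Host: rd.go.10086.cn\r\n"
           b"Host: rd.go.10086.cn\r\n\r\n")
# Constructed sample: a genuine request for the carrier's own site.
GENUINE = (b"GET http://rd.go.10086.cn/bill HTTP/1.1\r\n"
           b"Host: rd.go.10086.cn\r\n\r\n")

def parse(raw):
    """Split a proxy request head into method, target and lowercase headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip().lower()
    return method.upper(), target, headers

def destination(method, target):
    """Host the proxy will really connect to, taken from the request line."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()

def naive_is_free(raw):
    """Assumed weak rule: bill on what the client's headers claim."""
    _, _, headers = parse(raw)
    return headers.get("x-online-host", headers.get("host", "")) in ZERO_RATED

def strict_is_free(raw):
    """Hardened rule: bill on the destination, ignore client-supplied hints."""
    method, target, _ = parse(raw)
    return destination(method, target) in ZERO_RATED

def spoof_alert(raw):
    """Detection: a header claims a zero-rated host the request does not go to."""
    method, target, headers = parse(raw)
    claimed = {headers[k] for k in ("x-online-host", "host") if k in headers}
    return bool(claimed & ZERO_RATED) and destination(method, target) not in ZERO_RATED

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, naive_is_free(raw), strict_is_free(raw), spoof_alert(raw))
```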
Once you understand the principle, it becomes easy. The first step is to set up the OpenVPN server on a VPS. For speed considerations, a domestic VPS is best.
Installing OpenVPN
Here Ubuntu 14.04 is used as an example.
First install OpenVPN and easy-rsa.
sudo apt-get -y install openvpn libssl-dev openssl easy-rsa
After the installation is complete, check the OpenVPN version.
openvpn --version
The highest version currently available in the official repository is 2.3.2. It is recommended that you remember this version number. After confirming the version is correct, we can start creating the required certificate files.
Creating the CA Certificate
First, create the easy-rsa folder under /etc/openvpn/.
sudo mkdir /etc/openvpn/easy-rsa/
Then copy all files from the /usr/share/easy-rsa/ directory to /etc/openvpn/easy-rsa/.
sudo cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
Of course, we can also create the relevant certificates directly in /usr/share/easy-rsa, but for easier certificate management later, we still placed easy-rsa in OpenVPN’s startup directory. In addition, since we are currently using the Ubuntu system, we must switch to the root user to create the relevant certificates; otherwise, easy-rsa will report an error. If it is a CentOS system, this issue does not exist.
sudo su
Before starting to create the CA certificate, we also need to edit the vars file.
sudo vi /etc/openvpn/easy-rsa/vars
export KEY_COUNTRY="CN"    # Country
export KEY_PROVINCE="BJ"    # Province
export KEY_CITY="Beijing"    # City
export KEY_ORG="Random"    # Organization
export KEY_EMAIL="[email protected]"    # Your email
export KEY_OU="Tink"    # Name
export KEY_NAME="vpntink"
The vars file is mainly used to set the organizational information related to the certificate. The specific content can be modified according to your actual situation. In particular, remember export KEY_NAME="vpntink", because we will use it below when creating the server-side certificate.
Then use the source vars command to make it take effect.
source vars
Start creating the CA certificate.
./clean-all    # Running the clean-all command will delete the keys folder in the current directory.
./build-ca
Just keep pressing Enter all the way. After it is finished, we can check the keys directory.
ll keys/
If the above operations were performed correctly, you should be able to see that two files, ca.crt and ca.key, have already been generated. Among them, ca.crt is the CA certificate we need. At this point, the CA certificate has been created. Now copy the ca.crt file of that CA certificate to OpenVPN’s startup directory, /etc/openvpn.
cp keys/ca.crt /etc/openvpn/
Create the Server certificate
After creating the CA certificate, we can now start creating the Server certificate.
./build-key-server vpntink    # Here, vpntink is the KEY_NAME set in the vars file earlier
ll keys/
Just keep pressing Enter all the way. If everything above was done correctly, you should see three generated files: vpntink.crt, vpntink.key, and vpntink.csr. Among them, vpntink.crt and vpntink.key are the two files we need. Next, generate the Diffie-Hellman file for the server’s encryption key exchange.
./build-dh
ll keys/
Just keep pressing Enter all the way. Under normal circumstances, you should see that the dh2048.pem file has been generated.
After completing the above steps, copy vpntink.crt, vpntink.key, and dh2048.pem to the /etc/openvpn/ directory.
cp keys/vpntink.crt keys/vpntink.key keys/dh2048.pem /etc/openvpn/
At this point, the Server certificate has been created.
Create the Client certificate
After creating the Server certificate, we can now start creating the Client certificate.
./build-key tinksvpn
ll keys/
Just keep pressing Enter all the way through. In the command above, tinksvpn is the name of the client certificate. This can be customized.
Under normal circumstances, you should see that the three files tinksvpn.csr, tinksvpn.crt, and tinksvpn.key have been generated. Of these, the two files tinksvpn.crt and tinksvpn.key are the ones we need to use.
At this point, the client-side certificate has been created.
Configure the Server Side
After all certificates have been created, we can now start configuring the server side. The files required for configuring the server side can be copied from the templates that come with openvpn.
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
cd /etc/openvpn/
gzip -d server.conf.gz
Now let’s modify the server.conf file. Below is my server-side configuration (key lines only).
vi /etc/openvpn/server.conf
port 1194
proto tcp
dev tun
ca ca.crt
cert vpntink.crt
key vpntink.key
dh dh2048.pem
server 10.18.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 114.114.115.115"
duplicate-cn
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
Next, configure traffic forwarding.
iptables -t nat -A POSTROUTING -s 10.18.0.0/24 -o eth0 -j MASQUERADE    # change eth0 to match your network interface
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p    # apply the forwarding setting now instead of at the next reboot
After modifying the configuration file, we can try starting OpenVPN.
/etc/init.d/openvpn start
If there are no errors, then the server side is already OK.
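A check worth running against the server.conf above before exposing the port, as an added example that is not part of the original article. It flags the directives in that configuration that weaken an OpenVPN 2.3 server. The sample text is a constructed copy of the key lines, and the function names are assumptions.

```python
import re

# Constructed sample: key lines of the server.conf shown above.
SAMPLE_CONF = """\
port 1194
proto tcp
dev tun
ca ca.crt
cert vpntink.crt
key vpntink.key
dh dh2048.pem
server 10.18.0.0 255.255.255.0
duplicate-cn
comp-lzo
"""

def directives(text):
    """Map each directive name to its argument lists, skipping comments."""
    found = {}
    for line in text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            found.setdefault(name, []).append(args)
    return found

def audit(text):
    """Return (directive, reason) findings for a server config."""
    d = directives(text)
    findings = []
    if "duplicate-cn" in d:
        findings.append(("duplicate-cn", "one copied client key serves any number "
                         "of simultaneous clients, so a leak is hard to notice"))
    if "comp-lzo" in d or "compress" in d:
        findings.append(("compression", "compress-then-encrypt leaks plaintext "
                         "through packet length (VORACLE)"))
    if not ({"tls-auth", "tls-crypt"} & d.keys()):
        findings.append(("tls-auth", "no HMAC on the control channel, so the "
                         "port answers unauthenticated TLS handshakes"))
    if "cipher" not in d:
        findings.append(("cipher", "OpenVPN 2.3 defaults to BF-CBC, a 64-bit "
                         "block cipher exposed to SWEET32"))
    if "crl-verify" not in d:
        findings.append(("crl-verify", "a lost client certificate cannot be revoked"))
    return findings

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_CONF):
        print(f"{name}: {reason}")
```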
Configure the Client Side
Use any method to copy these three files to your local computer, for example by starting a temporary web service with python, or transferring them back with scp.
/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/tinksvpn.crt
/etc/openvpn/easy-rsa/keys/tinksvpn.key
Open these three files separately with Notepad, then create a new client.ovpn with the following content.
client
dev tun
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
remote server IP 1194
<ca>
Copy the contents of ca.crt here
</ca>
<cert>
Copy the contents of tinksvpn.crt here
</cert>
<key>
Copy the contents of tinksvpn.key here
</key>
########Free Internet Code########
http-proxy-option EXT1 "POST http://rd.go.10086.cn"
http-proxy-option EXT1 "GET http://rd.go.10086.cn"
http-proxy-option EXT1 "X-Online-Host: rd.go.10086.cn"
http-proxy-option EXT1 "POST http://rd.go.10086.cn"
http-proxy-option EXT1 "X-Online-Host: rd.go.10086.cn"
http-proxy-option EXT1 "POST http://rd.go.10086.cn"
http-proxy-option EXT1 "Host: rd.go.10086.cn"
http-proxy-option EXT1 "GET http://rd.go.10086.cn"
http-proxy-option EXT1 "Host: rd.go.10086.cn"
http-proxy 10.0.0.172 80
########Free Internet Code########
You need to change the server IP to your own server IP, and the contents of ca, cert, and key need to be completely copied from the three files above. Free Internet codes vary by region and carrier, so you need to keep testing to find the one that works best for your area.
Below are some commonly used Free Internet codes.
#China Unicom
http-proxy-retry
http-proxy 10.0.0.172 80
http-proxy-option EXT1 "X-Online-Host: wap.10010.com"
http-proxy-option EXT2 "Host: wap.10010.com"
#China Telecom
http-proxy-retry
http-proxy 10.0.0.200 80
http-proxy-option EXT1 "X-Online-Host: ltetp.tv189.com"
http-proxy-option EXT2 "Host: ltetp.tv189.com"
#Mobile – Default
http-proxy-retry
http-proxy 10.0.0.172 80
http-proxy-option EXT1 "POST http://rd.go.10086.cn"
http-proxy-option EXT1 "GET http://rd.go.10086.cn"
http-proxy-option EXT1 "X-Online-Host: rd.go.10086.cn"
http-proxy-option EXT1 "POST http://rd.go.10086.cn"
http-proxy-option EXT1 "X-Online-Host: rd.go.10086.cn"
http-proxy-option EXT1 "POST http://rd.go.10086.cn"
http-proxy-option EXT1 "Host: rd.go.10086.cn"
http-proxy-option EXT1 "GET http://rd.go.10086.cn"
http-proxy-option EXT1 "Host: rd.go.10086.cn"
#Mobile – MMS
http-proxy-retry
http-proxy 10.0.0.172 80
http-proxy-option EXT1 "POST http://mmsc.monternet.com"
http-proxy-option EXT1 "GET http://mmsc.monternet.com"
http-proxy-option EXT1 "X-Online-Host: mmsc.monternet.com"
http-proxy-option EXT1 "CMCC: mmsc.monternet.com"
At this point, the Client-side configuration file is complete.
Finally, you need to download and install the Android or iOS version of OpenVPN on your phone (the iOS version requires a US Apple ID), then import this client.ovpn into your phone, open it with OpenVPN, and connect.
Zero-Rating Verification and Speed Test
Mobile internet speed depends on two factors: one is your current mobile network, such as 3G/4G; the other is the uplink bandwidth of your VPS. Since my OpenVPN server is running on the NAS at home, it is limited by my home uplink bandwidth, with a maximum of only 20MBps. The image below shows a test under 3G, because there is no China Unicom 4G signal at my home…
The image below shows the detailed internet usage query after zero-rating worked successfully:
China Telecom (entries marked with “iTing” indicate the zero-rating effect)
China Unicom (China Unicom works better here; basically everything is zero-rated)