How to set up OpenVPN Server using tunnelblicks xor patch


Not sure if this appropriate for this forum but I haven’t shared this since writing it, hopefully, it will help someone.

I am a US expat living in a country that recently switched to using DPI to block OpenVPN and many other protocols. After searching for a couple of weeks, I could not find an easy to follow guide for setting up an OpenVPN server using the xor patch. Therefore, this guide intends to provide that. These are what I think are the least number of steps for setting up an Ubuntu 16.04 server.

NOTE I take the easy button a lot in this guide.

First thing is you will need a server of some type either dedicated or VPS. I choose as my VPS provider because of the unlimited bandwidth, as I intend to run my VPN for my entire network on my firewall.

  1. Setup, a fresh VPS, using Ubuntu 16.04.
  2. SSH into server

NOTE All of the commands below will be entered as root. If you dint SSH in as root then use $ sudo –s to make your life easier with commands.

  1. apt update

  2. apt upgrade

  3. Now we need to install a patched version of OpenVPN. Either building from source or installing a precompiled .deb file. This guide will utilize precompiled deb files from

apt-get update && apt-get build-dep openvpn -y

wget --no-check-cert

dpkg -i openvpn_2.4.4-xenial0_amd64.deb

  1. The next step is to generate keys, certs, and configure the OpenVPN server. Again, we are going to take the easy button, and use and OpenVPN-install bash script. I prefer


chmod +x


Change the options as you like for your openvpn server, if you have no clue what any of it means then use the defaults when prompted.

  1. Next step we need to do is add a line to the server.conf file to enable the scramble options.

nano /etc/openvpn/server.conf

Add the following line to the file
scramble obfuscate password

Replace password with the password of your choice make sure you remember or copy the password you use as you will need to add the same line to the client ovpn file later.

  1. /etc/init.d/openvpn restart

  2. Now we will add the same line to the client.ovpn file that was created with the bash script.

nano ~/client.ovpn

Add the following to the file
NOTE This should be the same password that you used in the last step.

scramble obfuscate password

  1. The only thing left to do is to use your preferred method for pulling the client.ovpn file from the server. My method is to use FileZilla to connect to the server via SFTP with port 22 and pull the file that way. Once you have the file you can configure your preferred client can connect to your new scrambled OpenVPN server.