Protect your personal Internet Traffic with a VPN Provider on your Home Linux Server (with auto check and reconnect shell script)
The Goal:
I will not explain in detail what the benefit of a VPN (Virtual Private Network) is; a quick search on the Internet will easily answer that question :)
Anonymity, confidentiality, accessing Internet services blocked in your own country, protecting your Internet traffic from being inspected by anyone, even your ISP... There may be thousands of good reasons to need a personal VPN!
Please do not hesitate to comment if you like it, hate it... or if you see any error or required update! :-)
What you need:
First of all, you need a VPN provider.
You will find many provider offers on the Internet. Make sure enough servers and countries are provided and, if you plan to use it on a Linux home server, that the OpenVPN protocol is supported. (PPTP or L2TP may also be offered, but I do not recommend them; PPTP in particular is cryptographically broken.)
A quick Google search will show you what is available; I would personally recommend:
- HideMyAss (my great favourite: serious, stable and fast! =)
Step 1: Prepare your system
First, you need to install OpenVPN; the package pulls in the additional requirements it needs.
On Debian and derived (Ubuntu...) systems, this is simply done with:
sudo apt-get install openvpn
Step 2: Get your VPN provider configuration files
You will have to follow your provider's specific howto to get the needed configuration files.
In the case of HideMyAss, for example, you can choose between TCP and UDP configurations. I advise you to choose UDP: tunnelling TCP inside TCP performs badly as soon as packets are lost, so with UDP you can expect better inbound and outbound rates.
For HideMyAss, I recommend their nice Wiki page:
and their Linux-specific page:
Step 3: Initiate your first connection
- In "/etc/openvpn" create a text file "passwd.txt" that contains your credentials on 2 lines: the username on the first line and the password on the second (this is the layout OpenVPN expects for auth-user-pass).
This file contains your password in clear text, and OpenVPN cannot use a hashed value here because the password itself is sent to the provider at login. So make the file root-owned and unreadable by anyone else (chmod 600 /etc/openvpn/passwd.txt).
- For HideMyAss (and probably any provider), extract all the configuration files (including the certificate files) to /etc/openvpn.
- Prepare each OpenVPN configuration file to reference your password file:
cd /etc/openvpn
for i in *.ovpn; do echo "" >> "$i" && echo "auth-user-pass /etc/openvpn/passwd.txt" >> "$i"; done
NB: OpenVPN now reads the credentials from that file, so you will not be prompted for them when connecting.
- Choose a country configuration file and create a symbolic link to it named openvpn.conf (the Debian init script starts every *.conf found in /etc/openvpn):
ln -s NL.ROTTERDAM4-UDP.ovpn openvpn.conf
- Initiate the connection:
sudo /etc/init.d/openvpn start
- Check connection status:
If your connection is functional, ifconfig should show a new device called "tun0":
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.200.5.1  P-t-P:10.200.5.1  Mask:255.255.252.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:19 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:6751 (6.7 KB)  TX bytes:10242 (10.2 KB)
- Test your Internet access (for instance, check that your public IP address now belongs to the VPN provider rather than to your ISP).
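Here is an added example (not the page's own command sequence) that does the preparation part of Step 3 in one idempotent script: it writes passwd.txt in the two-line layout OpenVPN expects with root-only permissions, reads the password from stdin so it does not land in the shell history or in the process list, and rewrites an existing auth-user-pass line instead of appending a duplicate each time it is run. CONF_DIR, PASS_FILE and the script name are assumptions; the defaults match the /etc/openvpn layout above.

```shell
#!/bin/bash
# Added example for Step 3: prepare /etc/openvpn for unattended connections.
# This is not the page's own command sequence. CONF_DIR and PASS_FILE are
# assumptions matching the page's layout; override them to try it elsewhere.

CONF_DIR="${CONF_DIR:-/etc/openvpn}"
PASS_FILE="${PASS_FILE:-$CONF_DIR/passwd.txt}"

# Write the credential file in the layout OpenVPN expects for
# auth-user-pass: username on line 1, password on line 2. The password is
# read from stdin rather than taken as an argument so it never shows up in
# "ps" or in the shell history, and the file is created root-only (0600).
write_pass_file() {
    local user="$1" pass
    IFS= read -r pass
    (umask 077 && printf '%s\n%s\n' "$user" "$pass" > "$PASS_FILE")
    chmod 600 "$PASS_FILE"
}

# Point one .ovpn at the credential file. Idempotent: an existing
# auth-user-pass line (bare, or pointing elsewhere) is rewritten in place;
# otherwise the directive is appended once. Re-running never duplicates it,
# unlike a plain ">>" loop.
add_auth_directive() {
    local conf="$1"
    if grep -q '^auth-user-pass' "$conf"; then
        sed "s|^auth-user-pass.*|auth-user-pass $PASS_FILE|" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf '\nauth-user-pass %s\n' "$PASS_FILE" >> "$conf"
    fi
}

# Number of auth-user-pass lines in a config (exactly 1 after preparation).
count_auth_lines() {
    grep -c '^auth-user-pass' "$1" || true
}

# Apply to every provider config in CONF_DIR.
prepare_all() {
    local f
    for f in "$CONF_DIR"/*.ovpn; do
        [ -e "$f" ] || continue
        add_auth_directive "$f"
    done
}

# Usage (as root): printf '%s\n' "$PASSWORD" | ./prepare_openvpn.sh USERNAME
if [ -n "${1:-}" ]; then
    write_pass_file "$1"
    prepare_all
fi
```

Provider configs often already carry a bare auth-user-pass line (which makes OpenVPN prompt interactively); the sed branch turns that into a path instead of leaving two directives in the file.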
Step 4: Implement auto connection check and auto reconnect
These two scripts automatically start the VPN connection, check that it is working by sending an ICMP echo request to google.com and, if that fails, stop it and try to reconnect.
- Copy "watch_openvpn" to /etc/init.d/watch_openvpn
- Set the correct owner and permissions:
sudo chown root:root /etc/init.d/watch_openvpn
sudo chmod 755 /etc/init.d/watch_openvpn
- Copy watch_vpn.sh to /etc/openvpn/watch_vpn.sh
- Set the correct owner and permissions:
sudo chown root:root /etc/openvpn/watch_vpn.sh
sudo chmod 755 /etc/openvpn/watch_vpn.sh
- Add it to run levels:
sudo update-rc.d watch_openvpn defaults
- Add some alias to manage your connection:
Edit ~/.bashrc and add:
alias vpnstart="sudo /etc/init.d/watch_openvpn start_vpn"
alias vpnstop="sudo /etc/init.d/watch_openvpn stop_vpn"
alias vpnstatus="sudo /etc/init.d/watch_openvpn status_vpn"
alias watchstart="sudo /etc/init.d/watch_openvpn start"
alias watchstop="sudo /etc/init.d/watch_openvpn stop"
alias watchstatus="sudo /etc/init.d/watch_openvpn status"
- Optional: allow your user to manage the VPN connection without typing the sudo password:
Add the following line to /etc/sudoers (edit it with visudo), adapting your username:
user ALL=(ALL) NOPASSWD: /etc/init.d/watch_openvpn *
The trailing wildcard accepts any argument, so keep the script owned by root and not writable by that user (as set above); otherwise the user could edit it and run arbitrary commands as root.
The log file will be available in /var/log/openvpn.log
Do not hesitate to adapt these scripts to your needs!
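The watchdog scripts themselves are not reproduced on this page, so here is an added example of the check-and-reconnect loop described in this step; it is not the original watch_vpn.sh. It assumes the tun0 device and the /etc/init.d/openvpn script from Step 3, probes google.com with one ICMP echo bound to the tunnel, and only restarts OpenVPN after MAX_FAIL consecutive failures so that a single lost packet does not tear the tunnel down. Device name, probe host, thresholds and log path are assumptions exposed as overridable variables.

```shell
#!/bin/bash
# watch_vpn.sh - added example of the watchdog loop described above.
# This is not the page's own watch_vpn.sh; the paths and defaults below are
# assumptions you adapt to your setup (tun0 as on the page, the openvpn init
# script from Step 3, google.com as the ICMP probe target).

IFACE="${IFACE:-tun0}"                 # tunnel device created by OpenVPN
PROBE_HOST="${PROBE_HOST:-google.com}" # host to ping through the tunnel
INTERVAL="${INTERVAL:-60}"             # seconds between two checks
MAX_FAIL="${MAX_FAIL:-3}"              # consecutive failures before reconnecting
LOG="${LOG:-/var/log/openvpn.log}"
OPENVPN_INIT="${OPENVPN_INIT:-/etc/init.d/openvpn}"
# The probe is one ICMP echo bound to the tunnel interface. It is a variable
# so the decision logic can be exercised without a real tunnel.
PROBE_CMD="${PROBE_CMD:-ping -c 1 -W 5 -I $IFACE $PROBE_HOST}"
FAIL_COUNT=0

log() {
    printf '%s watch_vpn: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"
}

# 0 if the tunnel device currently exists (OpenVPN removes it when it dies).
iface_present() {
    grep -q "^ *$IFACE:" /proc/net/dev
}

# 0 if one echo request through the tunnel is answered.
probe_ok() {
    $PROBE_CMD > /dev/null 2>&1
}

# One watchdog iteration. Returns 0 when the tunnel is healthy, 1 when a
# probe failed but the threshold is not reached yet, 2 when MAX_FAIL
# consecutive probes failed and the tunnel must be restarted.
check_once() {
    if iface_present && probe_ok; then
        FAIL_COUNT=0
        return 0
    fi
    FAIL_COUNT=$((FAIL_COUNT + 1))
    if [ "$FAIL_COUNT" -ge "$MAX_FAIL" ]; then
        FAIL_COUNT=0
        return 2
    fi
    return 1
}

# Stop and start OpenVPN; openvpn.conf (the symlink from Step 3) decides
# which server is used, so this reconnects to the same server.
restart_vpn() {
    log "tunnel $IFACE unhealthy, restarting openvpn"
    "$OPENVPN_INIT" stop
    sleep 2
    "$OPENVPN_INIT" start
}

watch_loop() {
    log "watchdog started (probe $PROBE_HOST via $IFACE every ${INTERVAL}s)"
    while true; do
        check_once
        case $? in
            1) log "probe failed ($FAIL_COUNT/$MAX_FAIL)" ;;
            2) restart_vpn ;;
        esac
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked as "watch_vpn.sh run", so the functions
# can also be sourced and tested on their own.
if [ "${1:-}" = "run" ]; then
    watch_loop
fi
```

Run it as root with `watch_vpn.sh run` from the init script. Checking for the device in /proc/net/dev catches the case where the openvpn process has died (the device disappears with it), while the ping catches a tunnel that is up but no longer passing traffic. Because the probe target is a DNS name, a broken resolver also counts as a failure, which is usually what you want on a box whose only Internet path is the tunnel.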
FAQ, issues and advices:
Be aware that once the tunnel is up the provider pushes a default route through it, so all your outgoing Internet traffic is routed into the VPN. Replies to connections that arrive on your ISP link (any service port you have forwarded to the server) are then sent back through the tunnel instead of the ISP link, and those connections simply hang.
- When my Linux home server is connected to my VPN, I can no longer access any hosted service (e.g. SSH remote access, web traffic, etc.)!
There is no "easy" solution. In my opinion the best option is to create a virtual machine on your host (using VirtualBox, for example) with a bridged network connection. (The other approach is source-based policy routing with ip rule, so that replies to connections received on the LAN interface leave via the ISP link rather than the tunnel, but that is outside the scope of this howto.)
Your virtual machine is seen as a normal host on the network, so any outside connection is correctly routed to it.
Moreover, this improves your security: nothing from outside connects directly to your server, and the exposed services are jailed inside the virtual host.
You can then use the virtual host as an SSH gateway and finally connect to your real host.
Also, if you need to host any web service, you can simply use Apache as a reverse proxy (on your virtual host) that forwards requests to your physical host.
Example of an Apache reverse proxy configuration with SSL (Apache 2.2 syntax; on Apache 2.4 replace the Order/Allow lines with "Require all granted"). Keep ProxyRequests Off: with it on, the virtual host would become an open forward proxy.
<VirtualHost *:PORT>
    ServerName XXXXXXXXXXX
    ProxyRequests Off
    ProxyVia Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / http://MY PHYSICAL HOST:PORT
    ProxyPassReverse / http://MY PHYSICAL HOST:PORT
    <Location />
        Order allow,deny
        Allow from all
        AuthName "Access Restricted"
        AuthType Basic
        AuthUserFile "/etc/apache2/.htpasswd"
        Require valid-user
    </Location>
    LogLevel info
    CustomLog /var/log/apache2/access_xxxxxx.log combined
    ErrorLog /var/log/apache2/error_xxxxxxx.log
    SSLEngine on
    SSLCertificateFile /etc/apache2/server.crt
    SSLCertificateKeyFile /etc/apache2/server.key
</VirtualHost>
- How do I find the best VPN server of my VPN provider, with the best download and upload rates?
HideMyAss provides software that can pick the best servers for you... but unfortunately not for Linux!
You can use a simple shell script that connects to each *.ovpn config file in your openvpn directory in turn, downloads a sample file and logs the download rate:
NB: Adapt it to your needs if required. Stop the watchdog first (watchstop), otherwise it will fight the script for the connection.
#!/bin/bash
# Speed test, launch as root
cd /etc/openvpn || exit 1
: > test_result.txt
for i in *.ovpn; do
    echo "Speed test using VPN server: $i"
    echo
    echo "Stopping VPN"
    /etc/init.d/watch_openvpn stop_vpn
    sleep 2
    rm -f openvpn.conf
    ln -s "$i" openvpn.conf
    echo "Starting VPN using $i"
    /etc/init.d/watch_openvpn start_vpn
    echo "sleeping 30 seconds..."
    sleep 30
    echo "Starting test!"
    echo "Testing VPN server $i:" >> test_result.txt
    wget -o /tmp/wget.tmp -O /dev/null http://cachefly.cachefly.net/10mb.test
    # wget's summary line for the saved file carries the average rate
    grep '/dev/null' /tmp/wget.tmp >> test_result.txt
    echo "Test done." >> test_result.txt
done
echo "Test terminated!"
Then compare results and make your choice :)