Thursday, June 28, 2012

VPN - Protect your personal Internet Traffic with a VPN Provider on your Home Linux Server (with auto check and reconnect shell script)


The Goal:

I will not explain in detail what the benefits of a VPN (Virtual Private Network) are; a quick search on the Internet will easily answer that question :)

Anonymity, confidentiality, accessing Internet services that are closed to your own country, protecting your Internet traffic from being inspected by anyone, even your ISP... There may be thousands of good reasons to need a personal VPN!

Please do not hesitate to comment if you like it, hate it... or see any error or update required! :-)

What you need:

First of all, you need a VPN provider.
You will find many provider offers on the Internet; make sure enough servers and countries are provided and, if you intend to use it on a Linux home server, that the OpenVPN protocol is supported (you may also use PPTP or L2TP, but I do not recommend it).

A quick Google search will show you what you are looking for; I would personally recommend:
  • vpntunnel.se
  • vyprvpn
  • hidemyass (my great favorite: serious, stable and performant!)


Step 1: Prepare your system


First, you need to install OpenVPN and its additional requirements.
On Debian and derived systems (Ubuntu...), this is simply achieved with:

sudo apt-get install openvpn

Step 2: Get your VPN provider configuration files

You will have to follow your provider's specific how-to to get the needed configuration files.

In the case of Hidemyass, for example, you will be able to choose between a TCP or a UDP configuration; I advise you to choose UDP, because of the protocol itself you can expect better inbound and outbound rates.

In the case of Hidemyass, I recommend you check their nice Wiki page:

http://wiki.hidemyass.com/Main_Page

And the specific Linux page:

http://wiki.hidemyass.com/Linux_OpenVPN

Step 3: Initiate your first connection

  • In "/etc/openvpn", create a text file "passwd.txt" that will contain your credentials on 2 lines:
login
password

This file will contain your password in clear text, and as far as I know it is not possible to hash it...

  • For Hidemyass (and probably any provider), you will have to extract all configuration files (including certificate files) to /etc/openvpn
  • Prepare each OpenVPN configuration file to include a reference to your password file:
cd /etc/openvpn
for i in *.ovpn; do printf '\nauth-user-pass /etc/openvpn/passwd.txt\n' >> "$i"; done
NB: You will then be able to connect without having to submit credentials
  • Choose a country configuration file, and create a symbolic link to openvpn.conf:
Example:
ln -s NL.ROTTERDAM4-UDP.ovpn openvpn.conf
  • Initiate the connection:
sudo /etc/init.d/openvpn start
  • Check the connection status:
If your connection is functional, you should see a new device called "tun0":

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet adr:10.200.5.1  P-t-P:10.200.5.1  Masque:255.255.252.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          Packets reçus:19 erreurs:0 :0 overruns:0 frame:0
          TX packets:38 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:100 
          Octets reçus:6751 (6.7 KB) Octets transmis:10242 (10.2 KB)
  • Test your Internet access


Step 4: Implement auto connection check and auto reconnect

These 2 scripts will automatically initiate the VPN connection, check its reliability with an ICMP request to google.com and, in case of failure, stop it and try to reconnect.
  • Copy "watch_openvpn" to /etc/init.d/watch_openvpn
  • Attribute the correct owner and rights:
sudo chown root:root /etc/init.d/watch_openvpn
sudo chmod 755 /etc/init.d/watch_openvpn
  • Copy watch_vpn.sh to /etc/openvpn/watch_vpn.sh
  • Attribute the correct owner and rights:
sudo chown root:root /etc/openvpn/watch_vpn.sh
sudo chmod 755 /etc/openvpn/watch_vpn.sh
  • Add it to the run levels:
sudo update-rc.d watch_openvpn defaults
  • Add some aliases to manage your connection:
Edit ~/.bashrc and add:

alias vpnstart="sudo /etc/init.d/watch_openvpn start_vpn"
alias vpnstop="sudo /etc/init.d/watch_openvpn stop_vpn"
alias vpnstatus="sudo /etc/init.d/watch_openvpn status_vpn"
alias watchstart="sudo /etc/init.d/watch_openvpn start"
alias watchstop="sudo /etc/init.d/watch_openvpn stop"
alias watchstatus="sudo /etc/init.d/watch_openvpn status"
  • Optional: allow your user to manage the VPN connection without providing credentials:
sudo visudo

Adapt your username and add:
user ALL=(ALL) NOPASSWD: /etc/init.d/watch_openvpn *

The log file will be available in /var/log/openvpn.log
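The post refers to watch_vpn.sh without reproducing it, so here is an added example of such a watchdog (my own code, not the author's script). It assumes the chosen .ovpn is linked at /etc/openvpn/openvpn.conf, the tunnel comes up as tun0 and /etc/init.d/openvpn start/stop controls it; the ping is bound to tun0 so a live LAN link cannot hide a dead tunnel, and a restart is only triggered after MAX_FAILS consecutive failures so that one lost packet does not bounce the connection.

```shell
#!/bin/sh
# watch_vpn.sh: keep the OpenVPN tunnel alive. Added example, not the post's script.
# Assumptions: the chosen .ovpn is linked at /etc/openvpn/openvpn.conf, the tunnel
# comes up as tun0, and /etc/init.d/openvpn start|stop controls it.
CHECK_HOST="${CHECK_HOST:-google.com}"       # host pinged through the tunnel
IFACE="${IFACE:-tun0}"
INTERVAL="${INTERVAL:-30}"                   # seconds between checks
MAX_FAILS="${MAX_FAILS:-3}"                  # consecutive failures before a restart
LOG="${LOG:-/var/log/openvpn.log}"
PING="${PING:-ping}"                         # overridable so the logic runs offline
OPENVPN_INIT="${OPENVPN_INIT:-/etc/init.d/openvpn}"
log() { printf '%s watch_vpn: %s\n' "$(date '+%F %T')" "$1" >> "$LOG"; }

# 0 when the tunnel interface exists and one ICMP echo bound to it is answered;
# binding to the interface makes sure a working LAN link cannot mask a dead tunnel.
tunnel_ok() {
    [ -d "/sys/class/net/$IFACE" ] || return 1
    "$PING" -c 1 -W 5 -I "$IFACE" "$CHECK_HOST" >/dev/null 2>&1
}
# Pure decision step: print the updated failure count given the last check result
# (0 = reachable) and return 0 when MAX_FAILS consecutive failures were reached.
tally_failures() {
    count="$1"
    if [ "$2" -eq 0 ]; then count=0; else count=$((count + 1)); fi
    echo "$count"
    [ "$count" -ge "$MAX_FAILS" ]
}
# Hard restart: stop, pause so tun0 is torn down, start again.
restart_vpn() {
    log "tunnel unreachable $MAX_FAILS times in a row, restarting OpenVPN"
    "$OPENVPN_INIT" stop >/dev/null 2>&1
    sleep 2
    "$OPENVPN_INIT" start >/dev/null 2>&1
}
watchdog() {
    fails=0
    while :; do
        tunnel_ok; rc=$?
        if fails=$(tally_failures "$fails" "$rc"); then
            restart_vpn; fails=0
        fi
        sleep "$INTERVAL"
    done
}

case "${1:-}" in
    start) [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
           log "watchdog started"; watchdog ;;
    check) if tunnel_ok; then echo "VPN up"; else echo "VPN down"; exit 1; fi ;;
esac
```

Run it as "watch_vpn.sh start" from the init script and "watch_vpn.sh check" for a one-shot status; every restart is recorded in the log file named above.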

Do not hesitate to adapt these scripts to your needs!

Enjoy :-)

FAQ, issues and advice:


  • When my Linux home server is connected to my VPN, I can't access any hosted service anymore! (e.g. SSH remote access, web traffic, etc.)

Be aware that all your outgoing Internet traffic will be routed through the VPN; that means the replies to any outside request reaching a service port you have opened on your server will be sent into the VPN tunnel and lost.

There is no "easy" solution; in my opinion the better solution is to create a virtual machine on your host (using VirtualBox, for example) that uses a bridged connection.

Your virtual machine will be considered a normal host on the network, and any outside connection will be correctly routed to your virtual host.

Moreover, this improves your security: there is no direct connection to your server anymore, and the exposed services are jailed in a virtual host.

You will be able to use your virtual host as an SSH gateway and from there connect to your real host.

Also, if you need to host any web service, you can simply use Apache as a reverse proxy (on your virtual host) that forwards requests to your physical host.

Example of an Apache reverse proxy configuration with SSL:
<VirtualHost *:PORT>
  ServerName XXXXXXXXXXX
  ProxyRequests Off
  ProxyVia Off
    <Proxy *>
     Order deny,allow
     Allow from all
    </Proxy>
  ProxyPass / http://MY PHYSICAL HOST:PORT
  ProxyPassReverse / http://MY PHYSICAL HOST:PORT
  <Location />
    Order allow,deny
    Allow from all
    AuthName "Access Restricted"
    AuthType Basic
    AuthUserFile "/etc/apache2/.htpasswd"
    Require valid-user
  </Location>
  LogLevel info
  CustomLog /var/log/apache2/access_xxxxxx.log combined
  ErrorLog /var/log/apache2/error_xxxxxxx.log
  SSLEngine on
  SSLCertificateFile /etc/apache2/server.crt
  SSLCertificateKeyFile /etc/apache2/server.key
</VirtualHost>

  • How to find the best VPN server of my VPN provider, with the best download and upload rates?
Hidemyass provides software able to pick the best servers for you... but unfortunately not for Linux!

You can use a simple shell script that connects to each *.ovpn config file in your openvpn directory, then downloads a sample file and logs the download rate:

NB: Adapt it to your needs if required

#!/bin/bash
# Speed test, launch as root

cd /etc/openvpn || exit 1

> test_result.txt

for i in *.ovpn; do

  echo "Speed test using VPN server: $i"
  echo

  echo "Stopping VPN"
  /etc/init.d/watch_openvpn stop_vpn
  sleep 2
  rm -f openvpn.conf
  ln -s "$i" openvpn.conf

  echo "Starting VPN using $i"
  /etc/init.d/watch_openvpn start_vpn
  echo "sleeping 30 seconds so the tunnel can come up..."
  sleep 30

  echo "Starting test!"
  echo "Testing VPN server $i:" >> test_result.txt
  # -o sends wget's own log to a file; its "/dev/null saved" line carries the rate
  wget -o /tmp/wget.tmp -O /dev/null http://cachefly.cachefly.net/10mb.test
  grep '/dev/null' /tmp/wget.tmp >> test_result.txt
  echo "Test done." >> test_result.txt

done

echo "Test terminated!"

Then compare results and make your choice :)