Thursday, June 28, 2012

VPN - Protect your personal Internet Traffic with a VPN Provider on your Home Linux Server (with auto check and reconnect shell script)

Protect your personal Internet Traffic with a VPN Provider on your Home Linux Server (with auto check and reconnect shell script)

The Goal:

I will not explain in details what's the benefit of a VPN (Virtual Private Network), a quick search on the Internet will easily answer to that question :)

Anonymity, confidentiality, accessing to Internet services closed to your own country, protecting your Internet traffic from being inspected by anyone or even your ISP... There may be thousands of good reasons to need a personal VPN !

Please do not hesitate to comment if you like, hate... or see any error, update required ! :-) 

What you need:

First of all, you need a VPN provider.
You will find a lot of provider offers on Internet, ensure enough servers and countries are provided and also if you expect to use on a Linux Home server, ensure openvpn protocol is provided. (you may also use pptp or l2tp but i not recommend it)

Take a look on quick google research and you will what you look for, i would personally recommend :
  • vpntunnel.se
  • vyprvpn
  • hidemass (my great favorite, serious, stable and performer!=)


Step 1: Prepare your system


First, you need to install openvpn and openvpn additional requirements.
On Debian and derived (Ubuntu...) systems, this will be simply achieved:

sudo apt-get install openvpn

Step 2: Get your VPN provider configuration files

You will have to follow your provider's specific Howto to get needed configuration files.

In the case of Hidemyass as for an example, you will be able to choose between TCP or UDP configuration, i advise you to choose UDP because of the protocol itself you'll be expecting better inbound and outbound rates.

In the case of hidemyass, i recommend you to check their nice Wiki page:

http://wiki.hidemyass.com/Main_Page

And specific Linux page:

http://wiki.hidemyass.com/Linux_OpenVPN

Step 3: Initiate your first connection

  • In "/etc/openvpn" create a text file "passwd.txt" that will contain credential information in 2 lines:
login
password

This file will contain your password in clear, and as far as i know it's possible to hash it...

  • For hidemyass (and probably any provider), you will have to extract all configuration files (including certificate files) to /etc/openvpn
  • Prepare each openvpn configuration file to include access to your password file:
cd /etc/openvpn
for i in `ls *.ovpn`; do echo "" >> $i && echo "auth-user-pass /etc/openvpn/passwd.txt" >> $i; done
NB: You will be able to connect without having to submit credentials
  • Choose a country configuration file, and create symbolic link to openvpn.conf:
Example:
ln -s NL.ROTTERDAM4-UDP.ovpn openvpn.conf
  • Initiate the connection:
sudo /etc/init.d/openvpn start
  • Check connection status:
If your connection is functional, you should have a new device called "tun0"

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet adr:10.200.5.1  P-t-P:10.200.5.1  Masque:255.255.252.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          Packets reçus:19 erreurs:0 :0 overruns:0 frame:0
          TX packets:38 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:100 
          Octets reçus:6751 (6.7 KB) Octets transmis:10242 (10.2 KB)
  • Test your Internet access


Step 3: Implement auto connection check and auto reconnect

These 2 scripts will automatically initiate the VPN connection, check its reliability by an icmp request to google.com, in case of failure will stop it and try to reconnect.
  • Copy "watch_openvpn" to /etc/init.d/watch_openvpn
  • Attribute correct owner and rights:
sudo chown root:root /etc/init.d/watch_openvpn
sudo chmod 755 /etc/init.d/watch_openvpn
  • Copy watch_vpn.sh to /etc/openvpn/watch_vpn.sh
  • Attribute correct owner and rights:
sudo chown root:root /etc/openvpn/watch_vpn.sh
sudo chmod 755 /etc/openvpn/watch_vpn.sh
  • Add it to run levels:
sudo update-rc.d watch_openvpn defaults
  • Add some alias to manage your connection:
Edit ~/.bashrc and add:

alias vpnstart="sudo /etc/init.d/watch_openvpn start_vpn"
alias vpnstop="sudo /etc/init.d/watch_openvpn stop_vpn"
alias vpnstatus="sudo /etc/init.d/watch_openvpn status_vpn"
alias watchstart="sudo /etc/init.d/watch_openvpn start"
alias watchstop="sudo /etc/init.d/watch_openvpn stop"
alias watchstatus="sudo /etc/init.d/watch_openvpn status"
  • Optional: allow your user to manage VPN connection without providing credentials:
sudo visudo

Adapt your username and add:
user ALL=(ALL) NOPASSWD: /etc/init.d/watch_openvpn *

Logfile will be available in /var/log/openvpn.log

Do not hesitate to adapt these scripts to your needs!

Enjoy :-)

FAQ, issues and advices:


  • When my Linux home server is connected to my VPN, i can't access anymore to any hosted service! (eg. ssh remote access, web traffic, etc...)

Be aware that all your outgoing Internet traffic will be routed to the VPN, that means that any outside request to your server to a service port you have opened will be lost in the VPN tunnel.

There is no "easy" solution, in my opinion the better solution is to create a virtual machine in your host (using Virtualbox as for an example) that will use a bridge connection.

Your virtual machine will be considered as a normal host on the network and any outside connection will be correctly routed to your virtual host.

Moreover, this will improve your security by avoiding any direct connection to your server and jailing it into a virtual host.

You will be able to use your virtual host as an SSH gateway and finally connect to your real host.

Also, if you need to host any web service, you can simply use apache as a reverse proxy (on your virtual host) that will request your physical host.

 Example of a apache reverse proxy configuration with SSL:
<VirtualHost *:PORT>
  ServerName XXXXXXXXXXX
  ProxyRequests Off
  ProxyVia Off
    <Proxy *>
     Order deny,allow
     Allow from all
    </Proxy>
  ProxyPass / http://MY PHYSICAL HOST:PORT
  ProxyPassReverse / http://MY PHYSICAL HOST:PORT
  <Location />
    Order allow,deny
    Allow from all
    AuthName "Access Restricted"
    AuthType Basic
    AuthUserFile "/etc/apache2/.htpasswd"
    Require valid-user
  </Location>
  LogLevel info
  CustomLog /var/log/apache2/access_xxxxxx.log combined
  ErrorLog /var/log/apache2/error_xxxxxxx.log
  SSLEngine on
  SSLCertificateFile /etc/apache2/server.crt
  SSLCertificateKeyFile /etc/apache2/server.key
</VirtualHost>

  • How to find the better VPN server of my VPN provider with better download and upload rates ?
Hidemyass provides a Software with the capacity to give better servers for you...but unfortunately not for Linux !

You can use a simple shell script that will connect to each *.ovpn config file in your openvpn directory, then download a sample file and log download rates:

NB: Adapt it to your needs if required

!/bin/bash
# Speed test, launch as root

cd /etc/openvpn

> test_result.txt

for i in `ls *.ovpn`; do

echo "Speed test using VPN Server : $i "
echo

echo "Stoping VPN"

/etc/init.d/watch_openvpn stop_vpn
sleep 2
rm openvpn.conf
ln -s $i openvpn.conf

echo "Starting VPN using $i"
/etc/init.d/watch_openvpn start_vpn
echo "sleeping 10 seconds..."

sleep 30

echo "Starting Test !"
echo "Testing VPN server $i :" >> test_result.txt
wget -o /tmp/wget.tmp -O /dev/null http://cachefly.cachefly.net/10mb.test
grep '/dev/null' /tmp/wget.tmp >> test_result.txt
echo "Test Done." >> test_result.txt

done

echo "Test terminated !"

Then compare results and make your choice :)

13 comments:

  1. This is EXACTLY what I have spent the last week trying to do manually... Thank you! I will play around with this tonight on a RasPi :)

    ReplyDelete
    Replies
    1. Hi, You're welcome ^^^

      My script may need some improvement, i've seen some cases where it did not seemed to work as expected.

      Therefore it globally works fine and i use it all days with no major issue.

      Let me know if you have any suggestion!

      Delete
  2. Thanks for sharing this such a great information about Personal VPN i shared this excellent information to my all facebook and twitter friends because this info helps to everyone

    ReplyDelete
  3. Greetings from Los angeles! I'm bored to tears at work so I decided to browse your site on my iphone during lunch break. I really like the info you provide here and can't wait to take a look when I get home. I'm amazed at how quick your blog loaded on my mobile .. I'm not even using WIFI, just 3G . Anyways, very good blog! Here is my blog;
    vpn service
    dedicated vpn

    ReplyDelete
    Replies
    1. Greetings from Toulouse :-) Thanks for your comment, very glad you enjoy it!

      Delete
  4. Heya i'm for the first time here. I found this board and I find It truly useful & it helped me out a lot. I hope to give
    something back and aid others like you aided me. Here is my web blog.

    SEO Service Provider
    all in one seo packages

    ReplyDelete
  5. What's Happening i am new to this, I stumbled upon this I've discovered It positively useful and it has aided me out
    loads. I hope to give a contribution & help other users like its helped me. Good job.






    Option Tips
    Intraday Tips
    Equity Tips

    ReplyDelete
  6. I'm glad I found this web site, I couldn't find any knowledge on this matter prior to.Also operate a site and if you are ever interested in doing some visitor writing for me if possible feel free to let me know, im always look for people to check out my web site. windscribe free

    ReplyDelete
  7. including reasonable comments here... tor vs vpn

    ReplyDelete
  8. Thank you a bunch for sharing this with all of us you actually realize what you are talking about! Bookmarked. Please also seek advice from my site =). We could have a hyperlink change contract between us! avast vpn torrenting

    ReplyDelete
  9. I can't recommend this site enough! The articles are well-written and insightful, covering a wide range of topics.

    ReplyDelete

Please feel free to comment ^^