VPN Setup

From Da Nerd Mage Wiki
Revision as of 15:39, 17 April 2023 by Tinker (talk | contribs) (Created page with "== Install OpenVPN == Install OpenVPN and unzip<br>* <code>sudo apt-get install openvpn unzip -y</code> == Configure OpenVPN == * [[OpenVPN Configuration - Using PIA{{!}}Using PIA]]<br>* [[OpenVPN Configuration - Using NordVPN{{!}}Using NordVPN]] == Test that the VPN is working ==<br>Start the vpn:<br>* <code>sudo openvpn --config /etc/openvpn/Sweden.ovpn --auth-user-pass /etc/openvpn/login.txt</code> Check it (in a second terminal):<br>* &lt...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Install OpenVPN

Install OpenVPN and unzip
* <code>sudo apt-get install openvpn unzip -y</code>

Configure OpenVPN

== Test that the VPN is working ==
Start the vpn:
* <code>sudo openvpn --config /etc/openvpn/Sweden.ovpn --auth-user-pass /etc/openvpn/login.txt</code>

Check it (in a second terminal):
* <code>ip a</code>

You should see at least 3 interfaces listed.  One will be <code>tun0</code>.

It should look much like this:

<pre>
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet 10.4.112.57/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::91f3:b087:4ce6:738e/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
</pre>

Verify that your public IP address is different from what your ISP thinks it is:

You can check by running the same command or browsing to whatsmyip.org from another machine on your network.

To verify that you're appearing as being in the country you've set your VPN to

(Tho, you may need to <code>sudo apt install whois</code first...)

The resulting wall-o-text will include details about where the internet thinks you are.

Autoconnect OpenVPN

Changing the exit point of your VPN

  • Edit <code>/etc/init.d/openvpnauto</code> 
    **Change the DAEMON_OPTS line
    *<code>sudo systemctl daemon-reload</code>
    *<code>sudo service openvpnauto restart</code>

Fix DNS issues by using the Google DNS servers

  • <code>echo "nameserver 8.8.8.8" | sudo tee -a /etc/resolv.conf</code>
    * <code>echo "nameserver 8.8.4.4" | sudo tee -a /etc/resolv.conf</code>

<span style="color:#8e44ad">Make the DNS changes permanent. This sets the <code>resolv.conf</code> file to immutable (i.e. unchangeable)</span>

  • <code>sudo chattr +i /etc/resolv.conf</code>

Note: PIA seems to occasionally forget to act like a VPN

When this happens, you may just want to know about it & remind them by restarting OpenVPN

Finding out if you're still protected:

Compare your public IP to that of the rest of the network

<code>wget <nowiki>http://ipinfo.io/ip</nowiki> -qO -</code>

&

<code>ssh user@othermachine 'wget <nowiki>http://ipinfo.io/ip</nowiki> -qO -'</code>

or even better

<code>sshpass -p "Password" ssh user@othermachine 'wget <nowiki>http://ipinfo.io/ip</nowiki> -qO -'</code>

or even betterer, use public key authentication

(some discussion on stack overflow)

<span style="color:#800080">Now figure out how to compare these results...</span>

Here's a nifty little shell script...

<pre>
#!/bin/bash

if nc -zw1 google.com 443
then
  echo "We have Internets..."
else
  echo "NOPE!  No Internets..."
  exit
fi

Local=$(wget http://ipinfo.io/ip -qO -)
Remote=$(sshpass -p 'PASSWORD' ssh USER@OTHERLOCALSERVER wget http://ipinfo.io/ip -qO -)

echo Local: $Local
echo Remote: $Remote

if [ $Local != $Remote ]
then
  echo "PIA is currently behaving"
  echo $(date) " - PIA is Just Fine!" >> vpnfix.log
  mosquitto_pub -h automation -t "Scotts Speaker" -m "P I A is OK"
 else
  echo "PIA is mis-behaving"
  date >> vpnfix.log
  echo $(date) " - PIA is Buggered!" >> vpnfix.log
  mosquitto_pub -h automation -t "Scotts Speaker" -m "P I A is Fucked"

  echo "Attempting repair..."
  service openvpnauto restart
fi
</pre>

Not only does it check if PIA is doing its thing, it announces the result verbally (the mosquitto... lines) and restarts openvpn (asking for a password for sudo...).  It could use a bit of improvement, but it works.

<span style="color:#9b59b6">NOTE:</span>  You have to ssh into OTHERLOCALSERVER manually first so the machine knows it's ok.

<span style="color:#9b59b6">NOTE:</span>  Ya kinda need to install <code>mosquitto-clients</code> and <code>sshpass</code> or it aint gonna work quite right...

Ideas for improvement
  • Figure out how to use the Internet connectivity check to avoid trying to announce failure & attempt repair if PIA failed because the Internet is missing.
    *Find a way to safely allow it to restart the service without asking for a password.
    *<u><span style="color:#c0392b">Then, make it run periodically from cron.</span></u>