VPN Setup
Versions referenced (column headings lost in extraction): 11 (bullseye) | 4, 5 | 20.04.3
Install OpenVPN
Install OpenVPN and unzip
sudo apt-get install openvpn unzip -y
Configure OpenVPN
Test that the VPN is working
Start the VPN (this will stay in the foreground):
sudo openvpn --config /etc/openvpn/Sweden.ovpn --auth-user-pass /etc/openvpn/login.txt
Check it (in a second terminal):
ip a
You should see at least 3 interfaces listed. One will be tun0.
It should look much like this:
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 10.4.112.57/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::91f3:b087:4ce6:738e/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
Verify that your public IP address is different from what your ISP thinks it is:
wget http://ipinfo.io/ip -qO -
You can check by running the same command or browsing to whatsmyip.org from another machine on your network.
To verify that you're appearing as being in the country you've set your VPN to:
whois `wget http://ipinfo.io/ip -qO -`
(Tho, you may need to sudo apt install whois first...)
The resulting wall-o-text will include details about where the internet thinks you are.
Autoconnect OpenVPN
Changing the exit point of your VPN
- Edit /etc/init.d/openvpnauto
- Change the DAEMON_OPTS line so it points at the .ovpn file for the new location
- Reload and restart the service:
sudo systemctl daemon-reload
sudo service openvpnauto restart
Fix DNS issues by using the Google DNS servers
echo "nameserver 8.8.8.8" | sudo tee -a /etc/resolv.conf
echo "nameserver 8.8.4.4" | sudo tee -a /etc/resolv.conf
Make the DNS changes permanent. This sets the resolv.conf file to immutable (i.e. unchangeable):
sudo chattr +i /etc/resolv.conf
Note: PIA seems to occasionally forget to act like a VPN.
When this happens, you may just want to know about it and remind them by restarting OpenVPN.
Finding out if you're still protected:
Compare your public IP to that of the rest of the network:
wget http://ipinfo.io/ip -qO -
and
ssh user@othermachine 'wget http://ipinfo.io/ip -qO -'
or even better:
sshpass -p "Password" ssh user@othermachine 'wget http://ipinfo.io/ip -qO -'
or even betterer, use public key authentication
(some discussion on stack overflow)
Now figure out how to compare these results...
Here's a nifty little shell script...
#!/bin/bash
# Bail out early if there is no Internet at all (no point blaming PIA for that)
if nc -zw1 google.com 443
then
    echo "We have Internets..."
else
    echo "NOPE! No Internets..."
    exit 1
fi
# Public IP as seen from this machine (through the VPN) and from another
# machine on the LAN (not through the VPN)
Local=$(wget http://ipinfo.io/ip -qO -)
Remote=$(sshpass -p 'PASSWORD' ssh USER@OTHERLOCALSERVER 'wget http://ipinfo.io/ip -qO -')
echo "Local: $Local"
echo "Remote: $Remote"
# Quote the variables so an empty lookup result doesn't break the test
if [ -n "$Local" ] && [ "$Local" != "$Remote" ]
then
    echo "PIA is currently behaving"
    echo "$(date) - PIA is Just Fine!" >> vpnfix.log
    mosquitto_pub -h automation -t "Scotts Speaker" -m "P I A is OK"
else
    echo "PIA is mis-behaving"
    echo "$(date) - PIA is Buggered!" >> vpnfix.log
    mosquitto_pub -h automation -t "Scotts Speaker" -m "P I A is Fucked"
    echo "Attempting repair..."
    sudo service openvpnauto restart
fi
Not only does it check if PIA is doing its thing, it announces the result verbally (the mosquitto... lines) and restarts openvpn (asking for a password for sudo...). It could use a bit of improvement, but it works.
NOTE: You have to ssh into OTHERLOCALSERVER manually first so its host key gets accepted into known_hosts.
NOTE: Ya kinda need to install mosquitto-clients and sshpass or it aint gonna work quite right...
Ideas for improvement
- Figure out how to use the Internet connectivity check to avoid trying to announce failure & attempt repair if PIA failed because the Internet is missing.
- Find a way to safely allow it to restart the service without asking for a password.
- Then, make it run periodically from cron.
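The three improvement ideas above, worked through in a reworked version of the script. This is an added example, not the original page's script: it keeps the decision logic in a function that can be tested without a network, treats "no Internet" and "lookup failed" as separate outcomes from "VPN leaking", and uses non-interactive sudo so a missing NOPASSWD rule fails cleanly instead of hanging under cron. The service name openvpnauto and the placeholder user@othermachine come from the page; the sudoers line, the user name vpnuser, and the cron schedule are assumptions.

```shell
#!/bin/bash
# Added example (not the original page's vpnfix script).
# Assumptions: the init service is still called "openvpnauto", the remote box
# is reached with key-based ssh (no sshpass), and a rule such as
#   vpnuser ALL=(root) NOPASSWD: /usr/sbin/service openvpnauto restart
# has been added with visudo ("vpnuser" is a placeholder) so the restart
# can run from cron without a password prompt.

IP_URL="http://ipinfo.io/ip"
REMOTE="user@othermachine"            # placeholder host from the page
LOG="${VPNFIX_LOG:-$HOME/vpnfix.log}"

# have_internet: succeeds when google.com:443 accepts a TCP connection.
have_internet() {
    nc -zw1 google.com 443 >/dev/null 2>&1
}

# is_ipv4 STRING: sanity check on what the IP lookup returned.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# vpn_state NET LOCAL REMOTE
# Pure decision function (idea 1): no network calls, so it can be unit tested.
#   NET    1 if the Internet is reachable, 0 if not
#   LOCAL  this machine's public IP, empty if the lookup failed
#   REMOTE another LAN machine's public IP, empty if the lookup failed
# Prints one of: offline, unknown, ok, leak
vpn_state() {
    local net="$1" local_ip="$2" remote_ip="$3"
    if [ "$net" != 1 ]; then
        echo offline      # the link is down; don't blame or restart the VPN
    elif [ -z "$local_ip" ] || [ -z "$remote_ip" ]; then
        echo unknown      # one lookup failed; not evidence either way
    elif [ "$local_ip" != "$remote_ip" ]; then
        echo ok           # we exit somewhere the rest of the LAN does not
    else
        echo leak         # same public IP as the LAN: traffic is outside the tunnel
    fi
}

log() { echo "$(date) - $*" >> "$LOG"; }

# run_check: the live check. Returns the state on stdout for the caller.
run_check() {
    local net=0 local_ip="" remote_ip="" state
    have_internet && net=1
    if [ "$net" = 1 ]; then
        local_ip=$(wget "$IP_URL" -qO -)
        # BatchMode=yes: never prompt for a password or host key under cron
        remote_ip=$(ssh -o BatchMode=yes "$REMOTE" "wget $IP_URL -qO -")
        is_ipv4 "$local_ip"  || local_ip=""
        is_ipv4 "$remote_ip" || remote_ip=""
    fi
    state=$(vpn_state "$net" "$local_ip" "$remote_ip")
    case "$state" in
        ok)      log "PIA is Just Fine! ($local_ip vs $remote_ip)" ;;
        leak)    log "PIA is Buggered! both sides see $local_ip; restarting"
                 # idea 2: -n means "never prompt"; it fails instead if the
                 # NOPASSWD rule is missing, which the log then records
                 sudo -n service openvpnauto restart \
                     || log "restart failed (sudoers rule missing?)" ;;
        offline) log "no Internet, skipping VPN check" ;;
        unknown) log "could not determine both public IPs" ;;
    esac
    echo "$state"
}

# idea 3: only perform the live check when invoked with --run, e.g. from cron:
#   */10 * * * * /usr/local/bin/vpncheck.sh --run
if [ "${1:-}" = "--run" ]; then
    run_check
fi
```

Save it somewhere on the PATH, make it executable, and run it once by hand with --run before adding the cron line; the first manual run is also when the remote host's key gets accepted into known_hosts, since BatchMode refuses to prompt for it later.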