Difference between revisions of "VPN Setup"
Jump to navigation
Jump to search
(Created page with "== Install OpenVPN == Install OpenVPN and unzip<br>* <code>sudo apt-get install openvpn unzip -y</code> == Configure OpenVPN == * [[OpenVPN Configuration - Using PIA{{!}}Using PIA]]<br>* [[OpenVPN Configuration - Using NordVPN{{!}}Using NordVPN]] == Test that the VPN is working ==<br>Start the vpn:<br>* <code>sudo openvpn --config /etc/openvpn/Sweden.ovpn --auth-user-pass /etc/openvpn/login.txt</code> Check it (in a second terminal):<br>* <...") |
|||
| Line 1: | Line 1: | ||
== Install OpenVPN == | == Install OpenVPN == | ||
Install OpenVPN and unzip< | Install OpenVPN and unzip | ||
* <code>sudo apt-get install openvpn unzip -y</code> | |||
== Configure OpenVPN == | == Configure OpenVPN == | ||
* [[OpenVPN Configuration - Using PIA | * [[OpenVPN Configuration - Using PIA|Using PIA]] | ||
* [[OpenVPN Configuration - Using NordVPN|Using NordVPN]] | |||
== Test that the VPN is working == | == Test that the VPN is working == | ||
Start the vpn: | |||
* <code>sudo openvpn --config /etc/openvpn/Sweden.ovpn --auth-user-pass /etc/openvpn/login.txt</code> | |||
Check it (in a second terminal):< | Check it (in a second terminal): | ||
* <code>ip a</code> | |||
You should see at least 3 interfaces listed. | You should see at least 3 interfaces listed. One will be <code>tun0</code>. | ||
It should look much like this: | It should look much like this: | ||
<pre> | |||
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500 | |||
link/none | |||
inet 10.4.112.57/24 scope global tun0 | |||
valid_lft forever preferred_lft forever | |||
inet6 fe80::91f3:b087:4ce6:738e/64 scope link stable-privacy | |||
valid_lft forever preferred_lft forever | |||
</pre> | |||
Verify that your public IP address is different from what your ISP thinks it is: | Verify that your public IP address is different from what your ISP thinks it is: | ||
* | * <code>wget <nowiki>http://ipinfo.io/ip</nowiki> -qO -</code> | ||
You can check by running the same command or browsing to [http://whatsmyip.org whatsmyip.org] from another machine on your network. | You can check by running the same command or browsing to [http://whatsmyip.org whatsmyip.org] from another machine on your network. | ||
| Line 25: | Line 37: | ||
To verify that you're appearing as being in the country you've set your VPN to | To verify that you're appearing as being in the country you've set your VPN to | ||
* | * <code>whois `wget <nowiki>http://ipinfo.io/ip</nowiki> -qO -`</code> | ||
(Tho, you may need to | (Tho, you may need to <code>sudo apt install whois</code first...) | ||
The resulting wall-o-text will include details about where the internet thinks you are. | The resulting wall-o-text will include details about where the internet thinks you are. | ||
| Line 33: | Line 45: | ||
== Autoconnect OpenVPN == | == Autoconnect OpenVPN == | ||
* [[OpenVPN Autoconnect - Using PIA | * [[OpenVPN Autoconnect - Using PIA|Using PIA]] | ||
* [[OpenVPN Autoconnect - Using NordVPN|Using NordVPN]] | |||
== Changing the exit point of your VPN == | == Changing the exit point of your VPN == | ||
*Edit | *Edit <code>/etc/init.d/openvpnauto</code> | ||
**Change the '''DAEMON_OPTS''' line | |||
*<code>sudo systemctl daemon-reload</code> | |||
*<code>sudo service openvpnauto restart</code> | |||
== Fix DNS issues by using the Google DNS servers == | == Fix DNS issues by using the Google DNS servers == | ||
* | * <code>echo "nameserver 8.8.8.8" | sudo tee -a /etc/resolv.conf</code> | ||
* <code>echo "nameserver 8.8.4.4" | sudo tee -a /etc/resolv.conf</code> | |||
<span style="color:#8e44ad">Make the DNS changes permanent. This sets the <code>resolv.conf</code> file to immutable (i.e. unchangeable)</span> | |||
* | * <code>sudo chattr +i /etc/resolv.conf</code> | ||
== Note: PIA seems to occasionally forget to act like a VPN == | == Note: PIA seems to occasionally forget to act like a VPN == | ||
| Line 55: | Line 72: | ||
Compare your public IP to that of the rest of the network | Compare your public IP to that of the rest of the network | ||
<code>wget <nowiki>http://ipinfo.io/ip</nowiki> -qO -</code> | |||
& | & | ||
<code>ssh user@othermachine 'wget <nowiki>http://ipinfo.io/ip</nowiki> -qO -'</code> | |||
or even better | or even better | ||
<code>sshpass -p "Password" ssh user@othermachine 'wget <nowiki>http://ipinfo.io/ip</nowiki> -qO -'</code> | |||
or even betterer, [https://help.ubuntu.com/community/SSH/OpenSSH/Keys use public key authentication] | or even betterer, [https://help.ubuntu.com/community/SSH/OpenSSH/Keys use public key authentication] | ||
| Line 69: | Line 86: | ||
([https://stackoverflow.com/questions/12202587/automatically-enter-ssh-password-with-script/12202672#12202672 some discussion on stack overflow]) | ([https://stackoverflow.com/questions/12202587/automatically-enter-ssh-password-with-script/12202672#12202672 some discussion on stack overflow]) | ||
<span style="color:#800080">Now figure out how to compare these results...</span> | |||
=== Here's a nifty little shell script... === | === Here's a nifty little shell script... === | ||
<pre> | |||
#!/bin/bash | |||
if nc -zw1 google.com 443 | if nc -zw1 google.com 443 | ||
then | |||
echo "We have Internets..." | |||
else | |||
echo "NOPE! No Internets..." | |||
exit | |||
fi | |||
Local=$(wget http://ipinfo.io/ip -qO -) | Local=$(wget http://ipinfo.io/ip -qO -) | ||
Remote=$(sshpass -p 'PASSWORD' ssh USER@OTHERLOCALSERVER wget http://ipinfo.io/ip -qO -) | |||
echo Local: $Local | echo Local: $Local | ||
echo Remote: $Remote | |||
if [ $Local != $Remote ] | if [ $Local != $Remote ] | ||
then | |||
echo "PIA is currently behaving" | |||
echo $(date) " - PIA is Just Fine!" >> vpnfix.log | |||
mosquitto_pub -h automation -t "Scotts Speaker" -m "P I A is OK" | |||
else | |||
echo "PIA is mis-behaving" | |||
date >> vpnfix.log | |||
echo $(date) " - PIA is Buggered!" >> vpnfix.log | |||
mosquitto_pub -h automation -t "Scotts Speaker" -m "P I A is Fucked" | |||
echo "Attempting repair..." | |||
service openvpnauto restart | |||
fi | |||
</pre> | |||
Not only does it check if PIA is doing its thing, it announces the result verbally (the '''mosquitto...''' lines) and restarts openvpn (asking for a password for sudo...). It could use a bit of improvement, but it works. | Not only does it check if PIA is doing its thing, it announces the result verbally (the '''mosquitto...''' lines) and restarts openvpn (asking for a password for sudo...). It could use a bit of improvement, but it works. | ||
<span style="color:#9b59b6">'''NOTE:'''</span> You have to ssh into OTHERLOCALSERVER manually first so the machine knows it's ok. | |||
<span style="color:#9b59b6">'''NOTE:'''</span> Ya kinda need to install <code>mosquitto-clients</code> and <code>sshpass</code> or it aint gonna work quite right... | |||
=====Ideas for improvement===== | =====Ideas for improvement===== | ||
*Figure out how to use the Internet connectivity check to avoid trying to announce failure & attempt repair if PIA failed because the Internet is missing. | *Figure out how to use the Internet connectivity check to avoid trying to announce failure & attempt repair if PIA failed because the Internet is missing. | ||
*Find a way to safely allow it to restart the service without asking for a password. | |||
*''<u>'''<span style="color:#c0392b">Then, make it run periodically from cron.</span>'''</u>'' | |||
Revision as of 16:40, 17 April 2023
Install OpenVPN
Install OpenVPN and unzip
sudo apt-get install openvpn unzip -y
Configure OpenVPN
Test that the VPN is working
Start the vpn:
sudo openvpn --config /etc/openvpn/Sweden.ovpn --auth-user-pass /etc/openvpn/login.txt
Check it (in a second terminal):
ip a
You should see at least 3 interfaces listed. One will be tun0.
It should look much like this:
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
link/none
inet 10.4.112.57/24 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::91f3:b087:4ce6:738e/64 scope link stable-privacy
valid_lft forever preferred_lft forever
Verify that your public IP address is different from what your ISP thinks it is:
wget http://ipinfo.io/ip -qO -
You can check by running the same command or browsing to whatsmyip.org from another machine on your network.
To verify that you're appearing as being in the country you've set your VPN to
whois `wget http://ipinfo.io/ip -qO -`
(Tho, you may need to sudo apt install whois</code first...)
The resulting wall-o-text will include details about where the internet thinks you are.
Autoconnect OpenVPN
Changing the exit point of your VPN
- Edit
/etc/init.d/openvpnauto
- Change the DAEMON_OPTS line
sudo systemctl daemon-reloadsudo service openvpnauto restart
Fix DNS issues by using the Google DNS servers
echo "nameserver 8.8.8.8" | sudo tee -a /etc/resolv.confecho "nameserver 8.8.4.4" | sudo tee -a /etc/resolv.conf
Make the DNS changes permanent. This sets the resolv.conf file to immutable (i.e. unchangeable)
sudo chattr +i /etc/resolv.conf
Note: PIA seems to occasionally forget to act like a VPN
When this happens, you may just want to know about it & remind them by restarting OpenVPN
Finding out if you're still protected:
Compare your public IP to that of the rest of the network
wget http://ipinfo.io/ip -qO -
&
ssh user@othermachine 'wget http://ipinfo.io/ip -qO -'
or even better
sshpass -p "Password" ssh user@othermachine 'wget http://ipinfo.io/ip -qO -'
or even betterer, use public key authentication
(some discussion on stack overflow)
Now figure out how to compare these results...
Here's a nifty little shell script...
#!/bin/bash
if nc -zw1 google.com 443
then
echo "We have Internets..."
else
echo "NOPE! No Internets..."
exit
fi
Local=$(wget http://ipinfo.io/ip -qO -)
Remote=$(sshpass -p 'PASSWORD' ssh USER@OTHERLOCALSERVER wget http://ipinfo.io/ip -qO -)
echo Local: $Local
echo Remote: $Remote
if [ $Local != $Remote ]
then
echo "PIA is currently behaving"
echo $(date) " - PIA is Just Fine!" >> vpnfix.log
mosquitto_pub -h automation -t "Scotts Speaker" -m "P I A is OK"
else
echo "PIA is mis-behaving"
date >> vpnfix.log
echo $(date) " - PIA is Buggered!" >> vpnfix.log
mosquitto_pub -h automation -t "Scotts Speaker" -m "P I A is Fucked"
echo "Attempting repair..."
service openvpnauto restart
fi
Not only does it check if PIA is doing its thing, it announces the result verbally (the mosquitto... lines) and restarts openvpn (asking for a password for sudo...). It could use a bit of improvement, but it works.
NOTE: You have to ssh into OTHERLOCALSERVER manually first so the machine knows it's ok.
NOTE: Ya kinda need to install mosquitto-clients and sshpass or it aint gonna work quite right...
Ideas for improvement
- Figure out how to use the Internet connectivity check to avoid trying to announce failure & attempt repair if PIA failed because the Internet is missing.
- Find a way to safely allow it to restart the service without asking for a password.
- Then, make it run periodically from cron.