My VPN setup | PlexGuide.com

My VPN setup


ClockWorkFuchsia

Citizen
Original poster
Jun 24, 2020
I use a dedicated CentOS 6 VM, which acts as a VPN gateway. I can route traffic to it by setting that IP as the client's default gateway, or I can SSH to it and create a SOCKS proxy with my SSH client, and I run tinyproxy on it, so I can use it as an HTTP proxy.

I have a script on it which checks to make sure I'm connected to the VPN all the time, and doesn't allow non-VPN traffic to get routed through with my public IP, ever. So if the VPN is down, anything routed through this device doesn't work, and more importantly, doesn't expose my real IP. That gets accomplished with user-specific iptables rules for my SOCKS and HTTP proxy, and with FORWARD drop rules for my regular IP routing.
eth0 is my primary trusted LAN network, and also how this device connects to my main gateway to get out to the public internet.
eth1 is a guest network, where I have all my untrusted devices (kodi boxes, guest wifi, etc)
tun0 is the interface which openvpn creates for sending vpn traffic through.
The user tinyproxy is used for the tinyproxy HTTP proxy application.
The user proxy is used to SSH in with (using RSA keys for passwordless authentication), which I use for setting up a localhost SOCKS proxy.

Here are components I use to make it work:
iptables:
Code:
*nat
:PREROUTING ACCEPT [2802825:548715000]
:POSTROUTING ACCEPT [34816:5782072]
:OUTPUT ACCEPT [372947:31056249]
#
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack -i eth0 --ctstate NEW -m tcp -p tcp --match multiport --dports 22,53,8200,8888,10050 -j ACCEPT -m comment --comment "eth0 LAN traffic"
-A INPUT -m conntrack -i eth0 --ctstate NEW -m udp -p udp --match multiport --dports 53,161 -j ACCEPT -m comment --comment "eth0 LAN traffic"
-A INPUT -m conntrack -i eth1 --ctstate NEW -m tcp -p tcp --dport 53 -j ACCEPT -m comment --comment "eth1 Guest traffic"
-A INPUT -m conntrack -i eth1 --ctstate NEW -m udp -p udp --dport 53 -j ACCEPT -m comment --comment "eth1 Guest traffic"
-A INPUT -j LOG --log-prefix "INPUT denied:" --log-level 6
-A INPUT -j DROP
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o eth0 -m owner --uid-owner 70002 -d 192.168.220.0/24 -j ACCEPT -m comment --comment "Allow proxy user access to LAN resources"
-A OUTPUT -o eth0 -m owner --uid-owner 70002 -j DROP -m comment --comment "Prevent proxy user from going out main internet connection"
-A OUTPUT -o eth0 -m owner --uid-owner 497 -d 192.168.1.0/24 -j ACCEPT -m comment --comment "Allow tinyproxy user access to LAN resources"
-A OUTPUT -o eth0 -m owner --uid-owner 497 -j DROP -m comment --comment "Prevent tinyproxy user from going out main internet connection"
-A OUTPUT -j ACCEPT
-A FORWARD -i eth0 -o eth0 -j REJECT
-A FORWARD -i eth1 -o eth0 -j REJECT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i eth1 -o tun0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -p icmp -j ACCEPT
-A FORWARD -i eth1 -o tun0 -p icmp -j ACCEPT
-A FORWARD -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A FORWARD -j LOG --log-prefix "FORWARD denied:" --log-level 6
-A FORWARD -j DROP
#-A FORWARD -m state --state INVALID,NEW -j DROP
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

This is a simple bash script which monitors my connection, and reconnects to my VPN provider if I get disconnected. I shuffle through VPN servers so I am connecting to a different one each time.
Code:
#!/bin/bash

# Public (non-VPN) addresses of the real uplink. Seeing one of these as the
# egress address means traffic is leaving around the tunnel.
MYIPS="my.public.IP.address1 my.public.ip.address2"

startvpn() {
    # servers.txt contains a list of all VPN servers; shuf randomly selects a different server each time.
    REMOTE=$(grep -v "#" /etc/openvpn/profile1/servers.txt | shuf -n 1)
    logger "OpenVPN: Connecting to $REMOTE"
    /usr/sbin/openvpn --daemon --remote $REMOTE --config /etc/openvpn/profile1/default-profile1.ovpn
}
stopvpn() {
    logger "OpenVPN: Killing openvpn"
    killall openvpn
}
reconnect() {
    stopvpn
    startvpn
}

# Exact match against the addresses in MYIPS. A substring match would let
# 10.0.0.1 match 10.0.0.10, and an empty string would match everything.
is_my_ip() {
    local ip
    for ip in $MYIPS; do
        [[ "$1" == "$ip" ]] && return 0
    done
    return 1
}

healthcheck() {
    while true; do
        unset EXT_IP1 EXT_IP2
        EXT_IP1=$(curl -s -H 'User-Agent:' ipinfo.io/ip)
        CURL_STATUS1="$?"
        #echo "External IP is:$EXT_IP1"
        if [[ "$CURL_STATUS1" -ne 0 ]]; then
            logger "OpenVPN: Unable to get ip address from http://ipinfo.io/ip - Trying ifconfig.me"
            EXT_IP2=$(curl -s ifconfig.me)
            CURL_STATUS2="$?"
            if [[ "$CURL_STATUS2" -ne 0 ]]; then
                logger "OpenVPN: Curl is unable to get public IP - likely because VPN is down. Restarting OpenVPN"
                reconnect
            fi
        elif [[ ! "$EXT_IP1" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            logger "OpenVPN: Non Standard IP $EXT_IP1 from http://ipinfo.io/ip - Trying ifconfig.me"
            EXT_IP2=$(curl -s ifconfig.me)
            if [[ ! "$EXT_IP2" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
                logger "OpenVPN: Non Standard IP $EXT_IP2 from ifconfig.me. Restarting OpenVPN"
                reconnect
            fi
        fi

        # Check to see if the returned IP is one of my non-VPN IPs (empty values never match).
        if is_my_ip "$EXT_IP1" || is_my_ip "$EXT_IP2"; then
            logger "OpenVPN: Detected ${EXT_IP1:-$EXT_IP2} as public IP. Restarting OpenVPN."
            reconnect
        fi
        # Sleep for a random amount of time.
        sleep $(shuf -i 5-420 -n 1)
    done
}

# Trap Ctrl-C / TERM and bring the tunnel down before exiting.
ctrl_c() {
    logger "OpenVPN: Issued kill, so exiting."
    stopvpn
    exit
}
trap ctrl_c INT TERM

# SIGHUP forces a reconnect to a freshly chosen server.
refresh() {
    reconnect
}
trap refresh HUP

startvpn
sleep 5
healthcheck
Because Firefox allows you to use a dedicated SOCKS proxy per profile, I use a dedicated profile, which I launch after creating the SOCKS proxy... this is what it looks like:

Code:
[[email protected] ~]$ ssh -D 8200 -C -q -N [email protected]
[[email protected] ~]$ /opt/firefox/firefox --profile /home/username/.mozilla/firefox/my-media.user/ --new-instance
#An example using the socks proxy with curl instead of firefox:
[[email protected] ~]$ curl -x socks5h://localhost:8200 https://ipinfo.io
{
  "ip": "my.vpn.ip.address",
  "city": "Secaucus",
  "region": "New Jersey",
  "country": "US",
  "loc": "40.7895,-74.0565",
  "org": "AS9009 M247 Ltd",
  "postal": "07094",
  "timezone": "America/New_York",
  "readme": "https://ipinfo.io/missingauth"
}
#An example using the tinyproxy http proxy
[[email protected] ~]$ curl -x 192.168.1.3:8888 https://ipinfo.io
{
  "ip": "my.vpn.ip.address",
  "city": "Secaucus",
  "region": "New Jersey",
  "country": "US",
  "loc": "40.7895,-74.0565",
  "org": "AS9009 M247 Ltd",
  "postal": "07094",
  "timezone": "America/New_York",
  "readme": "https://ipinfo.io/missingauth"
}

Other misc:
You need to enable IP forwarding in /etc/sysctl.conf
net.ipv4.ip_forward = 1


I also run a forwarding DNS server, which forwards requests to an outside set of DNS servers that none of my internal clients use, and of course it can only go out via the VPN, so all devices pointing to this server get DNS through the VPN, and from a different source than the rest of the devices on my network. I don't intend this to be an exhaustive howto, but a guide. I use Linux for everything, including my client, but there's no reason the clients can't be Windows boxes, Plex boxes, media servers, etc. I know there are other pre-packaged applications and OSes out there that do this, but I felt more comfortable rolling my own.
 
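As an added illustration (not the poster's own code, and nothing the thread ships): a small Python audit that parses an iptables-save dump and checks the leak-prevention properties the post describes, namely that the FORWARD chain never lets LAN (eth0) or guest (eth1) traffic out via eth0 even when tun0 is gone, and that the proxy and tinyproxy users are confined to the LAN on eth0 while still free to use tun0. The sample input is a trimmed copy of the post's own filter rules, plus a deliberately weakened copy to show a failing check. The packet evaluator is a simplified first-match model of only the matches this ruleset uses (interface, protocol, conntrack state, owner uid, destination, port), not a full iptables implementation; the addresses and uids in the constructed packets are assumptions chosen to exercise the rules.

```python
"""Offline audit of an iptables-save dump for the VPN kill-switch invariants
described in the post: forwarded traffic may only leave via tun0, and the
proxy users may only reach the LAN on eth0. Constructed example."""
import ipaddress
import shlex

# Constructed sample: the *filter FORWARD/OUTPUT rules from the post, trimmed.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o eth0 -m owner --uid-owner 70002 -d 192.168.220.0/24 -j ACCEPT -m comment --comment "Allow proxy user access to LAN resources"
-A OUTPUT -o eth0 -m owner --uid-owner 70002 -j DROP
-A OUTPUT -o eth0 -m owner --uid-owner 497 -d 192.168.1.0/24 -j ACCEPT
-A OUTPUT -o eth0 -m owner --uid-owner 497 -j DROP
-A OUTPUT -j ACCEPT
-A FORWARD -i eth0 -o eth0 -j REJECT
-A FORWARD -i eth1 -o eth0 -j REJECT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i eth1 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
COMMIT
"""
# Same ruleset with the guest->uplink REJECT and the final DROP missing: the
# chain policy (ACCEPT) then decides, which is exactly the leak the post guards against.
WEAK_RULES = (SAMPLE_RULES.replace("-A FORWARD -i eth1 -o eth0 -j REJECT\n", "")
              .replace("-A FORWARD -j DROP\n", ""))

# option -> rule key; "dports" and "states" hold comma-separated sets
OPTS = {"-i": "in", "-o": "out", "-p": "proto", "-d": "dst", "-j": "target",
        "--uid-owner": "uid", "--dport": "dports", "--dports": "dports",
        "--state": "states", "--ctstate": "states"}
# options whose argument carries no packet condition we model
SKIP = {"-m", "--match", "--comment", "--log-prefix", "--log-level", "--reject-with"}


def parse_iptables_save(text):
    """Return (policies, chains) for the *filter table only."""
    policies, chains, table = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table != "filter" or not line:
            continue
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule, i = {}, 2
            while i < len(toks):
                if toks[i] in OPTS:
                    key, val = OPTS[toks[i]], toks[i + 1]
                    rule[key] = set(val.split(",")) if key in ("dports", "states") else val
                    i += 2
                elif toks[i] in SKIP:
                    i += 2
                else:
                    i += 1  # unknown flag: ignored; extend OPTS for rulesets that use more matches
            chains.setdefault(toks[1], []).append(rule)
    return policies, chains


def rule_matches(rule, pkt):
    """True when every modelled condition of the rule holds for the packet (pkt needs 'dst')."""
    for key in ("in", "out", "proto", "uid"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    if "dst" in rule and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["dst"], strict=False):
        return False
    if "states" in rule and pkt.get("state") not in rule["states"]:
        return False
    if "dports" in rule and str(pkt.get("dport")) not in rule["dports"]:
        return False
    return True


def verdict(policies, chains, chain, pkt):
    """First terminating match wins; non-terminating targets such as LOG fall through."""
    for rule in chains.get(chain, []):
        if rule_matches(rule, pkt) and rule.get("target") in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"]
    return policies.get(chain, "ACCEPT")


def audit_kill_switch(text):
    """Map each invariant to True (holds) or False (a leak path exists)."""
    policies, chains = parse_iptables_save(text)
    fwd = lambda p: verdict(policies, chains, "FORWARD", p)
    out = lambda p: verdict(policies, chains, "OUTPUT", p)
    internet = {"proto": "tcp", "state": "NEW", "dport": 443, "dst": "203.0.113.10"}  # TEST-NET-3, constructed
    lan = {"proto": "tcp", "state": "NEW", "dport": 80, "dst": "192.168.1.20"}        # constructed LAN host
    return {
        # tun0 gone (VPN down): the default route falls back to eth0, so client traffic
        # would try to leave the gateway on the same interface it came in on
        "guest_cannot_forward_to_uplink": fwd({**internet, "in": "eth1", "out": "eth0"}) != "ACCEPT",
        "lan_cannot_forward_to_uplink": fwd({**internet, "in": "eth0", "out": "eth0"}) != "ACCEPT",
        "guest_forwards_via_tunnel": fwd({**internet, "in": "eth1", "out": "tun0"}) == "ACCEPT",
        "tunnel_replies_reach_guest": fwd({**lan, "state": "ESTABLISHED", "in": "tun0", "out": "eth1"}) == "ACCEPT",
        "proxy_user_blocked_on_uplink": out({**internet, "out": "eth0", "uid": "70002"}) != "ACCEPT",
        "proxy_user_allowed_via_tunnel": out({**internet, "out": "tun0", "uid": "70002"}) == "ACCEPT",
        "tinyproxy_user_reaches_lan": out({**lan, "out": "eth0", "uid": "497"}) == "ACCEPT",
        "tinyproxy_user_blocked_on_uplink": out({**internet, "out": "eth0", "uid": "497"}) != "ACCEPT",
    }


if __name__ == "__main__":
    for name, ruleset in (("post ruleset", SAMPLE_RULES), ("weakened ruleset", WEAK_RULES)):
        for check, ok in audit_kill_switch(ruleset).items():
            print(f"{name}: {check}: {'ok' if ok else 'LEAK'}")
```

To run it against a live gateway, save `iptables-save` output to a file and call `audit_kill_switch(open("rules.v4").read())`; any False result names the path that would carry traffic around the tunnel. The weakened copy shows why the trailing `-A FORWARD -j DROP` matters: with a default policy of ACCEPT, dropping the explicit REJECT and the final DROP silently turns a guest client's eth1-to-eth0 traffic into a leak.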

Datamonkeh

Data Hoarding Primate
Project Manager
Donor
Jan 20, 2018
As you point out, other (and I'd suggest more specifically suited/hardened) options exist. A lot depends on the specific usage scenario, but I always liked the BinHex VPN containers with Privoxy enabled to allow you to expose it to other clients/containers that absolutely will not route traffic unencrypted if the VPN goes down (remote administration is another matter). The other option is for those of us with dedicated boxes to use ESXi/Proxmox and add your router distro of choice (pfSense or similar) to do PBR, bonus points for site-to-site tunnel and VLANs which open up some other interesting possibilities.
 
