Configure VPN with openvpn on Ubuntu and Kodibuntu

Here is a guide to install openvpn on your Linux setup and run it from a boot script. We want to launch the VPN before any application that requires it. To do so, we will use a script that is executed after the VPN connection is established, and another script that kills those apps before the VPN shuts down.

INSTALL OPENVPN

  1. Install openvpn:
    sudo apt-get install openvpn
  2. Your VPN service provider should give you an .ovpn file; otherwise you will have to create it yourself. Copy it to the openvpn directory as default.conf. If you have any certificate or key (.pem) files, copy them too.
    cp myvpnconf.ovpn /etc/openvpn/default.conf
    cp mycertificate.crt /etc/openvpn/
    cp myperm.crt /etc/openvpn/
  3. Store your username and password so you are not prompted for them each time openvpn starts. The file holds the credentials in clear text, so keep it readable by root only:
    echo *username* | sudo tee /etc/openvpn/pass.txt
    echo *password* | sudo tee -a /etc/openvpn/pass.txt
    echo auth-user-pass /etc/openvpn/pass.txt | sudo tee -a /etc/openvpn/default.conf

Create VPN Launch/Shutdown Scripts:

We will create two scripts: one that runs as soon as the VPN is up, and one that runs just before the VPN goes down. That way we can start and stop an application that is tied to the VPN.

openvpn has two main options that help us do so. The first is --route-up, which launches a script right after the VPN connection is established. The second is --down, used together with --down-pre, which launches a script just before the VPN connection shuts itself down. With this setup we can have an application that runs exclusively under the VPN.

  1. To do so we need to create two script files:
    echo "#!/bin/bash" | sudo tee /etc/openvpn/vpn_startup.sh
    echo "#!/bin/bash" | sudo tee /etc/openvpn/vpn_shutdown.sh
  2. Change the permissions of these files to make them executable:
    sudo chmod +x /etc/openvpn/vpn_*
  3. Once the files are created, add some arguments to the openvpn init script. It is found here:
    sudo vi /etc/init.d/openvpn
  4. Inside vi you can show line numbers by typing the following command:
    :set nu
  5. Around lines 42 and 48 you should find the DAEMONARG variable being set up. Just after the fi, add the arguments we need. It should look like this:
    if grep -q '^[ ]*daemon' $CONFIG_DIR/$NAME.conf ; then
      # daemon already given in config file
      DAEMONARG=
    else
      # need to daemonize
      DAEMONARG="--daemon ovpn-$NAME"
    fi
    DAEMONARG="$DAEMONARG --route-up /etc/openvpn/vpn_startup.sh --verb 4 --script-security 2 --down-pre --down /etc/openvpn/vpn_shutdown.sh --log /var/log/openvpn.log"

    --route-up script_file: the script launched just after the VPN is set up and proven to work.
    --verb 4: outputs more information when you launch openvpn.
    --script-security 2: loosens the security a bit to allow our scripts to run.
    --down script_file: launches a script after the VPN shuts down.
    --down-pre: alters the --down argument so the script is launched just before the VPN shuts down.
    --log: redirects the output to a log file for future debugging if needed.
    You can find more about those arguments and help about openvpn by typing in a terminal:
    man openvpn
  6. You can start VPN via:
    sudo /etc/init.d/openvpn start
  7. To enable openvpn at start up type:
    sudo update-rc.d openvpn defaults
  8. If it works you should now have a new IP. Here are two handy commands to check your public IP:
    wget -qO- http://ipecho.net/plain ; echo
    curl ifconfig.me
  9. Now you just have to edit your two script files to your taste. DO NOT COPY THESE SCRIPTS EXACTLY; UNDERSTAND THEM AND MODIFY THEM TO YOUR OWN NEEDS. Start programs, set up firewall rules, etc. Here are some more advanced topics about the kind of rules you can set:
    1. Bypass the VPN connection on specific ports
    2. VPN UP script example:
      # ---ENABLING KERNEL OPTIONS
      sudo sysctl -w net.ipv4.conf.eth0.rp_filter=0
      sudo sysctl -w net.ipv4.conf.tun0.rp_filter=0
      sudo sysctl -w net.ipv4.conf.all.rp_filter=0
      sudo sysctl -w net.ipv4.conf.default.rp_filter=0
      sudo sysctl -w net.ipv4.conf.lo.rp_filter=0
      sudo sysctl -w net.ipv4.conf.all.forwarding=1
      sudo sysctl -w net.ipv4.conf.default.forwarding=1
      sudo sysctl -w net.ipv4.conf.eth0.forwarding=1
      sudo sysctl -w net.ipv4.conf.lo.forwarding=1
      sudo sysctl -w net.ipv4.conf.tun0.forwarding=1
      sudo sysctl -w net.ipv6.conf.all.forwarding=1
      sudo sysctl -w net.ipv6.conf.default.forwarding=1
      sudo sysctl -w net.ipv6.conf.eth0.forwarding=1
      sudo sysctl -w net.ipv6.conf.lo.forwarding=1
      sudo sysctl -w net.ipv6.conf.tun0.forwarding=1
      sudo sysctl -w net.ipv4.tcp_fwmark_accept=1
      # ---CLEAR ALL FIREWALL RULES
      iptables -F
      iptables -t mangle -F
      iptables -t nat -F
      # ---FLUSH EXISTING TABLE 101 + cache
      ip route flush table 101
      ip route flush cache
      #--- DEL IF EXISTS AND ADD RULE (the fwmark rule must point at the same table the routes go into: 101)
      ip rule del fwmark 2 table 101
      ip rule add fwmark 2 table 101
      #--- CREATE TABLE 101
      ip route add table 101 default via 192.168.0.1 dev eth0
      ip route add table 101 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.20 metric 1
      #--- PORT FORWARD TO TABLE 101
      # SETTING MASQUERADE FOR OUTPUT
      iptables --table nat --append POSTROUTING -o eth0 -j MASQUERADE
      # VPN BYPASS!
      # SSH THIS ONE IS THE MOST IMPORTANT
      iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2
      # PLEX
      iptables -t mangle -A OUTPUT -p tcp --dport 32400 -j MARK --set-mark 2
      iptables -t mangle -A PREROUTING -p tcp --dport 32400 -j MARK --set-mark 2
      # HTTP / HTTPS
      iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 2
      iptables -t mangle -A PREROUTING -p tcp --dport 443 -j MARK --set-mark 2
      # FTP
      iptables -t mangle -A PREROUTING -p tcp --dport 21 -j MARK --set-mark 2
      # YOU NEED TO SET UP MIN/MAX PORT IN VSFTPD
      iptables -t mangle -A PREROUTING -p tcp --dport 13000:13100 -j MARK --set-mark 2
      iptables -t mangle -A OUTPUT -p tcp --sport 21 -j MARK --set-mark 2
      # DELUGE LOCAL only from LOCAL NETWORK IPs
      iptables -t mangle -A PREROUTING -p tcp --dport 58846 -s 192.168.0.0/24 -j MARK --set-mark 2
      # ----------- FIREWALL: THIS IS OPTIONAL BUT GIVES EXTRA SECURITY -----------
      # REJECT ALL INCOMING CONNECTIONS
      iptables -P INPUT DROP
      iptables -P FORWARD DROP
      iptables -P OUTPUT ACCEPT
      # ALLOW LOCAL
      iptables -A INPUT -i lo -j ACCEPT
      iptables -A OUTPUT -o lo -j ACCEPT
      # ALLOW ALREADY ESTABLISHED CONNECTIONS
      iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      # ALLOW PLEX
      iptables -I INPUT -p tcp --dport 32400 -j ACCEPT
      # ALLOW HTTPS
      iptables -I INPUT -p tcp --dport 443 -j ACCEPT
      # ALLOW SAMBA IN LOCAL NETWORK ONLY
      iptables -I INPUT -p tcp --dport 137 -s 192.168.0.0/24 -j ACCEPT
      iptables -I INPUT -p tcp --dport 138 -s 192.168.0.0/24 -j ACCEPT
      iptables -I INPUT -p tcp --dport 139 -s 192.168.0.0/24 -j ACCEPT
      iptables -I INPUT -p tcp --dport 445 -s 192.168.0.0/24 -j ACCEPT
      # ALLOW DELUGE LOCALLY
      iptables -I INPUT -p tcp --dport 58846 -s 192.168.0.0/24 -j ACCEPT
      # ALLOW SSH FROM LOCAL NETWORK
      iptables -A INPUT -p tcp --dport 22 -s 192.168.0.0/24 -j ACCEPT
      # VSFTPD
      iptables -I INPUT -p tcp --dport 21 -j ACCEPT
      iptables -I INPUT -p tcp --dport 13000:13100 -j ACCEPT
      # ----------- END OF THE FIREWALL -----------
      # AVOID DNS LEAK WITH GOOGLE DNS (one nameserver per line)
      printf 'nameserver 8.8.8.8\nnameserver 8.8.4.4\n' | tee /etc/resolv.conf
      # START ANY PROGRAMS HERE
      /etc/init.d/deluged start
      /etc/init.d/deluge-web start
    3. VPN DOWN script example:
      # KILL ANY PROCESS:
      PIDS=$(ps -ef | grep deluged | grep -v grep | awk '{print $2}')
      [ -n "$PIDS" ] && kill -9 $PIDS
      # TO BE SURE:
      /etc/init.d/deluged stop
      # BLOCK ALL CONNECTIONS HERE EXCEPT SSH: 22. YOU CAN ADD WHATEVER PORT HERE
      # FLUSH THE RULES LEFT BY THE UP SCRIPT FIRST, OTHERWISE ITS ACCEPT RULES STAY IN PLACE
      iptables -F
      # REJECT ALL CONNECTIONS EXCEPT SSH
      iptables -P INPUT DROP
      iptables -P FORWARD DROP
      iptables -P OUTPUT DROP
      # ALLOW LOCAL
      iptables -A INPUT -i lo -j ACCEPT
      iptables -A OUTPUT -o lo -j ACCEPT
      # ALLOW ALREADY ESTABLISHED CONNECTIONS (BOTH WAYS, OR SSH REPLIES ARE DROPPED BY THE OUTPUT POLICY)
      iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      # ALLOW SSH FROM LOCAL NETWORK
      iptables -A INPUT -p tcp --dport 22 -s 192.168.0.0/24 -j ACCEPT
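The bypass and kill-switch ideas above, rewritten as one hook script that can be given to both --route-up and --down (added example, not the guide's own scripts). It relies on the script_type, trusted_ip and trusted_port variables OpenVPN exports to its hooks; the LAN values (eth0, 192.168.0.1, 192.168.0.20, 192.168.0.0/24) are the ones used in the guide, and mark 2, table 101 and UDP 1194 as the fallback server port are assumptions. Unlike the UP script above, it marks the whole connection so the replies of an inbound SSH session also leave through eth0, and its kill switch still lets openvpn reach its server to reconnect.

```shell
#!/bin/sh
# Added example, not the guide's script: one hook file usable as both the
# --route-up and the --down script. OpenVPN exports script_type, trusted_ip and
# trusted_port to its hooks; the LAN values (eth0, 192.168.0.1, 192.168.0.20,
# 192.168.0.0/24) are the guide's, and mark 2 / table 101 are assumptions.
LAN_IF=${LAN_IF:-eth0}; LAN_GW=${LAN_GW:-192.168.0.1}; LAN_IP=${LAN_IP:-192.168.0.20}
LAN_NET=${LAN_NET:-192.168.0.0/24}; MARK=2; TABLE=101
BYPASS_PORTS=${BYPASS_PORTS:-"22 32400"}   # services that must stay reachable outside the VPN

# DRY_RUN=1 prints each command instead of executing it, so the rule set can be reviewed first.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Policy routing: packets carrying fwmark MARK are looked up in TABLE, which only knows
# the LAN and its gateway. The rule and the routes must use the same table number.
bypass_routing() {
    run sysctl -q -w "net.ipv4.conf.$LAN_IF.rp_filter=2"   # loose RPF: replies leave on eth0
    run ip route flush table "$TABLE"
    run ip route add table "$TABLE" "$LAN_NET" dev "$LAN_IF" src "$LAN_IP"
    run ip route add table "$TABLE" default via "$LAN_GW" dev "$LAN_IF" src "$LAN_IP"
    run ip rule add fwmark "$MARK" table "$TABLE" priority 100
}

# Mark the connection, not only the first inbound packet: SSH replies are generated locally,
# so only a mark restored in mangle OUTPUT makes them use TABLE instead of the VPN default route.
bypass_ports() {
    run iptables -t mangle -F
    for p in "$@"; do
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport "$p" \
            -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
    done
    run iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark
}

# Kill switch for the down phase: block everything except loopback, replies,
# SSH from the LAN and the UDP path to the VPN server so OpenVPN can reconnect.
kill_switch() {
    run iptables -F; run iptables -P INPUT DROP; run iptables -P FORWARD DROP; run iptables -P OUTPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT; run iptables -A OUTPUT -o lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p tcp --dport 22 -s "$LAN_NET" -j ACCEPT
    run iptables -A OUTPUT -o "$LAN_IF" -d "${trusted_ip:-0.0.0.0/0}" -p udp \
        --dport "${trusted_port:-1194}" -j ACCEPT   # UDP 1194 assumed if OpenVPN did not export it
}

case "${script_type:-}" in
    route-up) bypass_routing; bypass_ports $BYPASS_PORTS ;;   # then start the VPN-only apps
    down)     kill_switch ;;                                  # stop the VPN-only apps first
esac
```

Install it once, make it executable, and pass the same path to both --route-up and --down in DAEMONARG; run it by hand with DRY_RUN=1 script_type=route-up to inspect the rules it would apply.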