Sciencemadness Discussion Board
Subject: Reliable VPN services?
WGTR
International Hazard
Posts: 832
Registered: 29-9-2013
Location: Online

posted on 5-12-2018 at 19:23


This is targeted to a NordVPN setup on a Linux machine, using software that is compatible with my (and hopefully woelen's) setup. Other systems may require some additional tweaks or software installs, a change in route entries, etc. Keep in mind that I'm using an Ubuntu LiveCD; on a standard install the use of sudo will probably require a password to be entered. I'm not yet sure if that will break anything.

I know a lot about networking on a very low, close to the hardware level. My Linux scripting Kung Fu is rather rudimentary, however. There are probably better ways to write this code. Anyway, here is a step-by-step guide to the way that I currently have things working. Hopefully there are no mistakes or omissions. Basically, by clicking on the AddGW icon, the restore_gateway.sh script checks for the presence of the default gateway. If it isn't already present, then it adds it. This is necessary for the VPN tunnel to start up smoothly, without extra programming work. When clicking the VPN.desktop icon, OpenVPN initializes the tunnel and logs in using the user.txt and .ovpn files. This script also removes the original default gateway by calling the startup_routes.sh script. If you shut down the VPN script (with ctrl+C), then you have to click on AddGW.desktop again before you'll have internet access. You don't want the VPN scripts to re-add the original gateway automatically upon shutdown, for security reasons.

1. Create files vpn.sh, startup_routes.sh, and restore_gateway.sh.

Save this to vpn.sh. Change the --config file directory to match your system and .ovpn file:

Code:
#!/bin/bash
# Launched from the VPN.desktop icon. Wait briefly, then open a terminal
# that stays open (-hold) running openvpn with the chosen NordVPN config.
sleep 2
xterm -hold -e "sudo openvpn --config /home/ubuntu/Downloads/ch108.nordvpn.com.tcp443.ovpn" &


Save this to startup_routes.sh:

Code:
#!/bin/bash
# Run by openvpn as the "up" script once the tunnel is established.
# Remove the LAN default route so that only the tunnel can carry traffic.
# 192.168.1.1 is the LAN router; change it to match your network.
PROG_RET="$(ip route list exact 0.0.0.0/0 | awk '{print $1}')"
if [ "$PROG_RET" = "default" ] || [ "$PROG_RET" = "0.0.0.0" ] || [ "$PROG_RET" = "0.0.0.0/0" ]; then
    sudo ip route del 0.0.0.0/0 via 192.168.1.1
    # If the deletion worked, nothing should follow the message on this line.
    echo "Default route that follows this should be null value $(ip route list exact 0.0.0.0/0)"
fi


Save this to restore_gateway.sh:

Code:
#!/bin/bash
# Launched from the AddGW.desktop icon. Re-add the LAN default gateway if
# it is missing; openvpn needs it to reach the VPN server in the first place.
# 192.168.1.1 is the LAN router; change it to match your network.
PROG_RET="$(ip route list exact 0.0.0.0/0 | awk '{print $1}')"
if [ -z "$PROG_RET" ]; then
    sudo ip route add 0.0.0.0/0 via 192.168.1.1
    ip route list exact 0.0.0.0/0
    echo "Default route added"
else
    echo "Default route already exists"
    ip route list exact 0.0.0.0/0
fi


After saving and closing the three previous files, make them executable.

2. Create a file "user.txt" that contains your username on the first line and your password on the second:

Code:
user@notreal.com
notmypassword


3. Add this to the .ovpn file, after the "auth SHA512" line. You'll have to modify the file path to match your system:

Code:
script-security 2
up '/home/ubuntu/Downloads/startup_routes.sh'


Also add the path for the user.txt file after the auth-user-pass variable:

Code:
auth-user-pass /home/ubuntu/Downloads/user.txt


4. Create two more files, VPN and AddGW.

Copy this to VPN. Make sure that the Exec= path points to the vpn.sh file:

Code:
[Desktop Entry]
Version=1.0
Name=VPN
Comment=start up vpn
Exec=/home/ubuntu/Downloads/vpn.sh
Terminal=false
X-MultipleArgs=false
Type=Application
Icon=false
StartupNotify=true


Copy this to AddGW. Again, make sure that the Exec= path is correct:

Code:
[Desktop Entry]
Version=1.0
Name=AddGW
Comment=restore default gateway
Exec=xterm -hold -e '/home/ubuntu/Downloads/restore_gateway.sh'
Terminal=false
X-MultipleArgs=false
Type=Application
Icon=false
StartupNotify=true


After saving and closing both files, add .desktop to the end of both filenames (i.e. VPN.desktop and AddGW.desktop), and make them executable.

5. Take it for a spin! Make sure the default gateway exists by first clicking the AddGW icon. A terminal window should pop up and either say that the rule already exists, or that it was successfully added. You can close the window. Click on the VPN icon to start up the tunnel. It should log in and delete the old default route. In the VPN terminal window you should see a line that says "Default route that follows this should be null value". Nothing should follow this on the same line. If there's a route entry there, then the default route did not get successfully deleted. Leave this window open as long as you are running the VPN. To close it, use ctrl+C, wait for the process to end, and then close the terminal window. You can re-add the old default route by clicking the AddGW icon again.


[Edited on 12-6-2018 by WGTR]
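
An added example (not WGTR's script, and not part of this post): the check behind the "should be null value" line, written out so that it can be run against a routing table dump at any time. It reads "ip route" output from stdin and flags any default route that does not leave through the tunnel interface; with --live it audits the running system instead of the samples. The route dumps in the script are constructed, and the interface names and addresses (tun0, eth0, 10.8.0.1, 192.168.1.1, 203.0.113.7) are assumptions.

```shell
#!/bin/bash
# Added example, not WGTR's code. Audit a routing table for default
# routes that bypass the VPN tunnel interface.
#
# Assumption: the .ovpn file uses "redirect-gateway def1", so the tunnel
# itself is reached through 0.0.0.0/1 and 128.0.0.0/1 via tun0 and the
# only "default" line is the one the LAN router's DHCP handed out.

# Print every default route whose device is not the tunnel interface.
# Route lines are read from stdin in "ip route" format.
# $1 = tunnel interface name (default tun0).
non_vpn_default_routes() {
    tun="${1:-tun0}"
    awk -v tun="$tun" '
        ($1 == "default" || $1 == "0.0.0.0/0") {
            dev = ""
            for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev != tun) print
        }'
}

# Return 0 (clean) if no default route outside the tunnel remains,
# 1 (leak risk) otherwise.  Usage: route_check [tunnel_if] < route_dump
route_check() {
    leaks="$(non_vpn_default_routes "$1")"
    [ -z "$leaks" ]
}

# Constructed sample route dumps (not captured from a real machine).
# Before the tunnel: the DHCP default route via the LAN router.
ROUTES_BEFORE_VPN='default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

# Tunnel up and startup_routes.sh done: only the host route to the VPN
# server (203.0.113.7, a documentation address) still uses the router.
ROUTES_VPN_CLEAN='0.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
203.0.113.7 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

# The DHCP default route has come back while the tunnel is still up.
ROUTES_VPN_LEAK="$ROUTES_VPN_CLEAN
default via 192.168.1.1 dev eth0 proto dhcp metric 100"

# Stand-alone run: audit the live table with --live, else the samples.
if [ "${1:-}" = "--live" ] && command -v ip >/dev/null 2>&1; then
    if ip route | route_check tun0; then
        echo "ok: no default route outside tun0"
    else
        echo "LEAK RISK: default route outside tun0:"
        ip route | non_vpn_default_routes tun0 | sed 's/^/    /'
    fi
else
    for name in ROUTES_BEFORE_VPN ROUTES_VPN_CLEAN ROUTES_VPN_LEAK; do
        eval "dump=\$$name"
        if printf '%s\n' "$dump" | route_check tun0; then
            echo "$name: clean"
        else
            echo "$name: non-VPN default route present:"
            printf '%s\n' "$dump" | non_vpn_default_routes tun0 | sed 's/^/    /'
        fi
    done
fi
```

A clean result only says that the kernel's default route is gone; it says nothing about where DNS queries go, which is a separate check.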
woelen
Super Administrator
Posts: 6656
Registered: 20-8-2005
Location: Netherlands

posted on 6-12-2018 at 06:39


@WGTR: I'll try using OpenVPN and the scripts in the last post. This is a nice weekend job for me :)

Using the nordvpn software I always have the same issue. I first need to log out and log in before I can use the connection. Very weird. Must be some bug. Also weird that the combined login/connect option of the software also does not work. In that case I need to log in twice before I can use the link.




The art of wondering makes life worth living...
Want to wonder? Look at http://www.oelen.net/science
woelen
Super Administrator
Posts: 6656
Registered: 20-8-2005
Location: Netherlands

posted on 12-12-2018 at 12:07


Issue now seems to be fixed. I used WGTR's scripts.

The scripts give me a VPN connection which is appr. 3 times as fast as with the nordvpn client software. I now get appr. 300 Mbit/s download speed at a certain server in Germany. Using the same server with nordvpn gives me appr. 100 Mbit/s download speed and occasional stalls. I think that the stalls with nordvpn are due to MTU issues. I noticed that sometimes after visiting a website, or setting up a SSH session with a server, the connection suddenly locks up. It becomes totally dead and the only thing I can do is disconnect and reconnect again.

With WGTR's scripts I did not notice such behavior. The scripts of WGTR do have one serious issue and that is that DNS requests still go 'around' the vpn-connection and not through it.

I solved that as follows:

Install the following: sudo apt install openvpn-systemd-resolved
Add the following lines to the .ovpn file:

Code:
script-security 2
up '/root/startup_routes.sh'
down /etc/openvpn/update-systemd-resolved
down-pre
dhcp-option DOMAIN-ROUTE .


And at the end of the startup_routes.sh script I added the following:
Code:
/etc/openvpn/update-systemd-resolved


With these additions, I see no DNS leaking anymore on ipleak.net and dnsleaktest.com.

Without the update-systemd-resolved scripts all DNS goes around the vpn-connection. With these scripts, but without the "dhcp-option DOMAIN-ROUTE ." line, part of my DNS requests goes around the vpn connection. Then I have a little DNS leaking. With this option added as well, I have no DNS leaking at all :)

Thanks WGTR: Your initial posts have helped me a lot further and I have built up some valuable networking knowledge in the past few days, which also may one day be useful in my day to day job as ICT consultant.



[Edited on 13-12-18 by woelen]
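
An added example (not woelen's configuration, and not captured from his machine): a check that the routing domain "~." really is attached to the tunnel link, which is what the "dhcp-option DOMAIN-ROUTE ." line makes update-systemd-resolved set, and that the tunnel's resolver is not the LAN router. It parses "resolvectl status" style output from stdin. The samples are constructed, the field labels assume the layout of Ubuntu's resolvectl output (which differs between versions), and tun0, eth0, 10.8.0.1 and 192.168.1.1 are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread. Verify from systemd-resolved's
# status output that the VPN tunnel link will receive all DNS queries.
#
# Assumption: "dhcp-option DOMAIN-ROUTE ." makes update-systemd-resolved
# attach the routing-only domain "~." to the tunnel link, which
# resolvectl prints as "DNS Domain: ~.". Only the first server listed
# for a link is read; multi-line server lists are not handled here.

# Print the value of one field ("DNS Servers", "DNS Domain", ...) for
# one link. Status text is read from stdin.
# $1 = interface name, $2 = field label.
link_field() {
    awk -v ifc="$1" -v field="$2" '
        /^Link [0-9]+ \(/ { inlink = (index($0, "(" ifc ")") > 0) }
        inlink && index($0, field ":") > 0 {
            sub(/^[^:]*: */, ""); print; exit
        }'
}

# Return 0 when the tunnel link has routing domain "~." and a resolver
# that is not the LAN router; 1 otherwise.
# $1 = tunnel interface (default tun0), $2 = LAN router address
# (default 192.168.1.1) that must not be the tunnel's resolver.
dns_check() {
    ifc="${1:-tun0}"
    lan_gw="${2:-192.168.1.1}"
    status="$(cat)"
    domain="$(printf '%s\n' "$status" | link_field "$ifc" "DNS Domain")"
    server="$(printf '%s\n' "$status" | link_field "$ifc" "DNS Servers")"
    [ "$domain" = "~." ] && [ -n "$server" ] && [ "$server" != "$lan_gw" ]
}

# Constructed status output (not captured from a real system): tun0 has
# the VPN resolver but no routing domain, so lookups for ordinary names
# can still be sent to the router on eth0. This is the leaking state.
STATUS_LEAK='Global
       LLMNR setting: yes

Link 2 (eth0)
      Current Scopes: DNS
         DNS Servers: 192.168.1.1

Link 5 (tun0)
      Current Scopes: DNS
         DNS Servers: 10.8.0.1'

# Same, after "dhcp-option DOMAIN-ROUTE ." is in the .ovpn file.
STATUS_OK="$STATUS_LEAK
          DNS Domain: ~."

# Stand-alone run: judge both samples (or the live system with --live).
if [ "${1:-}" = "--live" ] && command -v resolvectl >/dev/null 2>&1; then
    resolvectl status | dns_check tun0 192.168.1.1 \
        && echo "ok: tun0 owns all DNS lookups" \
        || echo "DNS LEAK RISK: tun0 lacks routing domain ~. or uses the LAN resolver"
else
    for name in STATUS_LEAK STATUS_OK; do
        eval "status=\$$name"
        if printf '%s\n' "$status" | dns_check tun0 192.168.1.1; then
            echo "$name: ok"
        else
            echo "$name: DNS leak risk"
        fi
    done
fi
```

This complements the external tests (ipleak.net, dnsleaktest.com) mentioned above: those show where queries end up, this shows whether the local resolver configuration explains it.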
WGTR
International Hazard
Posts: 832
Registered: 29-9-2013
Location: Online

posted on 13-12-2018 at 11:15


Quote: Originally posted by woelen  
With WGTR's scripts I did not notice such behavior. The scripts of WGTR do have one serious issue and that is that DNS requests still go 'around' the vpn-connection and not through it.


Thank you for catching that. I was unaware that DNS queries would bypass the rules in the routing tables and use a different gateway. That's rather disturbing, actually.

I still additionally encourage using an external hardware router that has a packet filtering function based on IP address (everything blocked except the IP address of the VPN server). If there's something like a DNS leak from the operating system for any reason whatsoever, it will get blocked at the router. Worst case, you won't have DNS functionality until some settings are fixed. "Even worse" case, any browser exploit, etc., that tries to phone home will be forced to go through the VPN or will be blocked at the router.

I'm very happy to see that this is working for you woelen. I'll take a look at some of the changes that you posted later, and try to understand them. Networking is fun, isn't it?

Tsjerk
International Hazard
Posts: 1383
Registered: 20-4-2005
Location: Netherlands

posted on 13-12-2018 at 11:57


Quote: Originally posted by WGTR  
Networking is fun, isn't it?


It definitely is, I should start using Linux... Windows is so much easier though. But not safer it seems.
JJay
International Hazard
Posts: 3320
Registered: 15-10-2015

posted on 13-12-2018 at 13:37


DNS often tears big rips in people's Guy Fawkes masks. It would be one of the first things I would look at if I were trying to decloak a hacker.



I'm no longer involved in this forum.
woelen
Super Administrator
Posts: 6656
Registered: 20-8-2005
Location: Netherlands

posted on 14-12-2018 at 00:17


Yes, networking is fun, but at times also frustrating.
In my home I use a pfSense router (made from a small PC like Intel's NUCs, but a cheap variation: a QOTOM Chinese low-budget Celeron system) and I am considering setting up the VPN from that system. In that case there will be no leaking at all; any internet access must go through the VPN.
I still am looking for a way to make it switchable easily. I want to have a simple toggle, which can switch between VPN and normal access.
The jersey rebel
Hazard to Self
Posts: 76
Registered: 27-5-2016
Location: Jersey Fresh

posted on 14-12-2018 at 14:49


Quote: Originally posted by Zombie  

Here's the list...

http://www.gizmodo.com.au/2013/06/you-wont-believe-how-many-...


[Edited on 6-2-2015 by Zombie]
I haven't searched some of those more 'worrying' terms, but most of the terms overall I have either used when posting comments on other forums/sites or have searched for my own research. Sometimes even for school! As for the list, the fact that they're even tracking stuff like illuminati and psyops gives validity to the conspiracy theories, so it's counterproductive for them to do.



Water is wet, fire is hot, I'm a jersey born rebel

AKA the roguemillenial on other sites.
woelen
Super Administrator
Posts: 6656
Registered: 20-8-2005
Location: Netherlands

posted on 20-12-2018 at 05:44


WGTR's script works fine, it deletes the standard route to internet which I get from my router's DHCP:

Once the VPN connection is set up, it does "ip route del 0.0.0.0/0 via 192.168.1.1" and this deletes the non-VPN route to internet.

But after some time, while I use the VPN connection, this route appears again. I can see it in the output of netstat -rn. If this occurs, then still all traffic is going through the VPN and with my additions I still have no DNS-leaking. The reappearance of the non-VPN route to internet does worry me though. If the tun0 connection by whatever mechanism is brought down, then the connection simply switches to standard internet. I tried this. I pinged google.com while the VPN was connected, and once I used CTRL-C in WGTR's script, I missed one ping packet to google.com and then it continued, directly from my host.
If I do the disconnect from the VPN only a few minutes after setting it up (there still is no route to 0.0.0.0 through 192.168.1.1), then having a google.com ping running leads to error messages each second that there is no route to that host.

What causes the reappearance of the default route through 192.168.1.1 and what can I do against that? I have searched the internet, but could not find a decent answer.


[Edited on 20-12-18 by woelen]
WGTR
International Hazard
Posts: 832
Registered: 29-9-2013
Location: Online

posted on 20-12-2018 at 05:53


Maybe something is re-running DHCP on the operating system, and the router is sending you the gateway, etc. I haven’t thought much about this yet, but perhaps try disabling DHCP in your router to see what happens. FYI, you won’t be able to connect other computers to the router unless you configure them manually, since you’ll be disabling the router’s “autoconfig”.

This is another reason why I keep suggesting using a hardware packet filter, because there’s no way to really be sure that your OS isn’t doing something sneaky in the background to undermine your intended network security configurations.

[Edited on 12-20-2018 by WGTR]
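
An added example (not from either post): a watchdog for the reappearing route woelen describes. It follows "ip monitor route", logs every new default route through the LAN gateway with a timestamp (so the times can be compared against the router's DHCP lease length, the cause WGTR suspects) and deletes the route again, exactly as startup_routes.sh does once. The decision logic is separate from the ip calls so it can be run offline against constructed monitor lines; 192.168.1.1, tun0 and eth0 are assumptions, and DRY_RUN=1 logs without deleting.

```shell
#!/bin/bash
# Added example, not from the thread. Detect and undo a LAN default route
# that gets re-added while the VPN tunnel is up.
#
# Run with --watch while the tunnel is up; without arguments it shows the
# decision logic on constructed sample lines. Assumptions: the LAN router
# is 192.168.1.1, the tunnel interface is tun0, and "ip monitor route"
# prints one route change per line in the same format as "ip route".

LAN_GW="${LAN_GW:-192.168.1.1}"      # as in startup_routes.sh
TUN_IF="${TUN_IF:-tun0}"
LOG="${LOG:-/tmp/route-watchdog.log}"
DRY_RUN="${DRY_RUN:-0}"

# Print the device of a newly added default route through the LAN gateway
# that is not the tunnel; print nothing for anything else (deletions,
# tunnel routes, other prefixes). $1 = one "ip monitor route" line.
offending_route_dev() {
    printf '%s\n' "$1" | awk -v gw="$LAN_GW" -v tun="$TUN_IF" '
        $1 != "Deleted" && ($1 == "default" || $1 == "0.0.0.0/0") \
            && $2 == "via" && $3 == gw {
            dev = ""
            for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev != "" && dev != tun) print dev
        }'
}

# Log and remove an offending route. Returns 0 if the line was acted on,
# 1 if it was ignored. $1 = one "ip monitor route" line.
handle_route_event() {
    dev="$(offending_route_dev "$1")"
    [ -n "$dev" ] || return 1
    printf '%s LAN default route reappeared on %s, removing: %s\n' \
        "$(date '+%Y-%m-%dT%H:%M:%S')" "$dev" "$1" | tee -a "$LOG"
    [ "$DRY_RUN" = "1" ] && return 0
    sudo ip route del default via "$LAN_GW" dev "$dev"
}

if [ "${1:-}" = "--watch" ]; then
    # Follow route changes for as long as the tunnel is running.
    ip monitor route | while IFS= read -r line; do
        handle_route_event "$line" || true
    done
else
    # Stand-alone demo on constructed monitor lines (not captured output).
    DRY_RUN=1
    LOG=/dev/null
    for line in \
        'default via 192.168.1.1 dev eth0 proto dhcp metric 100' \
        'Deleted default via 192.168.1.1 dev eth0 proto dhcp metric 100' \
        '0.0.0.0/1 via 10.8.0.1 dev tun0'; do
        handle_route_event "$line" || echo "ignored: $line"
    done
fi
```

The log is the useful part: if the entries line up with the router's DHCP lease time, WGTR's suspicion is confirmed and the fix belongs in the DHCP client (or in the router, as the earlier posts suggest) rather than in the watchdog, which only limits the window during which the LAN route exists.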
The jersey rebel
Hazard to Self
Posts: 76
Registered: 27-5-2016
Location: Jersey Fresh

posted on 3-3-2019 at 13:52


Got some more stuff to add. For VPNs I'm switching to BoxPN, as recommended by an online friend of mine known as Shane Killian on his Bogosity podcast. He has an affiliate link. The company is registered in the Seychelles, so your data is about as safe as it gets, likely even more so than ExpressVPN, although Express is a very good option, arguably even better than Nord.

Also, please check this site out. It took my privacy protocol and put it into overdrive. I had to get a new system to support everything mentioned, as Lenovo machines are compromised and my puny dual-core X1 Carbon isn't gonna cut it for non-school applications.

https://www.privacytools.io/

Also, there are channels like "The Hated One" and "Techlore" who will walk you through the process of reducing your attack surface as much as possible. Qubes OS is what Snowden recommends. If you've got more than a quad-core system and more than 16GB of RAM, you should definitely consider it.

Also, replace closed-source with open-source software whenever possible. Proprietary software hides a lot of backdoors.

One thing I learned is that it's impossible to remove 100% of the attack surface, but that doesn't mean you can't get close. In fact, the strategy which has led to me avoiding being doxed or getting into all sorts of trouble is to make it so your internet traffic makes no sense, with the likes of makeinternetnoise, or is encrypted so heavily that the feds just can't decrypt it without retrieving a key in a data haven like the Seychelles or the British Virgin Islands.

One thing with Tor that makes it less than ideal is that it's NOT E2E encrypted. Darknets like I2P are E2E encrypted, but the drawback is that I2P can only access eepsites. However, this isn't that hard actually, as sites where people post their eepsites do exist, including threads on Reddit.

It's meant for advanced users though, so most privacy channels don't cover it.

TBH, for optimal privacy, I'd absolutely recommend just outright having separate PCs for each application. That way each system can be optimized for whatever it is that you wish to do; in my case, school, gaming, and P2P/archiving. So I got a privacy-buffed TS430 type 411 server running Ubuntu for things like P2P and archiving, an X1 Carbon for school, and soon I'll get a 9900K custom system from Ironside for gaming and online stuff, running Windows as well as Whonix, Qubes, Ubuntu, and Tails VMs using Oracle VirtualBox. The last thing you want is to have your Twitter account tied to your LinkedIn account, for instance.