And the BBC iPlayer got blocked as the BBC shut out swathes of VPN addresses in yet another attempt to monetise their media.
When will they realise that blocking the internet, trying to block encryption, geoip blocking and so on is just a path to madness? I have no problem with them checking my data if they suspect I have done something illegal, like making a bomb. But they can go through the normal channels and get a warrant to do so. I am innocent until proven guilty.
But with the way the law is going, we are all tarred as guilty, and should all be spied on. Orwellian.
Anyway, for a variety of reasons I wanted a cheap little VPN with a UK IP address.
After a bit of advice (and a referral to save me a few pounds) I got me a droplet over at www.digitalocean.com to act as server. I use all sorts of devices to connect including a Raspberry Pi as a simple VPN router for some kit I have.
As a systemd loather, I chose to install CentOS 6.x with openvpn, tinydns and dnscache, as I am familiar with them from my server of choice, Koozali SME Server. I could install squid/dansguardian etc. as well, but this suits my purpose for now.
Roughly speaking, this is how to do it. I'll add a note on the Raspberry Pi config in the next post.
# install wget
yum install wget
# Both release RPMs are fetched over plain http, so the transfer itself is not
# authenticated. NOTE(review): yum's localpkg_gpgcheck is off by default, so the
# localinstall below will not verify signatures on these local files either;
# check them against the repositories' published keys (rpm --checksig) first.
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
# Get epel & rpmforge repos
yum localinstall epel-release-6-8.noarch.rpm rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
# Add the webmin repo
# NOTE(review): the heredoc header and its target path were lost when this page
# was rendered; the block below belongs in a .repo file under /etc/yum.repos.d/.
# The section sets no explicit gpgcheck=1 / gpgkey=, so it relies on the global
# default in /etc/yum.conf — state it explicitly so the intent is visible.
cat <
[Webmin]
name=Webmin Distribution Neutral
#baseurl=http://download.webmin.com/download/yum
mirrorlist=http://download.webmin.com/download/yum/mirrorlist
enabled=1
EOF
# The signing key is fetched over plain http, i.e. trust on first use: compare
# its fingerprint with the one the Webmin project publishes before importing.
wget http://www.webmin.com/jcameron-key.asc
rpm --import jcameron-key.asc
# NOTE(review): the command in front of this package list (presumably
# "yum install") was lost in the page rendering.
mc openvpn wget mutt mailx man syslog traceroute nload iptraf vnstat webmin ntpdate bind-utils daemontools elinks ndjbdns htop
# Allow access to webmin with your own IPs
mcedit /etc/webmin/miniserv.conf
# Only the listed source addresses may talk to Webmin at all; 1.2.3.4 and
# 5.6.7.8 stand for your own static addresses. Treat this as a second line of
# defence behind the firewall rule for port 10000, not a replacement for it.
allow=127.0.0.1 1.2.3.4 5.6.7.8 LOCAL
# Sort the time out
Webmin - set timezone in System Time
# NOTE(review): the heredoc header and target file were lost in the page
# rendering — presumably this server list goes into the ntp configuration;
# confirm the path before running it.
cat <
server 0.uk.pool.ntp.org
server 1.uk.pool.ntp.org
server 2.uk.pool.ntp.org
server 3.uk.pool.ntp.org
EOF
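# Sort out ssh to prevent password access - make sure you add your keys
# Copy your public key up first (the doubled slash in the remote path is
# harmless; it still resolves to /root/.ssh/).
scp ~/.ssh/id_rsa.pub root@1.2.3.4://root/.ssh/id_rsa.pub.mykey
# sshd reads authorized_keys, not authorized_hosts, and the append (>>) was lost
# in the page rendering. Once PasswordAuthentication is off below, a key that
# never lands in this file locks you out — verify a key login from a second
# session before restarting sshd.
cat /root/.ssh/id_rsa.pub.mykey >> /root/.ssh/authorized_keys
# StrictModes (on by default) makes sshd ignore the file if it or ~/.ssh is
# writable by anyone else.
chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys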
# Change the default port please.
mcedit /etc/ssh/sshd_config
# Add these two lines to sshd_config. Make sure the firewall's ssh rule (in the
# iptables file further down) opens this same port before restarting sshd, or
# you lock yourself out. Moving the port only cuts scanner noise; the key-only
# login is what actually protects the account.
Port 2244
PasswordAuthentication no
# Sort out iptables - see the file below
# adjust your IPs/VPN accordingly in it
copy to /etc/sysconfig/iptables
# Add Openvpn module
# Webmin/Configuration/Add module
# NOTE(review): this third-party module is fetched over plain http and runs
# inside Webmin with root privileges; verify it against a checksum or
# signature from the publisher, if one is provided, before installing.
http://www.openit.it/downloads/OpenVPNadmin/openvpn-2.6.wbm.gz
# Bind dnscache to the tunnel address: only VPN clients need it, and the
# iptables file below never opens udp/53 on eth0, so this is not an open resolver.
mcedit /etc/ndjbdns/dnscache.conf
IP=192.168.x.1
# Entries in the ip/ directory name the client networks dnscache will answer;
# copying the 127.0.0.1 entry to 192.168.x admits the VPN subnet.
# NOTE(review): the destination here is a relative path — run this from inside
# /etc/ndjbdns/ip/ or spell out the full path, or the file lands in the cwd.
cp /etc/ndjbdns/ip/127.0.0.1 192.168.x
# Webmin adjust Bootup & shutdown - tinydns & dnscache
openvpn starts at S24 and dnscache at S20, which would start dnscache before the tunnel interface carrying its 192.168.x.1 address exists, so I set dnscache to S30
modify # chkconfig: - 30 80
Then run chkconfig dnscache off followed by chkconfig dnscache on, so the init links are recreated at the new priority.
# Webmin Openvpn - First sort your certs
New CA Authority
Make sure country code is two letters e.g. UK or ES
In CA list
VPN Server list select Keys List
New Server and generate key
# Get coffee
# Now
VPN List
New VPN Server
# Basic minimal settings
Management Yes 8876
Net Ip - your tunnel IP
Persist Yes
router client to client Yes
option cipher AES-256-CBC
user/group nobody
verb 5
tun-mtu 1500
fragment 1300
mssfix 1300
push "dhcp-option DNS 192.168.x.1"
push "route 192.168.x.0 255.255.255.0"
push "redirect-gateway def1"
Go back to CA list
Select Keys List
Add New key
Key Name - whatever
Pass - no
KeyServer Client
Go to VPN List, Client List
Add Client
# Then get your client certificates out and installed. Minimal ovpn file below
# Modify Logging for openvpn and iptables
mcedit /etc/openvpn/{your-server}.conf
# Status file for the running server. NOTE(review): /var/log/openvpn/ must
# exist — nothing on this page creates it — or the status and log files are
# never written.
status /var/log/openvpn/openvpn-status.log
# log-append servers/DigiDrop-SVR/logs/openvpn.log
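# Route the firewall's "IPTables-Dropped: " kernel messages into their own file.
touch /etc/rsyslog.d/10-iptables.conf
# The heredoc header was lost in the page rendering; the target is the file
# created just above. The delimiter is quoted so nothing in the rsyslog rule
# is expanded by the shell.
cat <<'EOF' > /etc/rsyslog.d/10-iptables.conf
:msg, startswith, "IPTables-Dropped: " -/var/log/iptables.log
& ~
EOF
# The leading "-" on the file name asks rsyslog for asynchronous writes; "& ~"
# discards the matched message so it is not duplicated in /var/log/messages
# (rsyslog 5 syntax as shipped with CentOS 6; newer releases use "& stop").
# Restart rsyslog afterwards (not shown on the page).
# NOTE(review): if nothing shows up in iptables.log, check whether the kernel
# message arrives with a leading space in msg; "contains" in place of
# "startswith" is the usual workaround.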
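# Send openvpn's syslog output to its own file.
touch /etc/rsyslog.d/20-ovpn.conf
# The heredoc header was lost in the page rendering; the target is the file
# created just above. The quoted delimiter matters here: "$template" and
# "$programname" are rsyslog directives and must reach the file literally
# instead of being expanded (to nothing) by the shell.
cat <<'EOF' > /etc/rsyslog.d/20-ovpn.conf
# Create a template for the vpn log location
$template OpenVPN,"/var/log/openvpn/openvpn.log"
if $programname startswith 'openvpn' then /var/log/openvpn/openvpn.log
& ~
EOF
# NOTE(review): the OpenVPN template is defined but the rule writes to the
# literal path; either reference the template ("then ?OpenVPN") or drop the
# $template line. /var/log/openvpn/ must exist beforehand (nothing on this page
# creates it). Restart rsyslog afterwards.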
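# Rotate the openvpn logs written by rsyslog.
touch /etc/logrotate.d/ovpn
# The heredoc header was lost in the page rendering; the delimiter is quoted so
# the shell leaves the contents (including the $(...) below) alone.
cat <<'EOF' > /etc/logrotate.d/ovpn
/var/log/openvpn/*.log {
weekly
size 100M
rotate 4
compress
delaycompress
missingok
notifempty
create 640 root root
sharedscripts
postrotate
/bin/kill -HUP $(cat /var/run/syslogd.pid 2> /dev/null) 2> /dev/null || true
endscript
}
EOF
# - create: the original "syslog adm" owner is the Debian/Ubuntu convention;
#   CentOS 6 has no syslog user and rsyslog runs as root, so logrotate would
#   abort on the unknown user (confirm with "id syslog" if you have added one).
# - postrotate: rsyslog keeps its descriptor on the renamed file, so without the
#   HUP openvpn.log stops growing after the first rotation; the pid file is the
#   one the stock CentOS syslog rotation signals.
# NOTE(review): when "size" is present logrotate rotates only once a file
# exceeds 100M and ignores "weekly" — confirm that is what you want.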
# Set DNS to OpenDNS if you want
# These resolvers are for the server's own lookups (the network scripts write
# them into resolv.conf). VPN clients are pointed at dnscache on 192.168.x.1 by
# the "dhcp-option DNS" push above, so this does not affect them.
/etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=208.67.222.222
DNS2=208.67.220.220
# And get beer :-)
----------------------------------
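# Generic ovpn for Android - add your keys in the relevant sections
client
dev tun
proto udp
remote 46.101.92.188 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
# Must match the server's "cipher" setting (AES-256-CBC above): a client/server
# cipher mismatch does not connect. BF-CBC, which this file had, is also a
# 64-bit block cipher and a poor choice for a long-lived tunnel.
cipher AES-256-CBC
# NOTE(review): compression must be configured identically on the server; the
# server settings listed above do not show comp-lzo — confirm.
comp-lzo
verb 3
#mute-replay-warnings
# NOTE(review): consider "remote-cert-tls server" so a leaked client
# certificate cannot be used to pose as the server; it requires the server
# certificate to carry the TLS server extended key usage — check how the
# Webmin module issued it.
# Paste the CA certificate, the client certificate and the client private key
# into their inline ca / cert / key sections; the section tags were lost in
# the page rendering.
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----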
----------------------------------
/etc/sysconfig/iptables
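# /etc/sysconfig/iptables
# Loaded by the iptables init script. Adjust 192.168.x.0/24 to the tunnel
# subnet pushed to clients, and 1.2.3.4 / 5.6.7.8 to the admin addresses you
# put in miniserv.conf.
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# NAT the VPN clients out of the public interface
-A POSTROUTING -s 192.168.x.0/24 -o eth0 -j MASQUERADE
# Pre Route OpenVPN
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
# Forwarding is wanted only between the tunnel and eth0, and the explicit tun+
# rules below allow exactly that, so the default is DROP rather than ACCEPT.
# (Routing between the two also needs net.ipv4.ip_forward=1, which nothing on
# this page sets — confirm.)
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
# Allow tunnel out forward
-A FORWARD -o tun+ -j ACCEPT
# Allow tunnel out
-A OUTPUT -o tun+ -j ACCEPT
# Allow tunnel in forward
-A FORWARD -i tun+ -j ACCEPT
# Allow tunnel in. This lets VPN clients reach every local service, including
# the OpenVPN management port configured in Webmin (8876) — bind that to
# 127.0.0.1 or filter it here.
-A INPUT -i tun+ -j ACCEPT
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# The former "--tcp-flags ACK ACK -j ACCEPT" and "--sport 53" rules are gone:
# connection tracking above already admits replies to our own connections and
# DNS queries, whereas those rules let any ACK-flagged segment, or any packet
# claiming source port 53, reach every port on the host.
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server — must match "Port" in sshd_config (2244 above)
-A INPUT -p tcp -m tcp --dport 2244 -j ACCEPT
# Allow connections to our IDENT server
# NOTE(review): no ident daemon is in the package list above; remove this rule
# unless you actually run one.
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Allow Webmin, but only from the admin addresses listed in miniserv.conf
-A INPUT -s 1.2.3.4 -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -s 5.6.7.8 -p tcp -m tcp --dport 10000 -j ACCEPT
# Allow OpenVPN
-A INPUT -p udp -m udp -i eth0 --dport 1194 -j ACCEPT
# Logging: everything else is rate-limited into the log and then dropped
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 2/sec -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
-A LOGGING -j DROP
COMMIT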