I have a buddy who doesn't know English, therefore he pleaded with me to post here on his behalf. I recommended that he get Perfect Privacy to anonymize the connections of his server, and he listened. He's having trouble configuring it, though.
Basically, this is what he wants his Debian 7 server to do:
to make connections through a Perfect Privacy VPN; (DONE!)
to have IP leak protection;
to have DNS leak protection;
to offer services (like FTP and SSH) directly, without him having to connect through a forwarded port of the VPN in order to access them;
to autoconnect to a VPN after booting the operating system.
Now... what he did is this:
He followed this tutorial:
https://www.perfect-privacy.com/howt...pn-with-linux/
He has a few .ovpn files here: /etc/NetworkManager/system-connections/. Example:
Code:
root@Debian7:/etc/NetworkManager/system-connections# cat Rotterdam2
[connection]
id=Rotterdam2
uuid=###########
type=vpn
[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
ta-dir=1
fragment-size=1300
connection-type=password-tls
password-flags=1
auth=SHA512
tunnel-mtu=1500
cipher=AES-256-CBC
comp-lzo=yes
remote=rotterdam2.perfect-privacy.org
cert-pass-flags=0
reneg-seconds=3600
port=1150
mssfix=yes
username=###########
cert=/root/info/openvpn-config/Rotterdam_cl.crt
ca=/root/info/openvpn-config/ca.crt
key=/root/info/openvpn-config/Rotterdam_cl.key
ta=/root/info/openvpn-config/Rotterdam_ta.key
[vpn-secrets]
cert-pass=###########
password=###########
[ipv4]
method=auto
He has this script in /etc/NetworkManager/dispatcher.d which he can run after starting the server in order to activate the VPN. It works. Because of this script, the server also reconnects to the VPN if the connection is dropped.
Code:
#!/bin/bash
# Bring the VPN up whenever the wired connection is active and the VPN is not.
CONNECTION_NAME="Ifupdown"
VPN_NAME="Rotterdam2"

# NetworkManager 0.9 (Debian 7) syntax: "nmcli con status" lists active connections
activ_con=$(nmcli con status | grep "${CONNECTION_NAME}")
activ_vpn=$(nmcli con status | grep "${VPN_NAME}")

# Wired connection present, VPN absent: start the VPN
if [ -n "${activ_con}" ] && [ -z "${activ_vpn}" ]; then
    nmcli con up id "${VPN_NAME}"
fi
How does he do the rest? He wants IP and DNS leak protection and he also wants to be able to connect directly to SSH or FTP, bypassing the VPN. All the replies will be greatly appreciated.
P.S. A few other configuration files from his server:
/etc/NetworkManager/NetworkManager.conf
Code:
[main]
plugins=ifupdown,keyfile
no-auto-default=42:11:0B:0A:33:0B,
[ifupdown]
managed=true
/etc/network/interfaces
Code:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug eth0
iface eth0 inet static
address ###.###.###.###
netmask ###.###.###.###
network ###.###.###.###
broadcast ###.###.###.###
gateway ###.###.###.###
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 8.8.4.4
dns-search domain.com
/etc/resolv.conf
Code:
# Generated by NetworkManager
search domain.com
nameserver ###.###.###.###
nameserver ###.###.###.###
nameserver 8.8.4.4
In this file, the first two servers seem to be put there automatically by Perfect Privacy.
/etc/NetworkManager/dispatcher.d/01ifupdown
Code:
#!/bin/sh -e
# Script to dispatch NetworkManager events
#
# Runs ifupdown scripts when NetworkManager fiddles with interfaces.
# See NetworkManager(8) for further documentation of the dispatcher events.

if [ -z "$1" ]; then
    echo "$0: called with no interface" 1>&2
    exit 1;
fi

if [ -n "$IP4_NUM_ADDRESSES" ] && [ "$IP4_NUM_ADDRESSES" -gt 0 ]; then
    ADDRESS_FAMILIES="$ADDRESS_FAMILIES inet"
fi

if [ -n "$IP6_NUM_ADDRESSES" ] && [ "$IP6_NUM_ADDRESSES" -gt 0 ]; then
    ADDRESS_FAMILIES="$ADDRESS_FAMILIES inet6"
fi

# If we have a VPN connection ignore the underlying IP address(es)
if [ "$2" = "vpn-up" ] || [ "$2" = "vpn-down" ]; then
    ADDRESS_FAMILIES=""
fi

if [ -n "$VPN_IP4_NUM_ADDRESSES" ] && [ "$VPN_IP4_NUM_ADDRESSES" -gt 0 ]; then
    ADDRESS_FAMILIES="$ADDRESS_FAMILIES inet"
fi

if [ -n "$VPN_IP6_NUM_ADDRESSES" ] && [ "$VPN_IP6_NUM_ADDRESSES" -gt 0 ]; then
    ADDRESS_FAMILIES="$ADDRESS_FAMILIES inet6"
fi

# We're probably bringing the interface down.
[ -n "$ADDRESS_FAMILIES" ] || ADDRESS_FAMILIES="inet"

# Fake ifupdown environment
export IFACE="$1"
export LOGICAL="$1"
export METHOD="NetworkManager"
export VERBOSITY="0"

for i in $ADDRESS_FAMILIES; do
    export ADDRFAM="$i"

    # Run the right scripts
    case "$2" in
        up|vpn-up)
            export MODE="start"
            export PHASE="post-up"
            run-parts /etc/network/if-up.d
            ;;
        down|vpn-down)
            export MODE="stop"
            export PHASE="post-down"
            run-parts /etc/network/if-post-down.d
            ;;
        # pre-up/pre-down not implemented. See
        # https://bugzilla.gnome.org/show_bug.cgi?id=387832
        # pre-up)
        #     export MODE="start"
        #     export PHASE="pre-up"
        #     run-parts /etc/network/if-pre-up.d
        #     ;;
        # pre-down)
        #     export MODE="stop"
        #     export PHASE="pre-down"
        #     run-parts /etc/network/if-down.d
        #     ;;
        hostname|dhcp4-change|dhcp6-change)
            # Do nothing
            ;;
        *)
            echo "$0: called with unknown action \`$2'" 1>&2
            exit 1
            ;;
    esac
done
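The three open items in the question (IP leak protection, DNS leak protection, and SSH/FTP reachable directly on the public address) are usually solved with an iptables "kill switch" plus one policy-routing rule. The script below is an added example, not code from the original post or from Perfect Privacy. It assumes the physical interface is eth0 and the tunnel is tun0, takes the endpoint and port from the Rotterdam2 keyfile above, and uses placeholder addresses from the documentation range for the server's public IP and gateway (replace them with the ###.###.###.### values from /etc/network/interfaces). With DRY_RUN=1 it only prints the commands it would run, so it can be previewed without root.

```shell
#!/bin/bash
# Added example (not from the original post): VPN kill switch + policy routing
# for a Debian 7 server. Outbound traffic may only use the tunnel, except the
# OpenVPN handshake itself and replies from the directly served ports; DNS can
# never leave over the physical interface. Anything else that tries to bypass
# the tunnel is logged and dropped.
# Assumptions: eth0 = physical NIC, tun0 = VPN, public IP / gateway are
# placeholders. DRY_RUN=1 prints the commands instead of executing them.

WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
VPN_HOST="${VPN_HOST:-rotterdam2.perfect-privacy.org}"   # from the keyfile
VPN_PORT="${VPN_PORT:-1150}"                              # from the keyfile
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # placeholder: server's eth0 address
WAN_GW="${WAN_GW:-203.0.113.1}"          # placeholder: gateway from interfaces(5)
DIRECT_PORTS="${DIRECT_PORTS:-22 21}"    # SSH and FTP control port, served directly
RT_TABLE="${RT_TABLE:-100}"              # extra routing table for replies via eth0
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Resolve the VPN endpoint once, before DNS over eth0 is blocked.
resolve_vpn_ip() {
    getent hosts "$VPN_HOST" | awk '{ print $1; exit }'
}

# Outbound policy: tunnel or nothing, with the listed exceptions.
firewall_rules() {
    local vpn_ip="$1" p
    run iptables -F OUTPUT
    run iptables -P OUTPUT DROP
    run iptables -A OUTPUT -o lo -j ACCEPT
    run iptables -A OUTPUT -o "$VPN_IF" -j ACCEPT
    # The OpenVPN handshake itself has to leave over eth0.
    run iptables -A OUTPUT -o "$WAN_IF" -p udp -d "$vpn_ip" --dport "$VPN_PORT" -j ACCEPT
    # Replies from the directly served ports may leave over eth0.
    for p in $DIRECT_PORTS; do
        run iptables -A OUTPUT -o "$WAN_IF" -p tcp --sport "$p" -m state --state ESTABLISHED -j ACCEPT
    done
    # Everything else (including DNS) headed for eth0 is logged, then hits the
    # DROP policy; "VPN-LEAK" lines in /var/log/kern.log show what would have leaked.
    run iptables -A OUTPUT -o "$WAN_IF" -j LOG --log-prefix "VPN-LEAK " --log-level 4
    # No IPv6 on this box: close it rather than let it bypass the tunnel.
    run ip6tables -P OUTPUT DROP
    run ip6tables -A OUTPUT -o lo -j ACCEPT
}

# Replies sourced from the public address must go out via the eth0 gateway,
# even while OpenVPN has moved the main default route into the tunnel.
routing_rules() {
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$RT_TABLE"
    if [ "$DRY_RUN" = "1" ] || ! ip rule show | grep -q "from $PUBLIC_IP lookup $RT_TABLE"; then
        run ip rule add from "$PUBLIC_IP" lookup "$RT_TABLE" priority 1000
    fi
}

main() {
    local vpn_ip
    vpn_ip=$(resolve_vpn_ip)
    if [ -z "$vpn_ip" ]; then
        echo "cannot resolve $VPN_HOST; refusing to install rules" 1>&2
        return 1
    fi
    firewall_rules "$vpn_ip"
    routing_rules
}

case "${1:-}" in
    apply) main ;;          # install the rules (run as root)
    show)  DRY_RUN=1 main ;; # preview the commands only
esac
```

Run it with `show` to preview and `apply` as root. Two caveats follow from the design: once the rules are in place, nothing on eth0 can resolve names, so NetworkManager can no longer look up `remote=rotterdam2.perfect-privacy.org` on reconnect; the simplest fix is to put the endpoint's IP address in `remote=` instead of the hostname (the script resolves it once itself). And the `--sport` exceptions only cover the FTP control connection; passive-mode data ports need to be added to DIRECT_PORTS (or served over the VPN's forwarded port). For the DNS side, the `dns-nameservers 8.8.4.4` line in /etc/network/interfaces should go, so that /etc/resolv.conf only carries the resolvers pushed through the tunnel; with the firewall above a lookup to 8.8.4.4 would time out and show up as a VPN-LEAK log line rather than leave the box.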