Please help my buddy configure his server!

uhonhon · 12-25-2014, 05:04 PM

I have a buddy who doesn't know English, therefore he pleaded with me to post here on his behalf. I recommended him to get Perfect Privacy to anonymize the connections of his server and he listened. He's having trouble configuring though.

Basically, that's what he wants his Debian 7 server to do:
to make connections through a Perfect Privacy VPN; (DONE!)
to have IP leak protection;
to have DNS leak protection;
to offer services (like FTP and SSH) directly, without him having to connect through a forwarded port of the VPN in order to access them;
to autoconnect to a VPN after booting the operating system.

Now... what he did is this:
He followed this tutorial: https://www.perfect-privacy.com/howt...pn-with-linux/
He has a few .ovpn files here: /etc/NetworkManager/system-connections/. Example:

Code:

root@Debian7:/etc/NetworkManager/system-connections# cat Rotterdam2
[connection]
id=Rotterdam2
uuid=###########
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
ta-dir=1
fragment-size=1300
connection-type=password-tls
password-flags=1
auth=SHA512
tunnel-mtu=1500
cipher=AES-256-CBC
comp-lzo=yes
remote=rotterdam2.perfect-privacy.org
cert-pass-flags=0
reneg-seconds=3600
port=1150
mssfix=yes
username=###########
cert=/root/info/openvpn-config/Rotterdam_cl.crt
ca=/root/info/openvpn-config/ca.crt
key=/root/info/openvpn-config/Rotterdam_cl.key
ta=/root/info/openvpn-config/Rotterdam_ta.key

[vpn-secrets]
cert-pass=###########
password=###########

[ipv4]
method=auto

He has this script in /etc/NetworkManager/dispatcher.d which he can run after starting the server in order to activate the VPN. It works. Because of this script, the server also reconnects to the VPN if the connection is dropped.

Code:

#! /bin/bash

CONNECTION_NAME="Ifupdown"
VPN_NAME="Rotterdam2"

activ_con=$(nmcli con status | grep "${CONNECTION_NAME}")
activ_vpn=$(nmcli con status | grep "${VPN_NAME}")
if [ "${activ_con}" -a ! "${activ_vpn}" ];
then
    nmcli con up id "${VPN_NAME}"
fi

How does he do the rest? He wants IP and DNS leak protection and he also wants to be able to connect directly to SSH or FTP, bypassing the VPN. All the replies will be greatly appreciated.

P.S. A few other configuration files from his server:
/etc/NetworkManager/NetworkManager.conf

Code:

[main]
plugins=ifupdown,keyfile

no-auto-default=42:11:0B:0A:33:0B,

[ifupdown]
managed=true

/etc/network/interfaces

Code:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
 address ###.###.###.###
 netmask ###.###.###.###
 network ###.###.###.###
 broadcast ###.###.###.###
 gateway ###.###.###.###
 # dns-* options are implemented by the resolvconf package, if installed
 dns-nameservers 8.8.4.4
 dns-search domain.com

/etc/resolv.conf

Code:

# Generated by NetworkManager
search domain.com
nameserver ###.###.###.###
nameserver ###.###.###.###
nameserver 8.8.4.4

In this file, the first two servers seem to be put there automatically by Perfect Privacy.

/etc/NetworkManager/dispatcher.d/01ifupdown

Code:

#!/bin/sh -e
# Script to dispatch NetworkManager events
#
# Runs ifupdown scripts when NetworkManager fiddles with interfaces.
# See NetworkManager(8) for further documentation of the dispatcher events.

if [ -z "$1" ]; then
    echo "$0: called with no interface" 1>&2
    exit 1;
fi

if [ -n "$IP4_NUM_ADDRESSES" ] && [ "$IP4_NUM_ADDRESSES" -gt 0 ]; then
   ADDRESS_FAMILIES="$ADDRESS_FAMILIES inet"
fi
if [ -n "$IP6_NUM_ADDRESSES" ] && [ "$IP6_NUM_ADDRESSES" -gt 0 ]; then
   ADDRESS_FAMILIES="$ADDRESS_FAMILIES inet6"
fi

# If we have a VPN connection ignore the underlying IP address(es)
if [ "$2" = "vpn-up" ] || [ "$2" = "vpn-down" ]; then
   ADDRESS_FAMILIES=""
fi

if [ -n "$VPN_IP4_NUM_ADDRESSES" ] && [ "$VPN_IP4_NUM_ADDRESSES" -gt 0 ]; then
   ADDRESS_FAMILIES="$ADDRESS_FAMILIES inet"
fi
if [ -n "$VPN_IP6_NUM_ADDRESSES" ] && [ "$VPN_IP6_NUM_ADDRESSES" -gt 0 ]; then
   ADDRESS_FAMILIES="$ADDRESS_FAMILIES inet6"
fi

# We're probably bringing the interface down.
[ -n "$ADDRESS_FAMILIES" ] || ADDRESS_FAMILIES="inet"

# Fake ifupdown environment
export IFACE="$1"
export LOGICAL="$1"
export METHOD="NetworkManager"
export VERBOSITY="0"

for i in $ADDRESS_FAMILIES; do

    export ADDRFAM="$i"

    # Run the right scripts
    case "$2" in
        up|vpn-up)
            export MODE="start"
            export PHASE="post-up"
            run-parts /etc/network/if-up.d
            ;;
        down|vpn-down)
            export MODE="stop"
            export PHASE="post-down"
            run-parts /etc/network/if-post-down.d
            ;;
# pre-up/pre-down not implemented. See
# https://bugzilla.gnome.org/show_bug.cgi?id=387832
#        pre-up)
#            export MODE="start"
#            export PHASE="pre-up"
#            run-parts /etc/network/if-pre-up.d
#            ;;
#        pre-down)
#            export MODE="stop"
#            export PHASE="pre-down"
#            run-parts /etc/network/if-down.d
#            ;;
        hostname|dhcp4-change|dhcp6-change)
            # Do nothing
            ;;
        *)
            echo "$0: called with unknown action \`$2'" 1>&2
            exit 1
            ;;
    esac
done

unSpawn · 12-26-2014, 10:24 AM

Quote:

Originally Posted by uhonhon

(..) I recommended him to get Perfect Privacy to anonymize the connections of his server and he listened.

So for no disclosed reasons you "recommended" a service that doesn't offer free trials, which purportedly offers "good security" and "don’t log user activity" (as in words but no proof), which gets mixed reviews wrt customer service (including refunding), locations offered and speed and isn't cheap to boot?.. None of my business but I sure won't pass up on the opportunity...

Quote:

Originally Posted by uhonhon

He wants IP and DNS leak protection and

All non-local device traffic should be routed through the VPN tunnel. Achieve that by enabling only the IP Suite protocols you need (you prolly don't want or need IPv6), configuring /etc/resolv.conf to use the DNS servers you want (maybe the VPN providers, maybe Google DNS and such but not ISP DNS), configure routes and firewall to drop any traffic from / to external hosts that tries to bypass the tunnel and configuring traffic to be dropped once the VPN connection is severed (indeed: ifupdown hooks). Bonus points for actually testing the connection regularly and monitoring changes in routing or traffic. See https://openvpn.net/howto.html for basic documentation and https://wiki.debian.org/OpenVPN for anything Debian.

Quote:

Originally Posted by uhonhon

he also wants to be able to connect directly to SSH or FTP, bypassing the VPN.

That's different compared to the "to offer services" phrase you used before. Anyway, ensure ports TCP/20,21,22 and their related/established connections are not forwarded through the VPN tunnel. Obviously that counts as IP and DNS leakage, ROTFL.