Old 12-25-2014, 05:04 PM   #1
uhonhon
LQ Newbie
 
Registered: Dec 2014
Posts: 1

Please help my buddy configure his server!


I have a buddy who doesn't know English, so he pleaded with me to post here on his behalf. I recommended that he get Perfect Privacy to anonymize the connections of his server and he listened. He's having trouble configuring it, though.

Basically, this is what he wants his Debian 7 server to do:
to make connections through a Perfect Privacy VPN; (DONE!)
to have IP leak protection;
to have DNS leak protection;
to offer services (like FTP and SSH) directly, without him having to connect through a forwarded port of the VPN in order to access them;
to autoconnect to a VPN after booting the operating system.

Now... what he did is this:
He followed this tutorial: https://www.perfect-privacy.com/howt...pn-with-linux/
He has a few .ovpn files here: /etc/NetworkManager/system-connections/. Example:
Code:
root@Debian7:/etc/NetworkManager/system-connections# cat Rotterdam2
[connection]
id=Rotterdam2
uuid=###########
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
ta-dir=1
fragment-size=1300
connection-type=password-tls
password-flags=1
auth=SHA512
tunnel-mtu=1500
cipher=AES-256-CBC
comp-lzo=yes
remote=rotterdam2.perfect-privacy.org
cert-pass-flags=0
reneg-seconds=3600
port=1150
mssfix=yes
username=###########
cert=/root/info/openvpn-config/Rotterdam_cl.crt
ca=/root/info/openvpn-config/ca.crt
key=/root/info/openvpn-config/Rotterdam_cl.key
ta=/root/info/openvpn-config/Rotterdam_ta.key

[vpn-secrets]
cert-pass=###########
password=###########

[ipv4]
method=auto
He has this script in /etc/NetworkManager/dispatcher.d which he can run after starting the server in order to activate the VPN. It works. Because of this script, the server also reconnects to the VPN if the connection is dropped.
Code:
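#!/bin/bash
# NetworkManager dispatcher hook: bring the VPN up whenever the base
# connection is active but the VPN is not (this also covers reconnects).

CONNECTION_NAME="Ifupdown"
VPN_NAME="Rotterdam2"

# Lines of "nmcli con status" (active connections) that match each name
activ_con=$(nmcli con status | grep "${CONNECTION_NAME}")
activ_vpn=$(nmcli con status | grep "${VPN_NAME}")
if [ -n "${activ_con}" ] && [ -z "${activ_vpn}" ]; then
    nmcli con up id "${VPN_NAME}"
fi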
How does he do the rest? He wants IP and DNS leak protection and he also wants to be able to connect directly to SSH or FTP, bypassing the VPN. All the replies will be greatly appreciated.





P.S. A few other configuration files from his server:
/etc/NetworkManager/NetworkManager.conf
Code:
[main]
plugins=ifupdown,keyfile

no-auto-default=42:11:0B:0A:33:0B,

[ifupdown]
managed=true


/etc/network/interfaces
Code:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
 address ###.###.###.###
 netmask ###.###.###.###
 network ###.###.###.###
 broadcast ###.###.###.###
 gateway ###.###.###.###
 # dns-* options are implemented by the resolvconf package, if installed
 dns-nameservers 8.8.4.4
 dns-search domain.com


/etc/resolv.conf
Code:
# Generated by NetworkManager
search domain.com
nameserver ###.###.###.###
nameserver ###.###.###.###
nameserver 8.8.4.4
In this file, the first two servers seem to be put there automatically by Perfect Privacy.



/etc/NetworkManager/dispatcher.d/01ifupdown
Code:
#!/bin/sh -e
# Script to dispatch NetworkManager events
#
# Runs ifupdown scripts when NetworkManager fiddles with interfaces.
# See NetworkManager(8) for further documentation of the dispatcher events.

if [ -z "$1" ]; then
    echo "$0: called with no interface" 1>&2
    exit 1;
fi

if [ -n "$IP4_NUM_ADDRESSES" ] && [ "$IP4_NUM_ADDRESSES" -gt 0 ]; then
   ADDRESS_FAMILIES="$ADDRESS_FAMILIES inet"
fi
if [ -n "$IP6_NUM_ADDRESSES" ] && [ "$IP6_NUM_ADDRESSES" -gt 0 ]; then
   ADDRESS_FAMILIES="$ADDRESS_FAMILIES inet6"
fi

# If we have a VPN connection ignore the underlying IP address(es)
if [ "$2" = "vpn-up" ] || [ "$2" = "vpn-down" ]; then
   ADDRESS_FAMILIES=""
fi

if [ -n "$VPN_IP4_NUM_ADDRESSES" ] && [ "$VPN_IP4_NUM_ADDRESSES" -gt 0 ]; then
   ADDRESS_FAMILIES="$ADDRESS_FAMILIES inet"
fi
if [ -n "$VPN_IP6_NUM_ADDRESSES" ] && [ "$VPN_IP6_NUM_ADDRESSES" -gt 0 ]; then
   ADDRESS_FAMILIES="$ADDRESS_FAMILIES inet6"
fi

# We're probably bringing the interface down.
[ -n "$ADDRESS_FAMILIES" ] || ADDRESS_FAMILIES="inet"

# Fake ifupdown environment
export IFACE="$1"
export LOGICAL="$1"
export METHOD="NetworkManager"
export VERBOSITY="0"

for i in $ADDRESS_FAMILIES; do

    export ADDRFAM="$i"

    # Run the right scripts
    case "$2" in
        up|vpn-up)
            export MODE="start"
            export PHASE="post-up"
            run-parts /etc/network/if-up.d
            ;;
        down|vpn-down)
            export MODE="stop"
            export PHASE="post-down"
            run-parts /etc/network/if-post-down.d
            ;;
# pre-up/pre-down not implemented. See
# https://bugzilla.gnome.org/show_bug.cgi?id=387832
#        pre-up)
#            export MODE="start"
#            export PHASE="pre-up"
#            run-parts /etc/network/if-pre-up.d
#            ;;
#        pre-down)
#            export MODE="stop"
#            export PHASE="pre-down"
#            run-parts /etc/network/if-down.d
#            ;;
        hostname|dhcp4-change|dhcp6-change)
            # Do nothing
            ;;
        *)
            echo "$0: called with unknown action \`$2'" 1>&2
            exit 1
            ;;
    esac
done
 
Old 12-26-2014, 10:24 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by uhonhon
(..) I recommended him to get Perfect Privacy to anonymize the connections of his server and he listened.
So for no disclosed reasons you "recommended" a service that doesn't offer free trials, which purportedly offers "good security" and "don't log user activity" (as in words but no proof), which gets mixed reviews wrt customer service (including refunding), locations offered and speed and isn't cheap to boot?.. None of my business but I sure won't pass up on the opportunity...


Quote:
Originally Posted by uhonhon
He wants IP and DNS leak protection and
All non-local device traffic should be routed through the VPN tunnel. Achieve that by enabling only the IP Suite protocols you need (you prolly don't want or need IPv6), configuring /etc/resolv.conf to use the DNS servers you want (maybe the VPN providers, maybe Google DNS and such but not ISP DNS), configure routes and firewall to drop any traffic from / to external hosts that tries to bypass the tunnel and configuring traffic to be dropped once the VPN connection is severed (indeed: ifupdown hooks). Bonus points for actually testing the connection regularly and monitoring changes in routing or traffic. See https://openvpn.net/howto.html for basic documentation and https://wiki.debian.org/OpenVPN for anything Debian.


Quote:
Originally Posted by uhonhon
he also wants to be able to connect directly to SSH or FTP, bypassing the VPN.
That's different compared to the "to offer services" phrase you used before. Anyway, ensure ports TCP/20,21,22 and their related/established connections are not forwarded through the VPN tunnel. Obviously that counts as IP and DNS leakage, ROTFL.
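
One way to express the drop-anything-outside-the-tunnel firewall and the direct SSH/FTP exception described in the reply above, as an added example that is not part of the thread. Port 1150 and eth0 come from the first post; tun0, routing table 100, UDP transport and the 198.51.100.x / 203.0.113.x documentation addresses (standing in for the masked ones) are assumptions, and FTP data connections additionally need the kernel's conntrack FTP helper loaded to be seen as RELATED.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed values: tun0, table 100,
# udp, and the 198.51.100.x / 203.0.113.x documentation addresses.

# Print an iptables-restore ruleset: default deny, egress only via the tunnel.
# args: wan_if vpn_if public_ip vpn_server_ip vpn_port vpn_proto
gen_killswitch() {
    wan=$1; vpn=$2; pub=$3; srv=$4; port=$5; proto=$6
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# The only connection this host may open on $wan: the OpenVPN session
-A OUTPUT -o $wan -d $srv -p $proto --dport $port -j ACCEPT
# Replies to clients that connected to the real address (never NEW traffic)
-A OUTPUT -o $wan -s $pub -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Direct FTP/SSH on the real address, the ports named in the thread
-A INPUT -i $wan -p tcp -m multiport --dports 20,21,22 -m conntrack --ctstate NEW -j ACCEPT
# Everything else, DNS included, leaves through $vpn or is dropped
-A OUTPUT -o $vpn -j ACCEPT
-A INPUT -i $vpn -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Print policy-routing commands so replies sourced from the public address
# use the real gateway instead of the VPN default route.
# args: wan_if public_ip gateway table
gen_bypass_routes() {
    echo "ip route replace default via $3 dev $1 table $4"
    echo "ip rule add from $2 lookup $4"
}

# Egress device from one line of "ip route get <addr>" output, for a periodic
# check that a resolver such as 8.8.4.4 is still routed through the tunnel.
route_dev() {
    echo "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Demo with constructed values: review the output before loading it.
gen_killswitch eth0 tun0 203.0.113.5 198.51.100.10 1150 udp
gen_bypass_routes eth0 203.0.113.5 203.0.113.1 100
```

Because the OUTPUT policy is DROP and the only unrestricted egress rule names the tunnel interface, traffic stops rather than falling back to eth0 when the VPN drops; the VPN server must be given by address, since its hostname cannot be resolved while the tunnel is down.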
 
  

