Link Search Menu Expand Document

Making your own VPN & Socks Tunnel

Table of contents

Making your own VPN server

Prerequisites

  1. A running server
  2. Networking firewall - ensure SSH/22, UDP/443, TCP/80,443, 9418 (for git://) is open and whitelisted the client IP
  3. A strong ssh public key ssh-keygen -t rsa -b 4096

Server configuration

  • apt-get update && apt-get upgrade ensure server is up to date

  • Change root to user:

useradd -G sudo -m ella -s /bin/bash
passwd ella
  • Log out as root and log in as ella
ssh-copy-id -i ~/.ssh/id_rsa [email protected]
    # ssh-copy-id in my case didn't work as it should. 
    # Manual workaround: copy `~/.ssh/authorized_keys` file from root, 
    # then paste to user level (`su - ella`)
  • Edit sshd config file: vim /etc/ssh/sshd_config
Port 22 
    # change to other ports (any port instead of 22)
PermitRootLogin no
PasswordAuthentication no
    # ensure aboves are set to no
  • Restart sshd: sudo systemctl restart sshd

  • From local machine (using port 88): ssh -i ~/.ssh/id_rsa [email protected] -p 88

  • Create a ssh config file: vim ~/.ssh/config for easier command line, add below content

Host ellavpn
        User ella
        port 88
        IdentityFile ~/.ssh/id_rsa
        HostName 192.168.0.1
  • Use ssh ellavpn to ssh into the VM

openVPN installation on server

  • Install wget: sudo apt install wget

  • Download openVPN: wget https://github.com/Nyr/openvpn-install/raw/master/openvpn-install.sh

  • Install openVPN sudo bash openvpn-install.sh

Questions: 
    1. Which IPv4 address should be used? 
        # select 1, the public ipv4 of the VM
    2. Which protocol should OpenVPN use?
        # enter nothing 
    3. What port should OpenVPN listen to?
        # default is port 1194, change it to 443 or any port 
    4. Select a DNS server for the clients:
        # choose whichever one
    5. Enter a name for the first client:
        # whatever name, ellavpn-client
  • Once installed, it creates a .ovpn file under the root directory by default.
/root/ellavpn-client.ovpn
  • Move this file to user level directory, and give the privilege:
su - ella
    # ensure using user instead of root 
sudo mv /root/ellavpn-client.ovpn .
    # move .ovpn file from /root to /ella 
sudo chown ella ellavpn-client.ovpn 
ls -all

openVPN configuration on server

sudo vim /etc/openvpn/server/server.conf
    # to disable the logs 
    > Edit `verb 3` to `verb 0` 
sudo systemctl restart [email protected]
sudo hostnamectl set-hostname ellavpn
    # to change the hostname to `ellavpn` 

Download the .ovpn file from server to client

sftp ellavpn 
Connected to ellavpn.
sftp> get ellavpn-client.ovpn
Fetching /home/ella/ellavpn-client.ovpn to ellavpn-client.ovpn  
sftp> exit

Enable 2FA on the VM

  • Install: sudo apt install libpam-google-authenticator

  • Run: google-authenticator, follow screen output. You will need an Authenticator not limited to Google, any would do. Once you complete all questionnaires, copy the recovery codes.

Do you want me to update your "/home/ewho/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) n

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) n

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y

2FA configuration

  • Run: sudo vim /etc/pam.d/sshd
@include common-auth
    # comment out this line 
auth required pam_google_authenticator.so
    # add this line to the last line
  • Modify sshd file: sudo vim /etc/ssh/sshd_config
KbdInteractiveAuthentication yes
ChallengeResponseAuthentication yes
    # add this line just below above
*** ***
UsePAM yes
    # change to yes
AuthenticationMethods publickey,keyboard-interactive
    # add this line below UsePAM    
    # Or, use any: `AuthenticationMethods any`
  • Restart sshd: sudo systemctl restart sshd

  • Don’t close terminal, open a new terminal to login, you will be prompt with Verification code: , just in case you don’t lock yourself out.

Automated updates & upgrades on VM

  • Install: sudo apt install unattended-upgrades apt-listchanges bsd-mailx

  • Security updates: sudo dpkg-reconfigure -plow unattended-upgrades

  • Configuration: sudo vim /etc/apt/apt.conf.d/50unattended-upgrades, edit with below:

Unattended-Upgrade::Mail "[email protected]";
    # add your email when receiving notification for updates
Unattended-Upgrade::Automatic-Reboot "true";
    # change false to true for automatic reboot 
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
    # reboot time -> 2am 
Unattended-Upgrade::Remove-Unused-Dependencies "true";
    # change false to true to auto delete unused dependencies
  • Run auto update & upgrade: sudo unattended-upgrades --dry-run

Optional - Using mosh instead of ssh

sudo pacman -S mosh 
    # or, `brew install mosh`
    # install on local machine
    # If pacman not found, do `brew install pacman4console`
sudo apt install mosh 
    # install on server
  • After installation, use mosh ellavpn to login instead of ssh ellavpn.

Run openVPN on MacOS

Add VPN configuration file .ovpn to MacOS, here I used Tunnelblick: https://tunnelblick.net/

  1. Download & install Tunnelblick
  2. Drag and drop ellavpn-client.ovpn file to the tunnelblick icon in the top right bar
  3. Click connect

Socks Tunnel

Prerequisites

  1. A working remote server
  2. Public SSH key is added to the server

Setting up the tunnel

ssh -i ~/.ssh/id_rsa -D 1337 -f -C -q -N [email protected]
  • -i: The path to the SSH key to be used to connect to the host
  • -D: Tells SSH that we want a SOCKS tunnel on the specified port number (you can choose a number between 1025 and 65536)
  • -f: Forks the process to the background
  • -C: Compresses the data before sending it
  • -q: Uses quiet mode
  • -N: Tells SSH that no command will be sent once the tunnel is up

Checking the tunnel is running

ps aux | grep ssh

outputs:

Output
root   14345   0.0  0.0  2462228    452   ??  Ss    6:43AM   0:00.00 ssh -i ~/.ssh/id_rsa -D 1337 -f -C -q -N [email protected]

Terminate tunnel

kill 14345

Enabling SOCK5 proxy on Firefox

  • Open Firefox > Settings > General > Network Settings

Firefox-SOCKS5