Setup OpenVPN in Ubuntu

I recently installed a PC running Ubuntu on an encrypted drive. The next step was to use a VPN provider to anonymize it a bit.

I first used the Network Manager to configure and run the VPN, but I was a bit confused by the GUI, and wanted to customize the VPN a bit more. Moreover, Network Manager stores its settings under /etc/NetworkManager/system-connections in a binary format that I couldn't edit.

Finally I used the instructions from IPredator for Debian and added the following to make sure the DNS would also get updated:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

I finally ran OpenVPN by hand:

sudo openvpn --config IPredator.conf

And I did the sanity checks:

# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
         inet addr:93.182.184.48  P-t-P:93.182.184.48  Mask:255.255.255.128
         UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
         RX packets:7 errors:0 dropped:0 overruns:0 frame:0
         TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:100 
         RX bytes:336 (336.0 B)  TX bytes:456 (456.0 B)
# ip route show
93.182.184.2 via 10.211.55.1 dev eth0 
93.182.184.0/25 dev tun0  proto kernel  scope link  src 93.182.184.48 
10.211.55.0/24 dev eth0  proto kernel  scope link  src 10.211.55.8 
0.0.0.0/1 via 93.182.184.1 dev tun0 
128.0.0.0/1 via 93.182.184.1 dev tun0 
default via 10.211.55.1 dev eth0
# cat /etc/resolv.conf
nameserver 93.182.132.32
nameserver 93.182.182.93
nameserver 127.0.1.1
search ipredator.se

For added security, I wanted to force the use of the VPN, and block all other traffic. If the VPN dropped, no traffic would go through the plain unencrypted network. I installed firestarter for that (I know, firestarter is for noobs, I should have used iptables).

  • Install firestarter
      sudo apt-get install firestarter
  • Allow traffic on the openvpn virtual interface
      gksudo gedit /etc/firestarter/user-pre
  • Append the following text to /etc/firestarter/user-pre and save.
      $IPT -A INPUT -i tun+ -j ACCEPT
      $IPT -A OUTPUT -o tun+ -j ACCEPT
  • Restart firestarter
      sudo /etc/init.d/firestarter restart
  • Run Firestarter, a wizard should pop up
  • Select Ethernet connection (not tunnel connection) as the internet connected network
  • Keep the standard options, then go to the main GUI
  • Choose Policy, Editing, Outbound traffic policy
  • Choose "Restrictive by default, whitelist traffic."
  • Allow service OpenVPN, port 1194 for All
  • Validate

When your openvpn connection drops you will not be able to access the net while the firewall is activated. If you wish to connect to the net without openvpn just press the "stop firewall" button within firestarter.
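
The same kill switch expressed directly in iptables, as an added example that is not part of the original post. It assumes UDP transport, eth0 as the physical interface, and takes 93.182.184.2 (the only host routed via eth0 in the output above) to be the VPN server; the function name killswitch_rules is made up for the example.

```sh
#!/bin/sh
# Added example (not from the original post): the kill switch as an
# iptables-restore ruleset instead of Firestarter policies.
# Assumptions: UDP transport; eth0 is the physical interface; 93.182.184.2
# is the VPN server (the only host routed via eth0 in "ip route show" above).
# IPv4 only: IPv6 needs its own ip6tables rules. No rule here permits LAN
# or DHCP traffic on the physical interface.

# killswitch_rules PHYS_IF SERVER_IP PORT PROTO  (hypothetical helper name)
# Prints the ruleset on stdout; nothing is applied to the running system.
# The body runs in a subshell, so "exit" only leaves the function.
killswitch_rules() (
    phys_if=$1 server_ip=$2 port=$3 proto=$4

    # Require a literal address: resolving a hostname needs DNS before the
    # tunnel is up, and that lookup is exactly what these rules drop.
    case $server_ip in
        ''|*[!0-9.]*) echo "server must be an IPv4 address" >&2; exit 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; exit 1 ;;
    esac
    case $proto in
        udp|tcp) ;;
        *) echo "proto must be udp or tcp" >&2; exit 1 ;;
    esac

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -o $phys_if -d $server_ip -p $proto --dport $port -j ACCEPT
-A INPUT -i $phys_if -s $server_ip -p $proto --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
)

# Print the rules for review; to load them: sh killswitch.sh | sudo iptables-restore
killswitch_rules eth0 93.182.184.2 1194 udp
```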
