bash hack for creating dynamic VPN chains in Debian

Discussion in 'privacy technology' started by mirimir, Nov 14, 2019.

  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,981
    I've come up with a bash hack for creating dynamic VPN chains in a Debian router with DHCP. There's an infinite while loop script which:
    • terminates all openvpn processes
    • uses shuf to randomly select a VPN server IPv4 from each of two lists (vpns0 and vpns1)
    • writes an iptables ruleset for the VPN chain, and restores it
    • writes an init script for each VPN server, which tweaks routing before connecting
    • connects to the first VPN server, and waits five seconds
    • connects to the second VPN server, and waits 15 seconds
    • pings 1.1.1.1 via the second VPN
    • if there's a response, waits 10 minutes, and then restarts the loop
    • otherwise restarts the loop immediately
    The ip6tables ruleset drops everything.

    The iptables ruleset for each VPN chain:
    • allows traffic only to vpn0 via enp0s3
    • allows traffic only to vpn1 via tun0
    • forwards enp0s8 via tun1 with masquerade
    Each vpn0 init script:
    • deletes routes for 0.0.0.0/1 and 128.0.0.0/1
    • adds a route for vpn0 via enp0s3
    • starts openvpn with vpn0.conf
    Each vpn1 init script:
    • deletes routes for 0.0.0.0/1 and 128.0.0.0/1
    • adds a route for vpn1 via tun0
    • starts openvpn with vpn1.conf
    It's at https://github.com/mirimir/vpnchains/.

    You get nested VPN chains, as with https://www.ivpn.net/privacy-guides/advanced-privacy-and-anonymity-part-1. However, there's no OS-level isolation between OpenVPN processes. While that's arguably less secure, it uses less resources. And it also facilitates changing the VPN chain periodically. So it's more like Tor. And without the forwarding and DHCP, the scripts could be used in a single machine or VM. Less secure still, but much lighter.

    The basic idea for this came from https://github.com/TensorTom/VPN-Chain. It just took me a while to get around to playing with it.

    Maximum uptime so far is about four days.

    Having a dynamic IPv4 address doesn't interfere with browsing and streaming. However, it does kill connectivity with BitTorrent swarms, and you must restart the client. So for torrenting, you may want to increase the cycle period.
     
    Last edited: Nov 14, 2019
  2. mag1c

    mag1c Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    39
    I like the lightweight aspect of it, I'll give it a go and do some testing.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,981
    Cool.

    Testing with tcpdump, I found no leaks. Even during the switch from one VPN chain to another.

    Also, streaming didn't even notice switching, because there's so much buffering.

    I did occasionally see torrent swarms die after switching. But restarting the torrent app got them going again.

    However, some VPN servers (mainly US and Canada) don't allow torrenting. But you can drop them from the server lists.
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.