IVPN goes open source

Discussion in 'privacy technology' started by LoneWolf, Feb 13, 2020.

  1. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,791
    https://www.ivpn.net/blog/
     
    Last edited: Feb 13, 2020
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
  3. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,434
    Reads well for many users. Still don't see any mention of a linux client in the works. For newer folks that might be a "killshot".
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I always use stock OpenVPN plus iptables rules.

    Not long ago, I did https://github.com/mirimir/vpnchains for *** and giggles. It sets up routing and iptables on the fly, and switches chains periodically.

    I'm rewriting the IVPN guides, and will include a single VPN version as an option. However, I'm not yet clear just how. To get the proper iptables rules, you need to connect to a specific server IPv4 address. Generating OpenVPN config files for all the IPv4 addresses is pretty easy, using bash. But the hard part is presenting all those server options to the user.
     
  5. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,434

    I understand where you are coming from and I wasn't talking about us. I simply meant a casual user shopping for a VPN provider just starting out in linux. "No client" may well mean clicking to another provider that does have one.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    True. But then, Linux is not all that popular, so I understand why it's not been a priority.
     
  7. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    ...among the average joe. most linux users prefer to use ovpn sw. so that's understandable.
     
    Last edited: Feb 16, 2020
  8. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Nah,it's not hard.

    Just use dialog program and it's various commands from bash scripts to create menu-driven, semi-interactive console program
    that presents all those server options in menu box.

    For example: If you wanted user to choose, let's say system default DNS server, then you could script something like following:

    https://www.orwell1984.today/cname/dialog1.png

    In this case dialog progam comman menu options are:

    dialog --stdout (so we can save the result into variable for handling later) --menu (present simple menu to user) 10 (heigh of menu box in characters) 30 (width of menu box in characters) 3 (number of items to show, can be less than true number of items) item1 "label1" item2 "label2" etc ....

    Here's what user will see, controls are up arrow = up, down arrow = down and Enter = select.
    Note that dialog command gives you also scrolling option as a nice bonus:

    https://www.orwell1984.today/cname/dialog2.png

    And if we choose Google and press Enter....
    https://www.orwell1984.today/cname/dialog3.png

    variable $result has our choise (and here I just echo it back)
    Super easy! :)

    Anyone with just bash scripting experience can make simple menus, input boxes, password boxes etc... with dialog command (see "man dialog" for detailed explanations and few helper links below)

    https://bash.cyberciti.biz/guide/A_menu_box

    http://linuxcommand.org/lc3_adv_dialog.php

    https://www.ubuntu-user.com/Magazin...enus-and-dialogs-for-shell-scripts/(offset)/2
     
  9. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,431
    Does the stock OpenVPN come with a Kill Switch?
     
  10. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    AFAIK, not yet.

    I discussed of way to do OpenVPN kill switch with Linux network namespaces here
    https://www.wilderssecurity.com/threads/native-openvpn-kill-switch-under-linux.391828/

    I also suggested it on OpenVPN forum.
    https://forums.openvpn.net/viewtopic.php?t=19193

    So the only way to do it right now seems to be either iptables or network namespaces (just google github openvpn namespace)


    EDIT:

    Here also another even more elegant way to do OpenVPN with network namespace
    http://www.naju.se/articles/openvpn-netns.html
     
    Last edited: Feb 16, 2020
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    WOW!

    Hey, thanks a lot :)

    I should have read this before hacking what I just did ;)

    I first get IPv4 addresses for all VPN server hostnames, in a table with hostname and IPv4 columns. I also hack a config file for each server IPv4 address.

    I have a script that shows the user what country codes are available (using echo) and prompts "What country code do you want?: " (using read). It then picks a random server IPv4 address for that country code, generates IPv4 rules that allow only connections via eth0/enp0s3 to that address, and restores them.

    Then it creates a script that deletes 0.0.0.0/1 and 128.0.0.0/1 routes, adds a route for the server IPv4 via eth0/enp0s3, and starts openvpn with the config file for the chosen server IPv4. It pings 1.1.1.1 via tun0, and if it gets a response, it sleeps forever. If ping fails, it restarts, and asks again for a country code.

    When you hit Ctrl-C (or if it disconnects accidentally) all Internet access will be blocked. Running the script again will connect to whatever country code you select. To restore connectivity without a VPN connected, you just restore the default iptables rules.

    But I gotta add a prompt for the DNS server to use. I'll just use your example.

    Update: Damn, I couldn't get dialog to work, and then went ahead and used read instead. But then I realized that I needed to install dialog :( Anyway, I'll mess with it later, and make the interface prettier.

    I used VPN.ac for testing. The interface looks like this:
    Code:
    Available country codes:
    au  be  br  ca  ch  cz  de  es  fi  fr  hk  it  jp
    lt  lu  mx  nl  no  pl  pt  ro  se  sg  tw  uk  us
    What country code do you want?: de
    Some DNS server options:
    1.1.1.1         (CloudFlare)
    8.8.8.8         (Google)
    208.67.222.222  (OpenDNS)
    9.9.9.9         (Quad9)
    [Hit return to use DNS server pushed by VPN.]
    What DNS server do you want?:
    
    The attached file explains how to implement it.

    Edit: There was an error in vpn-rules-base.v4 (I allowed input on eth0/enp0s3.). So I've replaced the file.
     

    Attached Files:

    Last edited: Feb 18, 2020
  12. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747

    Lot's of stuff there in the script...will take some time for me to digest it.
    So this creates 2 hop VPN chain inside VM right?

    Few things come to my mind:

    - This is lot's of work to setup for average Joe. Could you create pre-made VM with most of the stuff done inside (script and all) image that one could download, tweak and then run? One that I could just download and play with VirtualBox or QEMU?

    - No need for separete IPv6 iptable rules. You can disable IPv6 support from kernel entirely (even in cases that it is compiled built-in or as module) by adding the following to kernel boot cmd-line in grub/grub2 boot menu:

    ipv6.disable=1


    EDIT:

    This works okay but I am not so sure if the --stdout is the right way to do this after all...
    The "man dialog" warns that portable scripts should avoid it (which in this case would
    be not really problem if the script is piggybacked inside pre-made VMs) but the bigger
    problem is that it might actually fail :eek:

    #!/bin/bash

    while :
    do

    country=$(dialog --stdout --no-items --menu "Choose country:" 10 30 3 \
    "au" "be" "br" "ca" "ch" "cz" "de" "es" "fi" "fr" "hk" "it" "jp" \
    "lt" "lu" "mx" "nl" "no" "pl" "pt" "ro" "se" "sg" "tw" "uk" "us"
    )


    dns=$(dialog --stdout --menu "Choose DNS Server:" 10 30 3 \
    1.1.1.1 "CloudFlare" \
    8.8.8.8 "Google" \
    208.67.222.222 "OpenDNS" \
    9.9.9.9 "Quad9" \
    )


    # handle your stuff here
    echo $country
    echo $dns

    done
     
    Last edited: Feb 17, 2020
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    No, this just does a single VPN. The chains stuff is here: https://github.com/mirimir/vpnchains. But I did reuse lots of that code.
    That's true.

    Some of that just reflects me not being a coder. But I also think that it's better for people to implement stuff themselves, even if it's just following instructions. Because they're more likely to understand what's going on. And it makes mistakes more obvious, even to those who aren't expert coders.

    I mean, sure, I could distribute VM images with this stuff setup. It'd be a pain though, because the specifics are different for each VPN. But I could leave that stuff out, and just explain where to put the required stuff (hostnames|ipv4s file, ca.crt, client.crt and client.key, up, and whatever.

    I suppose that I could do the same for the pfSense VMs.

    But wait. Are you saying that you'd like such a VM?

    If you do, I'd be happy to create one for you.
    True. I should mention that too. But I'm a belt-and-suspenders guy :)
    Hey, thanks :)

    The next level would be to package this as a real program, which just used a directory containing the desired OpenVPN conf files to configure itself.

    That is over my head.
     
  14. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Sure, I need to see this thing live running to see if it can be improved (I love to optimize stuff!)

    Great! :)

    I probably could translate the bash script (after I have seen it running live and have detailed step-by-step view of what it does in my head) to C-program.

    Reading the conf files and parsing them is not that hard but the difficult thing is the firewall part.
    I have never done that in C-code.

    I know that iptables is just a cmd-line tool that calls Linux kernel firewall API but I have never myself looked it more closely.

    Quick googling found this:
    https://tldp.org/HOWTO/Querying-libiptc-HOWTO/whatis.html

    So I guess I have some reading to do this week ....
    https://www.tldp.org/HOWTO/Querying-libiptc-HOWTO/qfunction.html
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Hey, that would be really cool :)

    I'll do the VM later today, and get it to you.

    Unless I hear otherwise, it'll be Debian buster with Gnome desktop.

    It's larger, but you might be doing something GUI.
     
  16. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Debian is okay :)
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.