Reads well for many users. Still don't see any mention of a Linux client in the works. For newer folks that might be a "killshot".
I always use stock OpenVPN plus iptables rules. Not long ago, I did https://github.com/mirimir/vpnchains for *** and giggles. It sets up routing and iptables on the fly, and switches chains periodically. I'm rewriting the IVPN guides, and will include a single VPN version as an option. However, I'm not yet clear just how. To get the proper iptables rules, you need to connect to a specific server IPv4 address. Generating OpenVPN config files for all the IPv4 addresses is pretty easy, using bash. But the hard part is presenting all those server options to the user.
I understand where you are coming from, and I wasn't talking about us. I simply meant a casual user shopping for a VPN provider, just starting out in Linux. "No client" may well mean clicking through to another provider that does have one.
Nah, it's not hard. Just use the dialog program and its various commands from bash scripts to create a menu-driven, semi-interactive console program that presents all those server options in a menu box. For example, if you wanted the user to choose, let's say, the system default DNS server, then you could script something like the following: https://www.orwell1984.today/cname/dialog1.png

In this case the dialog program command/menu options are:

dialog --stdout (so we can save the result into a variable for handling later)
--menu (present a simple menu to the user)
10 (height of the menu box in characters)
30 (width of the menu box in characters)
3 (number of items to show, can be less than the true number of items)
item1 "label1" item2 "label2" etc. ...

Here's what the user will see. Controls are up arrow = up, down arrow = down and Enter = select. Note that the dialog command also gives you a scrolling option as a nice bonus: https://www.orwell1984.today/cname/dialog2.png

And if we choose Google and press Enter... https://www.orwell1984.today/cname/dialog3.png The variable $result has our choice (and here I just echo it back). Super easy!

Anyone with just bash scripting experience can make simple menus, input boxes, password boxes etc. with the dialog command (see "man dialog" for detailed explanations and a few helper links below):
https://bash.cyberciti.biz/guide/A_menu_box
http://linuxcommand.org/lc3_adv_dialog.php
https://www.ubuntu-user.com/Magazin...enus-and-dialogs-for-shell-scripts/(offset)/2
AFAIK, not yet. I discussed a way to do an OpenVPN kill switch with Linux network namespaces here: https://www.wilderssecurity.com/threads/native-openvpn-kill-switch-under-linux.391828/

I also suggested it on the OpenVPN forum: https://forums.openvpn.net/viewtopic.php?t=19193

So the only way to do it right now seems to be either iptables or network namespaces (just google "github openvpn namespace").

EDIT: Here is also another, even more elegant way to do OpenVPN with a network namespace: http://www.naju.se/articles/openvpn-netns.html
WOW! Hey, thanks a lot. I should have read this before hacking what I just did.

I first get IPv4 addresses for all VPN server hostnames, in a table with hostname and IPv4 columns. I also hack a config file for each server IPv4 address. I have a script that shows the user what country codes are available (using echo) and prompts "What country code do you want?: " (using read). It then picks a random server IPv4 address for that country code, generates IPv4 rules that allow only connections via eth0/enp0s3 to that address, and restores them. Then it creates a script that deletes the 0.0.0.0/1 and 128.0.0.0/1 routes, adds a route for the server IPv4 via eth0/enp0s3, and starts openvpn with the config file for the chosen server IPv4. It pings 1.1.1.1 via tun0, and if it gets a response, it sleeps forever. If the ping fails, it restarts and asks again for a country code.

When you hit Ctrl-C (or if it disconnects accidentally) all Internet access will be blocked. Running the script again will connect to whatever country code you select. To restore connectivity without a VPN connected, you just restore the default iptables rules.

But I gotta add a prompt for the DNS server to use. I'll just use your example.

Update: Damn, I couldn't get dialog to work, and then went ahead and used read instead. But then I realized that I needed to install dialog. Anyway, I'll mess with it later, and make the interface prettier. I used VPN.ac for testing. The interface looks like this:

Code:
Available country codes:
au be br ca ch cz de es fi fr hk it jp lt lu mx nl no pl pt ro se sg tw uk us
What country code do you want?: de
Some DNS server options:
1.1.1.1 (CloudFlare)
8.8.8.8 (Google)
208.67.222.222 (OpenDNS)
9.9.9.9 (Quad9)
[Hit return to use DNS server pushed by VPN.]
What DNS server do you want?:

The attached file explains how to implement it.

Edit: There was an error in vpn-rules-base.v4 (I allowed input on eth0/enp0s3). So I've replaced the file.
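The procedure in the post above (pick a random server for a country code, allow only the OpenVPN handshake out of the physical interface, pin the server route, start openvpn, verify via tun0), as an added example that is not mirimir's attached script. It only generates the iptables-restore ruleset and the connect script as text, so they can be inspected before being applied with iptables-restore. The server table, country codes and addresses are constructed (RFC 5737 TEST-NET ranges), and the interface name, gateway and port are assumptions:

```shell
#!/bin/bash
# Added example, not the original poster's script. Builds the kill-switch
# pieces as text: server pick by country code, an iptables ruleset whose
# default policy is DROP (the "kill switch"), and the connect script.
# Hostnames/addresses are constructed; eth0, 192.168.1.1 and 1194/udp are
# assumptions, adjust for your provider.

# Constructed hostname|country|ipv4 table (whitespace separated).
SERVERS='de1.example.net de 192.0.2.10
de2.example.net de 192.0.2.11
nl1.example.net nl 198.51.100.20
us1.example.net us 203.0.113.30'

# Distinct country codes, sorted, on one line (e.g. "de nl us").
list_countries() {
  printf '%s\n' "$SERVERS" | awk '{print $2}' | sort -u | xargs
}

# One random server IPv4 for a country code; prints nothing if unknown.
pick_server() {
  printf '%s\n' "$SERVERS" | awk -v cc="$1" '
    BEGIN { srand() }
    $2 == cc { a[n++] = $3 }
    END { if (n) print a[int(rand() * n)] }'
}

# iptables-restore ruleset. DROP on every chain; the only traffic allowed
# out of the physical interface is the OpenVPN handshake to the chosen
# server, everything else has to leave via tun0. Nothing new is accepted
# inbound on the physical interface, only replies to what we sent (this is
# the mistake mentioned above: no "-A INPUT -i eth0 ... ACCEPT" rule).
gen_rules() {
  local srv="$1" wan="$2" port="${3:-1194}" proto="${4:-udp}"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $wan -d $srv -p $proto --dport $port -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT
EOF
}

# Connect script: remove the two half-default routes left by an earlier
# redirect-gateway tunnel, pin the server through the real gateway, start
# OpenVPN and verify the tunnel with a ping through tun0. If the tunnel never
# comes up, the DROP policies above keep all other traffic blocked.
gen_connect_script() {
  local srv="$1" wan="$2" gw="$3" conf="$4"
  cat <<EOF
#!/bin/sh
set -e
ip route del 0.0.0.0/1 2>/dev/null || true
ip route del 128.0.0.0/1 2>/dev/null || true
ip route replace $srv/32 via $gw dev $wan
openvpn --config "$conf" --daemon
sleep 10
ping -c 3 -I tun0 1.1.1.1 >/dev/null || { echo "tunnel check failed" >&2; exit 1; }
echo "tunnel up via $srv"
EOF
}

# Usage: ./vpn-killswitch.sh demo   (writes vpn-rules.v4 and vpn-connect.sh)
if [ "${1:-}" = "demo" ]; then
  echo "Available country codes: $(list_countries)"
  printf 'What country code do you want?: '
  read -r cc
  ip=$(pick_server "$cc")
  [ -n "$ip" ] || { echo "no server for '$cc'" >&2; exit 1; }
  gen_rules "$ip" eth0 > vpn-rules.v4
  gen_connect_script "$ip" eth0 192.168.1.1 "server-$ip.conf" > vpn-connect.sh
  echo "wrote vpn-rules.v4 and vpn-connect.sh for $ip (apply with: iptables-restore < vpn-rules.v4)"
fi
```

Apply the ruleset with iptables-restore before running the connect script; IPv6 needs either the same treatment in ip6tables-restore or ipv6.disable=1 on the kernel command line, otherwise v6 traffic bypasses these v4 rules.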
Lots of stuff there in the script... will take some time for me to digest it. So this creates a 2-hop VPN chain inside the VM, right?

A few things come to my mind:

- This is lots of work to set up for the average Joe. Could you create a pre-made VM image with most of the stuff done inside (script and all) that one could download, tweak and then run? One that I could just download and play with in VirtualBox or QEMU?

- No need for separate IPv6 iptables rules. You can disable IPv6 support in the kernel entirely (even in cases where it is compiled built-in or as a module) by adding the following to the kernel boot cmd-line in the grub/grub2 boot menu: ipv6.disable=1

EDIT: This works okay, but I am not so sure if --stdout is the right way to do this after all... The "man dialog" warns that portable scripts should avoid it (which in this case would not really be a problem if the script is piggybacked inside pre-made VMs), but the bigger problem is that it might actually fail.

#!/bin/bash
while :
do
    # --stdout lets $(...) capture the selection; dialog draws on stderr.
    # Esc/Cancel makes dialog exit non-zero, so leave the loop instead of looping forever.
    country=$(dialog --stdout --no-items --menu "Choose country:" 10 30 3 \
        "au" "be" "br" "ca" "ch" "cz" "de" "es" "fi" "fr" "hk" "it" "jp" \
        "lt" "lu" "mx" "nl" "no" "pl" "pt" "ro" "se" "sg" "tw" "uk" "us") || break
    dns=$(dialog --stdout --menu "Choose DNS Server:" 10 30 3 \
        1.1.1.1 "CloudFlare" \
        8.8.8.8 "Google" \
        208.67.222.222 "OpenDNS" \
        9.9.9.9 "Quad9") || break
    # handle your stuff here
    echo "$country"
    echo "$dns"
done
No, this just does a single VPN. The chains stuff is here: https://github.com/mirimir/vpnchains. But I did reuse lots of that code.

That's true. Some of that just reflects me not being a coder. But I also think that it's better for people to implement stuff themselves, even if it's just following instructions. Because they're more likely to understand what's going on. And it makes mistakes more obvious, even to those who aren't expert coders. I mean, sure, I could distribute VM images with this stuff set up. It'd be a pain though, because the specifics are different for each VPN. But I could leave that stuff out, and just explain where to put the required stuff (hostnames|ipv4s file, ca.crt, client.crt and client.key, up, and whatever). I suppose that I could do the same for the pfSense VMs. But wait. Are you saying that you'd like such a VM? If you do, I'd be happy to create one for you.

True. I should mention that too. But I'm a belt-and-suspenders guy.

Hey, thanks. The next level would be to package this as a real program, which just used a directory containing the desired OpenVPN conf files to configure itself. That is over my head.
Sure, I need to see this thing running live to see if it can be improved (I love to optimize stuff!)

Great! I probably could translate the bash script (after I have seen it running live and have a detailed step-by-step view of what it does in my head) to a C program. Reading the conf files and parsing them is not that hard, but the difficult thing is the firewall part. I have never done that in C code. I know that iptables is just a cmd-line tool that calls the Linux kernel firewall API, but I have never myself looked at it more closely. Quick googling found this: https://tldp.org/HOWTO/Querying-libiptc-HOWTO/whatis.html

So I guess I have some reading to do this week... https://www.tldp.org/HOWTO/Querying-libiptc-HOWTO/qfunction.html
Hey, that would be really cool I'll do the VM later today, and get it to you. Unless I hear otherwise, it'll be Debian buster with Gnome desktop. It's larger, but you might be doing something GUI.