If anyone's ever looking for an even quicker hack, ssh has built-in the ability to act as a SOCKS5 proxy, tunneling your traffic over ssh to whatever remote machine you might have access to:
$ ssh -D 1080 myserver.myhost.net
Then configure Chrome or Firefox or whatever to use a SOCKS5 proxy on localhost, port 1080. (N.B. that this does not tunnel DNS lookups by default.)
The OpenVPN-based route is the way to go for something used regularly, but the above is sometimes super-convenient!
Even quicker still is to use sshuttle; it automatically transparently tunnels all of your traffic through an SSH connection, without having to change any proxy settings.
Agreed, I set myself up an OpenVPN server on digitalocean without too much of a hassle. The easy-rsa utilities make the whole process quite simple. It has frankly been a life saver for me, as it allows me to bypass all restrictions imposed where I live (Oman).
I think the fact that this leaks DNS lookups is really quite key because that gives away a huge amount about what you're looking at over your "vpn", not to mention services like netflix that are pointing you to different responses based upon the source of your dns lookups.
In firefox you want to go to about:config page and turn on network.proxy.socks_remote_dns
Nice! I've been using dnsmasq to route my DNS queries and prevent leakage. Didn't realize the nework.proxy.socks_remote_dns option existed. Thanks for sharing!
I'm using the latest stable release of Firefox (34.0.5) and I see a "Remote DNS" checkbox under my SOCKS proxy configuration. Isn't that the same option in the GUI? No about:config tweaks needed?
I would think so, but everyone seems to be giving the about:config business, so maybe I am missing something.
Yes, that is the same option. Toggling the option in the GUI toggles network.proxy.socks_remote_dns in about:config. As default it is, is still off though.
I believe that Mac OS X does tunnel DNS when you configure the proxy through Control Panel -> Network. I used this when I was in the Army and lived in housing whose internet connections were managed by a crappy ISP that did DNS-based filtering of sites they deemed objectionable.
Even better trick is SSH can actually tunnel level 3 data! Via TUN/TAP interfaces (this is effectively how some VPN implementations do it).
See "-w" option
Here are a few guides. This is more involved than just adding the -D option and setting a "proxy" field in some applications but this is more general as well:
SSH does it's own flow control, and with HPN-SSH it is much better.
Also, if your connection to the VPN host is quite good, then the TCP-over-TCP issue does not apply as much. The bad cases happen when that connection has packet loss.
You could configure a transparent proxy with Privoxy set to use a custom dns server with dnsmasq and foxy-proxy to configure firefox to use that to forward dns request through your proxy.
Ah yes, ssh tunneling. The high school IT initiate's go-to method to dodge the web filter. It really can be an elegant solution when you don't have the patience to rev up OpenVPN for real.
I've been considering running all my mobile data through a VPN for better security, and saving all of it so I can analyze anything after the fact. Anyone doing anything like this?
OpenVPN has a tuneable keepalive interval. I think the default is 10 seconds, which is not so good for battery. But if you set it to 10 minutes, that would be fine.
(I bet the roaming between wifi and cellular data could be a problem, though.)
If anyone is interested, here's a script that will install openvpn on a raspberry pi in one command[1].
I use it along with the openvpn ios app on my phone when I'm on corporate wifi, or I connect to it with my laptop any time I'm in a coffee shop. Just note it's meant to tunnel traffic to a "safe" network, not anonymize you on the internet.
By far the fastest and easiest setup I've done of a VPN was with Pritunl, an open source and OpenVPN compatible VPN server that has installable packages for the big distros. It has a great web based admin interface for managing the server as well.
Back when I tried SoftEther several months back, by way of VPN Gate, the connections seemed pretty unreliable compared to OpenVPN. I think the VPN Gate software locked down the options in SoftEther, though. Packet loss affected gaming and video streaming in particular. Casual web browsing was OK.
If you are talking about VPNGate, the public VPN gateways, VPNGate can be a mixed bag. As far as I know, those connections are maintained by varying network environments; some are probably better than others.
I use SoftEther server/client for LAN access for work and home, and it works decently well. (Only thing is things like compression and certificate based authentication only works over SoftEther client, although support for certificate auth for other protocols are on its roadmap.)
Some VPS providers _do_ provide shared IPv4 address, as a way to reduce their costs. A set number (e.g. 20) of ports are forwarded to the VPS' internal IPv4 address.
Any VPS which provides 'only' IPv6 will typically support outbound IPv4 via NAT, with that IPv4 address being shared between all customers on the same node.
I am often dependent on a high-latency GPRS link, and the overhead of establishing a tunnel using OpenVPN or SSH (e.g. sshuttle) is prohibitive. OpenVPN is very likely to timeout before it can negotiate a TLS session. This is one of the major reasons why I wrote my own VPN software[1] using NaCl. Deterministic public-key encryption means that there is no negotiation required at startup. The tunnel is therefore ready to use as soon as the program is started. To me, that's the difference between a usable connection and nothing at all.
Why go through all those hoops when there are plenty of open source VPNs installed with one line. eg https://github.com/sockeye44/instavpn <- works with mac, ios, android etc
What I really want to do is set up something like the "UnblockUs" proxy servers, where it's all done through DNS or something similar. The key reason is for Netflix access here in Australia, through my Apple TV. Ideally it'd be at my router level, to require no config on the boxes themselves, and be able to have a filter list where certain hosts on that list are proxied and others aren't.
Last time I checked there were some nascent projects to do this in a FOSS way, but they weren't complete and most seemed abandoned. Any ideas?
I was going to comment with this. I have a VPS and have thought about running a VPN from there. This would protect me from a whole lot of man in the middle attacks as well as preventing the ISP's on snooping in on my traffic.
However, another big advantage to a VPN for me is anonimity, not directly giving the site information on who you are. If you were to set this up and use it just for you it's not unthinkable that government organisations like the NSA in Amerika and the AIVD in my homecountry of the Netherlands could identify you pretty easily.
For that I use Private Internet Access[1] right now, they claim to have patched a lot of the important software to have no logging, so they can't keep them. They also share IP addresses between customers which means the IP address is not a form of identification anymore. Their site looks like shit, I agree, but the service is pretty great.
I use Debian + UFW + OpenVPN + Digitalocean for my US Netflix needs. I get 10Mbit downstream and 20Mbit upstream from NY3 to my 60/60 fiber connection here in Zurich.
I could also configure it to use DNS only, but open dns servers are not so welcomed at the moment. Since I do quite a bit of roaming it's easiest to just configure OpenVPN.
These days there's a working OpenVPN client for Android but there were times when IPsec[1] VPN was the only good way to connect many different clients like Windows, Mac OS and iPhone to your VPN server.
Which is why I had to mention IPsec VPN and link to a good article on how to manage it on OpenBSD.
"Streisand sets up a new server running L2TP/IPsec, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge. It also generates custom configuration instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists."
I suppose you could always come up with some script that recreates the whole VPS and thus get a new IP address... but that makes it overly complicated for most people.
59 comments
[ 3.5 ms ] story [ 127 ms ] thread$ ssh -D 1080 myserver.myhost.net
Then configure Chrome or Firefox or whatever to use a SOCKS5 proxy on localhost, port 1080. (N.B. that this does not tunnel DNS lookups by default.)
The OpenVPN-based route is the way to go for something used regularly, but the above is sometimes super-convenient!
Very useful.
You can bundle all the configuration for a particular client into a .ovpn file - this includes the client and CA certificates.
I use this on iPhones and iPads, with the OpenVPN iOS app - works great for a family of iOS devices that need access to some geo-locked services.
In firefox you want to go to about:config page and turn on network.proxy.socks_remote_dns
I would think so, but everyone seems to be giving the about:config business, so maybe I am missing something.
See "-w" option
Here are a few guides. This is more involved than just adding the -D option and setting a "proxy" field in some applications but this is more general as well:
http://sleepyhead.de/howto/?href=vpn
https://wiki.archlinux.org/index.php/VPN_over_SSH
https://help.ubuntu.com/community/SSH_VPN
I was just surprised it was there.
Also, if your connection to the VPN host is quite good, then the TCP-over-TCP issue does not apply as much. The bad cases happen when that connection has packet loss.
I hope someone is able to crank out a version that used pf soon.
[0]https://github.com/OpenVPN/easy-rsa
[1]https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-....
https://github.com/Nyr/openvpn-install
You can turn off logging on the server with
/etc/openvpn/server.conf
Remember to restart the openvpn service after that.That said, this wouldn't deal with the VPS provider's logging etc.
(I bet the roaming between wifi and cellular data could be a problem, though.)
I use it along with the openvpn ios app on my phone when I'm on corporate wifi, or I connect to it with my laptop any time I'm in a coffee shop. Just note it's meant to tunnel traffic to a "safe" network, not anonymize you on the internet.
1. https://github.com/stephen-mw/raspberrypi-openvpn-auto-insta...
https://pritunl.com https://medium.com/pritunl-tutorials/pritunl-tutorial-ed50a5...
It's a bit easier to configure and supports multiple protocols, including OpenVPN.
[1] https://github.com/SoftEtherVPN/SoftEtherVPN/
I use SoftEther server/client for LAN access for work and home, and it works decently well. (Only thing is things like compression and certificate based authentication only works over SoftEther client, although support for certificate auth for other protocols are on its roadmap.)
http://frozenriver.net/SigmaVPN
Last talk on HN about it: https://news.ycombinator.com/item?id=7599091
There seems to be this similar project as well:
https://github.com/zerotier/ZeroTierOne
For example: http://lowendspirit.com/
Any VPS which provides 'only' IPv6 will typically support outbound IPv4 via NAT, with that IPv4 address being shared between all customers on the same node.
[1] https://github.com/amenonsen/tappet
Last time I checked there were some nascent projects to do this in a FOSS way, but they weren't complete and most seemed abandoned. Any ideas?
Eventually this will break due to a) DNSsec, and b) encrypted netflix traffic.
Better come up with a more robust VPN solution. DNS hacks will work until Netflix actually cares enough to stop them.
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/...
However, another big advantage to a VPN for me is anonimity, not directly giving the site information on who you are. If you were to set this up and use it just for you it's not unthinkable that government organisations like the NSA in Amerika and the AIVD in my homecountry of the Netherlands could identify you pretty easily.
For that I use Private Internet Access[1] right now, they claim to have patched a lot of the important software to have no logging, so they can't keep them. They also share IP addresses between customers which means the IP address is not a form of identification anymore. Their site looks like shit, I agree, but the service is pretty great.
[1]https://www.privateinternetaccess.com/
Which is why I had to mention IPsec VPN and link to a good article on how to manage it on OpenBSD.
[1] http://www.kernel-panic.it/openbsd/vpn/vpn3.html
If you don't trust us and prefer to do it on your own, that's fine too, it's open source: https://github.com/tinfoil/openvpn_autoconfig/blob/master/bi...
"Streisand sets up a new server running L2TP/IPsec, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge. It also generates custom configuration instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists."
They also have OpenVPN AMI.
Not stopping me, though. I use the VPN when using public WiFis, knowing that my data is protected but that I'm not anonymous.