
Be your own VPN provider with OpenBSD - fcambus
http://networkfilter.blogspot.com/2015/01/be-your-own-vpn-provider-with-openbsd.html
======
cfallin
If anyone's ever looking for an even quicker hack, ssh has the built-in
ability to act as a SOCKS5 proxy, tunneling your traffic over ssh to whatever
remote machine you might have access to:

$ ssh -D 1080 myserver.myhost.net

Then configure Chrome or Firefox or whatever to use a SOCKS5 proxy on
localhost, port 1080. (N.B. that this does _not_ tunnel DNS lookups by
default.)

The OpenVPN-based route is the way to go for something used regularly, but the
above is sometimes super-convenient!

~~~
delsarto
I think the fact that this leaks DNS lookups is really quite key because that
gives away a huge amount about what you're looking at over your "vpn", not to
mention services like Netflix that are pointing you to different responses
based upon the source of your DNS lookups.

In firefox you want to go to about:config page and turn on
network.proxy.socks_remote_dns

~~~
ReidZB
I'm using the latest stable release of Firefox (34.0.5) and I see a "Remote
DNS" checkbox under my SOCKS proxy configuration. Isn't that the same option
in the GUI? No about:config tweaks needed?

I would think so, but everyone seems to be giving the about:config business,
so maybe I am missing something.

~~~
mortenlarsen
Yes, that is the same option. Toggling the option in the GUI toggles
network.proxy.socks_remote_dns in about:config. By default it is still off,
though.
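
The `ssh -D 1080` trick and the `network.proxy.socks_remote_dns` setting discussed in this sub-thread, as an added example (not code posted by any commenter): a small POSIX shell script that writes the Firefox prefs needed to send both TCP and DNS through a local SOCKS5 proxy, and audits an existing prefs.js/user.js for the leak case where the proxy is set but remote DNS is still off. The pref names are Firefox's own; the host, port and demo files are constructed for the example and nothing touches a real profile.

```shell
#!/bin/sh
# Added example (not posted by anyone in the thread). Pairs with
# `ssh -D 1080 myserver.myhost.net`: Firefox must be told to use the SOCKS5
# proxy on localhost:1080 AND to resolve DNS through it, otherwise lookups
# leak to the local resolver even though TCP traffic goes through the tunnel.

# firefox_socks_prefs HOST PORT
# Print user.js lines for a manual SOCKS5 proxy with remote DNS enabled.
# (Pref names are Firefox's; host/port are whatever your ssh -D used.)
firefox_socks_prefs() {
    host="$1"; port="$2"
    printf 'user_pref("network.proxy.type", 1);\n'                 # 1 = manual proxy
    printf 'user_pref("network.proxy.socks", "%s");\n' "$host"
    printf 'user_pref("network.proxy.socks_port", %s);\n' "$port"
    printf 'user_pref("network.proxy.socks_version", 5);\n'
    printf 'user_pref("network.proxy.socks_remote_dns", true);\n'  # the GUI "Remote DNS" box
}

# socks_dns_audit PREFS_FILE
# Classify a prefs.js/user.js:
#   noproxy  - no manual SOCKS proxy configured
#   leak     - SOCKS proxy set, but DNS still resolved locally
#   ok       - SOCKS proxy set and DNS sent through the proxy
socks_dns_audit() {
    f="$1"
    if ! grep -q '"network.proxy.type", *1)' "$f" || \
       ! grep -q '"network.proxy.socks", *"' "$f"; then
        echo noproxy
        return 0
    fi
    if grep -q '"network.proxy.socks_remote_dns", *true)' "$f"; then
        echo ok
    else
        echo leak
    fi
}

# Demo on constructed temp files (nothing here touches a real Firefox profile).
demo=$(mktemp)
firefox_socks_prefs localhost 1080 > "$demo"
echo "generated prefs:    $(socks_dns_audit "$demo")"        # ok
# Same proxy, but remote DNS left at its default (off): the leak case.
grep -v socks_remote_dns "$demo" > "$demo.leaky"
echo "without remote dns: $(socks_dns_audit "$demo.leaky")"  # leak
rm -f "$demo" "$demo.leaky"
```

Drop the output of `firefox_socks_prefs` into a profile's `user.js` to get the same result as ticking the "Remote DNS" box; the audit function is handy for checking someone else's profile before they rely on the tunnel.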

------
borski
We made this really easy, on Ubuntu:
[https://www.tinfoilsecurity.com/vpn](https://www.tinfoilsecurity.com/vpn)
will generate you a private VPN on your own box with a single click.

If you don't trust us and prefer to do it on your own, that's fine too, it's
open source:
[https://github.com/tinfoil/openvpn_autoconfig/blob/master/bi...](https://github.com/tinfoil/openvpn_autoconfig/blob/master/bin/openvpn.sh)

~~~
kordless
How about a 'start this with Bitcoin' button? :)

------
guelo
The disadvantage of this over a shared VPN that doesn't keep logs is that
there's now a unique IP address that can be tied back to you. A cool feature
for a VPS would be to have a shared IP address between a bunch of customers.

~~~
crypt1d
I suppose you could always come up with some script that recreates the whole
VPS and thus get a new IP address... but that makes it overly complicated for
most people.

~~~
dzhiurgis
AWS does not charge for first 100 IP addresses.

They also have OpenVPN AMI.

------
kgtm
Another approach:
[https://github.com/jlund/streisand](https://github.com/jlund/streisand)

"Streisand sets up a new server running L2TP/IPsec, OpenSSH, OpenVPN,
Shadowsocks, sslh, Stunnel, and a Tor bridge. It also generates custom
configuration instructions for all of these services. At the end of the run
you are given an HTML file with instructions that can be shared with friends,
family members, and fellow activists."

------
unsignedint
Another solution I'd recommend is SoftEtherVPN[1].

It's a bit easier to configure and supports multiple protocols, including
OpenVPN.

[1]
[https://github.com/SoftEtherVPN/SoftEtherVPN/](https://github.com/SoftEtherVPN/SoftEtherVPN/)

~~~
ashmud
Back when I tried SoftEther several months back, by way of VPN Gate, the
connections seemed pretty unreliable compared to OpenVPN. I think the VPN Gate
software locked down the options in SoftEther, though. Packet loss affected
gaming and video streaming in particular. Casual web browsing was OK.

~~~
unsignedint
If you are talking about VPNGate, the public VPN gateways, VPNGate can be a
mixed bag. As far as I know, those connections are maintained by varying
network environments; some are probably better than others.

I use SoftEther server/client for LAN access for work and home, and it works
decently well. (The only thing is that things like compression and certificate-based
authentication only work over the SoftEther client, although support for
certificate auth for other protocols is on its roadmap.)

------
decisiveness
Cool guide, makes me want to learn more about BSD and pf. I've been doing this
but with a Linux VPS, iptables and EasyRSA3[0][1].

[0] [https://github.com/OpenVPN/easy-rsa](https://github.com/OpenVPN/easy-rsa)

[1] [https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-...](https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto).

------
hiou
If you aren't partial to OpenBSD, I've had good success with this:

[https://github.com/Nyr/openvpn-install](https://github.com/Nyr/openvpn-install)

You can turn off logging on the server with

/etc/openvpn/server.conf

    log /dev/null
    status /dev/null

Remember to restart the openvpn service after that.

That said, this wouldn't deal with the VPS provider's logging etc.
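
As an added example (not from this comment or from the Nyr installer it links), a POSIX shell audit of an OpenVPN `server.conf` that reports where `log`/`log-append` and `status` output actually ends up, so after editing the file you can confirm that `/dev/null` took effect and that no other directive still writes records. The sample configs are constructed for the demo; the "daemon logs to syslog or stdout when `log` is unset" note reflects OpenVPN's documented default, not anything in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Nyr installer it links.
# Reports which OpenVPN directives produce records, so you can confirm that
# "log /dev/null" and "status /dev/null" took effect and that no other line
# (log-append, a later log directive) undoes them.

# openvpn_log_report CONF
# Prints two lines: where log output goes, and where the status file goes.
# Comments (# or ;) are stripped; if a directive appears twice, the script
# keeps the last occurrence.
openvpn_log_report() {
    awk '
        { sub("[#;].*", "") }                               # strip comments
        NF == 0 { next }                                     # skip blank lines
        $1 == "log" || $1 == "log-append" { logt = $2 }
        $1 == "status"                    { statust = $2 }
        END {
            if (logt == "")
                print "log: unset (daemon writes to syslog or stdout)"
            else if (logt == "/dev/null")
                print "log: /dev/null (discarded)"
            else
                print "log: " logt " (written to disk)"
            if (statust == "")
                print "status: unset (no status file)"
            else if (statust == "/dev/null")
                print "status: /dev/null (discarded)"
            else
                print "status: " statust " (written to disk)"
        }' "$1"
}

# openvpn_log_verdict CONF
# Prints "silent" when neither log nor status output reaches disk or syslog,
# "records" otherwise. Handy as a post-edit check in a provisioning script.
openvpn_log_verdict() {
    if openvpn_log_report "$1" | grep -q -e 'written to disk' -e 'syslog'; then
        echo records
    else
        echo silent
    fi
}

# Demo on constructed configs (temp files; your real server.conf is untouched).
quiet=$(mktemp); noisy=$(mktemp)
printf 'port 1194\nproto udp\ndev tun\nlog /dev/null   # per the thread\nstatus /dev/null\nverb 3\n' > "$quiet"
printf 'port 1194\nproto udp\ndev tun\nlog-append /var/log/openvpn.log\nstatus openvpn-status.log\n' > "$noisy"
openvpn_log_report "$quiet";  echo "verdict: $(openvpn_log_verdict "$quiet")"   # silent
openvpn_log_report "$noisy";  echo "verdict: $(openvpn_log_verdict "$noisy")"   # records
rm -f "$quiet" "$noisy"
```

Run `openvpn_log_verdict /etc/openvpn/server.conf` after the edit and before restarting the service; as the comment says, none of this affects whatever the VPS provider records on its side.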

------
__mp
I use Debian + UFW + OpenVPN + DigitalOcean for my US Netflix needs. I get
10 Mbit downstream and 20 Mbit upstream from NY3 to my 60/60 fiber connection
here in Zurich. I could also configure it to use DNS only, but open DNS
servers are not so welcome at the moment. Since I do quite a bit of roaming
it's easiest to just configure OpenVPN.

------
stephen-mw
If anyone is interested, here's a script that will install OpenVPN on a
Raspberry Pi in one command[1].

I use it along with the OpenVPN iOS app on my phone when I'm on corporate
wifi, or I connect to it with my laptop any time I'm in a coffee shop. Just
note it's meant to tunnel traffic to a "safe" network, not anonymize you on
the internet.

1\. [https://github.com/stephen-mw/raspberrypi-openvpn-auto-insta...](https://github.com/stephen-mw/raspberrypi-openvpn-auto-install)

------
leni536
Why would you trust a VPS more than a VPN? They still can log or intercept
your traffic, can't they?

~~~
SixSigma
Because then you can use public Wifi with less paranoia.

------
gatehouse
I've been considering running all my mobile data through a VPN for better
security, and saving all of it so I can analyze anything after the fact.
Anyone doing anything like this?

~~~
regecks
Keeping a VPN connection alive doesn't do the battery any favors, and bringing
up a VPN connection isn't that fast to do on demand.

~~~
amenonsen
I am often dependent on a high-latency GPRS link, and the overhead of
establishing a tunnel using OpenVPN or SSH (e.g. sshuttle) is prohibitive.
OpenVPN is very likely to time out before it can negotiate a TLS session. This
is one of the major reasons why I wrote my own VPN software[1] using NaCl.
Deterministic public-key encryption means that there is no negotiation
required at startup. The tunnel is therefore ready to use as soon as the
program is started. To me, that's the difference between a usable connection
and nothing at all.

[1] [https://github.com/amenonsen/tappet](https://github.com/amenonsen/tappet)

------
brycehamrick
By far the fastest and easiest setup I've done of a VPN was with Pritunl, an
open source and OpenVPN compatible VPN server that has installable packages
for the big distros. It has a great web based admin interface for managing the
server as well.

[https://pritunl.com](https://pritunl.com) [https://medium.com/pritunl-tutorials/pritunl-tutorial-ed50a5...](https://medium.com/pritunl-tutorials/pritunl-tutorial-ed50a5d2a4eb)

------
INTPenis
These days there's a working OpenVPN client for Android but there were times
when IPsec[1] VPN was the only good way to connect many different clients like
Windows, Mac OS and iPhone to your VPN server.

Which is why I had to mention IPsec VPN and link to a good article on how to
manage it on OpenBSD.

[1] [http://www.kernel-panic.it/openbsd/vpn/vpn3.html](http://www.kernel-panic.it/openbsd/vpn/vpn3.html)

------
nsinenko
Why go through all those hoops when there are plenty of open source VPNs
installed with one line, e.g.
[https://github.com/sockeye44/instavpn](https://github.com/sockeye44/instavpn)
<- works with Mac, iOS, Android etc.

------
RJIb8RBYxzAMX9u
Why not just use npppd, which is in the base install, and then use L2TP/IPsec?

[http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/...](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/npppd.8)

------
girvo
What I really want to do is set up something like the "UnblockUs" proxy
servers, where it's all done through DNS or something similar. The key reason
is for Netflix access here in Australia, through my Apple TV. Ideally it'd be
at my router level, to require no config on the boxes themselves, and be able
to have a filter list where certain hosts on that list are proxied and others
aren't.

Last time I checked there were some nascent projects to do this in a FOSS way,
but they weren't complete and most seemed abandoned. Any ideas?

~~~
throwaway58791
What these services do is spoof the DNS replies -- redirecting your apps
towards their reverse proxies.

Eventually this will break due to a) DNSSEC, and b) encrypted Netflix traffic.

Better come up with a more robust VPN solution. DNS hacks will work until
Netflix actually cares enough to stop them.

------
mobiplayer
Please everyone keep in mind that if you're using a tutorial to set this up
you're probably not an expert, so in the future you could suffer security
issues (inherent to any service) without even knowing.

That's why I pay for services, not because I can't follow a tutorial to set
them up :)

------
stevenspins
SSH over SOCKS 5 would be a better option than OpenBSD

~~~
hobarrera
Since you need a secure server on the other end to ssh into, why not just go
with OpenBSD anyway?

------
blazespin
Does this work on iOS?

~~~
ianlevesque
Yes, there is an OpenVPN client on the App Store.

------
higherpurpose
Why not use SigmaVPN over OpenVPN? From what I gathered from the CCC talks,
OpenVPN can fall pretty easily to the NSA.

[http://frozenriver.net/SigmaVPN](http://frozenriver.net/SigmaVPN)

Last talk on HN about it:
[https://news.ycombinator.com/item?id=7599091](https://news.ycombinator.com/item?id=7599091)

There seems to be this similar project as well:

[https://github.com/zerotier/ZeroTierOne](https://github.com/zerotier/ZeroTierOne)

