Awesome
<!-- MIT License Copyright (c) 2019 Rémi Ducceschi Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE -->
VPN Manager
Script to easily manage OpenVPN and create a firewall kill switch with UFW.
It allows easy start and stop of the VPN connection and the kill switch, and easy change of the VPN server.
Current version is bounded to OpenVPN, though it is easy to make it work with other VPN as only a small subset of code is concerned. More information below.
Installation
You need to install the following packages:
- openvpn
- ufw
Configuration
Below, we assume that your computer is connected to internet via the
interface enp1s0, that the VPN interface is called tun0, and that
you are on the local network 192.168.1.0/24.
If it is not the case, change the values below.
Firewall (ufw)
First, create the firewall rules:
- all incoming transfers are denied by default
- all outgoing transfers are denied by default
- all routed transfers are allowed by default (for a later update)
- create a kill switch
- we allow traffic through
enp1s0only from and to the local network, no internet access - we override these rules temporarily so internet is still accessible, until we start the VPN
- we allow traffic through
- allow all traffic on
tun0- when the VPN is on, all internet traffic pass through there
As root
# global rules
ufw default deny incoming
ufw default deny outgoing
ufw default allow routed
# kill switch
ufw allow in on enp1s0 from 192.168.1.0/24
ufw allow out on enp1s0 to 192.168.1.0/24
# bypass killswitch
ufw allow in on enp1s0
ufw allow out on enp1s0
# VPN
ufw allow in on tun0
ufw allow out on tun0
Thus, when we start the VPN, we just have to delete the 2 bypassing rules and add one to authorize traffic to VPN server only. This will create a kill switch as as soon as we can't connect to the VPN server, all traffic will be stopped.
This is automatically done thanks to vpn-mgr.sh.
OpenVPN
We need to create a file with our VPN credentials, so OpenVPN can
connect to VPN server by itself. Replace EMAIL and PASSWORD
with your credentials.
Note that it is important that the file is created in
/etc/openvpn/. If you want to change the filename, you'll have
to change the variable AUTHFILE in vpn-mgr.sh.
As root
echo "EMAIL" > /etc/openvpn/nordvpn_authentication
echo "PASSWORD" >> /etc/openvpn/nordvpn_authentication
chmod a-rwx,u=r /etc/openvpn/nordvpn_authentication
You now need to copy the files etc/default/openvpn,
etc/openvpn/update-resolv-conf and
etc/sysctl.d/00_tun0_noipv6.conf in
the proper folders (respectively /etc/default/openvpn,
/etc/openvpn/update-resolv-conf and /etc/sysctl.d/00_tun0_noipv6.conf).
The first file is the configuration for OpenVPN. The only interesting line
is AUTOSTART="nordvpn" which allows OpenVPN to automatically connect to
a VPN server, which configuration file is in /etc/openvpn/nordvpn.conf.
This file will be automatically generated by vpn-mgr.sh
The second file is used to prevent DNS leak.
The last file is to avoid ipv6 leaks as NordVPN doesn't support ipv6.
Finally, to automatically start OpenVPN on boot, we enable its service:
systemctl enable openvpn
vpn-mgr.sh
You can put the file vpn-mgr.sh wherever it is the most
convenient for you. A good folder would be in /usr/local/sbin/.
You can update the following variables (at the top of the file) with your values:
SERVERCONF_FILE='/etc/openvpn/nordvpn.conf'AUTHFILE='nordvpn_authentication'NET_INTERFACE='enp1s0'
Usage
You need to be root to use vpn-mgr.sh.
You can run vpn-mgr.sh help to see the full help. Briefly, you can
invoke it with the following commands:
help- shows the helpstart- starts the VPN and enable the kill switchstop- stop the VPN and disable the kill switchrestart- restart the VPN (useful when connection to VPN server is lost)status- tells the status of the VPN managerset- change the VPN server in used
More infornation on the set command.
You can chose which server to use for NordVPN here: https://nordvpn.com/servers/tools/.
vpn-mgr.sh set se203
This will automatically use the VPN server se203.nordvpn.com. What
happens exactly:
- if possible, it will download the full list of NordVPN servers from https://downloads.nordcdn.com/configs/archives/servers/ovpn.zip.
- it will copy the configuration file
se203.nordvpn.com.udp.ovpnto/etc/openvpn/nordvpn.conf- note that we use the UDP version
- it will update the configuration file by adding
- configuration to avoid DNS leak thanks to etc/openvpn/update-resolv-conf
- path to credential file to autoconnect
- name of the selected server as a comment on the last line
- update UFW rules
- restart OpenVPN and UFW
You then need to wait around 30 seconds before Internet comes back on the new server.
Use another VPN provider
This script has been created because the NordVPN app on Linux is not free (open source), and is widely bugged (lots of crashes).
This solution uses widely known tools (OpenVPN and UFW), and as far as I used it, it didn't crashed yet...
Now, if you want to use this script with another VPN provider, you only have to change the vpn-mgr.sh script a bit. Indeed, only these 2 functions are bounded to NordVPN:
_download-serverlistwhich downloads all the available servers from NordVPN_select_serverwhich selects a server from the aforementionned list.
These functions are 10 lines length so it should be very easy to use another provider. The main reason why it is not already here is because I only used NordVPN so far...
Feel free to contribute :)