Archive for January, 2012

28 Jan 12

HideMyAss VPN Part 3

So now we have our daemons with multiple tunnels; how do we keep them up to date? Below is the script I use to update the config. It performs some simple error checking to avoid restarting the tunnels unnecessarily, so you could run it from cron.

#!/bin/bash
# Refresh the UK and US split-tunnel configs and restart a tunnel only
# when its config has actually changed, so this is safe to run from cron.

UK_URL="http://vpn.hidemyass.com/vpnconfig/client_config.php?win=1&loc=UK,+London+(LOC1+S1)"
US_URL="http://vpn.hidemyass.com/vpnconfig/client_config.php?win=1&loc=USA,+New+York+(DC2+S1)"
UK_DOMAINS="www.bbc.co.uk www.itv.co.uk mercury.itv.com www.channel4.com ais.channel4.com ll.securestream.channel4.com"
US_DOMAINS="www.hulu.com www.vevo.com www.crackle.com"

# Quoted so the space-separated domain lists stay single array values
declare -A DOMAINS=(["uk"]="${UK_DOMAINS}" ["us"]="${US_DOMAINS}")
declare -A URL=(["uk"]="${UK_URL}" ["us"]="${US_URL}")

for COUNTRY in us uk
do
        TMPFILE=$(mktemp) || exit 1
        # Fetch the base config; stop (and clean up) if the download fails
        wget "${URL[${COUNTRY}]}" -O "${TMPFILE}" || { rm -f "${TMPFILE}"; exit 1; }
        # Point ca/cert/key at /etc/openvpn/keys and read credentials from /etc/openvpn/up
        sed -i -e 's/\.\/keys\//\/etc\/openvpn\/keys\//g' -e 's/^auth-user-pass/auth-user-pass \/etc\/openvpn\/up/' "${TMPFILE}"
        # Ignore the routes pushed by the server; only our own routes use the tunnel
        echo "route-nopull" >> "${TMPFILE}"
        echo "max-routes 10240" >> "${TMPFILE}"
        # For each domain: address -> AS number -> announced prefixes -> route lines
        for DOMAIN in ${DOMAINS[${COUNTRY}]}
        do
                echo origin "$(dig +short "${DOMAIN}" | tail -1)" | \
                nc asn.shadowserver.org 43 | awk '{print "prefix",$1}' | \
                nc asn.shadowserver.org 43 | \
                while read -r line
                do
                        echo -en "route "
                        ipcalc --nocolor --nobinary "${line}" | awk '/(Address|Netmask)/ {printf "%s ", $2}'
                        echo
                done
        done | sort -u >> "${TMPFILE}"
        # Compare against the live config (absent on the first run) and restart only on a change
        O_HASH=$(md5sum "/etc/openvpn/openvpn-${COUNTRY}.cfg" 2>/dev/null | awk '{print $1}')
        N_HASH=$(md5sum "${TMPFILE}" | awk '{print $1}')
        if [ "${O_HASH}" != "${N_HASH}" ]
        then
                echo "${O_HASH}"
                echo "${N_HASH}"
                echo "/etc/openvpn/openvpn-${COUNTRY}.cfg has changed"
                mv "${TMPFILE}" "/etc/openvpn/openvpn-${COUNTRY}.cfg"
                svc -d "/service/openvpn-${COUNTRY}"
                svc -u "/service/openvpn-${COUNTRY}"
        else
                rm "${TMPFILE}"
        fi
done
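
The updater above installs whatever wget handed back and only compares hashes afterwards, so an empty download, an HTML error page from the config URL or a half-written route line would go straight into the live config and trigger a restart. The following is an added example, not the post's script, of the gate I would put in front of that mv: it validates the candidate (non-empty, not HTML, carries the remote/ca/cert/key/route-nopull directives the tunnel relies on, every route line parses, and the auth-user-pass file is not readable by group or others), then installs it only when it differs byte-for-byte from the live file, so the caller runs svc -d/-u only on "installed". All paths are assumptions and the sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the post's script: a gate to put in front of the "mv"
# in the updater. It checks the candidate config first and tells the caller
# whether a restart (svc -d / svc -u) is actually needed.
# All paths are assumptions and the sample configs below are constructed.

# validate_ovpn_config FILE: 0 if FILE is a usable split-tunnel config.
# Rejects an empty file, an HTML error page, a config without the directives
# the post's tunnels rely on, a malformed "route" line, and a credentials
# file that group or others can read. Subshell body keeps its variables local.
validate_ovpn_config() (
    f=$1
    [ -s "$f" ] || { echo "rejected: $f is empty or missing" >&2; return 1; }
    if grep -qi '<html' "$f"; then
        echo "rejected: $f looks like an HTML page, not a config" >&2; return 1
    fi
    for d in remote ca cert key route-nopull; do
        grep -Eq "^$d([[:space:]]|\$)" "$f" ||
            { echo "rejected: $f has no '$d' directive" >&2; return 1; }
    done
    # every "route" line must be exactly "route NET MASK" with dotted quads
    awk 'function dq(s) { return s ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ }
         $1 == "route" && (NF != 3 || !dq($2) || !dq($3)) {
             print "rejected: bad route line: " $0; bad = 1 }
         END { exit bad }' "$f" >&2 || return 1
    # the file named by auth-user-pass holds the plaintext password: it must
    # exist and must not be readable by group or others
    cred=$(awk '$1 == "auth-user-pass" { print $2; exit }' "$f")
    if [ -n "$cred" ]; then
        [ -f "$cred" ] || { echo "rejected: credentials file $cred missing" >&2; return 1; }
        if find "$cred" \( -perm -040 -o -perm -004 \) | grep -q .; then
            echo "rejected: $cred is readable by group or others" >&2; return 1
        fi
    fi
)

# install_if_changed NEW LIVE: prints "installed" if LIVE was replaced by NEW,
# "unchanged" (and removes NEW) if the two are identical; returns 1 and leaves
# LIVE untouched if NEW is rejected. Restart the daemon only on "installed".
install_if_changed() {
    validate_ovpn_config "$1" || return 1
    if [ -f "$2" ] && cmp -s "$1" "$2"; then
        rm -f "$1"; echo unchanged
    else
        mv "$1" "$2"; echo installed
    fi
}

# make_samples DIR: write constructed sample files (not real HideMyAss output)
make_samples() {
    mkdir -p "$1/keys"
    printf 'sample-user\nsample-pass\n' > "$1/up"
    chmod 600 "$1/up"
    cat > "$1/good.cfg" <<EOF
client
dev tun
proto udp
remote vpn.example.invalid 443
ca $1/keys/ca.crt
cert $1/keys/client.crt
key $1/keys/client.key
auth-user-pass $1/up
route-nopull
route 212.58.224.0 255.255.224.0
route 132.185.0.0 255.255.0.0
EOF
    printf '<html><body>Service unavailable</body></html>\n' > "$1/html.cfg"
    # same config, but one route line left in CIDR form (the ipcalc step failed)
    sed 's/^route 132.185.0.0 255.255.0.0$/route 132.185.0.0\/16/' "$1/good.cfg" > "$1/badroute.cfg"
}

# Demonstration on the constructed samples (run directly: sh this-file.sh)
DEMO_DIR=$(mktemp -d) || exit 1
make_samples "$DEMO_DIR"
for c in good good html badroute; do
    cp "$DEMO_DIR/$c.cfg" "$DEMO_DIR/candidate.cfg"
    echo "$c: $(install_if_changed "$DEMO_DIR/candidate.cfg" "$DEMO_DIR/live.cfg" || echo rejected)"
done
rm -rf "$DEMO_DIR"
```

In the updater this slots in where the md5sum comparison is: after the route lines are appended, call install_if_changed on the temp file and the live config, and run the svc -d / svc -u pair only when it prints "installed". A rejected download leaves the running tunnel and its config exactly as they were.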

28 Jan 12

HideMyAss VPN Part 2

In the last post I showed how to create separate VPNs for different prefixes. Here I show how to ensure the different tunnels come up at boot and remain up. I use daemontools; Ubuntu users are probably best off using upstart.

We first need to add `auth-user-pass /etc/openvpn/up` to the config files, then create /etc/openvpn/up with your username and password on separate lines, and install daemontools. For this I use yaourt to pull it from the AUR; see https://wiki.archlinux.org/index.php/Yaourt for how to install yaourt.

yaourt -S daemontools

Add the following to inittab. I put mine after the su line, as I had problems when I put it at the end of the file.

sv:123456:respawn:/usr/sbin/svscanboot

Create a directory for the two daemons, make the run file and link them into /service/:

for i in uk us ; do
        mkdir /etc/openvpn-${i}
        echo '#!/bin/sh' > /etc/openvpn-${i}/run
        echo "exec /usr/sbin/openvpn /etc/openvpn/openvpn-${i}.cfg 1> log.1.out 2> log.2.out" >> /etc/openvpn-${i}/run
        # supervise only starts an executable run file
        chmod +x /etc/openvpn-${i}/run
        ln -sv /etc/openvpn-${i} /service/
done

Reboot. Use the following to check you have tun devices and routes for your new VPNs:

ifconfig ; netstat -rn

Check `man svc` and `man svstat` for basic info on daemontools.

The next and last part of this series will show how to keep your tunnels up to date.

28 Jan 12

HideMyAss VPN Part 1

So you have a VPN account, but it's a pain in the arse to change servers when you want to switch between iPlayer and Hulu. Below I describe the config I used to set up my system to have multiple VPNs depending on the destination. In the example below I will use iPlayer, i.e. http://www.bbc.co.uk.

OK, I'll start by saying I'm using Arch Linux, so the instructions will be for that; if you're stuck on a different distro, leave a comment and I'll try to help.

First install nc, ipcalc, dnsutils, openvpn, curl and unzip (because for some reason HideMyAss uses zip):

pacman -S openvpn curl unzip nc ipcalc dnsutils

Get a base UK file, selecting a location from the countries list:

wget http://vpn.hidemyass.com/vpnconfig/countries.php -O - | sed -e 's/ /+/g' -e 's/+$//'
wget "http://vpn.hidemyass.com/vpnconfig/client_config.php?win=1&loc=UK,+Greater+Manchester,+Manchester+(LOC1+S2)" -O /etc/openvpn/openvpn-uk.cfg

Add the option `route-nopull` to the config. This ignores the default route sent by the HideMyAss servers.

Now to get a list of prefixes associated with http://www.bbc.co.uk.

First get a starting address:

dig +short www.bbc.co.uk | tail -1
212.58.244.67

Then the AS number:

echo origin 212.58.244.67 | nc asn.shadowserver.org 43
2818 | 212.58.224.0/19 | BBC | UK | BBC.CO.UK | BBC

Then the associated prefixes:

echo "prefix 2818" |  nc asn.shadowserver.org 43

or

echo origin `dig +short www.bbc.co.uk | tail -1` | nc asn.shadowserver.org 43 | awk '{print "prefix",$1}' |  nc asn.shadowserver.org 43
132.185.128.0/20
132.185.144.0/20
132.185.240.0/24
132.185.0.0/16
212.58.224.0/19

Now we need to convert
from:
132.185.240.0/24
to:
route 132.185.240.0 255.255.255.0

I used the following, but I'm sure there is a better way:

echo -en "route " ; ipcalc --nocolor --nobinary 132.185.240.0/24 |  awk '/(Address|Netmask)/ {printf "%s ", $2}' ; echo

Adding it together:

{ echo "route-nopull" ; echo origin `dig +short www.bbc.co.uk | tail -1` | nc asn.shadowserver.org 43 | awk '{print "prefix",$1}' |  nc asn.shadowserver.org 43 | while read line ; do  echo -en "route " ; ipcalc --nocolor --nobinary ${line}  |  awk '/(Address|Netmask)/ {printf "%s ", $2}' ; echo ; done ; } >> /etc/openvpn/openvpn-uk.cfg
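
The prefix-to-route conversion above leans on ipcalc, and a prefix that ipcalc cannot parse still leaves a bare "route " line in the config. The following is an added example (not the post's code) of the same conversion in plain shell arithmetic, together with the AS-number and prefix parsing steps of the pipeline, run against constructed copies of the shadowserver replies shown above so it works offline. It goes slightly beyond the one-liner: host bits are cleared, malformed prefixes are rejected instead of producing a partial route line, and duplicate prefixes are collapsed.

```shell
#!/bin/sh
# Added example, not the post's own code: the prefix-to-route step of the
# post's pipeline in plain shell arithmetic (no ipcalc), with the AS-number
# and prefix parsing, run offline against constructed copies of the
# shadowserver replies shown in the post.

# Constructed replies to "origin 212.58.244.67" and "prefix 2818", in the
# format the post shows, with one duplicate prefix added to show the dedup.
SAMPLE_ORIGIN='2818 | 212.58.224.0/19 | BBC | UK | BBC.CO.UK | BBC'
SAMPLE_PREFIXES='132.185.128.0/20
132.185.144.0/20
132.185.240.0/24
132.185.0.0/16
212.58.224.0/19
132.185.240.0/24'

# asn_from_origin: stdin is an "origin" reply; print its AS number (field 1)
# only when that field really is a number, so a "no match" reply yields nothing
asn_from_origin() { awk '$1 ~ /^[0-9]+$/ { print $1; exit }'; }

# int_to_ip N: 32-bit integer to dotted quad
int_to_ip() {
    printf '%d.%d.%d.%d' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                         $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# is_octet S: true if S is a decimal 0..255 without leading zeros
# (a leading zero would be read as octal by $(( )))
is_octet() {
    case $1 in ''|*[!0-9]*|0?*) return 1;; esac
    [ "$1" -le 255 ]
}

# cidr_to_route A.B.C.D/LEN: print "route NET MASK" in OpenVPN syntax.
# Host bits are cleared, so 132.185.240.7/24 gives the same route as
# 132.185.240.0/24. Anything that is not a well-formed IPv4 prefix fails
# with status 1 and prints nothing. Subshell body keeps IFS, globbing and
# the positional parameters it rewrites local.
cidr_to_route() (
    ip=${1%/*}; len=${1#*/}
    [ "$ip" != "$1" ] || return 1                          # no "/" present
    case $len in ''|*[!0-9]*|0?*) return 1;; esac
    [ "$len" -le 32 ] || return 1
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1;; esac   # digits and single dots only
    IFS=.; set -f; set -- $ip
    [ $# -eq 4 ] || return 1
    for o in "$@"; do is_octet "$o" || return 1; done
    mask=$(( (1 << 32) - (1 << (32 - len)) ))              # needs 64-bit shell arithmetic
    net=$(( (($1 << 24) | ($2 << 16) | ($3 << 8) | $4) & mask ))
    printf 'route %s %s\n' "$(int_to_ip "$net")" "$(int_to_ip "$mask")"
)

# prefixes_to_routes: stdin is a "prefix" reply (one CIDR per line); emits
# one route line per distinct prefix and reports bad lines on stderr
prefixes_to_routes() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        cidr_to_route "$line" || echo "skipping malformed prefix: $line" >&2
    done | sort -u
}

# Demonstration on the constructed replies: the post's pipeline, offline
echo "AS number: $(printf '%s\n' "$SAMPLE_ORIGIN" | asn_from_origin)"
printf '%s\n' "$SAMPLE_PREFIXES" | prefixes_to_routes
```

To use it in the pipeline above, replace everything from `while read line` to `done` with `prefixes_to_routes`, so the second nc feeds it directly and only complete route lines reach the config file.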

Finally fetch the HideMyAss files:

wget https://vpn.hidemyass.com/linux.zip

Unzip linux.zip and copy the keys directory to /etc/openvpn/keys. Update the ca, cert and key parameters in /etc/openvpn/openvpn-uk.cfg, changing the ./keys/ directory to /etc/openvpn/keys/:

unzip linux.zip
mv keys /etc/openvpn/
sed -i 's/\.\/keys\//\/etc\/openvpn\/keys\//g' /etc/openvpn/openvpn-uk.cfg

Start OpenVPN and enter your username and password:

openvpn /etc/openvpn/openvpn-uk.cfg

Now traffic destined for the BBC will originate from a UK server. You can now create another config to set up a tunnel for the US which is only valid for Hulu, e.g.

wget "http://vpn.hidemyass.com/vpnconfig/client_config.php?win=1&loc=USA,+New+York+(DC2+S1)" -O /etc/openvpn/openvpn-us.cfg
{ echo "route-nopull" ; echo origin `dig +short www.hulu.com | tail -1` | nc asn.shadowserver.org 43 | awk '{print "prefix",$1}' |  nc asn.shadowserver.org 43 | while read line ; do  echo -en "route " ; ipcalc --nocolor --nobinary ${line}  |  awk '/(Address|Netmask)/ {printf "%s ", $2}' ; echo ; done ; } >> /etc/openvpn/openvpn-us.cfg
openvpn /etc/openvpn/openvpn-us.cfg

In the next part I show how to make these VPNs into daemons using daemontools.