Archive for January, 2012


HideMyAss VPN Part 3

So now we have our daemons with multiple tunnels so how do we keep them uptodate. Below is the script i use to update the config. it preforms some simple error checking to avoid restarting the tunnels unnecessarily so you could possibly run it from cron



declare -A DOMAINS=(["uk"]=${UK_DOMAINS} ["us"]=${US_DOMAINS})
declare -A URL=(["uk"]=${UK_URL} ["us"]=${US_URL})

for COUNTRY in us uk
        TMPFILE=`mktemp` || exit 1
        wget "${URL[${COUNTRY}]}" -O ${TMPFILE}  || exit 1
        sed -i -e 's/\.\/keys\//\/etc\/openvpn\/keys\//g' -e 's/^auth-user-pass/auth-user-pass \/etc\/openvpn\/up/' ${TMPFILE}
        echo "route-nopull" >> ${TMPFILE}
        echo "max-routes 10240" >> ${TMPFILE}
        for DOMAIN in ${DOMAINS[${COUNTRY}]}
                echo origin $(dig +short ${DOMAIN} | tail -1)  | \
                nc 43 | awk '{print "prefix",$1}'  | \
                nc 43  | \
                while read line
                        echo -en "route "  
                        ipcalc --nocolor --nobinary ${line}  |  awk '/(Address|Netmask)/ {printf "%s ", $2}'  
        done | sort | uniq >> ${TMPFILE}
        O_HASH=$(md5sum /etc/openvpn/openvpn-${COUNTRY}.cfg | awk '{print $1}')
        N_HASH=$(md5sum ${TMPFILE} | awk '{print $1}')
        if [ "${O_HASH}" != "${N_HASH}" ]
                echo "${O_HASH}"
                echo "${N_HASH}"
                echo  "/etc/openvpn/openvpn-${COUNTRY}.cfg has changed"
                mv ${TMPFILE}  /etc/openvpn/openvpn-${COUNTRY}.cfg
                svc -d  /service/openvpn-${COUNTRY}
                svc -u  /service/openvpn-${COUNTRY}
                rm  ${TMPFILE}

HideMyAss VPN Part 2

In the last post i showed how to create seperate vpns for differnt prefixes. Here i show how to ensure different tunnels come up at boot and remain up.  i use daemontools, ubuntu users are probably best using upstart.

We first need to add auth-user-pass /etc/openvpn/up to the config files. Then create  /etc/openvpn/up with your username and password on separate lines.  and install daemontools.  for this i use yaourt to pull it from AUR.  check here for how to install yaourt

yaourt -S daemontools

add the following to initab, i put mine after the su line. i had problems when i put it at the end of the file.


create a directory for the two damons, make the run file and link them to /services/

for i in uk us ; do mkdir /etc/openvpn-${i}; echo  '#!/bin/sh' > /etc/openvpn-${i}/run ; echo "exec /usr/sbin/openvpn /etc/openvpn/openvpn-${i}.cfg  1> log.1.out 2> log.2.out" >> /etc/openvpn-${i}/run ; ln -sv /etc/openvpn-${i} /service/; done

reboot. use the following to check you have tun devices and routes for you new vpns

ifconfig ; netstat -rn

check `man svc` and `man svstat` for basic info on daemon tools

The next and last part of this series will show how to keep your tunnels upto date


HideMyAss VPN Part 1

So you have a vpn account but its a pain in the arse to change servers when you want to change between iplayer and hulu. Below i describe the config i used to set up my system to have multiple vpns depending on the destination. in the below example i will use iplayer i.e.

Ok i’ll start by saying im using arch linux so instructions will be for that, if your stuck on a different distro, leave comments and ill try to help

First install nc, ipcalc, dnsutils, openvpn, curl and unzip (because for some reason hide my ass uses zip)

pacman -S openvpn curl unzip nc ipcalc dnsutils

Get a base uk file, selecting a location from the countries file

wget -O - | sed -e 's/ /+/g' -e s'/+$//'
wget,+Greater+Manchester,+Manchester+(LOC1+S2) > /etc/openvpn/openvpn-uk.cfg

Add the option `route-nopull` to the config. This ignores the default route sent by the hidemyass servers.

Now to get a list of prefixes associated with

First get a starting address:

dig +short | tail -1

Then the AS number:

echo origin | nc 43
2818 | | BBC | UK | BBC.CO.UK | BBC

Then the associated prefixes

echo "prefix 2818" |  nc 43


echo origin `dig +short | tail -1` | nc 43 | awk '{print "prefix",$1}' |  nc 43

now we need to convert

i used the following but im sure there is a better way:

echo -en "route " ; ipcalc --nocolor --nobinary |  awk '/(Address|Netmask)/ {printf "%s ", $2}' ; echo

Adding it together:

echo "route-nopull"; echo origin `dig +short | tail -1` | nc 43 | awk '{print "prefix",$1}' |  nc 43 | while read line ; do  echo -en "route " ; ipcalc --nocolor --nobinary ${line}  |  awk '/(Address|Netmask)/ {printf "%s ", $2}' ; echo ; done >> /etc/openvpn/openvpn-uk.cfg

Finally fetch the hidemyass files:


unzip the file and copy the keys directory to /etc/openvpn/keys. Update the ca, cert and keys parameters in  /etc/openvpn/openvpn-uk.cfg changing the directory to /etc/openvpn/openvpn-uk.cfg

mv keys /etc/openvpn/
sed -i 's/\.\/keys\//\/etc\/openvpn\/keys\//g' /etc/openvpn/openvpn-uk.cfg

start openvpn and enter your username and password.

openvpn /etc/openvpn/openvpn-uk.cfg

Now traffic destined for the bbc will originate from a uk server. you can now create another config using to set up a tunnel for the us which is only valid for hulu. e.g.

wget,+New+York+(DC2+S1) > /etc/openvpn/openvpn-uk.cfg
echo "route-nopull"; echo origin `dig +short | tail -1` | nc 43 | awk '{print "prefix",$1}' |  nc 43 | while read line ; do  echo -en "route " ; ipcalc --nocolor --nobinary ${line}  |  awk '/(Address|Netmask)/ {printf "%s ", $2}' ; echo ; done >> /etc/openvpn/openvpn-us.cfg
openvpn /etc/openvpn/openvpn-us.cfg

in the next part i show how to make these vpns into a daemon using daemon tools