[lug] neat trick with gnome + network manager + VPN

Bear Giles bgiles at coyotesong.com
Fri Sep 15 09:47:42 MDT 2017


I've used HideMyAss in the past but I'm switching to my own servers on
Digital Ocean and AWS. The cost with a nano instance is about the same as
the cost of a decent commercial offering - about $60/year. I know there are
cheaper sites but I just don't trust their economic model.

I found an iPad app that takes OpenVPN config (and in fact it comes from a
site that seems to be a commercial offering from the OpenVPN group) but
haven't set it up yet since I don't have an iMac and getting the .ovpn file
onto the iPad requires a little more work.

I also need to regenerate my keys. I've been using a test set that doesn't
require a password - I want to switch to per-host keys with passwords.

The funniest thing is that one of the biggest reasons for running your own
VPN is that you don't have to worry about the VPN logging your activity.
Running your own VPN is simultaneously less anonymous - someone doing a
reverse IP address lookup will find your hosting company and they can
identify what account has that IP address - but it's also more anonymous
since you own the logs. The big guys can put in a network tap and see all
the sites you go to but marketers can't get any information.

So what's one of the first things I'm thinking of adding? My own caching
DNS server. Something that will keep a log of every site I visit - and that
means all of the ad servers, etc., not just the sites that appear in the
address bar.

The reason to do this is to blackhole abusive ad sites. I'm not opposed to
ads at an abstract level, just the scammy ads and the ones that have poorly
written JavaScript that causes my browser to slow down and crash. With the
DNS server logs I can toss in my own DNS records that redirect these sites
to my own server that immediately returns either a 404 or a blank page. Of
course that now means that there's a nice handy list of all of the sites I
visited (but not the URLs) if someone does get into the system.

On Fri, Sep 15, 2017 at 8:16 AM, Quentin Hartman <qhartman at gmail.com> wrote:

> Good trick! Thanks for sharing. What VPN service are you using?
>
> I just started using TunnelBear and it's working pretty well so far. They
> don't "officially" support Linux in that they don't build a client for it,
> but they have instructions available for using standard VPN tools to
> connect to their endpoints. The experience on my phone with their client is
> very seamless.
>
> Q
>
> On Thu, Sep 14, 2017 at 7:58 PM, Bear Giles <bgiles at coyotesong.com> wrote:
>
>> I came across this when playing with the VPN configurations.
>>
>> 0. install network-manager-openvpn-gnome.
>>
>> 1. right-click on network icon and go to bottom of menu - select Edit
>> Connections.
>>
>> 2. create your VPN entry. (This lets you easily select it by
>> right-clicking on the network icon and then selecting VPN Connections.) You
>> can import a .ovpn file, or just read the configuration and figure out what
>> values to use.
>>
>> 3. edit your wired and wifi connections. On the 'General' tab one of the
>> last items is "Connect to this VPN...". You can specify one of your VPN
>> connections.
>>
>> The wifi connections that launch without forcing me to a login page work
>> fine - they launch with the VPN enabled.
>>
>> I haven't had a chance to try it on a wifi connection that requires a
>> login page. It might be smart enough to recognize the private IP address
>> range and not route through the VPN for those connections.
>>
>> This solves one of my annoyances - I might have a VPN account but a lot
>> of traffic goes out between when I establish the connection and when I can
>> right-click on the network icon and turn on the VPN. Not everything uses
>> https. This should eliminate that window.
>>
>> _______________________________________________
>> Web Page:  http://lug.boulder.co.us
>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>>
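
The DNS-log blackholing idea from the message above, as an added example that is not part of the original post. It assumes the caching resolver is dnsmasq with query logging enabled; the log lines, blocked suffixes and the sink address 10.8.0.1 are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in dnsmasq's log-queries syslog format. Assumption: the
# caching resolver is dnsmasq; the post does not name one.
SAMPLE_LOG = """\
Sep 15 09:40:01 dnsmasq[812]: query[A] www.example.org from 10.8.0.2
Sep 15 09:40:01 dnsmasq[812]: forwarded www.example.org to 192.0.2.53
Sep 15 09:40:02 dnsmasq[812]: query[A] cdn.ads.example from 10.8.0.2
Sep 15 09:40:02 dnsmasq[812]: query[AAAA] cdn.ads.example from 10.8.0.2
Sep 15 09:40:03 dnsmasq[812]: query[A] track.ads.example from 10.8.0.2
Sep 15 09:40:03 dnsmasq[812]: query[A] notads.example from 10.8.0.2
Sep 15 09:40:04 dnsmasq[812]: query[A] Pixel.Metrics.test. from 10.8.0.2
Sep 15 09:40:05 dnsmasq[812]: reply www.example.org is 192.0.2.10
"""

QUERY_RE = re.compile(r"\bquery\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from \S+")

def normalize(name):
    """Lower-case and drop the trailing root dot so equal names compare equal."""
    return name.rstrip(".").lower()

def queried_names(log_text):
    """Count client queries per name; 'forwarded' and 'reply' lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            counts[normalize(m.group("name"))] += 1
    return counts

def suffix_hits(counts, suffix):
    """Queries for the suffix or any subdomain, matched on a label boundary."""
    suffix = normalize(suffix)
    return sum(n for name, n in counts.items()
               if name == suffix or name.endswith("." + suffix))

def blackhole_lines(counts, blocked, sink_ip):
    """dnsmasq 'address=' lines for blocked suffixes that were actually queried."""
    return [f"address=/{normalize(s)}/{sink_ip}"
            for s in blocked if suffix_hits(counts, s) > 0]

if __name__ == "__main__":
    counts = queried_names(SAMPLE_LOG)
    for name, n in counts.most_common():
        print(f"{n:3d}  {name}")
    # 10.8.0.1 is a hypothetical address for the local server that answers 404.
    print("\n".join(blackhole_lines(counts, ["ads.example", "metrics.test"], "10.8.0.1")))
```

In dnsmasq an `address=/domain/ip` line answers for the domain and all of its subdomains, which is why the hit count is taken per suffix rather than per exact name.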