[lug] neat trick with gnome + network manager + VPN

Lee Woodworth blug-mail at duboulder.com
Fri Sep 15 23:25:10 MDT 2017


On 09/15/2017 10:58 AM, Bear Giles wrote:
> I have noscript. Unfortunately there are so many exceptions to get these
> sites to do what I went there for that some of these ads sneak through anyway.

Have you considered a filtering proxy on the VPN outbound side? tinyproxy
filters domains and you can set the logging level.

Using your own DNS resolver allows never using DNS forwarding. Perhaps
a little better security since resolution starts with the root servers.

I use both but do the filtering in the proxy instead of DNS. I think it's
easier to manage the proxy filter list than multiple zone files.

> 
> On Fri, Sep 15, 2017 at 10:46 AM, Davide Del Vento <
> davide.del.vento at gmail.com> wrote:
> 
>>> poorly written javascript that cause my browser to slow down and crash
>>
>> For this issue, the right solution is https://noscript.net/ not VPN + DNS
>> hijacking.
>>
>> On Fri, Sep 15, 2017 at 9:47 AM, Bear Giles <bgiles at coyotesong.com> wrote:
>>
>>> I've used HideMyAss in the past but I'm switching to my own servers on
>>> Digital Ocean and AWS. The cost with a nano instance is about the same as
>>> the cost of a decent commercial offering - about $60/year. I know there are
>>> cheaper sites but I just don't trust their economic model.
>>>
>>> I found an ipad app that takes openvpn config (and in fact it comes from
>>> a site that seems to be a commercial offering from the openvpn group) but
>>> haven't set it up yet since I don't have an imac and getting the .ovpn file
>>> onto the ipad requires a little more work.
>>>
>>> I also need to regenerate my keys. I've been using a test set that doesn't
>>> require a password - I want to switch to per-host keys with passwords.
>>>
>>> The funniest thing is that one of the biggest reasons for running your
>>> own VPN is that you don't have to worry about the VPN logging your
>>> activity. Running your own VPN is simultaneously less anonymous - someone
>>> doing a reverse IP address lookup will find your hosting company and they
>>> can identify what account has that IP address - but it's also more
>>> anonymous since you own the logs. The big guys can put in a network tap and
>>> see all the sites you go to but marketers can't get any information.
>>>
>>> So what's one of the first things I'm thinking of adding? My own caching
>>> DNS server. Something that will keep a log of every site I visit - and that
>>> means all of the ad servers, etc., not just the sites that appear in the
>>> address bar.
>>>
>>> The reason to do this is to blackhole abusive ad sites. I'm not opposed
>>> to ads at an abstract level, just the scammy ads and the ones that have
>>> poorly written javascript that cause my browser to slow down and crash.
>>> With the DNS server logs I can toss in my own DNS records that redirect
>>> these sites to my own server that immediately returns either a 404 or a
>>> blank page. Of course that now means that there's a nice handy list of all
>>> of the sites I visited (but not the URLs) if someone does get into the
>>> system.
>>>
>>> On Fri, Sep 15, 2017 at 8:16 AM, Quentin Hartman <qhartman at gmail.com>
>>> wrote:
>>>
>>>> Good trick! Thanks for sharing. What VPN service are you using?
>>>>
>>>> I just started using TunnelBear and it's working pretty well so far.
>>>> They don't "officially" support linux in that they don't build a client for
>>>> it, but they have instructions available for using standard VPN tools to
>>>> connect to their endpoints. The experience on my phone with their client is
>>>> very seamless.
>>>>
>>>> Q
>>>>
>>>> On Thu, Sep 14, 2017 at 7:58 PM, Bear Giles <bgiles at coyotesong.com>
>>>> wrote:
>>>>
>>>>> I came across this when playing with the VPN configurations.
>>>>>
>>>>> 0. install network-manager-openvpn-gnome.
>>>>>
>>>>> 1. right-click on network icon and go to bottom of menu - select Edit
>>>>> Connections.
>>>>>
>>>>> 2. create your VPN entry. (This lets you easily select it by
>>>>> right-clicking on the network icon and then selecting VPN Connections.) You
>>>>> can import a .ovpn file, or just read the configuration and figure out what
>>>>> values to use.
>>>>>
>>>>> 3. edit your wired and wifi connections. On the 'General' tab one of
>>>>> the last items is "Connect to this VPN...". You can specify one of your VPN
>>>>> connections.
>>>>>
>>>>> The wifi connections that launch without forcing me to a login page
>>>>> work fine - they launch with the VPN enabled.
>>>>>
>>>>> I haven't had a chance to try it on a wifi connection that requires a
>>>>> login page. It might be smart enough to recognize the private IP address
>>>>> range and not route through the VPN for those connections.
>>>>>
>>>>> This solves one of my annoyances - I might have a VPN account but a lot
>>>>> of traffic goes out between when I establish the connection and when I can
>>>>> right-click on the network icon and turn on the VPN. Not everything uses
>>>>> https. This should eliminate that window.
>>>>>
>>>>> _______________________________________________
>>>>> Web Page:  http://lug.boulder.co.us
>>>>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>>>>> Join us on IRC: irc.hackingsociety.org port=6667
>>>>> channel=#hackingsociety
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
> 
> 
> 
> 
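The two blocking approaches discussed in this thread, the caching resolver's query log as the source of ad hosts and a tinyproxy-style filter list on the proxy side, worked through as an added example that is not code from anyone in the thread. The query-log format, the filter-file semantics (one regular expression per line, case-insensitive) and the unbound `local-zone`/`local-data` record syntax for the blackhole are assumptions, and all sample data is constructed.

```python
import re
from collections import Counter

# Constructed sample of resolver query-log lines (loosely BIND-style); not real data.
QUERY_LOG = """\
client 10.8.0.2#51234: query: www.example.org IN A +
client 10.8.0.2#51235: query: ads.example.net IN A +
client 10.8.0.2#51236: query: cdn.example.org IN AAAA +
client 10.8.0.2#51237: query: tracker.adnet.example IN A +
client 10.8.0.2#51238: query: ads.example.net IN A +
"""

# Constructed tinyproxy-style filter list: one regular expression per line,
# matched case-insensitively against the host (assumed Filter-file semantics).
FILTER_LIST = r"""
# comments and blank lines are ignored
^ads\.
adnet\.example$
"""

QUERY_RE = re.compile(r"query: (\S+) IN ")

def domains_from_query_log(log_text):
    """Tally every name the resolver was asked for, including the ad and
    tracker hosts a page loads that never appear in the address bar."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            counts[m.group(1).lower().rstrip(".")] += 1
    return counts

def load_filter(filter_text):
    """Compile the proxy filter list, skipping comments and blanks."""
    return [re.compile(l, re.IGNORECASE) for l in map(str.strip, filter_text.splitlines())
            if l and not l.startswith("#")]

def blocked_from_log(log_text, filter_text):
    """Names seen in the query log that the proxy filter would block."""
    pats = load_filter(filter_text)
    return {d: n for d, n in domains_from_query_log(log_text).items()
            if any(p.search(d) for p in pats)}

def blackhole_config(domains, sink_ip):
    """Resolver records (unbound syntax, assumed) answering the names with the sink host."""
    out = []
    for d in sorted(domains):
        out.append(f'local-zone: "{d}" redirect')
        out.append(f'local-data: "{d} A {sink_ip}"')
    return out
```

The sink host (10.8.0.1 here, an assumed address on the VPN side) is the server that answers with a 404 or blank page; the generated records are the DNS equivalent of the proxy's filter list, so the same blocklist can be kept in either place.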