[lug] neat trick with gnome + network manager + VPN

Bear Giles bgiles at coyotesong.com
Sat Sep 16 12:35:54 MDT 2017


I don't mind forwarding to Level 3 or Google. (An evil Google could still
link IP addresses between DNS lookups and gmail accounts - enough to get
down to the household level.) The goal is to NOT go through Comcast, not to
go totally dark.

I've been watching 'tail -f' on the logs. Lots of hits on facebook.com even
though it's blacklisted in my javascript filter.

... or so I thought. Turns out I had turned off SafeScript because of a
critical need and then forgot to turn it back on. At least another
extension says to block facebook cookies. Plus I haven't logged into it for
years - I only have an account to prevent someone else from pretending to
be me.

(Have I mentioned how evil facebook is? For a while they were even tracking
people without facebook accounts - they could still issue a cookie and
track all of the information provided by the sites that use their API. At
some point your name etc. will appear in the data. They claim they stopped
doing this.)

Turning on SafeScript again has really cut down on the DNS lookups. They're
also largely sites that I recognize.

.....

This morning I realized that there's probably an easy way to do selective
redirects with a proxy server instead of doing DNS hijacking in my own DNS
server. A reverse proxy has been another item on my 'to-do list' since I'm
constantly bouncing between 4(?) systems, to say nothing of the ubuntu
updates on 6+ systems. It's never reached the top of my list though.

On Fri, Sep 15, 2017 at 11:25 PM, Lee Woodworth <blug-mail at duboulder.com>
wrote:

> On 09/15/2017 10:58 AM, Bear Giles wrote:
> > I have noscript. Unfortunately there are so many exceptions to get these
> > sites to do what I went there for that some of these ads sneak through anyway.
>
> Have you considered a filtering proxy on the vpn outbound side? tinyproxy
> filters domains and you can set the logging level.
>
> Using your own DNS resolver allows never using DNS forwarding. Perhaps
> a little better security since resolution starts with the root servers.
>
> I use both but do the filtering in the proxy instead of DNS. I think it's
> easier to manage the proxy filter list than multiple zone files.
>
> >
> > On Fri, Sep 15, 2017 at 10:46 AM, Davide Del Vento <
> > davide.del.vento at gmail.com> wrote:
> >
> >>> poorly written javascript that causes my browser to slow down and crash
> >>
> >> For this issue, the right solution is https://noscript.net/ not VPN + DNS
> >> hijacking.
> >>
> >> On Fri, Sep 15, 2017 at 9:47 AM, Bear Giles <bgiles at coyotesong.com> wrote:
> >>
> >>> I've used HideMyAss in the past but I'm switching to my own servers on
> >>> Digital Ocean and AWS. The cost with a nano instance is about the same as
> >>> the cost of a decent commercial offering - about $60/year. I know there are
> >>> cheaper sites but I just don't trust their economic model.
> >>>
> >>> I found an ipad app that takes openvpn config (and in fact it comes from
> >>> a site that seems to be a commercial offering from the openvpn group) but
> >>> haven't set it up yet since I don't have an imac and getting the .ovpn file
> >>> onto the ipad requires a little more work.
> >>>
> >>> I also need to regenerate my keys. I've been using a test set that doesn't
> >>> require a password - I want to switch to per-host keys with passwords.
> >>>
> >>> The funniest thing is that one of the biggest reasons for running your
> >>> own VPN is that you don't have to worry about the VPN logging your
> >>> activity. Running your own VPN is simultaneously less anonymous - someone
> >>> doing a reverse IP address lookup will find your hosting company and they
> >>> can identify what account has that IP address - but it's also more
> >>> anonymous since you own the logs. The big guys can put in a network tap and
> >>> see all the sites you go to but marketers can't get any information.
> >>>
> >>> So what's one of the first things I'm thinking of adding? My own caching
> >>> DNS server. Something that will keep a log of every site I visit - and that
> >>> means all of the ad servers, etc., not just the sites that appear in the
> >>> address bar.
> >>>
> >>> The reason to do this is to blackhole abusive ad sites. I'm not opposed
> >>> to ads at an abstract level, just the scammy ads and the ones that have
> >>> poorly written javascript that causes my browser to slow down and crash.
> >>> With the DNS server logs I can toss in my own DNS records that redirect
> >>> these sites to my own server that immediately returns either a 404 or a
> >>> blank page. Of course that now means that there's a nice handy list of all
> >>> of the sites I visited (but not the URLs) if someone does get into the
> >>> system.
> >>>
> >>> On Fri, Sep 15, 2017 at 8:16 AM, Quentin Hartman <qhartman at gmail.com>
> >>> wrote:
> >>>
> >>>> Good trick! Thanks for sharing. What VPN service are you using?
> >>>>
> >>>> I just started using TunnelBear and it's working pretty well so far.
> >>>> They don't "officially" support linux in that they don't build a client for
> >>>> it, but they have instructions available for using standard VPN tools to
> >>>> connect to their endpoints. The experience on my phone with their client is
> >>>> very seamless.
> >>>>
> >>>> Q
> >>>>
> >>>> On Thu, Sep 14, 2017 at 7:58 PM, Bear Giles <bgiles at coyotesong.com>
> >>>> wrote:
> >>>>
> >>>>> I came across this when playing with the VPN configurations.
> >>>>>
> >>>>> 0. install network-manager-openvpn-gnome.
> >>>>>
> >>>>> 1. right-click on network icon and go to bottom of menu - select Edit
> >>>>> Connections.
> >>>>>
> >>>>> 2. create your VPN entry. (This lets you easily select it by
> >>>>> right-clicking on the network icon and then selecting VPN Connections.) You
> >>>>> can import a .ovpn file, or just read the configuration and figure out what
> >>>>> values to use.
> >>>>>
> >>>>> 3. edit your wired and wifi connections. On the 'General' tab one of
> >>>>> the last items is "Connect to this VPN...". You can specify one of your VPN
> >>>>> connections.
> >>>>>
> >>>>> The wifi connections that launch without forcing me to a login page
> >>>>> work fine - they launch with the VPN enabled.
> >>>>>
> >>>>> I haven't had a chance to try it on a wifi connection that requires a
> >>>>> login page. It might be smart enough to recognize the private IP address
> >>>>> range and not route through the VPN for those connections.
> >>>>>
> >>>>> This solves one of my annoyances - I might have a VPN account but a lot
> >>>>> of traffic goes out between when I establish the connection and when I can
> >>>>> right-click on the network icon and turn on the VPN. Not everything uses
> >>>>> https. This should eliminate that window.
> >>>>>
> >>>>> _______________________________________________
> >>>>> Web Page:  http://lug.boulder.co.us
> >>>>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >>>>> Join us on IRC: irc.hackingsociety.org port=6667
> >>>>> channel=#hackingsociety
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>>
> >>>
> >>
> >>
> >>
> >
> >
> >
> >
>
>
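The four NetworkManager steps quoted above, driven from nmcli instead of the GUI, as an added example that is not code from the thread. It assumes the openvpn plugin is installed (step 0), a placeholder .ovpn path and import name, and that the "Connect to this VPN" checkbox is backed by the connection.secondaries property, which is what nmcli sets here; uuid_for_name parses nmcli's NAME:UUID output and does not handle names that contain an escaped ':'.

```shell
#!/bin/sh
# Placeholders (not from the thread): where the .ovpn lives and the name nmcli
# gives the imported connection (it uses the file's base name by default).
OVPN_FILE="${OVPN_FILE:-$HOME/vpn/client.ovpn}"
VPN_NAME="${VPN_NAME:-client}"

# Pick the UUID for connection NAME out of "NAME:UUID" lines on stdin, the
# shape `nmcli -g NAME,UUID connection show` prints. Exit status 1 if absent.
uuid_for_name() {
    awk -F: -v n="$1" '$1 == n { print $2; found = 1 } END { exit !found }'
}

# Names of every wired and wifi connection NetworkManager knows about.
link_connections() {
    nmcli -g NAME,TYPE connection show \
        | awk -F: '$2 == "802-3-ethernet" || $2 == "802-11-wireless" { print $1 }'
}

# Step 2: import the .ovpn as a NetworkManager VPN connection.
import_vpn() {
    nmcli connection import type openvpn file "$OVPN_FILE"
}

# Step 3 for every wired/wifi connection: connection.secondaries is the property
# behind "Connect to this VPN", so each link brings the VPN up with it and no
# traffic leaves in the window before the VPN would be picked by hand.
attach_vpn_to_all() {
    vpn_uuid=$(nmcli -g NAME,UUID connection show | uuid_for_name "$VPN_NAME") || return 1
    link_connections | while read -r conn; do
        nmcli connection modify "$conn" connection.secondaries "$vpn_uuid"
        printf 'VPN %s attached to %s\n' "$VPN_NAME" "$conn"
    done
}

# Check afterwards: every wired/wifi entry should print the VPN's UUID.
show_secondaries() {
    link_connections | while read -r conn; do
        printf '%s: %s\n' "$conn" "$(nmcli -g connection.secondaries connection show "$conn")"
    done
}
```

Run import_vpn once, then attach_vpn_to_all and show_secondaries; an entry whose secondaries line comes back empty is one that will still pass traffic outside the VPN.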

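Bear's caching-DNS-plus-blackhole idea from the quoted messages, as an added example that is not code from the thread. It assumes dnsmasq with query logging as the caching resolver and a dnsmasq address= line as the redirect record, pointing at a sink web server on a constructed address (10.8.0.1); the log lines are constructed too.

```shell
#!/bin/sh
# Constructed sample of dnsmasq query-log lines (log-queries on); not real traffic.
SAMPLE_LOG='Sep 16 12:35:54 dnsmasq[1234]: query[A] www.example.org from 10.8.0.2
Sep 16 12:35:54 dnsmasq[1234]: query[A] ads.tracker-example.net from 10.8.0.2
Sep 16 12:35:55 dnsmasq[1234]: query[AAAA] ads.tracker-example.net from 10.8.0.2
Sep 16 12:35:56 dnsmasq[1234]: query[A] cdn.example.org from 10.8.0.2
Sep 16 12:35:57 dnsmasq[1234]: query[A] pixel.tracker-example.net from 10.8.0.2'

# Print the queried name from every query line on stdin, one per line.
query_names() {
    awk '{ for (i = 1; i <= NF; i++) if (index($i, "query[") == 1) print $(i + 1) }'
}

# Most-queried names first, "<count> <name>" per line: the review list for
# deciding which hosts are ad servers worth blackholing (and the same list
# someone who gets into the box would find, as the thread notes).
top_names() {
    query_names | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# One dnsmasq "address=" redirect per distinct queried name at or under SUFFIX,
# pointing at SINK, the local web server that answers a 404 or a blank page.
blackhole_seen() {
    sink=$1; suffix=$2
    query_names \
        | awk -v s="$suffix" '$0 == s || substr($0, length($0) - length(s)) == "." s' \
        | sort -u \
        | while read -r name; do printf 'address=/%s/%s\n' "$name" "$sink"; done
}

# Run over the constructed log; the same functions take a real log on stdin.
printf '%s\n' "$SAMPLE_LOG" | top_names
printf '%s\n' "$SAMPLE_LOG" | blackhole_seen 10.8.0.1 tracker-example.net
```

The blackhole_seen output goes into a file under /etc/dnsmasq.d/ and takes effect on the next dnsmasq restart.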
