Split tunneling: Difference between revisions
No edit summary |
No edit summary |
||
| Line 36: | Line 36: | ||
Configure VPN DNS Servers to Stop DNS Leaks | ===Configure VPN DNS Servers to Stop DNS Leaks=== | ||
Next we are going to prevent DNS leak. DNS Leaks are often the main reason your real identity gets exposed even if using VPN. You can read more about DNS leaks here and test them here. The update-resolv-conf script that comes with OpenVPN will automatically apply the preferred DNS servers when OpenVPN connects. | Next we are going to prevent DNS leak. DNS Leaks are often the main reason your real identity gets exposed even if using VPN. You can read more about DNS leaks here and test them here. The update-resolv-conf script that comes with OpenVPN will automatically apply the preferred DNS servers when OpenVPN connects. | ||
| Line 45: | Line 45: | ||
Open the update-resolv-conf file | Open the update-resolv-conf file | ||
sudo nano /etc/openvpn/update-resolv-conf | sudo nano /etc/openvpn/update-resolv-conf | ||
Locate this part | Locate this part | ||
# foreign_option_1='dhcp-option DNS 193.43.27.132' | # foreign_option_1='dhcp-option DNS 193.43.27.132' | ||
# foreign_option_2='dhcp-option DNS 193.43.27.133' | # foreign_option_2='dhcp-option DNS 193.43.27.133' | ||
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch' | # foreign_option_3='dhcp-option DOMAIN be.bnc.ch' | ||
Replace the part highlighted in red, make sure you uncomment (remove the # from beginning) these 3 lines, and pay attention to the third line where your need to replace DOMAIN with DNS. | Replace the part highlighted in red, make sure you uncomment (remove the # from beginning) these 3 lines, and pay attention to the third line where your need to replace DOMAIN with DNS. | ||
It should look exactly like this | It should look exactly like this | ||
foreign_option_1='dhcp-option DNS 208.67.222.222' | |||
foreign_option_2='dhcp-option DNS 208.67.220.220' | |||
foreign_option_3='dhcp-option DNS 8.8.8.8' | |||
Hit Ctrl+X, Y and Enter to Save. | Hit Ctrl+X, Y and Enter to Save. | ||
Your DNS is configured for OpenVPN to prevent DNS leaks. | Your DNS is configured for OpenVPN to prevent DNS leaks. | ||
===Split Tunneling with iptables and Routing Tables=== | |||
We will use iptables to mark packets from a user (in our case the vpn user), and then use routing tables to route these marked packets through the OpenVPN interface, while allowing unmarked packets direct access to the Internet. | |||
Create vpn User | |||
Create the user vpn. All of the applications you want tunneled over VPN will run as this user, especially your torrent client of choice (Transmission or Deluge). At the end of this guide you will see the links to our guides on how to configure Transmission and Deluge with Split Tunneling. | |||
Create vpn user with no login option | |||
sudo adduser --disabled-login vpn | |||
I suggest to leave personal details blank, just proceed with Enter, and finally answer Y to create vpn user. We disabled login for the vpn user for security reasons, there is no need to log in to the system as the vpn user. | |||
We are going to use the vpn user to run services (like Torrent client), it is recommended to add your regular user to the vpn group and vpn user to your regular user's group to avoid any permission issues. | |||
Replace username with the user you would like to add to the vpn group | |||
sudo usermod -aG vpn username | |||
Replace group with the group name of your regular user that you would like to add the vpn user to | |||
sudo usermod -aG group vpn | |||
==Sources== | ==Sources== | ||
https://www.htpcguides.com/compile-latest-openvpn-from-source-on-debian-8/<br> | https://www.htpcguides.com/compile-latest-openvpn-from-source-on-debian-8/<br> | ||
https://www.htpcguides.com/force-torrent-traffic-vpn-split-tunnel-debian-8-ubuntu-16-04/ | https://www.htpcguides.com/force-torrent-traffic-vpn-split-tunnel-debian-8-ubuntu-16-04/ | ||
Revision as of 22:04, 3 March 2022
setup openvpn
create systemd service file for openvpn
sudo nano /etc/systemd/system/openvpn@openvpn.service
[Unit] Description=OpenVPN connection to %i Documentation=man:openvpn(8) Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO After=network.target [Service] RuntimeDirectory=openvpn PrivateTmp=true KillMode=mixed Type=forking ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid PIDFile=/run/openvpn/%i.pid ExecReload=/bin/kill -HUP $MAINPID WorkingDirectory=/etc/openvpn Restart=on-failure RestartSec=3 ProtectSystem=yes LimitNPROC=10 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw [Install] WantedBy=multi-user.target
make sure the following are installed:
apt-get install nano sudo apt-utils iptables curl resolvconf unzip
Configure VPN DNS Servers to Stop DNS Leaks
Next we are going to prevent DNS leak. DNS Leaks are often the main reason your real identity gets exposed even if using VPN. You can read more about DNS leaks here and test them here. The update-resolv-conf script that comes with OpenVPN will automatically apply the preferred DNS servers when OpenVPN connects.
This script will make sure that when using OpenVPN you are not subject to DNS leaks. We will use PIA's DNS Servers (209.222.18.222 and 209.222.18.218) and Google's (8.8.8.8) as a third option. You are free to use the DNS servers you trust and prefer. It is advised to change the local DNS to a public even if you are not using VPN. If you are behind a router (and you probably are), it is also a good practice to configure public DNS address on the router too.
Note: make sure you are using a static IP on your machine or reserved DHCP also known as static DHCP. Do not configure the static IP on your server, as resolvconf will not work then. You should set the static IP from your router!
Open the update-resolv-conf file
sudo nano /etc/openvpn/update-resolv-conf
Locate this part
# foreign_option_1='dhcp-option DNS 193.43.27.132' # foreign_option_2='dhcp-option DNS 193.43.27.133' # foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
Replace the part highlighted in red, make sure you uncomment (remove the # from beginning) these 3 lines, and pay attention to the third line where your need to replace DOMAIN with DNS.
It should look exactly like this
foreign_option_1='dhcp-option DNS 208.67.222.222' foreign_option_2='dhcp-option DNS 208.67.220.220' foreign_option_3='dhcp-option DNS 8.8.8.8'
Hit Ctrl+X, Y and Enter to Save.
Your DNS is configured for OpenVPN to prevent DNS leaks.
Split Tunneling with iptables and Routing Tables
We will use iptables to mark packets from a user (in our case the vpn user), and then use routing tables to route these marked packets through the OpenVPN interface, while allowing unmarked packets direct access to the Internet.
Create vpn User Create the user vpn. All of the applications you want tunneled over VPN will run as this user, especially your torrent client of choice (Transmission or Deluge). At the end of this guide you will see the links to our guides on how to configure Transmission and Deluge with Split Tunneling.
Create vpn user with no login option
sudo adduser --disabled-login vpn
I suggest to leave personal details blank, just proceed with Enter, and finally answer Y to create vpn user. We disabled login for the vpn user for security reasons, there is no need to log in to the system as the vpn user.
We are going to use the vpn user to run services (like Torrent client), it is recommended to add your regular user to the vpn group and vpn user to your regular user's group to avoid any permission issues.
Replace username with the user you would like to add to the vpn group
sudo usermod -aG vpn username
Replace group with the group name of your regular user that you would like to add the vpn user to
sudo usermod -aG group vpn
Sources
https://www.htpcguides.com/compile-latest-openvpn-from-source-on-debian-8/
https://www.htpcguides.com/force-torrent-traffic-vpn-split-tunnel-debian-8-ubuntu-16-04/
