wintermute1912 6 Posted ...

Ed. actually see my latest reply to this topic for some python code to modify all your ovpn files at once

----------

Hi all - inspired by some other threads I've been involved in here is part 1 of my Ubuntu setup - please don't hesitate to correct or comment:

The OS
======
I use Ubuntu 16.04.5 LTS. I don't use 18.04 LTS as I have found it difficult to get it set up just right. In particular I find preventing DNS leakage almost impossible.

Software & Updates
==================
Change the update server to the main server because you'll want to use apt while connected to your VPN and you don't want it connecting back to your country of origin's mirror.

GRUB
====
I modify /etc/default/grub thus:

    GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"

i.e. I disable ipv6 in GRUB as it's been my experience I cannot stop leaks and other unwanted peer communication whilever ipv6 is enabled. (Don't forget to run update-grub after.)

UFW
===
This is my minimal ufw init script:

    ufw reset
    ufw enable
    ufw default deny incoming
    ufw allow in 67/udp # for DHCP
    ufw allow in 53/udp # DNS
    ufw deny out 22,23/tcp # deny telnet and ssh
    ufw reload
    ufw status verbose

FIREFOX -P
==========
In Terminal run firefox -P, create a new profile "maxprivacy" and deselect the option for the default profile. Find the section on WebRTC and further securing firefox at https://privacytools.io (i.e. go through all the instructions to modify the settings such as geo.enabled and webgl.disabled etc.)

OPENVPN 2.4
===========
Ubuntu 16.04.5 doesn't come with OpenVPN 2.4 so you have to install it using the instructions here: https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos

AIRVPN CONFIG GENERATOR (https://airvpn.org/generator/)
=======================================================
Check "Advanced Mode"
Click Linux
Check "Separate keys/certs from .ovpn file"
Check "Resolved hosts in .ovpn file" <-- VERY IMPORTANT - STOPS YOUR ISP KNOWING YOU'RE CONNECTING TO AN AIRVPN SERVER
Scroll down to where the "Entry IP" 3 and 4 are (i.e. we only want to use the servers with TLS encryption enabled)
Select protocols UDP 443, 2018, 41185 for Entry 3 and Entry 4
Scroll down to where the individual servers are listed and click "Invert Selection" - now all the individual servers will be downloaded with resolved hostnames
Scroll to bottom of page and select both checkboxes then click Generate
On the generated settings page scroll all the way down till you see the ZIP file and download it.

In Terminal:
------------
    mkdir ~/mytemp && mkdir ~/mytemp/ovpntemp
    cd ~/mytemp/ovpntemp
    unzip ~/Downloads/AirVPN.zip
    rm ~/Downloads/AirVPN.zip
    chmod 600 *key # this makes sure only your user account can access your key files
    mkdir ~/.airvpn
    mv *key ~/.airvpn
    mv *crt ~/.airvpn # moving keys and certs to upper level directory - you only need one copy
    mkdir ~/.airvpn/UDP-443-TLS-PRI && mkdir ~/.airvpn/UDP-443-TLS-ALT
    mv Air*443*Entry3* ~/.airvpn/UDP-443-TLS-PRI
    mv Air*443*Entry4* ~/.airvpn/UDP-443-TLS-ALT

Repeat for ports 2018 and 41185 (i.e. make directories UDP-2018-TLS-PRI etc. and move the ovpn files).

MODIFY OVPN FILES
=================
This part is a little laborious unless you're handy with python or something to write a script to modify all your ovpn files. Basically before you connect to a particular server change the following lines in the ovpn file:

    ca "../ca.crt" # remember our key and crt files are one level above
    cert "../user.crt"
    key "../user.key"
    remote-cert-tls server
    cipher AES-256-CBC
    comp-lzo no
    proto udp
    tls-crypt "../tls-crypt.key"
    auth sha512
    # the following part locks down the DNS when connected
    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf

CONNECT TO VPN SERVER IN TERMINAL
=================================
    sudo openvpn <the ovpn file you just modified - be in the same directory as it>

In the output you should see something like this:

    ...
    Mon Nov 12 18:53:38 2018 /etc/openvpn/update-resolv-conf tun0 1500 1553 x1.x2.x3.x4 255.255.255.0 init
    dhcp-option DNS y1.y2.y3.y4
    Mon Nov 12 18:53:44 2018 /sbin/ip route add z1.z2.z3.z4/32 via m1.m2.m3.m4
    Mon Nov 12 18:53:44 2018 /sbin/ip route add 0.0.0.0/1 via y1.y2.y3.y4
    Mon Nov 12 18:53:44 2018 /sbin/ip route add 128.0.0.0/1 via y1.y2.y3.y4
    Mon Nov 12 18:53:44 2018 Initialization Sequence Completed
    ...

but CHECK THE DNS resolver using dig:

    dig www.ubuntu.com
    ...
    ;; Query time: 422 msec
    ;; SERVER: y1.y2.y3.y4#53(y1.y2.y3.y4) <-- if you see 127.0.0.1 here something is wrong!
    ;; WHEN: Mon Nov 12 20:02:37 AEDT 2018
    ;; MSG SIZE rcvd: 59

CHECK YOU HAVE NO DNS LEAKAGE and WebRTC is DISABLED
====================================================
Run firefox and select the maxprivacy profile
https://ipleak.net/
https://dnsleaktest.com/ (run extended tests)

Also in a separate terminal window you can run:

    sudo tcpdump -v -n 'port 53' -i tun0

which will show you all DNS resolution - you should only see server y1.y2.y3.y4 being used.

-----------
This is a work in progress - I'm yet to add sections for setting up rtorrent and running Tor browser
-----------
DISCLAIMER: I have no formal training in Linux, everything I know I've learnt from books or online. If I am in error anywhere don't hesitate to let me know - I welcome constructive feedback
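The three by-eye checks in the post above (the pushed "dhcp-option DNS" line, dig's ";; SERVER:" line, and the destinations in the tcpdump port-53 output) written as a small Python check; this is an added example, not code from the post, and the log, dig and tcpdump samples are constructed with made-up private addresses in place of y1.y2.y3.y4.

```python
import re

# Constructed sample output, not a real capture: an OpenVPN log excerpt, dig's
# footer and two 'tcpdump -n port 53' lines, with made-up private addresses.
OPENVPN_LOG = """\
Mon Nov 12 18:53:38 2018 /etc/openvpn/update-resolv-conf tun0 1500 1553 10.8.0.2 255.255.255.0 init
dhcp-option DNS 10.4.0.1
Mon Nov 12 18:53:44 2018 Initialization Sequence Completed
"""
DIG_FOOTER = """\
;; Query time: 422 msec
;; SERVER: 10.4.0.1#53(10.4.0.1)
;; WHEN: Mon Nov 12 20:02:37 AEDT 2018
"""
TCPDUMP = """\
20:02:37.101 IP 10.8.0.2.41234 > 10.4.0.1.53: 12345+ A? www.ubuntu.com. (32)
20:02:37.150 IP 10.8.0.2.41235 > 192.168.1.1.53: 12346+ A? example.org. (29)
"""
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

def pushed_dns(log):
    """Resolver addresses the VPN server pushed ('dhcp-option DNS ...' lines)."""
    return set(re.findall(r"dhcp-option DNS " + IPV4, log))

def dig_server(dig_output):
    """Resolver dig actually used, taken from its ';; SERVER:' footer line."""
    m = re.search(r";; SERVER: " + IPV4 + r"#53", dig_output)
    return m.group(1) if m else None

def dns_destinations(tcpdump_output):
    """Destination IPs of every port-53 packet in tcpdump -n output (with or without -v)."""
    return set(re.findall(r"> " + IPV4 + r"\.53:", tcpdump_output))

def find_leaks(log, dig_output, tcpdump_output):
    """List of findings; empty means every DNS query went to the VPN's resolver."""
    vpn_dns, findings = pushed_dns(log), []
    if not vpn_dns:
        findings.append("no DNS server pushed by the VPN, update-resolv-conf had nothing to apply")
    server = dig_server(dig_output)
    if server == "127.0.0.1":
        findings.append("dig used 127.0.0.1: a local stub resolver is still in charge")
    elif server not in vpn_dns:
        findings.append("dig used %s, which the VPN did not push" % (server or "an unknown resolver"))
    for dst in sorted(dns_destinations(tcpdump_output) - vpn_dns):
        findings.append("DNS query sent to %s, not a VPN resolver" % dst)
    return findings
```

Feed find_leaks the real openvpn output, the dig output and a saved tcpdump capture; the second constructed tcpdump line is there to show what a query to the wrong resolver looks like as a finding.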
OpenSourcerer 1435 Posted ...

> I use Ubuntu 16.04.5 LTS. I don't use 18.04 LTS as I have found it difficult to get it set up just right. In particular I find preventing DNS leakage almost impossible.

It may have something to do with the fact that 18.04 uses systemd-resolved for DNS resolution and that module does not use resolv.conf in its traditional sense. Seems like a misconfiguration on your part. I agree that 16.04 is safer in that regard.

> GRUB
> ====
> I modify /etc/default/grub thus:
> GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"
> i.e. I disable ipv6 in GRUB as it's been my experience I cannot stop leaks and other unwanted peer communication whilever ipv6 is enabled. (Don't forget to run update-grub after.)

This is one way of solving it. An easier one would be the sysctl way: In /etc/sysctl.conf, or in a file like /etc/sysctl.d/ipv6-disable.conf, append:

    net.ipv6.conf.all.disable_ipv6 = 1

Apply via sysctl -p

> In Terminal run firefox -P, create a new profile "maxprivacy" and deselect the option for the default profile. Find the section on WebRTC and further securing firefox at https://privacytools.io (i.e. go through all the instructions to modify the settings such as geo.enabled and webgl.disabled etc.)

This is not maxprivacy. This is maxprivacy. Might even call it overkillmaxprivacy, but it's max.

Those are no error corrections, they're additions. You went quite far with your thoughts, I really like this. Keep it up!
wintermute1912 6 Posted ...

> > I use Ubuntu 16.04.5 LTS. I don't use 18.04 LTS as I have found it difficult to get it set up just right. In particular I find preventing DNS leakage almost impossible.
>
> It may have something to do with the fact that 18.04 uses systemd-resolved for DNS resolution and that module does not use resolv.conf in its traditional sense. Seems like a misconfiguration on your part. I agree that 16.04 is safer in that regard.
>
> > GRUB
> > ====
> > I modify /etc/default/grub thus:
> > GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"
> > i.e. I disable ipv6 in GRUB as it's been my experience I cannot stop leaks and other unwanted peer communication whilever ipv6 is enabled. (Don't forget to run update-grub after.)
>
> This is one way of solving it. An easier one would be the sysctl way: In /etc/sysctl.conf, or in a file like /etc/sysctl.d/ipv6-disable.conf, append:
>
>     net.ipv6.conf.all.disable_ipv6 = 1
>
> Apply via sysctl -p
>
> > In Terminal run firefox -P, create a new profile "maxprivacy" and deselect the option for the default profile. Find the section on WebRTC and further securing firefox at https://privacytools.io (i.e. go through all the instructions to modify the settings such as geo.enabled and webgl.disabled etc.)
>
> This is not maxprivacy. This is maxprivacy. Might even call it overkillmaxprivacy, but it's max.
>
> Those are no error corrections, they're additions. You went quite far with your thoughts, I really like this. Keep it up!

Thank you muchly for the feedback and suggestions
wintermute1912 6 Posted ...

Again I am no expert in python but this script is handy to modify all the downloaded ovpn files to change the path to the crt and key files and add the section at the bottom to prevent DNS leakage. You can pass it a folder to operate on or leave the default which is current working directory:

    import os
    import sys
    import shutil


    class OVPNMod:
        def __init__(self, ovpndir=''):
            # the block exactly as the AirVPN generator writes it
            self.texttoreplace = ('ca "ca.crt"\n'
                                  'cert "user.crt"\n'
                                  'key "user.key"\n'
                                  'remote-cert-tls server\n'
                                  'cipher AES-256-CBC\n'
                                  'comp-lzo no\n'
                                  'proto udp\n'
                                  'tls-crypt "tls-crypt.key"\n'
                                  'auth sha512\n')
            # same block with the paths pointing one level up, plus the DNS lock-down
            self.replacementtext = ('ca "../ca.crt"\n'
                                    'cert "../user.crt"\n'
                                    'key "../user.key"\n'
                                    'remote-cert-tls server\n'
                                    'cipher AES-256-CBC\n'
                                    'comp-lzo no\n'
                                    'proto udp\n'
                                    'tls-crypt "../tls-crypt.key"\n'
                                    'auth sha512\n'
                                    '\n'
                                    'script-security 2\n'
                                    'up /etc/openvpn/update-resolv-conf\n'
                                    'down /etc/openvpn/update-resolv-conf\n')
            self.ovpndir = os.getcwd() if ovpndir == '' else ovpndir

        def processFiles(self):
            # only touch .ovpn files, so the .backup copies (and anything else in
            # the folder) are left alone if the script is run a second time
            files = sorted(f for f in os.listdir(self.ovpndir) if f.endswith('.ovpn'))
            for file in files:
                print('Processing {0}'.format(file))
                src = os.path.join(self.ovpndir, file)
                backup = src + '.backup'
                shutil.copy(src, backup)  # keep the original next to the modified file
                with open(backup, 'rt') as f:
                    content = f.read()
                content = content.replace(self.texttoreplace, self.replacementtext)
                with open(src, 'wt') as f2:
                    f2.write(content)
            return 0


    if __name__ == "__main__":
        ovpnmod = OVPNMod(sys.argv[1]) if len(sys.argv) >= 2 else OVPNMod()
        ovpnmod.processFiles()
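A check to run over the files after the script above has processed them, as an added example that is not code from the post: it parses an .ovpn file's directives and reports anything that departs from the setup in this thread (cert and key paths one level up, tls-crypt, the update-resolv-conf hooks, and remote lines that carry an IP address rather than a hostname, which is what the "Resolved hosts in .ovpn file" option is for). Both sample files are constructed, not real generator output.

```python
import re

# Constructed sample files, not real AirVPN output: GOOD is a file after the
# script above ran; BAD has a hostname remote and no DNS lock-down block.
GOOD_OVPN = """\
remote 203.0.113.10 443
ca "../ca.crt"
cert "../user.crt"
key "../user.key"
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
proto udp
tls-crypt "../tls-crypt.key"
auth sha512

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
"""
BAD_OVPN = GOOD_OVPN.replace("remote 203.0.113.10 443",
                             "remote example.invalid 443").split("script-security")[0]

# directive -> argument string that the setup described in this thread requires
REQUIRED = {"ca": '"../ca.crt"', "cert": '"../user.crt"', "key": '"../user.key"',
            "remote-cert-tls": "server", "tls-crypt": '"../tls-crypt.key"',
            "script-security": "2", "up": "/etc/openvpn/update-resolv-conf",
            "down": "/etc/openvpn/update-resolv-conf"}

def directives(text):
    """Map each directive name to the list of argument strings it appears with."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            key, _, args = line.partition(" ")
            out.setdefault(key, []).append(args.strip())
    return out

def check_ovpn(text):
    """Return the list of problems; an empty list means the file matches the setup."""
    d, problems = directives(text), []
    for key, want in REQUIRED.items():
        if want not in d.get(key, []):
            problems.append("missing or wrong: %s %s" % (key, want))
    for args in d.get("remote", []):  # every remote must be a resolved IP, not a hostname
        host = args.split()[0]
        if not re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            problems.append("remote %s is a hostname, not a resolved IP" % host)
    return problems
```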