Hi all - inspired by some other threads I've been involved in, here is part 1 of my Ubuntu setup. Please don't hesitate to correct or comment:
I use Ubuntu 16.04.5 LTS. I don't use 18.04 LTS as I have found it difficult to get it set up just right. In particular I find preventing DNS leakage almost impossible.
Software & Updates
Change the download server (Software & Updates > Ubuntu Software > "Download from") from the country mirror chosen at install time to "Main server", because you'll want to run apt while connected to your VPN and you don't want it connecting back to your country of origin's mirror.
I modify /etc/default/grub thus:
GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"
i.e. I disable ipv6 in GRUB as it's been my experience I cannot stop leaks and other unwanted peer communication while ipv6 is enabled.
(don't forget to run sudo update-grub afterwards and reboot; once the kernel is up with ipv6.disable=1, ip -6 addr should print nothing)
This is my minimal ufw init script:
#!/bin/sh
# run as root
set -e
ufw default deny incoming
ufw default allow outgoing
# No "allow in 67/udp" or "allow in 53/udp" rules are needed on a client: ufw's
# built-in before.rules already accept DHCP client replies (udp sport 67 -> dport 68)
# and any reply to a connection this host opened (RELATED,ESTABLISHED), which
# covers DNS answers. Opening udp/53 inbound would only expose the host.
ufw deny out 22,23/tcp # deny outbound ssh and telnet
ufw --force enable     # --force skips the interactive "may disrupt ssh" prompt
ufw status verbose
In a terminal run firefox -P, create a new profile "maxprivacy" and untick the option that starts the default profile without asking, so you choose the profile every time. Then go through the Firefox section at https://privacytools.io: disable WebRTC (media.peerconnection.enabled = false in about:config; otherwise a site can learn your real and local IP addresses through ICE candidates even while the VPN is up) and apply the other about:config changes listed there, such as geo.enabled = false and webgl.disabled = true.
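Rather than clicking through about:config for every new profile, the prefs can be dropped into the profile's user.js, which Firefox re-applies at every start (so a pref changed back in the UI is reset next launch). The script below is an added example, not from the original post or from privacytools.io: it assumes the standard ~/.mozilla/firefox/profiles.ini layout, and the pref list is an illustrative subset (WebRTC, camera/mic enumeration, geolocation, WebGL, prefetch, IPv6 DNS, resistFingerprinting), not the full privacytools.io list.

```shell
#!/bin/sh
# Write hardening prefs into a named Firefox profile's user.js.
# Assumes ~/.mozilla/firefox/profiles.ini (Name=/Path=/IsRelative= per section).
set -eu

# Resolve the on-disk directory of a profile by its Name= in profiles.ini.
# Prints nothing when no profile of that name exists.
find_profile_dir() {
    name="$1"; ini="$2"; base=$(dirname "$ini")
    awk -v want="$name" -v base="$base" '
        function emit() { if (n == want && p != "") print (rel ? base "/" p : p) }
        /^\[/          { emit(); n = ""; p = ""; rel = 1 }   # new [ProfileN] section
        /^Name=/       { n = substr($0, 6) }
        /^Path=/       { p = substr($0, 6) }
        /^IsRelative=/ { rel = substr($0, 12) + 0 }
        END            { emit() }
    ' "$ini"
}

# Append the example pref set to <profile>/user.js (created if missing).
write_privacy_prefs() {
    dir="$1"
    cat >> "$dir/user.js" <<'EOF'
// --- added privacy prefs (example subset of the privacytools.io list) ---
user_pref("media.peerconnection.enabled", false);  // WebRTC off: no real/local IP via ICE
user_pref("media.navigator.enabled", false);       // no camera/mic device enumeration
user_pref("geo.enabled", false);                   // geolocation API off
user_pref("webgl.disabled", true);                 // WebGL off (fingerprinting surface)
user_pref("network.dns.disablePrefetch", true);    // no speculative DNS lookups
user_pref("network.prefetch-next", false);         // no link prefetch
user_pref("network.dns.disableIPv6", true);        // matches ipv6.disable=1 on the kernel line
user_pref("privacy.resistFingerprinting", true);
EOF
}

# Usage: ./ffprefs.sh maxprivacy   (run with Firefox closed)
if [ "$#" -eq 1 ]; then
    dir=$(find_profile_dir "$1" "$HOME/.mozilla/firefox/profiles.ini")
    [ -n "$dir" ] || { echo "profile '$1' not found" >&2; exit 1; }
    write_privacy_prefs "$dir"
    echo "wrote $dir/user.js"
fi
```

Run it once after creating the profile; afterwards about:config will show the prefs as locked-in user values every time the maxprivacy profile starts.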
Ubuntu 16.04.5 ships OpenVPN 2.3, which does not support tls-crypt (needed for the Entry IP 3/4 configs below), so you have to install OpenVPN 2.4 using the instructions here:
AIRVPN CONFIG GENERATOR (https://airvpn.org/generator/)
Check "Advanced Mode"
Check "Separate keys/certs from .ovpn file"
Check "Resolved hosts in .ovpn file" <-- VERY IMPORTANT: the .ovpn then carries the server's IP address instead of its hostname, so no DNS lookup for an airvpn.org name goes to your ISP's resolver before the tunnel is up. (Your ISP can still see the destination IP; this removes the tell-tale hostname lookup, not the connection itself.)
Scroll down to where the "Entry IP" 3 and 4 are (i.e. we only want the entry IPs that use tls-crypt, which encrypts the OpenVPN control channel as well as authenticating it)
Select protocols UDP 443, 2018, 41185 for Entry 3 and Entry 4
Scroll down to where the individual servers are listed and click "Invert Selection" - now all the individual servers will be downloaded with resolved hostnames
Scroll to bottom of page and select both checkboxes then click Generate
On the generated settings page scroll all the way down till you see the ZIP file and download it.
mkdir -p ~/mytemp/ovpntemp ~/.airvpn
# unzip the generator's ZIP into ~/mytemp/ovpntemp and cd there before the next steps
chmod 600 *.key           # this makes sure only your user account can read the private key files
mv *.key *.crt ~/.airvpn  # keys and certs live one level above the per-port directories - you only need one copy
for p in 443 2018 41185; do
    mkdir -p ~/.airvpn/UDP-$p-TLS-PRI ~/.airvpn/UDP-$p-TLS-ALT
    mv Air*"$p"*Entry3* ~/.airvpn/UDP-$p-TLS-PRI   # Entry IP 3 = primary
    mv Air*"$p"*Entry4* ~/.airvpn/UDP-$p-TLS-ALT   # Entry IP 4 = alternate
done
MODIFY OVPN FILES
This part is a little laborious unless you're handy with python or something to write a script to modify all your ovpn files. Basically before you connect to a particular server change the following lines in the ovpn file:
ca "../ca.crt" # remember our key and crt files are one level above
# the following part locks down the DNS when connected
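The per-file edits above can be done in one pass. The script below is an added example, not from the original post or from AirVPN: it assumes the directive names the generator emits with "Separate keys/certs from .ovpn file" (ca, cert, key, and tls-auth or tls-crypt) and the /etc/openvpn/update-resolv-conf hook script that Ubuntu's openvpn package ships (the one visible in the connection log later in this post). It rewrites the file references to point one level up and appends the resolver hooks, and is safe to rerun.

```shell
#!/bin/sh
# Batch-edit every AirVPN .ovpn in one of the UDP-*-TLS-* directories so that
# (1) ca/cert/key/tls-auth/tls-crypt point one level up (../ca.crt etc.) and
# (2) the DNS pushed by the server is applied through update-resolv-conf.
set -eu

fix_ovpn_dir() {
    dir="$1"
    for f in "$dir"/*.ovpn; do
        [ -e "$f" ] || continue
        # ca "ca.crt" / cert user.crt / tls-auth "ta.key" 1  ->  ca "../ca.crt" ...
        # A value already containing "/" does not match, so rerunning is a no-op.
        sed -i -E \
          's#^(ca|cert|key|tls-auth|tls-crypt)[[:space:]]+"?([^"/[:space:]]+)"?([[:space:]]|$)#\1 "../\2"\3#' \
          "$f"
        # DNS lock-down: script-security 2 lets openvpn run the up/down script,
        # which writes the pushed "dhcp-option DNS" into resolv.conf and restores
        # the previous resolver on disconnect. Appended only once.
        if ! grep -q '^up /etc/openvpn/update-resolv-conf' "$f"; then
            printf '%s\n' \
                'script-security 2' \
                'up /etc/openvpn/update-resolv-conf' \
                'down /etc/openvpn/update-resolv-conf' >> "$f"
        fi
    done
}

# Usage: ./fix-ovpn.sh ~/.airvpn/UDP-443-TLS-PRI   (repeat for each directory)
if [ "$#" -eq 1 ]; then
    fix_ovpn_dir "$1"
fi
```

Note that update-resolv-conf only rewrites /etc/resolv.conf; if NetworkManager's dnsmasq stub (127.0.1.1) is still in front of it, the dig check below will show the stub rather than the VPN resolver.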
CONNECT TO VPN SERVER IN TERMINAL
sudo openvpn --config <the ovpn file you just modified> (run it from the directory containing the file, or add --cd <that directory>, so the relative ../ca.crt paths resolve)
In the output you should see something like this:
Mon Nov 12 18:53:38 2018 /etc/openvpn/update-resolv-conf tun0 1500 1553 x1.x2.x3.x4 255.255.255.0 init
dhcp-option DNS y1.y2.y3.y4
Mon Nov 12 18:53:44 2018 /sbin/ip route add z1.z2.z3.z4/32 via m1.m2.m3.m4
Mon Nov 12 18:53:44 2018 /sbin/ip route add 0.0.0.0/1 via y1.y2.y3.y4
Mon Nov 12 18:53:44 2018 /sbin/ip route add 128.0.0.0/1 via y1.y2.y3.y4
Mon Nov 12 18:53:44 2018 Initialization Sequence Completed
but CHECK THE DNS resolver using dig (e.g. dig example.com) and look at the statistics at the end of the output:
;; Query time: 422 msec
;; SERVER: y1.y2.y3.y4#53(y1.y2.y3.y4) <-- if you see 127.0.0.1 or 127.0.1.1 (the local dnsmasq stub) here something is wrong: the stub may still be forwarding to your ISP's resolver
;; WHEN: Mon Nov 12 20:02:37 AEDT 2018
;; MSG SIZE rcvd: 59
CHECK YOU HAVE NO DNS LEAKAGE and WebRTC is DISABLED
Run firefox and select the maxprivacy profile (confirm media.peerconnection.enabled is false in about:config), then in another terminal:
sudo tcpdump -v -n 'port 53' -i tun0
which shows the DNS queries going through the tunnel - every one should be to server y1.y2.y3.y4. That capture alone cannot prove there is no leak, because a leaked query never enters tun0: run the same capture on the physical interface as well (e.g. -i eth0 or -i wlan0) and you should see no port 53 traffic there at all while browsing.
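The two checks above (resolver actually in use, and nothing on port 53 outside the tunnel) can be scripted so they run the same way after every connect. This is an added example, not part of the original post: it assumes the VPN resolver address (the "dhcp-option DNS" value from the openvpn log, y1.y2.y3.y4 above) is passed as the argument, that the uplink is eth0 or wlan0, and that timeout and tcpdump are installed.

```shell
#!/bin/sh
# DNS leak check for the tunnel: the resolver in use must be the one the VPN
# pushed, and no DNS packet may appear on the physical interface.
set -eu

# Pull the answering server out of dig's statistics section (stdin).
#   ";; SERVER: 10.4.0.1#53(10.4.0.1)"  ->  "10.4.0.1"
dig_server() {
    sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'
}

# 0 if every nameserver in a resolv.conf-style file is the expected one;
# otherwise print the strays (127.0.1.1 stub, ISP resolver, ...) and return 1.
resolvconf_clean() {
    want="$1"; file="$2"
    stray=$(awk -v want="$want" '$1 == "nameserver" && $2 != want { print $2 }' "$file")
    [ -z "$stray" ] && return 0
    printf 'resolv.conf still lists: %s\n' "$stray" >&2
    return 1
}

# Usage: ./dnscheck.sh y1.y2.y3.y4   (with the tunnel up; browse while it runs)
if [ "$#" -eq 1 ]; then
    vpn_dns="$1"
    resolvconf_clean "$vpn_dns" /etc/resolv.conf
    used=$(dig example.com | dig_server)
    [ "$used" = "$vpn_dns" ] || { echo "dig answered from $used, not $vpn_dns" >&2; exit 1; }
    # Leak test proper: watch the physical interface, not tun0. With -c 1 tcpdump
    # exits 0 as soon as a DNS packet is seen; if nothing arrives for 15 s,
    # timeout ends it with a non-zero status and that interface is clean.
    for dev in eth0 wlan0; do
        ip link show "$dev" >/dev/null 2>&1 || continue
        if sudo timeout 15 tcpdump -n -i "$dev" -c 1 'udp port 53 or tcp port 53' >/dev/null 2>&1; then
            echo "LEAK: DNS packet seen on $dev outside the tunnel" >&2
            exit 1
        fi
    done
    echo "OK: resolver $vpn_dns in use, nothing on port 53 outside the tunnel"
fi
```

Keep the tcpdump on tun0 from the post for seeing what the tunnel carries; the physical-interface capture is the one that actually detects a leak.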
This is a work in progress - I'm yet to add sections for setting up rtorrent and running Tor browser
DISCLAIMER: I have no formal training in Linux; everything I know I've learnt from books or online. If I am in error anywhere don't hesitate to let me know - I welcome constructive feedback.