
My Ubuntu 16.04.5 LTS setup Part 1

ubuntu linux

2 replies to this topic

#1 wintermute1912
Member, 23 posts

Posted 12 November 2018 - 09:49 AM

Hi all - inspired by some other threads I've been involved in, here is part 1 of my Ubuntu setup - please don't hesitate to correct or comment:


The OS
======
I use Ubuntu 16.04.5 LTS. I don't use 18.04 LTS as I have found it difficult to get it set up just right. In particular I find preventing DNS leakage almost impossible.

Software & Updates
==================
Change the update server to the main server because you'll want to use apt while connected to your VPN and you don't want it connecting back to your country of origin's mirror ;)

GRUB
====
I modify /etc/default/grub thus:
GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"
i.e. I disable ipv6 in GRUB as it's been my experience I cannot stop leaks and other unwanted peer communication whilever ipv6 is enabled.
(don't forget to run update-grub after)

UFW
===
This is my minimal ufw init script:

#!/bin/sh
# minimal ufw init - run as root (e.g. sudo sh ufw-init.sh)
ufw --force reset                 # --force skips the interactive confirmation so the script runs unattended
ufw default deny incoming
ufw allow in 68/udp               # DHCP client: the server's replies arrive on port 68 (67 is the server side);
                                  # ufw's default before.rules already permit this, so the rule is belt and braces
ufw allow in 53/udp               # inbound DNS; replies to your own queries are already allowed as established traffic
ufw deny out 22,23/tcp            # deny telnet and ssh
ufw enable                        # enable once the rules are in place; no separate reload needed
ufw status verbose

FIREFOX -P
==========
In Terminal run firefox -P, create a new profile "maxprivacy" and deselect the option for the default profile. Find the section on WebRTC and further securing firefox at https://privacytools.io (i.e. go through all the instructions to modify the settings such as geo.enabled and webgl.disabled etc.)

OPENVPN 2.4
===========
Ubuntu 16.04.5 doesn't come with OpenVPN 2.4 so you have to install it using the instructions here:
https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos

AIRVPN CONFIG GENERATOR (https://airvpn.org/generator/)
=======================================================
Check "Advanced Mode"
Click Linux
Check "Separate keys/certs from .ovpn file"
Check "Resolved hosts in .ovpn file"  <-- VERY IMPORTANT - STOPS YOUR ISP KNOWING YOU'RE CONNECTING TO AN AIRVPN SERVER
Scroll down to where the "Entry IP" 3 and 4 are (i.e. we only want to use the servers with TLS encryption enabled)
Select protocols UDP 443, 2018, 41185 for Entry 3 and Entry 4
Scroll down to where the individual servers are listed and click "Invert Selection" - now all the individual servers will be downloaded with resolved hostnames ;)
Scroll to bottom of page and select both checkboxes then click Generate

On the generated settings page scroll all the way down till you see the ZIP file and download it.

In Terminal:
------------
mkdir -p ~/mytemp/ovpntemp
cd ~/mytemp/ovpntemp
unzip ~/Downloads/AirVPN.zip
rm ~/Downloads/AirVPN.zip
chmod 600 *key                              # this makes sure only your user account can access your key files
mkdir -p ~/.airvpn
mv *key ~/.airvpn
mv *crt ~/.airvpn                           # moving keys and certs to upper level directory - you only need one copy
# one PRI (Entry 3) and one ALT (Entry 4) directory per port, for 443, 2018 and 41185
for port in 443 2018 41185; do
    mkdir -p ~/.airvpn/UDP-$port-TLS-PRI ~/.airvpn/UDP-$port-TLS-ALT
    mv Air*"$port"*Entry3* ~/.airvpn/UDP-$port-TLS-PRI
    mv Air*"$port"*Entry4* ~/.airvpn/UDP-$port-TLS-ALT
done

MODIFY OVPN FILES
=================
This part is a little laborious unless you're handy with python or something to write a script to modify all your ovpn files. Basically before you connect to a particular server change the following lines in the ovpn file:

ca "../ca.crt"                # remember our key and crt files are one level above
cert "../user.crt"
key "../user.key"
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
proto udp
tls-crypt "../tls-crypt.key"
auth sha512

# the following part locks down the DNS when connected

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

CONNECT TO VPN SERVER IN TERMINAL
=================================
sudo openvpn <the ovpn file you just modified - be in the same directory as it>

In the output you should see something like this:

...
Mon Nov 12 18:53:38 2018 /etc/openvpn/update-resolv-conf tun0 1500 1553 x1.x2.x3.x4 255.255.255.0 init
dhcp-option DNS y1.y2.y3.y4
Mon Nov 12 18:53:44 2018 /sbin/ip route add z1.z2.z3.z4/32 via m1.m2.m3.m4
Mon Nov 12 18:53:44 2018 /sbin/ip route add 0.0.0.0/1 via y1.y2.y3.y4
Mon Nov 12 18:53:44 2018 /sbin/ip route add 128.0.0.0/1 via y1.y2.y3.y4
Mon Nov 12 18:53:44 2018 Initialization Sequence Completed
...

but CHECK THE DNS resolver using dig:

dig www.ubuntu.com

...

;; Query time: 422 msec
;; SERVER: y1.y2.y3.y4#53(y1.y2.y3.y4)     <-- if you see 127.0.0.1 here something is wrong!
;; WHEN: Mon Nov 12 20:02:37 AEDT 2018
;; MSG SIZE  rcvd: 59


CHECK YOU HAVE NO DNS LEAKAGE and WebRTC is DISABLED
====================================================
Run firefox and select the maxprivacy profile


https://ipleak.net/
https://dnsleaktest.com/ (run extended tests)



Also in a separate terminal window you can run:


sudo tcpdump -v -n 'port 53' -i tun0


which will show you all DNS resolution - you should only see server y1.y2.y3.y4 being used

-----------

This is a work in progress - I'm yet to add sections for setting up rtorrent and running Tor browser

-----------

DISCLAIMER: I have no formal training in Linux; everything I know I've learnt from books or online. If I am in error anywhere don't hesitate to let me know - I welcome constructive feedback :)

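The script the MODIFY OVPN FILES section hints at, as an added example that is not from the original post: it applies the post's directive list to every .ovpn under the ~/.airvpn layout built above. The directory glob and the decision to drop tls-auth leftovers (OpenVPN refuses tls-auth and tls-crypt together) are my assumptions, not the post's.

```python
from pathlib import Path

# Directives to set (replacing any existing line with the same keyword), in the
# post's order. Paths are relative because keys/certs live one level up.
WANTED = {
    "ca": 'ca "../ca.crt"',
    "cert": 'cert "../user.crt"',
    "key": 'key "../user.key"',
    "remote-cert-tls": "remote-cert-tls server",
    "cipher": "cipher AES-256-CBC",
    "comp-lzo": "comp-lzo no",
    "proto": "proto udp",
    "tls-crypt": 'tls-crypt "../tls-crypt.key"',
    "auth": "auth sha512",
    "script-security": "script-security 2",
    "up": "up /etc/openvpn/update-resolv-conf",
    "down": "down /etc/openvpn/update-resolv-conf",
}
# tls-auth and tls-crypt are mutually exclusive in OpenVPN, so any tls-auth
# leftovers are dropped (key-direction only matters for tls-auth). Assumption, not the post's.
REMOVE = {"tls-auth", "key-direction"}

def rewrite_config(text):
    """Set each WANTED directive once, drop REMOVE directives, keep the rest verbatim."""
    seen, out = set(), []
    for line in text.splitlines():
        s = line.strip()
        kw = s.split(None, 1)[0] if s and s[0] not in "#;" else None  # None: blank/comment
        if kw in REMOVE or (kw in WANTED and kw in seen):
            continue                      # drop tls-auth leftovers and duplicate directives
        if kw in WANTED:
            out.append(WANTED[kw])        # replace in place on first sight
            seen.add(kw)
        else:
            out.append(line)
    out.extend(d for k, d in WANTED.items() if k not in seen)  # append whatever was missing
    return "\n".join(out) + "\n"

def rewrite_tree(root):
    """Rewrite each UDP-*-TLS-*/*.ovpn below root; return how many files changed."""
    changed = 0
    for path in sorted(Path(root).glob("UDP-*-TLS-*/*.ovpn")):
        old = path.read_text()
        new = rewrite_config(old)
        if new != old:
            path.write_text(new)
            changed += 1
    return changed
```

Call rewrite_tree(Path.home() / ".airvpn") once after the move step above; rewrite_config() is idempotent, so running it again on already-modified files changes nothing.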
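An added check, not from the original post, that automates the DNS verification above: given the OpenVPN output, the dig output and a tcpdump capture as text, it reports whether anything other than the pushed resolver handled DNS. The addresses in the sample are constructed; note that the post's capture runs on tun0, so a query that bypasses the tunnel would only show up in a capture on the physical interface as well.

```python
"""Automate the post's two DNS checks: dig must report the resolver OpenVPN
pushed, and tcpdump must show no port-53 traffic going anywhere else."""
import re
from typing import Optional

PUSHED_RE = re.compile(r"dhcp-option DNS (\d+\.\d+\.\d+\.\d+)")
DIG_RE = re.compile(r"^;; SERVER: (\d+\.\d+\.\d+\.\d+)#53", re.M)
# 'tcpdump -n' prints e.g. "IP 10.4.0.6.41234 > 10.4.0.1.53: 12345+ A? www.ubuntu.com. (32)"
DST_RE = re.compile(r" > (\d+\.\d+\.\d+\.\d+)\.53:")

def pushed_dns(openvpn_log: str) -> Optional[str]:
    """DNS server from the 'dhcp-option DNS' line the VPN server pushed."""
    m = PUSHED_RE.search(openvpn_log)
    return m.group(1) if m else None

def dig_resolver(dig_output: str) -> Optional[str]:
    """Resolver from dig's ';; SERVER:' line (127.0.0.1 = a local stub resolver answered)."""
    m = DIG_RE.search(dig_output)
    return m.group(1) if m else None

def foreign_dns_targets(tcpdump_output: str, vpn_dns: str) -> list:
    """Distinct port-53 destinations in the capture other than the VPN's DNS server."""
    return sorted({d for d in DST_RE.findall(tcpdump_output) if d != vpn_dns})

def check(openvpn_log: str, dig_output: str, tcpdump_output: str):
    """Return (ok, reason) for the post's 'only y1.y2.y3.y4 should be used' test."""
    vpn_dns = pushed_dns(openvpn_log)
    if vpn_dns is None:
        return False, "OpenVPN log has no 'dhcp-option DNS' line: no resolver was pushed"
    resolver = dig_resolver(dig_output)
    if resolver != vpn_dns:
        return False, "dig used %s, expected %s" % (resolver, vpn_dns)
    others = foreign_dns_targets(tcpdump_output, vpn_dns)
    if others:
        return False, "DNS queries also went to " + ", ".join(others)
    return True, "all DNS traffic goes to " + vpn_dns

if __name__ == "__main__":
    # Constructed sample input in the shape of the post's output (not real addresses).
    log = "dhcp-option DNS 10.4.0.1\n"
    dig = ";; Query time: 42 msec\n;; SERVER: 10.4.0.1#53(10.4.0.1)\n"
    cap = ("10:00:00.000001 IP 10.4.0.6.41234 > 10.4.0.1.53: 1+ A? www.ubuntu.com. (32)\n"
           "10:00:00.000002 IP 10.4.0.6.41235 > 192.168.1.1.53: 2+ A? www.ubuntu.com. (32)\n")
    print(check(log, dig, cap))   # (False, 'DNS queries also went to 192.168.1.1')
```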

#2 giganerd
I shall have no title, 2687 posts, Location: Germany

Posted 12 November 2018 - 09:44 PM

> I use Ubuntu 16.04.5 LTS. I don't use 18.04 LTS as I have found it difficult to get it set up just right. In particular I find preventing DNS leakage almost impossible.

It may have something to do with the fact that 18.04 uses systemd-resolved for DNS resolution and that module does not use resolv.conf in its traditional sense. Seems like a misconfiguration on your part. I agree that 16.04 is safer in that regard.

> GRUB
> ====
> I modify /etc/default/grub thus:
> GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"
> i.e. I disable ipv6 in GRUB as it's been my experience I cannot stop leaks and other unwanted peer communication whilever ipv6 is enabled.
> (don't forget to run update-grub after)

This is one way of solving it. An easier one would be the sysctl way: In /etc/sysctl.conf, or in a file like /etc/sysctl.d/ipv6-disable.conf, append:

net.ipv6.conf.all.disable_ipv6 = 1

Apply via

sysctl --system    # sysctl -p only reads /etc/sysctl.conf; --system also loads /etc/sysctl.d/*.conf

> In Terminal run firefox -P, create a new profile "maxprivacy" and deselect the option for the default profile. Find the section on WebRTC and further securing firefox at https://privacytools.io (i.e. go through all the instructions to modify the settings such as geo.enabled and webgl.disabled etc.)

This is not maxprivacy. :D

This is maxprivacy. Might even call it overkillmaxprivacy, but it's max. :)

Those are no error corrections, they're additions. You went quite far with your thoughts, I really like this. Keep it up!




#3 wintermute1912
Member, 23 posts

Posted 15 November 2018 - 09:13 AM

> > I use Ubuntu 16.04.5 LTS. I don't use 18.04 LTS as I have found it difficult to get it set up just right. In particular I find preventing DNS leakage almost impossible.
>
> It may have something to do with the fact that 18.04 uses systemd-resolved for DNS resolution and that module does not use resolv.conf in its traditional sense. Seems like a misconfiguration on your part. I agree that 16.04 is safer in that regard.
>
> > GRUB
> > ====
> > I modify /etc/default/grub thus:
> > GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"
> > i.e. I disable ipv6 in GRUB as it's been my experience I cannot stop leaks and other unwanted peer communication whilever ipv6 is enabled.
> > (don't forget to run update-grub after)
>
> This is one way of solving it. An easier one would be the sysctl way: In /etc/sysctl.conf, or in a file like /etc/sysctl.d/ipv6-disable.conf, append:
>
> net.ipv6.conf.all.disable_ipv6 = 1
>
> Apply via
>
> sysctl -p
>
> > In Terminal run firefox -P, create a new profile "maxprivacy" and deselect the option for the default profile. Find the section on WebRTC and further securing firefox at https://privacytools.io (i.e. go through all the instructions to modify the settings such as geo.enabled and webgl.disabled etc.)
>
> This is not maxprivacy. :D
>
> This is maxprivacy. Might even call it overkillmaxprivacy, but it's max. :)
>
> Those are no error corrections, they're additions. You went quite far with your thoughts, I really like this. Keep it up!

Thank you muchly for the feedback and suggestions :yes:

