What with all the furor over the well-known fact that the United States government is vacuuming up everything and its metadata, I decided to start looking at some privacy solutions. Things like Duckduckgo.com and proxies/virtual private networks. I found that generally, this stuff is Linux friendly, but I also found out that if you're a modest user like myself, there may be some technical obstacles to implementation of these things.
Take VPNs. If you're setting up and running your own openvpn server, things might actually be easier, but when it comes to a commercial offering, there may be frustration in the mix. I have noticed the VPN section in Netapplet in KDE for years, but was never really interested in it. I had no reason to be. I never had a job or any other association that required a VPN. Now, a VPN looks like it might be a prudent thing - assuming my tinfoil hat isn't fully effective - so that VPN thing in the Netapplet should make it easy, right? Well, maybe.
I looked at VPN solutions out there with an eye to the free (as in beer) versions and had some trouble getting them to work. The one or two that might have worked either carried a throughput penalty that I could not live with given my meager bandwidth, or didn't make any sense because they had no problem gathering data which they said they would gladly turn over to authorities for an offer of chocolate or a cross look from somebody with a badge. I'm not writing this to compare or recommend VPN services, just as a record of my practical experience in the exercise of pursuing privacy, so I'm not dropping any names.
Except this one. Ipredator.se is the VPN I settled on. It was a random choice in that it was the first provider in my list that was free (at least for a trial period) and seemed to offer a genuinely PRIVATE option. Would they rat a subscriber out to the Feds? I'll leave that judgement up to you. It doesn't matter because this is an exercise in getting such a networking service to actually work under Mageia 3 with the KDE 10 desktop. Here's how it went.
There is a fairly substantial guide to getting this thing integrated into Gnome, but I don't use Gnome. This is a purely KDE-centric exercise. And I don't use the network manager in KDE, I use the Netapplet that is installed out of the box. If Mageia knows what it's doing, that should work, right?
Well, maybe it does. I started trying to get it configured and was immediately overwhelmed. I had no idea that there were so many methods to authenticate on a network! Not having anything but generic command line instructions and the essentially useless (to me) Gnome instructions, I opted for the generic. The process, simply put, is this: install openvpn (it installed by default on my desktop and my laptop), download the openvpn config file and certificates, create the openvpn authentication file, and run openvpn with the config file passed as an option thus "/usr/sbin/openvpn --config /etc/openvpn/IPredator-CLI-Password.conf".
And since that's a mouthful, I made it a one-line bash script. I tweaked that a little, and I mean very little, and it worked. It created a tun0 virtual interface in my ipconfig stack and I was able to browse from an originating address in Sweden! How do I know it originated in Sweden? To begin with, I noticed Google was offering me everything in Swedish, and all the targeted ads were in Swedish about Swedish stuff. I love Swedish fish, but the rest of it was kind of incomprehensible. I discovered that there are ways around that (google.com/ncr) but I am moving to Duckduckgo.com, so it doesn't matter.
I also tested my ip address in a browser with the vpn active and with it deactivated. Those addresses are different and the address with the vpn activated showed whois registration in Stockholm. And I don't mean the one in Canada.
While I was doing that testing, I discovered that my ham-handed bash script created both an instance of the bash file and the openvpn instance that I was testing. To deactivate the vpn connection, it seems I had to kill both the shell script and the openvpn instance. Kind of inconvenient, but remember my goal was to integrate all this into the KDE desktop environment, so the shell script was an expedient just to get the concept to work. I had no intention of refining that situation. Now, it was time to tackle that "Manage VPN" thing in Netapplet.
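The double-process problem described above goes away if the wrapper hands its own process over to openvpn with exec; this added example (not the author's script) also refuses to start when the credentials file named by auth-user-pass is readable by group or other. The config path is the one quoted in the post; the PID file path and the VPN_CONF/VPN_PIDFILE overrides are assumptions.

```sh
#!/bin/sh
# Added example, not the author's script. Usage: vpn.sh up | vpn.sh down
# CONF is the path quoted in the post; PIDFILE is an assumed location.
CONF="${VPN_CONF:-/etc/openvpn/IPredator-CLI-Password.conf}"
PIDFILE="${VPN_PIDFILE:-/run/openvpn-ipredator.pid}"

# Print the credentials file named by "auth-user-pass <file>" in a config, if any.
auth_file() {
    awk '$1 == "auth-user-pass" && NF >= 2 { print $2; exit }' "$1"
}

# Succeed only if the file exists and carries no group/other permission bits.
is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

vpn_up() {
    creds=$(auth_file "$CONF")
    # Start from the config directory so a relative credentials path resolves.
    cd "$(dirname "$CONF")" || return 1
    if [ -n "$creds" ] && ! is_private "$creds"; then
        echo "refusing to start: $creds is missing or not mode 600" >&2
        return 1
    fi
    # exec replaces this shell with openvpn: one process to stop, not two.
    exec /usr/sbin/openvpn --config "$CONF" --writepid "$PIDFILE"
}

# Stop the tunnel using the PID that openvpn recorded at startup.
vpn_down() {
    [ -f "$PIDFILE" ] && kill "$(cat "$PIDFILE")"
}

case "${1:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

Run it as root with "up" in the foreground and stop it with Ctrl-C, or with "down" from another terminal.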
Long story short - I spent about 4 hours online with people who know a lot more about this than I do and we eventually folded. Everything looked like it should be working - netstat said it was good, but there were no incoming packets. The firewall was clear and down. Log files showed everything we expected to see. It just wasn't working. Eventually, the guys I was working with had to go eat, or sleep or something and I was left to my own devices. I dug just a little bit and found that the Netapplet was simply configuring an openvpn config file as I entered information in the fields it presented. I found that config file buried in /etc/sysconfig/networking-scripts/vpn.d/openvpn. Progress!
I started comparing that file with the config file that I started with - the one that works from the command line. Eventually, I just copied everything from /etc/openvpn, which worked on the command line, into the vpn.d directory above. It worked. Sort of. I had to tweak a bit, but once I got all the details in the config file (originally, the config file referred to the authentication file I created for username and password, and some other "inline" configs which needed to be explicit in the Netapplet version) it works as intended.
Now, all I have to do to activate this vpn is to right-click my Netapplet in the tray (which in this version seems really crashy btw), hover over the VPN option, then click the radio button next to the name of the config I configured. After a short wait for networking to reach out and hook up, I am coming to you from Sweden!
Well, that's not quite all. I have to pay for this VPN if I want to keep it. I'm not sure it's worth 150 Swedish krona every 90 days, even if it is only about $24 USD. I'll have to think about that, but given the amount of work I've put into it, it's kind of cool. I will probably spring for one subscription just to play with it and see if there really is any benefit to the VPN.
After all, you just never know when the NSA will defeat the excellent protection offered by my tinfoil hat.
Just wanted to share the experience and declare that the Netapplet thing works!
Sort of.
Mark