Private Internet Access VPN

ricksebak
Member
Posts: 33
Joined: February 10th, 2013, 9:34 pm

Post by ricksebak »

I had previously been using a SOCKS proxy to hide my IP when torrenting, and then noticed that it really wasn't working. Deluge was making connections outside of the proxy. So I decided to switch to a VPN. I'm putting this here in case anyone else wants to do the same thing, or in case anyone has ideas for how I could do this better.

The setup described here will route all internet-bound traffic through the VPN, not just torrents. This would include web browsing, etc. I don't really want that, so I used a virtual machine that will be dedicated to just torrent downloading. But using a VM isn't really necessary if you don't want it.

I signed up for VPN service with http://privateinternetaccess.com. It's about $7/month or $40/year.

Then on my VM, I installed openvpn as my VPN client, then downloaded their sample config files for their various locations.

Code:

sudo apt-get install openvpn
cd /etc/openvpn
# /etc/openvpn is owned by root, so the download and unpack need sudo
sudo wget http://privateinternetaccess.com/openvpn/openvpn.zip
sudo unzip openvpn.zip

When OpenVPN starts up it will look for any file named *.conf, and none of the downloaded config files use that extension. So I chose the location I wanted (CA Toronto.ovpn) and symlinked it so that OpenVPN would find it.

Code:

sudo ln -s CA\ Toronto.ovpn client.conf

If you want to store your Private Internet Access credentials, so that you do not have to type them each time you connect, you can create a file called auth to store the credentials. The contents of that file should be two lines, your username and your password.

Code:

p98885918
Pa$$w0rdHere

Then open your client.conf file and add a line that calls the auth file:

Code:

auth-user-pass auth

You can chown the auth file to root and chmod it 600 for security.

Then run "/etc/init.d/openvpn start" to start the VPN connection. Assuming the VPN connects successfully, you should see new routes routing all your traffic through the VPN when you run "route -n".

At this point the VPN connection is all set up, but there are a few extras you can do if you want.

You can set up iptables so that it only allows outbound communication from Deluge to go over the VPN by adding these rules (the first two rules allow local LAN traffic and localhost traffic to skip the VPN, then the third rule forces all other Deluge traffic over the VPN):

Code:

# Let the Deluge user (uid 103 in these rules) reach the local LAN without the VPN
iptables -A OUTPUT -d 192.168.1.0/24 -m owner --uid-owner 103 -j ACCEPT
# Let the same user reach localhost
iptables -A OUTPUT -d 127.0.0.0/8 -m owner --uid-owner 103 -j ACCEPT
# Reject anything else from that user that is not leaving through tun0
iptables -A OUTPUT ! -o tun0 -m owner --uid-owner 103 -j REJECT --reject-with icmp-port-unreachable

This way, if the VPN connection dies, Deluge can't download anything. Without these rules, if the VPN died, Deluge would just keep on downloading and your torrent activity wouldn't be private.

And if you are using monit to restart the VPN in case it dies and to notify you when that happens, here is a simple monit configuration for OpenVPN:

Code:

  check process openvpn with pidfile /var/run/openvpn.client.pid
     start program  "/etc/init.d/openvpn start"
     stop program  "/etc/init.d/openvpn stop"
     if 5 restarts within 5 cycles then timeout and alert
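
The iptables kill switch described in the post above depends on rule order, so it is worth auditing after any firewall change. The script below is an added example, not part of the original post: the function name check_killswitch is hypothetical, and the sample ruleset is constructed from the post's three rules in the form "iptables -S OUTPUT" prints them.

```shell
#!/bin/sh
# Added example: audit OUTPUT rules for the per-user VPN kill switch.
# Live use: sudo iptables -S OUTPUT | check_killswitch 103 tun0
check_killswitch() {
    # $1 = uid of the torrent client, $2 = VPN interface, rules on stdin
    awk -v uid="$1" -v tun="$2" '
    $1 != "-A" { next }                 # skip policy lines such as -P
    {
        n++; owner = ""; out = ""; neg_out = 0; dst = ""; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "--uid-owner") owner = $(i + 1)
            if ($i == "-o") { out = $(i + 1); neg_out = ($(i - 1) == "!") }
            if ($i == "-d") dst = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (owner != "" && owner != uid) next   # rule for another user
        blocks = (target == "REJECT" || target == "DROP")
        if (blocks && neg_out && out == tun && dst == "") {
            print "OK: rule " n " blocks uid " uid " everywhere except " tun
            found = 1; exit
        }
        if (target == "ACCEPT") {
            # traffic leaving via the tunnel or loopback is fine
            if (!neg_out && (out == tun || out == "lo")) next
            # destination-limited accepts are treated as intended exceptions
            if (dst != "") { print "exception: " dst " may bypass " tun; next }
            print "LEAK: rule " n " accepts off-VPN traffic: " $0
            leak = 1; exit
        }
    }
    END {
        if (leak) exit 1
        if (!found) { print "LEAK: no kill-switch rule for uid " uid; exit 1 }
    }'
}

# Constructed sample: the rules from the post as "iptables -S OUTPUT" prints them.
PAGE_RULES='-P OUTPUT ACCEPT
-A OUTPUT -d 192.168.1.0/24 -m owner --uid-owner 103 -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -m owner --uid-owner 103 -j ACCEPT
-A OUTPUT ! -o tun0 -m owner --uid-owner 103 -j REJECT --reject-with icmp-port-unreachable'

printf '%s\n' "$PAGE_RULES" | check_killswitch 103 tun0
```

The function returns non-zero when an unrestricted ACCEPT rule (for example a DNS allow rule) is evaluated before the reject rule, or when no reject rule exists for the given uid.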