Oracle Linux/Obfuscation

From r00tedvw.com wiki

Obfuscation

OpenVPN with ProtonVPN

Go to https://protonvpn.com, create an account, select the free plan, go to Downloads and select Linux, TCP, and the free server configs.
Download one of the configuration files and copy it to your server (e.g. with scp).
Create a file with the username on the first line and the password on the second.

~$ printf '%s\n%s\n' "$USERNAME" "$PASSWORD" > ~/login.conf

Connect to the VPN

~$ openvpn --auth-user-pass login.conf --config ./nl-free-01.protonvpn.com.tcp.ovpn

Create VPN Service

Since this is a long running application, we should create a service to manage it.

~$ sudo mkdir /opt/vpn
~$ sudo touch /opt/vpn/vpn.sh
~$ sudo chown root:root /opt/vpn/vpn.sh
~$ sudo chmod 750 /opt/vpn/vpn.sh
~$ sudo vim /opt/vpn/vpn.sh
#!/bin/bash
# Credentials file (username on line 1, password on line 2) and the ProtonVPN
# profile downloaded earlier; keep login.conf readable by root only.
vpnauth=/opt/vpn/login.conf
vpnconfig=/opt/vpn/nl-free-01.protonvpn.com.tcp.ovpn

# exec so that openvpn replaces this shell and becomes the service's main PID.
exec openvpn --config "$vpnconfig" --auth-user-pass "$vpnauth"
~$ sudo touch /etc/systemd/system/vpn.service
~$ sudo chown root:root /etc/systemd/system/vpn.service
~$ sudo chmod 750 /etc/systemd/system/vpn.service 
~$ sudo vim /etc/systemd/system/vpn.service
[Unit]
Description=VPN

[Service]
Type=simple
ExecStart=/opt/vpn/vpn.sh
User=root

[Install]
WantedBy=multi-user.target
~$ sudo systemctl daemon-reload
~$ sudo systemctl start vpn.service
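An added variant of this unit (my own, not the wiki's) that waits for the network before starting and lets systemd restart OpenVPN when it exits with an error; it assumes the same /opt/vpn/vpn.sh wrapper:

```ini
[Unit]
Description=VPN
# Do not bring up the tunnel before the network is actually usable.
# network-online.target only waits if NetworkManager-wait-online or
# systemd-networkd-wait-online is enabled on the host.
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/opt/vpn/vpn.sh
User=root
# If openvpn dies with a non-zero status (e.g. the TCP session to the ProtonVPN
# server drops and it gives up reconnecting), start it again after 10 seconds.
# A clean exit, such as systemctl stop, is left alone.
Restart=on-failure
RestartSec=10s

[Install]
WantedBy=multi-user.target
```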

Create VPN Management Service

We also want a management service to make sure the VPN is always connected and, if not, stop any reliant services.
The OpenVPN service may not die when the connection is terminated from the host end, so I can't depend on the service state; I've opted instead to rely on the exposed IP address and compare it to a dynamic DNS entry.

~$ sudo touch /opt/vpn/vpnmanager.sh
~$ sudo chown root:root /opt/vpn/vpnmanager.sh
~$ sudo chmod 750 /opt/vpn/vpnmanager.sh
~$ sudo vim /opt/vpn/vpnmanager.sh
#!/bin/bash

dyndns="dyndns.tld"
logfile="/var/log/vpnmanager/vpnmanager.log"
enableslack=true
slackwebhookurl="https://hooks.slack.com/services/<UUID>"
limit=10    # log throttle: "VPN appears up" is only written when this reaches 10
health=0    # consecutive failures: Slack is only notified once this reaches 3

# Create the log directory and file, or give up.
if ! mkdir -p "$(dirname "$logfile")"; then
    echo "ERROR:: Unable to create log directory"
    exit 1
fi
if ! touch "$logfile"; then
    echo "ERROR:: Unable to write log file"
    exit 1
fi

#exec 3>&1 4>&2
#trap 'exec 2>&4 1>&3' 0 1 2 3
#exec 1>>$logfile 2>&1
# Everything below will go to the file $logfile :

printf "\n\n%s\n----------------------------\n" "$(date)" >> "$logfile"

# Leave the loop cleanly on Ctrl-C or systemctl stop.
trap 'exit 1' INT TERM

# The dyndns name resolves to the host's own (un-tunnelled) public address.
# +short may print a CNAME line before the A record, so keep only the last line.
dyndnsip=$(dig -t a +short "$dyndns" | tail -n 1)

function slacksend {
    if [ "$enableslack" = true ]; then
        curl --silent -X POST -H 'Content-type: application/json' \
            --data '{"text":"'"$1"'"}' "$slackwebhookurl" > /dev/null
    fi
}

# Ask each "what is my IP" service once, in order; the first reply that looks
# like an IPv4 address is kept in $ipaddr. Leaves $ipaddr empty if none answer.
function checkip {
    local svc reply
    ipaddr=""
    for svc in checkip.amazonaws.com ifconfig.me ipinfo.io/ip ident.me; do
        reply=$(curl --max-time 10 --max-filesize 1000 --no-buffer --silent "$svc")
        if [[ $reply =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            ipaddr=$reply
            return 0
        fi
    done
    msg="$(date '+%F|%R:%S') -- ERROR:: Unable to determine internet IP address."
    echo "$msg" >> "$logfile"
    if [[ $health -ge 3 ]]; then
        slacksend "$msg"
    fi
    return 1
}

# Check every 10 seconds. No exposed address, or one equal to the dyndns
# address, means traffic is leaving outside the tunnel: restart the VPN.
# A loop is used rather than the function calling itself, which would nest
# without bound.
function compareip {
    while true; do
        checkip
        if [ -z "$ipaddr" ] || [ "$dyndnsip" = "$ipaddr" ]; then
            msg="$(date '+%F|%R:%S') -- ERROR:: VPN is down!!"
            echo "$msg" >> "$logfile"
            if [[ $health -ge 3 ]]; then
                slacksend "$msg"
            fi
            sleep 2
            msg="$(date '+%F|%R:%S') -- Restarting VPN..."
            echo "$msg" >> "$logfile"
            if [[ $health -ge 3 ]]; then
                slacksend "$msg"
            fi
            systemctl restart vpn.service
            sleep 10
            limit=10        # log the next successful check right away
            ((health++))
        else
            if [[ $limit -eq 10 ]]; then
                msg="$(date '+%F|%R:%S') -- VPN appears up.  VPN IP: $ipaddr is not equal to dyndns IP: $dyndnsip"
                echo "$msg" >> "$logfile"
                limit=0
                if [[ $health -ge 3 ]]; then
                    slacksend "$msg"
                fi
            else
                ((limit++))
            fi
            sleep 10
            health=0
        fi
    done
}

compareip
~$ sudo touch /etc/systemd/system/vpnmanager.service
~$ sudo chown root:root /etc/systemd/system/vpnmanager.service
~$ sudo chmod 750 /etc/systemd/system/vpnmanager.service
~$ sudo vim /etc/systemd/system/vpnmanager.service
[Unit]
Description=VPN Manager

[Service]
Type=simple
ExecStart=/opt/vpn/vpnmanager.sh
User=root

[Install]
WantedBy=multi-user.target
~$ sudo systemctl daemon-reload
~$ sudo systemctl start vpnmanager.service
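Worked example added here (my code, not the wiki's) of the manager's per-cycle decision as a pure POSIX sh function, driven by a constructed sequence of observed addresses, so the escalation threshold and the log throttle can be seen without curl, dig or systemd. 198.51.100.9 stands in for the dyndns (home) address and 203.0.113.7 for a VPN exit address; both are documentation ranges, not real endpoints.

```shell
#!/bin/sh
# Added example (mine, not the wiki's): the per-cycle decision of vpnmanager.sh
# as a pure function, so the escalation rule (Slack only after three consecutive
# failed restarts) and the log throttle can be checked without curl or systemd.

# valid_ipv4 ADDR: succeed when ADDR is a dotted quad, like the =~ test in checkip.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
}

# vpn_decide DYNDNS_IP EXPOSED_IP HEALTH LIMIT
# Prints "ACTION HEALTH LIMIT" for the next cycle, where ACTION is:
#   restart         tunnel down: no usable exposed IP, or it equals DYNDNS_IP
#   restart-notify  same, and at least three failures already preceded it
#   up-log          tunnel up and the throttle lets a log line through
#   up-notify       as up-log, but it ends a run of 3+ failures (recovery alert)
#   up              tunnel up, log line suppressed
vpn_decide() {
    dyn=$1; exposed=$2; health=${3:-0}; limit=${4:-10}
    if ! valid_ipv4 "$exposed" || [ "$dyn" = "$exposed" ]; then
        action=restart
        [ "$health" -ge 3 ] && action=restart-notify
        # after a restart the next healthy check is logged immediately (limit=10)
        echo "$action $((health + 1)) 10"
    else
        if [ "$limit" -eq 10 ]; then
            action=up-log
            [ "$health" -ge 3 ] && action=up-notify
            limit=0
        else
            action=up
            limit=$((limit + 1))
        fi
        echo "$action 0 $limit"
    fi
}

# run_cycles DYNDNS_IP "IP1 IP2 ...": feed a constructed sequence of observed
# exposed addresses through the state machine ("none" = no IP service answered)
# and print the actions taken, space separated.
run_cycles() {
    dyn=$1; health=0; limit=10; out=""
    for ip in $2; do
        set -- $(vpn_decide "$dyn" "$ip" "$health" "$limit")
        out="$out${out:+ }$1"; health=$2; limit=$3
    done
    echo "$out"
}
```

Note that the Slack alert first fires on the fourth consecutive failed cycle (the check runs before the counter is incremented), and the recovery line after three or more failures is also the one that reaches Slack.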