Oracle Linux/Obfuscation
From r00tedvw.com wiki
(Difference between revisions)
(→Create VPN Management Service) |
(10 intermediate revisions by one user not shown) | |||
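--- a/Oracle_Linux/Obfuscation
+++ b/Oracle_Linux/Obfuscation
@@ -1,1 +1,168 @@
 [[Oracle_Linux/Obfuscation|Obfuscation]]
+
+=OpenVPN with ProtonVPN=
+Go to [https://protonvpn.com https://protonvpn.com], create an account, select the free plan, goto downloads and select linux, tcp, and the free server configs.<br>
+Download one of the configuration files and share it with your server (scp).<br>
+Create a file with the username and password on first two lines.
+<nowiki>~$ printf "$USERNAME\n$PASSWORD" > ~/login.conf</nowiki>
+Connect to the VPN
+<nowiki>~$ openvpn --auth-user-pass login.conf --config ./nl-free-01.protonvpn.com.tcp.ovpn</nowiki>
+==Create VPN Service==
+Since this is a long running application, we should create a service to manage it.
+<nowiki>~$ sudo mkdir /opt/vpn
+~$ sudo touch /opt/vpn/vpn.sh
+~$ sudo chown root:root /opt/vpn/vpn.sh
+~$ sudo chmod 750 /opt/vpn/vpn.sh</nowiki>
+
+<nowiki>~$ sudo vim /opt/vpn/vpn.sh
+#!/bin/bash
+vpnauth=/opt/vpn/login.conf
+vpnconfig=/opt/vpn/nl-free-01.protonvpn.com.tcp.ovpn
+
+openvpn --config $vpnconfig --auth-user-pass $vpnauth </nowiki>
+
+<nowiki>~$ sudo touch /etc/systemd/system/vpn.service
+~$ sudo chown root:root /etc/systemd/system/vpn.service
+~$ sudo chmod 750 /etc/systemd/system/vpn.service </nowiki>
+<nowiki>~$ sudo vim /etc/systemd/system/vpn.service
+[Unit]
+Description=VPN
+
+[Service]
+Type=simple
+ExecStart=/opt/vpn/vpn.sh
+User=root
+
+[Install]
+WantedBy=multi-user.target</nowiki>
+
+<nowiki>~$ sudo systemctl daemon-reload
+~$ sudo systemctl start vpn.service</nowiki>
+
+==Create VPN Management Service==
+We also want a management service to make sure the VPN is always connected and if not, stop any reliant services.<br>
+The OpenVPN service may not die when the connection is terminated from the host end, as such I cant depend on the service state so I've opted to rely on the exposed IP address and compare it to a dynamic dns entry.
+<nowiki>~$ sudo touch /opt/vpn/vpnmanager.sh
+~$ sudo chown root:root /opt/vpn/vpnmanager.sh
+~$ sudo chmod 750 /opt/vpn/vpnmanager.sh</nowiki>
+
+<nowiki>~$ sudo vim /opt/vpn/vpnmanager.sh
+#!/bin/bash
+
+dyndns="dyndns.tld"
+logfile="/var/log/vpnmanager/vpnmanager.log"
+enableslack=true
+slackwebhookurl="https://hooks.slack.com/services/<UUID>"
+limit=10
+
+if [ ! -d $(dirname $logfile) ]; then
+mkdir $(dirname $logfile)
+fi
+if (( $? != 0 )); then
+echo "ERROR:: Unable to create log directory"
+exit 1
+fi
+if ( ! touch $logfile ); then
+echo "ERROR:: Unable to write log file"
+exit 1
+else
+touch $logfile
+fi
+
+#exec 3>&1 4>&2
+#trap 'exec 2>&4 1>&3' 0 1 2 3
+#exec 1>>$logfile 2>&1
+# Everything below will go to the file $logfile :
+
+printf "\n\n$(date)\n----------------------------\n" >> $logfile
+
+dyndnsip=$(dig -t a +short $dyndns)
+
+function slacksend {
+if [ "$enableslack" = true ]; then
+curl -X POST -H 'Content-type: application/json' --data '{"text":"'"$1"'"}' $slackwebhookurl
+fi
+}
+
+function checkip {
+if [[ $(curl --max-time 10 --max-filesize 1000 --no-buffer --silent checkip.amazonaws.com) =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ipaddr=$(curl --max-time 10 --max-filesize 1000 --no-buffer --silent checkip.amazonaws.com)
+else
+if [[ $(curl --max-time 10 --max-filesize 1000 --no-buffer --silent ifconfig.me) =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ipaddr=$(curl --max-time 10 --max-filesize 1000 --no-buffer --silent ifconfig.me)
+else
+if [[ $(curl --max-time 10 --max-filesize 1000 --no-buffer --silent ipinfo.io/ip) =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ipaddr=$(curl --max-time 10 --max-filesize 1000 --no-buffer --silent ipinfo.io/ip)
+else
+if [[ $(curl --max-time 10 --max-filesize 1000 --no-buffer --silent ident.me) =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ipaddr=$(curl --max-time 10 --max-filesize 1000 --no-buffer --silent ident.me)
+else
+msg="$(date +%F"|"%R:%S) -- ERROR:: Unable to determine internet IP address."
+echo "$msg" >> $logfile
+if [[ $health -ge 3 ]]; then
+slacksend "$msg"
+fi
+fi
+fi
+fi
+fi
+}
+
+function compareip {
+checkip
+if [ -z $ipaddr ] || [ $dyndnsip = $ipaddr ]; then
+msg="$(date +%F"|"%R:%S) -- ERROR:: VPN is down!!"
+echo "$msg" >> $logfile
+if [[ $health -ge 3 ]]; then
+slacksend "$msg"
+fi
+trap exit 1 SIGINT
+sleep 2
+msg="$(date +%F"|"%R:%S) -- Restarting VPN..."
+echo "$msg" >> $logfile
+if [[ $health -ge 3 ]]; then
+slacksend "$msg"
+fi
+systemctl restart vpn.service
+sleep 10
+limit=10
+((health++))
+compareip
+else
+if [[ $limit -eq 10 ]]; then
+msg="$(date +%F"|"%R:%S) -- VPN appears up. VPN IP: $ipaddr is not equal to dyndns IP: $dyndnsip"
+echo "$msg" >> $logfile
+unset limit
+if [[ $health -ge 3 ]]; then
+slacksend "$msg"
+fi
+else
+((limit++))
+fi
+trap exit 1 SIGINT
+sleep 10
+unset ipaddr health
+compareip
+fi
+}
+
+compareip</nowiki>
+
+<nowiki>~$ sudo touch /etc/systemd/system/vpnmanager.service
+~$ sudo chown root:root /etc/systemd/system/vpnmanager.service
+~$ sudo chmod 750 /etc/systemd/system/vpnmanager.service</nowiki>
+
+<nowiki>~$ sudo vim /etc/systemd/system/vpnmanager.service
+[Unit]
+Description=VPN Manager
+
+[Service]
+Type=simple
+ExecStart=/opt/vpn/vpnmanager.sh
+User=root
+
+[Install]
+WantedBy=multi-user.target </nowiki>
+
+<nowiki>~$ sudo systemctl daemon-reload
+~$ sudo systemctl start vpnmanager.service</nowiki>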
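Review bot: `dyndnsip=$(dig -t a +short $dyndns)` in vpnmanager.sh is evaluated once at startup, so the long-running manager compares every check against a value that never changes, and when dig returns nothing the unquoted `[ $dyndnsip = $ipaddr ]` fails as a malformed test and the script falls through to the "VPN appears up" branch — it reports up exactly when it can no longer check. Resolve the name inside `compareip` and quote the test, e.g. `dyndnsip=$(dig -t a +short "$dyndns" | head -n1)` followed by `if [[ -z "$ipaddr" || -z "$dyndnsip" || "$dyndnsip" == "$ipaddr" ]]; then`. `compareip` also calls itself at the end of both branches, so the call depth grows by one every 10 seconds for as long as the service runs; a `while true` loop gives the same behaviour without the unbounded recursion. The section text says reliant services are stopped while the VPN is down, but the script only restarts vpn.service, so anything depending on the tunnel keeps running on the bare connection between detection and reconnect. Separately, `~/login.conf` is written with the password inside the printf format string and with no permission change; `printf '%s\n%s\n' "$USERNAME" "$PASSWORD" > ~/login.conf && chmod 600 ~/login.conf` keeps a `%` in the password from being interpreted and stops the clear-text credential from being world-readable.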
Latest revision as of 15:42, 22 April 2021
Obfuscation
OpenVPN with ProtonVPN
Go to https://protonvpn.com, create an account, select the free plan, go to Downloads and select Linux, TCP, and the free server configs.
Download one of the configuration files and share it with your server (scp).
Create a file with the username and password on the first two lines.
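~$ printf '%s\n%s\n' "$USERNAME" "$PASSWORD" > ~/login.conf   # values go in as arguments, so a % in the password is not read as a format directive
~$ chmod 600 ~/login.conf   # clear-text VPN password: readable by the owner only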
Connect to the VPN
~$ openvpn --auth-user-pass login.conf --config ./nl-free-01.protonvpn.com.tcp.ovpn
Create VPN Service
Since this is a long running application, we should create a service to manage it.
~$ sudo mkdir /opt/vpn ~$ sudo touch /opt/vpn/vpn.sh ~$ sudo chown root:root /opt/vpn/vpn.sh ~$ sudo chmod 750 /opt/vpn/vpn.sh
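~$ sudo vim /opt/vpn/vpn.sh
#!/bin/bash
# Wrapper started by vpn.service: runs OpenVPN in the foreground with the
# ProtonVPN profile and the credentials file (username on line 1, password on
# line 2).  login.conf holds the password in clear text, so it should be
# root-owned and mode 600 like the rest of /opt/vpn.
vpnauth=/opt/vpn/login.conf
vpnconfig=/opt/vpn/nl-free-01.protonvpn.com.tcp.ovpn

# Quoted so a path containing spaces cannot split into extra arguments.
openvpn --config "$vpnconfig" --auth-user-pass "$vpnauth"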
~$ sudo touch /etc/systemd/system/vpn.service ~$ sudo chown root:root /etc/systemd/system/vpn.service ~$ sudo chmod 750 /etc/systemd/system/vpn.service ~$ sudo vim /etc/systemd/system/vpn.service [Unit] Description=VPN [Service] Type=simple ExecStart=/opt/vpn/vpn.sh User=root [Install] WantedBy=multi-user.target
~$ sudo systemctl daemon-reload ~$ sudo systemctl start vpn.service
Create VPN Management Service
We also want a management service to make sure the VPN is always connected and if not, stop any reliant services.
The OpenVPN service may not die when the connection is terminated from the host end, so I can't depend on the service state; instead I rely on the exposed IP address and compare it to a dynamic DNS entry.
~$ sudo touch /opt/vpn/vpnmanager.sh ~$ sudo chown root:root /opt/vpn/vpnmanager.sh ~$ sudo chmod 750 /opt/vpn/vpnmanager.sh
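~$ sudo vim /opt/vpn/vpnmanager.sh
#!/bin/bash
# VPN watchdog, started by vpnmanager.service and intended to run forever.
#
# Every $interval seconds it asks an external "what is my IP" service for the
# host's public IPv4 address and compares it with the A record of $dyndns,
# the address this host has when it is NOT tunnelled.  The VPN is treated as
# down when the two are equal or when either address cannot be determined
# (fail closed: a check that cannot be made is not evidence that the tunnel
# is up).  On "down" the units in $dependents are stopped and vpn.service is
# restarted; on "up" they are started again.  Everything is appended to
# $logfile; Slack is only notified once $health reaches 3, i.e. after three
# consecutive restarts that did not bring the tunnel back.

dyndns="dyndns.tld"                           # name whose A record is the un-tunnelled public IP
logfile="/var/log/vpnmanager/vpnmanager.log"
enableslack=true
slackwebhookurl="https://hooks.slack.com/services/<UUID>"   # a secret: this file must stay root-only
limit=10                                      # log "appears up" on the first check, then every 10th
dependents=()                                 # systemd units to stop while the VPN is down (empty = none)
interval=10                                   # seconds between checks
health=0                                      # consecutive restarts without the VPN coming back

# Public-IP services, tried in order.  https, so the reply that drives the
# restart decision cannot be rewritten on the path.
ipservices=(
  https://checkip.amazonaws.com
  https://ifconfig.me
  https://ipinfo.io/ip
  https://ident.me
)
ipv4_re='^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'

if ! mkdir -p -- "$(dirname "$logfile")"; then
  echo "ERROR:: Unable to create log directory"
  exit 1
fi
if ! touch -- "$logfile"; then
  echo "ERROR:: Unable to write log file"
  exit 1
fi

#exec 3>&1 4>&2
#trap 'exec 2>&4 1>&3' 0 1 2 3
#exec 1>>$logfile 2>&1
# Everything below will go to the file $logfile :

printf '\n\n%s\n----------------------------\n' "$(date)" >> "$logfile"

# Leave with a non-zero status when interrupted or hung up.
trap 'exit 1' HUP INT

#######################################
# Post $1 to the Slack webhook when enableslack is true.
# The text is spliced into a JSON string literal, so backslashes and double
# quotes are escaped first.
#######################################
slacksend() {
  local text=$1
  if [[ "$enableslack" == true ]]; then
    text=${text//\\/\\\\}
    text=${text//\"/\\\"}
    curl --silent --show-error --max-time 10 -X POST \
      -H 'Content-type: application/json' \
      --data '{"text":"'"$text"'"}' "$slackwebhookurl"
  fi
}

#######################################
# Append a timestamped line ($1) to $logfile and, once three restarts in a
# row have failed (health >= 3), forward it to Slack as well.
#######################################
log() {
  local msg
  msg="$(date '+%F|%R:%S') -- $1"
  echo "$msg" >> "$logfile"
  if (( health >= 3 )); then
    slacksend "$msg"
  fi
}

#######################################
# Set the global ipaddr to the host's public IPv4 address, asking each entry
# of ipservices once and accepting the first plausible dotted quad.
# Returns: 0 with ipaddr set, 1 (and ipaddr empty) when no service answered.
#######################################
checkip() {
  local svc reply
  ipaddr=
  for svc in "${ipservices[@]}"; do
    reply=$(curl --max-time 10 --max-filesize 1000 --no-buffer --silent "$svc" | tr -d '\r\n')
    if [[ "$reply" =~ $ipv4_re ]]; then
      ipaddr=$reply
      return 0
    fi
  done
  log "ERROR:: Unable to determine internet IP address."
  return 1
}

#######################################
# Set the global dyndnsip to the first IPv4 A record of dyndns.  Resolved on
# every check so that a changed home address is picked up; a CNAME line in
# the dig output is skipped by the regex.
# Returns: 0 with dyndnsip set, 1 (and dyndnsip empty) when it did not resolve.
#######################################
resolvedyndns() {
  local rr
  dyndnsip=
  while IFS= read -r rr; do
    if [[ "$rr" =~ $ipv4_re ]]; then
      dyndnsip=$rr
      return 0
    fi
  done < <(dig -t a +short "$dyndns")
  log "ERROR:: Unable to resolve dyndns name ${dyndns}."
  return 1
}

#######################################
# Watchdog loop: never returns.  A plain loop rather than a self-call, so the
# call depth does not grow with every check.
#######################################
compareip() {
  while true; do
    checkip
    resolvedyndns
    if [[ -z "$ipaddr" || -z "$dyndnsip" || "$dyndnsip" == "$ipaddr" ]]; then
      log "ERROR:: VPN is down!!"
      if (( ${#dependents[@]} > 0 )); then
        systemctl stop "${dependents[@]}"
      fi
      sleep 2
      log "Restarting VPN..."
      systemctl restart vpn.service
      sleep "$interval"
      limit=10
      health=$((health + 1))
    else
      # limit cycles 1..10; the "up" line is written when it reaches 10.
      if (( limit == 10 )); then
        log "VPN appears up. VPN IP: $ipaddr is not equal to dyndns IP: $dyndnsip"
        limit=0
      else
        limit=$((limit + 1))
      fi
      # Coming back from a restart: bring the dependent units up again.
      if (( health > 0 && ${#dependents[@]} > 0 )); then
        systemctl start "${dependents[@]}"
      fi
      health=0
      sleep "$interval"
    fi
  done
}

compareip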
~$ sudo touch /etc/systemd/system/vpnmanager.service ~$ sudo chown root:root /etc/systemd/system/vpnmanager.service ~$ sudo chmod 750 /etc/systemd/system/vpnmanager.service
~$ sudo vim /etc/systemd/system/vpnmanager.service [Unit] Description=VPN Manager [Service] Type=simple ExecStart=/opt/vpn/vpnmanager.sh User=root [Install] WantedBy=multi-user.target
~$ sudo systemctl daemon-reload ~$ sudo systemctl start vpnmanager.service