Oracle Linux/Obfuscation

(Create VPN Management Service)
(Create VPN Management Service)
Line 50: Line 50:
 
#!/bin/bash
 
#!/bin/bash
  
dyndns="dyndns.tld"
+
dyndns="r00tedvw.duckdns.org"
 
logfile="/var/log/vpnmanager/vpnmanager.log"
 
logfile="/var/log/vpnmanager/vpnmanager.log"
 +
slackwebhookurl="https://hooks.slack.com/services/<webhookUUID>"
 
limit=10
 
limit=10
  
Line 76: Line 77:
  
 
dyndnsip=$(dig -t a +short $dyndns)
 
dyndnsip=$(dig -t a +short $dyndns)
 +
 +
function slacksend {
 +
        curl -X POST -H 'Content-type: application/json' --data '{"text":"'"$1"'"}' $slackwebhookurl
 +
}
  
 
function checkip {
 
function checkip {
Line 90: Line 95:
 
                     ipaddr=$(curl --max-time 10 --max-filesize 1000 --no-buffer --silent ident.me)
 
                     ipaddr=$(curl --max-time 10 --max-filesize 1000 --no-buffer --silent ident.me)
 
                 else
 
                 else
                     echo "ERROR:: Unable to determine internet IP address." >> $logfile
+
                     msg="$(date +%F"|"%R:%S) -- ERROR:: Unable to determine internet IP address."
 +
                    echo "$msg" >> $logfile
 +
                    slacksend "$msg"
 
                 fi
 
                 fi
 
             fi
 
             fi
Line 100: Line 107:
 
     checkip
 
     checkip
 
     if [ -z $ipaddr ] || [ $dyndnsip = $ipaddr ]; then
 
     if [ -z $ipaddr ] || [ $dyndnsip = $ipaddr ]; then
         echo "ERROR:: VPN is down!!" >> $logfile
+
         msg="$(date +%F"|"%R:%S) -- ERROR:: VPN is down!!"
 +
        echo "$msg" >> $logfile
 +
        slacksend "$msg"
 
         trap exit 1 SIGINT
 
         trap exit 1 SIGINT
 
         sleep 2
 
         sleep 2
         echo "Restarting VPN..." >> $logfile
+
         msg="$(date +%F"|"%R:%S) -- Restarting VPN..."
 +
        echo "$msg" >> $logfile
 +
        slacksend "$msg"
 
         systemctl restart vpn.service
 
         systemctl restart vpn.service
 +
        status=0
 
         sleep 10
 
         sleep 10
 
         limit=10
 
         limit=10
Line 110: Line 122:
 
     else
 
     else
 
         if [[ $limit -eq 10 ]]; then
 
         if [[ $limit -eq 10 ]]; then
                 echo "$(date +%F"|"%R:%S) -- VPN appears up.  VPN IP: $ipaddr is not equal to dyndns IP: $dyndnsip" >> $logfile
+
                 msg="$(date +%F"|"%R:%S) -- VPN appears up.  VPN IP: $ipaddr is not equal to dyndns IP: $dyndnsip"
 +
                echo "$msg" >> $logfile
 
                 unset limit
 
                 unset limit
 +
                if [[ $status -eq 0 ]]; then
 +
                        slacksend "$msg"
 +
                        status=1
 +
                fi
 
         else
 
         else
 
                 ((limit++))
 
                 ((limit++))
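Review bot: slacksend (hunk at "Line 76") splices `$1` straight into a JSON string literal, and the messages it receives embed `$ipaddr` and `$dyndnsip`, which come from unauthenticated HTTP and DNS answers, so a `"` or `\` in a response breaks the payload or changes its structure; escape before building the body, `text=${1//\\/\\\\}; text=${text//\"/\\\"}` then `--data "{\"text\":\"${text}\"}"`, and quote `"$slackwebhookurl"`. That curl call also has no `--max-time`, unlike the checkip calls, so a stalled Slack endpoint blocks the monitor loop. In the "Line 110" hunk `[[ $status -eq 0 ]]` runs before `status` has ever been assigned on a healthy first pass; bash treats the empty value as 0, so the first "appears up" always alerts — if that is intended, a one-line comment saying so would help. The webhook URL is a write-capable credential now stored in the script next to the placeholder; it belongs in a root-only file and out of shared docs. slacksend's callers (checkip, compareip) start outside this hunk.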

Revision as of 14:24, 22 April 2021

Obfuscation

OpenVPN with ProtonVPN

Go to https://protonvpn.com, create an account, select the free plan, go to downloads and select linux, tcp, and the free server configs.
Download one of the configuration files and share it with your server (scp).
Create a file with the username and password on the first two lines.

~$ printf "$USERNAME\n$PASSWORD" > ~/login.conf

Connect to the VPN

~$ openvpn --auth-user-pass login.conf --config ./nl-free-01.protonvpn.com.tcp.ovpn

Create VPN Service

Since this is a long running application, we should create a service to manage it.

~$ sudo mkdir /opt/vpn
~$ sudo touch /opt/vpn/vpn.sh
~$ sudo chown root:root /opt/vpn/vpn.sh
~$ sudo chmod 750 /opt/vpn/vpn.sh
~$ sudo vim /opt/vpn/vpn.sh
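#!/bin/bash
# Wrapper run by vpn.service: start OpenVPN with the stored config and
# credentials file.
vpnauth=/opt/vpn/login.conf
vpnconfig=/opt/vpn/nl-free-01.protonvpn.com.tcp.ovpn

# exec replaces this shell with openvpn so systemd (Type=simple) tracks and
# signals the real process instead of a bash parent; paths are quoted.
exec openvpn --config "$vpnconfig" --auth-user-pass "$vpnauth"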
~$ sudo touch /etc/systemd/system/vpn.service
~$ sudo chown root:root /etc/systemd/system/vpn.service
~$ sudo chmod 750 /etc/systemd/system/vpn.service 
~$ sudo vim /etc/systemd/system/vpn.service
[Unit]
Description=VPN

[Service]
Type=simple
ExecStart=/opt/vpn/vpn.sh
User=root

[Install]
WantedBy=multi-user.target
~$ sudo systemctl daemon-reload
~$ sudo systemctl start vpn.service

Create VPN Management Service

We also want a management service to make sure the VPN is always connected and if not, stop any reliant services.
The OpenVPN service may not die when the connection is terminated from the host end; as such, I can't depend on the service state, so I've opted to rely on the exposed IP address and compare it to a dynamic dns entry.

~$ sudo touch /opt/vpn/vpnmanager.sh
~$ sudo chown root:root /opt/vpn/vpnmanager.sh
~$ sudo chmod 750 /opt/vpn/vpnmanager.sh
~$ sudo vim /opt/vpn/vpnmanager.sh
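#!/bin/bash
# VPN manager: compares the host's public IP with a dyndns record and restarts
# vpn.service when they match (see compareip). Runs as root under systemd.

dyndns="r00tedvw.duckdns.org"
logfile="/var/log/vpnmanager/vpnmanager.log"
# The webhook URL is a write-capable credential; this file is installed 0750
# root-only, so keep the real value here rather than in shared docs.
slackwebhookurl="https://hooks.slack.com/services/<webhookUUID>"
limit=10

# mkdir -p is a no-op when the directory exists and fails when it cannot be
# created; checking its status directly replaces the earlier $? test, which
# only saw mkdir's result when the directory was missing.
if ! mkdir -p -- "$(dirname -- "$logfile")"; then
    echo "ERROR:: Unable to create log directory" >&2
    exit 1
fi
# One touch is both the write check and the file creation.
if ! touch -- "$logfile"; then
    echo "ERROR:: Unable to write log file" >&2
    exit 1
fi

#exec 3>&1 4>&2
#trap 'exec 2>&4 1>&3' 0 1 2 3
#exec 1>>$logfile 2>&1
# Everything below will go to the file $logfile :

# Session header; the date is an argument, not part of the format string.
printf '\n\n%s\n----------------------------\n' "$(date)" >> "$logfile"

# Resolved once at startup. `dig +short` can print several lines (a CNAME
# target before the A record, or multiple A records); keep only the first
# dotted-quad so the comparison in compareip sees a single address.
dyndnsip=$(dig -t a +short "$dyndns" | grep -m1 -E '^[0-9]+(\.[0-9]+){3}$')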

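function slacksend {
        # Post $1 as a Slack message via the incoming webhook.
        # The text is escaped before being placed inside the JSON string
        # literal: callers pass messages containing ipaddr/dyndnsip, which
        # come from external HTTP/DNS answers, so a quote, backslash or
        # newline in a response must not be able to break or reshape the
        # payload.
        local text=$1
        text=${text//\\/\\\\}
        text=${text//\"/\\\"}
        text=${text//$'\n'/\\n}
        # --max-time keeps a hung Slack endpoint from stalling the monitor
        # loop (the checkip curl calls already use it).
        curl --max-time 10 -X POST -H 'Content-type: application/json' \
                --data "{\"text\":\"${text}\"}" "$slackwebhookurl"
}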

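function checkip {
    # Determine the host's current public IPv4 address and store it in the
    # global `ipaddr`. Providers are tried in order; on total failure the
    # error is logged and sent to Slack, ipaddr is left untouched and the
    # function returns 1 (0 on success).
    # Globals read: logfile. Globals written: ipaddr.
    local -a providers=(checkip.amazonaws.com ifconfig.me ipinfo.io/ip ident.me)
    local provider resp msg
    for provider in "${providers[@]}"; do
        # Fetch once and validate that same response: the original queried
        # each provider twice and assigned the second, unvalidated answer.
        resp=$(curl --max-time 10 --max-filesize 1000 --no-buffer --silent "$provider")
        # Only a dotted-quad is accepted, so an HTML error page or any other
        # unexpected body never reaches the log, the Slack message or the
        # comparison in compareip.
        if [[ $resp =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            ipaddr=$resp
            return 0
        fi
    done
    msg="$(date '+%F|%R:%S') -- ERROR:: Unable to determine internet IP address."
    echo "$msg" >> "$logfile"
    slacksend "$msg"
    return 1
}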

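function compareip {
    # Monitor loop: every ~10 s compare the public IP (from checkip) with the
    # dyndns address; equality, or no IP at all, is treated as "VPN down" and
    # vpn.service is restarted.
    # $1 (optional): stop after this many checks; 0 or omitted runs forever.
    # Globals read: ipaddr, dyndnsip, logfile, limit, status.
    # Globals written: ipaddr (unset after a healthy check), limit, status.
    # A while loop replaces the original self-recursion, which added a call
    # frame on every iteration of a service meant to run indefinitely.
    local max_iter=${1:-0}
    local iter=0
    local msg
    # The original `trap exit 1 SIGINT` registered `exit` for HUP (signal 1)
    # and INT; keep both signals and exit non-zero explicitly.
    trap 'exit 1' HUP INT
    # NOTE(review): dyndnsip is resolved once at startup; if it is empty the
    # equality test below can never fire and a dropped VPN goes undetected.
    while (( max_iter == 0 || iter < max_iter )); do
        iter=$((iter + 1))
        checkip
        if [[ -z ${ipaddr:-} || ${dyndnsip:-} == "$ipaddr" ]]; then
            msg="$(date '+%F|%R:%S') -- ERROR:: VPN is down!!"
            echo "$msg" >> "$logfile"
            slacksend "$msg"
            sleep 2
            msg="$(date '+%F|%R:%S') -- Restarting VPN..."
            echo "$msg" >> "$logfile"
            slacksend "$msg"
            systemctl restart vpn.service
            # 0 = a restart happened; the next "appears up" message is sent
            # to Slack exactly once, after which status flips to 1.
            status=0
            sleep 10
            limit=10
        else
            # "appears up" is logged once every 10 checks: limit starts at
            # 10, is unset (counts as 0) after logging and counts back up.
            if [[ ${limit:-0} -eq 10 ]]; then
                msg="$(date '+%F|%R:%S') -- VPN appears up.  VPN IP: $ipaddr is not equal to dyndns IP: $dyndnsip"
                echo "$msg" >> "$logfile"
                unset limit
                # An unset status counts as 0, so the first healthy check
                # after startup also alerts (same as the original).
                if [[ ${status:-0} -eq 0 ]]; then
                    slacksend "$msg"
                    status=1
                fi
            else
                limit=$(( ${limit:-0} + 1 ))
            fi
            sleep 10
            unset ipaddr
        fi
    done
}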

# Entry point: runs the monitoring loop; it does not return on its own.
compareip
~$ sudo touch /etc/systemd/system/vpnmanager.service
~$ sudo chown root:root /etc/systemd/system/vpnmanager.service
~$ sudo chmod 750 /etc/systemd/system/vpnmanager.service
~$ sudo vim /etc/systemd/system/vpnmanager.service
[Unit]
Description=VPN Manager

[Service]
Type=simple
ExecStart=/opt/vpn/vpnmanager.sh
User=root

[Install]
WantedBy=multi-user.target 
~$ sudo systemctl daemon-reload
~$ sudo systemctl start vpnmanager.service