VPN Gateway With Dead Man Switch

VPN Gateway Server with Dead Man Switch

Overview

Keep the machines on your network safe by sending all of their internet traffic out using end to end encryption via AirVPN. A dead man switch ensures that internet traffic can never be sent over your clear internet connection.

  • A VPN gateway that any client on your network can use.
  • Stop prying eyes seeing your internet activity.
  • Protect yourself on public networks.
  • Protect your net neutrality.

This guide is aimed at Raspberry Pis, but will work for any Debian based OS, e.g. Ubuntu 18.04 server, so just use what suits you. I’ve chosen a Raspberry Pi as it makes for a great low power client.

Technical Jargon

VPN

VPN stands for virtual private network. A VPN secures your computer’s internet connection by ensuring all of the data being sent and received is encrypted and secure from prying eyes.

Click here for a full detailed description of VPN.

DNS

Domain Name System (DNS) translates easily remembered names such as google.com into addresses that a machine understands.

Click here for a full detailed description of DNS.

DNS Server

A DNS server is like a telephone directory: you ask for the address of a computer and it tells you what the address is.

Click here for a full detailed description of DNS server.

DNS Leak

DNS leaking is when your requests are being sent to DNS servers that are not your designated ones (usually your VPN server). This means that while no one can read your encrypted traffic, they can see which addresses you are requesting. To stay as safe online as possible, making sure your DNS does not leak is critical.

Click here for a full detailed description of DNS leak.

VPN Gateway

A computer that routes internet traffic from other computers via its VPN connection.

IPTables

IPTables is a utility program that allows admins to define rules on how to treat packets of data.

Click here for a full detailed description of IPTables.

Assumptions

This guide assumes you have a fresh install of Raspbian on a headless server.

This guide assumes you have a VPN client installed and configured on your device.

This guide assumes you have set a static IP for your device.

This guide assumes your network connection is called eth0.

Install Software

We only need to install two extra pieces of software (iptables-persistent & dnsmasq) to get the VPN Gateway working.

Type the following into the command line:

sudo apt install iptables-persistent dnsmasq -y

Select <Yes> for both the IPv4 and IPv6 rules prompts and allow the installation to complete.

Enable Forwarding

The Raspberry Pi is going to be set up to forward incoming requests from other clients to its VPN connection. By default this is neither enabled nor configured, so we’re going to do that now.

First ssh into your Raspberry Pi with a sudo enabled user.

Now we need to enable forwarding in the sysctl.conf file by removing the # at the start of line 28 “#net.ipv4.ip_forward=1”:

sudo nano /etc/sysctl.conf

Delete the “#” in front of “net.ipv4.ip_forward=1”, then press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

Enable the forwarding service:

sudo sysctl -p

Update IPTables

In order to forward the incoming traffic correctly we need to make some changes to the IPTables on our Raspberry Pi. These updates create a dead man switch so traffic from any client using our VPN Gateway can only leave via its VPN connection. This means that if the VPN connection is lost, the clients lose their internet.

Paste the following into the command line to update the IPTables:

# Start from a clean slate
sudo iptables --flush
sudo iptables --delete-chain
sudo iptables -t nat -F
# NAT client traffic out of the VPN tunnel only
sudo iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -i lo -m comment --comment "loopback" -j ACCEPT
sudo iptables -A OUTPUT -o lo -m comment --comment "loopback" -j ACCEPT
sudo iptables -I INPUT -i eth0 -m comment --comment "In from LAN" -j ACCEPT
sudo iptables -I OUTPUT -o tun+ -m comment --comment "Out to VPN" -j ACCEPT
# The gateway itself may still reach the VPN server, NTP, DHCP and DNS over eth0
sudo iptables -A OUTPUT -o eth0 -p udp --dport 443 -m comment --comment "openvpn" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT
sudo iptables -A OUTPUT -p udp --dport 67:68 -m comment --comment "dhcp" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp --dport 53 -m comment --comment "dns" -j ACCEPT
# Forward client traffic only between the LAN and the tunnel; drop everything else
sudo iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT
sudo iptables -P FORWARD DROP

The change we’ve made is only temporary. To make it permanent type:

sudo netfilter-persistent save

To ensure these rules are applied every time the device turns on type:

sudo systemctl enable netfilter-persistent
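An added example, not from the original guide: a POSIX shell script that audits an iptables-save dump for the dead man switch properties the ruleset above is meant to give (FORWARD policy DROP, LAN traffic only forwarded into tun+, return traffic state matched, MASQUERADE bound to the tunnel). It assumes the guide's interface names (eth0 and tun+); with no argument it checks a constructed sample dump that mirrors the rules above, and `sudo iptables-save > dump.txt; sh audit.sh dump.txt` runs it against the live gateway.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an iptables-save dump for the
# dead man switch invariants. Assumptions: LAN interface is eth0, VPN tunnels are tun+.

# Constructed sample dump mirroring the guide's ruleset, used when no file is given.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun+ -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -m comment --comment "In from LAN" -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i lo -m comment --comment "loopback" -j ACCEPT
-A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT
-A OUTPUT -o tun+ -m comment --comment "Out to VPN" -j ACCEPT
-A OUTPUT -o lo -m comment --comment "loopback" -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 443 -m comment --comment "openvpn" -j ACCEPT
COMMIT'

# forward_rules <dump>: the FORWARD rules of the filter table, one per line.
forward_rules() {
    printf '%s\n' "$1" | grep '^-A FORWARD '
}

# audit_dump <dump>: prints one FAIL line per violated invariant; returns 0 only
# when every check passes.
audit_dump() {
    dump="$1"
    fails=0

    # 1. Anything not explicitly forwarded must be dropped. This is what stops
    #    LAN -> eth0 once tun disappears and the default route falls back to eth0.
    if ! printf '%s\n' "$dump" | grep -q '^:FORWARD DROP '; then
        echo "FAIL: FORWARD policy is not DROP"; fails=$((fails + 1))
    fi

    # 2. No FORWARD rule may hand LAN traffic back out over eth0 (clearnet bypass).
    if forward_rules "$dump" | grep -F -- '-i eth0 ' | grep -F -- '-o eth0 ' | grep -q 'ACCEPT'; then
        echo "FAIL: FORWARD accepts eth0 -> eth0"; fails=$((fails + 1))
    fi

    # 3. The tunnel must be the only permitted egress for LAN clients.
    if ! forward_rules "$dump" | grep -F -- '-i eth0 ' | grep -F -- '-o tun+ ' | grep -q 'ACCEPT'; then
        echo "FAIL: no FORWARD rule eth0 -> tun+"; fails=$((fails + 1))
    fi

    # 4. Traffic coming back from the tunnel should only be connection-tracked replies.
    if forward_rules "$dump" | grep -F -- '-i tun+ ' | grep -F -- '-o eth0 ' | grep -qv -F -- '--state RELATED,ESTABLISHED'; then
        echo "FAIL: tun+ -> eth0 forwarded without a state match"; fails=$((fails + 1))
    fi

    # 5. MASQUERADE must apply to the tunnel only, never to eth0.
    if printf '%s\n' "$dump" | grep '^-A POSTROUTING ' | grep 'MASQUERADE' | grep -qv -F -- '-o tun'; then
        echo "FAIL: MASQUERADE rule not restricted to tun+"; fails=$((fails + 1))
    fi

    [ "$fails" -eq 0 ]
}

main() {
    if [ -n "${1:-}" ]; then
        audit_dump "$(cat "$1")" && echo "OK: dead man switch rules present"
    else
        audit_dump "$SAMPLE_DUMP" && echo "OK: dead man switch rules present (sample dump)"
    fi
}
main "$@"
```

The guide deliberately leaves the gateway's own OUTPUT chain open so the Pi can still update when the VPN is down, so this audit only covers forwarded client traffic.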

Now that we’ve enabled forwarding, we need to make an edit to the route-up.sh and down.sh files in /etc/openvpn to ensure client traffic is routed correctly.

Navigate to the OpenVPN directory:

cd /etc/openvpn

Open route-up.sh:

sudo nano route-up.sh

At the bottom of the file add:

/etc/openvpn/update-resolv-conf

Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

Now update down.sh:

sudo nano down.sh

At the bottom of the file add:

 /etc/openvpn/update-resolv-conf

Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

Finally, reboot your Raspberry Pi to ensure the changes have been loaded.

Client Configuration

Now the VPN Gateway is set up we need to configure a client to use it and do some final checks that everything is working as expected!

It’s as easy as changing two options to point at your VPN Gateway:

  • Default gateway
  • DNS server

Depending on what operating system your client is using there are a number of different ways of achieving this. I’ll try to briefly outline the most common ones. I would recommend setting a static IP address for the clients, and the examples below assume that.

Raspberry Pi

The easiest option is to follow the static IP guide and use the VPN Gateway IP address for the static routes and static domain_name_servers.

Linux – Debian Based

If you are running a Debian based Linux distro, open the command line (or ssh into the client) and we’re going to update the static IP options to make sure it’s using our VPN Gateway.

sudo nano /etc/network/interfaces

Find the line “iface eth0 inet static” and just below that look for:

  • gateway
  • dns-nameservers

Now update both of them to be the VPN Gateway IP address.

Once updated, save and exit, then reboot the client to be sure the change has stuck.

Windows 10

Go to the search tool on the task bar and type “Network Settings” to open the network settings panel.

Once open find and click “Change Adaptor Options” to show all of your network adaptors. Locate the one you use to connect to the internet, right click it and select properties.

In the properties window double click “Internet Protocol Version 4 (TCP/IPv4)” to set a static IP address.

Fill in the boxes with the appropriate configuration; my VPN Gateway has an IP address of 10.8.60.185.

Click OK to close the panels and Windows will take care of updating your settings.

Final Checks

Now we have updated our client to use the VPN Gateway for all of its internet traffic we need to run some checks and make sure everything is working as expected.

There are 3 checks we’ll be carrying out:

  • Can it see the outside world?
  • Does it have the correct external IP?
  • Is the DNS leaking?

We’ll run through two methods of checking these, depending on whether you have a command line only client or one with a full desktop.

Command line

If, like me, your client is a headless server and you only have a command line, make the checks as follows. In the command line type:

ping google.com -c 4

You should see replies from google.com.

To check if you have the correct external IP type:

wget -qO- ifconfig.me/ip

The IP address shown should be the same as the VPN Gateway shows when you run the same command there.

Finally to check if the DNS is leaking we’ll use the same script we did when setting up the VPN Gateway.

There is a command line tool that will check if our DNS is leaking. For more information on the script we’re going to use see the author’s GitHub page.

First make sure all dependencies are installed:

sudo apt install curl jq -y

We’re going to download it to the opt folder:

cd /opt

Download using:

sudo wget https://raw.githubusercontent.com/macvk/dnsleaktest/master/dnsleaktest.sh

Let’s make it executable:

sudo chmod +x dnsleaktest.sh

To run the script from /opt use:

./dnsleaktest.sh

Or outside this folder use:

/opt/dnsleaktest.sh

If everything is successful you should see something like the image below: 

From a Web Browser

If you have a web browser on your client the checks are very quick and easy.

To see if you have access to the outside world let’s open up the browser and try navigating to your favourite site. e.g. https://philldavis.co.uk

If you can see the site, great news! You’re connected to the internet.

Now let’s have a look at our IP address: go to https://whatismyipaddress.com/ and you’ll be shown your current external IP address. This should be the same one you see on your VPN Gateway.

To see if our DNS is leaking, go to https://dnsleaktest.com and click “Standard Test”. Let it run and it should return the same DNS servers that your VPN Gateway returned when running the command line tool.

Check the Dead Man Switch

The final and possibly most important check is the dead man switch. Will the internet connection be terminated when the VPN connection drops?

This is easy to test: SSH into your VPN Gateway and stop the VPN client by typing:

sudo systemctl stop openvpn

Now back on your client machine try to access the internet. You shouldn’t be able to get any internet connection at all. If this is the case, hop back into the VPN Gateway and start the VPN client by typing:

sudo systemctl start openvpn

Finished

Congratulations! Assuming all of the checks passed with flying colours you have successfully created a VPN Gateway and are providing a secure connection to the world for any clients that use it.

So what do we actually have in this setup?

  • A VPN Client that is not leaking its IP address.
  • A VPN Client that still has access to the internet when the VPN connection drops so regular maintenance and updates are simple.
  • A VPN Gateway with a dead man switch so no traffic can accidentally go out via the regular connection.

Raspberry Pi Install Lidarr

Raspberry Pi – Install Lidarr

Overview

  • Install Lidarr.
  • Automatically manage your music.
  • Find new and missing albums.

Lidarr automates the finding, downloading, naming and organisation of Music libraries. It is designed to work in conjunction with a torrent client and media server. E.g. qBittorrent to download files and your choice of distribution software e.g. Plex Media Server to distribute the music to clients.

If you haven’t already, check out the guide to set up a secure torrent client before continuing with the install of Lidarr.

I do not in any way, shape or form condone or support the downloading of illegal or copyrighted material.

I use Lidarr to organise all of my legally purchased music, its tags, names etc and track which albums I’m missing. The Calendar view is great for seeing release dates of new albums from my favourite artists.

Technical Jargon

SSH

SSH stands for secure shell. SSH is an encrypted connection established between two computer programs. On the server side (the computer being connected to) a service is running that listens for another computer trying to contact it via SSH.

Click here for a full detailed description of SSH.

Assumptions

This guide assumes you have a fresh install of Raspbian on a headless server.

This guide assumes you either have a folder on the Raspberry Pi for your Music, or have set up a connection to your network share that contains all of your current Music.

If it is legal to download copyrighted music where you are and you wish to use Lidarr’s ability to tap into torrent RSS feeds, it’s assumed you have set up a secure torrent client.

Install Lidarr

Before we start we’re going to ensure the Raspberry Pi is up to date. Run the following commands to grab and install the latest packages:

sudo apt-get update

sudo apt-get upgrade -y

We want Lidarr to sit in the /opt directory so let’s cd into it:

cd /opt

Now let’s grab the latest Lidarr .tar.gz file. For me that is version 0.6.0.815; check https://github.com/lidarr/Lidarr/releases to find out which is the latest for you:

sudo wget https://github.com/lidarr/Lidarr/releases/download/v0.6.0.815/Lidarr.develop.0.6.0.815.linux.tar.gz

Once it’s downloaded extract the package:

sudo tar -xzvf Lidarr.develop.0.6.0.815.linux.tar.gz

Create a Service

It is recommended to run Lidarr as its own user for security purposes. We’re going to use qbtuser to own the Lidarr install and run the service. This is to tie in with the user set up in the secure torrent client guide. Feel free to use any user you like, e.g. pi:

sudo chown -R qbtuser:qbtuser /opt/Lidarr

sudo chmod -R a=,a+X,u+rw,g+r /opt/Lidarr

We’re going to create a file under /etc/systemd/system that will tell the Raspberry Pi how to handle Lidarr and ensure it runs as a service:

sudo nano /lib/systemd/system/lidarr.service

Now that we’ve created the file, paste the following into it:

[Unit]
Description=Lidarr Daemon
After=syslog.target network.target

[Service]
User=qbtuser
Group=media
Type=simple
ExecStart=/usr/bin/mono /opt/Lidarr/Lidarr.exe -nobrowser
TimeoutStopSec=20
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target

Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

Start the Lidarr Service

If everything has gone to plan we can start the service.

Start the service for the first time with:

sudo systemctl start lidarr

Check it all Works

Now we’ve finished installing Lidarr and the service is running, let’s check it all works by going to http://*Raspberry Pi IP Address*:8686, where we should see the default page.

Auto Start Lidarr – No Torrenting

If Lidarr is only used to check the status of your collections, we want to start Lidarr with the Raspberry Pi:

sudo systemctl enable lidarr

Now, to ensure everything works, reboot your Raspberry Pi:

sudo reboot

If you intend to use Lidarr to find torrents, enable it by following the section below. Note: I do not condone this.

Auto Start Lidarr – Linked to Torrent Client

If Lidarr is used to find torrents, we only want the Lidarr service to be active when there is a VPN connection available.

To do this we’re going to update some files in the OpenVPN directory so cd into /etc/openvpn:

cd /etc/openvpn

To auto start Lidarr when the VPN connection is established we need to edit route-up.sh.

sudo nano route-up.sh

And paste the following at the bottom of the file:

systemctl start lidarr

The file should look like:

#!/bin/sh
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
systemctl start qbittorrent

systemctl start lidarr

Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

Auto Stop Lidarr – Linked to Torrent Client

To make sure no peer 2 peer traffic is sent over your clear internet connection we’re going to ensure the Lidarr service is stopped before we lose our VPN connection.

To do this we’re going to add a line to down.sh:

sudo nano down.sh

Paste the following line above “iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE”:

systemctl stop lidarr

The file should look like:

#!/bin/sh
systemctl stop qbittorrent

systemctl stop lidarr
iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE

Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

Reboot your Raspberry Pi to ensure all our changes are applied:

sudo reboot

Check Everything is Working

After the reboot let’s check everything is working as we expect.

In your web browser navigate to the Lidarr Web UI as you did earlier and make sure it loads.

Import Your Current Library

Now that everything is working let’s import your current music library so Lidarr can start handling it – showing you what albums you are missing and the current track quality. This process can take a very long time, so once you’ve kicked it off it’s probably best to leave it over night. The time it takes will depend on your internet connection and device you’ve installed Lidarr on. The Raspberry Pi isn’t very powerful so will take a long time if you have a big library.

Before we start the import we want to update some settings to tell Lidarr how to handle file naming and imported track metadata.

Media Management

Click on “Settings” and then “Media Management”:

I only include the track number and title in my naming scheme so as can be seen above I’ve updated the Standard Track Format. Click the “?” if you want to customise the naming convention.

Once you’re happy click “Save Changes” at the top.

Metadata

Now click on “Metadata” to update how Lidarr will handle track Metadata:

Lidarr will handle all of your music metadata and you’ve got a few options on how and when it does this. From the dropdown box next to “Tag Audio Files with Metadata” select the right options for you.

I’ve already got my music tagged so I only want Lidarr to handle new files.

If you are unsure click “More Info” to find out which option is right for you.

Once you’re happy click “Save Changes” at the top.

Import Music

To perform a bulk import of our existing library click “Artist”, “Import” and then the big green “Choose Folder” button.

Use the menu to navigate to your music folder and click “Ok”: 

Once the folder is selected Lidarr will scrape through all of the sub folders, matching the artists. If any are mismatched or not found, use the drop down to search for the correct artist.

It will only try to import artists that aren’t already imported:

After clicking “Import” Lidarr will take you to the Artist page and start downloading all of the album artwork and artist/album information, and scraping your folders to see which albums you currently have.

Don’t worry if the images don’t show up straight away, this process can take a long time:

Finished

The installation and basic setup of Lidarr is complete and it’s up to you to play around with the rest of the settings to get everything sorted. Jump in and have a go.

Raspberry Pi Install Sonarr

Raspberry Pi – Install Sonarr

Overview

  • Install Sonarr.
  • Automatically manage your media.
  • Find missing episodes.

Sonarr automates the finding, downloading, naming and organisation of TV shows. It is designed to work in conjunction with a torrent client and media server. E.g. qBittorrent to download files and Plex Media Server to distribute them to clients.

If you haven’t already, check out the guide to set up a secure torrent client before continuing with the install of Sonarr.

I do not in any way, shape or form condone or support the downloading of illegal or copyrighted material.

Technical Jargon

SSH

SSH stands for secure shell. SSH is an encrypted connection established between two computer programs. On the server side (the computer being connected to) a service is running that listens for another computer trying to contact it via SSH.

Click here for a full detailed description of SSH.

Assumptions

This guide assumes you have a fresh install of Raspbian on a headless server.

This guide assumes you either have a folder on the Raspberry Pi for your TV shows, or have set up a connection to your network share that contains your TV media.

If it is legal to download TV box sets where you are and you wish to use Sonarr’s ability to tap into torrent RSS feeds, it’s assumed you have set up a secure torrent client.

Install Sonarr

Before we start we’re going to ensure the Raspberry Pi is up to date. Run the following commands to grab and install the latest packages:

sudo apt-get update

sudo apt-get upgrade -y

As Sonarr isn’t in the default Raspbian repository we’ll want to add Sonarr’s. To do this let’s install the directory manager to allow us to modify our repositories:

sudo apt-get install dirmngr

Now that we can add new repositories, let’s make sure we can use secure connections:

sudo apt-get install apt-transport-https -y --force-yes

With all that sorted we can add Sonarr’s repository:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0xA236C58F409091A18ACA53CBEBFF6B99D9B78493
echo "deb http://apt.sonarr.tv/ master main" | sudo tee /etc/apt/sources.list.d/sonarr.list

With the repository available we’ll now be able to install Sonarr, but before we do we need to update our sources so the Pi knows where to look:

sudo apt update
sudo apt install nzbdrone -y

Create a Service

It is recommended to run Sonarr as its own user for security purposes. We’re going to use qbtuser to own the Sonarr install and run the service. This is to tie in with the user set up in the secure torrent client guide. Feel free to use any user you like, e.g. pi:

sudo chown -R qbtuser:qbtuser /opt/NzbDrone

We’re going to create a file under /etc/systemd/system that will tell the Raspberry Pi how to handle Sonarr and ensure it runs as a service:

sudo nano /lib/systemd/system/sonarr.service

Now that we’ve created the file, paste the following into it:

[Unit]
Description=Sonarr Daemon
After=syslog.target network.target

[Service]
User=qbtuser
Group=qbtuser
Type=simple
ExecStart=/usr/bin/mono --debug /opt/NzbDrone/NzbDrone.exe -nobrowser
TimeoutStopSec=20
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target

Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

Start the Sonarr Service

If everything has gone to plan we can start the service.

Start the service for the first time with:

sudo systemctl start sonarr

Check it all Works

Now we’ve finished installing Sonarr and the service is running, let’s check it all works by going to http://*Raspberry Pi IP Address*:8989, where we should see the default page.

Auto Start Sonarr – No Torrenting

If Sonarr is only used to check the status of your collections, we want to start Sonarr with the Raspberry Pi:

sudo systemctl enable sonarr

Now, to ensure everything works, reboot your Raspberry Pi:

sudo reboot

If you intend to use Sonarr to find torrents, enable it by following the section below. Note: I do not condone this.

Auto Start Sonarr – Linked to Torrent Client

If Sonarr is used to find torrents, we only want the Sonarr service to be active when there is a VPN connection available.

To do this we’re going to update some files in the OpenVPN directory so cd into /etc/openvpn:

cd /etc/openvpn

To auto start Sonarr when the VPN connection is established we need to edit route-up.sh.

sudo nano route-up.sh

And paste the following at the bottom of the file:

systemctl start sonarr

The file should look like:

#!/bin/sh
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
systemctl start qbittorrent

systemctl start sonarr

Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

Auto Stop Sonarr – Linked to Torrent Client

To make sure no peer 2 peer traffic is sent over your clear internet connection we’re going to ensure the Sonarr service is stopped before we lose our VPN connection.

To do this we’re going to add a line to down.sh:

sudo nano down.sh

Paste the following line above “iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE”:

systemctl stop sonarr

The file should look like:

#!/bin/sh
systemctl stop qbittorrent

systemctl stop sonarr
iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE

Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

Reboot your Raspberry Pi to ensure all our changes are applied:

sudo reboot

Check Everything is Working

After the reboot let’s check everything is working as we expect.

In your web browser navigate to the Sonarr Web UI as you did earlier and make sure it loads.

Add A TV Show

Now that everything is working let’s add a TV show. Click Add Series and search for the series you want to monitor. I’ve searched for one of my favourite shows, Black Books.

Point the path to the parent folder containing your TV Shows and click the green plus button to add it to your list.

You can either add a single series that you don’t currently have by searching for it and clicking add, or you can import your entire folder by clicking “Import Existing Series On Disk” and selecting the parent folder of your TV shows. This will bulk import everything you have already.

Finished

The installation of Sonarr is complete and it’s up to you to play around with the settings to get everything sorted. Jump in and have a go.

Setup a Secure VPN Client

Setup a Secure VPN Client Using AirVPN

Overview

Keep yourself safe by sending all traffic leaving your computer using end to end encryption via AirVPN.

  • Stop prying eyes seeing your internet activity.
  • Protect yourself on public networks.
  • Protect your net neutrality.

This guide is aimed at Raspberry Pis, but will work for any Debian based OS, e.g. Ubuntu 18.04 server, so just use what suits you. I’ve chosen a Raspberry Pi as it makes for a great low power client.

Technical Jargon

VPN

VPN stands for virtual private network. A VPN secures your computer’s internet connection by ensuring all of the data being sent and received is encrypted and secure from prying eyes.

Click here for a full detailed description of VPN.

DNS

Domain Name System (DNS) translates easily remembered names such as google.com into addresses that a machine understands.

Click here for a full detailed description of DNS.

DNS Server

A DNS server is like a telephone directory: you ask for the address of a computer and it tells you what the address is.

Click here for a full detailed description of DNS server.

DNS Leak

DNS leaking is when your requests are being sent to DNS servers that are not your designated ones (usually your VPN server). This means that while no one can read your encrypted traffic, they can see which addresses you are requesting. To stay as safe online as possible, making sure your DNS does not leak is critical.

Click here for a full detailed description of DNS leak.

Note: other VPN services will work, but this guide will concentrate on AirVPN. If you choose another provider, ensure they are reputable, do not keep logs and are pro net neutrality. Often you get what you pay for.

Assumptions

This guide assumes you have a fresh install of Raspbian on a headless server.

This guide assumes your Raspberry Pi is able to use any DNS server it chooses. If it can’t, you’ll need to make an exception in your firewall.

Install the VPN Client

Before we start we’re going to ensure the Raspberry Pi is up to date. Run the following commands to grab and install the latest packages:

sudo apt-get update
sudo apt-get upgrade -y

Now we’re ready to install our VPN client, which for this guide will be OpenVPN. Install using:

sudo apt-get install openvpn -y

Once OpenVPN has been installed you’ll notice a new folder at /etc/openvpn.

This is where we’re going to do the next few bits, so let’s cd into it:

cd /etc/openvpn

Before we start thinking about connecting to AirVPN we’re going to create 2 files.

  • route-up.sh – To divert all traffic to AirVPN once a connection is established.
  • down.sh – Remove the divert rule and restore normal routing.

Create the file called route-up.sh that will divert all traffic to AirVPN:

sudo nano route-up.sh

Now add the instruction to route all traffic over the VPN connection:

#!/bin/sh
# hand the DNS servers pushed by the VPN server to systemd-resolved
/etc/openvpn/update-systemd-resolved
# replace /etc/resolv.conf with special version for AirVPN
rm /etc/resolv.conf
cp /etc/resolv.conf.airvpn /etc/resolv.conf

Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

Create the file called down.sh that will reverse the actions of route-up.sh:

sudo nano down.sh

Now add the instruction to stop routing traffic over the VPN connection:

#!/bin/sh
# let systemd-resolved drop the VPN DNS settings
/etc/openvpn/update-systemd-resolved
# restore default resolv.conf
rm /etc/resolv.conf
cp /etc/resolv.conf.original /etc/resolv.conf

Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

Now let’s give them the correct permissions: we want only the owner (root) to be able to read, write and execute the files:

sudo chmod 700 route-up.sh
sudo chmod 700 down.sh

If it’s all gone to plan, our folder should look like this. To check file permissions use:

ls -al

You’ll have noticed that we referenced some files that don’t currently exist:

  • update-systemd-resolved
  • /etc/resolv.conf.original
  • /etc/resolv.conf.airvpn

These files are used to ensure we don’t get any DNS leakage and this will help keep our connection more secure and private.

Let’s grab a copy of update-systemd-resolved from GitHub:

sudo wget https://raw.githubusercontent.com/jonathanio/update-systemd-resolved/master/update-systemd-resolved -P /etc/openvpn/

Once it’s downloaded we need to give it the correct permissions:

sudo chmod +x /etc/openvpn/update-systemd-resolved

Double check the file permissions and folder contents, it should look like:

ls -al

Finally, let’s make sure OpenVPN uses the AirVPN DNS servers for all of its requests so nothing is leaked. This change means the Raspberry Pi will use AirVPN’s DNS servers while the VPN connection is established and the default DNS servers when the VPN connection drops.

Let’s copy resolv.conf so we have an original to default back to when there is no VPN connection:

sudo cp /etc/resolv.conf /etc/resolv.conf.original

And now let’s create a new resolv.conf file that includes AirVPN’s DNS servers. I’ve chosen two of their servers that work well for me, but feel free to check out their website if you want to use different servers:

sudo nano /etc/resolv.conf.airvpn

Inside this file paste the following:

# — BEGIN PVE —
search local.lan
nameserver 10.4.0.1
nameserver 10.5.0.1
# — END PVE —

Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

There is a risk here that if the VPN connection drops your traffic will be sent over your clear internet and will be fully visible to your internet provider. To remove this risk, follow the tutorial on setting up a VPN gateway server with dead man switch to ensure traffic is only sent over VPN.

We’re all sorted now and can go on to create the AirVPN config!

Create an AirVPN Config File

To be able to connect to AirVPN we need to generate a config from the Client Area. For a direct link to the generator click here.

  • Login to AirVPN.
  • Click Client Area from the tabs across the top.
  • Click Config Generator from the menu on the left hand side.
  • Select your operating system (RPi).
  • Select UDP protocol.
  • Choose a server – I’m using Europe.
  • Scroll to the bottom.
  • Diligently read the Terms of Service.
  • Accept both terms of services boxes.
  • Select Generate.
  • Download the .ovpn file.

If you open up the .ovpn file in a text editor (I recommend something like Visual Studio Code) you’ll see a comment about the file, some VPN parameters, two certificates, a private key and a static key. The top should look something like:

# --------------------------------------------------------
# Air VPN | https://airvpn.org | Sunday 24th of February 2019 09:50:09 PM
# OpenVPN Client Configuration
# AirVPN_Europe_UDP-443
# --------------------------------------------------------

client
dev tun
remote europe.vpn.airdns.org 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
route-delay 5
verb 3
explicit-exit-notify 5
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
proto udp
key-direction 1

We have chosen the UDP protocol on port 443. If you have trouble connecting or get frequent dropouts, your Internet Service Provider may be inspecting your connection a little more closely than mine. Some throttle or block VPN traffic, and if that is the case you will want to try TCP instead of UDP. The simplest way is to regenerate the config with TCP selected; if you edit the .ovpn file by hand instead, change the line "proto udp" to "proto tcp" and also remove the "explicit-exit-notify 5" line, which OpenVPN only accepts together with UDP.

We need to add 7 more lines to the .ovpn file to make sure route-up.sh and down.sh are used when we establish or close the VPN connection. While the .ovpn file is open in your text editor add the following lines below “key-direction 1”:

dhcp-option DOMAIN-ROUTE .
script-security 2
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
up /etc/openvpn/route-up.sh
up-restart
down /etc/openvpn/down.sh
down-pre

script-security 2 allows OpenVPN to call user-defined scripts such as the two above. up-restart makes the up and down scripts run on every reconnect, not just on the first connection. down-pre runs down.sh before the tun device is closed rather than after it, so the changes the script makes are applied while the tunnel interface still exists. Note that the down script only runs when OpenVPN itself tears the connection down; if the process is killed or the Pi loses power nothing runs at all, which is why the firewall rules, not these scripts, have to be what blocks the clear path.
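One way the DNS half of those two scripts can be written, as an added example that is not the tutorial's own route-up.sh or down.sh: a single script that both the up and down lines can point at, which swaps /etc/resolv.conf between the two files created above according to the script_type variable OpenVPN exports to its scripts ("up" or "down"). The RESOLV_DIR override (so it can be exercised outside /etc) and the temp-file-then-rename write are assumptions of this example, not something the page specifies.

```shell
#!/bin/sh
# resolv-swap.sh (added example, not the tutorial's route-up.sh/down.sh).
# Switches resolv.conf between the VPN and original copies created earlier.
# RESOLV_DIR is an assumed override so the functions can be run against a
# scratch directory instead of /etc.
RESOLV_DIR="${RESOLV_DIR:-/etc}"

# $1 is "up" or "down"; OpenVPN passes this in the script_type variable.
swap_resolv() {
  case "$1" in
    up)   src="$RESOLV_DIR/resolv.conf.airvpn" ;;
    down) src="$RESOLV_DIR/resolv.conf.original" ;;
    *)    echo "resolv-swap: unknown script_type '$1'" >&2; return 2 ;;
  esac
  [ -r "$src" ] || { echo "resolv-swap: missing $src" >&2; return 1; }
  # Write to a temp file and rename so a resolver never reads a half-written file.
  tmp="$RESOLV_DIR/resolv.conf.tmp.$$"
  cp "$src" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$RESOLV_DIR/resolv.conf"
}

# Prints the nameservers currently active, space separated, for checking state.
active_nameservers() {
  awk '/^nameserver/ {printf "%s ", $2}' "$RESOLV_DIR/resolv.conf" | sed 's/ $//'
}

# Only act when OpenVPN invoked us (script_type set); stay inert when sourced.
if [ -n "$script_type" ]; then
  swap_resolv "$script_type"
fi
```

Invoked from the .ovpn file as up /etc/openvpn/resolv-swap.sh and down /etc/openvpn/resolv-swap.sh it needs the script-security 2 line above. It deliberately does nothing to the firewall: restoring the clear-internet nameservers on "down" is exactly the moment a leak can happen unless iptables already refuses non-VPN egress.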

Configure AirVPN on the Raspberry Pi

We now have everything we need to connect our Raspberry Pi to AirVPN.

cd back into /etc/openvpn and create a new file called AirVPN.conf:

cd /etc/openvpn
sudo nano AirVPN.conf

Now paste the content of the .ovpn file you edited in the section above into AirVPN.conf before saving and exiting. Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

Now restrict the file permissions. The file embeds your private key and the static key, so it should not be world-readable; root-only is enough because the openvpn service starts as root and reads the config before dropping privileges:

sudo chmod 600 AirVPN.conf

If it's all gone to plan, /etc/openvpn now contains AirVPN.conf alongside route-up.sh and down.sh.

Before we connect to the VPN let's make sure we know what our clear public IP address is:

wget -qO- ifconfig.me/ip

Make a note of the address returned so you can confirm later that the VPN connection works.

Auto Connect to AirVPN on Boot

There is no point having a headless secure torrent client that requires human input each time it reboots to make sure it connects to the VPN server. That would make unexpected power outages a security nightmare. Let's make sure OpenVPN connects using your AirVPN config every time the Raspberry Pi boots up.

Open the file responsible for default actions on OpenVPN:

sudo nano /etc/default/openvpn

Now scroll to the bottom and add:

AUTOSTART="AirVPN"

Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

This tells the openvpn service to start our AirVPN.conf config each time it starts (on systemd-based Raspbian the Debian package translates this setting into the openvpn@AirVPN unit). Now go ahead and reboot the Raspberry Pi.

Once the Raspberry Pi has rebooted, check that it is now connected to the VPN:

wget -qO- ifconfig.me/ip

Compare the IP address shown now to the one taken before and if all things have gone to plan they should be different! 

Check if DNS is Leaking

There is a command-line tool that will check if our DNS is leaking. For more information on the script we're going to use see the author's GitHub page.

First make sure all dependencies are installed:

sudo apt install curl jq -y

We’re going to download it to the opt folder:

cd /opt

Download using:

sudo wget https://raw.githubusercontent.com/macvk/dnsleaktest/master/dnsleaktest.sh

Let’s make it executable:

sudo chmod +x dnsleaktest.sh

To run the script from /opt use:

./dnsleaktest.sh

Or outside this folder use:

/opt/dnsleaktest.sh

If everything is successful the script lists only DNS servers belonging to AirVPN and reports that DNS is not leaking. If it lists your ISP's servers, resolv.conf was not switched when the tunnel came up.
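The two checks in this and the previous section (public IP changed, DNS not leaking) can also be done from the Pi without an external service. The following is an added example, not part of the original tutorial: three small checks with the live commands behind a --live flag. It assumes the tunnel device is tun0, that the VPN nameservers are the 10.4.0.1 and 10.5.0.1 entries from resolv.conf.airvpn, and uses 1.1.1.1 purely as an arbitrary public address for the route lookup (ip route get sends no traffic).

```shell
#!/bin/sh
# vpn-check.sh (added example, not from the original tutorial).
# Assumes: tunnel device tun0, VPN nameservers 10.4.0.1/10.5.0.1.

# $1 = one line of `ip route get <public address>` output.
# AirVPN pushes redirect-gateway def1, which adds 0.0.0.0/1 and 128.0.0.0/1
# routes instead of replacing "default", so a route lookup is more reliable
# than grepping `ip route show default`.
egress_via_tun() {
  printf '%s\n' "$1" | grep -Eq '^[0-9.]+ (via [0-9.]+ )?dev tun0( |$)'
}

# $1 = contents of /etc/resolv.conf; every nameserver must be a VPN address.
nameservers_are_vpn() {
  ns=$(printf '%s\n' "$1" | awk '/^[ \t]*nameserver/ {print $2}')
  [ -n "$ns" ] || return 1          # no nameserver at all is also a failure
  for n in $ns; do
    case "$n" in
      10.4.0.1|10.5.0.1) ;;
      *) return 1 ;;
    esac
  done
}

# $1 = public IP noted before connecting, $2 = public IP seen now.
public_ip_changed() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Usage on the Pi: ./vpn-check.sh --live <ip-noted-before-connecting>
if [ "${1:-}" = "--live" ]; then
  before="$2"
  now=$(wget -qO- ifconfig.me/ip)
  egress_via_tun "$(ip route get 1.1.1.1)" \
    && echo "ok: egress via tun0" || echo "FAIL: egress is not via tun0"
  nameservers_are_vpn "$(cat /etc/resolv.conf)" \
    && echo "ok: only VPN nameservers in resolv.conf" || echo "FAIL: non-VPN nameserver in resolv.conf"
  public_ip_changed "$before" "$now" \
    && echo "ok: public IP is now $now" || echo "FAIL: public IP unchanged ($now)"
fi
```

A FAIL on the egress check with the tunnel up usually means redirect-gateway was not pushed or route-delay has not expired yet; a FAIL on the nameserver check means the up script did not replace resolv.conf.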

Finished

Now we're finished and we've got a secure VPN client set up on our device!

Raspberry Pi Samba Server


Setup a Samba Server to Share File with Windows Clients

Overview

Access files on your Raspberry Pi from Windows clients by using Samba.

  • Raspberry Pi discoverable on the network.
  • Easily manipulate files from other devices.

This guide is aimed at Raspberry Pis, but will work for any Debian based OS. E.g. Ubuntu 18.04 server, so just use what suits you. I’ve chosen a Raspberry Pi as it makes for a great low power server and a lot of the projects I do require network file shares to be created. For best results connect the Raspberry Pi to the network via ethernet cable.

Note: the Raspberry Pi 3B+ has a 300Mb/s Ethernet connection; the Raspberry Pi 4 Model B has a 1Gb/s Ethernet connection.

Assumptions

This guide assumes you have a fresh install of Raspbian on a headless server.

This guide assumes you have set a static IP address.

Technical Jargon

Samba

Samba is a free implementation of the SMB/CIFS network protocol. Running it on the Raspberry Pi lets Windows clients access its files and printers and lets it take part in other Windows services such as Active Directory.

Click here for a full detailed description of Samba.

SSH

SSH stands for secure shell. SSH is an encrypted connection established between two computer programs. On the server side (the computer being connected to) a service is running that listens for another computer trying to contact it via SSH.

Click here for a full detailed description of SSH.

Create a Network Share

First things first, let's install the packages necessary to run a Samba server:

sudo apt-get install samba -y

Once the package has installed we can configure the Samba server, this is done by editing the smb.conf file in /etc/samba/smb.conf.

Before we configure the server let’s create the folder that will be shared (I’m assuming it’s not already existing, if it exists skip this step). I’m using /mnt/SharedFolder for my file share:

sudo mkdir /mnt/SharedFolder

Now that we have a folder to share, we need to make sure the user that will connect to it is the owner. I'm using the user pi for this guide:

sudo chown -R pi:pi /mnt/SharedFolder

The option -R means the chown command is recursive and will update all sub files and folders.

Now we can start editing the config file, but before we make any edits, lets make a backup of the original so we can always roll back:

sudo cp /etc/samba/smb.conf /etc/samba/smb.bak

Now to update smb.conf:

sudo nano /etc/samba/smb.conf

We're going to enable WINS (Windows Internet Name Service) support, which makes the Raspberry Pi act as the WINS name server for the network. There should only be one WINS server on a network, so skip this step if you already have one.

Look for the line:

# wins support = no

And replace it with:

wins support = yes

Now to setup the Samba share, but before we do, let’s look into some of the options below.

  • path – This is the path to the folder you’re going to be sharing.
  • force user – This is the username that everything will be stored as. I’m going to use pi for this guide.
  • valid users – This is a comma separated list of users that are allowed to access the samba share.

Now we know what we're doing, go to the end of the file and paste the following. Two details to note: smb.conf only treats whole lines starting with # or ; as comments, so notes go on their own line rather than after a value; and public is a synonym for guest ok, so it is set to no here because we want only the users in valid users (authenticating with a password) to be able to connect.

# SharedFolder is the name the share will show up as when you browse
[SharedFolder]
comment = Finished Torrents Folder
path = /mnt/SharedFolder
create mask = 0775
directory mask = 0775
read only = no
browseable = yes
public = no
force user = pi
valid users = pi
only guest = no

Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.
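Before restarting Samba it is worth checking the share definitions for the two mistakes that most often turn a private share into a public one: guest access left on (public or guest ok = yes) and a writable share with no valid users list. The script below is an added example, not part of the original tutorial, and parses the smb.conf layout shown above with awk; the authoritative syntax check is still testparm -s.

```shell
#!/bin/sh
# smb-audit.sh (added example, not from the original tutorial).
# Usage: audit_smb_conf /etc/samba/smb.conf
# Prints one finding per risky share; returns 1 if anything was flagged.
audit_smb_conf() {
  awk '
    # Called at each new section and at EOF to report on the previous share.
    function flush() {
      if (section == "" || section == "global" || section == "printers" || section == "print$") return
      if (guest == "yes") {
        printf "%s: guest access enabled (public/guest ok = yes)\n", section; bad++
      }
      if (ro == "no" && valid == "") {
        printf "%s: writable share with no valid users list\n", section; bad++
      }
    }
    /^[ \t]*[#;]/ { next }                           # whole-line comments only
    /^[ \t]*\[/ {                                    # [section] header
      flush()
      section = $0; sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
      guest = ""; ro = "yes"; valid = ""             # Samba default: read only = yes
      next
    }
    /=/ {
      key = $0; sub(/=.*$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
      val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val); val = tolower(val)
      if (key == "public" || key == "guest ok") guest = val
      if (key == "read only") ro = val
      if (key == "writable" || key == "writeable") ro = (val == "yes") ? "no" : "yes"
      if (key == "valid users") valid = val
    }
    END { flush(); exit (bad > 0 ? 1 : 0) }
  ' "$1"
}
```

Run against the smb.conf as pasted above it is silent and returns 0; with public = yes it reports the guest access line for SharedFolder.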

We need to set a Samba password (memorable and secure) for the pi user; this is what will be used to connect to the share:

sudo smbpasswd -a pi

Now we’ve finished setting it up lets restart the samba service:

sudo service smbd restart

WINS and network browsing are handled by the nmbd service rather than smbd, so restart that as well in the same way. Once the services have restarted let's try and connect. If this fails, reboot your Raspberry Pi to ensure all settings have been updated.

The Raspberry Pi should be visible on your Network tab, but you can directly navigate to it using either the hostname or IP address of the Raspberry Pi in the address bar of a file explorer window:

\\10.8.10.115\SharedFolder

Logging in

On the first time logging in you’ll need to provide the user details.

  • username: pi.
  • password: *Setup earlier*.

Ticking Remember my credentials means you won’t have to go through this process each time you try to access the Raspberry Pi’s file share.

It’s not recommended to remember credentials on a shared computer as anyone will be able to access the share.

With everything going to plan you’ll see your folder and have all the permissions set to the user connected to it. Mine is a new folder so currently empty.

Finished

Congratulations! You’ve got a working Samba share that will let you copy, paste and manipulate files and folders.