Friday, May 3, 2013

How to Use Linux Virtual Machine instead of router for VPN

Connecting Your Home Devices To The Internet Via A VPN Service, Without A VPN Client Capable Router

I’ve just been through this process at home for a “project” I was working on. Those attempting similar “projects” will understand why you’d do it. Those asking the question “But my computer connects fine to the internet already?” can probably stop reading. To give you a hint, I’m in Australia and I’ve just purchased a Roku Media Player from Amazon.
I wanted to set up my computers at home to access the internet through a VPN service. What HMA suggests is to configure the VPN at the router, the router being the gateway between the Internet and my home network. This is fine if your router supports acting as a VPN client. Mine, a TP-Link w8960N, does not support such functionality. So what to do?
The Synology supports acting as a VPN server for connecting back home and, with some tweaking, can be made to act as a VPN client. However, I prefer not to hack my Syno box unless I really have to. After a quick try (thanks to Greg Hughes' blog for the tips), I decided it’d be safer to break something else.
I could have purchased a router that supports VPN client connectivity. There are some articles over at VPNFreedom.com, such as this one by Thomas Fals, that explain how to set it up. I already have a NAS, Gigabit Switch and Router in the home theatre cabinet though, so the thought of adding another box doesn’t appeal. I also thought there must be a way to do it using software and without spending more money.
In the end, I decided to attempt it using an Ubuntu Linux Virtual Machine running an OpenVPN client, with iptables configured to route traffic between the home network and the VPN. Sound hard? Well, I wouldn’t recommend it to a novice user, but if you have some Linux experience you should be able to manage.

Ubuntu Linux VM
Firstly you’ll want to set up a Linux VM. For those unfamiliar with Virtual Machines, it’s basically just a virtual computer running on another computer. Sticking with the ‘free’ theme of this post, I decided to go with VirtualBox from Oracle. It’s a freely available virtualization platform that you can install at home. Unlike VMware Player or others, it will run on any platform: Windows / Mac / Linux.
I have a Mac Mini at home that I use as a Plex Media Client, and I already had VirtualBox installed on it. It’s quite a simple download and install from VirtualBox, so I won’t cover the install here.
I already had an Ubuntu 10.04 Linux VM configured that I’d used for another project (I’d tried out PS3 Media Server a while ago), so I decided to use that. If you need to install Ubuntu, there are several ways to do it, as detailed on the Ubuntu website. You can also just download a pre-built VM image; Oracle have them available here.
I’ll leave it up to you how you want to do it.

OpenVPN Client
I’ll assume you’ve signed up with HMA already. If not, you should sign up for an account if you plan to use it before going any further.
Log on to your Ubuntu VM with root privileges. Whether you do that as root or sudo each command, I’ll again leave up to you. There are a few packages that you need to install in order to run the OpenVPN client and connect to HMA. Run the following:
sudo apt-get install openvpn curl unzip dnsmasq-base wget
This installs the OpenVPN client for connecting to HMA plus some tools you’ll need.

HMA Config
Create a directory where you would like to install HMA. HMA will run self contained out of this directory. Then download and unzip the HMA config to that directory.
mkdir /opt/hma
cd /opt/hma
wget http://vpn.hidemyass.com/linux.zip
unzip linux.zip
You are now ready to test your HMA connection. As per the HMA README file you just downloaded, run the following to list the servers:
/opt/hma/hma-start -l
This will list the available servers. Choose one in the country you wish to connect via and start the VPN connection e.g.
/opt/hma/hma-start "USA, California, Los Angeles (DC1 S1)"
You will be prompted for your HMA username and password. This should then establish your connection.
If you get timeout errors, try a different location. You should see some entries starting with /sbin/ifconfig and /sbin/route add; these entries should be on consecutive lines. If errors are reported, kill the process using Ctrl+C and try again.

Routing Traffic Via Your VPN Connection
The goal here is to tell our clients to connect to the internet via our Linux VM instead of going out directly through the router. We also need to make sure the VM is configured to forward IP packets out through the VPN instead of bouncing them back to the client.
Firstly, make sure you configure your Ubuntu Linux VM with a static IP address outside your DHCP range on your local network, and that the gateway of your VM is pointing to the address of your router, e.g.
IP: 192.168.1.10
Subnet Mask: 255.255.255.0
Gateway: 192.168.1.1
DNS: 192.168.1.1 (assuming your router is providing DNS)
There’s an excellent Ubuntu doc here on configuring Internet connection sharing. I really recommend reading it. Basically, that document assumes you have two network cards (NICs), or at least two interfaces configured, with your clients connected to one and the Internet connected to the other. This is exactly what we’re doing here. Your local network interface is normally eth0. What we would normally do is set up another interface on eth1 and route traffic between eth0 and eth1. The difference here is that we’re using an OpenVPN client. When it’s running, this client creates a VPN tunnel interface called tun0, so we will be routing traffic arriving on eth0 out via tun0. We do that using iptables. For the hows and whys, check out the Ubuntu doc. In command-line form though, it’s the following commands.
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
sudo iptables -A FORWARD -o tun0 -i eth0 -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
sudo iptables-save | sudo tee /etc/iptables.sav
You may also have to modify the /etc/sysctl.conf file to uncomment the line
net.ipv4.ip_forward=1
Done, assuming you’ve established a VPN connection, you’ve now set up routing on the Linux VM.
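The rules above only add ACCEPT entries, and the kernel's default FORWARD policy is also ACCEPT, so if tun0 disappears (VPN drop, timeout) the VM keeps forwarding the clients' traffic out eth0 to the real router in the clear. As an added example, not code from the original post, here is a small sh script that generates and applies a fail-closed version of the same ruleset; the LAN 192.168.1.0/24, eth0 and tun0 are the post's names and are passed in as parameters.

```sh
#!/bin/sh
# Added example, not code from the original post. Same LAN -> tun0 forwarding
# as the post, but fail-closed: FORWARD policy DROP, LAN traffic may only leave
# via the VPN interface, and masquerading is limited to the tunnel. Assumed
# names (parameters): LAN 192.168.1.0/24, LAN interface eth0, VPN interface tun0.

# Print an iptables-restore ruleset. Nothing is applied here. Lines beginning
# with '#' are ignored by iptables-restore, so the comments can stay in.
gen_vpn_gateway_rules() {
    lan_net="$1"; lan_if="$2"; vpn_if="$3"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# LAN -> VPN only, and VPN -> LAN only for replies. Nothing from the LAN is
# ever forwarded back out $lan_if, so a dead $vpn_if drops packets instead of
# sending them in the clear via the router.
-A FORWARD -i $lan_if -o $vpn_if -s $lan_net -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $vpn_if -o $lan_if -d $lan_net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Log (rate-limited) what the policy drops, so a VPN outage shows up in syslog.
-A FORWARD -i $lan_if -m limit --limit 5/min -j LOG --log-prefix "vpn-gw-blocked: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Masquerade only traffic leaving through the tunnel (the post's rule has no -o).
-A POSTROUTING -s $lan_net -o $vpn_if -j MASQUERADE
COMMIT
EOF
}

# Self-check: count FORWARD ACCEPT rules that let LAN traffic leave via any
# interface other than the VPN one. A fail-closed ruleset returns 0.
count_leaky_forward_rules() {
    printf '%s\n' "$1" | grep -- "^-A FORWARD -i $2 " \
        | grep -v -- "-o $3 " | grep -c -- '-j ACCEPT' || true
}

# Enable forwarding and load the ruleset atomically (needs root). It is applied
# even when the VPN interface is absent: that is exactly when DROP must hold.
apply_vpn_gateway_rules() {
    rules=$(gen_vpn_gateway_rules "$1" "$2" "$3")
    if [ "$(count_leaky_forward_rules "$rules" "$2" "$3")" -ne 0 ]; then
        echo "refusing to apply: ruleset would forward LAN traffic outside the VPN" >&2
        return 1
    fi
    ip link show "$3" >/dev/null 2>&1 || echo "warning: $3 is not up yet" >&2
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    printf '%s\n' "$rules" | iptables-restore
    printf '%s\n' "$rules" > /etc/iptables.sav   # same file the post saves to
}

# Usage (as root): apply_vpn_gateway_rules 192.168.1.0/24 eth0 tun0
```

With this in place a client whose VPN has dropped simply loses connectivity until tun0 is back, and the "vpn-gw-blocked:" lines in syslog tell you it happened.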

Client Config
Connecting clients will vary based on what type of client it is. Computers are the easiest because they’re the most configurable. Basically, you now just change the Gateway or Router address in your network config of your computer to point to your Linux VM. In this case it would be 192.168.1.10. That’s it. If you go to google.com and type in “what is my ip address” it will now show you the IP address of the VPN connection. It will also probably ask if you’d like to stop connecting to google.com.au and use google.com instead as it now thinks you’re in the U.S.

DHCP Only Clients (Optional)
There are some clients, notably the Roku Media Player, that don’t support static IP addresses or changing the gateway. This is a bit of a pain. Normally, DHCP addresses are provided by your router; in my case this was the TP-Link w8960N at 192.168.1.1. The problem with this is that it also tells your client that the gateway address is 192.168.1.1, so your client uses that for the internet connection and not your fancy new VPN software router. To get around this, I turned off the DHCP function on my router and installed a DHCP server on the Linux VM.
sudo apt-get install dhcp3-server
Then put the following in a file called /etc/dhcp3/dhcpd.conf
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.10;
option domain-name-servers 192.168.1.1;
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.100 192.168.1.200;
}
Then start the DHCP server (the dhcp3-server package installs its init script under that name) using
sudo /etc/init.d/dhcp3-server start
Reboot your clients and they should pick up an IP address from the Linux VM and be provided with the new gateway address of 192.168.1.10.
Done.

Conclusion
It looks harder than it is and it’s a bit of messing around. You might decide it’s cheaper and easier to just buy a new router that supports VPN connections. I already had VirtualBox installed and a Linux VM so the whole process only took about an hour or so. It also avoids the need for another box in your setup, and it doesn’t cost anything except your time.
Big thanks for the info in everyone’s articles I read that helped put this together. I’ve linked where possible.

How to Secure IP Binding for Linux

For more info and other scripts regarding IP binding on Linux, please see:

This script allows Secure IP Binding for Linux:

#!/bin/bash

cd "$(dirname "$0")"

if [ "$1" = '-l' ]
then
  # List the available HMA locations.
  curl -s "http://vpn.hidemyass.com/vpnconfig/countries.php"
else
  # Start from an empty ruleset (this also removes any rules set up elsewhere).
  sudo iptables -F

  # Fetch the OpenVPN config for the chosen location (spaces become '+').
  COUNTRY=$(echo "$1" | sed 's/ /+/g')
  curl -s "http://vpn.hidemyass.com/vpnconfig/client_config.php?win=1&loc=$COUNTRY" > client.cfg

  # Allow traffic to and from any HMA server named in the config ("remote a.b.c.d:port").
  for remote in $(awk '/remote [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ { print $2; }' client.cfg)
  do
    REMOTE_IP=$(echo "$remote" | cut -d ':' -f 1)
    sudo iptables -A INPUT -s "$REMOTE_IP" -j ACCEPT
    sudo iptables -A OUTPUT -d "$REMOTE_IP" -j ACCEPT
  done

  # Allow local (private range) traffic.
  sudo iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
  sudo iptables -A INPUT -s 172.16.0.0/12 -j ACCEPT
  sudo iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
  sudo iptables -A OUTPUT -d 10.0.0.0/8 -j ACCEPT
  sudo iptables -A OUTPUT -d 172.16.0.0/12 -j ACCEPT
  sudo iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT

  # Disallow everything else that does not go through a VPN tunnel interface.
  sudo iptables -A INPUT ! -i tun+ -j DROP
  sudo iptables -A OUTPUT ! -o tun+ -j DROP

  # Start the VPN in the background, reading the credentials from client.cred.
  sudo openvpn --config client.cfg --auth-user-pass client.cred --daemon
fi

Note that this script requires a username/password auth-user-pass file called "client.cred" in the working directory of the script.

It should be formatted as follows:
YourUserName
YourPassword

Type "man openvpn" for more information.

How to setup HMA VPN via OpenVPN on Ubuntu with Network Manager

Do this to connect to HMA Pro VPN via OpenVPN on Ubuntu with the help of the integrated network manager:

  • Install network-manager-openvpn-gnome
  • Download the vpn-config.zip ( http://hidemyass.com/vpn-config/vpn-config.zip )
  • Download the linux installer ( https://vpn.hidemyass.com/linux.zip )
  • Create vpn folder (I used ~/vpn)
  • Extract both zip files there
  • Open network-manager (System->Preferences->Network Connections)
  • Go to VPN tab
  • Import the *.ovpn entry for the location you wish to connect
  • Edit the entry and change the "Type" to Password with Certificates (TLS)
  • The gateway and cert/keys should already be populated from the import
  • Add your vpn username and password
  • Apply
  • Use the network icon in the panel to navigate to your VPN entry and connect

Tuesday, April 30, 2013

How to Check and improve your internet connection speed

With Pro VPN the speed of your internet connection should usually not be much lower than normal.
Of course this depends on several factors like server load, distance to the server, the speed of your ISP, etc.
Should your speeds be lower than expected, there are several things you can try to max out your speed:
  • Change protocol (OpenVPN <> PPTP <> L2TP) and test again
  • Switch server (nearest does not necessarily mean fastest!)
  • Try using OpenVPN-UDP with our alternative clients; it's much faster than PPTP or regular OpenVPN. -> UDP
  • Tweak your network settings as explained below

Speedtest

To test your connection speed before and after tweaking anything, you can use e.g. 

Network tweaking

There are numerous ways to tweak your network-, TCP- and browser-settings.
All tools you will need are linked below.

Deactivate Halfopen-Limit (Windows)

First you should deactivate the limit on half-open connections that Windows has. This archive (download) includes several tools for that: TCP-Z, Universal TCP/IP Patch, EvID (LvlLord Patch), TCP Patch.
The goal is to set the limit to 255 or deactivate it completely, depending on your operating system.

Network tweaking with TCP-Optimizer (Windows)

TCP-Optimizer is the best freeware tool for optimizing, tweaking and tuning network settings that normal users don't have access to or know of.
It replaces all known net-tweak apps because of how comprehensive it is. By using the presets (Windows Default, Current, Optimal, Custom) you can easily tweak all settings with one click.

Use the fastest DNS server (all operating systems)

With tools like NameBench or browsermob-dns-perf you can test which DNS server is the fastest for you.
For most people it is Google's Public DNS (8.8.8.8 + 8.8.4.4), but they log your DNS queries.
There are others which are also fast and not from Google.


Tweaking MacOSX

Unfortunately MacOSX does not have as many possible tweaks and networking related settings as Windows does, but still there are some things you can try:

TCP tweaks
  • Start up a terminal window and run the following commands:
    sudo sysctl -w net.inet.tcp.rfc1323=1
    sudo sysctl -w kern.ipc.maxsockbuf=16777216
    sudo sysctl -w net.inet.tcp.sendspace=1048576
    sudo sysctl -w net.inet.tcp.recvspace=1048576

Apple broadband tuner:

Additional:
  • If you have a WLAN connection, change your router's channel and other WLAN related settings to see if you can get a better signal.
    Also, consider using a wired network setup instead of WLAN. It's more secure and always faster.
  • Temporarily disable your firewall to see if this has a significant effect on your connection performance. If it does, check your firewall's settings,
    remove unnecessary rules or consider using different firewall software.

Tweaking Linux

Please note that any of the following suggested modifications may improve performance and stability, or may make them worse.
To know whether a setting has a positive, negative or any effect at all, it's a good idea to keep doing speed tests before and after each change.

  • Modify TCP settings in sysctl.conf:
    Changing TCP settings on Linux is done by adding the corresponding lines at the end of the file /etc/sysctl.conf and then running "sysctl -p" to apply the changes.
    You should make a backup of the file first (e.g. run "cp /etc/sysctl.conf /etc/sysctl.backup").

    net.core.rmem_max = 16777216
    net.core.wmem_max = 16777216
    net.ipv4.tcp_rmem = 4096 87380 16777216
    net.ipv4.tcp_wmem = 4096 65536 16777216
    net.ipv4.tcp_no_metrics_save = 1
    net.ipv4.tcp_congestion_control = htcp
  • To increase TCP throughput, run this (replace eth0 with your network device identifier if different, e.g. wlan0):
    ifconfig eth0 txqueuelen 1000

  • Disable auto-tuning to prevent unwanted behavior:
    sysctl -w net.ipv4.route.flush=1

  • Modify TCP congestion control:
    The sysctl variable net.ipv4.tcp_congestion_control is set to "reno" by default. You can set it to one of the following options:

    reno: Traditional TCP used by almost all other OSes (default)
    bic: BIC-TCP
    highspeed: HighSpeed TCP, Sally Floyd's suggested algorithm
    htcp: Hamilton TCP
    hybla: for satellite links
    scalable: Scalable TCP
    vegas: TCP Vegas
    westwood: optimized for lossy networks

    E.g. run this:
    sysctl -w net.ipv4.tcp_congestion_control=htcp

  • Disable segmentation offload (decreases performance but increases stability):
    ethtool -K eth0 tso off



Additional (all operating systems)

  • Always make sure you have the latest available device drivers for your computer: router firmware, ethernet adapter and motherboard drivers, BIOS update, etc.
    If you have a network device from Realtek, click here. Otherwise check the website of your motherboard/network device manufacturer.
    Updating your operating system is also a good idea; you should regularly check Windows Update.
  • If you're using Firefox, check out the FasterFox add-on. It really improves surfing performance: FasterFox | FasterFox Extra | FasterFox Lite
  • For testing your speeds, try the speed test from above, or download a test file from qsc.de, or download a test torrent: Knoppix Torrent
  • For tweaking uTorrent Advanced Settings there are also several tutorials. None of them are perfect; you have to try each setting patiently until you're satisfied with the results. Check out our article UTorrent for more info.
  • Old routers, or even new routers provided by your internet provider, often run outdated firmware or are poorly manufactured. This can make a difference of multiple megabits, so consider getting a better router!

Unnecessary protocols and services (Windows)
On Windows, you should check the advanced settings of your network adapter in the Windows Network Center:
It often contains unnecessary protocols and services that are slowing down your internet connection without being useful in any way.
Disable, or better uninstall services like:
  • QoS Packet Scheduler
  • Virtualbox / VMware drivers, protocols and services
  • Link-Layer Topology
  • Bluetooth related

Basically you can uninstall everything except
  • Internet Protocol Version 4 (TCP/IPv4)
This is the only thing that's essential for the internet connection to work.
However, should you lose connectivity after changing anything here, you can just reboot your computer and reinstall the removed items again, one by one.

If you have any other network and bandwidth specific tweaks, feel free to let us know :) -> wiki@hmastuff.com
We can also use reports on the results of your speed tweaking, so we know which tweaks to recommend.

How to setup gOpenVPN on Linux

gOpenVPN on Linux step by step

First things first, download the appropriate installation file. You can do so by loading the official gopenvpn web page: http://gopenvpn.sourceforge.net/

Depending on your system, there are RPM and DEB files available. You can also build it from source.
For 64-bit Ubuntu, find the necessary files here instead:

For older systems, a 32-bit DEB file can be found on the official web site. Save the file you need.

Open the DEB archive with your favorite package installer.

Click the Install button:

Provide your root password:

And wait a bit:

Confirm it's installed:

Then, you can locate gopenvpn in the main menu.

If you try running the software at this moment, you will be greeted with the following message:

Don't panic, you will just need to copy any of these configuration files to the /etc/openvpn/ folder:

Extract the content of the .zip archive to /etc/openvpn/ using root privileges
(so that the content of the archive, i.e. the keys, certificates and *.ovpn files, ends up in that folder).

Start gopenvpn again; you will find the icon in the upper right corner. Right-clicking will bring up the menu:

Click on any server from the list and enter your HMA credentials (the same ones that you use to log in to the VPN control panel).
Check "Remember Password", so you don't have to enter it again.

If connected, the icon will turn green:

Congratulations! You're connected and you can start enjoying the service.

How to setup HMA VPN via PPTP on Ubuntu

Instructions

  1. On the bar at the top right, click on the connections icon
  2. Click on modification of connections
  3. Go to the VPN tab
  4. On the right, click Add, then click "PPTP"
  5. OK
  6. Name the connection hma, possibly with the name of the server
  7. Enter the IP address of the PPTP server as "Gateway"
  8. Enter your HMA account username and your PPTP password
    (get the PPTP server IPs and your PPTP password from
    the VPN control panel @ https://vpn.hidemyass.com under "PPTP servers")
  9. Click on "Advanced"
  10. Enable "Use Point-to-Point encryption (MPPE)"
  11. Disable "Allow BSD data compression"
  12. Disable "Allow Deflate data compression"
  13. Disable "Use TCP header compression"
  14. Leave "Send PPP echo packets" disabled
  15. Apply
  16. Apply
  17. Go back to the connection icon
  18. Left click
  19. VPN Connections
  20. Click on your VPN. That's all!


Example video: http://www.youtube.com/embed/YUgSpKFhuqg

Screenshots

1. Configure your VPN:

2. Add new connection:

3. Enter your credentials and the server's IP address (get the PPTP server IPs and your PPTP password from
the VPN control panel @ https://vpn.hidemyass.com under "PPTP servers"):

4. Here you can use custom DNS if you like; I'm using Google Public DNS:

5. Turn all off except MPPE:

Remember, it's important not to tick "Available to all users".

Scheduled IP change for Linux

Would it be possible to start and stop HMA! Pro VPN programmatically via the cronjob or a command line script?

Yes, but not in the default configuration; it requires a bit more work.
The method described here works on all distributions, both on the command line and via GUIs.
The only requirement is the openvpn package. A step-by-step guide follows:

  1. Download the hma-udp-grabber.sh script and save it in some folder. In our example, we have saved it in ~/Desktop
  2. Download and save hma-scheduled-runner.sh. It is just a working example which will help you build your own custom script.
  3. Run the Terminal, type cd ~/Desktop/ and press Enter.
  4. Make it executable: sudo chmod +x hma-udp-grabber.sh
  5. Run it: sudo sh hma-udp-grabber.sh (don't run it via ./hma-udp-grabber.sh - that would not work!)
  6. Click Yes and provide your HMA! credentials when prompted.
  7. Congratulations! The correct .ovpn files are now in place.
  8. In order to test it, run sudo chmod +x hma-scheduled-runner.sh and then sudo sh hma-scheduled-runner.sh
  9. The IP address will start cycling randomly. You may press CTRL + C to stop the loop.
     To check the assigned IP address, you may use our HMA! IP Checker browser extension:
     http://hidemyass.com/software/ip-checker-browser-extension/
  10. Combine the method described above with a clever use of the export display command (export DISPLAY=:0) and some other scripting, and this could easily be converted to a cron job.