Friday, May 17, 2013

How to set up VPN on Chrome OS

Chrome OS

If you are running Chrome OS (e.g. on a Chromebook or in a virtual machine), follow the steps below to create an L2TP/IPsec or OpenVPN based VPN connection.
Note that if you want to connect purely through the Chrome OS GUI, you have to use L2TP/IPsec. Its pre-shared key is published by the provider (see below), so the key only identifies the service rather than you; your account is authenticated by the username and password sent inside the tunnel.
To use the OpenVPN protocol you have to use the console, which may require putting the device into developer mode. How to do this is explained below.

Setting up a VPN on Chromebook (quick instructions)

To set up a VPN on your Chromebook, follow these quick instructions, or scroll down for the step-by-step tutorial with screenshots.
  1. Click the network icon in the top-right corner of your screen.
  2. In the list that appears, select Private networks.
  3. Click Add private network.
  4. In the box that appears, fill in the information below.
    • Server hostname: One of the L2TP server IPs http://hidemyass.com/vpn/r4662
    • Service name: Name it as you like. Eg: HMA! L2TP.
    • Provider type: Select L2TP/IPsec + Pre-shared key.
    • Pre-shared key: HideMyAss (case sensitive!)
    • Username: Your VPN account username
    • Password: Your PPTP Password. Can be found at http://vpn.hidemyass.com > PPTP Servers > Login Details
  5. Click Connect.

Step by step tutorial with screenshots

  • First, right-click the time bar in the bottom right of your desktop.
  • The settings overview will appear.
  • Here, click "Settings".
We want to create a new private network connection, so
  • select "Add connection" and
  • then select "Add private network...".
The "Add private network" window will appear. Here, please enter:
  • Server hostname: One of the L2TP server IPs http://hidemyass.com/vpn-config/l2tp/
     
  • Service name: Anything you want, e.g. "HMA L2TP VPN"
     
  • Provider type: L2TP/IPsec + pre-shared key
     
  • Pre-shared key: HideMyAss (attention, case sensitive!!)
     
  • Username: Your VPN account username
     
  • Password: Your PPTP password
    (get it from the VPN control panel under "PPTP servers")
Leave everything else at the defaults (as in this screenshot).
Now click "Connect" and Chromium will attempt to connect
to the VPN server you chose.
While Chromium is still connecting, a "connecting" icon is shown next to
the private network connection you just created.
Once the connection has been made, the icon changes to the connected
icon, which means that the connection has been successfully made.

You can now select "Network options..." to get into a status
window of the newly created connection.

Or you can select "Disconnect" here, to disconnect from the VPN again.
This is the "Network options..." window that shows you additional
info about the connection, and allows you to set proxy-settings
(in case you're connected to the internet through a local proxyserver)
You can disconnect here as well.
That's all. To verify your current IP, go to websites like
http://ipaddress.com


Additional notes:

There have been reports of a bug making your VPN experience a bit annoying: about every 5 minutes, it automatically disconnects from your VPN and you can't reconnect unless you log out and in again, or delete your VPN and configure it again.
The Chrome OS developers are aware of this problem and you can keep track of this problem here and here. Star this issue in order to get it fixed earlier.
A workaround for now is opening a terminal (Ctrl+Alt+T) and starting an endless ping using ping google.com. This seems to work fine for affected systems.



OpenVPN on ChromeOS


Connecting via the OpenVPN protocol on Chrome OS is a little bit tricky, because the GUI currently does not accept the certificate and key files the provider supplies.
That means you can't connect using the Chrome OS GUI the way you would with L2TP as explained above.
So you'll have to use a small workaround:

First you need to get into the console mode. On some ChromeOS systems/devices this requires to enable the developer mode first.
How this is done differs from device to device, here's a list with links to instructions: http://www.chromium.org/chromium-os/developer-information-for-chrome-os-devices
General information on how to access console/terminal and other related info can be found at: http://www.chromium.org/chromium-os/poking-around-your-chrome-os-device

There are two ways to get to a shell. Which one you use does not matter.

Option 1: Console mode:
To get into the console mode, try either
  • CTRL+ALT+F2 or
  • CTRL+ALT+RIGHTARROW
You should now be asked for a username and password.
If you didn't change any usernames/passwords of the system before, try:
  • User: chronos   Password: facepunch
  • Other possible usernames and passwords: chronos, chroneos, chrome, chromeos, facepunch
Keep in mind that these are the well-known defaults of developer images: anyone with physical access to the device can log in with them until you set your own password (chromeos-setdevpasswd does this in Chrome OS developer mode). Developer mode also switches off verified boot, so treat the device as less trustworthy than a stock Chromebook while it is enabled.


Option 2: Terminal mode:
To create a new terminal mode window, hit
  • CTRL+ALT+T
You should see this:
crosh>
Here, enter "shell"



You're now logged in as the restricted user chronos.
The next step is to get root access.
Enter: "sudo su"
You should now be asked to select a root password. Make sure to write it down somewhere, in case you forget it!
Now is the time to connect to the VPN.
You'll need the *.ovpn config files of the servers you'd like to connect to. Get them from your provider (the wget example below uses the provider's vpn-config path).
You can of course download them from your normal desktop
and put them into a specific folder where you can find them later.
To leave the console mode, hit CTRL+ALT+F1 or CTRL+ALT+LEFTARROW;
to leave the terminal mode, hit ALT+TAB.
To download a config file from the console/terminal mode, you could enter e.g.
"wget http://hidemyass.com/vpn-config/UDP/Bulgaria.Sofia.UDP.ovpn"
The file is then saved into the folder you're currently in.
Because this download goes over plain HTTP, look at the file before using it: an .ovpn file is a list of openvpn options, and directives such as up, down or route-up make openvpn execute external commands with its own privileges, which here means root. A config from a VPN provider should contain only connection and crypto settings (remote, proto, ca or an inline <ca> block, cipher and so on).

That said, as long as you're in a folder that contains the *.ovpn config files within the console mode,
you can simply connect to the VPN by running:
"openvpn Bulgaria.Sofia.UDP.ovpn"
You'll then get asked for your HMA! Pro VPN username + password (the same that you use to login to the VPN control panel), and the client will connect.
Once the client shows you something like
"Sun Apr 21 07:45:21 2013  Initialization Sequence Completed",
that means you are successfully connected and you can go back to your normal desktop.

To leave the console mode, hit CTRL+ALT+F1 or CTRL+ALT+LEFTARROW
to leave the terminal mode, hit ALT+TAB

To confirm that you are successfully connected, you could e.g. browse to http://ipaddress.com
and verify your IP, ISP and location.

To disconnect from the VPN, go back to console mode (CTRL+ALT+F2 or CTRL+ALT+RIGHTARROW, for terminal mode just ALT+TAB )
and hit CTRL+C.
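As an added example (not from the original article), here is the inspection of a downloaded .ovpn file written as a shell function, together with a way to start openvpn without typing the password into the console each time. The file name Bulgaria.Sofia.UDP.ovpn is the one used in the text; the credentials file /root/hma.auth and the two sample configs inside demo_check_ovpn are constructed for the example and are not provider files.

```shell
#!/bin/sh
# Added example, not part of the original article: sanity-check a downloaded
# .ovpn file before openvpn (running as root) reads it, and start openvpn
# non-interactively. Assumed names: Bulgaria.Sofia.UDP.ovpn from the text,
# and a credentials file /root/hma.auth (hypothetical) holding the username
# on line 1 and the password on line 2.

# openvpn options that make it execute external commands. A config obtained
# over plain HTTP could carry any of these; together with "script-security 2"
# they would run with openvpn's privileges.
RISKY='^[[:space:]]*(up|down|route-up|route-pre-down|ipchange|client-connect|client-disconnect|learn-address|auth-user-pass-verify|tls-verify|script-security)[[:space:]]'

# check_ovpn FILE: return 0 if the config looks safe to hand to openvpn.
check_ovpn() {
    f=$1
    [ -r "$f" ] || { echo "check_ovpn: cannot read $f" >&2; return 1; }
    if ! grep -Eq '^[[:space:]]*remote[[:space:]]+[A-Za-z0-9.-]+' "$f"; then
        echo "check_ovpn: $f has no remote line" >&2; return 1
    fi
    if grep -Eq "$RISKY" "$f"; then
        echo "check_ovpn: $f asks openvpn to run external commands:" >&2
        grep -En "$RISKY" "$f" >&2
        return 1
    fi
    # Without a CA certificate the client cannot verify who it is talking to.
    if ! grep -Eq '^[[:space:]]*(ca[[:space:]]|<ca>)' "$f"; then
        echo "check_ovpn: $f has no ca directive or <ca> block" >&2; return 1
    fi
    return 0
}

# connect_ovpn CONFIG AUTHFILE: check the config, then run openvpn with
# credentials from a root-only file instead of the interactive prompt.
# --auth-nocache drops the password from memory once used;
# --script-security 1 refuses user scripts even if a config asks for them.
connect_ovpn() {
    check_ovpn "$1" || return 1
    if [ "$(stat -c %a "$2")" != "600" ]; then
        echo "connect_ovpn: $2 must be mode 600 (chmod 600 $2)" >&2; return 1
    fi
    openvpn --config "$1" --auth-user-pass "$2" --auth-nocache --script-security 1
}

# Self-test on two constructed configs (sample data, not real provider files).
demo_check_ovpn() {
    d=$(mktemp -d) || return 1
    printf 'client\ndev tun\nproto udp\nremote vpn.example.net 553\n<ca>\n-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n</ca>\nauth-user-pass\n' > "$d/safe.ovpn"
    printf 'client\nremote vpn.example.net 443\nca ca.crt\nscript-security 2\nup /tmp/evil.sh\n' > "$d/bad.ovpn"
    rc=1
    if check_ovpn "$d/safe.ovpn" && ! check_ovpn "$d/bad.ovpn" 2>/dev/null; then
        rc=0
    fi
    rm -rf "$d"
    return $rc
}

demo_check_ovpn && echo "check_ovpn: demo OK"
# Real use: connect_ovpn Bulgaria.Sofia.UDP.ovpn /root/hma.auth
```

The check is deliberately strict: a legitimate provider config has no reason to contain script directives, so any hit is a reason to stop and look rather than something to whitelist. Keeping the password in a mode 600 file is what makes the unattended reconnect possible, and it is no worse than typing it into a root shell whose history is on disk.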

How to use all VPN protocols

HideMyAss offers the following VPN protocols: OpenVPN-TCP (standard), OpenVPN-UDP, PPTP and L2TP.
This article shows how to use each of them on different devices and operating systems.
Especially when experiencing any kind of connection issue, the first thing to do is to try all protocols. Keep in mind that they are not equivalent in security: PPTP is the weakest of the four (its MS-CHAPv2 authentication is known to be breakable), so use it only when nothing else works.

Windows

When using the HMA Pro VPN client software, you can use the protocols OpenVPN-TCP and PPTP.
See the screenshot on the right for how to change between both protocols (marked red):
Should you experience any kind of connection issues, try several servers, and both protocols.
Below are links to articles on how to use the other protocols, and what client applications you can also use.


OpenVPN-TCP:


OpenVPN-UDP:


PPTP:


L2TP:



 

Mac

When using the HMA Pro VPN client software, you can use the protocols OpenVPN-TCP and PPTP.
See the screenshot on the right for how to change between both protocols (marked red):
Should you experience any kind of connection issues, try several servers, and both protocols.
Below are links to articles on how to use the other protocols, and what client applications you can also use.


OpenVPN-TCP:

OpenVPN-UDP:


PPTP:


L2TP:


 

How to Force Mac OS X to automatically reconnect to VPN



Open AppleScript Editor (Applications > Utilities) and paste in this code (replace "VPN_Connection_Name" with the name of your VPN connection):

Then, save the script as an application with the "Stay Open" box checked.
Run it. Now OS X will automatically reconnect if the connection drops for some reason.
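As an added example that is not the AppleScript from the original article, the same reconnect loop can be written as a shell script using the scutil tool that ships with OS X; "VPN_Connection_Name" is the service name as shown in System Preferences, as in the text, and the backoff values are the example's own choice. Note that re-dialling only shortens the gap; during the seconds between the drop and the reconnect, applications still use the normal connection, which is what the IP binding sections later on this page address.

```shell
#!/bin/sh
# Added example, not the AppleScript from the original article: a shell
# watchdog that re-dials a macOS VPN service when it drops, using the
# built-in scutil tool. "VPN_Connection_Name" is the service name as it
# appears in System Preferences > Network, as in the text.
#
# scutil --nc status <service> prints the state on its first line
# (Connected, Connecting, Disconnected, ...); scutil --nc start <service>
# dials it.

# should_reconnect STATE: only redial when the service is fully down;
# redialling while it is still Connecting would interrupt the attempt.
should_reconnect() {
    case "$1" in
        Disconnected) return 0 ;;
        *) return 1 ;;
    esac
}

# next_delay CURRENT: exponential backoff in seconds, capped at 300, so a
# server that is down does not get hammered every few seconds.
next_delay() {
    d=$(( $1 * 2 ))
    [ "$d" -gt 300 ] && d=300
    echo "$d"
}

# watch_vpn SERVICE [POLL_SECONDS]: poll forever; on Disconnected, redial and
# back off until the service reports Connected again.
watch_vpn() {
    name=$1; poll=${2:-10}; delay=$poll
    while :; do
        state=$(scutil --nc status "$name" | head -n 1)
        if should_reconnect "$state"; then
            echo "$(date) '$name' is $state, redialling (next check in ${delay}s)" >&2
            scutil --nc start "$name"
            sleep "$delay"
            delay=$(next_delay "$delay")
        else
            delay=$poll
            sleep "$poll"
        fi
    done
}

# Usage: watch_vpn "VPN_Connection_Name" 10 &
```

Run it from a terminal, or wrap the usage line in a launchd agent if it should start at login; scutil --nc start uses the credentials saved in the keychain for that service, so the password is never in the script.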

How to Use Proxyserver as VPN router alternative

By running a proxy server on a Linux device, you can let multiple devices use your VPN connection without needing a VPN router.
This works on any Linux-based device, e.g. a Raspberry Pi, Linux on Android (e.g. via Linux Deploy) or even a virtual machine.
If you want even more security, prevent fallbacks to your real IP and ensure that your whole system is using the VPN, check this:

Tutorials: Using local PPTP server as VPN router alternative


Advantages:
  • you can even let devices use the VPN that only support proxies
  • you can let an unlimited number of devices use the VPN
  • you can use the VPN from anywhere, even on places where VPN is blocked
  • you don't need a VPN router

Example scenarios of use:
  • Your router does not support VPN: But using a local proxy server on your Linux device, you can just let all your devices connect to the proxy in order to have them protected by HMA Pro VPN.
  • You have devices that do not support VPN, but do support proxies. Now they can be protected by the VPN as well!
  • You don't want to use internet connection sharing or purchase a VPN router to protect all your devices by the VPN.
  • HMA's servers are blocked on a public or on your mobile connection. Using the local proxyserver you can now use the VPN from anywhere, since you are still able to connect to your home IP.



This tutorial is using tinyproxy as proxy server.
Basic Linux knowledge is required though!

Step 1: Install necessary packages


apt-get install wget curl sed tinyproxy openvpn iptables nano


Step 2: Modify /etc/tinyproxy.conf


nano /etc/tinyproxy.conf

Scroll down to this part:

# Allow: Customization of authorization controls. If there are any
# access control keywords then the default action is to DENY. Otherwise,
# the default action is ALLOW.
#
# The order of the controls are important. All incoming connections are
# tested against the controls based on order.
#
Allow 127.0.0.1

Here you can add IPs or subnets that are allowed to use the proxy. As the comment says, as soon as one Allow line exists everything not listed is denied, so keep the list as narrow as you can: every address you allow gets to send traffic through your VPN account.
So if you want to let only client IP 192.168.0.35 use the proxy, add:
Allow 192.168.0.35

If you want to let the whole subnet 192.168.0.x use the proxy (every device on that LAN, guests included), add:
Allow 192.168.0.0/24

Now, scroll down to this part:
# ConnectPort: This is a list of ports allowed by tinyproxy when the
# CONNECT method is used.  To disable the CONNECT method altogether, set
# the value to 0.  If no ConnectPort line is found, all ports are
# allowed (which is not very secure.)
#
# The following two ports are used by SSL.
#
ConnectPort 443
ConnectPort 563

ConnectPort only limits the destination ports that proxy clients may reach with the CONNECT method; it has nothing to do with the port your own OpenVPN session uses, so the tunnel on TCP 443 works regardless of this setting.
If you want clients to be able to CONNECT to any port (for example a torrent client or other non-HTTPS traffic), comment out both lines, so they look like this:
# ConnectPort 443
# ConnectPort 563
Of course you can also remove them. Do not comment out only the 443 line: with 563 left as the sole entry, CONNECT to port 443 (i.e. HTTPS) through the proxy would be refused. If you only want HTTPS through the proxy, leave "ConnectPort 443" in place.

Save the file, exit nano.

Now, enable IP forwarding only if you want to route traffic through this device to reach your entire home network while away. Plain proxying with tinyproxy does not need it, and with forwarding on, the box passes packets between its interfaces for anyone who points a route at it, so leave it off unless you also set up firewall rules for that.
Edit the 'sysctl' file.
nano /etc/sysctl.conf
Find "net.ipv4.ip_forward=1" and uncomment it (or change =0 to =1) to enable forwarding.
Now, execute the following command to apply the change:
sysctl -p

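The two settings edited above are easy to get wrong, and the result is either an open proxy or a proxy that silently refuses HTTPS. As an added example (not part of the original tutorial), the following shell function audits a tinyproxy.conf for exactly those conditions, following the semantics stated in the config's own comments: no Allow line means everyone is accepted, any Allow line means everything else is denied, and a ConnectPort list limits CONNECT to the ports named. The two configs inside demo_audit are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit a tinyproxy.conf
# for the settings that turn it into an open proxy or break HTTPS through it.
# Rules checked follow the comments in the shipped config: with no Allow
# lines every client is accepted; once any Allow exists, everything else is
# denied; if ConnectPort lines exist, CONNECT is limited to those ports.

# active_lines FILE: the config without comments and blank lines.
active_lines() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# audit_tinyproxy_conf FILE: print findings, return 1 if any, 0 if clean.
audit_tinyproxy_conf() {
    f=$1; rc=0
    cfg=$(active_lines "$f")
    if ! printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*Allow[[:space:]]'; then
        echo "FINDING: no Allow line, so tinyproxy accepts clients from any address"
        rc=1
    fi
    if printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*Allow[[:space:]]+0\.0\.0\.0/0'; then
        echo "FINDING: Allow 0.0.0.0/0 makes this an open proxy"
        rc=1
    fi
    ports=$(printf '%s\n' "$cfg" | awk '$1 == "ConnectPort" { print $2 }')
    if [ -n "$ports" ] && ! printf '%s\n' "$ports" | grep -qx 443; then
        echo "FINDING: ConnectPort restricts CONNECT but 443 is not listed, so HTTPS via the proxy fails"
        rc=1
    fi
    if ! printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*Listen[[:space:]]'; then
        echo "NOTE: no Listen line, tinyproxy binds every interface (fine on a LAN, check it before port-forwarding)"
    fi
    return $rc
}

# Demo on two constructed configs (sample data, not real files).
demo_audit() {
    d=$(mktemp -d) || return 1
    # The tutorial's setup: localhost plus one LAN client, CONNECT unrestricted.
    printf 'Port 8888\nAllow 127.0.0.1\nAllow 192.168.0.35\n# ConnectPort 443\n# ConnectPort 563\n' > "$d/good.conf"
    # Only 443 commented out: 563 stays as the sole CONNECT port, no Allow at all.
    printf 'Port 8888\n# ConnectPort 443\nConnectPort 563\n' > "$d/bad.conf"
    rc=1
    if audit_tinyproxy_conf "$d/good.conf" >/dev/null && ! audit_tinyproxy_conf "$d/bad.conf" >/dev/null; then
        rc=0
    fi
    rm -rf "$d"
    return $rc
}

demo_audit && echo "audit: demo OK"
# Real use: audit_tinyproxy_conf /etc/tinyproxy.conf
```

Run it against /etc/tinyproxy.conf after every edit and before any port forwarding; a non-zero exit means at least one FINDING line was printed.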
Step 3: Testing the proxy


Start tinyproxy by running "tinyproxy" (it reads /etc/tinyproxy.conf and goes into the background).

Now get onto your client to test the proxy.
Set it to use the IP of the device where tinyproxy is running, at the standard port 8888.
This is easily done in Windows by opening Internet Explorer's menu:
Tools - Internet Options - Connections - LAN settings
Check: Use a proxy server for your LAN
Address: IP of the device tinyproxy is running on
Port: unless configured otherwise in tinyproxy.conf, it's 8888
Click OK.

Browse to e.g. ipaddress.com
If you get an error page, tinyproxy.conf wasn't properly configured to allow you access.
If you can browse, tinyproxy is working.


Step 4: Connecting to VPN


Now download the HideMyAss OpenVPN connection script:
wget http://hmastuff.com/hma-vpn.sh

This arrives over plain HTTP and will run as root, so open it in nano and read it before the next step, so you know what it does with root rights.

Make it executable:
chmod +x hma-vpn.sh

Connect to the VPN (e.g. "./hma-vpn.sh -p tcp Texas")
When the VPN is connected, go to ipaddress.com on your client computer and check the location again.
It should now show you the location of the VPN server. That's all!
Now you can set any device to use the proxy server, and it will automatically use the VPN connection. Note that only traffic sent to the proxy goes through the VPN; anything the Linux box itself sends outside the tunnel, or any client traffic that bypasses the proxy, still uses your real IP.


Notes



  • If you get any permission denied errors, or can't modify file contents in the editor, make sure you have root access.
    Do so either by first running "su" and then proceeding, or by prefixing each command with "sudo".
  • To use the proxy server from outside your local network, you'll need to create a port forwarding rule on your router
    for the port the proxy server is running on (in this example, TCP port 8888) to the IP of the Linux device.
    Here's a list of tutorials for various routers on how to create port forwarding rules.
    Since you may not always know your external IP, consider using a Dynamic DNS service on it.
    Be aware that tinyproxy as configured here has no authentication: once the port is forwarded, everyone on the internet can reach it, and unless the Allow lines are limited to the exact public IP you will be coming from, you are running an open proxy that lets strangers send traffic through your VPN account. Either add an Allow line for the remote address, or don't forward the port at all and instead reach the proxy through an SSH tunnel to the Linux device (ssh -L 8888:127.0.0.1:8888 user@home), which the existing "Allow 127.0.0.1" line already permits.
  • When running the proxy server on a virtual machine, you will have to use a bridged network setup in your virtualization software,
    so that the device gets its own IP from your network's DHCP server.
  • To prevent non-proxied traffic, you could forbid all traffic that is not coming from / going to the proxy server's IP, e.g. with Windows Firewall or Comodo Firewall.
    For links on how IP binding rules are created, see the article IP Binding
  • Having trouble with this tutorial? Have suggestions, improvements, questions? Feel free to email in at wiki@hmastuff.com
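The tutorial's introduction mentions preventing fallbacks to your real IP, and the notes above mention blocking non-proxied traffic on the clients. The Linux box itself has the same problem: when the OpenVPN session drops, its default route falls back to the real connection and every proxied client leaks through it. As an added example (not part of the original tutorial), the following shell script generates an iptables "kill switch" for the proxy box that allows only the VPN session, the tunnel interface and the LAN out. All values are hypothetical: VPN server 203.0.113.10 on TCP 443 (matching the "-p tcp" mode of the connection script), LAN 192.168.0.0/24, physical interface eth0 and tunnel interface tun0.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: an iptables "kill switch"
# for the Linux proxy box, so that when the OpenVPN session drops the box
# stops talking to the internet over the real connection instead of silently
# falling back to it. Assumed values, all hypothetical: VPN server
# 203.0.113.10 reached on TCP 443, LAN 192.168.0.0/24, physical interface
# eth0, tunnel interface tun0.

# is_ipv4 ADDR: four dotted octets, each 0..255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    ( IFS=.; set -- $1; for o in "$@"; do [ "$o" -le 255 ] || exit 1; done )
}
# is_cidr ADDR/LEN and is_ifname NAME: keep shell metacharacters out of the
# generated commands, since apply_killswitch executes them.
is_cidr() { echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'; }
is_ifname() { case $1 in ''|*[!A-Za-z0-9_.:-]*) return 1 ;; esac; }

# killswitch_rules SERVER PORT LAN_CIDR [WAN_IF] [TUN_IF] [PROTO]
# Prints the iptables commands (one per line) without applying them.
killswitch_rules() {
    server=$1 port=$2 lan=$3 wan_if=${4:-eth0} tun_if=${5:-tun0} proto=${6:-tcp}
    is_ipv4 "$server" || { echo "killswitch_rules: bad server address '$server'" >&2; return 1; }
    case $port in ''|*[!0-9]*) echo "killswitch_rules: bad port '$port'" >&2; return 1 ;; esac
    is_cidr "$lan" || { echo "killswitch_rules: bad LAN '$lan'" >&2; return 1; }
    is_ifname "$wan_if" && is_ifname "$tun_if" || { echo "killswitch_rules: bad interface" >&2; return 1; }
    case $proto in tcp|udp) ;; *) echo "killswitch_rules: proto must be tcp or udp" >&2; return 1 ;; esac
    # Default deny on OUTPUT; allow loopback, replies to LAN clients, the LAN
    # itself, the VPN server on the real interface, and everything via tun0.
    cat <<EOF
iptables -F OUTPUT
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $wan_if -d $lan -j ACCEPT
iptables -A OUTPUT -o $wan_if -p $proto -d $server --dport $port -j ACCEPT
iptables -A OUTPUT -o $tun_if -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix vpn-leak-blocked:
EOF
}

# apply_killswitch: same arguments, but run the commands (needs root).
apply_killswitch() {
    rules=$(killswitch_rules "$@") || return 1
    printf '%s\n' "$rules" | while read -r line; do $line || exit 1; done
}

# undo_killswitch: back to accept-all on OUTPUT.
undo_killswitch() { iptables -P OUTPUT ACCEPT && iptables -F OUTPUT; }

killswitch_rules 203.0.113.10 443 192.168.0.0/24
# Real use (as root): apply_killswitch 203.0.113.10 443 192.168.0.0/24
```

Two things to watch: the LAN rule still lets the box send DNS queries to a resolver on the LAN (typically the home router), which then resolves them via the ISP, so point /etc/resolv.conf at a resolver reached through the tunnel; and the rules flush the existing OUTPUT chain and do not survive a reboot, so run apply_killswitch from the same startup script that launches hma-vpn.sh. Blocked packets show up in the kernel log with the vpn-leak-blocked: prefix, which is the easiest way to confirm the switch is doing its job when the tunnel is down.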

Internet Explorer Proxy configuration

How to make bittorrent only use VPN IP (Static IP without router)

This tutorial uses Comodo Firewall, but we will add any info we find about other firewalls at the bottom. I highly suggest using Comodo Firewall, and it is free. It gives program-specific control over any and all applications.

***This tutorial will work with the OpenVPN (installed) client and PPTP connections for each server once set up!

Download Comodo Firewall here.. http://personalfirewall.comodo.com/

You can choose only to install the firewall during setup if you choose to keep your antivirus.

[Image: java7.png]

Warning! This only works for static IP addresses that are permanent, not dynamic ones or those using public WIFI! This also does not work if you are using a router; in that case you need to use the "universal" tutorial. This only works going directly through the modem. Link: http://forum.hidemyass.com/showthread.php?tid=1462

Step 1:

Open Comodo Firewall and click Firewall, Advanced, then Network Security Policy. It already opens to Application Rules, which is where you will control your bittorrent client. If you haven't already run your client since installing Comodo, do so now to be asked to allow it, and it will be inserted here. Otherwise click Add (top right), then Select (top right, new window) and choose running processes or browse to find it (i.e. program files/utorrent/utorrent.exe).

Step 2:

You will need your real IP to do the following, so go here with the VPN disconnected if you do not know your own IP: http://whatismyipaddress.com/

Right-click bittorrent in the application rule list and choose Add; the 1st rule will be an IN rule, leaving source as ANY, and add your real IP.

[Image: utorrent4.png]

Step 3:

Right-click bittorrent in the application rule list and choose Add; the 2nd rule will be an OUT rule, leaving destination as ANY, and add your real IP.

Step 4:

Note: If you already ran bittorrent and chose allow, then you can just use the allow rule already there and skip this rule, but make sure it's the 3rd rule, underneath the two block rules for your IP.

Right-click bittorrent in the application rule list and choose Add; the 3rd rule will be an ALLOW rule for all other IPs (i.e. the VPN IP). Leaving source and destination as ANY will do this.

[Image: utorrent8.png]

Make sure you keep the two block rules above the allow rule or it will allow your real IP to connect. It should look like this:

[Image: utorrent9.png]

You can move the rules by highlighting one and then clicking move up or down on the right side of the panel.

Now click OK (bottom right)

Done!



Warning! Do not do this to the HMA Pro VPN client, openvpn, DNS (i.e. OpenDNS Updater) and also System and the svchost processes, or you will have problems!!!!! It is best to control the last two using port security. You can read more about that here: http://forum.hidemyass.com/showthread.php?tid=1416




To test, run the VPN and then start a torrent file. Allow it to transfer to assure it's active and choose Trackers to watch the trackers for this.

[Image: utorrent6.png]

Now right-click the HMA tray icon and choose Disconnect, and you will see the transfer slow to a stop and the tracker will show this:

[Image: utorrent1.png]

Note: This is related to the trackers updating, so it will not show refused until it updates and changes to the above, but your real IP will be blocked immediately! You can speed this up to check by stopping and restarting the torrent file, or right-click the torrent and choose Update Tracker.

Note: Doing the reverse, starting the torrent without the VPN connection and then connecting to the VPN, you will see the trackers update to Working.

Check firewall and you will see this..

[Image: utorrent2.png]

Note: This is after VPN is disconnected and this is mainly the DHT (I keep on) trying to find others which uTorrent will continue to do.

This is my active connection in Comodo with 2 popular torrents trying to run disconnected from VPN. My real IP is only connected to the OpenDNS Updater which is correct just as your DNS will update with real IP. I suggest adjusting to use OpenDNS instead of your ISP. To setup go here.. https://store.opendns.com/get/basic

[Image: utorrent10.png]

If it isn't doing this then reread tutorial and start over.

Update: Now follow this link to learn how to quickly apply the same rules to any application in seconds.. http://forum.hidemyass.com/showthread.php?tid=1457

How to make bittorrent only use VPN IP - Universal IP

This tutorial will explain how to make any and all applications only use the VPN IP at all times, and will block any leaks of your real IP using Comodo Firewall. This tutorial is universal for those who have a static IP, a dynamic IP and/or public WIFI IP usage. This tutorial is more cumbersome than the tutorial for static IPs, because specific VPN servers are involved in its setup. If you have a static IP (permanent IP) and are NOT using a router, then follow the instructions here: http://forum.hidemyass.com/showthread.php?tid=1298 I use uTorrent as the example, but you can use any application.

***This tutorial was setup to work originally with OpenVPN (installed client) but the PPTP uses a different range, updated Step 2

[Image: utorrent1b.png]

Download Comodo Firewall here.. http://personalfirewall.comodo.com/

This only works on PC, not Mac!

You can choose only to install the firewall during setup if you choose to keep your antivirus.



Step 1:

Open Comodo Firewall and click Firewall, Advanced, then Network Security Policy. It already opens to Application Rules, which is where you will control your bittorrent client. If you haven't already run your client since installing Comodo Firewall, do so now to be asked to allow it, and it will be inserted here. Otherwise click Add (top right), then Select (top right, new window) and choose running processes or browse to find it (i.e. program files/utorrent/utorrent.exe).


Step 2:

You will need the server's IP range that you use to complete the following. It's very simple. While logged in to the VPN and connected to the server of choice (favorite), go here and find the VPN IP address: http://whatismyipaddress.com/

Now take that VPN IP and write it down; your range will be the first 3 sets of numbers left the same, but the last set will be .1 through .255. Example: the NJ US server will give you 216.155.158.###, so the range would be 216.155.158.1 - 216.155.158.255. Simple!

Update! For PPTP you will need to do the same as above and get the range for the PPTP connection. Example: NJ OpenVPN (installed client) will use 216.155.158.1 - 216.155.158.255, but the PPTP range is 216.155.145.1 - 216.155.145.255. So basically you need to write 2 extra PPTP rules for each server you use, equaling a total of 4 rules per server, and obviously the one block rule.

Find the application you want to control in the Application Rules list and delete its green allow rule.

Right-click the application and choose Add and make the 1st rule "NY IN" (example), leaving source as Any:

[Image: allow2.jpg]


Step 3:

Right click the application and choose Add and make the 2nd rule "NY OUT" (example) leaving the destination as Any..

[Image: allow3.jpg]


Step 4:

Right click the application and choose Add and make the 3rd rule "Block the rest" leaving both source and destination as Any..

[Image: allow5.jpg]


Step 5:

Make sure that the block rule in red is below the allow rules, or it will block every IP including the VPN server. You can move it by highlighting it and then clicking move up or down on the right side of the panel. It should look like this:

[Image: utorrentblockrules.jpg]

Obviously these are the 3 main servers I use, and you can add as many servers as you like. Just log in to the server, get the IP, create the range (i.e. .1 - .255) and keep adding, but most important is that you keep the block rule last.

Click OK (bottom right)

Done!

[Image: java7.png]

Warning! Do not do this to the HMA VPN Pro client application, openvpn, DNS (i.e. OpenDNS Updater) and also System and the svchost processes, or you will have problems!!!!! It is best to control the last two using port security. You can read more about that here: http://forum.hidemyass.com/showthread.php?tid=1416

How to use Windows Firewall for blocking non-VPN traffic - IP binding

How to Always / Only Use VPN Connection and block ISP - Make applications only use VPN Connection.

This tutorial will explain you how to use Windows Firewall to block non-VPN traffic for selected applications, e.g. your torrent client, a browser, download manager, etc.

VPNs are great for added security when using the Internet - but what about when the VPN drops or disconnects? Unfortunately, if you use Windows (any version), any running application (for example, BitTorrent, your browser) will revert to using your ISP connection, exposing your IP address and opening you up to security and privacy issues. This is of particular concern when using a VPN to secure a public wi-fi spot. Windows will not prevent traffic in the event of a disconnect.

There are many guides found online to prevent this using third-party firewalls such as Comodo, or third-party applications such as VPNetMon or VPNCheck (neither of which I know anything about, and cannot speak to their reliability or safety).

This guide will show you how to configure the Windows 7 Firewall to block any specified application (I have used Firefox as an example, but you can pick any application, e.g. uTorrent or your preferred torrent client) from using your ISP connection, and permit it to connect to the Internet using only the VPN connection. Users who are unfamiliar with the basic aspects of the Windows 7 Firewall may wish to consult this guide. Unfortunately, this will not work with the built-in firewall in Windows XP or Vista.

If the method described below does not work for you (or perhaps you don't want to mess with your firewall, or you use Windows XP / 2000 / Vista / Mac OS X), consider using a VPN that offers a client with IP Binding, which will prevent any selected application(s) from accessing the Internet in the event of an unexpected disconnection.

HideMyAss! offers PPTP, L2TP and OpenVPN, and a client that can bind all network traffic to the VPN connection.


Preliminary Considerations:

1. If you use an antivirus program such as avast! that has a Web Shield / Filter that passes HTTP traffic through an antivirus/malware scan, you may want to consider this post.
2. The IPv6 functionality in Windows 7 can also leak IP information - you may wish to disable it - see the guide here.
3. After you complete the steps in this guide, you may want to consider adding a rule to block all traffic that does not match a rule to the Domain profile. See the guide here.
4. If you want to create these rules for one user account, and maintain less strict rules for another user account, please see this post.
5. If you are blocking a torrent application such as uTorrent, you'll want to disable uTP, DHT, UPnP, Local Peer Discovery and IPv6.




Steps:


1. Connect to your VPN as you normally would.


2. Open the Network and Sharing Center: right-click the Internet connection icon in the taskbar and choose "Open Network and Sharing Center" (see below).

3. You should see (at least) two networks listed under "View Your Active Networks": your VPN connection and one called "Network", a.k.a. your ISP connection. Ensure that your VPN is a "Public Network" and your ISP connection is a "Home Network". If you need to change either connection, click it and an option window will appear (see below).
This classification is what makes the rules work: the block rules created later apply to the Domain and Private profiles only, so the physical connection must stay Home/Private (even on public Wi-Fi, where Windows would normally suggest Public) and the VPN adapter must stay Public. If Windows later classifies the physical network as Public, the block no longer applies to it and the application can use the ISP connection again, so re-check this after joining a new network.

4. Go to the Control Panel and click System and Security (see below).

5. In the resulting window, click Windows Firewall (see below).

6. In the Windows Firewall window, click Advanced Settings in the left pane (see below).
Note: You must be logged in as an Administrator to make changes to the firewall settings.

7. You should see a window titled Windows Firewall with Advanced Security. In this window, click Inbound Rules (see below).

8. On the right pane, you will see an option for a New Rule. Click it (see below).

9. In the New Inbound Rule Wizard (which should appear), do the following:

  • Choose Program and click Next.
  • Choose the program you wish to block all traffic to except on the VPN connection, and click Next.
  • Choose Block the Connection.
  • Tick Domain and Private. Make sure Public is left unticked: the VPN adapter sits in the Public profile, which is the only profile on which the application stays allowed.

10. Repeat Step 9 for Outbound Rules.

When all of the above steps are complete, you should test the configuration. Run the application you made the rule for, and check that it works while the VPN is connected. Start a download, and then disconnect from the VPN. If all is configured properly, the download should die immediately, as the firewall will block the application from using your ISP-assigned IP address. If you wish to monitor traffic closely, use TCPView.
Repeat steps 9 and 10 for other applications you want IP binding enabled for, e.g. your browser, download manager, a game, etc.