Simple VPN implementation for FossaPup

Post by OscarTalks »

Treat as experimental and use at your own risk, but I have been using it regularly for a long time without any observed problems in my everyday Pups. I have assembled a version of my Simple VPN implementation which I named "vpn-onoff". It is based around openvpn-2.4.10 compiled from source in FossaPup, with a dedicated yad for the tray icon also compiled from source. Thanks to jafadmin for the netinfo.yad script.

After installing the PET, usage is Menu > Network > VPN-Start to connect to VPN and Menu > Network > VPN-Stop to disconnect (or use the tray icon right-click).
Connection and disconnection take some time: wait, observe the notifications, then click OK in the dialog at the end of the process.

At the time of posting, this should connect to the free VPN service "cryptofree" by cryptostorm.is without needing any configuration. This service has no data limit, but the speed is restricted to some degree.

Beyond that, setting up VPN clients requires some configuration by the user. This is done inside the directory /etc/vpn-onoff using ROX, JWM and Geany as you would normally do with files in Puppy. See the README. There are some configuration files for vpnbook.com and FreeVPN.me which are 2 other free VPN services, but you need to switch the symlink and add in username and password. Other VPN services (free and paid-for) can be added if you are able to follow the instructions of the providers regarding openvpn configuration.

Attachments
vpn-onoff-0.4.0-x86_64-fossa.pet
(349.54 KiB) Downloaded 341 times

Re: Simple VPN implementation for FossaPup

Post by allendiggity »

Thanks. For those who want to try Wireguard, I compiled a kernel: https://www.forum.puppylinux.com/viewto ... 146&t=1004


Re: Simple VPN implementation for FossaPup

Post by mow9902 »

I posted this a year ago - and use it myself continuously.
Works fine on fossapup.

viewtopic.php?f=89&t=818


Re: Simple VPN implementation for FossaPup

Post by joet12345 »

Is this compatible with stubby?

I have stubby DoT listening on 127.0.0.1 port 53 and your VPN app seems to be working fine along with stubby. If I go to https://whatismyipaddress.com/ I can see that my IP is different but I don't understand how stubby is working still? Is it encrypting DNS over the VPN?

Or is stubby lowering the performance of the VPN? I guess I am just wondering if there is conflict or not... :?: thanks

In a terminal when I do

Code:

nslookup google.com

The proxy is 127.0.0.1 on port 53 which means stubby is active while at the same time your VPN app is running and working too...


Re: Simple VPN implementation for FossaPup

Post by OscarTalks »

I have never tried to use stubby so I don't know the answer to be honest. All I can tell you is that the VPN-Start function takes a backup of your existing DNS settings and then changes the DNS to Cloudflare. This is considered a reputable service and it eliminates DNS leaks (which often happen because DNS look-ups get sent to your Internet Service Provider). The VPN-Stop function restores your original settings when you exit VPN. I guess that if stubby is then making modifications to DNS it will depend on exactly how and when those modifications are carried out. Try using https://dnsleaktest.com/ to see if that confirms what is happening with DNS in your scenario.


Re: Simple VPN implementation for FossaPup

Post by joet12345 »

I went to the dnsleak test site and it shows it is using stubby DNS... In other words, not Cloudflare.

I've been using it for a while and everything seems to be working fine meaning with your VPN app and Stubby - nice! :thumbup: Never thought one could encrypt DNS inside a VPN network :lol:


Re: Simple VPN implementation for FossaPup

Post by festus »

This is working very well on fossapup64.

Thank you, Oscar, for this contribution.


Re: Simple VPN implementation for FossaPup

Post by kylerickards »

Hi

I've just found this and am having massive trouble in that I don't understand how to get it working. Normally I switch between Linux Mint and my VPN which I understand and works but I thought I would try using my VPN on my SD card installation of Puppy (bionicpup64 version 8.0). I have tried openvpn and not had much joy and I found this tool.

If I try the default settings and wait 30 seconds I am just connected to regular ISP after that period and I have gone through the instructions and I don't understand what I am changing and where to put my credentials in to use my paid for service - is anyone able to help or point me to something that would help?

Thank you.


Re: Simple VPN implementation for FossaPup

Post by OscarTalks »

The one posted in this thread was compiled in FossaPup so there is a strong chance it won't work in BionicPup64.
There is one compiled in BionicPup64 which you can try. It has a slightly earlier version of openvpn if I recall correctly, but it should still work.
http://smokey01.com/OscarTalks/vpn-onof ... bionic.pet


Re: Simple VPN implementation for FossaPup

Post by kylerickards »

Hi Oscar

Thank you - that works first time :)

Is it easy for me to set my paid-for VPN up with this system or am I likely to get stuck? I'm not that confident at doing things in Puppy if I am honest.


Re: Simple VPN implementation for FossaPup

Post by OscarTalks »

You will need an .ovpn configuration file for the chosen server of your VPN provider. Many providers offer easy ways of downloading these. You will need to edit this file, at least the line pointing to the passfile. This should read auth-user-pass /etc/vpn-onoff/vpnpass
Then edit the vpnpass file, putting your username on the first line and your password on the second line. (Beware, some providers code your login details into something else, in which case you might need to dig deeper).
Then delete the vpnconfig symlink and create a new one with the same name (vpnconfig), but linking to your .ovpn config file which you have placed in the /etc/vpn-onoff directory.
Then test it and see if it connects. If the provider supports openvpn and all the details are correct, there is a good chance it will, but no guarantees.
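
The steps above as a script, added here as an example; it is not part of the original post or of vpn-onoff. The function name `install_profile` is hypothetical, the directory and the `vpnpass` and `vpnconfig` names are the ones given in the post, the password is read from standard input, and the passfile is made readable by its owner only.

```shell
#!/bin/sh
# Added example, not part of vpn-onoff: the edit / passfile / symlink steps as
# one function. The password is read from stdin so it never appears in the
# process list. Pass another directory as the third argument to rehearse.

install_profile() {
    # usage: install_profile <provider.ovpn> <username> [vpn_dir] < password
    src=$1 user=$2 dir=${3:-/etc/vpn-onoff}
    [ -f "$src" ] || { echo "no such config: $src" >&2; return 1; }
    IFS= read -r pass || [ -n "$pass" ] || { echo "no password on stdin" >&2; return 1; }
    name=$(basename "$src")

    # Step 1: copy the config with exactly one auth-user-pass line that points
    # at the passfile. CRLF endings are normalised; commented-out lines are kept.
    awk -v want="auth-user-pass $dir/vpnpass" '
        { sub(/\r$/, "") }
        /^[ \t]*auth-user-pass([ \t]|$)/ { if (!seen) print want; seen = 1; next }
        { print }
        END { if (!seen) print want }' "$src" > "$dir/$name.new" || return 1
    mv "$dir/$name.new" "$dir/$name"

    # Step 2: username on line 1, password on line 2, readable by owner only.
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$dir/vpnpass" )
    chmod 600 "$dir/vpnpass"

    # Step 3: replace the vpnconfig symlink so it points at the new config.
    rm -f "$dir/vpnconfig"
    ln -s "$name" "$dir/vpnconfig"
}

# Rehearsal on constructed input (nothing under /etc is touched): sh <this file> demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    printf 'client\r\nremote vpn.example.invalid 443\r\nauth-user-pass\r\n' > "$d/provider.ovpn"
    printf 'constructed-password\n' | install_profile "$d/provider.ovpn" constructed-user "$d"
    ls -l "$d"
    cat "$d/provider.ovpn"
fi
```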


Re: Simple VPN implementation for FossaPup

Post by mikeslr »

Hi kylerickards,

You may be able to use 666philb's instructions here, viewtopic.php?p=7747#p7747 as a guide. IIRC, I followed them under Bionicpup64.

This thread could also be helpful. https://oldforum.puppylinux.com/viewtop ... 7#p1026517

But, if you need further guidance start a thread under the Bionicpup64 or User Section.


Re: Simple VPN implementation for FossaPup

Post by kylerickards »

Thank you both.

I managed to follow the steps, more than I thought I would be able to, but it didn't work. I am not used to symlinking things so that's something I have learned. I was confused because I didn't have to put my certificate details in anywhere, just the username and password. I will start a new thread as you suggest but for now I will have to try and reverse what I have done for now so at least it works for me.

Thank you again

EDIT: I've just noticed, my .ovpn file has much less in it than the ones in the default folder?

Code:

client
dev tun
proto udp
remote tpe-c02.ipvanish.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
ca ca.ipvanish.com.crt
verify-x509-name tpe-c02.ipvanish.com name
auth-user-pass /etc/vpn-onoff/vpnpass
comp-lzo
verb 3
auth SHA256
cipher AES-256-CBC
keysize 256
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA

Re: Simple VPN implementation for FossaPup

Post by OscarTalks »

Often the certificate details are all included in the .ovpn file, but they can be in a separate file with the path or name defined in the .ovpn file. This seems to be the case here, so if you can find the certificate file you still might be able to get it going. Note the line ca ca.ipvanish.com.crt, but I am not sure of the exact configuration method as I have never needed to do this, so you may have to experiment a bit.
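
An added example (not from the thread or from vpn-onoff) for the situation described above: it lists the files an .ovpn refers to, resolves relative names such as the one in `ca ca.ipvanish.com.crt` against the config's own directory, and reports any that are missing or, for keys and passfiles, accessible to other users. `check_ovpn_files` is a hypothetical name, paths are assumed to contain no spaces, and resolving against the config directory assumes openvpn is started from that directory; an absolute path in the `ca` line removes that assumption.

```shell
#!/bin/sh
# Added example: check every file an OpenVPN client config points at.
# Prints one finding per file and returns 1 if anything needs attention.

check_ovpn_files() {
    # usage: check_ovpn_files <config.ovpn>
    conf=$1
    base=$(cd "$(dirname "$conf")" && pwd) || return 2
    rc=0
    # Pull "<directive> <path>" pairs. Lines commented out with ';' or '#'
    # never match, and a bare "auth-user-pass" (prompt for login) has no path.
    refs=$(awk '{ sub(/\r$/, "") }
        $1 ~ /^(ca|cert|key|tls-auth|tls-crypt|auth-user-pass)$/ && NF >= 2 {
            p = $2; gsub(/"/, "", p); print $1, p
        }' "$conf")
    while read -r opt path; do
        [ -n "$opt" ] || continue
        case $path in
            /*) full=$path ;;          # absolute: used as written
            *)  full=$base/$path ;;    # relative: assumed next to the config
        esac
        if [ ! -r "$full" ]; then
            echo "MISSING $opt $full"; rc=1
        elif [ "$opt" != ca ] && [ "$opt" != cert ] &&
             [ "$(ls -lL "$full" | cut -c5-10)" != "------" ]; then
            # Secrets (keys, passfiles) should carry no group/other permission bits.
            echo "LOOSE-PERMS $opt $full"; rc=1
        else
            echo "OK $opt $full"
        fi
    done <<EOF
$refs
EOF
    return $rc
}

# Rehearsal on constructed input: sh <this file> demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    printf 'client\nca ca.example.crt\nauth-user-pass %s/vpnpass\n' "$d" > "$d/constructed.ovpn"
    printf 'user\npass\n' > "$d/vpnpass"; chmod 644 "$d/vpnpass"
    check_ovpn_files "$d/constructed.ovpn" || echo "fix the findings above, then retry"
fi
```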


Re: Simple VPN implementation for FossaPup

Post by kylerickards »

Thanks Oscar, I have my certificate file along with a huge list of all the other locations I can link to, I am not sure where I would specify the certificate though?


Re: Simple VPN implementation for FossaPup

Post by joet12345 »

OscarTalks wrote: Sat Apr 10, 2021 12:30 pm

Is there a way to edit a file to change the default Cloudflare DNS? :?:

I am trying to make it work on Fatdog64. I have it running and working except I cannot change the default DNS so I am thinking if I can edit the default DNS to one of my own?


Re: Simple VPN implementation for FossaPup

Post by OscarTalks »

You can change the DNS from Cloudflare to something else if you wish. In /usr/bin/vpn-start line 23 change the numbers 1.1.1.1 and 1.0.0.1 to the nameserver numbers of your desired DNS provider.


Re: Simple VPN implementation for FossaPup

Post by joet12345 »

OscarTalks wrote: Mon Jun 07, 2021 11:08 pm

That worked thanks :thumbup:

By the way, in fatdog64, I installed this fossa version VPN but the openVPN did not install/work... so I just installed openvpn from the package manager and then it worked :)


Re: Simple VPN implementation for FossaPup

Post by miltonx »

Thank you, OscarTalks!
I never expected such a small package to work so well and so easily with just a single click!

On the other hand, I'm quite surprised that after turning on the vpn, my chrome browser and terminal instantly get connected through the vpn. I always thought that, on linux, I have to set the proxy config on browser or terminal to route their traffic through the vpn app. Why does vpn-onoff work instantly on my browser, terminal and maybe other apps?

Is there any alternative option for me to set the browser's proxy address to route through this vpn (so that I can config bypassing url hosts)?


Re: Simple VPN implementation for FossaPup

Post by OscarTalks »

Hello miltonx,
Yes, when you click VPN-Start it switches your internet connection so that traffic goes through the VPN server system-wide. This is an advantage over browsers such as Opera which offer a VPN connection (only for the browser) because other applications (such as torrent clients and media players) are all connected to the internet via the VPN. If I understand your question correctly, I'm afraid I don't know of any way to use a browser's proxy settings to route through a VPN server, because this requires the additional VPN client software (as contained within vpn-onoff) to handle the encrypted tunnel connection between you and the VPN server.


Re: Simple VPN implementation for FossaPup

Post by Sepp1945 »

Dear OscarTalks,
I would like to use your VPNonoff to add to my client fossapup for logging in to my company server.
So it would require that the username is not added by the file, but it is asked for in a popup.
Can this be done?
This is the conf file from our company VPN server.

Many thanks

Sepp

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 6e7c8r9.sg 1194

# Allow remote peer to change its IP address and/or port number
float

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Comment out user and group if you wish to increase security. Be advised you
# can experience some issues when reconnecting
# user nobody
# the group option may be wrong for some distributions
# normally distributions use either 'nobody' (Fedora) or 'nogroup'
# for the no-privileges group name
# group nogroup

# Try to preserve some state across restarts.
persist-key
persist-tun

# Write the PID file for compatibility with Ubuntu init.d script

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca "cacert.pem"
cert "134C32140A6E1E5A.pem"
key "mercury.pem"

# Verify server certificate by common name
verify-x509-name vpn-mercuryvpn name

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-256-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Explicitly notify disconnections
explicit-exit-notify 3

# Silence repeating messages
;mute 20

## Custom configuration
auth-user-pass


Re: Simple VPN implementation for FossaPup

Post by OscarTalks »

Sepp1945 wrote: Mon Sep 25, 2023 7:34 am

I would like to use your VPNonoff to add to my client fossapup for logging in to my company server.
So it would require that the username is not added by the file, but it is asked for in a popup.
Can this be done?

I may not be able to answer this as I am not in a position to make a test connection to the company VPN server.
Some questions and observations though:-

Where is the popup originating from and what program displays it?

The line "dev tap" in the conf file would usually be "dev tun" or sometimes with a number like "dev tun1"

Normally it would be essential in the conf file to edit the line "auth-user-pass" by providing the path to the passfile which contains login credentials:-
auth-user-pass /etc/vpn-onoff/vpnpass
Or you could add a custom passfile only for your server with a different name and change that path accordingly

If the vpn-onoff program is installed (it contains a build of openvpn) you could try running in terminal to see if the output gives any clues, so if the conf file is named "conf.ovpn" try the command:-
openvpn --config /path/to/conf.ovpn
It may be that the server is using some sort of login and authorisation system which my little program does not support, or it may be possible to extract the correct information and place it in the vpnpass file (as you can do with protonvpn for example) but without further information I can't say for sure.
