If anyone's ever looking for an even quicker hack, ssh has built-in the ability to act as a SOCKS5 proxy, tunneling your traffic over ssh to whatever remote machine you might have access to:
$ ssh -D 1080 myserver.myhost.net
Then configure Chrome or Firefox or whatever to use a SOCKS5 proxy on localhost, port 1080. (N.B. that this does not tunnel DNS lookups by default.)
The OpenVPN-based route is the way to go for something used regularly, but the above is sometimes super-convenient!
I think the fact that this leaks DNS lookups is really quite key because that gives away a huge amount about what you're looking at over your "vpn", not to mention services like netflix that are pointing you to different responses based upon the source of your dns lookups.
In Firefox you want to go to the about:config page and turn on network.proxy.socks_remote_dns
I believe that Mac OS X does tunnel DNS when you configure the proxy through Control Panel -> Network. I used this when I was in the Army and lived in housing whose internet connections were managed by a crappy ISP that did DNS-based filtering of sites they deemed objectionable.
I'm using the latest stable release of Firefox (34.0.5) and I see a "Remote DNS" checkbox under my SOCKS proxy configuration. Isn't that the same option in the GUI? No about:config tweaks needed?
I would think so, but everyone seems to be giving the about:config business, so maybe I am missing something.
Yes, that is the same option. Toggling the option in the GUI toggles network.proxy.socks_remote_dns in about:config. By default it is still off though.
Nice! I've been using dnsmasq to route my DNS queries and prevent leakage. Didn't realize the network.proxy.socks_remote_dns option existed. Thanks for sharing!
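The DNS-leak point above comes down to which SOCKS5 address type the client sends. The following is an added example, not code from any poster: a minimal SOCKS5 CONNECT client that puts the hostname in the request (ATYP 0x03, what network.proxy.socks_remote_dns turns on) so the ssh -D endpoint resolves it remotely, versus resolving locally first (ATYP 0x01), which is the leak. The proxy address 127.0.0.1:1080 is the one from the thread; example.com is a constructed target.

```python
"""SOCKS5 CONNECT (RFC 1928) client showing where name resolution happens."""
import socket
import struct


def build_connect(host: str, port: int, remote_dns: bool = True) -> bytes:
    """Build the SOCKS5 CONNECT request for host:port.

    remote_dns=True  -> ATYP 0x03: the name travels to the proxy, which
                        resolves it on the far side of the ssh tunnel.
    remote_dns=False -> ATYP 0x01: we resolve locally first, so the lookup
                        goes to the local resolver (the DNS leak).
    """
    if remote_dns:
        name = host.encode("idna")
        addr = b"\x03" + bytes([len(name)]) + name
    else:
        ip = socket.gethostbyname(host)  # local lookup happens here
        addr = b"\x01" + socket.inet_aton(ip)
    return b"\x05\x01\x00" + addr + struct.pack(">H", port)


def parse_reply(reply: bytes) -> int:
    """Return the SOCKS5 reply code from the proxy (0 = succeeded)."""
    if len(reply) < 4 or reply[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    return reply[1]


def socks5_connect(proxy, host: str, port: int, remote_dns: bool = True):
    """Open a TCP stream to host:port through a SOCKS5 proxy such as
    ('127.0.0.1', 1080) created by `ssh -D 1080 myserver.myhost.net`."""
    s = socket.create_connection(proxy)
    s.sendall(b"\x05\x01\x00")  # greeting: version 5, one method, no auth
    if s.recv(2) != b"\x05\x00":
        s.close()
        raise OSError("proxy refused the no-auth method")
    s.sendall(build_connect(host, port, remote_dns))
    rep = s.recv(262)  # header plus the largest possible BND.ADDR
    if parse_reply(rep) != 0:
        s.close()
        raise OSError(f"SOCKS5 CONNECT failed, code {rep[1]}")
    return s
```

Run `ssh -D 1080 myserver.myhost.net` first and then `socks5_connect(("127.0.0.1", 1080), "example.com", 443)` returns a socket whose lookup happened on the remote host; pass `remote_dns=False` to see the local lookup in a resolver log.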
An even better trick is that SSH can actually tunnel level 3 data, via TUN/TAP interfaces (this is effectively how some VPN implementations do it).
See "-w" option
Here are a few guides. This is more involved than just adding the -D option and setting a "proxy" field in some applications but this is more general as well:
SSH does its own flow control, and with HPN-SSH it is much better.
Also, if your connection to the VPN host is quite good, then the TCP-over-TCP issue does not apply as much. The bad cases happen when that connection has packet loss.
Even quicker still is to use sshuttle; it automatically transparently tunnels all of your traffic through an SSH connection, without having to change any proxy settings.
Agreed, I set myself up an OpenVPN server on digitalocean without too much of a hassle. The easy-rsa utilities make the whole process quite simple. It has frankly been a life saver for me, as it allows me to bypass all restrictions imposed where I live (Oman).
Ah yes, ssh tunneling. The high school IT initiate's go-to method to dodge the web filter. It really can be an elegant solution when you don't have the patience to rev up OpenVPN for real.
You could configure a transparent proxy with Privoxy set to use a custom DNS server with dnsmasq, and FoxyProxy to configure Firefox to use that to forward DNS requests through your proxy.
The disadvantage of this over a shared VPN that doesn't keep logs is that there's now a unique IP address that can be tied back to you. A cool feature for a VPS would be to have a shared IP address between a bunch of customers.
I was going to comment with this. I have a VPS and have thought about running a VPN from there. This would protect me from a whole lot of man-in-the-middle attacks as well as preventing ISPs from snooping on my traffic.
However, another big advantage of a VPN for me is anonymity, not directly giving the site information on who you are. If you were to set this up and use it just for you, it's not unthinkable that government organisations like the NSA in America and the AIVD in my home country of the Netherlands could identify you pretty easily.
For that I use Private Internet Access[1] right now, they claim to have patched a lot of the important software to have no logging, so they can't keep them. They also share IP addresses between customers which means the IP address is not a form of identification anymore. Their site looks like shit, I agree, but the service is pretty great.
Some VPS providers _do_ provide a shared IPv4 address, as a way to reduce their costs. A set number (e.g. 20) of ports are forwarded to the VPS's internal IPv4 address.
Any VPS which provides 'only' IPv6 will typically support outbound IPv4 via NAT, with that IPv4 address being shared between all customers on the same node.
I suppose you could always come up with some script that recreates the whole VPS and thus get a new IP address... but that makes it overly complicated for most people.
"Streisand sets up a new server running L2TP/IPsec, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge. It also generates custom configuration instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists."
Back when I tried SoftEther several months back, by way of VPN Gate, the connections seemed pretty unreliable compared to OpenVPN. I think the VPN Gate software locked down the options in SoftEther, though. Packet loss affected gaming and video streaming in particular. Casual web browsing was OK.
If you are talking about VPNGate, the public VPN gateways, VPNGate can be a mixed bag. As far as I know, those connections are maintained by varying network environments; some are probably better than others.
I use SoftEther server/client for LAN access for work and home, and it works decently well. (The only thing is that features like compression and certificate-based authentication only work over the SoftEther client, although support for certificate auth for other protocols is on its roadmap.)
I use Debian + UFW + OpenVPN + Digitalocean for my US Netflix needs. I get 10Mbit downstream and 20Mbit upstream from NY3 to my 60/60 fiber connection here in Zurich.
I could also configure it to use DNS only, but open DNS servers are not so welcome at the moment. Since I do quite a bit of roaming it's easiest to just configure OpenVPN.
If anyone is interested, here's a script that will install openvpn on a raspberry pi in one command[1].
I use it along with the openvpn ios app on my phone when I'm on corporate wifi, or I connect to it with my laptop any time I'm in a coffee shop. Just note it's meant to tunnel traffic to a "safe" network, not anonymize you on the internet.
I've been considering running all my mobile data through a VPN for better security, and saving all of it so I can analyze anything after the fact. Anyone doing anything like this?
I am often dependent on a high-latency GPRS link, and the overhead of establishing a tunnel using OpenVPN or SSH (e.g. sshuttle) is prohibitive. OpenVPN is very likely to timeout before it can negotiate a TLS session. This is one of the major reasons why I wrote my own VPN software[1] using NaCl. Deterministic public-key encryption means that there is no negotiation required at startup. The tunnel is therefore ready to use as soon as the program is started. To me, that's the difference between a usable connection and nothing at all.
OpenVPN has a tuneable keepalive interval. I think the default is 10 seconds, which is not so good for battery. But if you set it to 10 minutes, that would be fine.
(I bet the roaming between wifi and cellular data could be a problem, though.)
By far the fastest and easiest setup I've done of a VPN was with Pritunl, an open source and OpenVPN compatible VPN server that has installable packages for the big distros. It has a great web based admin interface for managing the server as well.
These days there's a working OpenVPN client for Android but there were times when IPsec[1] VPN was the only good way to connect many different clients like Windows, Mac OS and iPhone to your VPN server.
Which is why I had to mention IPsec VPN and link to a good article on how to manage it on OpenBSD.
Why go through all those hoops when there are plenty of open source VPNs installed with one line? e.g. https://github.com/sockeye44/instavpn <- works with Mac, iOS, Android etc.
What I really want to do is set up something like the "UnblockUs" proxy servers, where it's all done through DNS or something similar. The key reason is for Netflix access here in Australia, through my Apple TV. Ideally it'd be at my router level, to require no config on the boxes themselves, and be able to have a filter list where certain hosts on that list are proxied and others aren't.
Last time I checked there were some nascent projects to do this in a FOSS way, but they weren't complete and most seemed abandoned. Any ideas?
Please everyone keep in mind that if you're using a tutorial to set this up you're probably not an expert, so in the future you could suffer security issues (inherent to any service) without even knowing.
That's why I pay for services, not because I can't follow a tutorial to set them up :)