SSH tunnel or VPN - why not both with a VPS?

Sometimes there is a need to bypass IP geocoding and appear to be somewhere else in the world. There are many articles that talk about doing this to gain access to the BBC iPlayer.

The article openvpn-ubuntu-and-hulu formed the basis of my discoveries.

There are normally two solutions. One is to tunnel your traffic through SSH (secure shell) to a remote server. The other is to use a VPN (virtual private network) to gain access to a server located elsewhere and then access the internet from there (I would recommend strongvpn here, as it is a well-run and professional service and has hosts in the US and the UK).

I made my own solution, using a VPS (virtual private server) to provide me with both! The main objective is that you want the cost to be sensible. I was actually able to find a VPS provider for 5 pounds, which was cheaper than the $15 for strongvpn.

I used a VPS provider with an Ubuntu 8.04 server installation.

There are probably plenty of guides out there on how to configure this with openssh.

This was the first thing I did. I then used PuTTY on my local Windows XP box and set it up to create an SSH tunnel to this box as a dynamic forward, i.e. create a batch file and use this: "putty -D 1060 user@yourvpshost". Then install FoxyProxy in Firefox and route your traffic through port 1060, ensuring it is set up as a SOCKS proxy.

Now, should you surf to a site that uses the geocode information (look at the top right of strongvpn), you should be identified as being in the country location of your VPS.

If it's that easy, why VPN?

There are some services out there that go beyond what your browser is accessing. An example would be Channel 4's video on demand service (4oD), or Channel 4 catchup. This uses a Microsoft component that, through its DRM, determines whether you are in the UK or not. The proxy through the web browser simply isn't enough. Using a VPN would allow you to access 4oD or ITV Player from another country.

The very easy solution is to use strongvpn, but that's not what this article is about. This is about installing OpenVPN on your VPS, which is more technically challenging.

I first followed the guide openvpn ubuntu and hulu and combined it with instructions from running openvpn client on windows to make my client-side configuration.

However I got this error:

Initial error (/var/log/openvpn)
Tue Jan 20 14:07:29 2009 Note: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13)

This article meant I sent a request to my vpn operator to get them to:

If your administrator doesn't know the commands to issue on the HOST using vzctl I'll provide them here:

1) Allow the VPS to use the tun/tap device:
vzctl set <CTID> --devices c:10:200:rw --save

2) Create the device in the VPS:
vzctl exec <CTID> mkdir -p /dev/net
vzctl exec <CTID> mknod /dev/net/tun c 10 200

3) Set proper permissions for /dev/net/tun:
vzctl exec <CTID> chmod 600 /dev/net/tun

Finally, restart the psa-vpn.

The request was actioned within a few hours, and the errno=13 was gone!

I was now able to connect (from my Windows XP client) to my VPN running on my VPS. However, I could not surf the internet.

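I had to set up my firewall rules. I created a script and entered the following:

# Enable IPv4 forwarding (lasts until reboot)
echo 1 > /proc/sys/net/ipv4/ip_forward

# NAT VPN client traffic out of venet0. <vpn-subnet> is a placeholder for the
# subnet your OpenVPN server hands out to clients (the "server" line in its config).
iptables -t nat -A POSTROUTING -s <vpn-subnet> -o venet0 -j SNAT --to xx.xx.xx.xx

iptables -L --line-numbers -v
iptables -I INPUT 1 -p udp -i venet0 --destination-port 1194 -m state --state NEW -j ACCEPT
iptables -I INPUT 2 -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT

sudo iptables -L -t nat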

Where xx.xx.xx.xx is your VPS's exposed IP address. You probably already know it because you've had to log in, but if not, run ifconfig and look for the IP of venet0:0.

Note that this is all running inside a virtual server. Other articles on the net often refer to eth0 and use MASQUERADE, whereas the virtual server uses venet0 and doesn't support MASQUERADE.

Restart OpenVPN with /etc/init.d/openvpn restart and you should be up and running.

If not: after reading the file that was installed in /etc/openvpn/update-resolv-conf, I modified my openvpn config to also include:

up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
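
One way to confirm that the firewall rules from the script above are actually loaded, as an added example that is not part of the original post: it audits iptables-save output for the SNAT, udp/1194 and tun0 rules. The dump is a constructed sample, and the VPN subnet 10.8.0.0/24 and the address 203.0.113.10 (standing in for xx.xx.xx.xx) are assumptions.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for the rules the article's script sets.

# Constructed sample dump. 10.8.0.0/24 (VPN subnet) and 203.0.113.10
# (stand-in for xx.xx.xx.xx) are assumed values, not taken from the article.
SAMPLE_OK='*nat
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source 203.0.113.10
COMMIT
*filter
-A INPUT -i venet0 -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
COMMIT'

# Same dump without the SNAT rule: the "connected but cannot surf" state.
SAMPLE_NO_NAT=$(printf '%s\n' "$SAMPLE_OK" | grep -v -- '-j SNAT')

# has_rule DUMP ERE -> 0 if some line of DUMP matches the extended regex
has_rule() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# audit_rules DUMP SUBNET PUBLIC_IP
# Prints one line per missing rule; exit status is the number missing.
audit_rules() {
    dump=$1
    subnet=$(printf '%s' "$2" | sed 's/\./\\./g')   # make dots literal in the regex
    pubip=$(printf '%s' "$3" | sed 's/\./\\./g')
    missing=0
    has_rule "$dump" "^-A POSTROUTING .*-s $subnet .*-o venet0 .*-j SNAT --to-source $pubip\$" ||
        { echo "missing: SNAT for $2 out venet0"; missing=$((missing + 1)); }
    has_rule "$dump" '^-A INPUT .*-p udp .*--dport 1194 .*-j ACCEPT$' ||
        { echo "missing: INPUT accept for udp/1194"; missing=$((missing + 1)); }
    has_rule "$dump" '^-A FORWARD .*-i tun0 .*-j ACCEPT$' ||
        { echo "missing: FORWARD accept for tun0"; missing=$((missing + 1)); }
    has_rule "$dump" '-j MASQUERADE' &&
        echo "note: MASQUERADE present; the article reports venet0 does not support it"
    return "$missing"
}

audit_rules "$SAMPLE_OK" 10.8.0.0/24 203.0.113.10 && echo "sample: all rules present"
```

On the VPS, pass the live dump as the first argument, i.e. "$(iptables-save)", together with your own VPN subnet and exposed IP address.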