OpenPYN NordVPN – Always on Linux VPN

I recently set up OpenPYN NordVPN in my homelab, and I wanted to share how simple it is.

OpenPYN NordVPN – Introduction

If you haven’t played with OpenPYN NordVPN yet, then you can find it in the GitHub repository.

I went with NordVPN because it was recently on sale, and I had heard good things about their service. This isn’t really a post about the best VPN provider or who to choose though.

I wanted to set up a Linux box with an always-on VPN, and programmatically access it if I needed to. This covered my use case, and has worked great so far.

Preparation

First, I set up a new Ubuntu server box.


I went through the entire setup process like normal, and just enabled a few services here and there.


Next, I installed and configured ubuntu-desktop, so that I’d be able to use the UI for applications.

doyler@torrents:~$ sudo apt-get update && sudo apt-get install ubuntu-desktop

Finally, I upgraded all the packages on the system, and installed any necessary patches.

Installation and Configuration

With my OS set up, I installed all the necessary prerequisites.

doyler@torrents:~$ sudo apt install openvpn unzip wget python3-setuptools python3-pip
[sudo] password for doyler:
Reading package lists... Done
Building dependency tree       
Reading state information... Done

Next, I installed the openpyn Python module via pip.

doyler@torrents:~$ sudo python3 -m pip install --upgrade openpyn
The directory '/home/doyler/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/doyler/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting openpyn

When the installation completed, I initialized the script using the --init flag.

doyler@torrents:~$ sudo openpyn --init
Enter your username for NordVPN, i.e [email protected]: [email protected]
Enter the password for NordVPN:
--2018-09-02 20:05:39--  https://downloads.nordcdn.com/configs/archives/servers/ovpn.zip
Resolving downloads.nordcdn.com (downloads.nordcdn.com)... 2400:cb00:2048:1::6812:6d0e, 2400:cb00:2048:1::6812:6e0e, 2400:cb00:2048:1::6812:700e, ...
Connecting to downloads.nordcdn.com (downloads.nordcdn.com)|2400:cb00:2048:1::6812:6d0e|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20352464 (19M) [application/zip]
Saving to: ‘/usr/local/lib/python3.5/dist-packages/openpyn/ovpn.zip’

ovpn.zip            100%[===================>]  19.41M  39.2MB/s    in 0.5s    

2018-09-02 20:05:39 (39.2 MB/s) - ‘/usr/local/lib/python3.5/dist-packages/openpyn/ovpn.zip’ saved [20352464/20352464]


Enter Openpyn options to be stored in systemd service file (/etc/systemd/system/openpyn.service, Default(Just Press Enter) is, uk : us
2018-09-02 20:05:57 [INFO] To see usage options type: "openpyn -h" or "openpyn --help"

Next, I modified the new service file based on the examples from the repository.

doyler@torrents:~$ sudo cat /etc/systemd/system/openpyn.service
[Unit]
Description=NordVPN connection manager
Wants=network-online.target
After=network-online.target
After=multi-user.target
[Service]
Type=simple
User=root
WorkingDirectory=/usr/local/lib/python3.5/dist-packages/openpyn/
ExecStartPre=/bin/sleep 5
ExecStart=/usr/local/bin/openpyn us -f --p2p
ExecStop=/usr/local/bin/openpyn --kill
StandardOutput=syslog
StandardError=syslog
[Install]
WantedBy=multi-user.target

OpenPYN NordVPN – Verification

With my service file created, I restarted the openpyn service.

doyler@torrents:~$ systemctl restart openpyn
doyler@torrents:~$ systemctl status openpyn
● openpyn.service - NordVPN connection manager
   Loaded: loaded (/etc/systemd/system/openpyn.service; disabled; vendor preset:
   Active: active (running) since Sun 2018-09-02 20:08:05 EDT; 2s ago
  Process: 3414 ExecStartPre=/bin/sleep 5 (code=exited, status=0/SUCCESS)
Main PID: 3423 (openpyn)
    Tasks: 3
   Memory: 36.0M
      CPU: 523ms
   CGroup: /system.slice/openpyn.service
           ├─3423 /usr/bin/python3 /usr/local/bin/openpyn us -f --p2p
           ├─3467 ping -n -i .2 -c 3 us1087.nordvpn.com
           └─3468 grep -B 1 min/avg/max/

Sep 02 20:08:05 torrents sudo[3446]: pam_unix(sudo:session): session closed for
Sep 02 20:08:05 torrents sudo[3456]:     root : TTY=unknown ; PWD=/usr/local/lib
Sep 02 20:08:05 torrents sudo[3456]: pam_unix(sudo:session): session opened for
Sep 02 20:08:05 torrents sudo[3456]: pam_unix(sudo:session): session closed for
Sep 02 20:08:05 torrents sudo[3458]:     root : TTY=unknown ; PWD=/usr/local/lib
Sep 02 20:08:05 torrents sudo[3458]: pam_unix(sudo:session): session opened for
Sep 02 20:08:05 torrents sudo[3458]: pam_unix(sudo:session): session closed for
Sep 02 20:08:05 torrents sudo[3460]:     root : TTY=unknown ; PWD=/usr/local/lib
Sep 02 20:08:05 torrents sudo[3460]: pam_unix(sudo:session): session opened for
Sep 02 20:08:05 torrents sudo[3460]: pam_unix(sudo:session): session closed for

When my connection was complete, I verified that the VPN was working by checking my external IP address. As you can see, this is a NordVPN-controlled IP address.

doyler@torrents:~$ curl -4 https://ifconfig.co/ip
192.171.29.107
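
A single address lookup shows where traffic exits right now, but not which interface carries it or whether the service returns after a reboot, and the status output above reports the unit as disabled. The check below is an added example, not part of the original post: it combines all three, and the route line, the 203.0.113.10 baseline address and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. The route line and baseline address are constructed sample
# data; the Loaded: line and the VPN address are the ones shown in the post.

# Interface the kernel picks for a destination, from `ip -4 route get ADDR` output.
route_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Enablement field of the "Loaded:" line in `systemctl status UNIT` output.
unit_boot_state() {
    printf '%s\n' "$1" |
        sed -n 's/^ *Loaded: [^;]*; *\([a-z-]*\);.*/\1/p' | head -n 1
}

# Args: route output, status output, ISP address noted before connecting,
# address reported now. Prints each problem; status 0 only if there are none.
# The body is a subshell, so rc/dev/state stay private and exit sets the status.
vpn_check() (
    rc=0
    dev=$(route_dev "$1")
    state=$(unit_boot_state "$2")
    case "$dev" in
        tun*) ;;
        *) echo "FAIL: egress device is '${dev:-none}', not a tun interface"; rc=1 ;;
    esac
    if [ "$state" != "enabled" ]; then
        echo "FAIL: unit is '${state:-unknown}', so it will not start at boot"; rc=1
    fi
    if [ -z "$4" ] || [ "$4" = "$3" ]; then
        echo "FAIL: public address is empty or still the ISP address"; rc=1
    fi
    exit "$rc"
)

# Live use:
#   vpn_check "$(ip -4 route get 1.1.1.1)" "$(systemctl status openpyn)" \
#       "$ISP_IP" "$(curl -4 -s https://ifconfig.co/ip)"
sample_route='1.1.1.1 via 10.8.0.1 dev tun0 src 10.8.0.6 uid 1000'
sample_status='   Loaded: loaded (/etc/systemd/system/openpyn.service; disabled; vendor preset:'
if vpn_check "$sample_route" "$sample_status" 203.0.113.10 192.171.29.107; then
    echo "always-on VPN checks passed"
else
    echo "fix the items above, e.g. sudo systemctl enable openpyn"
fi
```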

Bonus CIFS Share

With the VPN connection now working, I also installed cifs-utils and created a new directory for my various downloads.

doyler@torrents:~$ sudo apt-get install cifs-utils
[sudo] password for doyler:
Reading package lists... Done
Building dependency tree       

...

doyler@torrents:~$ sudo mkdir /media/torrent

Next, I set up a new mount point in my fstab file to mount my file share as a local directory.

//192.168.5.2/Backup/Torrent /media/torrent cifs credentials=/home/doyler/.smbcredentials,iocharset=utf8,sec=ntlm,vers=2.0 0 0
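
The fstab entry above depends on a credentials file and a sec= setting, both worth checking before running mount -a. This audit is an added example, not part of the original post; the function names are hypothetical, and only the fstab line comes from the page.

```shell
#!/bin/sh
# Added example. Only the fstab line is from the post; names are illustrative.

# Value of KEY in a comma-separated mount option string (empty if absent).
opt_value() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Group/other permission bits of a file as ls shows them, e.g. "r--r--".
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# Arg: one fstab line. Prints findings for a cifs entry; status 0 if clean.
# The body is a subshell, so set -f and the field split do not leak out.
audit_cifs_line() (
    set -f        # no globbing while the line is split into fields
    set -- $1     # $1 share, $2 mount point, $3 type, $4 options
    [ "$3" = "cifs" ] || exit 0
    rc=0
    cred=$(opt_value "$4" credentials)
    sec=$(opt_value "$4" sec)
    if [ -n "$(opt_value "$4" password)" ]; then
        echo "FINDING: password= sits in fstab, which local users can read"; rc=1
    fi
    if [ -n "$cred" ] && [ ! -f "$cred" ]; then
        echo "FINDING: credentials file $cred not found"; rc=1
    elif [ -n "$cred" ] && [ "$(group_other_bits "$cred")" != "------" ]; then
        echo "FINDING: $cred is accessible beyond its owner; chmod 600 it"; rc=1
    fi
    case "$sec" in
        ntlm|ntlmi|lanman)
            echo "FINDING: sec=$sec is legacy LM/NTLMv1 hashing; prefer ntlmssp or krb5"
            rc=1 ;;
    esac
    exit "$rc"
)

post_line='//192.168.5.2/Backup/Torrent /media/torrent cifs credentials=/home/doyler/.smbcredentials,iocharset=utf8,sec=ntlm,vers=2.0 0 0'
audit_cifs_line "$post_line" || echo "review the findings before running mount -a"
```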

Once I mounted everything, my /media/torrent directory was now up and working.

doyler@torrents:~$ sudo mount -a
doyler@torrents:~$ ls -al /media/
total 20
drwxr-xr-x   6 root root 4096 Sep  2 20:52 .
drwxr-xr-x  23 root root 4096 Sep  2 18:51 ..
drwxr-xr-x   2 root root 4096 Sep  2 18:47 cdrom
drwxr-x---+  2 root root 4096 Sep  2 19:55 doyler
lrwxrwxrwx   1 root root    7 Sep  2 18:46 floppy -> floppy0
drwxr-xr-x   2 root root 4096 Sep  2 18:46 floppy0
drwxr-xr-x   2 root root    0 Sep  2 18:52 torrent
doyler@torrents:~$ ls -al /media/torrent/
total 4
drwxr-xr-x 2 root root    0 Sep  2 18:52 .
drwxr-xr-x 6 root root 4096 Sep  2 20:52 ..

I then had to update the openpyn.service file, to allow the requisite SMB ports through the firewall rules.

doyler@torrents:~$ sudo cat /etc/systemd/system/openpyn.service
[Unit]
Description=NordVPN connection manager
Wants=network-online.target
After=network-online.target
After=multi-user.target
[Service]
Type=simple
User=root
WorkingDirectory=/usr/local/lib/python3.5/dist-packages/openpyn/
ExecStartPre=/bin/sleep 5
ExecStart=/usr/local/bin/openpyn us -f --allow 137 138 139 445 --p2p
ExecStop=/usr/local/bin/openpyn --kill
StandardOutput=syslog
StandardError=syslog
[Install]
WantedBy=multi-user.target

OpenPYN NordVPN – Conclusion

This was a fairly simple process, and I’m glad that I finally got it working.

I now have an always-on VPN box for various testing or troubleshooting.

Let me know if you’ve used other solutions, or what you think of this configuration!

4 thoughts on “OpenPYN NordVPN – Always on Linux VPN”

  1. Hi Ray,
    Your setup looks great, and I’ve used openpyn before, but I’m interested
    to get your comments on using this as a VPN gateway so that any user
    who points his/her “gateway=xxx.xxx.xxx.xxx” at the server’s IP address
    can access the VPN tunnel.
