I recently set up OpenPYN NordVPN in my homelab, and I wanted to share how simple it is.
OpenPYN NordVPN – Introduction
If you haven’t played with OpenPYN NordVPN yet, then you can find it in the GitHub repository.
I went with NordVPN because it was recently on sale, and I had heard good things about their service. This isn’t really a post about the best VPN provider or who to choose though.
I wanted to set up a Linux box with an always-on VPN, and programmatically access it if I needed to. This covered my use case, and has worked great so far.
Preparation
First, I set up a new Ubuntu server box.
I went through the entire setup process like normal, and just enabled a few services here and there.
Next, I installed and configured ubuntu-desktop, so that I’d be able to use the UI for applications.
doyler@torrents:~$ sudo apt-get update && sudo apt-get install ubuntu-desktop
Finally, I upgraded all the packages on the system, and installed any necessary patches.
Installation and Configuration
With my OS setup, I installed all the necessary prerequisites.
doyler@torrents:~$ sudo apt install openvpn unzip wget python3-setuptools python3-pip
[sudo] password for doyler:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Next, I installed the openpyn Python module via pip.
doyler@torrents:~$ sudo python3 -m pip install --upgrade openpyn
The directory '/home/doyler/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/doyler/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting openpyn
When the installation completed, I initialized the script using the --init flag.
doyler@torrents:~$ sudo openpyn --init
Enter your username for NordVPN, i.e youremail@yourmail.com: testaccount@doyler.net
Enter the password for NordVPN:
--2018-09-02 20:05:39--  https://downloads.nordcdn.com/configs/archives/servers/ovpn.zip
Resolving downloads.nordcdn.com (downloads.nordcdn.com)... 2400:cb00:2048:1::6812:6d0e, 2400:cb00:2048:1::6812:6e0e, 2400:cb00:2048:1::6812:700e, ...
Connecting to downloads.nordcdn.com (downloads.nordcdn.com)|2400:cb00:2048:1::6812:6d0e|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20352464 (19M) [application/zip]
Saving to: ‘/usr/local/lib/python3.5/dist-packages/openpyn/ovpn.zip’

ovpn.zip            100%[===================>]  19.41M  39.2MB/s    in 0.5s

2018-09-02 20:05:39 (39.2 MB/s) - ‘/usr/local/lib/python3.5/dist-packages/openpyn/ovpn.zip’ saved [20352464/20352464]

Enter Openpyn options to be stored in systemd service file (/etc/systemd/system/openpyn.service, Default(Just Press Enter) is, uk : us
2018-09-02 20:05:57 [INFO] To see usage options type: "openpyn -h" or "openpyn --help"
Next, I modified the new service file based on the examples from the repository.
doyler@torrents:~$ sudo cat /etc/systemd/system/openpyn.service
[Unit]
Description=NordVPN connection manager
Wants=network-online.target
After=network-online.target
After=multi-user.target

[Service]
Type=simple
User=root
WorkingDirectory=/usr/local/lib/python3.5/dist-packages/openpyn/
ExecStartPre=/bin/sleep 5
ExecStart=/usr/local/bin/openpyn us -f --p2p
ExecStop=/usr/local/bin/openpyn --kill
StandardOutput=syslog
StandardError=syslog

[Install]
WantedBy=multi-user.target
OpenPYN NordVPN – Verification
With my service file created, I restarted the openpyn service.
doyler@torrents:~$ systemctl restart openpyn
doyler@torrents:~$ systemctl status openpyn
● openpyn.service - NordVPN connection manager
   Loaded: loaded (/etc/systemd/system/openpyn.service; disabled; vendor preset:
   Active: active (running) since Sun 2018-09-02 20:08:05 EDT; 2s ago
  Process: 3414 ExecStartPre=/bin/sleep 5 (code=exited, status=0/SUCCESS)
 Main PID: 3423 (openpyn)
    Tasks: 3
   Memory: 36.0M
      CPU: 523ms
   CGroup: /system.slice/openpyn.service
           ├─3423 /usr/bin/python3 /usr/local/bin/openpyn us -f --p2p
           ├─3467 ping -n -i .2 -c 3 us1087.nordvpn.com
           └─3468 grep -B 1 min/avg/max/

Sep 02 20:08:05 torrents sudo[3446]: pam_unix(sudo:session): session closed for
Sep 02 20:08:05 torrents sudo[3456]:     root : TTY=unknown ; PWD=/usr/local/lib
Sep 02 20:08:05 torrents sudo[3456]: pam_unix(sudo:session): session opened for
Sep 02 20:08:05 torrents sudo[3456]: pam_unix(sudo:session): session closed for
Sep 02 20:08:05 torrents sudo[3458]:     root : TTY=unknown ; PWD=/usr/local/lib
Sep 02 20:08:05 torrents sudo[3458]: pam_unix(sudo:session): session opened for
Sep 02 20:08:05 torrents sudo[3458]: pam_unix(sudo:session): session closed for
Sep 02 20:08:05 torrents sudo[3460]:     root : TTY=unknown ; PWD=/usr/local/lib
Sep 02 20:08:05 torrents sudo[3460]: pam_unix(sudo:session): session opened for
Sep 02 20:08:05 torrents sudo[3460]: pam_unix(sudo:session): session closed for
When my connection was complete, I verified that the VPN was working by checking my external IP address. As you can see, this is a NordVPN controlled IP address.
doyler@torrents:~$ curl -4 https://ifconfig.co/ip
192.171.29.107
Bonus CIFS Share
With the VPN connection now working, I also installed cifs-utils and created a new directory for my various downloads.
doyler@torrents:~$ sudo apt-get install cifs-utils
[sudo] password for doyler:
Reading package lists... Done
Building dependency tree
...
doyler@torrents:~$ sudo mkdir /media/torrent
Next, I set up a new mount point in my fstab file to mount my file share as a local directory.
//192.168.5.2/Backup/Torrent /media/torrent cifs credentials=/home/doyler/.smbcredentials,iocharset=utf8,sec=ntlm,vers=2.0 0 0
Once I mounted everything, my /media/torrent directory was now up and working.
doyler@torrents:~$ sudo mount -a
doyler@torrents:~$ ls -al /media/
total 20
drwxr-xr-x   6 root root 4096 Sep  2 20:52 .
drwxr-xr-x  23 root root 4096 Sep  2 18:51 ..
drwxr-xr-x   2 root root 4096 Sep  2 18:47 cdrom
drwxr-x---+  2 root root 4096 Sep  2 19:55 doyler
lrwxrwxrwx   1 root root    7 Sep  2 18:46 floppy -> floppy0
drwxr-xr-x   2 root root 4096 Sep  2 18:46 floppy0
drwxr-xr-x   2 root root    0 Sep  2 18:52 torrent
doyler@torrents:~$ ls -al /media/torrent/
total 4
drwxr-xr-x 2 root root    0 Sep  2 18:52 .
drwxr-xr-x 6 root root 4096 Sep  2 20:52 ..
I then had to update the openpyn.service file to allow the requisite SMB ports through the firewall rules that openpyn enforces with -f.
doyler@torrents:~$ sudo cat /etc/systemd/system/openpyn.service
[Unit]
Description=NordVPN connection manager
Wants=network-online.target
After=network-online.target
After=multi-user.target

[Service]
Type=simple
User=root
WorkingDirectory=/usr/local/lib/python3.5/dist-packages/openpyn/
ExecStartPre=/bin/sleep 5
ExecStart=/usr/local/bin/openpyn us -f --allow 137 138 139 445 --p2p
ExecStop=/usr/local/bin/openpyn --kill
StandardOutput=syslog
StandardError=syslog

[Install]
WantedBy=multi-user.target
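Because the -f flag and the --allow list in ExecStart are what decide whether traffic can leave the box outside the tunnel, it is worth checking them whenever the unit changes. The following is an added example (not part of openpyn or the post) that parses a unit file like the one above and reports a missing kill switch, a missing --kill on stop, or any --allow port beyond the four SMB/NetBIOS ports intended here; the embedded unit text and the expected port set are constructed for the demonstration.

```python
import configparser
import shlex

# Ports the post deliberately opens for the CIFS share (constructed allow-list).
EXPECTED_PORTS = {137, 138, 139, 445}

# Constructed copy of the unit from the post, embedded so the script runs offline.
SAMPLE_UNIT = """\
[Unit]
Description=NordVPN connection manager
After=network-online.target

[Service]
Type=simple
User=root
ExecStart=/usr/local/bin/openpyn us -f --allow 137 138 139 445 --p2p
ExecStop=/usr/local/bin/openpyn --kill

[Install]
WantedBy=multi-user.target
"""


def parse_exec_start(unit_text):
    """Return (force_fw, allowed_ports, kill_on_stop) read from the [Service] section."""
    # strict=False tolerates repeated keys such as two After= lines in a real unit
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(unit_text)
    argv = shlex.split(cp.get("Service", "ExecStart", fallback=""))
    force_fw = "-f" in argv
    allowed = []
    if "--allow" in argv:
        # --allow consumes every following bare port number until the next option
        for tok in argv[argv.index("--allow") + 1:]:
            if tok.startswith("-"):
                break
            allowed.append(int(tok))
    kill_on_stop = "--kill" in shlex.split(cp.get("Service", "ExecStop", fallback=""))
    return force_fw, allowed, kill_on_stop


def audit(unit_text, expected=EXPECTED_PORTS):
    """Return a list of findings; an empty list means the unit matches the intended policy."""
    force_fw, allowed, kill_on_stop = parse_exec_start(unit_text)
    findings = []
    if not force_fw:
        findings.append("ExecStart lacks -f: no firewall kill switch if the tunnel drops")
    unexpected = sorted(set(allowed) - set(expected))
    if unexpected:
        findings.append("unexpected ports allowed past the VPN firewall: %s" % unexpected)
    if not kill_on_stop:
        findings.append("ExecStop does not run 'openpyn --kill'")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_UNIT) or ["OK: unit matches intended policy"]:
        print(line)
```

Point it at the real file with `audit(open("/etc/systemd/system/openpyn.service").read())` after each edit to the unit.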
OpenPYN NordVPN – Conclusion
This was a fairly simple process, and I’m glad that I finally got it working.
I now have an always-on VPN box for various testing or troubleshooting.
Let me know if you’ve used other solutions, or what you think of this configuration!
Hi Ray,
Your setup looks great and I’ve used openpyn before, but I’m interested
to get your comments on using this as a VPN gateway so that any user
who points his/her “gateway=xxx.xxx.xxx.xxx” at the server’s IP address
can access the VPN tunnel.
I don’t think that OpenPYN will work as a gateway, but someone suggested that I give this a try.
https://github.com/mrahmadt/SmartGW