OpenPYN NordVPN – Always on Linux VPN

I recently set up OpenPYN NordVPN in my homelab, and I wanted to share how simple it is.

OpenPYN NordVPN - Introduction

If you haven't played with OpenPYN NordVPN yet, then you can find it in the GitHub repository.

I went with NordVPN because it was recently on sale, and I had heard good things about their service. This isn't really a post about the best VPN provider or who to choose though.

I wanted to set up a Linux box with an always-on VPN, and programmatically access it if I needed to. This covered my use case, and has worked great so far.

Preparation

First, I set up a new Ubuntu server box.

OpenPYN NordVPN - Ubuntu Setup

I went through the entire setup process like normal, and just enabled a few services here and there.

OpenPYN NordVPN - Setup Complete

Next, I installed and configured ubuntu-desktop, so that I'd be able to use the UI for applications.

doyler@torrents:~$ sudo apt-get update && sudo apt-get install ubuntu-desktop

Finally, I upgraded all the packages on the system, and installed any necessary patches.

Installation and Configuration

With my OS setup, I installed all the necessary prerequisites.

doyler@torrents:~$ sudo apt install openvpn unzip wget python3-setuptools python3-pip
[sudo] password for doyler:
Reading package lists... Done
Building dependency tree       
Reading state information... Done

Next, I installed the openpyn Python module via pip.

doyler@torrents:~$ sudo python3 -m pip install --upgrade openpyn
The directory '/home/doyler/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/doyler/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting openpyn

When the installation completed, I initialized the script using the --init flag.

doyler@torrents:~$ sudo openpyn --init
Enter your username for NordVPN, i.e youremail@yourmail.com: dev.doyler@gmail.com
Enter the password for NordVPN:
--2018-09-02 20:05:39--  https://downloads.nordcdn.com/configs/archives/servers/ovpn.zip
Resolving downloads.nordcdn.com (downloads.nordcdn.com)... 2400:cb00:2048:1::6812:6d0e, 2400:cb00:2048:1::6812:6e0e, 2400:cb00:2048:1::6812:700e, ...
Connecting to downloads.nordcdn.com (downloads.nordcdn.com)|2400:cb00:2048:1::6812:6d0e|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20352464 (19M) [application/zip]
Saving to: ‘/usr/local/lib/python3.5/dist-packages/openpyn/ovpn.zip’

ovpn.zip            100%[===================>]  19.41M  39.2MB/s    in 0.5s    

2018-09-02 20:05:39 (39.2 MB/s) - ‘/usr/local/lib/python3.5/dist-packages/openpyn/ovpn.zip’ saved [20352464/20352464]


Enter Openpyn options to be stored in systemd service file (/etc/systemd/system/openpyn.service, Default(Just Press Enter) is, uk : us
2018-09-02 20:05:57 [INFO] To see usage options type: "openpyn -h" or "openpyn --help"

Next, I modified the new service file based on the examples from the repository.

doyler@torrents:~$ sudo cat /etc/systemd/system/openpyn.service
[Unit]
Description=NordVPN connection manager
Wants=network-online.target
After=network-online.target
After=multi-user.target
[Service]
Type=simple
User=root
WorkingDirectory=/usr/local/lib/python3.5/dist-packages/openpyn/
ExecStartPre=/bin/sleep 5
ExecStart=/usr/local/bin/openpyn us -f --p2p
ExecStop=/usr/local/bin/openpyn --kill
StandardOutput=syslog
StandardError=syslog
[Install]
WantedBy=multi-user.target

OpenPYN NordVPN - Verification

With my service file created, I restarted the openpyn service.

doyler@torrents:~$ systemctl restart openpyn
doyler@torrents:~$ systemctl status openpyn
● openpyn.service - NordVPN connection manager
   Loaded: loaded (/etc/systemd/system/openpyn.service; disabled; vendor preset:
   Active: active (running) since Sun 2018-09-02 20:08:05 EDT; 2s ago
  Process: 3414 ExecStartPre=/bin/sleep 5 (code=exited, status=0/SUCCESS)
Main PID: 3423 (openpyn)
    Tasks: 3
   Memory: 36.0M
      CPU: 523ms
   CGroup: /system.slice/openpyn.service
           ├─3423 /usr/bin/python3 /usr/local/bin/openpyn us -f --p2p
           ├─3467 ping -n -i .2 -c 3 us1087.nordvpn.com
           └─3468 grep -B 1 min/avg/max/

Sep 02 20:08:05 torrents sudo[3446]: pam_unix(sudo:session): session closed for
Sep 02 20:08:05 torrents sudo[3456]:     root : TTY=unknown ; PWD=/usr/local/lib
Sep 02 20:08:05 torrents sudo[3456]: pam_unix(sudo:session): session opened for
Sep 02 20:08:05 torrents sudo[3456]: pam_unix(sudo:session): session closed for
Sep 02 20:08:05 torrents sudo[3458]:     root : TTY=unknown ; PWD=/usr/local/lib
Sep 02 20:08:05 torrents sudo[3458]: pam_unix(sudo:session): session opened for
Sep 02 20:08:05 torrents sudo[3458]: pam_unix(sudo:session): session closed for
Sep 02 20:08:05 torrents sudo[3460]:     root : TTY=unknown ; PWD=/usr/local/lib
Sep 02 20:08:05 torrents sudo[3460]: pam_unix(sudo:session): session opened for
Sep 02 20:08:05 torrents sudo[3460]: pam_unix(sudo:session): session closed for

Once the connection was up, I verified that the VPN was working by checking my external IP address. As you can see, this is a NordVPN-controlled IP address.

doyler@torrents:~$ curl -4 https://ifconfig.co/ip
192.171.29.107

Bonus CIFS Share

With the VPN connection now working, I also installed cifs-utils and created a new directory for my various downloads.

doyler@torrents:~$ sudo apt-get install cifs-utils
[sudo] password for doyler:
Reading package lists... Done
Building dependency tree       

...

doyler@torrents:~$ sudo mkdir /media/torrent

Next, I added an entry to my fstab file so that the file share mounts as a local directory.

//192.168.5.2/Backup/Torrent /media/torrent cifs credentials=/home/doyler/.smbcredentials,iocharset=utf8,sec=ntlm,vers=2.0 0 0
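The fstab entry above carries three things worth checking on any cifs mount: the `sec=` authentication mode (the mount.cifs man page lists ntlm, ntlmv2, ntlmssp, krb5 and none; `ntlm` is NTLMv1 password hashing), the SMB dialect forced by `vers=`, and the permissions on the `credentials=` file, which holds a plaintext password. The following is an added example, not code from the post or from cifs-utils: it parses a line in fstab format, flags those points, and checks the mode of the credentials file if one is given. The sample line and the throwaway credentials file are constructed for the demo.

```python
import os
import stat
import tempfile
from typing import List, Optional

# Constructed sample: the /etc/fstab entry from the post.
FSTAB_LINE = ("//192.168.5.2/Backup/Torrent /media/torrent cifs "
              "credentials=/home/doyler/.smbcredentials,iocharset=utf8,sec=ntlm,vers=2.0 0 0")


def parse_fstab_line(line: str) -> dict:
    """Split one fstab entry into its fields and a dict of mount options."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("fstab entry needs spec, mountpoint, fstype and options")
    options = {}
    for opt in fields[3].split(","):
        key, sep, value = opt.partition("=")
        options[key] = value if sep else True   # flag options such as noexec become True
    return {"spec": fields[0], "mountpoint": fields[1], "fstype": fields[2], "options": options}


def audit_cifs_entry(entry: dict, cred_mode: Optional[int] = None) -> List[str]:
    """Flag weak choices in a cifs entry. cred_mode is the st_mode of the
    credentials= file when the caller has it (None when unknown)."""
    findings: List[str] = []
    if entry["fstype"] != "cifs":
        return findings
    opts = entry["options"]
    sec = opts.get("sec")
    if sec == "none":
        findings.append("sec=none: anonymous null-session access")
    elif sec == "ntlm":
        findings.append("sec=ntlm selects NTLMv1 password hashing; "
                        "prefer sec=ntlmssp (the mount.cifs default) or krb5")
    if opts.get("vers") == "1.0":
        findings.append("vers=1.0 forces the deprecated SMB1 dialect")
    if "password" in opts:
        findings.append("password= inline in /etc/fstab (world-readable); "
                        "move it to a credentials= file")
    if cred_mode is not None and stat.S_IMODE(cred_mode) & 0o077:
        findings.append(f"credentials file is mode {stat.S_IMODE(cred_mode):04o}; "
                        "it should be 0600 so only its owner can read the password")
    return findings


def audit_fstab_line(line: str, cred_path: Optional[str] = None) -> List[str]:
    """Parse the entry, stat the credentials file if a path is given, then audit."""
    entry = parse_fstab_line(line)
    mode = os.stat(cred_path).st_mode if cred_path else None
    return audit_cifs_entry(entry, mode)


def demo() -> List[str]:
    """Audit the sample line against a throwaway credentials file with loose permissions."""
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write("username=doyler\npassword=placeholder-not-real\n")   # constructed placeholder
        path = fh.name
    try:
        os.chmod(path, 0o644)   # deliberately too open, so the audit has something to report
        return audit_fstab_line(FSTAB_LINE, path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
```

Run against the real file with `audit_fstab_line(line, "/home/doyler/.smbcredentials")`; with `sec=ntlmssp` and a 0600 credentials file the entry produces no findings.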

Once I mounted everything, my /media/torrent directory was now up and working.

doyler@torrents:~$ sudo mount -a
doyler@torrents:~$ ls -al /media/
total 20
drwxr-xr-x   6 root root 4096 Sep  2 20:52 .
drwxr-xr-x  23 root root 4096 Sep  2 18:51 ..
drwxr-xr-x   2 root root 4096 Sep  2 18:47 cdrom
drwxr-x---+  2 root root 4096 Sep  2 19:55 doyler
lrwxrwxrwx   1 root root    7 Sep  2 18:46 floppy -> floppy0
drwxr-xr-x   2 root root 4096 Sep  2 18:46 floppy0
drwxr-xr-x   2 root root    0 Sep  2 18:52 torrent
doyler@torrents:~$ ls -al /media/torrent/
total 4
drwxr-xr-x 2 root root    0 Sep  2 18:52 .
drwxr-xr-x 6 root root 4096 Sep  2 20:52 ..

I then had to update the openpyn.service file to allow the requisite SMB ports through the firewall rules that openpyn enforces with the -f option.

doyler@torrents:~$ sudo cat /etc/systemd/system/openpyn.service
[Unit]
Description=NordVPN connection manager
Wants=network-online.target
After=network-online.target
After=multi-user.target
[Service]
Type=simple
User=root
WorkingDirectory=/usr/local/lib/python3.5/dist-packages/openpyn/
ExecStartPre=/bin/sleep 5
ExecStart=/usr/local/bin/openpyn us -f --allow 137 138 139 445 --p2p
ExecStop=/usr/local/bin/openpyn --kill
StandardOutput=syslog
StandardError=syslog
[Install]
WantedBy=multi-user.target
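The two versions of openpyn.service above differ only in the `--allow 137 138 139 445` list on ExecStart, and the interesting security state of the box lives entirely on that one line: whether `-f` (the firewall / kill switch) is present and which inbound ports are exempted from it. The following is an added example, not code from the post or from the openpyn project: it parses a systemd unit (handling repeated directives such as the two `After=` lines, which configparser would merge), extracts the openpyn switches, and reports what a reviewer would want to know about both versions of the file. It assumes, per openpyn's help text (verify against your installed version), that `-f` has the long form `--force-fw-rules` and that `--allow` takes a list of inbound ports; the unit text is constructed from the post.

```python
import shlex
from typing import Dict, List

# Constructed sample: the openpyn.service unit from the post, after the --allow change.
UNIT_TEXT = """\
[Unit]
Description=NordVPN connection manager
Wants=network-online.target
After=network-online.target
After=multi-user.target
[Service]
Type=simple
User=root
WorkingDirectory=/usr/local/lib/python3.5/dist-packages/openpyn/
ExecStartPre=/bin/sleep 5
ExecStart=/usr/local/bin/openpyn us -f --allow 137 138 139 445 --p2p
ExecStop=/usr/local/bin/openpyn --kill
StandardOutput=syslog
StandardError=syslog
[Install]
WantedBy=multi-user.target
"""


def parse_unit(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal systemd unit parser. Directives may repeat (After= appears twice
    above), so every value is kept in a list rather than using configparser."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def inspect_openpyn_argv(exec_start: str) -> dict:
    """Pull the security-relevant switches out of an openpyn command line.
    Assumption (check `openpyn --help` on your version): -f / --force-fw-rules
    enforces firewall rules that drop traffic outside the tunnel, and --allow
    lists inbound ports that are exempted from those rules."""
    argv = shlex.split(exec_start)
    allowed: List[int] = []
    if "--allow" in argv:
        i = argv.index("--allow") + 1
        while i < len(argv) and argv[i].isdigit():   # stop at the next flag
            allowed.append(int(argv[i]))
            i += 1
    return {
        "firewall": "-f" in argv or "--force-fw-rules" in argv,
        "allowed_ports": allowed,
        "p2p": "--p2p" in argv,
    }


def audit_unit(text: str) -> List[str]:
    """Return human-readable findings for an openpyn.service unit."""
    service = parse_unit(text).get("Service", {})
    exec_starts = service.get("ExecStart", [])
    if not exec_starts:
        return ["no ExecStart= in [Service]: nothing would be launched"]
    # Take the final assignment; several ExecStart= lines are only valid for Type=oneshot.
    info = inspect_openpyn_argv(exec_starts[-1])
    findings: List[str] = []
    if not info["firewall"]:
        findings.append("kill switch (-f) not set: traffic leaves unprotected if the tunnel drops")
    for port in info["allowed_ports"]:
        findings.append(f"inbound port {port} is exempted from the VPN firewall rules")
    if "Restart" not in service:
        findings.append("no Restart= directive: if openpyn exits, the 'always-on' VPN stays down")
    return findings


if __name__ == "__main__":
    for finding in audit_unit(UNIT_TEXT):
        print("-", finding)
```

The Restart= finding is the one most relevant to an "always-on" box: systemd only relaunches a service that exits if the unit says so (`Restart=on-failure` or `Restart=always`), so without it a crashed openpyn leaves the machine with no tunnel until someone notices.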

OpenPYN NordVPN - Conclusion

This was a fairly simple process, and I'm glad that I finally got it working.

I now have an always-on VPN box for various testing or troubleshooting.

Let me know if you've used other solutions, or what you think of this configuration!

doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Principal Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.
