OpenPYN NordVPN – Always on Linux VPN

I recently setup OpenPYN NordVPN in my homelab, and I wanted to share how simple it is.

OpenPYN NordVPN – Introduction

If you haven’t played with OpenPYN NordVPN yet, then you can find it in the GitHub repository.

I went with NordVPN because it was recently on sale, and I had heard good things about their service. This isn’t really a post about the best VPN provider or who to choose though.

I wanted to set up a Linux box with an always-on VPN, and programmatically access it if I needed to. This covered my use case, and has worked great so far.

Preparation

First, I setup a new Ubuntu server box.

I went through the entire setup process like normal, and just enabled a few services here and there.

Next, I installed and configured ubuntu-desktop, so that I’d be able to use the UI for applications.

[email protected]:~$ sudo apt-get update && sudo apt-get install ubuntu-desktop

Finally, I upgraded all the packages on the system, and installed any necessary patches.

Installation and Configuration

With my OS setup, I installed all the necessary prerequisites.

[email protected]:~$ sudo apt install openvpn unzip wget python3-setuptools python3-pip
[sudo] password for doyler:
Reading package lists... Done
Building dependency tree       
Reading state information... Done

Next, I installed the openpyn python module via pip

[email protected]:~$ sudo python3 -m pip install --upgrade openpyn
The directory '/home/doyler/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/doyler/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting openpyn

When the installation completed, I initialized the script using the –init flag.

[email protected]:~$ sudo openpyn --init
Enter your username for NordVPN, i.e [email protected]: [email protected]
Enter the password for NordVPN:
--2018-09-02 20:05:39--  https://downloads.nordcdn.com/configs/archives/servers/ovpn.zip
Resolving downloads.nordcdn.com (downloads.nordcdn.com)... 2400:cb00:2048:1::6812:6d0e, 2400:cb00:2048:1::6812:6e0e, 2400:cb00:2048:1::6812:700e, ...
Connecting to downloads.nordcdn.com (downloads.nordcdn.com)|2400:cb00:2048:1::6812:6d0e|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20352464 (19M) [application/zip]
Saving to: ‘/usr/local/lib/python3.5/dist-packages/openpyn/ovpn.zip’

ovpn.zip            100%[===================>]  19.41M  39.2MB/s    in 0.5s    

2018-09-02 20:05:39 (39.2 MB/s) - ‘/usr/local/lib/python3.5/dist-packages/openpyn/ovpn.zip’ saved [20352464/20352464]


Enter Openpyn options to be stored in systemd service file (/etc/systemd/system/openpyn.service, Default(Just Press Enter) is, uk : us
2018-09-02 20:05:57 [INFO] To see usage options type: "openpyn -h" or "openpyn --help"

Next, I modified the new service file based on the examples from the repository.

[email protected]:~$ sudo cat /etc/systemd/system/openpyn.service
[Unit]
Description=NordVPN connection manager
Wants=network-online.target
After=network-online.target
After=multi-user.target
[Service]
Type=simple
User=root
WorkingDirectory=/usr/local/lib/python3.5/dist-packages/openpyn/
ExecStartPre=/bin/sleep 5
ExecStart=/usr/local/bin/openpyn us -f --p2p
ExecStop=/usr/local/bin/openpyn --kill
StandardOutput=syslog
StandardError=syslog
[Install]
WantedBy=multi-user.target

OpenPYN NordVPN – Verification

With my service file created, I restarted the openpyn service.

[email protected]:~$ systemctl restart openpyn
[email protected]:~$ systemctl status openpyn
● openpyn.service - NordVPN connection manager
   Loaded: loaded (/etc/systemd/system/openpyn.service; disabled; vendor preset:
   Active: active (running) since Sun 2018-09-02 20:08:05 EDT; 2s ago
  Process: 3414 ExecStartPre=/bin/sleep 5 (code=exited, status=0/SUCCESS)
Main PID: 3423 (openpyn)
    Tasks: 3
   Memory: 36.0M
      CPU: 523ms
   CGroup: /system.slice/openpyn.service
           ├─3423 /usr/bin/python3 /usr/local/bin/openpyn us -f --p2p
           ├─3467 ping -n -i .2 -c 3 us1087.nordvpn.com
           └─3468 grep -B 1 min/avg/max/

Sep 02 20:08:05 torrents sudo[3446]: pam_unix(sudo:session): session closed for
Sep 02 20:08:05 torrents sudo[3456]:     root : TTY=unknown ; PWD=/usr/local/lib
Sep 02 20:08:05 torrents sudo[3456]: pam_unix(sudo:session): session opened for
Sep 02 20:08:05 torrents sudo[3456]: pam_unix(sudo:session): session closed for
Sep 02 20:08:05 torrents sudo[3458]:     root : TTY=unknown ; PWD=/usr/local/lib
Sep 02 20:08:05 torrents sudo[3458]: pam_unix(sudo:session): session opened for
Sep 02 20:08:05 torrents sudo[3458]: pam_unix(sudo:session): session closed for
Sep 02 20:08:05 torrents sudo[3460]:     root : TTY=unknown ; PWD=/usr/local/lib
Sep 02 20:08:05 torrents sudo[3460]: pam_unix(sudo:session): session opened for
Sep 02 20:08:05 torrents sudo[3460]: pam_unix(sudo:session): session closed for

When my connection was complete, I verified that the VPN was working by checking my external IP address. As you can see, this is a NordVPN controlled IP address.

[email protected]:~$ curl -4 https://ifconfig.co/ip
192.171.29.107

Bonus CIFS Share

With the VPN connection now working, I also installed cifs-utils and created a new directory for my various downloads.

[email protected]:~$ sudo apt-get install cifs-utils
[sudo] password for doyler:
Reading package lists... Done
Building dependency tree       

...

[email protected]:~$ sudo mkdir /media/torrent

Next, I setup a new mount point in my fstab file to mount my file share as a local directory.

//192.168.5.2/Backup/Torrent /media/torrent cifs credentials=/home/doyler/.smbcredentials,iocharset=utf8,sec=ntlm,vers=2.0 0 0

Once I mounted everything, my /media/torrent directory was now up and working.

[email protected]:~$ sudo mount -a
[email protected]:~$ ls -al /media/
total 20
drwxr-xr-x   6 root root 4096 Sep  2 20:52 .
drwxr-xr-x  23 root root 4096 Sep  2 18:51 ..
drwxr-xr-x   2 root root 4096 Sep  2 18:47 cdrom
drwxr-x---+  2 root root 4096 Sep  2 19:55 doyler
lrwxrwxrwx   1 root root    7 Sep  2 18:46 floppy -> floppy0
drwxr-xr-x   2 root root 4096 Sep  2 18:46 floppy0
drwxr-xr-x   2 root root    0 Sep  2 18:52 torrent
[email protected]:~$ ls -al /media/torrent/
total 4
drwxr-xr-x 2 root root    0 Sep  2 18:52 .
drwxr-xr-x 6 root root 4096 Sep  2 20:52 ..

I then had to update the openpyn.service file, to allow the requisite SMB ports through the firewall rules.

[email protected]:~$ sudo cat /etc/systemd/system/openpyn.service
[Unit]
Description=NordVPN connection manager
Wants=network-online.target
After=network-online.target
After=multi-user.target
[Service]
Type=simple
User=root
WorkingDirectory=/usr/local/lib/python3.5/dist-packages/openpyn/
ExecStartPre=/bin/sleep 5
ExecStart=/usr/local/bin/openpyn us -f --allow 137 138 139 445 --p2p
ExecStop=/usr/local/bin/openpyn --kill
StandardOutput=syslog
StandardError=syslog
[Install]
WantedBy=multi-user.target

OpenPYN NordVPN – Conclusion

This was a fairly simple process, and I’m glad that I finally got it working.

I now have an always on VPN box for various testing or troubleshooting.

Let me know if you’ve used other solutions, or what you think of this configuration!

Ray Doyle

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

This page contains links to products that I may receive compensation from at no additional cost to you. View my Affiliate Disclosure page here. As an Amazon Associate, I earn from qualifying purchases.