Address
304 North Cardinal St.
Dorchester Center, MA 02124
Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM
I recently setup OpenPYN NordVPN in my homelab, and I wanted to share how simple it is.
OpenPYN NordVPN – Introduction
If you haven’t played with OpenPYN NordVPN yet, then you can find it in the GitHub repository.
I went with NordVPN because it was recently on sale, and I had heard good things about their service. This isn’t really a post about the best VPN provider or who to choose though.
I wanted to set up a Linux box with an always-on VPN, and programmatically access it if I needed to. This covered my use case, and has worked great so far.
Preparation
First, I setup a new Ubuntu server box.
I went through the entire setup process like normal, and just enabled a few services here and there.
Next, I installed and configured ubuntu-desktop, so that I’d be able to use the UI for applications.
[email protected]:~$ sudo apt-get update && sudo apt-get install ubuntu-desktop
Finally, I upgraded all the packages on the system, and installed any necessary patches.
Installation and Configuration
With my OS setup, I installed all the necessary prerequisites.
[email protected]:~$ sudo apt install openvpn unzip wget python3-setuptools python3-pip [sudo] password for doyler: Reading package lists... Done Building dependency tree Reading state information... Done
Next, I installed the openpyn python module via pip
[email protected]:~$ sudo python3 -m pip install --upgrade openpyn The directory '/home/doyler/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag. The directory '/home/doyler/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag. Collecting openpyn
When the installation completed, I initialized the script using the –init flag.
[email protected]:~$ sudo openpyn --init Enter your username for NordVPN, i.e [email protected]urmail.com: [email protected] Enter the password for NordVPN: --2018-09-02 20:05:39-- https://downloads.nordcdn.com/configs/archives/servers/ovpn.zip Resolving downloads.nordcdn.com (downloads.nordcdn.com)... 2400:cb00:2048:1::6812:6d0e, 2400:cb00:2048:1::6812:6e0e, 2400:cb00:2048:1::6812:700e, ... Connecting to downloads.nordcdn.com (downloads.nordcdn.com)|2400:cb00:2048:1::6812:6d0e|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 20352464 (19M) [application/zip] Saving to: '/usr/local/lib/python3.5/dist-packages/openpyn/ovpn.zip' ovpn.zip 100%[===================>] 19.41M 39.2MB/s in 0.5s 2018-09-02 20:05:39 (39.2 MB/s) - '/usr/local/lib/python3.5/dist-packages/openpyn/ovpn.zip' saved [20352464/20352464] Enter Openpyn options to be stored in systemd service file (/etc/systemd/system/openpyn.service, Default(Just Press Enter) is, uk : us 2018-09-02 20:05:57 [INFO] To see usage options type: "openpyn -h" or "openpyn --help"
Next, I modified the new service file based on the examples from the repository.
[email protected]:~$ sudo cat /etc/systemd/system/openpyn.service [Unit] Description=NordVPN connection manager Wants=network-online.target After=network-online.target After=multi-user.target [Service] Type=simple User=root WorkingDirectory=/usr/local/lib/python3.5/dist-packages/openpyn/ ExecStartPre=/bin/sleep 5 ExecStart=/usr/local/bin/openpyn us -f --p2p ExecStop=/usr/local/bin/openpyn --kill StandardOutput=syslog StandardError=syslog [Install] WantedBy=multi-user.target
OpenPYN NordVPN – Verification
With my service file created, I restarted the openpyn service.
[email protected]:~$ systemctl restart openpyn [email protected]:~$ systemctl status openpyn -- openpyn.service - NordVPN connection manager Loaded: loaded (/etc/systemd/system/openpyn.service; disabled; vendor preset: Active: active (running) since Sun 2018-09-02 20:08:05 EDT; 2s ago Process: 3414 ExecStartPre=/bin/sleep 5 (code=exited, status=0/SUCCESS) Main PID: 3423 (openpyn) Tasks: 3 Memory: 36.0M CPU: 523ms CGroup: /system.slice/openpyn.service ""3423 /usr/bin/python3 /usr/local/bin/openpyn us -f --p2p ""3467 ping -n -i .2 -c 3 us1087.nordvpn.com """3468 grep -B 1 min/avg/max/ Sep 02 20:08:05 torrents sudo[3446]: pam_unix(sudo:session): session closed for Sep 02 20:08:05 torrents sudo[3456]: root : TTY=unknown ; PWD=/usr/local/lib Sep 02 20:08:05 torrents sudo[3456]: pam_unix(sudo:session): session opened for Sep 02 20:08:05 torrents sudo[3456]: pam_unix(sudo:session): session closed for Sep 02 20:08:05 torrents sudo[3458]: root : TTY=unknown ; PWD=/usr/local/lib Sep 02 20:08:05 torrents sudo[3458]: pam_unix(sudo:session): session opened for Sep 02 20:08:05 torrents sudo[3458]: pam_unix(sudo:session): session closed for Sep 02 20:08:05 torrents sudo[3460]: root : TTY=unknown ; PWD=/usr/local/lib Sep 02 20:08:05 torrents sudo[3460]: pam_unix(sudo:session): session opened for Sep 02 20:08:05 torrents sudo[3460]: pam_unix(sudo:session): session closed for
When my connection was complete, I verified that the VPN was working by checking my external IP address. As you can see, this is a NordVPN controlled IP address.
[email protected]:~$ curl -4 https://ifconfig.co/ip 192.171.29.107
Bonus CIFS Share
With the VPN connection now working, I also installed cifs-utils and created a new directory for my various downloads.
[email protected]:~$ sudo apt-get install cifs-utils [sudo] password for doyler: Reading package lists... Done Building dependency tree ... [email protected]:~$ sudo mkdir /media/torrent
Next, I setup a new mount point in my fstab file to mount my file share as a local directory.
//192.168.5.2/Backup/Torrent /media/torrent cifs credentials=/home/doyler/.smbcredentials,iocharset=utf8,sec=ntlm,vers=2.0 0 0
Once I mounted everything, my /media/torrent directory was now up and working.
[email protected]:~$ sudo mount -a [email protected]:~$ ls -al /media/ total 20 drwxr-xr-x 6 root root 4096 Sep 2 20:52 . drwxr-xr-x 23 root root 4096 Sep 2 18:51 .. drwxr-xr-x 2 root root 4096 Sep 2 18:47 cdrom drwxr-x---+ 2 root root 4096 Sep 2 19:55 doyler lrwxrwxrwx 1 root root 7 Sep 2 18:46 floppy -> floppy0 drwxr-xr-x 2 root root 4096 Sep 2 18:46 floppy0 drwxr-xr-x 2 root root 0 Sep 2 18:52 torrent [email protected]:~$ ls -al /media/torrent/ total 4 drwxr-xr-x 2 root root 0 Sep 2 18:52 . drwxr-xr-x 6 root root 4096 Sep 2 20:52 ..
I then had to update the openpyn.service file, to allow the requisite SMB ports through the firewall rules.
[email protected]:~$ sudo cat /etc/systemd/system/openpyn.service [Unit] Description=NordVPN connection manager Wants=network-online.target After=network-online.target After=multi-user.target [Service] Type=simple User=root WorkingDirectory=/usr/local/lib/python3.5/dist-packages/openpyn/ ExecStartPre=/bin/sleep 5 ExecStart=/usr/local/bin/openpyn us -f --allow 137 138 139 445 --p2p ExecStop=/usr/local/bin/openpyn --kill StandardOutput=syslog StandardError=syslog [Install] WantedBy=multi-user.target
OpenPYN NordVPN – Conclusion
This was a fairly simple process, and I’m glad that I finally got it working.
I now have an always on VPN box for various testing or troubleshooting.
Let me know if you’ve used other solutions, or what you think of this configuration!
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.
This page contains links to products that I may receive compensation from at no additional cost to you. View my Affiliate Disclosure page here. As an Amazon Associate, I earn from qualifying purchases.
4 Comments
Leave a Reply
This site uses Akismet to reduce spam. Learn how your comment data is processed.
Hi Ray,
your setup look great and I’ve used openpyn before but I’m interested
to get your comments on using this as a vpn gateway so that any user
who points his/her “gateway=xxx.xxx.xxx.xxx” at the server’s ip address
can access the vpn tunnel
I don’t think that OpenPYN will work as a gateway, but someone suggested that I give this a try.
https://github.com/mrahmadt/SmartGW
[…] keeping with the VPN theme, here’s a quick guide on setting up a DigitalOcean VPN with […]
[…] I use NordVPN, and even have a NordVPN and OpenPYN setup for always-on Linux […]