A Simple VPN Implementation

enrique
Posts: 595
Joined: Sun 10 Nov 2019, 00:10
Location: Planet Earth

#81 Post by enrique »

@OscarTalks thanks for considering our suggestion.

I am not sure if you have Firewall Setup 0.7 by Alien Bob, the one that comes with most Puppies. Look at the Tray Menu. When you right-click you have:
*Quit Firewall (I guess exit)
*Firewall Setup
*Firewall Remove
*Firewall ON

What I suggest is a similar approach:
*Exit - to close openvpn and remove the tray icon
*openvpn setup - where we can either select an ovpn or ask to rotate between the ones we have stored at /etc/vpn-onoff
*Test openvpn without Browser - just as we suggested
*Test openvpn with Browser
*username/password entry
*Turn ON/OFF (Toggle) - where we turn it On if Off, or Off if On, but NOT leaving the tray icon. The tray icon should change color to show whether it is on or off.

Just as you said, we users have to consider that this is a free service ("most of the servers are operated by volunteers on their own ISP's connections"). The best option is to have more than 10 .ovpn files, then automate the process so that when we leave, a new .ovpn is selected by our vpnconfig. I personally will be trying that for your vpn-stop script. A new VPN server every time we go in.

Edit1:

And yes, your suggestion is good: a daemon to test when our Public IP changes and we have lost the openvpn connection. I wonder if openvpn should have some default for this? I guess this should be a common (standard) need for all.

d4rkn1ght
Posts: 55
Joined: Wed 20 Jan 2010, 00:47

VPN Switch

#82 Post by d4rkn1ght »

I made this simple widget so I can have the two vpn-start and vpn-stop scripts, password changing, and config files in a single place. I just wanted a simple GUI with all these shortcuts. I also added jafadmin's great Geolocation script. 8)

Please do as you wish with this. I'm sure someone here can make this better.

This works great in Tahrpup64 and Bionicpup64. I think it should work on Xenialpup, but I haven't tested other puppies.

---Updated---

Just added a few simple features and performance improvements. Hopefully it's a little more useful.

Download here.
Attachments
vpn-switch-3.png

enrique
Posts: 595
Joined: Sun 10 Nov 2019, 00:10
Location: Planet Earth

#83 Post by enrique »

@d4rkn1ght at first I could not make it work. As always, I uninstall all previous versions to start clean. This means vpn-onoff too. So it did not work. Now I see: with OscarTalks's vpn-onoff installed, we then install vpn-switch.pet, and it will open a window with your nice app. I guess we all have our own preferred choice. I like OscarTalks's vpn-onoff. I know he has put 2 startup apps in the Internet folder. I do not see that as a problem; if anything, that is an advantage. If something goes wrong and programs stop working (hang up) we can use vpn-stop as a killall rescue, no need for a task manager or another terminal.

Now, do not get me wrong. What you have done is beautiful. I will have it stored with my other yad/gtkdialog apps. It contains full app functionality with menus, submenus, etc. in gtkdialog. I will be studying that even though I am trying to stick to only one of these dialogs. I do not know if I am wrong, but I have personally selected yad over zenity and gtkdialog. I am starting to learn bash; learning only yad should allow me to learn faster. To all, keep up the good work.

d4rkn1ght
Posts: 55
Joined: Wed 20 Jan 2010, 00:47

#84 Post by d4rkn1ght »

enrique wrote:@d4rkn1ght at first I could not make it work. As always, I uninstall all previous versions to start clean. This means vpn-onoff too. So it did not work. Now I see: with OscarTalks's vpn-onoff installed, we then install vpn-switch.pet, and it will open a window with your nice app. I guess we all have our own preferred choice. I like OscarTalks's vpn-onoff. I know he has put 2 startup apps in the Internet folder. I do not see that as a problem; if anything, that is an advantage. If something goes wrong and programs stop working (hang up) we can use vpn-stop as a killall rescue, no need for a task manager or another terminal.
Glad you got it working. 8) This is just a simple GUI with shortcuts to Oscar's vpn-start and vpn-stop scripts. For example, when you press Disconnect, it's like clicking on the vpn-stop script.
enrique wrote: Now, do not get me wrong. What you have done is beautiful. I will have it stored with my other yad/gtkdialog apps. It contains full app functionality with menus, submenus, etc. in gtkdialog. I will be studying that even though I am trying to stick to only one of these dialogs. I do not know if I am wrong, but I have personally selected yad over zenity and gtkdialog. I am starting to learn bash; learning only yad should allow me to learn faster. To all, keep up the good work.
I don't have that much experience with gtkdialog or the others you mention. My knowledge comes from designing and making websites back in the old HTML 3.2 days, a long, long time ago. :lol: I just started making little simple gtkdialog scripts just for learning purposes, and this is one of them.

Feel free to do whatever you want with the script. :)

enrique
Posts: 595
Joined: Sun 10 Nov 2019, 00:10
Location: Planet Earth

#85 Post by enrique »

I have been sending PMs to OscarTalks for 3 days. I know New Year's Eve is coming. Well, as I said, I use this as an excuse to practice/learn bash. I love OscarTalks's vpn-onoff, but to my liking it needs to show its correct status (up or down) and simplify the choosing of ovpn. I was hoping to allow OscarTalks to decide if he likes my suggestions, but since he has not been around I will expose this to all. I will not give you a new pet; I will instead suggest you try it without installing, just from your Home folder. Please notice that all are scripts and no binary is provided. You can navigate through the files, open them with your preferred editor and read what is in them. When you are finished you do not have to worry about uninstalling. You ONLY need to erase the folder /root/vpn-onoff-test, as all the proposed files will be there only.
To test, I will do just as you will do. Here are the suggested steps to test:

1-For this test I am using peebee's LxPupBionic-18.05 and created a new/blank puppy save to make sure all works. (I am not saying you need this puppy. You will try it in yours.)
2-I then downloaded OscarTalks's vpn-onoff from

Code:

http://smokey01.com/OscarTalks/vpn-onoff-0.2-i686-bionic.pet
3-Then I tested it just to make sure all works just as Oscar wanted. Well, there is the usual bad connection to the VPN server.
Please notice that these are caused by the provider's VPN server. OscarTalks's vpn-onoff works perfectly.
Well, this trouble is the one motivating me to make an improvement. So first make sure your OscarTalks's vpn-onoff is installed and working as is.
4-Now download the attachment vpn-onoff-test.tar.xz.gz and copy it to the /root folder.
Open a terminal and:

Code:

cd /root
mv vpn-onoff-test.tar.xz.gz vpn-onoff-test.tar.xz
tar -xf vpn-onoff-test.tar.xz
Now you have in folder /root

Code:

VPN-Start-test
VPN-Stop-test
vpn-onoff-test
vpn-onoff-test.tar.xz
NOTE:
a-If in the future you want to remove this suggestion, you will only need to delete these 4 files.
b-To prevent any confusion, this will not interact with the original OscarTalks's files & setups. All will be contained inside just /root/vpn-onoff-test.
c-This will then ignore all your config at /etc/vpn-onoff, so if you need your special ovpn just copy it from /etc/vpn-onoff and install it to /root/vpn-onoff-test/ovpn.
d-In any case I suggest you go to

Code:

https://www.vpngate.net/en/
There you can get free volunteer servers from all around the world, but mostly from Asia. You need to download from the 5th column, "OpenVPN Config file".
e-I strongly suggest you download 5 or more ovpn files, so that your load gets spread over multiple different servers. Again, store these ovpn files in /root/vpn-onoff-test/ovpn.
f-You can copy/move VPN-Start-test & VPN-Stop-test, but please leave the main folder in /root/vpn-onoff-test. If you would like to move the folder to another location you can try editing /root/vpn-onoff-test/scripts and modify VPNONOFF="/root/vpn-onoff-test" to the new location. It should work, even though I have not tested it.
g-When you are done, uninstall by just deleting the 3 files + folder I mentioned before.

Hope you like it. ;)
enrique
Attachments
vpn-onoff-test.tar.xz.gz

enrique
Posts: 595
Joined: Sun 10 Nov 2019, 00:10
Location: Planet Earth

#86 Post by enrique »

So what's new:
*You do not have to create the symlink anymore.
*You can add more than one ovpn to /root/vpn-onoff-test/ovpn and the program will automatically rotate/select a new one.
*Instead of running openvpn as a daemon, it runs in xterm, so you can see what it is doing or its status.
*If openvpn fails to connect and drops out of xterm, then a popup warning will show and it will auto-retry with the next ovpn.
*If openvpn hangs just trying, you can click on the xterm and press [CTRL]-[C]. Again, this will auto-retry. At the moment I set the retry count to 3, but you can change this with RETRY=3 by editing /root/vpn-onoff-test/scripts/vpn-onoff-config.
*The vpn-onoff icon will stay RED as long as openvpn reports a down connection. It will change to the normal BLUE once it is working.
*Does not use the Browser to test the Public IP. Instead it uses jafadmin's script.
gabtech wrote:Hi enrique
I made your suggested changes but my lxterminal opens without any output. Check my attached vpn-start.
I did miss your question before, but I am pretty sure I corrected this, as I tested it in Puppy Bionic this time.
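As an added example (not code from vpn-onoff or from enrique's vpn-onoff-test), here is a small POSIX sh helper in the spirit of the rotate and retry features listed above: pick the next .ovpn in a directory, wrapping around after the last one, and retry with a fresh config up to RETRY times. The directory layout, the state file and the connect command are assumptions.

```shell
#!/bin/sh
# Added example, hypothetical rotation helper: not vpn-onoff's own code.
# Assumed layout: <dir>/*.ovpn holds several configs; <state> is a small file
# that remembers the config used last time (the post keeps its configs under
# /root/vpn-onoff-test/ovpn and a RETRY value in vpn-onoff-config).

# next_ovpn <dir> <state>: print the .ovpn that follows the last-used one
# (alphabetical order, wrapping around to the first) and remember it.
next_ovpn() {
  dir=$1; state=$2
  last=""; first=""; chosen=""; found=""
  if [ -f "$state" ]; then read -r last < "$state"; fi
  for f in "$dir"/*.ovpn; do
    [ -f "$f" ] || return 1            # the glob matched nothing: no configs
    if [ -z "$first" ]; then first=$f; fi
    if [ -n "$found" ]; then           # previous entry was the last-used one
      chosen=$f
      break
    fi
    if [ "$f" = "$last" ]; then found=1; fi
  done
  if [ -z "$chosen" ]; then chosen=$first; fi   # first run, or wrap around
  printf '%s\n' "$chosen" > "$state"
  printf '%s\n' "$chosen"
}

# try_connect_rotating <dir> <state> <retries> <cmd...>: the RETRY loop from
# the post. Runs "<cmd...> <config>" with a fresh config on every attempt;
# returns 0 at the first success, 1 after <retries> failures, and 2 when
# there is no config at all. In real use <cmd...> would be "openvpn --config";
# here it is whatever the caller passes (a simulated connector in the test).
try_connect_rotating() {
  dir=$1; state=$2; retries=$3; shift 3
  n=0
  while [ "$n" -lt "$retries" ]; do
    cfg=$(next_ovpn "$dir" "$state") || return 2
    if "$@" "$cfg"; then
      return 0
    fi
    n=$((n + 1))
  done
  return 1
}
```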

Gera
Posts: 9
Joined: Sat 21 Sep 2019, 19:49

#87 Post by Gera »

enrique, I've tried your script. It worked well with the freevpn set of ovpn files, but didn't work with vpnbook and vpngate.
With all vpngate files I had the same error:
VERIFY ERROR: depth=1, error=unable to get local issuer certificate: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Organization Validation Secure Server CA
...
TLS error: TLS handshake failed
My idea was to have all passwords in 1 file, because every 1-2 weeks passwords are changed and it will be convenient to edit only 1 file. For now I have separate username-password files for each freevpn ovpn file.
That 1 file with passwords may look like this:
#ovpn filename mask Username,Password
vpnbk* vpnbook,temppass
vpngate* vpn,vpn
fvpn-be.ovpn freevpn.be,temppass
fvpn-se.ovpn freevpn.se,temppass
...
Files that have the same password are grouped with an asterisk (*): vpnbk-pl, vpnbk-us1, ...

enrique
Posts: 595
Joined: Sun 10 Nov 2019, 00:10
Location: Planet Earth

#88 Post by enrique »

Gera

First of all, I thank OscarTalks again for this nice project. I am a happy user of it. I only submitted what I think are possible upgrades for his consideration in future releases.

Regarding vpngate configs:
In the past I have seen problems connecting to just a few servers. I assumed at the time it was a server issue. Sadly, it seems now there are more failing than connecting, so I now assume it is the client (we, the users). I am not sure what the final problem is: ca-certificates, openssl or openvpn?

I am no expert. My best guess is that our openssl is not finding valid ca-certificates, plus the fact that we run as root. I am using BusterDog64.

What Puppy are you using?
What is the content of your /etc/ssl/certs?

I made a small change. I hope you want to try it. See attachment. What I need you to do is to rename vpn-onoff-test/scripts/vpn-onoff-openvpn to vpn-onoff-test/scripts/vpn-onoff-openvpn.bck. Then copy the attached file to vpn-onoff-test/scripts/vpn-onoff-openvpn.

See if that helps. If that fails, then we may have to update your ca-certificates. But first try that file and let us know.

If you want to know what I did: I added --capath /etc/ssl/certs to the line:

Code:

xterm -T "Openvpn" -si -sb -fg white -bg SkyBlue4 -geometry 80x22 -e sh -c "openvpn --config $VPNONOFF/vpnconfig --script-security 2 --up $VPNUPSCRIPT --down $VPNDOWNSCRIPT --capath /etc/ssl/certs"
Attachments
vpn-onoff-openvpn-mod.tar

Gera
Posts: 9
Joined: Sat 21 Sep 2019, 19:49

#89 Post by Gera »

In /etc/ssl/certs folder I have many *.pem, *.crt, *.0 files.

All in all, with your scripts I managed to connect to at least 1 of vpngate, vpnbook and freevpn servers at least once.

Your script connected to only one of 30 vpngate servers. With that 1 server and the RETRY=6 setting, without the addition (--capath /etc/ssl/certs) I connected in 3 of 4 attempts (most of the time on the last, 5th/6th try), but with the addition in 0 of 4 attempts.

For those few vpnbook .ovpn files that work from time to time with OscarTalks' VPN-Start, it often takes 15-60 seconds before the IP is changed (and the icon of the active interface in the tray changes from green).
With your script it connected to the vpnbook server twice (out of 6-7 attempts), both times after the 2nd retry. When I couldn't connect with your script, at the same time with OscarTalks' VPN-Start I connected to that vpnbook server in 15 seconds. Probably it is because the 5 seconds waiting time in your script is not enough.

For FreeVPN servers yesterday I managed to connect with your script, but today openvpn fails every time after the "Peer Connection Initiated" line, with and without the addition (--capath /etc/ssl/certs):
VERIFY KU OK
...
VERIFY EKU OK
...
[www.FreeVPN.im] Peer Connection Initiated with [AF_INET] 212.129.4.6:443
For 1 FreeVPN server openvpn fails right after the call without any trace.

enrique
Posts: 595
Joined: Sun 10 Nov 2019, 00:10
Location: Planet Earth

#90 Post by enrique »

Gera
Just for your knowledge, after the change I have no trouble connecting fast. And my Puppy is in fact BusterDog64.

You never told me what Puppy you are using.

I am guessing the problem is not with vpn-onoff or my suggested scripts. It has almost nothing to do with VPN, but instead with the initial TLS handshake where normally user/password is provided. I know we are not doing user/password, but it is at that stage. It is OpenSSL that is failing.

WARNING: I am no expert. I do not know the perfect way to correct this. I can only suggest possible solutions. Now, if you use your Puppy for financial/banking or important personal USER/PASS situations, STOP. Please create a backup of your Puppy Save to test in a different Save file.

To do our test, just ignore vpn-onoff or the suggested scripts I provided. From now on let's just open a terminal and do manual commands. This will allow you to see the error, and then you can post what you see. Meanwhile I will try to create a solution to offer you, but I need to know your Puppy version.

First command. Let's see what errors OpenSSL itself shows:

Code:

openssl s_client -connect google.com:443 </dev/null | openssl verify
I am attaching a sample config I have tested. I know it works. IMPORTANT: If you are reading this, please go to https://www.vpngate.net/en/ and get your own config. These people are volunteers; please do not ALL at once try to connect to the same VPN server. There are hundreds to choose from at https://www.vpngate.net/en/. This exception is for a test for Gera.
This will be how we will test OpenVPN. IMPORTANT: this free service is up so that people can bridge government firewalls. PLEASE do not use it for movies or Netflix. We need to be considerate of these volunteers.

Code:

openvpn --config vpngate.ovpn --script-security 2 --capath /etc/ssl/certs
You should see "Initialization Sequence Completed" fast, with few or no retries.

Now, I am on Debian, so to update my CA I only have to do:

Code:

apt install ca-certificates
dpkg-reconfigure ca-certificates
On Puppy you may have to go to PPM and search for ca-certificates, then install. Let us know if it works for you.
Attachments
vpngate.ovpn.tar

Gera
Posts: 9
Joined: Sat 21 Sep 2019, 19:49

#91 Post by Gera »

enrique,
I don't want to take any chances or system-level risks. I am not proficient in Linux. Maybe I will try your advice later. Thanks for the help anyway.

enrique
Posts: 595
Joined: Sun 10 Nov 2019, 00:10
Location: Planet Earth

#92 Post by enrique »

I am sorry if I scared you with the warning; it was not my intention. Please notice that these commands are just normal uses. We are only using openssl and openvpn via the command line, because we want to see the response to find the problem. That is all. No changes are made. I am talking about:

This command ONLY asks openssl to establish a secure connection (HTTPS) with google.com. The purpose is to see if it completes without errors.

Code:

openssl s_client -connect google.com:443 </dev/null | openssl verify
At the end you need to press [CTRL]-C to close it, or close the Terminal Window.


This command ONLY connects to a vpngate server using OpenVPN in the terminal. Again, the purpose is to look at the errors.

Code:

openvpn --config vpngate.ovpn --script-security 2 --capath /etc/ssl/certs
At the end you need to press [CTRL]-C to close it, or close the Terminal Window.

Up to here no changes to the system are made. Now, the CA installation procedure does change your settings. I will be around. You can always send me a PM to wake me up if I do not respond.

markv
Posts: 3
Joined: Thu 23 Apr 2020, 17:30

#93 Post by markv »

enrique wrote:I tried your file and it works perfectly.

You need to make sure your new Kodi VPN-start and your netinfo.yad are executable and stored at /usr/bin

Code:

chmod +x /usr/bin/netinfo.yad
chmod +x /usr/bin/vpn-start
You should also mod vpn-start so that it calls netinfo.yad instead of the browser.
I forgot about netinfo.yad, thanks!

OscarTalks
Posts: 2196
Joined: Mon 06 Feb 2012, 00:58
Location: London, England

#94 Post by OscarTalks »

OpenVPN latest release is now 2.4.9
OpenVPN works in conjunction with OpenSSL and it is always good to have your versions of both as recent as possible.

OPENSSL VERSIONS
Debian and Ubuntu compile their openssl with versioning symbols, so you have to be careful when compiling and installing openssl from source, otherwise programs complain about "No Version Information" in the library. By tailoring your build environment you can install the latest openssl (e.g. 1.1.1g) from source and then link openvpn against that. Libraries of openssl which have different numbers can co-exist in your system, but openssl 1.1.0 and openssl 1.1.1 both have the number suffix 1.1, so in the case of some Puppies which have 1.1.0 it is probably not good to upgrade to 1.1.1 system-wide from source?
Bionic is a dilemma because early .isos have 1.1.0 but later .isos have a 1.1.1 upgrade. Probably best to install the latest via PPM.
In Tahr, openvpn gives an error against the latest openssl which does not happen in other Puppies.
In older Puppies which are earlier than openssl 1.1.0 you can add the latest 1.1.1g from source alongside, as there are no conflicts. Works fine in Wheezy and Slacko 14.0/14.1.
I am open to further clarification on this.

CRYPTOFREE VPN
I am looking at this free service from cryptostorm.is
They provide configs which use Ed25519 or Ed448 encryption, which is supposedly extremely secure, but openssl must be at least version 1.1.1.
It is working well in my tests. Data amount is unlimited but download speeds are restricted to around 1.6 to 1.8 Mbps (not 160kbps as some reports say). User name and password are wildcard so can be anything.

EXPERIMENTAL PACKAGES
Folks are advised to study this thread and build their own programs in accordance with their needs and wishes, but I am also still putting together some test packages compiled in different Puppies. These are mostly now at version 0.4.0 but should not be regarded as stable releases.

OpenVPN version 2.4.9
OpenSSL version 1.1.1g libs added if 1.1.1 not in the Puppy already (Bionic??)
Configs for CryptoFree added
New configs for freevpn.me which has been reduced to 2 servers now
Network info provided by script (thanks to jafadmin) rather than opening a browser
Different DNS handling avoids messy pushing and pulling and resolvconf - script uses reputable Cloudflare and then restores on disconnect

http://smokey01.com/OscarTalks
Oscar in England

nilsonmorales
Posts: 972
Joined: Fri 15 Apr 2011, 14:39
Location: El Salvador

#95 Post by nilsonmorales »

gettexted version for tahrpup here, please check it first.
cheers.
Spanish locales in the other attachment.
Attachments
MoManager-es-vpn-onoff-0.3.2-i686-tahr.tar.gz
Spanish locales / Spanish translation
gettext_vpn-onoff-0.3.2-i6866-tahr.tar.gz
gettexted version

phredo
Posts: 65
Joined: Mon 21 Oct 2013, 23:15

#96 Post by phredo »

Regarding protonvpn:

Since my username and password are 1) encrypted and 2) don't change over time, instead of linking the auth-user-pass setting to /etc/vpn-onoff/vpnpass, is there a way to hard code them into the ovpn files?
That way when using Proton one wouldn't need to go to the trouble of changing the vpnpass file.

Tip: Having so many ovpn files in one directory became confusing, so I created separate sub directories for the different groups. Just need to be sure the new vpnconfig link goes to the proper directory, which is a simple matter of deleting out the sub directory name in the provided path. I notice that one does not have to delete the old vpnconfig file but can just choose to replace it when creating the new link. This way also ensures you are selecting the correct name and location because you get the "replace?" prompt therefore knowing you are replacing the file that exists.

OscarTalks
Posts: 2196
Joined: Mon 06 Feb 2012, 00:58
Location: London, England

#97 Post by OscarTalks »

@phredo
Not sure if there is a way to put the username and password directly in the .ovpn file.
What you could do is create another passfile just for Proton.
For example /etc/vpn-onoff/protonpass
Best if this file does not have any write permissions.
Put your Proton login details in that.
Then set auth-user-pass to /etc/vpn-onoff/protonpass in the Proton .ovpn file.
Then so long as vpnconfig is a link to the Proton .ovpn file, everything is set and needs no editing.
This leaves the original vpnpass passfile for use with the others if ever you are switching to those.
Oscar in England
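As an added example (not code from vpn-onoff or from any post in this thread), here is the idea in this exchange combined with Gera's earlier single-credential-file layout, in POSIX sh: look up the username and password for a given .ovpn by filename mask from one master file, write them to a separate per-connection passfile that has no write permissions (the point OscarTalks makes above), and point the .ovpn's auth-user-pass line at it. The credential file format, the paths and the sample entries are assumptions constructed from those posts.

```shell
#!/bin/sh
# Added example, not vpn-onoff's own code. Assumed master credential file
# format (from Gera's post): one "<ovpn filename mask> <username>,<password>"
# per line, '#' starts a comment, and the first matching mask wins.

# make_sample_passfile <path>: writes a constructed sample master file.
make_sample_passfile() {
  cat > "$1" <<'EOF'
#ovpn filename mask Username,Password
vpnbk* vpnbook,temppass
vpngate* vpn,vpn
fvpn-be.ovpn freevpn.be,temppass
fvpn-se.ovpn freevpn.se,temppass
EOF
  chmod 600 "$1"                  # the master file holds every password
}

# lookup_creds <passfile> <ovpn basename>: prints username and password on
# two lines, the layout an OpenVPN auth-user-pass file expects.
# Returns 1 when no mask matches.
lookup_creds() {
  passfile=$1; name=$2
  while read -r mask creds; do
    case $mask in ''|'#'*) continue ;; esac
    case $name in
      $mask)                      # unquoted, so * and ? act as shell patterns
        printf '%s\n%s\n' "${creds%%,*}" "${creds#*,}"
        return 0 ;;
    esac
  done < "$passfile"
  return 1
}

# write_authfile <passfile> <ovpn basename> <authfile>: creates the
# per-connection passfile owner-read-only (mode 0400); a passfile with write
# permission is what makes OpenVPN print its warning about the file.
write_authfile() {
  creds=$(lookup_creds "$1" "$2") || return 1
  rm -f "$3"
  ( umask 077; printf '%s\n' "$creds" > "$3" )   # never world-readable
  chmod 400 "$3"
}

# set_auth_user_pass <ovpn file> <authfile>: replace (or append) the
# auth-user-pass line so the config uses the new passfile. The path must not
# contain '|' or '&', which the sed replacement would misinterpret.
set_auth_user_pass() {
  ovpn=$1; authfile=$2
  if grep -q '^auth-user-pass' "$ovpn"; then
    sed "s|^auth-user-pass.*|auth-user-pass $authfile|" "$ovpn" > "$ovpn.tmp" \
      && mv "$ovpn.tmp" "$ovpn"
  else
    printf 'auth-user-pass %s\n' "$authfile" >> "$ovpn"
  fi
}
```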

phredo
Posts: 65
Joined: Mon 21 Oct 2013, 23:15

#98 Post by phredo »

Thanks, what a simple, elegant idea! I take it making the file read only is just to keep me from inadvertently changing it?

I notice that freevpn.me reduced their servers to two, and I find that neither of them seems to work much of the time. The next-to-last time I visited the site, I saw that there were separate passwords for the two servers, and the last time I visited, the link to Server2 didn't work. Is that me, or has anyone else had problems with freevpn.me?

OscarTalks
Posts: 2196
Joined: Mon 06 Feb 2012, 00:58
Location: London, England

#99 Post by OscarTalks »

OpenVPN throws a warning if the passfile has write permissions because it regards it as a security vulnerability. I think it still works and you may not see any warning unless you are looking at it in terminal. Running as root you can still change the login details anyway in fact.

Yes, the freevpn.me service is now down to 2 servers. The link (or tab) for Server 2 account details refuses to load in some browsers but works in others. I think it must be a javascript thing which they have not got quite right. For a time the servers were a bit unreliable and I think there was some confusion about the passwords on the site being wrong, but on the occasions I have tried more recently the 2 servers have both loaded and worked OK.
Oscar in England

festus
Posts: 235
Joined: Wed 14 Jan 2015, 19:10

#100 Post by festus »

Thank you, Oscar, for these new versions of vpn-onoff-0.4.0.

I use both the 32 & 64 bit pets and for me this version is your best by far.

I do thank you again...

bliss, festus :D
