How to use openvpn for browsing

3

2

I'm just starting out with VPN and OpenVPN. What I understand is that I when I have a vpn connection, it's like I'm on the same network as the server. Then I should be able to connect to the server via the local address (10.8.x.x). Next to that I should be able to browse the internet via the server.

I have my own server in the cloud for personal stuff. I can use it for whatever I like. It runs on Debian 7. I installed openvpn and can connect to it from my laptop. I thought this would change my IP-address to the one of the server, but when I open whatismyip.com in the browser, I still see my normal IP.

This is the output for ifconfig:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    options=3<RXCSUM,TXCSUM>
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=27<RXCSUM,TXCSUM,VLAN_MTU,TSO4>
    ether 00:23:df:89:81:82
    media: autoselect
    status: inactive
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:23:6c:8f:4f:47
    inet6 fe80::223:6cff:fe8f:4f47%en1 prefixlen 64 scopeid 0x5
    inet 192.168.1.22 netmask 0xffffff00 broadcast 192.168.1.255
    media: autoselect
    status: active
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
    ether 02:23:6c:8f:4f:47
    media: autoselect
    status: inactive
tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff
    open (pid 909)

So I'm a bit lost here. Do I have to configure a proxy in the browser? If so, that's only the browser. Is there a way to set a switch to connect via vpn only? And in case I misunderstand the way vpn works, please explain.

SPRBRN

Posted 2013-08-11T22:53:12.293

Reputation: 5 185

Answers

4

Instead of using OpenVPN, use SSH tunneling. This works better and is much easier to setup ans is also encrypted. One additional bonus is that unlike OpenVPN, if the connection is closed, you will no longer be able to browse the internet. With OpenVPN, if the connection is closed you will automatically be put back on your own network and be allowed to continue browsing without warning. Nothing needs to be changed on your server.

If you run Windows on your computer:

  1. Download PuTTY (if you don't have it already)
  2. In the Category side panel, go Connection>SSH and check Enable Compression
  3. In the Category side panel, go Connection>SSH>Tunnels and enter a number in the source port field. I typically use 3456. Then select Dynamic and finally click Add.
  4. In the Category side panel, go back to Session. Enter your username@hostname (replacing your_username with your username on the system and hostname with the domain or IP address of your server) in the hostname field and then save the session.
  5. Click Open and then enter your password.
  6. Download Firefox if you don't already have it.
  7. In Firefox, go Firefox>Options and then Advanced>Network>Settings.
  8. Select Manual proxy configuration and then delete everything in all of the editable boxes.
  9. Enter localhost as the SOCKS Host and enter 3456 (or whatever port you used in step 3) as the Port.
  10. Click Ok for both open Firefox configuration windows.
  11. Enter about:config in Firefox's location bar and press enter. Tell Firefox that you will be careful.
  12. Search for network.proxy.socks_remote_dns and double click on it to set it to true.

If you run Linux or Mac OS on your home computer:

  1. Open a terminal and type ssh -CD:3456 your_username@hostname (replacing your_username with your username on the system and hostname with the domain or IP address of your server) and press enter.
  2. Download Firefox if you don't already have it.
  3. In Firefox, go Edit>Preferences and then Advanced>Network>Settings.
  4. Select Manual proxy configuration and then delete everything in all of the editable boxes.
  5. Enter localhost as the SOCKS Host and enter 3456 (or whatever port you used in step 3) as the Port.
  6. Click Ok for both open Firefox configuration windows.
  7. Enter about:config in Firefox's location bar and press enter. Tell Firefox that you will be careful.
  8. Search for network.proxy.socks_remote_dns and double click on it to set it to true.

When you are done, close PuTTY or the terminal and set Firefox to use No proxy instead of the manual one you configured. Next time you want to connect, just run your saved PuTTY session or run the command line command and set Firefox to use the Manual proxy configuration option. Firefox will remember your proxy settings.

Ian

Posted 2013-08-11T22:53:12.293

Reputation: 191

I have used tunnels before to connect my local database client to the database on the server. I have created a special user on the server for this and can make a connection. Browsing results in the browser reporting that the connection is reset. So it doesn't work. I can ping to yahoo.com when logged into the server via ssh, so DNS works. Maybe it's what @davidgo says, and I have to configure iptables. I'm using UFW and prefer to avoid iptables if possible. – SPRBRN – 2013-08-14T15:19:03.457

I got it working on my Android phone, using SSH Tunnel. When I open whatismyip.com, I see the IP of the server. – SPRBRN – 2013-08-14T15:28:04.637

1

(Note that where I have given examples they are minimal, and you need to satisfy yourself you understand how they work and flesh them out our you could lock yourself out your box. Also, these instructions are not permanant - so you can at least reboot to make the problem go away if you do something stupid.) I'm not convinced that a proxy of this nature is a good idea as an always-on solution because of complexity, reduced speed and curveball problems it will throw at you.

You don't need to configure a proxy. What you do need to ensure is that your OpenVPN server provides a default route (and with a lower metric so its preferred) via the OpenVPN server.

push "redirect-gateway XXXX def1"

You will probably also need tell the OpenVPN server to NAT the connection so that it will share the IP address of the server - as 10.x.x.x is not globally routed. You can do this by adding the command (on the server)

iptables -t NAT -A POSTROUTING -o ethX -j MASQUERADE

If you want to ensure you connect via OpenVPN you would want to put a firewall on your VPN client preventing traffic going out via the normal interface (except traffic to the OpenVPN server).

iptables -I INPUT -j DROP
iptables -I INPUT -s SERVER.IP -j ACCEPT

davidgo

Posted 2013-08-11T22:53:12.293

Reputation: 49 152

I like the ssh-tunnel solution to start with. When using that I have the same problem, I can connect but not browse. Is that the same issue? – SPRBRN – 2013-08-14T15:20:58.793

I just got it working on my phone, using SSH Tunnel, so that's great. – SPRBRN – 2013-08-14T15:28:34.200

Asked: 2013-08-11T22:53:12.293

Viewed: 4 809 times

Active: 2013-08-12T03:24:53.620