HideMyAss VPN

Friday, May 17, 2013

How to Use Proxyserver as VPN router alternative

By running a proxy server on a Linux device, you can let multiple devices use your VPN connection without the need of getting a VPN router.
This works on any Linux-based device, e.g. Raspberry Pi, Linux-on-Android (e.g. via Linux Deploy) or even on a virtual machine.
If you want even more security, prevent fallsbacks to your real IP and ensure that your whole system is using the VPN, check this:

Tutorials:Using local PPTP server as VPN router alternative


Advantages:
  • you can even let devices use the VPN that only support proxies
  • you can let an unlimited number of devices use the VPN
  • you can use the VPN from anywhere, even on places where VPN is blocked
  • you don't need a VPN router

Example scenarios of use:
  • Your router does not support VPN: But using a local proxy server on your Linux device, you can just let all your devices connect to the proxy in order to have them protected by HMA Pro VPN.
  • You have devices that do not support VPN, but do support proxies. Now they can be protected by the VPN as well!
  • You don't want to use internet connection sharing or purchase a VPN router to protect all your devices by the VPN.
  • HMA's servers are blocked on a public or on your mobile connection. Using the local proxyserver you can now use the VPN from anywhere, since you are still able to connect to your home IP.



This tutorial is using tinyproxy as proxy server.
Basic Linux knowledge is required though!

Contents



Step 1: Install necessary packages


apt-get install wget curl sed tinyproxy openvpn iptables nano


Step 2: Modify /etc/tinyproxy.conf


nano /etc/tinyproxy.conf

Scroll down to this part:

# Allow: Customization of authorization controls. If there are any
# access control keywords then the default action is to DENY. Otherwise,
# the default action is ALLOW.
#
# The order of the controls are important. All incoming connections are
# tested against the controls based on order.
#
Allow 127.0.0.1

Here you can add IPs or subnets that are allowed to use the proxy.
So if you want to let only client IP 192.168.0.35 use the proxy, add:
Allow 192.168.0.35

If you want to let the whole subnet 192.168.0.x use the proxy, add:
Allow 192.168.0.0/24

Now, scroll down to this part:
# ConnectPort: This is a list of ports allowed by tinyproxy when the
# CONNECT method is used.  To disable the CONNECT method altogether, set
# the value to 0.  If no ConnectPort line is found, all ports are
# allowed (which is not very secure.)
#
# The following two ports are used by SSL.
#
ConnectPort 443
ConnectPort 563

Comment the "ConnectPort 443" line, so it looks like this:
# ConnectPort 443
Of course you can also remove it.
This is required, otherwise the proxy can't be used while the VPN is connected via OpenVPN-TCP on port 443.

Save the file, exit nano.

Now, enable forwarding if you wish to have access to your entire home network while away.
Edit the ‘sysctl’ file.
nano /etc/sysctl.conf
Find “net.ipv4.ip_forward=1” and uncomment it (or change =0 to =1) to enable forwarding.
Now, execute the following command to apply changes:
sysctl -p

Step 3: Testing the proxy


Start tinyproxy by running "tinyproxy".

Now get onto your client to test the proxy.
Set it to use the IP of the device where tinyproxy is running, at standard port 8888.
This is easily done in Windows by opening Internet Explorers menu:
Tools - Internet Options - Connections - LAN settings
Check: Use a proxy server for your LAN
Address: IP of the device where tinyproxy is running on
Port: If not configured in tinyprox.conf otherwise, its 8888
Click OK.

Browse to e.g. ipaddress.com
If you get an error page, tinyproxy.conf wasn't properly configured to allow you access.
If you can browse, tinyproxy is working.


Step 4: Connecting to VPN


Now download the HideMyAss OpenVPN connection script:
wget http://hmastuff.com/hma-vpn.sh

Make it executable:
chmod +x hma-vpn.sh

Connect to the VPN (e.g. "./hma-vpn.sh -p tcp Texas")
When the VPN is connected, go to ipaddress.com on your client computer and check location again.
It should now show you the location of the VPN server. Thats all!
Now you can set any device to use the proxy server, and it will automatically use the VPN connection.


Notes


  • If you get any permission denied errors, or can't modify file contents in the editor, make sure you have root access.
    Do so either by first running "su" and then proceed, or prefix each command with "sudo".
  • To use the proxyserver from outside of our local network, you'll need to create a port forwarding rule on your router
    for the port the proxyserver is running on (in this example, TCP port 8888) to the IP of the linux device.
    Here's a list of tutorials for various routers on how to create port forwarding rules.
    Since you may not always know your external IP, consider using a Dynamic DNS service on it.
  • When running the proxyserver on a virtual machine, you will have to use a bridged network setup in your virtualization software,
    so that the device fetches its own IP from your networks DHCP server.
  • To prevent non-proxified traffic, you could forbid all traffic that is not coming from / going to the proxy servers IP, e.g. with Windows or Comodo Firewall.
    For links on how IP binding rules are created, see the article IP Binding
  • Having trouble with this tutorial? Have suggestions, improvements, questions? Feel free to email in at wiki@hmastuff.com

Internet Explorer Proxy configuration

1 comment: