Hey guys,
I'd like to propose this post as a replacement for my recent [DEPRECATED] Secure browsing and torrenting howto.
First, a couple of considerations:
I'm using Stretch
OpenVPN in NetworkManager-applet is broken on Jessie
You can still run openvpn configurations from the command line
I'm going to cover configuration options with NordVPN
Your mileage may vary; conduct frequent tests!
Stealing copyrighted stuff is bad, don't do it
Also, one thing I'd like to mention is firejail. In my initial howto, I referenced firejail a lot, but its utility is a pretty contentious topic. It also chained processes together (in my experience) with weird rulesets and made day to day computing a bit more difficult. If you've followed my previous guide and/or run 'firecfg' before, you may want to run 'firecfg --clean' to remove the default rulesets.
The only other difference between this guide and my previous guide is that the kernel setting turning IPv6 off doesn't really make a difference, AFAICT. So we'll skip that part as well.
First things first: find a VPN service. I'll reference NordVPN here. Good rules of thumb are to see what their logging policy is (NordVPN does not persist logs) and to see if they allow you to force-select the country of origin. I like NordVPN because I can masquerade as someone in the USA for Netflix purposes when traveling abroad, but I can also force my traffic to be routed through countries with better privacy laws than the USA (Switzerland, for example).
Ok, first let's install openvpn
sudo apt-get install openvpn network-manager-openvpn-gnome
And let's bounce our network-manager service
sudo service network-manager restart
Next, let's get our .ovpn files (OpenVPN configuration files) and store them somewhere convenient. In this example I will get configuration files from NordVPN and store them in ~/vpn/
mkdir ~/vpn
cd ~/vpn
wget https://downloads.nordcdn.com/configs/archives/servers/ovpn.zip
unzip ovpn.zip
rm ovpn.zip
Identify which configuration file(s) you'd like to use. With NordVPN, you can check for the server names on this website. Pick from "Standard VPN Servers" and select the country you'd like to transmit from. Note the corresponding .ovpn file (pick either TCP or UDP, I'm unsure if it makes all that much of a difference, but TCP gave me better error control while streaming videos).
Now, let's get a quick baseline. Open up firefox and surf to https://ipleak.net and notice that it can detect your current IP, it can detect WebRTC, it knows a multitude of DNS servers you're accessing, among other things. Another good place to sanity check these things is https://www.dnsleaktest.com - run the extended test. Consider this our baseline for now, we'll refer to these websites again shortly.
The next portion will be broken up into OpenVPN via CLI, or OpenVPN via Network-Manager.
OpenVPN via CLI (jessie users, most likely)
Open up a terminal session. Remember that .ovpn file we previously identified? Invoke openvpn here (as root) and point at it
sudo openvpn [file name]
So, for example
sudo openvpn ~/vpn/ovpn_tcp/us842.nordvpn.com.tcp.ovpn
NOTE: You have to keep this terminal session open and alive and manually inspect what's happening in your terminal to make sure the VPN hasn't died.
OpenVPN via Network-Manager (stretch users)
Click on the network icon in your taskbar (this is network-manager-applet or nm-applet), select VPN Connections -> Configure VPN. Pro-tip: you can invoke this from a CLI via 'sudo nm-connection-editor' and then click "Add").
From here you want to "Import a Saved VPN Configuration". Locate your corresponding .ovpn file you'd like to use (commensurate with the server you'd like to use) and configure the login name. You can save your password here as well, but it's something I prefer not to do.
To activate, just click your network manager applet, VPN connection, and select the VPN.
Back to configuration for all users, again:
Let's do another quick sanity check against https://ipleak.net and https://www.dnsleaktest.com - notice that our IP address is different now, but we're still leaking a bit of information. We're going to fix this, but it's going to be down a Firefox path, so as far as configuration in other browsers, YMMV. Also the configuration changes we're making here will also impact traditional Firefox sessions...so you may have some decreased standard browsing utility if Firefox is your every day browser.
We're going to deal with the small scale, browser specific stuff first. DNS fixes will come shortly.
Open Firefox, and in your URL search bar, type about:config and accept the dialog that follows. We need to change a few settings to be non-default. First, find "media.peerconnection.enabled" and set it to false. This should fix the "WebRTC leaks" portion.
Next, let's turn off IPv6 in Firefox. Still in about:config, go ahead and find "network.dns.disableIPv6" and set it to true.
We should also turn off location services. While still in about:config find "geo.enabled" and switch it to false.
Ok, now if we reload https://ipleak.net and https://www.dnsleaktest.com it looks like everything but DNS works as expected. DNS leaks suck if you don't want your ISP to know the websites you're looking up. Seems reasonable to me to not want to share every detail of every website I look up, so we'll go ahead and wrap this into our VPN session now.
The fix for DNS leaks is a bit of a mystery to me insofar as how it's actually working. For me, it was a one-liner that solved all of this in the end:
sudo apt-get install openresolv nscd unbound
Somehow this scripted a way to pull DNS information from the OpenVPN session and stick it into a file, and then symlink /etc/resolv.conf to that file. It's some way for multiple services to manage /etc/resolv.conf. I never liked the idea of hardcoding values into that, so this works for me, but I still don't really know how it's all working.
One question I have (for the group) which I'd like to figure out is how to kill certain connections when VPNs die. How do I kill my secure/private Firefox session? How do I kill transmission-gtk?
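For the "somehow this scripted a way to pull DNS information from the OpenVPN session" part above, here is an added example (not code from the original post, and not the script the openvpn package ships) that shows the mechanism in miniature. OpenVPN exports every option the server pushes as environment variables foreign_option_1, foreign_option_2, ... when it runs an up/down script, and openresolv's resolvconf(8) takes nameserver lines on stdin and regenerates /etc/resolv.conf from them. The assumptions are: openresolv is installed, the .ovpn file is changed to run this script (lines shown in the comments), and the tunnel device name comes from OpenVPN's dev variable; the addresses in the self-test are constructed documentation-range values, not NordVPN's.

```shell
#!/bin/sh
# Added example: a minimal OpenVPN up/down hook that hands pushed DNS
# servers to openresolv. To use it, add to the .ovpn file (assumption:
# the NordVPN files do not ship these lines):
#     script-security 2
#     up   /etc/openvpn/push-dns.sh
#     down /etc/openvpn/push-dns.sh
# The Network-Manager route does not use this; NM handles pushed DNS itself.

# Print resolv.conf lines built from OpenVPN's foreign_option_N variables,
# e.g. foreign_option_1="dhcp-option DNS 192.0.2.53". Stops at the first gap.
nameservers_from_env() {
    i=1
    while eval "opt=\${foreign_option_$i:-}"; [ -n "$opt" ]; do
        set -- $opt                       # split "dhcp-option DNS 192.0.2.53"
        if [ "$1" = "dhcp-option" ]; then
            case "$2" in
                DNS)    echo "nameserver $3" ;;
                DOMAIN) echo "search $3" ;;
            esac
        fi
        i=$((i + 1))
    done
}

# Self-test on constructed values (documentation ranges, not real servers).
# Returns 0 when the parser produces the expected three lines.
selftest() {
    foreign_option_1="dhcp-option DNS 192.0.2.53"
    foreign_option_2="dhcp-option DOMAIN example.test"
    foreign_option_3="dhcp-option DNS 198.51.100.53"
    expected="nameserver 192.0.2.53
search example.test
nameserver 198.51.100.53"
    [ "$(nameservers_from_env)" = "$expected" ]
}

# OpenVPN sets script_type to "up" or "down" and dev to the tun device.
case "${script_type:-}" in
    up)   nameservers_from_env | resolvconf -a "${dev}.openvpn" ;;
    down) resolvconf -d "${dev}.openvpn" ;;
esac

# Run "./push-dns.sh selftest" by hand to check the parser offline.
if [ "${1:-}" = "selftest" ]; then
    selftest && echo "parser ok"
fi
```

When the tunnel comes up, resolvconf rewrites /etc/resolv.conf with the tunnel's servers at the top; when openvpn exits, the down branch removes them again, so the ISP's servers only come back once the VPN is actually gone. With unbound in the picture, openresolv can instead write those servers as forward zones for unbound (the unbound_conf setting in resolvconf.conf), which is why the three-package install made the leak disappear without hardcoding anything.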
Nice writeup once again.
Regarding IPv6: if you don't want it or need it, i.e. your ISP doesn't provide it, which is still a common thing, it's a waste of resources and also implies constantly running processes trying to do something that cannot be achieved, which might make browsing annoyingly slow in some cases. In these scenarios, instead of disabling IPv6 only within the browser, it can be safely disabled globally via GRUB as you pointed out in your previous thread (or via sysctl if that applies to the system).
I really liked the former idea with firejail and blocking every connection on default.
If there is a VPN, it's good to think about how to block every connection if the VPN stops working. Is this related to your question, i.e. how to kill Firefox IF the VPN dies? Or generally? (That would be, e.g., pgrep -a and then pkill -x -f pgrepoutput.)
Interestingly I dealt with some dns mess-up, found a hint on the net and ended up installing also those three packages (openresolv, nscd, unbound). Everything started working smoothly and sometimes I got the impression that generally I have less traffic (and faster dns resolving).
For checking the correct settings there is one more useful site called doileak.com.
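The pgrep/pkill suggestion above, turned into a small watchdog as an added example (not from the original thread): it polls the link table, and the moment the tunnel device is gone or not UP it kills the listed applications with pkill -x. Assumptions: the tunnel is tun0 (check with ip link while connected; OpenVPN removes the device when it exits) and the process names match what pgrep -a shows on your box (Debian's Firefox is firefox-esr). The ip -o link output used by the self-test is a constructed sample.

```shell
#!/bin/sh
# Added example: application kill switch for a dying VPN.
#   ./vpn-watch.sh watch      poll every INTERVAL seconds and kill apps
#   ./vpn-watch.sh selftest   check the link parser on a constructed sample
VPN_DEV="${VPN_DEV:-tun0}"                                # assumption
APPS="${APPS:-firefox-esr firefox transmission-gtk}"      # assumption
INTERVAL="${INTERVAL:-5}"

# tunnel_is_up LINKS DEV: LINKS is the text of 'ip -o link show', DEV the
# interface name. Returns 0 only when a line for DEV exists and its flag
# set contains UP (LOWER_UP alone does not count).
tunnel_is_up() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        $2 == (dev ":") && $3 ~ /[<,]UP[,>]/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Kill every app in APPS. -x matches the whole process name, so "firefox"
# does not accidentally match "firefox-esr" (list both if you run both).
kill_apps() {
    for app in $APPS; do
        pkill -x "$app" && echo "killed $app"
    done
}

watch() {
    while :; do
        if ! tunnel_is_up "$(ip -o link show)" "$VPN_DEV"; then
            echo "$(date '+%F %T') $VPN_DEV is down, stopping: $APPS" >&2
            kill_apps
        fi
        sleep "$INTERVAL"
    done
}

# Constructed sample of 'ip -o link show' (three devices, tun0 up).
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 100\    link/none'

# Returns 0 when the parser says: tun0 up, eth0 (flags without UP) down,
# and tun0 down once its line disappears.
selftest() {
    tunnel_is_up "$SAMPLE_LINKS" tun0 || return 1
    if tunnel_is_up "$SAMPLE_LINKS" eth0; then return 1; fi
    gone=$(printf '%s\n' "$SAMPLE_LINKS" | grep -v 'tun0:')
    if tunnel_is_up "$gone" tun0; then return 1; fi
    return 0
}

case "${1:-}" in
    watch)    watch ;;
    selftest) selftest && echo "parser ok" ;;
esac
```

Killing the applications is a best-effort answer to the question as asked: there is a window of up to INTERVAL seconds between the tunnel vanishing and the kill, during which Firefox or transmission-gtk can already have sent packets over the bare ISP link. A firewall rule set that only allows traffic out of tun0 (plus the VPN server itself on the physical interface) closes that window and is the usual complement to a script like this.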
ended up installing also those three packages (openresolv, nscd, unbound)
Yes, unbound is brilliant, I have it running on all of my boxen:
alpine:~$ cat /etc/resolv.conf
nameserver 127.0.0.1
alpine:~$
I wouldn't mind seeing it as the stock resolver for BunsenLabs, I think Ubuntu run it as standard.
unbound is brilliant, I have it running on all of my boxen:
alpine:~$ cat /etc/resolv.conf
nameserver 127.0.0.1
alpine:~$
I wouldn't mind seeing it as the stock resolver for BunsenLabs, I think Ubuntu run it as standard.
Having just changed my DNS nameservers for a substantial speed boost, I find this topic interesting.
Does unbound have any meaning when working through a router?
Could you write - or link to - a simple get-started HOWTO?
Does unbound have any meaning when working through a router?
Yes because it is a caching resolver so any queries are remembered to save time in future.
It's also DNSSEC capable but I would be surprised if your ISP didn't do that.
Could you write - or link to - a simple get-started HOWTO?
Full configuration instructions here:
http://www.unbound.net/documentation/howto_anchor.html
DNSSEC isn't actually needed to enjoy the caching benefits though so just installing the package and changing /etc/resolv.conf to point to 127.0.0.1 should be enough.