I recently signed up for VPN service through IP Vanish (well, several providers, but that’s the one that stuck). While I like their client software, I was mildly annoyed with having to start and stop the thing when I wanted to run traffic through it, and with having it run ALL my traffic when that’s not necessarily what I wanted.
My solution was to spin up an Arch Linux Hyper-V virtual machine on a Windows Server 2012 host and configure it as a Squid caching proxy and VPN client. Then I just pointed the applications that I wanted at it and let it proxy my traffic through the VPN. I went one step further by abandoning uTorrent and installing Deluge and BrickyBox’s Sick-Beard clone for torrent management, saving the data to my Drobo-FS.
Note: I have removed all of the comments from these configuration files, since most of them were in the default files to begin with (so you can still read them there if you want) and aren’t relevant to the configurations themselves. I encourage you to understand what these files are actually doing, not just paste them into your configs.
Configuring PPP for the IPVanish VPN
Dependencies
Configuration
/etc/ppp/chap-secrets:
# Secrets for authentication using CHAP
YOUR_USER_NAME SERVER_ALIAS PASSWORD BIND_IPS
Obviously, replace YOUR_USER_NAME, SERVER_ALIAS, and PASSWORD with your specific information. For BIND_IPS, I used an asterisk to bind to all IP addresses. You can be more specific here if you’d like. This file holds your VPN password in clear text, so leave it readable by root only (the default permissions).
/etc/ppp/peers/ipvanish:
persist
maxfail 0
pty "pptp sea-a01.ipvanish.com --nolaunchpppd"
name YOUR_USER_NAME
remotename SERVER_ALIAS
require-mppe-128
file /etc/ppp/options.pptp
ipparam SERVER_ALIAS
updetach
Again, change YOUR_USER_NAME to reflect your IP Vanish username, make sure that SERVER_ALIAS matches what you put in chap-secrets, and use the server that you want to connect to for the pty parameter.
/etc/ppp/options.pptp:
lock
noauth
nobsdcomp
nodeflate
Enable traffic routing
Now that we have a functioning VPN, we want to route all of our traffic through it. pppd runs the scripts in these directories when the link comes up and goes down, passing the interface name as $1, the remote address as $5 and the ipparam value as $6. Be sure to chmod +x both of these scripts.
/etc/ppp/ip-up.d/10-start-all-to-tunnel-routing.sh:
#!/bin/sh
# Arguments from pppd: $1 interface, $5 remote address, $6 ipparam
PRIMARY=eth0
SERVER=$5
GATEWAY="192.168.1.1"
CONNECTION=$6
if [ "${CONNECTION}" = "" ]; then CONNECTION=${PPP_IPPARAM}; fi
TUNNEL=$1
if [ "${TUNNEL}" = "" ]; then TUNNEL=${PPP_IFACE}; fi
if [ "${CONNECTION}" = "ipvanish" ] ; then
    # keep the remote address reachable over the physical interface
    # (ip route uses "via", not the old route(8) "-host ... gw" syntax)
    ip route del ${SERVER} dev ${TUNNEL}
    if [ "${GATEWAY}" = "" ] ; then
        ip route add ${SERVER} dev ${PRIMARY}
    else
        ip route add ${SERVER} via ${GATEWAY} dev ${PRIMARY}
    fi
    # send everything else through the tunnel
    ip route del default dev ${PRIMARY}
    ip route add default dev ${TUNNEL}
fi
/etc/ppp/ip-down.d/80-stop-all-to-tunnel-routing.sh:
#!/bin/sh
# Arguments from pppd: $1 interface, $5 remote address, $6 ipparam
PRIMARY=eth0
SERVER=$5
GATEWAY="192.168.1.1"
CONNECTION=$6
if [ "${CONNECTION}" = "" ]; then CONNECTION=${PPP_IPPARAM}; fi
TUNNEL=$1
if [ "${TUNNEL}" = "" ]; then TUNNEL=${PPP_IFACE}; fi
# the ipparam must match the one in /etc/ppp/peers/ipvanish exactly
if [ "${CONNECTION}" = "ipvanish" ] ; then
    # direct packets back to the original interface
    ip route del default dev ${TUNNEL}
    ip route del ${SERVER} dev ${PRIMARY}
    if [ "${GATEWAY}" = "" ] ; then
        ip route add default dev ${PRIMARY}
    else
        ip route add default via ${GATEWAY} dev ${PRIMARY}
    fi
fi
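Before pointing Squid at the tunnel it is worth checking that the two scripts above left the routing table in the state they are meant to: default route on the tunnel, and the remote address still carrying a host route over the primary interface. The following check is an added example, not part of the original post; it parses a constructed ip route show dump (192.0.2.10 is a stand-in for the remote address) so it runs offline, and on the proxy box you would pass "$(ip route show)" instead.

```shell
#!/bin/sh
# Added example: verify the routing state expected while the tunnel is up.
# All addresses are constructed; 192.0.2.10 stands in for the remote end.

# Table as it should look after 10-start-all-to-tunnel-routing.sh ran.
ROUTES_UP='default dev ppp0 scope link
192.0.2.10 via 192.168.1.1 dev eth0
172.20.0.1 dev ppp0 proto kernel scope link src 172.20.0.3
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.126'

# Table as it should look after 80-stop-all-to-tunnel-routing.sh ran.
ROUTES_DOWN='default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.126'

# dev_of ROUTES PREFIX: device of the route whose destination is PREFIX
# ("default" or a host address); prints nothing if there is no such route.
dev_of() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == p { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }'
}

# tunnel_src ROUTES DEV: local address the kernel reports for DEV. This is
# the value Squid needs in tcp_outgoing_address.
tunnel_src() {
    printf '%s\n' "$1" | awk -v d="$2" '
        { for (i = 1; i <= NF; i++) if ($i == "dev" && $(i + 1) == d)
              for (j = 1; j <= NF; j++) if ($j == "src") { print $(j + 1); exit } }'
}

# check_tunnel_routing ROUTES TUNNEL PRIMARY SERVER
# Succeeds only when the default route sits on TUNNEL and SERVER has a host
# route over PRIMARY. Without that host route the tunnel's own packets would
# be sent into the tunnel and the link collapses; without the default route
# on the tunnel, Squid traffic leaks straight out of PRIMARY.
check_tunnel_routing() {
    [ "$(dev_of "$1" default)" = "$2" ] && [ "$(dev_of "$1" "$4")" = "$3" ]
}

if check_tunnel_routing "$ROUTES_UP" ppp0 eth0 192.0.2.10; then
    echo "tunnel routing OK; tcp_outgoing_address $(tunnel_src "$ROUTES_UP" ppp0)"
else
    echo "tunnel routing is NOT in place" >&2
fi
```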
Creating a custom systemd unit
To help facilitate automation, I created a custom systemd unit for the VPN so I wouldn’t have to manually start and stop it all the time.
/usr/lib/systemd/system/ipvanish.service:
[Unit]
Description=IPVanish Proxy
After=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
PIDFile=/run/ipvanish.pid
ExecStart=/usr/bin/pon ipvanish
ExecStop=/usr/bin/poff ipvanish
[Install]
WantedBy=multi-user.target
After you create the unit, you can start and stop the proxy with systemctl start ipvanish and systemctl stop ipvanish respectively. You can also make it start at boot with systemctl enable ipvanish.
Installing Squid
Dependencies
Configuration
The Squid package will automatically create a proxy user for you, as well as the necessary systemd units. The only changes that are necessary are in the /etc/squid/squid.conf file. A lot of those changes are going to be predicated on your caching needs. I’m not going to go into too much detail here, and will just show the two lines that you need in your squid config to make this work. The rest of the stuff for actually storing objects and ACLs and the like, I’ll leave as an exercise to the reader. One thing not to skip: keep Squid’s default http_access rules (allow localnet, deny all) in place, otherwise a port bound to your LAN address is an open proxy for anything that can reach it.
/etc/squid/squid.conf:
tcp_outgoing_address 172.20.0.3 # This is the IP of your VPN
http_port 192.168.1.126:3128 # This is the IP of your machine
Mounting network shares
Dependencies
pacman -S smbclient autofs
I am mounting my network shares with AutoFS so they’ll come up as soon as someone (deluged) tries to use them. This will mount the one share specified in my auto.media file as /mnt/MOUNT_NAME. Be sure to change NAS_IP, NAS_PATH, and MOUNT_NAME to reflect your setup. In the credentials file, set your USERNAME and PASSWORD for the user that you’ll be connecting to the NAS as; since that file holds the NAS password in clear text, make it readable by root only (chmod 600). The dir_mode and file_mode directives set the permissions of the mounted directories and files. Mine are set to 777 so that everybody has write access to them, specifically the deluged user.
/etc/autofs/auto.master:
/mnt /etc/autofs/auto.media
/etc/autofs/auto.media:
MOUNT_NAME -fstype=cifs,file_mode=0777,dir_mode=0777,credentials=/etc/samba/credentials,workgroup=WORKGROUP ://NAS_IP/NAS_PATH
/etc/samba/credentials:
username=USERNAME
password=PASSWORD
Installing Deluge
Dependencies
pacman -S deluge python-mako
This was incredibly trivial. Just install the packages from the Arch repository. I did some light configuration through the web UI to point deluged at my mounted NAS shares, and I was off to the races.