Fedora Magazine runs a handy article for anyone using work/corporate VPNs from a home computer – “Using the NetworkManager’s DNSMasq plugin“. This is also not the only use for the DNSMasq plugin. It comes in useful when you work local cluster setups for development or testing. Furthermore, pretty much any setup where you need to route DNS queries to different servers, this can either be used out of the box, or provide good ideas as to how to solve the problem.
SSH vs OpenVPN for Tunneling
I have never particularly liked Virtual Private Networking (VPN). From the old days, when there were a gadzillion of proprietary implementations, each being super slow, resource hungry, and requiring a mess of versions specific requirements, like Java and Firefox. Secure Shell (SSH) has always been my choice for remote connections and tunneling.
Today I came across this article, which also shows that SSH tunnels are much faster than OpenVPN (if one has to use VPN, OpenVPN is probably the best choice around). Needless to say they are also much easier to setup, both manually and automatically.
This adds yet another argument to my SSH vs VPN toolbox.
Is VPN Legal in Your Country?
TheBestVPN.com published a study of whether or not VPNs are legal in 196 countries around the world. There is a summary for each, and some links to details of the research.
VPNs are legal, generally.
It depends largely on the country you’re physically sitting in while using a VPN. But even then, their laws and restrictions are often opaque. What’s legal vs. illegal is not always clear. Some activities, while frowned upon, are still shrouded in grey area. In this research we fact-checked 196 countries laws and their opinions on VPNs.
VPNs are illegal in: China, Turkey, Iraq, United Arab Emirates, Belarus, Oman.
VPNs are some-what illegal in: Iran, North-Korea, Turkmenistan.
P.S.: If you can’t access the links above, VPN is probably illegal (or at least blocked) in your country or region.
Automate OpenVPN client on CentOS 7
I need to setup OpenVPN client to start automatically on a CentOS 7 server for one of our recent projects at work. I’m not well versed in VPN technology, but the majority of the time was spent on something that I didn’t expect.
I go the VPN configuration and all the necessary certificates from the client, installed OpenVPN and tried it out. It seemed to work just fine. But the setting it up to start automatically and without any human intervention took much longer than I though it would.
The first issue that I came across was the necessary input of username and password for the VPN connection to be established. The solution to that is simple (thanks to this comment):
- Create a new text file (for example, /etc/openvpn/auth) with the username being the first line of the file, and the password being the second. Don’t forget to limit the permissions to read-only by root.
- Add the following line to the VPN configuration file (assuming /etc/openvpn/client.conf): “auth-user-pass auth“. Here, the second “auth” is the name of the file, relative to the VPN configuration.
With that, the manual startup of the VPN (openvpn client.conf) was working.
Now, how do we start the service automatically? The old-school knowledge was suggesting “service openvpn start”. But that fails due to openvpn being an uknown service. Weird, right?
“rpm -ql openvpn” pointed to the direction of the systemd service (“systemctl start openvpn”). But that failed too. The name of the service was strangely looking too:
# rpm -ql openvpn | grep service /usr/lib/systemd/system/openvpn@.service
A little (well, not that little after all) digging around, revealed something that I didn’t know. Systemd services can be started with different configuration files. In this case, you can run “systemctl start openvpn@foobar” to start the OpenVPN service using “foobar” configuration file, which should be in “/etc/openvpn/foobar.conf“.
What’s that config file and where do I get it from? Well, the OpenVPN configuration sent from our client had a “email@example.com” file, which is exactly what’s needed. So, renaming “firstname.lastname@example.org” to “client.conf” and moving it together with all the other certificate files into “/etc/openvpn” folder allowed me to do “systemctl start openvpn@client“. All you need now is to make the service start automatically at boot time and you are done.
VPN Comparison Chart
Reddit user ThatOnePrivacyGuy compiled this Google sheet with comparison of 130 VPN services.
It covers a whole lot of metrics for each – from pricing, encryption and configuration options to additional services, activism and jurisdiction. Enjoy!
Updated (May 22, 2017): If you want to learn more about different VPN providers, have a look at Anonymster.com.