Netflix in the USA, but acting like Canada

Howdy all.

So I found out about this thing called Hola the other day that allowed me to use my computer to connect to a VPN and appear to be coming from Canada, or the U.K. What I thought was interesting was the movie choices: it was a whole different movie selection.

This made me question my sanity and I think I connected and disconnected from Hola about 3 or 4 times. Anyways, it was true and I could access a whole different movie selection from Canada, and what was weird is the movies tended to be newer!! I thought, “Hmm, I wonder if I can get my Google TV to do this.” I was doing a separate project on ARM machines and stumbled across http://utilite-computer.com/web/home: cool, cheap machines. I ordered 2 of them (one for this other project, and one for this Google TV project). I proceeded to install Gentoo on the box (worked awesome). I have an openvpn account already with access to Canada servers, so I was good there; then I just needed to write the code. I decided on 2 iptables scripts, to force the traffic down whatever was connected.

This is my default non tunnel script.

#!/bin/bash
# Default (non-tunnel) ruleset: the LAN goes out through eth0.
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
export LAN=enp1s0
export WAN=eth0
# Each -I INPUT 1 goes to the top of the chain, so the final order is lo, eth0, enp1s0.
/sbin/iptables -I INPUT 1 -i ${LAN} -j ACCEPT
# Note: this accepts everything arriving on eth0 before any rule below is consulted,
# so the REJECT/DROP rules further down never see WAN traffic; they only act on
# other interfaces (for example a tun device).
/sbin/iptables -I INPUT 1 -i ${WAN} -j ACCEPT
/sbin/iptables -I INPUT 1 -i lo -j ACCEPT
# DHCP and DNS are answered for the LAN side only.
/sbin/iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
/sbin/iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT
/sbin/iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
# Drop the privileged TCP ports on anything that is not the LAN.
/sbin/iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
# Forward the LAN through eth0 and NAT it behind eth0's address.
/sbin/iptables -A FORWARD -i ${LAN} -o ${WAN} -j ACCEPT
/sbin/iptables -A FORWARD -i ${WAN} -o ${LAN} -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
# Appended after the interface-pair accepts above, so this mostly serves as a catch-all.
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
# Strict reverse-path filtering on every interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
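Rule order decides what this chain actually does, and three `-I INPUT 1` inserts come out in reverse order. As an added example (not code from this post), here is a small Python walker that takes an INPUT chain in `iptables -S` form and reports which rule decides a probe packet; the chain text is constructed to mirror the non-tunnel script above with policy ACCEPT. It shows that for eth0 the blanket accept decides every packet, so the low-port DROP only ever applies to other interfaces.

```python
"""Walk an iptables chain (`iptables -S` form) and report which rule decides a probe."""
import shlex

# Constructed: the non-tunnel script's INPUT chain as `iptables -S INPUT` would
# list it (policy ACCEPT); the three `-I INPUT 1` inserts come out in reverse order.
INPUT_CHAIN = """
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i enp1s0 -j ACCEPT
-A INPUT ! -i enp1s0 -p udp -m udp --dport 67 -j REJECT
-A INPUT ! -i enp1s0 -p udp -m udp --dport 53 -j REJECT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT ! -i enp1s0 -p tcp -m tcp --dport 0:1023 -j DROP
"""

def parse_rule(line):
    """Matches this walker understands; every option in the chain takes one argument."""
    rule = {"in": None, "in_neg": False, "proto": None, "dport": None, "target": None, "text": line}
    toks, neg = iter(shlex.split(line)), False
    for t in toks:
        if t == "!":                       # negates the option that follows
            neg = True
            continue
        arg = next(toks)
        if t == "-i":
            rule["in"], rule["in_neg"] = arg, neg
        elif t == "-p":
            rule["proto"] = arg.lower()
        elif t == "--dport":               # single port or lo:hi range
            lo, _, hi = arg.partition(":")
            rule["dport"] = (int(lo), int(hi or lo))
        elif t == "-j":
            rule["target"] = arg
        neg = False
    return rule

def matches(rule, iface, proto, dport):
    """The probe satisfies every match the rule carries (a missing match is a wildcard)."""
    in_ok = rule["in"] is None or (iface == rule["in"]) != rule["in_neg"]
    proto_ok = rule["proto"] is None or rule["proto"] == proto
    port_ok = rule["dport"] is None or rule["dport"][0] <= dport <= rule["dport"][1]
    return in_ok and proto_ok and port_ok

def verdict(chain_text, iface, proto, dport, policy="ACCEPT"):
    """Return (target, deciding rule text); the chain policy wins if nothing matches."""
    for line in chain_text.strip().splitlines():
        rule = parse_rule(line)
        if matches(rule, iface, proto, dport):
            return rule["target"], rule["text"]
    return policy, "chain policy"
```

Probe `("eth0", "tcp", 80)` is decided by `-A INPUT -i eth0 -j ACCEPT`, while the same packet on tun0 reaches the DROP rule; running the same walk against `iptables -S INPUT` output from the box is a quick way to confirm a ruleset before trusting it.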

This is my tunnel script.

#!/bin/bash
# Tunnel ruleset: the LAN goes out through tun0; eth0 stays usable for local traffic.
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
export LAN=enp1s0
export WAN=tun0
export MYWAN=eth0
/sbin/iptables -I INPUT 1 -i ${LAN} -j ACCEPT
/sbin/iptables -I INPUT 1 -i lo -j ACCEPT
# eth0 is still accepted wholesale (appended ahead of the REJECT/DROP rules),
# so the restrictions below only apply to tun0.
/sbin/iptables -A INPUT -i ${MYWAN} -j ACCEPT
/sbin/iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
/sbin/iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT
# ssh is accepted from the VPN side here; eth0 is already open above.
/sbin/iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
/sbin/iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
# Only the local 192.168.250.0/24 block may cross to eth0 while the tunnel is up;
# everything else from the LAN has to go through tun0. With FORWARD policy DROP,
# that also means LAN traffic to the Internet has nowhere to go if tun0 disappears.
/sbin/iptables -A FORWARD -i ${LAN} -o ${MYWAN} -d 192.168.250.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -i ${MYWAN} -o ${LAN} -s 192.168.250.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -i ${LAN} -o ${WAN} -j ACCEPT
/sbin/iptables -A FORWARD -i ${WAN} -o ${LAN} -j ACCEPT
# NAT behind whichever interface the packet leaves on.
/sbin/iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o ${MYWAN} -j MASQUERADE
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

You can see there are some subtle differences here:

export MYWAN=eth0
<- this is to allow my Plex to run via the local ethernet when the tunnel is connected.

/sbin/iptables -A FORWARD -i ${LAN} -o ${MYWAN} -d 192.168.250.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -i ${MYWAN} -o ${LAN} -s 192.168.250.0/24 -j ACCEPT
<- also so my Plex can connect locally (my local IP block is 192.168.250.0/24).

/sbin/iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o ${MYWAN} -j MASQUERADE
<- this lets me masquerade behind whichever interface I am going out on.

When I connect to Canada I type

/etc/init.d/openvpn.canada start
/root/ipt-tun

And to disconnect I type

/etc/init.d/openvpn.canada stop
/root/ipt

That’s it. Here is a video of it (and a small button web app to connect and disconnect it).

–John
Lights Camera Action!
