Setting up OpenVPN for free Internet access in airports, hotels, and cafes

From Nick Jenkins
Revision as of 05:15, 2 October 2008 by Nickj


Note: All this information is currently undergoing testing, and these instructions may be deleted or revised based on the outcome of this testing.

When you go to an airport, hotel, or cafe, you will frequently need to pay for net access, but DNS requests (port 53 UDP) are allowed. You can (potentially) use this to get free (but slow) internet access. You need to set this up before finding yourself in this situation, so it's probably only worth it if you travel frequently.

Requirements

You'll need:

  • A Linux machine that's permanently connected to the internet, with a static IP address. We'll call this the server.
  • A Linux machine (almost always a laptop) that wants internet access, and which can connect to a wifi or wired network, but which can only use port 53 UDP for free. We'll call this the client.
  • You, who wants internet access, usually for something small, like checking your email or reading a web page, for which paying $20 for 10 minutes of use strikes you as somewhat exorbitant.

You can test whether you have port 53 UDP by pinging something, e.g.:

ping google.com

... and if you get an IP address back for google.com, then you've most probably got port 53 UDP traffic allowed.

Setup beforehand

Install openvpn on the server and client:

sudo aptitude install openvpn

Then, generate a static key on the server, and copy this key to the laptop:

cd /etc/openvpn/
openvpn --genkey --secret static.key
rsync /etc/openvpn/static.key   laptop:/etc/openvpn/

Do on both server and client:

sudo mkdir /var/log/openvpn
sudo chown nobody:nogroup /var/log/openvpn

Do on the server to allow forwarding traffic:

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

On the client do:

sudo nano /etc/openvpn/rA.example.net.conf

... and paste in these contents:

# openvpn config for client p2p
# clientp2p.conf
#
# address of the server
remote server.whatever.org 53
# use UDP port 53 for the connection
proto udp
port 53
# assign to client 10.8.0.2 and to server the ip 10.8.0.1 
ifconfig 10.8.0.2 10.8.0.1
# level of detail for the log
verb 5
# use a tun device for the VPN
dev tun0
# authentication file
secret /etc/openvpn/static.key
# append to a log file
log-append /var/log/openvpn/openvpn.log
# compression
comp-lzo
# other options - no pinging, persistence, and user nobody for security:
ping-restart 0
nobind
user nobody
group nogroup
persist-key
persist-tun
# make this our default gateway when it is running.
redirect-gateway def1

... and replace "server.whatever.org" with the domain name or IP address of your server machine, and save.

For the server, do this:

sudo nano /etc/openvpn/server.whatever.org.conf 

... and paste in these contents:

port 53
proto udp
dev tun0
comp-lzo
# assign to server the ip 10.8.0.1 and to client 10.8.0.2
ifconfig 10.8.0.1 10.8.0.2
# authentication file
secret /etc/openvpn/static.key
push "redirect-gateway def1"
ping-restart 0
user nobody
group nogroup
persist-key
persist-tun
# level of detail for the log
verb 5
# logging
status /var/log/openvpn/rB.example.net.log
log-append /var/log/openvpn/rB.example.net.log

... and save.

Then on the server, start this service and leave it running permanently:

sudo /etc/init.d/openvpn restart

Testing if it works correctly

First check the logs on the server:

cat /var/log/openvpn/rB.example.net.log

... and check that there are no serious looking errors, and rectify these if there are any.

Then on the client, an easy way to test if it's working is to compare a traceroute before and after. So, for the "before" results, do this on the client:

sudo tracert telstra.com

On the client do:

sudo /etc/init.d/openvpn start

Then see the "after" results:

sudo tracert telstra.com

... if it's working, then the "after" results will be different from the "before" results: the first line will show "10.8.0.1" (i.e. our internet traffic is going via this IP address), and the route will be longer (e.g. my tracert was 18 instead of 13 hops, i.e. the openvpn adds 5 extra hops).

Once it's working, stop openvpn on the client:

sudo /etc/init.d/openvpn stop

When you want to use it

On the client, do this when you're in your airport, hotel, or cafe:

sudo /etc/init.d/openvpn start

When you are finished, and want your networking to go back to normal, do this on the client:

sudo /etc/init.d/openvpn stop
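
From the network operator's side, the setup above works only where UDP port 53 is passed without checking that the payload is actually DNS. The following Python check is an added example, not part of the original page: it tests whether a UDP/53 payload parses as a DNS header plus one well-formed question (a heuristic that looks no further into the message), and the function names and sample payloads are constructed for illustration.

```python
import struct

ASSIGNED_OPCODES = {0, 1, 2, 4, 5, 6}  # IANA DNS opcodes; 3 and 7-15 are unassigned

def looks_like_dns(payload: bytes) -> bool:
    """Heuristic: does this UDP/53 payload parse as a DNS message (RFC 1035 layout)?"""
    if len(payload) < 12:                  # the fixed DNS header is 12 bytes
        return False
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if (flags >> 11) & 0xF not in ASSIGNED_OPCODES or flags & 0x0040:
        return False                       # unassigned opcode, or reserved Z bit set
    if qdcount != 1:                       # ordinary queries and replies carry one question
        return False
    pos, name_len = 12, 0
    while True:                            # walk the QNAME labels up to the root label
        if pos >= len(payload):
            return False                   # ran off the end of the datagram
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:                    # pointer/reserved bits: not expected in a question
            return False
        pos += length
        name_len += length + 1
        if name_len > 254:                 # names are limited to 255 octets with the root
            return False
    if pos + 4 > len(payload):             # QTYPE and QCLASS must follow the name
        return False
    _qtype, qclass = struct.unpack("!2H", payload[pos:pos + 4])
    return qclass in (1, 3, 4, 254, 255)   # IN, CH, HS, NONE, ANY

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal A-record query, used here only as known-good sample input."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "dns_query": build_query("google.com"),
    "opaque_64_bytes": bytes(range(0x90, 0xD0)),  # stands in for an encrypted datagram
    "truncated_name": build_query("google.com")[:15],
}

def flag_non_dns(samples: dict) -> list:
    """Return the names of UDP/53 payloads that do not parse as DNS."""
    return sorted(name for name, data in samples.items() if not looks_like_dns(data))

if __name__ == "__main__":
    print(flag_non_dns(SAMPLES))
```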