tasket / Qubes-vpn-support

VPN configuration in Qubes OS
GNU General Public License v3.0

A config to randomize the VPN endpoint via cron #41

Open ghost opened 5 years ago

ghost commented 5 years ago

Here is my (simple) setup to randomize the VPN endpoint every X minutes. It assumes you have qubes-vpn-support correctly installed and working with your vpn configs somewhere below /rw/config/vpn. I am using /rw/config/vpn/configs to store ovpn files.

Files

/rw/config/vpn/countries - contains a list of country filenames

/rw/config/vpn/country_servers - contains a list of ovpn profiles that correspond to the country. You need a filename per line that corresponds to a country.

For example: /rw/config/vpn/germany_servers has a list of ovpn files, the servers of which are located in Germany. You will need a *_servers file for each country in your countries files.

/rw/config/vpn/change-server - script that changes the connection by prodding qubes-vpn-handler

Setup

All files are in /rw/config/vpn.

countries contains something like this:

norway_servers
denmark_servers
germany_servers

norway_servers contains something like this:

/rw/config/vpn/configs/norway_server_1.ovpn
/rw/config/vpn/configs/norway_server_2.ovpn
/rw/config/vpn/configs/norway_server_3.ovpn
/rw/config/vpn/configs/norway_server_4.ovpn
/rw/config/vpn/configs/norway_server_5.ovpn
/rw/config/vpn/configs/norway_server_6.ovpn

Each country file should have a list of the ovpn files corresponding to that country.

change-server is a small bash script that more or less randomly chooses a country and then an ovpn profile from that country, sets up the symbolic link, then restarts the qubes-vpn-handler service via systemctl:

#!/bin/bash
# Pick a random country list, then a random ovpn profile from that list
country=$(shuf -n 1 /rw/config/vpn/countries)
echo "$country"
server=$(shuf -n 1 "/rw/config/vpn/$country")
echo "$server"
config_file=$server
echo "$config_file"
# Point vpn-client.conf at the chosen profile (qubes-vpn-handler reads this link)
sudo rm -f /rw/config/vpn/vpn-client.conf
sudo ln -s "$config_file" /rw/config/vpn/vpn-client.conf
# Restart the handler so openvpn reconnects with the new profile
sudo systemctl stop qubes-vpn-handler
sleep 8
sudo systemctl start qubes-vpn-handler

The last step is to enable cron in the vpn qube and add a crontab using crontab -e.

Edit /rw/config/rc.local and add these lines at the bottom:

mkdir /var/run/qubes-service/crond
systemctl start cron

And either restart the qube or enter these commands in a vpn qube terminal window. You can confirm cron started correctly by issuing systemctl status cron in a vpn qube terminal window.

I am using a debian template so this might be different for whatever template you're using.

Next set up a cron job via crontab -e and add an entry to poke the /rw/config/vpn/change-server script:

*/16 * * * * /rw/config/vpn/change-server

In this case every 16 minutes the server will change. You should see the notifications from the notification daemon. Watch /var/log/daemon.log in the vpn qube to see fine details of what openvpn is up to.

Bonus

A small script called /rw/config/vpn/make_servers_lists that works for my setup to gather country profiles into the correct country_servers file. You have to manually add lines to correspond with the countries you have in your countries file.

#!/bin/bash
# Rebuild each *_servers list from the ovpn files found under /rw/config/vpn.
# The find patterns follow this provider's file naming: a country prefix
# (no, dk, de) and "udp" for the protocol; one rm/find pair per country.
cd /rw/config/vpn/ || exit 1
sudo rm -f norway_servers
find "$(pwd)" -name "no*udp*" -print | sudo tee /rw/config/vpn/norway_servers
sudo rm -f denmark_servers
find "$(pwd)" -name "dk*udp*" -print | sudo tee /rw/config/vpn/denmark_servers
sudo rm -f germany_servers
find "$(pwd)" -name "de*udp*" -print | sudo tee /rw/config/vpn/germany_servers

Caveats and Follow-on
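Added example, not part of the post above: a hardened variant of the selection step in change-server. It keeps the post's layout (a countries file listing *_servers files, each listing .ovpn paths under configs/) but validates every value read from those lists before the symlink is touched, and swaps the link atomically so a bad pick leaves the current connection alone. The directory argument, the "run" argument and GNU coreutils options (shuf, readlink -f, ln -n, mv -T, as on Debian) are assumptions.

```shell
#!/bin/sh
# Added example (not the post's code): hardened pick + atomic symlink swap.
# Layout as in the post: $vpn_dir/countries lists *_servers files, each
# listing .ovpn paths under $vpn_dir/configs. Assumes GNU coreutils.
set -e

# Print one randomly chosen .ovpn path. A stray or edited line in a list
# file cannot redirect the symlink: the country name must be plain [a-z_]
# (no "../"), and the resolved target must be a regular .ovpn file inside
# $vpn_dir/configs. Returns 1 if nothing usable is found.
pick_config() {
    vpn_dir=$1
    country=$(shuf -n 1 "$vpn_dir/countries") || return 1
    case "$country" in
        ""|*[!a-z_]*) return 1 ;;
    esac
    [ -s "$vpn_dir/$country" ] || return 1
    # skip blank lines so an empty pick cannot clobber the link
    server=$(grep -v '^[[:space:]]*$' "$vpn_dir/$country" | shuf -n 1)
    [ -n "$server" ] || return 1
    real=$(readlink -f -- "$server") || return 1
    case "$real" in
        "$vpn_dir"/configs/*.ovpn) ;;
        *) return 1 ;;
    esac
    [ -f "$real" ] || return 1
    printf '%s\n' "$real"
}

# Repoint vpn-client.conf atomically and only then restart the handler, so
# a failed pick leaves the current link (and connection) untouched.
switch_server() {
    vpn_dir=$1
    target=$(pick_config "$vpn_dir") || { echo "no usable profile" >&2; return 1; }
    ln -sfn -- "$target" "$vpn_dir/vpn-client.conf.tmp"
    mv -Tf -- "$vpn_dir/vpn-client.conf.tmp" "$vpn_dir/vpn-client.conf"
    echo "switched to $target"
    sudo systemctl restart qubes-vpn-handler
}

# Invoke as "change-server run" (e.g. from the cron entry in the post);
# VPN_DIR overrides the default directory for testing.
if [ "${1:-}" = "run" ]; then
    switch_server "${VPN_DIR:-/rw/config/vpn}"
fi
```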

tasket commented 5 years ago

@fogmtv I know some people will find this useful... Thanks!

People may wish to customize the cron settings. For example, if you only want to shuffle the servers at system startup. This makes sense if you don't want your connection broken in the middle of some account-app based activity.

AFAIK there is no standard VPN server list update format. Unless, of course, you consider DNS. I think that's why some services that used to publish configs with IP addresses now use domain names.

ghost commented 5 years ago

@tasket You're welcome.

I haven't found a standard list format either. The VPN providers I've tried have published large zip files of ovpn files. I choose the IP address version of these files as the vpn qube doesn't seem to allow DNS queries through for some reason. Any ideas?

I updated my i3status bar to show which vpn I'm connected to - pretty handy.

Thanks again for this repository and your work to maintain it.

tasket commented 5 years ago

@fogmtv You should try the DNS configs with the 1.4.1 branch as the firewall settings have been revised to be friendlier to vpn software link management.