Saturday, August 25, 2012

No-downloading inconveniences in the digital age

My country does not allow me to download music/movies for personal use!

While a good number of countries (e.g., The Netherlands, Switzerland) have relatively sane laws that allow the downloading (though not uploading) of music and movies, there are a good number of other countries where even the downloading of music and movies for personal use is forbidden.

Even if one lives (or operates a server) in one of the latter countries, these restrictions are but small inconveniences that are easily worked around.

The case in point here is an Ubuntu Linux server in one of these countries, from which somebody wants to download content from the Giganews Usenet provider, with OpenVPN set up by hand. Note that although this article is written in terms of Linux and Giganews, the general principles readily carry over to other situations.

The solution: OpenVPN

The solution in this case is to hide the fact that you are using the service from the country with the backward laws that you happen to be in. A simple mechanism to do this is OpenVPN: one creates an encrypted VPN tunnel to a server in a friendlier country and sends the connections to Giganews through it.

If one already has an account at Giganews, Giganews offers a branded deal through VyprVPN where you get OpenVPN access for $5 per month.

Step 1: Apply for OpenVPN access at Giganews

Just follow the steps on their website: you can't go wrong there.

Step 2: Install OpenVPN

sudo apt-get install openvpn

(easy enough)

Step 3: Install the VyprVPN root certificate

sudo wget -O /etc/openvpn/ca.vyprvpn.com.crt http://www.giganews.com/vyprvpn/ca.vyprvpn.com.crt

This allows your OpenVPN client to check that the server it talks to presents a certificate issued by VyprVPN, and not one from some man-in-the-middle box your government may have put in place. Note the irony that the certificate itself is fetched over plain http here, which is exactly the kind of connection such a box could tamper with: fetch it over https if the provider offers that, or compare its fingerprint with a copy obtained through a channel you trust (e.g., from a machine outside the country) before relying on it. The tls-remote line in the next step adds the second half of the check by pinning the server name the certificate must carry.

Step 4: Create a configuration for your VyprVPN

The easiest way to do this is to create two files: one that contains your Giganews username and password, and one that contains the OpenVPN client configuration. The names are arbitrary, but I happen to use these:

/etc/openvpn/vyprvpn.pass contains:

gn123456
abcd1234

(replace these two lines with your actual username and password). Since the file holds the credentials in clear text, make it readable by root only: chmod 600 /etc/openvpn/vyprvpn.pass.

/etc/openvpn/vyprvpn.conf contains:

client
dev tun
proto udp
remote eu1.vpn.giganews.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
ca ca.vyprvpn.com.crt
tls-remote eu1.vpn.giganews.com
auth-user-pass vyprvpn.pass
comp-lzo
verb 1

(you could replace the eu1 part with several other options, but eu1 is in the Netherlands, where downloading is legal). Note that tls-remote was removed in OpenVPN 2.4; on such versions use verify-x509-name eu1.vpn.giganews.com name instead, which performs the same server-name check.

Step 5a: Fire and forget

On boot, your server will now automatically start up your VyprVPN and route all traffic through it (the VyprVPN server pushes a default route). You can also force it right now by issuing:

sudo /etc/init.d/openvpn restart

(on a systemd-based Ubuntu release, sudo systemctl restart openvpn@vyprvpn does the same for just this configuration).

If that is not what you want, e.g., because you use the box for other purposes, too, the next step will describe how to route just your Giganews traffic through the VPN.

Step 5b (optional): Route just Giganews traffic through the VPN.

If this is what you want, this is possible, too. Add the four lines route-noexec, route-up, down and script-security 2, shown directly after client in the listing below, to your /etc/openvpn/vyprvpn.conf file; the rest of the file is unchanged from step 4:

client
route-noexec
route-up /etc/openvpn/vyprvpn-route-up.sh
down /etc/openvpn/vyprvpn-route-down.sh
script-security 2
dev tun
proto udp
remote eu1.vpn.giganews.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
ca ca.vyprvpn.com.crt
tls-remote eu1.vpn.giganews.com
auth-user-pass vyprvpn.pass
comp-lzo
verb 1

The route-noexec option tells OpenVPN not to install the routes the VyprVPN server pushes (including the default route that would send everything through the tunnel), but to pass them, together with the tunnel device name, via environment variables to scripts in which you control what happens. script-security 2 is required for OpenVPN to run external scripts at all, and both scripts must be executable (chmod +x).

In my case, I wanted to use news-europe.giganews.com for downloading. I used whois to figure out that their IP range in Europe (at the time of writing) is 216.196.96.0/19. The two scripts mentioned above now contain:

/etc/openvpn/vyprvpn-route-up.sh:

#!/bin/bash

# Route Giganews Europe (216.196.96.0/19), and ONLY Giganews,
# through VyprVPN.
ip route add 216.196.96.0/19 dev $dev

(note that $dev is passed in the environment by OpenVPN).

/etc/openvpn/vyprvpn-route-down.sh:

#!/bin/bash

# Remove routing for Giganews Europe (216.196.96.0/19).
ip route del 216.196.96.0/19
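As an added example (not the scripts from this post), here is the route-up and route-down pair folded into a single hook script. It relies on OpenVPN exporting the tunnel interface as $dev and the name of the hook being run as $script_type, both of which OpenVPN documents; the validation of those values, the prefix list variable and the dry-run function are my own additions. Only the Giganews Europe prefix from above is listed, but the same script handles any number of prefixes.

```shell
#!/bin/sh
# /etc/openvpn/vyprvpn-routes.sh  (added example; not from the original post)
#
# One split-tunnel hook for both directions.  Reference it from the client
# config as:
#   route-up /etc/openvpn/vyprvpn-routes.sh
#   down     /etc/openvpn/vyprvpn-routes.sh
#   script-security 2
# OpenVPN exports the tunnel interface as $dev and the hook being run as
# $script_type ("route-up" once the tunnel is up, "down" when it closes).
set -eu

# Prefixes to send through the VPN, whitespace separated.  Only the Giganews
# Europe range from the post is listed; extend the list for other services.
VPN_PREFIXES='216.196.96.0/19'

# With script-security 2 this hook runs as root on whatever OpenVPN hands it,
# so both inputs are checked before they reach ip(8).
valid_dev() {
    case "$1" in
        tun[0-9]|tun[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

valid_prefix() {
    # dotted quad with a /nn length; the octet range is not checked here
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
}

# Print the ip(8) commands for a hook without running them.  A dry run
# (or a test) calls this directly, which needs neither root nor a tun device.
route_cmds() {
    hook=$1
    tundev=$2
    valid_dev "$tundev" || { echo "refusing unexpected dev: $tundev" >&2; return 1; }
    case "$hook" in
        route-up) action=add ;;
        down)     action=del ;;
        *) echo "unexpected script_type: $hook" >&2; return 1 ;;
    esac
    for prefix in $VPN_PREFIXES; do
        valid_prefix "$prefix" || { echo "refusing bad prefix: $prefix" >&2; return 1; }
        echo "ip route $action $prefix dev $tundev"
    done
}

# Apply the routes only when OpenVPN invoked us (it sets both variables);
# running the file by hand without them is a harmless no-op.
if [ -n "${script_type:-}" ] && [ -n "${dev:-}" ]; then
    cmds=$(route_cmds "$script_type" "$dev")   # set -e aborts here on bad input
    printf '%s\n' "$cmds" | while read -r cmd; do
        [ -n "$cmd" ] && $cmd
    done
fi
```

To see what the hook would do without touching the routing table, source the file and call route_cmds route-up tun0 (or down) by hand; the printed commands are exactly those the real invocation runs, and a device name that is not a tun interface is rejected rather than passed to ip.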

Step 6: Check that things work

Quickly check that your routing to Giganews indeed goes through the VPN:

traceroute news-europe.giganews.com

traceroute to news-europe.giganews.com (216.196.109.144), 30 hops max, 60 byte packets
 1  10.25.0.1 (10.25.0.1)  14.601 ms  14.606 ms  14.611 ms
 2  * * *
 3  vl304.gw1.ams.giganews.com (216.196.108.218)  15.268 ms  15.309 ms  15.274 ms
 4  news-europe.giganews.com (216.196.109.144)  14.964 ms  15.195 ms  15.210 ms

Here, the first hop being the VPN server's tunnel-side address (10.25.0.1, in the private 10.0.0.0/8 range) rather than your ISP's gateway tells you that traffic to Giganews enters the tunnel. A private first hop on its own is not conclusive (a NAT router at home gives one as well), so also check that the kernel picks the tun interface for this destination with ip route get 216.196.109.144 (the output should name dev tun0 or similar), and, if you used step 5b, that a traceroute to an unrelated host still takes your normal path.

Happy networking!