The objective for today is:
- Setup OpenVPN in lxc in Ubuntu 14.04
- Setup Squid
- Setup Nginx Reverse Proxy
- Block Ads With Squid
This is not a step-by-step tutorial but an article full of detailed notes and resources for the steps I took to get this job done.
So I’ve started from here:
- system: Ubuntu 14.04 with lxc (Linux containers) already set up
- a fresh Ubuntu 14.04 lxc container to start from
Clone the lxc container:
lxc-copy -n ubuntu_lxc -N vpnbox_lxc
The command above tells lxc to copy the existing container (-n ubuntu_lxc) to a new container (-N vpnbox_lxc).
Activate tun0 for your lxc container
tun0 is used by OpenVPN and you need it in your lxc.
vim /var/lib/lxc/vpnbox_lxc/config
Add the line:
lxc.cgroup.devices.allow = c 10:200 rwm
To actually use a tun/tap device it must be created inside the container on every boot, so add the following to /etc/rc.local inside your container:
if ! [ -c /dev/net/tun ]; then
    mkdir -p /dev/net
    mknod -m 666 /dev/net/tun c 10 200
fi
Resources:
- https://blog.felixbrucker.com/2015/10/01/how-to-enable-tuntap-inside-lxc/ (important rc.local)
- http://serverfault.com/questions/429461/no-tun-device-in-lxc-guest-for-openvpn
- https://wiki.archlinux.org/index.php/OpenVPN_in_Linux_containers#LXC_config (systemd)
Be sure to configure the container's IP address and autostart.
Start the container:
lxc-start -n vpnbox_lxc -d
And attach to it:
lxc-attach -n vpnbox_lxc
Install OpenVPN.
Use the tutorial on how to install OpenVPN from here and respond to the steps.
Configure OpenVPN like this:
- use TCP
- run on port 443
Set iptables rules on the main system
We need to redirect incoming traffic from our VPS IP address to the local lxc container running OpenVPN.
Assuming the container uses the IP address 10.0.3.8, the command is:
iptables -t nat -I PREROUTING -i eth0 -p TCP -d xxx.xxx.xxx.xxx/32 --dport 443 -j DNAT --to-destination 10.0.3.8:443
Let’s save the iptables rules.
sudo apt-get update && sudo apt-get install iptables-persistent
Save your firewall rules with this command:
sudo invoke-rc.d iptables-persistent save
Define a subdomain for your VPNbox.
I use my vps provider control panel for that (Contabo.com).
For example: vpn.vpsbox.com
Setup Nginx Reverse Proxy
vim /etc/nginx/conf.d/default.conf
And set the Nginx reverse proxy server blocks like this:
server {
    listen 80;
    server_name vpn.vpsbox.com;
    location / {
        proxy_pass http://10.0.3.8:3128;
        proxy_connect_timeout 300s;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_buffering off;
    }
}
server {
    listen 3128;
    server_name vpn.vpsbox.com;
    location / {
        proxy_pass http://10.0.3.8:3128;
        proxy_connect_timeout 300s;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_buffering off;
    }
}
Restart NGINX.
service nginx restart
The server blocks above tell Nginx to forward all port 80 and port 3128 traffic to the local lxc container.
Squid will listen on 3128 and intercept all of that traffic.
Setup Squid Proxy
Now it is time to set up the Squid proxy.
apt-get install squid3
Configure squid proxy.
vim /etc/squid3/squid.conf
You can use and see my conf here:
cat /etc/squid3/squid.conf | curl -F 'clbin=<-' https://clbin.com
https://clbin.com/U3c6t
Just search for the "tudor block" comment in that squid.conf file.
These are the important parts:
http_port 3128 intercept
acl ads dstdom_regex "/etc/squid3/ads.txt"
http_access deny ads
access_log /var/log/squid3/access.log squid
acl allcomputers src 10.0.3.0/24 10.8.0.0/24
http_access allow allcomputers
Also setup a cache dir.
cache_dir ufs /var/spool/squid3 1000 16 256
Add these iptables rules inside the container and save them:
iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
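The host-side DNAT rule for port 443 and the container-side REDIRECT/MASQUERADE rules above are typically re-applied from a script or boot hook, and iptables appends a duplicate every time, which iptables-persistent then saves. The helper below is an added example and not part of the original post: it keeps the exact rules from the article but checks each one with iptables -C before adding it, and validates the IP addresses it interpolates so a malformed variable cannot inject extra rule arguments. eth0, tun0, 10.0.3.8 and port 3128 come from the post; the IPTABLES override, the function names and the example address 203.0.113.10 are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): apply this article's NAT rules
# idempotently. Set IPTABLES to another command for a dry run.
IPTABLES=${IPTABLES:-iptables}

# valid_ipv4 ADDR: accept only a dotted-quad literal, so a bad value cannot
# smuggle further iptables arguments into the rule (assumed helper).
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# ensure_rule ACTION TABLE CHAIN RULE...: add RULE with ACTION (-A or -I)
# unless an identical rule already exists (iptables -C exits 0 if it does).
ensure_rule() {
  action=$1; table=$2; chain=$3; shift 3
  if "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
    return 0            # identical rule already present, nothing to do
  fi
  "$IPTABLES" -t "$table" "$action" "$chain" "$@"
}

# host_rules VPS_IP LXC_IP: on the main system, send TCP/443 arriving on the
# public address to OpenVPN inside the container (article's -I rule).
host_rules() {
  vps_ip=$1; lxc_ip=$2
  valid_ipv4 "$vps_ip" && valid_ipv4 "$lxc_ip" || return 1
  ensure_rule -I nat PREROUTING -i eth0 -p tcp -d "$vps_ip/32" --dport 443 \
    -j DNAT --to-destination "$lxc_ip:443"
}

# container_rules: inside the container, push VPN clients' HTTP to Squid's
# intercept port and masquerade everything leaving through eth0.
container_rules() {
  ensure_rule -A nat PREROUTING -i tun0 -p tcp --dport 80 -j REDIRECT --to-port 3128
  ensure_rule -A nat POSTROUTING -o eth0 -j MASQUERADE
}

# Entry point: "host VPS_IP LXC_IP" on the main system, "container" in the lxc.
case "${1:-}" in
  host)      host_rules "$2" "$3" ;;
  container) container_rules ;;
esac
```

Run it as `sh nat-rules.sh host <your VPS IP> 10.0.3.8` on the host and `sh nat-rules.sh container` inside the lxc, then save with invoke-rc.d iptables-persistent save as above; running it a second time adds nothing.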
Comment out any other list referenced in squid.conf that you don't have yet. Read the resources below on how to add lists to Squid and automate them with cron jobs.
Get Your First List
curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=0&mimetype=plaintext" > /etc/squid3/ads.txt
Restart Squid3
squid3 -k reconfigure && service squid3 restart
Automate With Cron
mkdir -p /opt/bin/
vim /opt/bin/ad_servers.sh
#!/bin/sh
#### Calomel.org ad_servers.sh & modified by tudormateescu.com
#
## get new ad server list
curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=0&mimetype=plaintext" > /etc/squid3/ads.txt
## refresh squid
/usr/sbin/squid3 -k reconfigure
chmod +x /opt/bin/ad_servers.sh
crontab -e
#minute (0-59)
#|  hour (0-23)
#|  |  day of the month (1-31)
#|  |  |  month of the year (1-12 or Jan-Dec)
#|  |  |  |  day of the week (0-6 with 0=Sun or Sun-Sat)
#|  |  |  |  |  commands
#|  |  |  |  |  |
#
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
### refresh squid's anti-ad server list
35 5 * * */3 /opt/bin/ad_servers.sh >> /dev/null 2>&1
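The ad_servers.sh script above writes whatever the list server returns straight into /etc/squid3/ads.txt and reconfigures Squid. Because dstdom_regex treats every line of that file as a regular expression, an HTML error page, a truncated download or an empty response can leave Squid with a broken ACL file, and a list containing a single over-broad pattern would block everything. The script below is an added example written for this article, not the post's or calomel.org's script: it downloads to a temporary file, checks that the list is large enough and contains only plain hostnames, only then replaces ads.txt (keeping a backup), and runs squid3 -k parse before the reconfigure. The list URL, the squid3 binary and the /etc/squid3 path come from the post; the function names, MIN_ENTRIES threshold and the "update" argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the post's or calomel.org's script): validate the ad
# server list before handing it to Squid's dstdom_regex ACL.
LIST_URL='http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=0&mimetype=plaintext'
ADS_FILE=${ADS_FILE:-/etc/squid3/ads.txt}
MIN_ENTRIES=${MIN_ENTRIES:-100}   # assumed sanity floor; the real list is far larger

# validate_adlist FILE: succeed only if FILE has at least MIN_ENTRIES entries
# and every non-blank, non-comment line is a plain hostname. Anything outside
# [A-Za-z0-9.-] (HTML, a stray "(" or "*") is rejected before Squid sees it.
validate_adlist() {
  [ -s "$1" ] || return 1
  n_entries=$(grep -Evc '^(#.*)?$' "$1" || true)
  n_bad=$(grep -Ev '^(#.*)?$' "$1" | grep -Evc '^[A-Za-z0-9][A-Za-z0-9.-]*$' || true)
  [ "$n_entries" -ge "$MIN_ENTRIES" ] && [ "$n_bad" -eq 0 ]
}

# install_adlist SRC: validate SRC, back up the current list, then replace it
# with a single rename so Squid never reads a half-written file.
install_adlist() {
  src=$1
  validate_adlist "$src" || return 1
  if [ -f "$ADS_FILE" ]; then
    cp -p "$ADS_FILE" "$ADS_FILE.bak" || return 1
  fi
  cp "$src" "$ADS_FILE.new" && chmod 0644 "$ADS_FILE.new" && mv "$ADS_FILE.new" "$ADS_FILE"
}

# update_adlist: fetch the upstream list, install it if it validates, and
# reload Squid only if the configuration still parses. The pipeline's exit
# status is tr's, so a failed curl shows up as an empty or short file, which
# validate_adlist rejects.
update_adlist() {
  tmp=$(mktemp) || return 1
  curl -sS -L --compressed "$LIST_URL" | tr -d '\r' > "$tmp"
  if ! install_adlist "$tmp"; then
    echo "ad list rejected, keeping current $ADS_FILE" >&2
    rm -f "$tmp"
    return 1
  fi
  rm -f "$tmp"
  /usr/sbin/squid3 -k parse && /usr/sbin/squid3 -k reconfigure
}

# Entry point: only touches the network and Squid when called with "update".
case "${1:-}" in
  update) update_adlist ;;
esac
```

With this version the cron line becomes `35 5 * * */3 /opt/bin/ad_servers.sh update >> /dev/null 2>&1`; a rejected download leaves the previous ads.txt in place and is reported on stderr, which cron mails to root unless you redirect it as the article does.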
Resources:
- https://www.lowendtalk.com/discussion/41685/how-to-create-vpn-with-ad-blocker-feature
- https://calomel.org/squid_adservers.html
Send yourself a copy of the OpenVPN client .ovpn file
You can always generate a new client.ovpn by running the ./openvpn_install.sh.
Send that file using mutt.
Be sure to permanently set a hostname FQDN for your lxc container:
hostname vpn.vpsbox.com
echo vpn.vpsbox.com > /etc/hostname
cat /etc/hostname
vpn.vpsbox.com
hostname -f
vpn.vpsbox.com
On the main machine:
vim /var/lib/lxc/vpnbox_lxc/config
#specify hostname for the lxc
lxc.utsname = vpn.vpsbox.com
Next
vim /etc/hosts
10.0.3.8 vpn.vpsbox.com vpn
Next, in /etc/hosts on the vpnbox_lxc container:
127.0.0.1 vpn.vpsbox.com localhost.localdomain localhost vpn
Test it.
Bear in mind that I'm just a Linux enthusiast, not a sysadmin. Check the resources and ask on the specialized forums for help.
The idea behind the setup is: iptables on the main machine redirects TCP 443 traffic to OpenVPN. Nginx deals with HTTP requests and Squid with caching and ad blocking.
You can also set DNS name servers in squid.conf or in the OpenVPN server.conf that block ads and other malware sites (check Norton DNS).
You can block as many lists as you want by replicating the ads.txt directives from squid.conf and automating their updates with cron. Just replicate the lines and add your own lists.
I hope that helps!
1 thought on “How To Setup OpenVPN In Ubuntu14.04 LXC Behind Nginx Reverse Proxy With Squid Proxy Used As AdBlocker”