How To Setup OpenVPN In Ubuntu14.04 LXC Behind Nginx Reverse Proxy With Squid Proxy Used As AdBlocker

The objective for today is:

  1. Setup OpenVPN in lxc in Ubuntu 14.04
  2. Setup Squid
  3. Setup Nginx Reverse Proxy
  4. Block Ads With Squid

This is not a step-by-step tutorial but an article full of detailed notes and resources for the steps I've made to get this job done.

So I’ve started from here:

  1. a system running Ubuntu 14.04 with LXC (Linux containers) already set up
  2. a fresh Ubuntu 14.04 LXC container

Clone the lxc container:

lxc-copy -n ubuntu_lxc -N vpnbox_lxc

The command above tells lxc to copy the existing container (-n ubuntu_lxc) to a new container with the name given by -N (vpnbox_lxc).

Activate tun0 for your lxc container

tun0 is used by OpenVPN and you need it in your lxc.

vim /var/lib/lxc/vpnbox_lxc/config

add the line:

lxc.cgroup.devices.allow = c 10:200 rwm

To actually use a tun/tap device it must be created inside the container on every boot, so add the following to /etc/rc.local inside your container:

if ! [ -c /dev/net/tun ]; then
 mkdir -p /dev/net
 mknod -m 666 /dev/net/tun c 10 200
fi
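The two tun/tap steps above (the cgroup allow line in the container config and the device node created from rc.local) are easy to apply twice, which leaves a duplicated config line or a failing mknod. The following is an added example, not from the original post, that makes both steps idempotent and gives a way to check them; the config path is passed in as an argument, the device path defaults to /dev/net/tun, and the allow line is the one the post adds.

```shell
#!/bin/sh
# Added example (not part of the original post): idempotent versions of the
# two tun/tap steps. Assumptions: the container config path is given as an
# argument; the device node path defaults to /dev/net/tun as in the post.

TUN_ALLOW_LINE='lxc.cgroup.devices.allow = c 10:200 rwm'

# ensure_tun_allowed CONFIG: append the cgroup allow line unless that exact
# line is already present (a differently spaced variant is not detected).
ensure_tun_allowed() {
    config="$1"
    if grep -qxF "$TUN_ALLOW_LINE" "$config" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$TUN_ALLOW_LINE" >> "$config"
}

# count_tun_allowed CONFIG: number of copies of the line, for a quick check.
count_tun_allowed() {
    grep -cxF "$TUN_ALLOW_LINE" "$1" 2>/dev/null || true
}

# ensure_tun_node [DEV]: the rc.local snippet from the post, but it refuses
# to run mknod over something that exists at the path and is not a char device.
ensure_tun_node() {
    dev="${1:-/dev/net/tun}"
    if [ -c "$dev" ]; then
        return 0
    fi
    if [ -e "$dev" ]; then
        echo "$dev exists but is not a character device" >&2
        return 1
    fi
    mkdir -p "$(dirname "$dev")"
    mknod -m 666 "$dev" c 10 200
}
```

Run ensure_tun_allowed /var/lib/lxc/vpnbox_lxc/config on the host, and call ensure_tun_node from the container's /etc/rc.local in place of the bare snippet; re-running either is harmless.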

Resources:

  1. https://blog.felixbrucker.com/2015/10/01/how-to-enable-tuntap-inside-lxc/ (important rc.local)
  2. http://serverfault.com/questions/429461/no-tun-device-in-lxc-guest-for-openvpn
  3. https://wiki.archlinux.org/index.php/OpenVPN_in_Linux_containers#LXC_config (systemd)

Be sure to configure the lxc ip and autostart.

Start the container:

lxc-start -n vpnbox_lxc -d

And attach to it:

lxc-attach -n vpnbox_lxc

Install OpenVPN.

Follow the OpenVPN installation tutorial linked here and answer its prompts.

Configure OpenVPN like this:
  1. use TCP
  2. run on port 443

Set iptables rules on the main system

We need to redirect incoming traffic from our VPS IP address to the local lxc container running OpenVPN.

Assuming the local lxc container is using the IP address 10.0.3.8, the command would be:

iptables -t nat -I PREROUTING -i eth0 -p TCP -d xxx.xxx.xxx.xxx/32 --dport 443 -j DNAT --to-destination 10.0.3.8:443

Let’s save the iptables rules.

sudo apt-get update && sudo apt-get install iptables-persistent

Save your firewall rules with this command:

sudo invoke-rc.d iptables-persistent save
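The DNAT rule above is inserted with -I, which adds a second identical entry every time the command is re-run (from a provisioning script, after editing, and so on). The following is an added example, not from the original post, that checks for the rule with -C before inserting it. VPS_IP and LXC_IP are this example's names for the post's xxx.xxx.xxx.xxx and 10.0.3.8, and the IPTABLES variable exists only so the logic can be exercised against a stub.

```shell
#!/bin/sh
# Added example (not from the post): apply the host-side DNAT rule
# idempotently. Assumptions: IPTABLES names the iptables binary (overridable
# for testing); the rule itself is the one the post gives.

IPTABLES="${IPTABLES:-iptables}"

# ensure_nat_rule CHAIN RULE...: insert RULE at the top of the nat table's
# CHAIN only if an identical rule is not already present.
ensure_nat_rule() {
    chain="$1"; shift
    if "$IPTABLES" -t nat -C "$chain" "$@" 2>/dev/null; then
        return 0            # already present, nothing to do
    fi
    "$IPTABLES" -t nat -I "$chain" "$@"
}

# dnat_openvpn VPS_IP LXC_IP: the post's rule, forwarding TCP/443 arriving on
# eth0 for the VPS address to OpenVPN inside the container.
dnat_openvpn() {
    ensure_nat_rule PREROUTING -i eth0 -p tcp -d "$1/32" --dport 443 \
        -j DNAT --to-destination "$2:443"
}

# Usage: dnat_openvpn <vps ip> <container ip>, then save with
# invoke-rc.d iptables-persistent save as the post does.
```

Because -C matches the whole rule, changing the container address later results in a new rule next to the old one; remove the old one with -D in that case rather than relying on this check.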

Define a subdomain for your VPNbox.

I use my vps provider control panel for that (Contabo.com).

For example: vpn.vpsbox.com

Setup Nginx Reverse Proxy

vim /etc/nginx/conf.d/default.conf

And set Nginx Reverse Proxy Server Block Like This:

server {
    listen 80;
    server_name vpn.vpsbox.com;

    location / {
        proxy_pass http://10.0.3.8:3128;
        proxy_connect_timeout 300s;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_buffering off;
    }
}

server {
    listen 3128;
    server_name vpn.vpsbox.com;

    location / {
        proxy_pass http://10.0.3.8:3128;
        proxy_connect_timeout 300s;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_buffering off;
    }
}

Restart NGINX.

service nginx restart

The two server blocks above tell Nginx to forward all traffic arriving on ports 80 and 3128 to the local lxc container.

Squid proxy will listen on 3128 and intercept all of that traffic.

Setup Squid Proxy

Now it is time to set up the Squid proxy.

apt-get install squid3

Configure squid proxy.

vim /etc/squid3/squid.conf

You can use and see my conf here:

cat /etc/squid3/squid.conf | curl -F 'clbin=<-' https://clbin.com 
https://clbin.com/U3c6t

Just search for tudor block in the squid.conf file.

These are the important parts:

http_port 3128 intercept

acl ads dstdom_regex "/etc/squid3/ads.txt"
http_access deny ads

access_log /var/log/squid3/access.log squid
acl allcomputers src 10.0.3.0/24 10.8.0.0/24
http_access allow allcomputers

Also setup a cache dir.

cache_dir ufs /var/spool/squid3 1000 16 256

Add iptables rules and save them:

iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Comment out the other lists that you don't have. Read the resources below on how to add lists for squid and automate them with cron jobs.

Get Your First List

curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=0&mimetype=plaintext" > /etc/squid3/ads.txt

Restart Squid3

squid3 -k reconfigure && service squid3 restart

Automate With Cron

mkdir -p /opt/bin/
vim /opt/bin/ad_servers.sh

#### Calomel.org ad_servers.sh & modified by tudormateescu.com
#
## get new ad server list
curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=0&mimetype=plaintext" > /etc/squid3/ads.txt

## refresh squid
/usr/sbin/squid3 -k reconfigure

Make the script executable and open the crontab:

chmod +x /opt/bin/ad_servers.sh
crontab -e

# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for minute (m), hour
# (h), day of month (dom), month (mon), and day of week (dow) or use '*' in
# these fields (for 'any'). Notice that tasks will be started based on the
# cron's system daemon's notion of time and timezones.
#
# minute (0-59)
# | hour (0-23)
# | | day of the month (1-31)
# | | | month of the year (1-12 or Jan-Dec)
# | | | | day of the week (0-6 with 0=Sun or Sun-Sat)
# | | | | | commands
# | | | | | |
#### refresh squid's anti-ad server list
35 5 * * */3 /opt/bin/ad_servers.sh >> /dev/null 2>&1

 

Resources:

  1. https://www.lowendtalk.com/discussion/41685/how-to-create-vpn-with-ad-blocker-feature
  2. https://calomel.org/squid_adservers.html

Send yourself a copy of the OpenVPN client .ovpn file

You can always generate a new client.ovpn by running ./openvpn_install.sh again.

Send that file using mutt.

 

Be sure to permanently set a FQDN hostname for your lxc container

hostname vpn.vpsbox.com
echo vpn.vpsbox.com > /etc/hostname
cat /etc/hostname
vpn.vpsbox.com
hostname -f
vpn.vpsbox.com

 

On the main machine:

vim /var/lib/lxc/vpnbox_lxc/config
#specify hostname for the lxc
lxc.utsname = vpn.vpsbox.com

Next, still on the main machine, add the container to /etc/hosts:

vim /etc/hosts
10.0.3.8 vpn.vpsbox.com vpn

Next, in /etc/hosts inside the vpnbox_lxc container:

127.0.0.1 vpn.vpsbox.com localhost.localdomain localhost vpn

Test it.

Bear in mind that I'm just a Linux enthusiast, not a sysadmin. Check the resources and ask the specialized forums for help.

The idea behind the setup is: iptables on the main machine redirects TCP 443 traffic to OpenVPN, Nginx deals with HTTP requests, and squid handles caching and ad blocking.

You can also set DNS name servers in squid.conf or in the OpenVPN server.conf that block ads and other malware sites (check Norton DNS).

You can add as many lists as you want to block by replicating the ads.txt directives in squid.conf and automating their updates with cron. Just replicate the lines and add your own lists.

I hope that helps!
