Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In with OpenID
Advertise on LowEndTalk.com

In this Discussion

How to create VPN with ad blocker feature?
New on LowEndTalk? Please read our 'Community Rules' by clicking on it in the right menu!

How to create VPN with ad blocker feature?

Hello,

I see some VPN services are included with some extra feature like ad blocker, both on PPTP or OpenVPN service

Does anyone know how to create that kind of feature? Do we just need to install kind of firewall for example spf? Or maybe there some special application need to be installed?

Thanks..

Tagged:

Comments

  • if your vpn service has an application then you could add code to modify the windows HOSTS file to redirect known ad servers to 127.0.0.1 - this causes to stop ads from loading. im using this tactic myself without any issues, the only downside is that you have to wireshark server communications to find the ad servers.

  • Idk if the hosts file of the OpenVPN server applies to people connected to it, but it sounds like the easiest solution.

    (((o(゚▽゚)o))) If privacy is outlawed, only outlaws will have privacy. (((o(゚▽゚)o)))

    ヽ(`Д´)ノ Everyone should run Tor on their idle servers.

  • You could also create a DNS server (which forwards everything to OpenDNS or Google's DNS) with the hosts added to the deny list.

  • @Mark_R said: if your vpn service has an application then you could add code to modify the windows HOSTS file to redirect known ad servers to 127.0.0.1 - this causes to stop ads from loading. im using this tactic myself without any issues, the only downside is that you have to wireshark server communications to find the ad servers.

    https://adaway.org/hosts.txt

    Life is better when you're smiling

  • @4n0nx said: Idk if the hosts file of the OpenVPN server applies to people connected to it, but it sounds like the easiest solution.

    Yeah same here, but it definitly works on PPTP.

  • Thanks for the reply...

    Actually I have an idle VPS installed with pptp and openvpn.. Just imagine if I can add some ads blocker feature on my VPN. It's all for my personal usage only.

    Using DNS from openDNS seems one good option.. never taught about that.. anyway any other solution maybe?

    Thanks...

  • You can use iptables to drop packets to ad servers. or use a dns server you can control For HTTP, you can use squid intercept to get url based control.

  • setup your own dns on vpn server and force vpn client to use your dns. If you ask me, I prefer Unbound DNS

    Let's bet which dot-name will collapse first ;)

  • RC5 cracker since 1998!

    Thanked by 1dtoker
  • Update your hosts file from the link above so it blocks ads at hosts file level. By default though the OpenVPN doesn't read the /etc/hosts file you need to install DNSMASQ then simply edit /etc/dnsmasq.conf to point the listen-address to the OpenVPN server's IP.

    I won't recommend PPTP although easy to setup(also highly known to be insecure) I ran into issues using multiple device on a single router. OpenVPN is fairly straightforward to setup and much more flexible.

  • Mark_RMark_R Member
    edited January 2015

    @dtoker said: Update your hosts file from the link above so it blocks ads at hosts file level. By default though the OpenVPN doesn't read the /etc/hosts file you need to install DNSMASQ then simply edit /etc/dnsmasq.conf to point the listen-address to the OpenVPN server's IP.

    I won't recommend PPTP although easy to setup(also highly known to be insecure) I ran into issues using multiple device on a single router. OpenVPN is fairly straightforward to setup and much more flexible.

    too bad that openvpn requires an extra ethernet adapter to function, this is bypassable for applications (gaining real ip from default internet adapter instead of tun/tap).. i wouldn't call that more secure.

  • 4n0nx4n0nx Member
    edited January 2015

    Mark_R said: too bad that openvpn requires an extra ethernet adapter to function, this is bypassable for applications (gaining real ip from default internet adapter instead of tun/tap).. i wouldn't call that more secure.

    Eh? I know nothing about this, but from my knowledge OpenVPN creates a default route once the user connects to it. I'd assume a user needs root/admin rights to change this and when anyone has root/admin access then the device is not secure either way...

    (((o(゚▽゚)o))) If privacy is outlawed, only outlaws will have privacy. (((o(゚▽゚)o)))

    ヽ(`Д´)ノ Everyone should run Tor on their idle servers.

  • @4n0nx said: Eh? I know nothing about this, but from my knowledge OpenVPN creates a default route once the user connects to it. I'd assume a user needs root/admin rights to change this and when anyone has root/admin access then the device is not secure either way...

    Aslong OpenVPN doesn't reconfigure the default ethernet adapter it will be bypassable by applications that ignore tun/tap adapters. An example would be STEAM http://store.steampowered.com/about/ they ignore OVPN.

    You can test this by initiating a p2p voicecall from steam to a OVPN user in your list, you will see his real IP appear in the list instead of the VPN. PPTP does reconfigure your default adapter so it will cover everything.

  • Mark_R said: Aslong OpenVPN doesn't reconfigure the default ethernet adapter it will be bypassable by applications that ignore tun/tap adapters. An example would be STEAM http://store.steampowered.com/about/ they ignore OVPN.

    You can test this by initiating a p2p voicecall from steam to a OVPN user in your list, you will see his real IP appear in the list instead of the VPN. PPTP does reconfigure your default adapter so it will cover everything.

    O? Whenever I connect to OpenVPN, Steam disconnects and logs back in. Does not look to me like it ignores it..

    (((o(゚▽゚)o))) If privacy is outlawed, only outlaws will have privacy. (((o(゚▽゚)o)))

    ヽ(`Д´)ノ Everyone should run Tor on their idle servers.

  • @4n0nx said: O? Whenever I connect to OpenVPN, Steam disconnects and logs back in. Does not look to me like it ignores it..

    Feel free to test it. I recommend capturing the p2p call with wireshark.

  • Mark_R said:

    Feel free to test it. I recommend capturing the p2p call with wireshark.

    I just did and as far as I can see in netstat, all connections are using the VPN interface (even during a call).

    (((o(゚▽゚)o))) If privacy is outlawed, only outlaws will have privacy. (((o(゚▽゚)o)))

    ヽ(`Д´)ノ Everyone should run Tor on their idle servers.

  • UltraParanoidUltraParanoid Member
    edited February 2015

    Here's what I did to get my own ad/malware free, http page caching VPN:

    • Install some VPS with some Linux distro.

    • Install & configure OpenVPN to VPS.

    • Install & configure Squid caching proxy to same VPS.

    • Add the following iptable rules (it is assumed here that your incoming VPN connection is from tun0 and outgoing Internet connection to eth0. Also, this might not work in other than KVM or Xen VPS. Haven't tried...):

    iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j REDIRECT --to-port 3128
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    
    acl ads dstdom_regex "/etc/squid/ads.txt"
    http_access deny ads
    

    For malware blocking you can check these sites for lists:

    http://www.malwareblacklist.com/showMDL.php http://www.selectrealsecurity.com/public-block-lists http://www.malwaredomainlist.com/forums/index.php?topic=3270.0 http://www.malwaredomainlist.com/hostslist/hosts.txt http://malc0de.com/database/

    Note: some of those malware block list are in hosts form, meaning that they have 127.0.0.1 (or sometimes 0.0.0.0) in front of them.

    You can save the list(s) somewhere and convert it/them to squid "form" with following command:

    sed 's/\(127.0.0.1\)[[:space:]]*\(.*\)/\2/g' saved_malwarelist.txt > /etc/squid/malware.txt
    

    Then add the following again to squid.conf and restart squid:

    acl malware dstdom_regex "/etc/squid/malware.txt"
    http_access deny malware
    

    Done!

    Note: If you want to make your VPN more secure and prevent DNS leaks, you could add your own DNS server too to VPS and then configure OpenVPN to send that address to VPN clients instead of using ISP DNS or some public DNS (like Google's). Bind is a good, not too complicated DNS server software for setting up private resolving caching DNS server.

    Here's my Bind conf: https://www.dropbox.com/s/fiv5wub6r3tzm4h/named.conf?dl=0

    Most important part is

    acl "trusted" {
        127.0.0.0/8;
        ::1/128;
        10.8.0.0/24;
    };
    

    That tells what IP addresses are allowed to make DNS queries (here 10.8.0.0/24 is the subnet of OpenVPN server. So all OpenVPN clients are automatically allowed to make DNS queries)

    One more thing: After making sure that you can connect to your OpenVPN server and that you can surf normally go to the following page: http://openresolver.com/ and give your VPS public IP and click test. If it says something like: " Recursive resolver is not detected on xxx.xxx.xxx.xxx

    IP address xxx.xxx.xxx.xxx is not vulnerable to DNS Amplification attacks."

    Then everything is fine and your DNS server is not open to public.

  • I use Softether and dnsmasq. With a cron script I download multiple hosts files for adblocking and malware sites then combine and remove duplicates with it.

    Dnsmasq automatically looks for hosts file. The primary dns I send to clients is the VPS's IP, so when I'm connected I don't have any ads. BTW my dnsmasq only listens to my Vpn bridge so no extra firewall rules are necessary.

    I never turn down help on improving my Nginx Configuration Template ;)
    NameSilo.com coupons: CheapDoms or Discounted

  • UltraParanoid said: Bind is a good, not too complicated DNS server software for setting up private resolving caching DNS server.

    Thanks for sharing your config.

    Regarding dns, pdnsd is pretty nice too, it can resolve from the root servers and is caching hence pretty fast...

  • @Nomad said: I use Softether and dnsmasq. With a cron script I download multiple hosts files for adblocking and malware sites then combine and remove duplicates with it.

    Dnsmasq automatically looks for hosts file. The primary dns I send to clients is the VPS's IP, so when I'm connected I don't have any ads. BTW my dnsmasq only listens to my Vpn bridge so no extra firewall rules are necessary.

    Can you share your config?

    Yes, I'm a happy Catholic and want to be a priest. Can you pray for me? :D | my personal website (in portuguese) | :: | I recommend scaleway | Proud member of Ekaaty Linux: Linux made by Brazilians.

  • Sure, it's nothing special, mostly the basic stuff, but if that might help you somehow why not... I will upload it today once I'm home and free.

    I never turn down help on improving my Nginx Configuration Template ;)
    NameSilo.com coupons: CheapDoms or Discounted

  • @EkaatyLinux,

    Here is my solution for an Adblocking VPN with Softether + DNSMasq.

    First of all I should add that I run Softether via a bridge connection. Not SecureNAT. Second, with this config I am giving a unique, real IPv6 to all clients via the IPv6 tunnel I setup from HE TunnelBroker.

    Also... This setup needs a bit of cleanup and improvement. Especially the way I handle IPv6 is worse than crude but hey... It works ^^ So if anyone is going to critisize, please come with a solution. Because when it comes to IPv6 and iptables, I suck...

    1. DNSMasq.conf
      https://raw.githubusercontent.com/nomadturk/vpn-adblock/master/etc/dnsmasq.conf
      This is my DNSMasq config. REPLACE the IP addresses with your own. I use DNSMasq and Softether to
      • Create a network between my server and clients.
      • Give them an ad-free internet access
      • Set their DNS to my VPN and Google DNS
      • Give them IPv6 addresses from my IPv6 tunnel
      • Cache DNS requests
    2. Softether init file.
      https://github.com/nomadturk/vpn-adblock/blob/master/etc/init.d/vpnserver
    3. Bash script for getting and compiling a Hosts file. https://raw.githubusercontent.com/nomadturk/vpn-adblock/master/updateHosts.sh
      You can place this to any folder and call it from cron.
      • It downloads a number of hosts files over the internet.
      • Combines them to one.
      • Replaces all their IP's with 0.0.0.0
      • Removes any duplicates
      • and save it as /etc/hosts.supp`
    4. Cron scripts to ensure IPv6 addresses are there.
      I don't know why but I realized that sometimes IPv6 addresses were disappearing from tap_softether interface. Thus I couldn't get an IPv6 address. To prevent that I am running command below to ensure they're there.
      If they are not, another script runs to re-assign them
      https://raw.githubusercontent.com/nomadturk/vpn-adblock/master/cron/vpn-ip-verify-int
      https://raw.githubusercontent.com/nomadturk/vpn-adblock/master/cron/vpn-ip-verify-ipv6
      https://raw.githubusercontent.com/nomadturk/vpn-adblock/master/cron/vpn-ip-verify-ipv6-2

    Maybe @rm_ can give it a look and point me in the right direction for ipv6 parts since he's so eager to "rape" all into ipv6.

    I never turn down help on improving my Nginx Configuration Template ;)
    NameSilo.com coupons: CheapDoms or Discounted

  • @Nomad

    I'm on mobile. It's kinda hard to read.

    DNSMasq config - question:

    dhcp-range=2001:470:XXXX:YYYY::1,2001:470:XXXX:YYYY::ff,constructor:he-ipv6, slaac,ra-only,64,24h

    Can you explain the XXXX:YYYY?

    The ::1 = :0000:0001 I understand that. But my IPv6 doesn't have :0000:0001

    What if my IPv6 is:

    2207:ffe8:102:213:1234:1234:db80:b29e

    How do I put in the dhcp-range?

  • Why don't you just try adding your IPv6 instead of those two?

    In my example, I used the XXXX:YYYY in order to not write my own IPv6 block. Also since I have a block I am giving every connecting client an IPv6 of their own. So far it is successful. When I am connected to my VPN I get a local IP for my VPN connection, my VPS's external IP and a real IPv6 address.

    For your instance, why don't you try changing this line: dhcp-range=2001:470:XXXX:YYYY::1,2001:470:XXXX:YYYY::ff,constructor:he-ipv6, slaac,ra-only,64,24h

    to this line: dhcp-range=2207:ffe8:102:213:1234:1234:db80:b29e, slaac,ra-only,64,24h

    and give it a go?

    But, you HAVE TO read. Without reading you can't achieve nothing. Also, you have to change the iptables rules accordingly and add your IPv6 address to the softether tap bridge.

    Oh, also... You need to add a few lines to your sysctl:

    net.ipv6.conf.all.forwarding=1
    net.ipv6.conf.default.forwarding = 1
    
    net.ipv6.conf.tap_softether.accept_ra=2
    net.ipv6.conf.all.accept_ra = 1
    
    net.ipv6.conf.all.accept_source_route=1
    
    net.ipv4.conf.all.accept_redirects = 1
    net.ipv6.conf.all.accept_redirects = 1
    

    Well, it is not a tutorial but maybe I should write one of my own.

    I never turn down help on improving my Nginx Configuration Template ;)
    NameSilo.com coupons: CheapDoms or Discounted

  • @Nomad

    How do I find the "internal IP"?

    Yours is:

    Let's give the connecting clients an internal IP

    dhcp-range=tap_softether,10.0.13.13,10.0.13.213,ra-stateless,slaac,12h

    This guide is:

    http://blog.lincoln.hk/blog/2013/05/17/softether-on-vps-using-local-bridge/

    dhcp-range=tap_soft,192.168.7.50,192.168.7.60,12h

  • Those lines are the one part of config that gives an internal IP to connecting clients. In my example I want my clients to have an internal IP between ranges of 10.0.13.13 and 10.0.13.213 whereas that guide chose to give a range between 192.168.7.50 to 192.168.7.60.

    It all depends on your preference. For my example, I set my tap_softether interface to act as the dhcp server and give an IP from within that range to the clients. But I set the IP for tap_softether as 10.0.13.1 manually.

    I never turn down help on improving my Nginx Configuration Template ;)
    NameSilo.com coupons: CheapDoms or Discounted

  • @Nomad

    Does this mean I can pick 10.0.13.13,10.0.13.213 or 192.168.7.50,192.168.7.60

    It doesn't matter?

    I understand they are for Client IP Range. I just don't know where to find those "internal IP" in the first place.

  • NomadNomad Member
    edited February 2015

    Chuck said: It doesn't matter?

    Yep, choose it at your convenience. You can see it in the guide, how he sets up that kind of an IP and how he does add rules to the iptables.

    I never turn down help on improving my Nginx Configuration Template ;)
    NameSilo.com coupons: CheapDoms or Discounted

    Thanked by 1Chuck
  • @Nomad

    Question in

    IPv6

    ip route add 2001:470:XXXX:YYYY::/64 dev tap_softether

    ip route add 2001:470:XXXX:YYYY::1/64 dev tap_softether

    If my IPv6 is:

    2207:ffe8:102:213:1234:1234:db80:b29e

    How do I replace the above?

  • ip route add 2207:ffe8:102:213:1234:1234:db80:b29e/64 dev tap_softether

    I never turn down help on improving my Nginx Configuration Template ;)
    NameSilo.com coupons: CheapDoms or Discounted

  • @Nomad said: ip route add 2207:ffe8:102:213:1234:1234:db80:b29e/64 dev tap_softether

    If I have 2 diff IPv6, can I do:

    ip route add 2207:ffe8:102:213:1234:1234:db80:b29e/64 dev tap_softether

    ip route add 2207:ffe8:102:213:1234:1234:ac0b:2f64/64 dev tap_softether

    ?

  • Well, naturally you do that. Why don't you first try and ask if it doesn't work?

    I never turn down help on improving my Nginx Configuration Template ;)
    NameSilo.com coupons: CheapDoms or Discounted

  • murataimuratai Member
    edited August 2015

    I managed to get ipv6 address via dhcp, but it can't connect anywhere with ipv6. Can't ping aswell.

    IPV6_ADDR=2400:6180:0:X0::44:XXX1 # You can also assign this as DNS server in dnsmasq config. IPV6_SUBNET=2400:6180:0:X0::/64 # Used to assign IPv6 to connecting clients. Remember to use the same subnet in dnsmasq.conf

    my ip -6 route show | grep tap is:

    2400:6180:0:X0::44:XXX1 dev tap_vpn proto kernel metric 256

    2400:6180:0:X0::/64 dev tap_vpn proto kernel metric 256

    fe80::/64 dev tap_vpn proto kernel metric 256

  • Then you're doing something wrong...

    You should be able to use and ping ipv6 on your machine before using it on your VPN.

    I never turn down help on improving my Nginx Configuration Template ;)
    NameSilo.com coupons: CheapDoms or Discounted

Sign In or Register to comment.