How to set up headless (No GUI/CLI Only) Ubuntu

edited November 2015 in VPN Setup Support Posts: 3

v3 - Perfected and good to go


First off, if this saves ONE PERSON the DAYS of frustration I spent trying complex solutions to set this up, it was ALL worth it... PLEASE PIA Staff feel free to sticky this...

OK, so if you're like me, you like to SSH into your server and get to typing... This guide does NOT require SSH, you can set this up on a command line from a machine with a monitor/keyboard/etc just the same, so don't ask me about SSH, google it.

No step is optional unless EXPLICITLY stated otherwise. If you can't install basic tools you might need but not yet have (such as the zip utility) this guide is probably over your head, otherwise it should be a cakewalk.

If you absolutely need a way to thank me via donation, I'll use it to replace the days I lost trying to set this up lol:
Bitcoin: 1BX3JJ1Fw8xiqrhnmAz27zkJCHPmygJSX5

Step 1: Install deluge

First, we need two components to set up deluge for remote access: deluged and deluge-webui. Just use these commands to do so:

sudo adduser --disabled-password --system --home /var/lib/deluge --gecos "deluge server" --group deluge

sudo touch /var/log/deluged.log

sudo touch /var/log/deluge-web.log

sudo chown deluge:deluge /var/log/deluge*

sudo apt-get update

sudo apt-get install deluged

sudo apt-get install deluge-webui

sudo vi /etc/init/deluged.conf

Then in vi, press i for insert and paste the following:

description "Deluge daemon"
author "Deluge Team"

start on filesystem and static-network-up
stop on runlevel [016]

respawn
respawn limit 5 30

env uid=deluge
env gid=deluge
env umask=000

exec start-stop-daemon -S -c $uid:$gid -k $umask -x /usr/bin/deluged -- -d

Then press the Escape key and type ":wq" without the quotes and hit enter.

sudo vi /etc/init/deluge-web.conf

Then in vi, press i for insert and paste the following:

start on started deluged
stop on stopping deluged

respawn
respawn limit 5 30

env uid=deluge
env gid=deluge
env umask=027

exec start-stop-daemon -S -c $uid:$gid -k $umask -x /usr/bin/deluge-web

Then press the Escape key and type ":wq" without the quotes and hit enter.

sudo reboot -h now

That's it, deluge is now set up with its own web UI at port 8112 on that machine. Don't mess with it yet though.

Step 2: Install OpenVPN

Now we install and configure OpenVPN, do the following commands:

sudo apt-get install openvpn

cd /etc/openvpn


sudo unzip openvpn.zip

For this next part, you can use whatever VPN connection you like; I use the Netherlands as an example. Continue with the following commands:

sudo cp Netherlands.ovpn pia-nl.conf

sudo vi pia-nl.conf

Change:
auth-user-pass
To:
auth-user-pass login.conf

sudo vi login.conf

Then in vi, press i for insert and paste the following:

yourPIAusername
yourPIApassword

Then press the Escape key and type ":wq" without the quotes and hit enter.

sudo chmod 400 login.conf

sudo vi /etc/default/openvpn

Add an AUTOSTART entry for pia-nl (.conf is not needed, and do NOT put a # in front). Example:
AUTOSTART="pia-nl"

sudo reboot -r now

After the restart is done, you should be automatically connected to the VPN, check with the following command:

wget -q -O - ipecho.net/plain

The output from that command should be an IP address, but it should NOT be YOUR PUBLIC IP ADDRESS; it should, in this example, be one of the Netherlands IPs from PIA. As long as an IP shows up and it's not your own IP, you can assume everything is OK and continue.

Step 3: Create iptables to prevent leaks

An easy way is to create a service .conf that will persist any iptables rules you like.

You can install a package to do this, but the manual way is as such:

sudo vi /etc/init/persist-iptables.conf

You can name it whatever you like, just make sure it's in /etc/init/ and ends with .conf

Then you want to insert the following lines:

description "Persist IPTables on Boot"

start on runlevel [2345]

script
# Accept all loopback traffic localhost or 127.0.0.1
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Accept any DNS traffic, I use a DD-WRT router with
# Force DNS Redirection to a non-logging DNS
iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
iptables -A INPUT -s 255.255.255.255 -j ACCEPT

# Accept all local traffic from 192.168.1.1-192.168.1.255
iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT

# Forward all eth0, eth1, etc through tun interfaces
iptables -A FORWARD -i eth+ -o tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth+ -j ACCEPT

# Postroute masquerade through tun interfaces
iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE

# Drop any other traffic through eth adapters
iptables -A OUTPUT -o eth+ ! -d a.b.c.d -j DROP
end script

Now when your system reboots (which clears your IP tables) this will run automatically to update the iptables again. You can also call it yourself with sudo service persist-iptables start

This file will allow all localhost traffic, allow all DNS traffic (it's up to you to make sure it's the RIGHT dns coming from your router), allow all local traffic, forward traffic from eth adapters to tun adapter and postroute masq it, and finally drop any other traffic.

Post edited by p1243960 on
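
The Step 3 kill switch depends on rule order: the final DROP only protects you if no earlier ACCEPT already lets traffic out of the physical interface, and if the interface pattern actually matches your NIC. The check below is an added example, not part of the original post; it audits the text printed by iptables -S OUTPUT, and the function names, the sample listings and the address 203.0.113.10 (standing in for a.b.c.d, assumed here to be the VPN server address, which the post does not state) are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit an OUTPUT chain listing for the Step 3 kill switch.
# Reads `iptables -S OUTPUT` text on stdin; $1 = interface name prefix (default eth).
# Returns 0 = kill switch in effect, 1 = no matching DROP rule, 2 = bypassed by
# an earlier unrestricted ACCEPT (rules are evaluated top to bottom).
audit_output_chain() {
    awk -v pfx="${1:-eth}" '
    $1 != "-A" || $2 != "OUTPUT" { next }      # skip the -P policy line
    {
        out = ""; dst = ""; neg = 0; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-o") out = $(i + 1)
            if ($i == "-d") { dst = $(i + 1); neg = ($(i - 1) == "!") }
            if ($i == "-j") target = $(i + 1)
        }
        on_phys = (index(out, pfx) == 1)        # rule names a physical NIC
        if (target == "DROP" && on_phys && neg) { found = 1; exit }
        if (target == "ACCEPT" && (on_phys || out == "") && dst == "") { bypass = 1; exit }
    }
    END { if (bypass) exit 2; exit (found ? 0 : 1) }'
}

# Constructed listings. 203.0.113.10 is a placeholder for a.b.c.d, assumed
# here to be the VPN server address (the post does not say).
GOOD_RULES='-P OUTPUT ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 255.255.255.255/32 -j ACCEPT
-A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
-A OUTPUT ! -d 203.0.113.10/32 -o eth+ -j DROP'

# Same kill switch, but an unrestricted ACCEPT sits ahead of the DROP.
BYPASSED_RULES='-P OUTPUT ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT ! -d 203.0.113.10/32 -o eth+ -j DROP'

# Print a verdict for a listing: audit_report "$RULES" [prefix]
audit_report() {
    rc=0
    printf '%s\n' "$1" | audit_output_chain "${2:-eth}" || rc=$?
    case $rc in
        0) echo "OK: non-VPN traffic on ${2:-eth}* is dropped" ;;
        1) echo "FAIL: no kill-switch DROP rule for ${2:-eth}*" ;;
        2) echo "FAIL: an earlier ACCEPT lets traffic out before the DROP" ;;
    esac
    return $rc
}
```

On a live machine, pipe sudo iptables -S OUTPUT into audit_output_chain. On Ubuntu releases that name interfaces enp... or ens... instead of eth0, pass that prefix as the argument: a rule written for eth+ matches nothing there, and the audit reports the kill switch as missing.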

Comments

  • Posts: 1
    Is there a way to restrict this so that only deluge uses the OPENVPN and not the entire server? Like set up a network interface for the OPENVPN so you can set that interface in deluge to use, yet allow the rest of the server to work with the original interface without VPN access?
  • Posts: 1
    Hi,

    Thanks for this guide. I have one question about this part:  sudo cp Netherlands.ovpn pia-nl.conf  

    If I wanted to use a UK server, would I also change those letters to UK? Like this:  

    sudo cp UK_Southampton.ovpn pia-uk.conf 

  • In this line iptables -A OUTPUT -o eth+ ! -d a.b.c.d -j DROP

    What is the destination a.b.c.d supposed to be?
  • Posts: 1
    I made an account for the sole purpose of thanking you for this guide. I'm one of those ones that you saved days of frustration for. Working flawlessly for me :)
  • edited July 21 Posts: 1
    Thanks for this. It would have taken me quite a while to figure this out. I am having an issue at the last step converting the init script to systemd. Can anyone lend a hand?

    Edit: Some google-fu led me to the following Reddit page which helped solve the issue:

    https://www.reddit.com/r/HomeNetworking/comments/61jany/persistent_ip_tables_for_my_linux_headless_server/


    Post edited by p6150210 on
  • Posts: 1
    wget -q -O - ipecho.net/plain just returns my IP address so I assume something isn't working properly. What do I have to do then? 
