How to set up headless (No GUI/CLI Only) Ubuntu
v3 - Perfected and good to go
OK, so if you're like me, you like to SSH into your server and get to typing... This guide does NOT require SSH; you can set this up on a command line from a machine with a monitor/keyboard/etc. just the same, so don't ask me about SSH, Google it.
No step is optional unless EXPLICITLY stated otherwise. If you can't install basic tools you might need but do not yet have (such as the zip utility), this guide is probably over your head; otherwise it should be a cakewalk.
If you absolutely need a way to thank me via donation, I'll use it to replace the days I lost trying to set this up lol:
Bitcoin: 1BX3JJ1Fw8xiqrhnmAz27zkJCHPmygJSX5
Step 1: Install deluge
First we need two components to set up deluge for remote access: deluged and deluge-webui. Use these commands to install them:
sudo adduser --disabled-password --system --home /var/lib/deluge --gecos "deluge server" --group deluge
sudo touch /var/log/deluged.log
sudo touch /var/log/deluge-web.log
sudo chown deluge:deluge /var/log/deluge*
sudo apt-get update
sudo apt-get install deluged
sudo apt-get install deluge-webui
sudo vi /etc/init/deluged.conf
Then in vi, press i for insert and paste the following:
description "Deluge daemon"
author "Deluge Team"
start on filesystem and static-network-up
stop on runlevel [016]
respawn
respawn limit 5 30
env uid=deluge
env gid=deluge
# umask 000: files deluged creates are readable and writable by every local user
env umask=000
exec start-stop-daemon -S -c $uid:$gid -k $umask -x /usr/bin/deluged -- -d
Then press the Escape key and type ":wq" without the quotes and hit enter.
sudo vi /etc/init/deluge-web.conf
Then in vi, press i for insert and paste the following:
start on started deluged
stop on stopping deluged
respawn
respawn limit 5 30
env uid=deluge
env gid=deluge
# umask 027: files the web UI creates are not accessible to other users
env umask=027
exec start-stop-daemon -S -c $uid:$gid -k $umask -x /usr/bin/deluge-web
Then press the Escape key and type ":wq" without the quotes and hit enter.
sudo reboot -h now
That's it, deluge is now set up with its own web UI at port 8112 on that machine. Don't mess with it yet though.
Step 2: Install OpenVPN
Now we install and configure OpenVPN. Run the following commands:
sudo apt-get install openvpn
cd /etc/openvpn
sudo unzip openvpn.zip
For this next part, you can use whatever VPN connection you like. I use the Netherlands as an example. Continue with the following commands:
sudo cp Netherlands.ovpn pia-nl.conf
sudo vi pia-nl.conf
Change:
auth-user-pass
To:
auth-user-pass login.conf
sudo vi login.conf
Then in vi, press i for insert and paste the following:
yourPIAusername
yourPIApassword
Then press the Escape key and type ":wq" without the quotes and hit enter.
sudo chmod 400 login.conf
sudo vi /etc/default/openvpn
Add an AUTOSTART entry for pia-nl (the .conf extension is not needed, and do NOT put a # in front), for example:
AUTOSTART="pia-nl"
sudo reboot -r now
After the restart is done, you should be automatically connected to the VPN, check with the following command:
wget -q -O - ipecho.net/plain
The output from that command should be an IP address, but it should NOT be YOUR PUBLIC IP ADDRESS; it should, in this example, be one of the Netherlands IPs from PIA. As long as an IP shows up and it's not your own IP, you can assume everything is OK and continue.
Step 3: Create iptables to prevent leaks
An easy way is to create a service .conf that will persist any iptables rules you like.
You can install a package to do this, but the manual way is as such:
sudo vi /etc/init/persist-iptables.conf
You can name it whatever you like, just make sure it's in /etc/init/ and ends with .conf
Then you want to insert the following lines:
description "Persist IPTables on Boot"
start on runlevel [2345]
script
# Accept all loopback traffic localhost or 127.0.0.1
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Accept any DNS traffic, I use a DD-WRT router with
# Force DNS Redirection to a non-logging DNS
iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
iptables -A INPUT -s 255.255.255.255 -j ACCEPT
# Accept all local traffic from 192.168.1.1-192.168.1.255
iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
# Forward all eth0, eth1, etc through tun interfaces
iptables -A FORWARD -i eth+ -o tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth+ -j ACCEPT
# Postroute masquerade through tun interfaces
iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
# Drop any other traffic through eth adapters
iptables -A OUTPUT -o eth+ ! -d a.b.c.d -j DROP
end script
Now when your system reboots (which clears your iptables rules), this job will run automatically to load the rules again. You can also call it yourself with sudo service persist-iptables start
This file will allow all localhost traffic, allow all DNS traffic (it's up to you to make sure it's the RIGHT DNS coming from your router), allow all local traffic, forward traffic from eth adapters to the tun adapter and postroute masquerade it, and finally drop any other traffic.
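Because the OUTPUT policy stays at ACCEPT, leak protection depends entirely on that last DROP rule being loaded and on no broader ACCEPT sitting ahead of it. The script below is an added example, not part of the original guide, that audits `iptables -S` output for exactly that; the embedded listing is constructed, and 203.0.113.10 is a made-up stand-in for the a.b.c.d placeholder.

```shell
#!/bin/sh
# Added example, not from the original guide. Audits `iptables -S` output
# for the Step 3 kill switch: returns 0 when outbound traffic on eth
# interfaces is confined, 1 when something can leave outside the tunnel.
audit_killswitch() {
    drop_seen=0; leaks=0
    while IFS= read -r rule; do
        case "$rule" in
            "-A OUTPUT "*) ;;             # only the OUTPUT chain is audited
            *) continue ;;
        esac
        # Rules after the DROP only see traffic the DROP let through.
        if [ "$drop_seen" -eq 1 ]; then continue; fi
        case "$rule" in
            *"-o eth"*"-j DROP"*)
                drop_seen=1
                allowed=$(printf '%s\n' "$rule" |
                    sed -n 's/.*! -d \([^ ]*\).*/\1/p')
                echo "kill switch found; eth exception: ${allowed:-none}" ;;
            *"! -d "*"-j ACCEPT"*)        # "everything except X" is broad
                leaks=1; echo "LEAK: $rule" ;;
            *" -d "*"-j ACCEPT"*) ;;      # limited to one destination
            *"-o eth"*"-j ACCEPT"*)       # any destination, straight out eth
                leaks=1; echo "LEAK: $rule" ;;
            *" -o "*"-j ACCEPT"*) ;;      # bound to lo or tun, not eth
            *"-j ACCEPT"*)                # no interface or destination limit
                leaks=1; echo "LEAK: $rule" ;;
        esac
    done
    if [ "$drop_seen" -eq 0 ]; then
        echo "LEAK: no DROP rule on eth+, the OUTPUT policy decides"
        return 1
    fi
    return "$leaks"
}

# Constructed listing, as `iptables -S` would print the guide's rules.
# 203.0.113.10 is a made-up stand-in for the a.b.c.d placeholder.
sample_rules() {
    cat <<'EOF'
-P OUTPUT ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 255.255.255.255/32 -j ACCEPT
-A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
-A OUTPUT ! -d 203.0.113.10/32 -o eth+ -j DROP
EOF
}

sample_rules | audit_killswitch
```

On the server, feed it the live rules with `sudo iptables -S | audit_killswitch` after each reboot; a non-zero exit means the persist-iptables job did not load the DROP rule or an earlier ACCEPT bypasses it.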
Comments
sudo cp UK_Southampton.ovpn pia-uk.conf
What is the destination a.b.c.d supposed to be?
Edit: Some google-fu led me to the following Reddit page which helped solve the issue:
https://www.reddit.com/r/HomeNetworking/comments/61jany/persistent_ip_tables_for_my_linux_headless_server/
openvpn and take a look at the AUR-package pia. When built it contains a working service file, an executable that sets your credentials in the correct path and config files for all countries. And just in case you do not want to have the OpenVPN via PIA as your default route you have to add the option route-nopull to your config file.