[Tut] How to be „Better Safe Than Sorry“ when becoming an Exit Node (VPS/VPN Setup)
#1
Once I heard about Skycoin, I was instantly hooked. I wanted to participate, but I was worried about becoming an „Exit Node“. Where I live (Germany/EU), local laws make me personally liable for everything illegal that is done by „me“ (my IP), so that was a big turn-off. Since I was using a Russian VPS hoster for VPN tunneling sporadically for the last couple of years, I knew what to do: I wanted to route all Skywire traffic through my VPN so that my actual personal IP wouldn’t show up anywhere. Better safe than sorry, right?
I noticed several other people having the same concerns over and over again, so I thought I’d make a „quick“ tutorial on how to set up the VPN. Keep in mind though, that in this tutorial we will create our own VPN service on a VPS (Virtual Private Server) instead of using a dedicated VPN hoster. It’s a hell of a lot more work but there are several upsides: It’s dirt cheap, IPs aren’t blacklisted, it’s stable and you can use your VPS for anything you want. Plus, you can use your newly created VPN for an unlimited amount of devices as well.

For the sake of the Tutorial, I will use the combination that I’ve been using for the last several years: A VPS with the Russian Hoster „VEESP“ (former „Vstoike“) combined with SoftetherVPN Server.
You can switch out the hoster for pretty much anyone else (just make sure they DO NOT work closely with EU/American Authorities when it comes to DMCA/Copyright stuff or worse!), but you can’t use any other VPN Software if you want to follow this Tutorial.




Requirements:
-         Already pre-configured and running Skyminer Setup (Personally, I have followed this guide here https://skywug.net/forum/Thread-Raspberr...TNET-READY)
-         Router that is capable of running a VPN
-         6+ Bucks via Paypal or Bitcoin for the VPS Hoster

Note: I have no idea if this setup works with the "official" Skyminer since I only have a DIY Raspberry Pi one. So take this Tut with a grain of salt if you're on the official Miner!
 
With that being said, let’s get started!



1. Setting up the VPS

At first, you need to buy the VPS. Go visit VEESP or the Hoster of your choice. Select the option that you want. I can recommend the „Linux HDD VPS – HDD 1“ because it has unlimited Traffic and 50GB of storage in case you want to run and/or download several things on it. It’s 6€ Monthly, you get 10/20/30 percent off if you pay Quarterly, Semi-Annually or Annually. Choose the option you’re comfortable with. If you decide to go with VEESP, I'd appreciate it if you'd use my Referral since I get a small commission (it doesn't cost you any extra). Ref-Link  Non-Ref-Link
Regarding the Hostname: Just choose any name, it’s not important. Go with „anydomainname1.com“ or something. After you’ve paid the Invoice, the VPS is pretty much instantly available and you can get right to it. 
Go to „Client Area“, then select your VPS. Open Putty (or any other SSH Terminal) and log into your VPS with your login credentials. At first, make an update.

Code:
apt-get update && apt-get upgrade -y

This could take a while.


Then either stay logged in as "root" or just add another user and grant Sudo privileges (replace "Bob" with your actual Username or just copy+paste this one):
Code:
adduser Bob
adduser Bob sudo
Logout, then login as "Bob".




2. Setting up the VPN Server on our VPS

Install Lynx:
Code:
sudo apt-get install lynx -y

Use Lynx to download Softether VPNserver
Code:
lynx http://www.softether-download.com/files/softether/
and choose the appropriate Version (Latest RTM -> Linux -> Softether VPN Server -> 64bit Intel x64 or AMD64). Press "D" and then Enter to "Save to Disk". I went with the Version
softether-vpnserver-v4.25-9656-rtm-2018.01.15-linux-x64-64bit.tar.gz. After saving, you can just press "Q" to quit.


Now unpack the file:
Code:
tar xzvf softether-vpnserver-v4.25-9656-rtm-2018.01.15-linux-x64-64bit.tar.gz

Now make sure the appropriate tools are installed:
Code:
sudo apt-get install build-essential -y



Now switch to the "vpnserver" directory and install it (press "yes" / "1" for all):
Code:
cd vpnserver
sudo make

Move the vpnserver directory and change file permissions:
Code:
cd ..
sudo mv vpnserver /usr/local
cd /usr/local/vpnserver/

sudo chmod 600 *
sudo chmod 700 vpnserver
sudo chmod 700 vpncmd

The next step is to make Vpnserver run at startup (optional, but strongly advised!)
Code:
sudo nano /etc/init.d/vpnserver

paste the following into the file:
Code:
#!/bin/sh
# chkconfig: 2345 99 01
# description: SoftEther VPN Server
DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
# Do nothing if the server binary is missing or not executable
test -x "$DAEMON" || exit 0
case "$1" in
  start)
    "$DAEMON" start
    touch "$LOCK"
    ;;
  stop)
    "$DAEMON" stop
    rm -f "$LOCK"
    ;;
  restart)
    "$DAEMON" stop
    sleep 3
    "$DAEMON" start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
exit 0
Press Ctrl+X to exit, Y to save and then Enter.


Make a new directory (if not existing already)
Code:
sudo mkdir -p /var/lock/subsys

and change the permissions for the vpnserver and the startup script:
Code:
sudo chmod 755 /etc/init.d/vpnserver && sudo /etc/init.d/vpnserver start

Now you've successfully installed Vpnserver. Check if everything is working:
Code:
cd /usr/local/vpnserver
./vpncmd
press 3 (VPN Tools) and then type "check".
If everything is working fine, you should get a couple of "PASS" messages. Exit the VPN Tools by writing "exit".


Run "./vpncmd" again and press "1". The following step is not "official" but any other way gave me an error: 
Regarding the "Hostname of IP Address of Destination"... type in YOURSERVERIP:5555 and press Enter ("official" guides tell you to leave everything blank but it didn't work for me. Only typing in the IP and Port 5555 worked!). Leave the next field Blank and press Enter.
Then, configure your (VPN)Server Password:
Code:
ServerPasswordSet

How the next step is done comes down to personal preference. You can do it my way or follow strictly Terminal-based guides. Personally, I find the Windows Manager WAY more easy and intuitive than the SSH-Terminal-one.

After setting up my Server Password, I log out of Putty and do the rest via the Program "Softether VPN Server Manager for Windows" (Link Here).
Go to "New Setting" and type in YOUR VPS IP  and YOUR VPNSERVER PASSWORD and then "connect".
You don't necessarily need to create a Virtual Hub but you can create as many Hubs and Users as you want. For the sake of the Tutorial, we'll go with the Default one.
Setup your "DEFAULT" Virtual Hub with a click on "Manage Virtual Hub". VERY IMPORTANT: Click on "Virtual Hub Properties" and check the Box that says "No Enumerate to Anonymous Users"! 

Also, make sure you enable Virtual Nat and Virtual DHCP-Server. Visit the Virtual NAT Settings. Click on "Secure Nat Configuration". Very Important: Write down the "Default Gateway Address" (i.e. 192.168.30.1) on the right bottom side. You'll need it later.

Now create at least one User via "Manage Users" -> "new". Fill out the "User Name", leave everything on the left side blank. On the right side, just configure the Password for your User.
In the Main Menu of your DEFAULT Hub, activate IPsec and L2TP.

That's it! Your VPN is now ready to rock n roll!



3. Configuring your Subnet and your VPN Tunnel.

Now it gets a little more tricky (because every router and home setup is different) and I'll try and do my best to explain everything.

Let's assume you have the following Setup right now:
Your ISP Router: 192.168.2.100
Your Skyminer-Router: 192.168.2.160
Your Skyminer IP's: 192.168.2.161, 192.168.2.162, .......163, ........164 etc.

What I wanted to do is create a completely separate Subnet WITHOUT any Port Forwarding rules. That means we have to create another Subnet (i.e. 192.168.0.1 ++). Since I can only connect to one Subnet at a time with one PC (without forwarding), I connect to the Skyminer-Router only via a different Machine (in my Case: Macbook via WiFi). So make sure you don't lock yourself out of any of your devices!


First, we need to change the IP-, Router-, and Gateway-Setting for the Skyminer Nodes via logging into each one and typing:
Code:
sudo nano /etc/dhcpcd.conf

Assuming you had the above setup with a .2.xxx Subnet, you'll need to change it to something like this (put in your respective desired IP's of course!):

Code:
interface eth0
# THIS IS YOUR SKYMINER'S IP
static ip_address=192.168.0.100
# THIS IS YOUR SKYMINER-ROUTER'S IP
static routers=192.168.0.1
# THIS IS THE DNS OF YOUR VPN's VIRTUAL NAT (which you wrote down earlier)
static domain_name_servers=192.168.30.1
Close Nano with Ctrl+X, then Y, then Enter. Then reboot the Node with "sudo reboot".

Configure all existing Nodes like the above until you're done (with a different static IP for each node, of course). Note: They will not be available/online until you've configured your Skyminer-Router as well, so make sure you finish the setup completely until they're back up again!
When you're done configuring your Nodes, edit the static IP of your Skyminer-Router accordingly (in this case: 192.168.0.1). Make sure you have physical (LAN) and/or Wifi access to your Skyminer-Router! Because after you've changed the IP, you'll get kicked out (different subnet, from XXX.XXX.2.XXX to XXX.XXX.0.XXX) and need to reconnect!

After you've successfully reconnected to your Skyminer-Router you should be able to connect to your Skyminer-Nodes. You should NOT be able to access them from anywhere outside of this subnet (your "regular" home network) and vice versa. 

Now that your freshly created Subnet is working like a charm internally, you need to configure your Skyminer-Router to connect to the Internet Via your VPN-Tunnel. Unfortunately, I can't explain this step in detail because every Router is different but I'll try. I'll post my personal setup, only edited to match the IP's for this Tutorial.

Connection Type: L2TP
Username: YOUR VPN USERNAME (The User you created for the DEFAULT Hub)
Password: YOUR VPN USER PASSWORD (The password for said User)

Addressing Type: Dynamic IP (it's only the IP that's given to our Router from our VPS, NOT our Internal IP!)

Server IP Address: YOUR VPS SERVER'S IP
Subnet: 255.255.255.0
Gateway: 192.168.2.100 (This is your ISP's Router)
DNS Server: 192.168.2.100 (This is your ISP's Router)

Internet IP Address: 192.168.30.10 (this is the IP that the DHCP on our VPS has given us, you don't need to change this)
Internet DNS: 192.168.30.1 (This is the "DNS-Server" from our VPS which you've written down earlier)



And that is it, folks. You can test your external IP if you visit a site like "whatismyip.com" (when your PC/Mac is connected to your Skyminer-Router) and you'll see if it's working correctly. The Website should output that you're connecting from Russia (or wherever your VPS sits).
With this setup, everything in your "regular" home network is running just as before and has your residential IP (which is good because everyday services don't like it if you login with IPs from another country/continent!), and everything behind your Skyminer-Router will get tunneled through the VPN. Magnificent!


I wrote this Tutorial mostly at the top of my head (because I've already set up everything), so if there are any HUGE flaws, just tell me Smile




[-] The following 4 users say Thank You to Clownstick for this post:
  • adhaelon, I Am You, Lancek, skyguy
Reply
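A scripted version of the closing "whatismyip" check from the post above, combined with a sanity check of a node's `/etc/dhcpcd.conf`; this is an added example, not part of the original post. It assumes the tutorial's sample addresses; the VPS IP and the URL of a plain-text what-is-my-IP service are passed as arguments, and `sample_conf` is constructed input.

```shell
#!/bin/sh
# Added example: leak check for a node behind the VPN router (tutorial's sample addresses).
# Constructed sample: a dhcpcd.conf block like the tutorial's, with inline comments.
sample_conf() {
cat <<'EOF'
interface eth0
static ip_address=192.168.0.100 #node
static routers=192.168.0.1 #Skyminer-Router
static domain_name_servers=192.168.30.1 #VPN virtual NAT
EOF
}

# Print "key value" for each static setting of one interface (config on stdin).
# Trailing "#..." comments are stripped so they never become part of a value.
static_settings() {
  awk -v ifc="$1" '
    { sub(/[ \t]*#.*/, "") }
    $1 == "interface" { active = ($2 == ifc); next }
    active && $1 == "static" { split($2, kv, "="); print kv[1], kv[2] }'
}

# First three octets of an IPv4 address (the tutorial uses /24 networks only).
net24() { ip=${1%%/*}; echo "${ip%.*}"; }

# usage: check_node_config <iface> <home_net24> <vpn_dns>   (config on stdin)
check_node_config() {
  cfg=$(static_settings "$1")
  node=$(echo "$cfg" | awk '$1 == "ip_address" { print $2 }')
  gw=$(echo "$cfg" | awk '$1 == "routers" { print $2 }')
  dns=$(echo "$cfg" | awk '$1 == "domain_name_servers" { print $2 }')
  [ -n "$node" ] && [ -n "$gw" ] || { echo "FAIL: no static config for $1"; return 1; }
  [ "$(net24 "$node")" = "$(net24 "$gw")" ] || { echo "FAIL: node and router are in different subnets"; return 1; }
  [ "$(net24 "$node")" != "$2" ] || { echo "FAIL: node is still in the home subnet $2.x"; return 1; }
  [ "$dns" = "$3" ] || { echo "FAIL: DNS $dns is not the VPN resolver $3"; return 1; }
  echo "OK: $node via $gw, DNS $dns"
}

# usage: egress_verdict <observed_public_ip> <vps_ip>
egress_verdict() {
  if [ "$1" = "$2" ]; then echo "OK: traffic exits via the VPS"
  else echo "LEAK: traffic exits via $1"; return 1; fi
}

# Live run on a node: sh leakcheck.sh <vps_ip> <url of a plain-text what-is-my-IP service>
if [ $# -eq 2 ]; then
  rc=0
  check_node_config eth0 192.168.2 192.168.30.1 < /etc/dhcpcd.conf || rc=1
  egress_verdict "$(curl -fsS --max-time 10 "$2")" "$1" || rc=1
  exit "$rc"
fi
```

Run without arguments it does nothing; with both arguments it exits non-zero if either check fails, so it can be scheduled on one node and alerted on.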
#2
Awesome stuff man. I like what you did here. Instead of Lynx, could you not use wget?
Reply
#3
(06-12-2018, 01:27 PM)I Am You Wrote: Awesome stuff man. I like what you did here. Instead of Lynx, could you not use wget?

Thanks mate Smile

I've learned some Linux basics years ago and we always used Lynx. 
Just tried wget and all I get is an index.html with the same URL as used above.

If someone's used to wget I'm sure he can do it this way as well... but I'm not used to it, so...  Big Grin
Reply
#4
What are the advantages of this as opposed to just changing the DNS: https://github.com/skycoin/skywire/wiki/...ial-images
Reply
#5
(06-14-2018, 08:12 PM)Marcus Wrote: What are the advantages of this as opposed to just changing the DNS: https://github.com/skycoin/skywire/wiki/...ial-images

DNS: Think about a sort of "Phone Book" for the internet. You type in a name (i.e. Google.com) and the DNS gives you the number (the IP address of Google's Server) because no one would remember 95.223.157.216.
OpenDNS for example blocks adult/gambling/sensitive content so that the "Phone Book" aka DNS returns an Error. That's about it.
If someone would Download Torrents etc. over your IP, the DNS wouldn't be of much help to avoid that. Or someone could host nasty stuff on his PC, or could send death threats, or could say the wrong words on Facebook (think about "Hate Speech" laws for example) etc etc etc.

A VPN routes ALL traffic (regardless of the port) through your VPN Server. Not only is the traffic itself encrypted, your actual IP wouldn't show up anywhere as opposed to a different DNS. So if you want to protect yourself against someone doing weird shit with your IP, a VPN is the way to go. 
For me personally, I couldn't sleep if I was running a VPN service with my actual IP. It's like going on vacation and leaving your doors and windows open.

Of course every VPN/VPS provider only has a certain tolerance when it comes to illegal stuff. If they send out freaking Interpol, you'd be screwed no matter who you choose... but I'm thinking more about Copyright and "Hate Speech" stuff.
Reply
#6
This is great.  Hope somebody can do this for protonvpn as protonvpn has a free one device policy, and I have premium protonvpn for not much more than $10/month....would be great to know what steps r needed to get protonvpn to work with adhaelon's rpi images.

the official guide uses protonvpn,
https://github.com/skycoin/skywire/wiki/...connection
but it states it only works with official images, and i'd rather not have to reflash the whole thing if something goes awry as im not technically savvy
Reply
#7
(06-23-2018, 11:40 PM)dee_el_hugely Wrote: This is great.  Hope somebody can do this for protonvpn as protonvpn has a free one device policy, and I have premium protonvpn for not much more than $10/month....would be great to know what steps r needed to get protonvpn to work with adhaelon's rpi images.

the official guide uses protonvpn,
https://github.com/skycoin/skywire/wiki/...connection
but it states it only works with official images, and i'd rather not have to reflash the whole thing if something goes awry as im not technically savvy

Still very early days at the moment. It should work very well on unofficial images, may require a little bit of tweaking but overall should be fine. There are so many OS's and differences in hardware that most of this is done for either Orange or Raspberry Pi's. We are still in very early testing days at the moment; all of this will be solid and stable and easy in the future.
Reply
#8
(06-29-2018, 07:21 PM)Matto Wrote: [...] but I really think a better way is to have the router tunnel the traffic through a VPN (the router must be DD-WRT or ASUS-WRT). This only takes 1 vpn connection (free or paid), and your router can route many devices through it.

Yeah well, my guide does EXACTLY that Big Grin

Edit: Just double-checked and my VPN Manager shows only 1 incoming connection from all my nodes, so my guide is pretty much what you want Smile
Plus, if you go with running a VPN Service on a VPS, you can make pretty much unlimited connections anyway.
Reply
#9
(07-02-2018, 12:13 PM)Matto Wrote:
(07-02-2018, 12:30 AM)Clownstick Wrote:
(06-29-2018, 07:21 PM)Matto Wrote: [...] but I really think a better way is to have the router tunnel the traffic through a VPN (the router must be DD-WRT or ASUS-WRT). This only takes 1 vpn connection (free or paid), and your router can route many devices through it.

Yeah well, my guide does EXACTLY that Big Grin

Edit: Just double-checked and my VPN Manager shows only 1 incoming connection from all my nodes, so my guide is pretty much what you want Smile
Plus, if you go with running a VPN Service on a VPS, you can make pretty much unlimited connections anyway.

Ah! Sorry! I guess I didn't think about it--I run more than one miner and was wimping-out at the work of setting up the VPN connection on each miner's manager. Upside_down 

I've never done a VPS VPN... Is the main benefit of that, cost-savings? (as opposed to a VPN service)

Yeah I like the flexibility of it. You can run unlimited devices plus you can run all sorts of stuff on your VPS (if you have any use for it). And it's extremely cheap if you book ~1 year (around $30, which equals $2.50 per month - that's almost unbeatable if you look at what you're getting "bang for buck"-wise Big Grin )
Reply

