3 Ways to Securely Browse the Internet with OpenVPN on Debian 8

We hope you find this tutorial helpful. In addition to guides like this one, we provide simple cloud infrastructure for developers. Learn more →

Introduction

Reasons for browsing the Internet with more privacy vary as much as the ways to achieve it.

In this tutorial we will explain in detail how to set up a virtual private network (VPN) on a server so it secures three important components of your Internet browsing experience:

• Privatize your web traffic by securing unencrypted traffic, preventing cookies and other trackers, and masking your local computer's IP address
• Prevent your local ISP from logging DNS queries, by sending them from the VPN straight to Google's DNS servers
• Scan for and prevent access to viruses and malicious applications

By running your own VPN server rather than using a commercial one, you can also avoid logging your browsing history (unless you choose to do so). Finally, you get to choose its physical location, so you can minimize latency. However, using a VPN is usually slower than using a direct Internet connection.

We'll do this by installing and configuring the following applications on your Debian 8 server:

• ClamAV is an open source antivirus engine for detecting trojans, viruses, malware, other malicious threats
• Dnsmasq is a software package that provides DNS (and few more) services. We will use it only as a DNS cache
• HAVP HTTP AntiVirus proxy is a proxy with an anti-virus filter. It does not cache or filter content. It scans all the traffic with third-party antivirus engines. In this tutorial we will use HAVP as a Transparent Proxy and chain HAVPand Privoxy together
• OpenVPN Community Edition is a popular VPN server. It provides a secure connection to your trusted server, and can also push DNS Server settings to its clients. In this tutorial the term OpenVPN will be used as the shortened form of the VPN server's name
• Privoxy is, from the official website, a non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk

After completing this tutorial, you will have a privacy gateway that:

• Secures your connection when using public WiFi spots
• Blocks advertisements and tracking features from web sites
• Speeds up web page loading times by caching server-side DNS responses
• Scans the pages you visit and files you download for known viruses

How It Works

The following diagram displays the path that a web request follows through the VPN we will set up in this tutorial.
The lanes with green backgrounds are the components of the VPN server. Green boxes represent the request steps, and blue and red boxes represent the response steps.

The traffic between your computer and the privacy server will flow through a VPN tunnel. When you open a web page in your browser, your request will be transferred to the VPN server. On the VPN server, your request will be redirected to HAVP and subsequently to Privoxy.

Privoxy will match the URL against its database of patterns. If the URL matches, it will block the URL and return a valid but empty response.

If the URL is not blocked, Privoxy acts as a non-caching proxy server to query DNS and retrieve the content of the URL. DNS queries are handled and cached by Dnsmasq.

HAVP receives the content from Privoxy and performs a virus scan via ClamAV. If any virus is found it returns an error page.

Prerequisites

Please make sure you complete the following prerequisites:

• Debian 8 Droplet with 1 GB of RAM
• Initial Server Setup with Debian 8
• How To Set Up an OpenVPN Server on Debian 8

System Requirements

The server we will configure will be easy on CPU, RAM, and disk space. Select a Droplet with at least 1GB of RAM and that provides enough bandwidth to accommodate your browsing needs.

The operating system of choice for this tutorial is Debian 8. It should also work more or less the same way for other Debian-based Linux distros like Ubuntu.

Licenses
All of the software used in this tutorial is available from Debian repositories and subject to Debian policies.
Security
This server will intercept all of your HTTP requests. Someone who takes control of this server could act as a man-in-the-middle and monitor all of your HTTP traffic, redirect DNS requests, etc. You do need to secure your server. Please refer to the tutorials mentioned in the beginning of this section to set up sudo access and a firewall as an initial level of protection.

Step 1 — Installing OpenVPN and Other Prerequisites

If you have not yet installed OpenVPN please do so now.

You can follow the tutorial How To Set Up an OpenVPN Server on Debian 8.

In the following steps we will install a few packages. To make sure your package indexes are up to date, please execute the following command.

sudo apt-get update

If you have not yet enabled ssh in your UFW firewall setup, pease do so with the following commands.

sudo ufw allow ssh

sudo ufw enable

Step 2 — Installing Dnsmasq

In this step we will install and configure Dnsmasq. Our privacy proxy server will use Dnsmasq to speed up and secure its DNS queries.
Every time you connect to a web page, your computer tries to resolve the Internet address of that server by asking a DNS (Domain Name System) server. Your computer uses the DNS servers of your ISP by default.
Using your own DNS server has the following advantages:

• Your ISP will not have any knowledge of the host names you connect to
• Your ISP cannot redirect your requests to other servers, which is one of the main methods of censorship
• Your DNS lookup speed will improve

The DNS servers you choose will know about all the DNS requests you make to them and can use this information to profile your browsing habits, redirect your searches to their own engines, or prevent your access to unapproved web sites. Choose your DNS servers wisely. OpenDNS and Google DNS servers are generally considered safe.

On a Debian system, nameserver configuration is kept in a file named /etc/resolv.conf.
Check your current nameserver configuration with the following command.

cat /etc/resolv.conf

Output:

/etc/resolv.conf

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 8.8.8.8
nameserver 8.8.4.4

As you can see, the default nameservers on this system are set to Google's DNS servers.

Now install dnsmasq with the following command:

sudo apt-get install dnsmasq

After the package is installed check your configuration again:

cat /etc/resolv.conf

Output:

/etc/resolv.conf

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1

The default nameserver is set to 127.0.0.1, which is the local interface Dnsmasq runs on.
You can test the installation with the following command. Take note of the query time in the output.

dig digitalocean.com @localhost

Output:

Output
. . .
;; Query time: 20 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
. . .

Now run the same command again and check the query time:

dig digitalocean.com @localhost

Output:

Output
. . .
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
. . .

Our second query is answered by dnsmasq from cache. The response time went down from 20 milliseconds to 1 millisecond. Depending on the load of your system, the cached results are usually returned in under 1 millisecond.

Step 3 — Installing ClamAV

Let's install our antivirus scanner so our VPN will protect us from known malicious downloads.

Install ClamAV

ClamAV is a widely used open-source antivirus scanner.
Install ClamAV and its scanner deamon:

sudo apt-get install clamav clamav-daemon

Update Virus Database

ClamAV will update its database right after the installation and check for updates every hour.
ClamAV logs its database update status to /var/log/clamav/freshclam.log. You can check this file to see how its automatic updates are processing.
Now we will wait until automatic updates are completed; otherwise, our scanning proxy (HAVP) will complain and will not start.

sudo tail -f /var/log/clamav/freshclam.log

During update progress, the current status will be written to screen.

Output
Fri Jun 19 12:56:03 2015 -> ClamAV update process started at Fri Jun 19 12:56:03 2015
Fri Jun 19 12:56:12 2015 -> Downloading main.cvd [100%]
Fri Jun 19 12:56:21 2015 -> main.cvd updated (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Fri Jun 19 12:56:28 2015 -> Downloading daily.cvd [100%]
Fri Jun 19 12:56:34 2015 -> daily.cvd updated (version: 20585, sigs: 1430267, f-level: 63, builder: neo)
Fri Jun 19 12:56:35 2015 -> Downloading bytecode.cvd [100%]
Fri Jun 19 12:56:35 2015 -> bytecode.cvd updated (version: 260, sigs: 47, f-level: 63, builder: shurley)
Fri Jun 19 12:56:41 2015 -> Database updated (3854539 signatures) from db.local.clamav.net (IP: 200.236.31.1)
Fri Jun 19 12:56:55 2015 -> 

Clamd successfully notified about the update.
Fri Jun 19 12:56:55 2015 -> --------------------------------------

Wait until you see the text marked in red,

Clamd successfully notified about the update.

. Press CTRL+C on your keyboard to exit the tail. This will return you to the command prompt.
You can continue with the Configure ClamAV section if everything went normally.

(Optional) Troubleshooting

If the virus update takes too long, you can invoke it manually. This will not be needed in normal circumstances.
Stop the autoupdate service.

sudo service clamav-freshclam stop

Invoke the updater manually and wait for its completion. Download progress will be shown in percentages.

sudo freshclam

Start the autoupdate service:

sudo service clamav-freshclam start

Configure ClamAV

Now we will allow other groups to access ClamAV. This is needed because we will configure a virus scanning proxy (HAVP) to use ClamAV in the following steps.
Edit the ClamAV configuration file clamd.conf with your favorite text editor.

sudo vi /etc/clamav/clamd.conf

Set the following parameter to true.

/etc/clamav/clamd.conf

AllowSupplementaryGroups true

Save the configuration and exit.

Restart clamav-daemon

sudo service clamav-daemon restart

Step 4 — Installing HAVP

HAVP is a virus scanning proxy server. It scans every item on the pages you visit and blocks malicious content. HAVP does not contain a virus scanner engine but can use quite a few third party engines. In this tutorial we will configure it with ClamAV.
Install HAVP from Debian repositories.

sudo apt-get install havp

If there is not enough memory for ClamAV libraries, HAVP might not start. You can ignore this error (for now) and continue with the setup.

Installation will take a while, so please be patient.

Editing the Configuration File

Load HAVP's configuration file in your favorite editor:

sudo vi /etc/havp/havp.config

We will need to set a few configuration options to make HAVP run with the ClamAV daemon.

HAVP can work with the ClamAV libraries (by default) or the ClamAV daemon. Library mode requires much more RAM than daemon (socket scanner) mode. If your Droplet has 4 GB or more of RAM, you can set ENABLECLAMLIB to true and use library mode.

Otherwise, use these settings, located near the bottom of the configuration file.

/etc/havp/havp.config

ENABLECLAMLIB false
. . .
ENABLECLAMD true

HAVP's default configuration might interfere with some video streaming sites. To allow HTTP Range Requests, set the following parameter.

/etc/havp/havp.config

RANGE true

A lot of content on the Internet consists of images. Although there are some exploits that uses images as vectors, it is more or less safe not to scan images.

We recommend setting SCANIMAGES to false, but you can leave this setting as true if you want HAVP to scan images.

/etc/havp/havp.config

SCANIMAGES false

Do not scan files that have image, video, and audio MIME types. This setting will improve performance and enable you to watch streaming video content (provided the VPN as a whole has enough bandwidth). Uncomment this line to enable it.

/etc/havp/havp.config

SKIPMIME image/* video/* audio/*

There is one more parameter that we will change.
This parameter will tell HAVP not to log successful requests to the log file at /var/log/havp/access.log. Leave the default value (true) if you want to check the access logs to see if HAVP is working. For production, set this parameter to false in order to improve performance and privacy.

/etc/havp/havp.config

LOG_OKS false

Save your changes and exit the file.

User Configuration

Remember when we configured ClamAV to be accessed by other groups?
Now, we will add the clamav user to the havp group and allow HAVP to access ClamAV. Execute the following command:

sudo gpasswd -a clamav havp

Output:

Output
Adding user clamav to group havp

We need to restart clamav-daemon for our changes to groups to take effect.

sudo service clamav-daemon restart

Now that we've configured HAVP, we can start it with the following command:

sudo service havp restart

Service restart commands should complete silently; there should be no messages displayed on the console.

Checking the Logs

HAVP stores its log files in the /var/log/havp directory. Error and initialization messages goes into the error.log file. You can check the status of HAVP by checking this file.

sudo tail /var/log/havp/error.log

The tail command displays the last few lines of the file. If HAVP has started successfully, you will see something like the output shown below. Of course, the date and time will be your system's:

Output
17/06/2015 12:48:13 === Starting HAVP Version: 0.92
17/06/2015 12:48:13 Running as user: havp, group: havp
17/06/2015 12:48:13 --- Initializing Clamd Socket Scanner
17/06/2015 12:48:22 Clamd Socket Scanner passed EICAR virus test (Eicar-Test-Signature)
17/06/2015 12:48:22 --- All scanners initialized
17/06/2015 12:48:22 Process ID: 3896

Step 5 — Testing HAVP

In this section we'll make sure HAVP is actually blocking viruses.
The log shown above mentions something called the EICAR virus test.
On initialization HAVP tests the virus scanner engines with a specially constructed virus signature. All virus scanner software detects files that contain this (harmless) signature as a virus. You can get more information about EICAR on the EICAR Intended Use page.
Let's do our own manual test with the EICAR file and see that HAVP and ClamAV block it.
We will use the wget command line utility to download file from EICAR web page.
First, download the EICAR test file without using a proxy:

wget http://www.eicar.org/download/eicar.com -O /tmp/eicar.com

Your server will download the file without complaint:

Output
converted 'http://www.eicar.org/download/eicar.com' (ISO-8859-1) -> 'http://www.eicar.org/download/eicar.com' (UTF-8)
--2015-06-16 13:53:41-- http://www.eicar.org/download/eicar.com
Resolving www.eicar.org (www.eicar.org)... 188.40.238.250
Connecting to www.eicar.org (www.eicar.org)|188.40.238.250|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68 [application/octet-stream]
Saving to: '/tmp/eicar.com'
/tmp/eicar.com 100%[=====================>] 68 --.-KB/s in 0s
2015-06-16 13:53:41 (13.7 MB/s) - '/tmp/eicar.com' saved [68/68]

As you can see, wget downloaded the test file containing the virus signature without any complaints.

Now let's try to download the same file with our newly-configured proxy. We will set the environment variable http_proxy to our HAVP address and port.

http_proxy=127.0.0.1:8080 wget http://www.eicar.org/download/eicar.com -O /tmp/eicar.com

Output:

Output
converted 'http://www.eicar.org/download/eicar.com' (ISO-8859-1) -> 'http://www.eicar.org/download/eicar.com' (UTF-8)
--2015-06-25 20:47:38-- http://www.eicar.org/download/eicar.com
Connecting to 127.0.0.1:8080... connected.
Proxy request sent, awaiting response... 403 Virus found by HAVP
2015-06-25 20:47:39 

ERROR 403: Virus found by HAVP.

Our proxy successfully intercepted the download and blocked the virus.
EICAR also provides a virus signature file hidden inside a ZIP compressed file.
You can test that HAVP scans files inside ZIP archives with the following command:

http_proxy=127.0.0.1:8080 wget http://www.eicar.org/download/eicarcom2.zip -O /tmp/eicarcom2.zip

Output:

Output
converted 'http://www.eicar.org/download/eicarcom2.zip' (ISO-8859-1) -> 'http://www.eicar.org/download/eicarcom2.zip' (UTF-8)
--2015-06-25 20:48:28-- http://www.eicar.org/download/eicarcom2.zip
Connecting to 127.0.0.1:8080... connected.
Proxy request sent, awaiting response... 403 Virus found by HAVP
2015-06-25 20:48:28 

ERROR 403: Virus found by HAVP.

HAVP (with ClamAV) found the virus again.

Step 6 — Installing Privoxy

So far we have configured a proxy server to scan web pages for viruses. What about ads and tracking cookies? In this step we will install and configure Privoxy.

Blocking advertisements is harmful to the web sites that rely on advertisements to cover operational costs. Please consider adding exceptions to the sites that you trust and frequent.

Use the following command to install Privoxy:

sudo apt-get install privoxy

Privoxy's configuration resides in the file /etc/privoxy/config. We need to set two parameters before we start using Privoxy.
Open the config file in your favorite editor.

sudo vi /etc/privoxy/config

Now uncomment and set the following two parameters:

/etc/privoxy/config

listen-address 127.0.0.1:8118
. . .
hostname your_server

The parameter listen-address determines on which IP and port privoxy runs. The default value is localhost:8118; we will change this to 127.0.0.1:8118.
The parameter hostname specifies the host Privoxy runs on and logs; set this to the hostname or DNS address of your server. It can be any valid hostname.
Now, restart Privoxy with its new configuration.

sudo service privoxy restart

Step 7 — Chaining HAVP to Privoxy

HAVP and Privoxy both are essentially HTTP proxy servers. We will now chain these two proxies so that, when your client requests a web page from HAVP, it will forward this request to Privoxy. Privoxy will retrieve the requested web page, remove the privacy threats and ads, and then HAVP will further process the response and remove viruses and malicious code.
Load the HAVP configuration file into your favorite text editor:

sudo vi /etc/havp/havp.config

Uncomment the following lines (remove the # character at the beginning of the lines) and set their values as shown below. Privoxy runs on IP 127.0.0.1 and port 8118.

/etc/havp/havp.config

PARENTPROXY 127.0.0.1
PARENTPORT 8118

Save your changes and exit the file.
Restart HAVP for the changes to take effect:

sudo service havp restart

Check HAVP's error log, taking note of the Use parent proxy: 127.0.0.1:8118 message.

sudo tail /var/log/havp/error.log

Output:

Output
17/06/2015 12:57:37 === Starting HAVP Version: 0.92
17/06/2015 12:57:37 Running as user: havp, group: havp
17/06/2015 12:57:37 

Use parent proxy: 127.0.0.1:8118
17/06/2015 12:57:37 --- Initializing Clamd Socket Scanner
17/06/2015 12:57:37 Clamd Socket Scanner passed EICAR virus test (Eicar-Test-Signature)
17/06/2015 12:57:37 --- All scanners initialized
17/06/2015 12:57:37 Process ID: 4646

Our proxy server configuration is now complete. Lets test it again with the EICAR virus test.

http_proxy=127.0.0.1:8080 wget http://www.eicar.org/download/eicarcom2.zip -O /tmp/eicarcom2.zip

If your configuration is good, you should again see the ERROR 403: Virus found by HAVP message.

Step 8 — Setting DNS Options for OpenVPN Server

Although the default configuration of OpenVPN Server is adequate for our needs, it is possible to improve it a little bit more.
Load the OpenVPN server's configuration file in a text editor:

sudo vi /etc/openvpn/server.conf

OpenVPN is configured to use OpenDNS's servers by default. If you want to change it to use Google's DNS servers, change the dhcp-option DNS parameters as below.

Add the new line push "register-dns", which some Windows clients might need in order to use the DNS servers.
Also, add the new line push "block-ipv6" to block IPv6 while connected to VPN. (IPv6 traffic can bypass our VPN server.)
Here's what this section should look like:

/etc/openvpn/server.conf

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "register-dns"
push "block-ipv6"

If you want to allow multiple clients to connect with the same ovpn file, uncomment the following line. (This is convenient but NOT more secure!)

/etc/openvpn/server.conf

duplicate-cn

Restart the OpenVPN service for changes to take effect.

sudo service openvpn restart

Step 9 — Configuring Your Transparent Proxy

We will now set up our privacy server to intercept the HTTP traffic between its clients (your browser) and the internet.

Enable Packet Forwarding

For our server to forward HTTP traffic to the proxy server, we need to enable packet forwarding. You should have enabled it already in the OpenVPN setup tutorial.
Test the configuration with the following command.

sudo sysctl -p

It should display the changed parameters as below. If it does not, please revisit the OpenVPN tutorial.

Output
net.ipv4.ip_forward = 1

Configure UFW

We need to forward HTTP packets that originate from OpenVPN clients to HAVP. We will use ufw for this purpose.
First we need to allow traffic originating from OpenVPN clients

sudo ufw allow in on tun0 from 10.8.0.0/24

In the OpenVPN tutorial, you should have changed the /etc/ufw/before.rules file and added some rules for OpenVPN. Now we will revisit the same file and configure port redirection for the transparent proxy.

sudo vi /etc/ufw/before.rules

Change the lines you have added in the OpenVPN configuration as shown below. Add the lines in red.

/etc/ufw/before.rules

 # START OPENVPN RULES
 # NAT table rules
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# transparent proxy

-A PREROUTING -i tun+ -p tcp --dport 80 -j REDIRECT --to-port 8080
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
 # END OPENVPN RULES

Reload your firewall configuration.

sudo ufw reload

Check UFW's status:

sudo ufw status

Output:

Output
Status: active
To Action From
-- ------ ----
22 ALLOW Anywhere
1194/udp ALLOW Anywhere
Anywhere on tun0 ALLOW 10.8.0.0/24
22 ALLOW Anywhere (v6)
1194/udp ALLOW Anywhere (v6)

Enable HAVP's Transparent Mode

In the previous steps, we forced all HTTP packets to go through HAVP. This configuration is called a transparent proxy.

We need to configure HAVP as such.

sudo vi /etc/havp/havp.config

Set the following parameter:

/etc/havp/havp.config

TRANSPARENT true

Restart the HAVP service:

sudo service havp restart

Our server is now ready to use.

Step 10 — Testing Client Configuration

On your client (Windows, OS X, tablet ...) connect your client to your OpenVPN server. Note that you can use the same .ovpn file from the original OpenVPN tutorial; all the changes are on the server side.

For detailed setup instructions for your OpenVPN client, please see Installing the Client Profile in the Ubuntu 14.04 tutorial.

After the VPN connection is established, you should see your preferred DNS settings in the OpenVPN client logs. The following sample is taken from the IOS client.

DNS Servers
 8.8.8.8
 8.8.4.4
Search Domains:

If you use Tunnelblick, you might see a line like this:

Changed DNS ServerAddresses setting from '8.8.8.8 208.67.222.222 8.8.4.4' to '8.8.8.8 8.8.4.4'

To test your configuration, go to the [EICAR test page](www.eicar.org) in your browser and attempt to download the EICAR test file. You should see a HAVP - Access Denied page.

• http://www.eicar.org/download/eicarcom2.zip
• http://www.eicar.org/85-0-Download.html

Step 11 — Troubleshooting

This section will help you troubleshoot some common issues.

Cannot watch videos or use my favorite site

Privoxy can be configured to be less strict with sites that are loading too slowly. This behavior is configured in the user.action configuration file.

Load the user action file in your favorite text editor.

sudo vi /etc/privoxy/user.action

Go to the end of file and add the following content with the additional site addresses you want.

/etc/privoxy/user.action

{ fragile -deanimate-gifs }
.googlevideo.com
.youtube.com
.imgur.com
.example.com

After these changes, you do not need to restart Privoxy. However, you should clear your browser's cache and refresh a few times.

If you still experience problems, add whitelisted domains to the HAVP whitelist file. HAVP will check this file and not perform a virus scan if the host name matches.

vi /etc/havp/whitelist

Add your sites at the end of the file.

/etc/havp/whitelist

# Whitelist Windowsupdate, so RANGE is allowed too
*.microsoft.com/*
*.windowsupdate.com/*
*.youtube.com/*

If you open multiple web pages at once, your server's memory might not be enough for HAVP to scan all your requests.

You can try to increase your Droplet's RAM and/or add swap memory. Please refer to the How To Configure Virtual Memory (Swap File) on a VPS article.

Keep in mind that adding a VPN to your browsing experience will add some latency in most cases.

Conclusion

After following this tutorial, you'll have taken your VPN use to the next level with browsing privacy and security.