Building a secure, simple VPN connection
Automation
DSVPN remains true to its motto in many areas: There is neither a tool for creating the key file nor a user administration tool. The developer is also reluctant to integrate the program into the system as a service. However, his aversion to the init system does not mean that DSVPN cannot be managed with systemd: You just have to create the corresponding service files manually.
Based on templates by Greek developer Evaggelos Balaskas, this can be done quickly [4]. Under /etc/systemd/system/, create the dsvpn_server.service and dsvpn_client.service files, and fill them with the content from Listing 5 (Server) and Listing 6 (Client). Don't forget to adjust the path to the key file, the server IP address, and the port number so that it matches the port your WiFi router forwards to the DSVPN server.
Listing 5: Server Service
Listing 6: Client Service
Next, you have to update the system configuration on both the client and the server with:
sudo systemctl daemon-reload
Afterwards, the connection can be enabled manually or automatically during the boot process (Listing 7). To disable the automatic start, replace enable in the last two commands with disable.
Listing 7: Automatically Enabling the Connection
Firewall
For the greatest possible security, you must prevent data leaks from the VPN to the Internet. This requires a firewall that intercepts all data packets flowing past the VPN. See Balaskas' blog for a description of implementing such a firewall with iptables [5].
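One way to express such a leak-blocking firewall on the client, as an added example (not Balaskas' script and not part of the original article): a shell function that prints a ruleset for iptables-restore. The server address 203.0.113.10, port 443, and the interface names eth0 and tun0 used in the usage lines are assumed placeholders.

```shell
#!/bin/sh
# Added example: print a client-side kill-switch ruleset for iptables-restore.
# Nothing is applied here. Addresses and interface names are assumptions.

# killswitch_rules SERVER_IP SERVER_PORT WAN_IF TUN_IF
killswitch_rules() {
    ks_ip=$1 ks_port=$2 ks_wan=$3 ks_tun=$4

    # Literal IPv4 only: resolving a hostname before the tunnel is up would
    # already send DNS queries outside the VPN.
    printf '%s\n' "$ks_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
        { echo "server must be an IPv4 address: $ks_ip" >&2; return 1; }
    case $ks_port in
        ''|*[!0-9]*|??????*) echo "bad port: $ks_port" >&2; return 1 ;;
    esac
    [ "$ks_port" -ge 1 ] && [ "$ks_port" -le 65535 ] ||
        { echo "port out of range: $ks_port" >&2; return 1; }
    # Interface names go into the ruleset verbatim, so keep them to a safe set.
    case $ks_wan$ks_tun in
        *[!A-Za-z0-9_.-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    [ -n "$ks_wan" ] && [ -n "$ks_tun" ] || { echo "missing interface" >&2; return 1; }

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only the encrypted DSVPN TCP session may use the physical interface.
-A OUTPUT -o $ks_wan -p tcp -d $ks_ip --dport $ks_port -j ACCEPT
# DHCP lease renewal on the local network (drop this line for static IPs).
-A OUTPUT -o $ks_wan -p udp --sport 68 --dport 67 -j ACCEPT
# Everything else has to leave through the tunnel interface.
-A OUTPUT -o $ks_tun -j ACCEPT
COMMIT
EOF
}

# Usage (flushes the existing filter table; validate with --test first):
#   killswitch_rules 203.0.113.10 443 eth0 tun0 | sudo iptables-restore --test
#   killswitch_rules 203.0.113.10 443 eth0 tun0 | sudo iptables-restore
```

These rules cover IPv4 only; IPv6 traffic is filtered separately by ip6tables and needs its own default-drop ruleset.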
Conclusions
DSVPN fills a gap left open by other VPN solutions. For example, it works in isolated environments that only allow connections to the Internet on ports TCP/80 and TCP/443. WireGuard and other lean VPN solutions, such as Glorytun [6], also require UDP; one TCP port alone is not enough for them. With DSVPN, the connection between the client and the server is established with a single command, while OpenVPN requires a lengthy configuration.
In practical use, DSVPN shows its strengths if you rarely need a VPN and OpenVPN's long configuration is not worth the effort. One drawback is that DSVPN is only available for Linux and macOS. In many situations, however, you might want to tunnel your Android or iOS smartphone through the VPN to a secure network. The developer states that DSVPN is not intended as a replacement for classic tools like WireGuard. DSVPN solved an existing problem for the developer; perhaps it can solve one for you.
Infos
- [1] WireGuard: https://www.wireguard.com
- [2] DSVPN: https://github.com/jedisct1/dsvpn
- [3] FreeDNS: https://freedns.afraid.org
- [4] Scripts for DSVPN: https://github.com/ebal/scripts/tree/master/dsvpn
- [5] "A Dead Simple VPN": https://balaskas.gr/blog/2019/07/20/a-dead-simple-vpn/
- [6] Glorytun: https://github.com/angt/glorytun