Building a secure, simple VPN connection

Automation

DSVPN remains true to its motto in many areas: There is neither a tool for creating the key file nor a user administration tool. The developer is also reluctant to integrate the program into the system as a service. However, his aversion to the init system does not mean that DSVPN cannot be managed with systemd: You just have to create the corresponding service files manually.

Based on templates by Greek developer Evaggelos Balaskas, this can be done quickly [4]. Under /etc/systemd/system/, create the files dsvpn_server.service and dsvpn_client.service and fill them with the content from Listing 5 (server) and Listing 6 (client). Don't forget to adjust the path to the key file, the server IP address, and the port number so that it matches the port the WiFi router forwards to the DSVPN server.

Listing 5

Server Service

 

Listing 6

Client Service

 

Next, you have to update the system configuration on both the client and the server with:

sudo systemctl daemon-reload

Afterwards the connection can be enabled manually or automatically during the boot process (Listing 7). To disable the automatic start, replace enable in the last two commands with disable.

Listing 7

Automatically Enabling the Connection

 

Firewall

For the greatest possible security, you must prevent data leaks from the VPN to the Internet. This requires a firewall that intercepts all data packets flowing past the VPN. See Balaskas' blog for a description of implementing such a firewall with iptables [5].
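A minimal sketch of such a leak-blocking ruleset for a DSVPN client follows. It is an added example, not Balaskas' ruleset or code from the DSVPN project; the server address 203.0.113.10, port 443, and interface name tun0 are assumed placeholder values.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a DSVPN *client* that
# drops all traffic except loopback, the tunnel interface, and the TCP
# connection to the VPN server itself. All values are assumptions.
# IPv4 only: iptables does not filter IPv6, so load an equivalent DROP
# policy with ip6tables-restore, or IPv6 traffic bypasses these rules.
# Apply with: sh killswitch.sh 203.0.113.10 443 tun0 | sudo iptables-restore

valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

valid_port() {
    case $1 in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# usage: dsvpn_killswitch_rules <server-ip> <server-port> <tun-interface>
dsvpn_killswitch_rules() {
    valid_ipv4 "$1" || { echo "bad server IP: $1" >&2; return 1; }
    valid_port "$2" || { echo "bad server port: $2" >&2; return 1; }
    case $3 in ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $3" >&2; return 1 ;; esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $3 -j ACCEPT
-A OUTPUT -d $1/32 -p tcp --dport $2 -j ACCEPT
COMMIT
EOF
}

if [ "$#" -gt 0 ]; then dsvpn_killswitch_rules "$@"; fi
```

With these rules loaded, a dropped tunnel leaves the client without Internet access instead of falling back to the unprotected route. Because the server is addressed by IP, no DNS lookup outside the tunnel is needed to reconnect.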

Conclusions

DSVPN fills a gap left open by other VPN solutions. For example, it works in isolated environments that only allow outbound Internet traffic on TCP ports 80 and 443. WireGuard and other lean VPN solutions, such as Glorytun [6], require UDP as well, since one TCP port alone is not enough for them. With DSVPN, the connection between the client and the server is established with a single command, while OpenVPN requires a lengthy configuration.

In practical use, DSVPN shows its strengths if you rarely need a VPN and OpenVPN's long configuration is not worth the effort. One drawback is that DSVPN is only available for Linux and macOS. In many situations, however, you might want to tunnel your Android or iOS smartphone through the VPN to a secure network. The developer states that DSVPN is not intended as a replacement for classic tools like WireGuard. DSVPN solved an existing problem for the developer; perhaps it can solve one for you.
