I’ve developed a Python application which rotates VPN gateways from one or more providers. This will change your outbound IP address, and optionally VPN provider(s), on a random basis within a given time period (eg, every 2-4 hours). This uses Docker, the Gluetun VPN client, virtual machines, and optionally HAProxy, MQTT, InfluxDB and Unbound DNS.

I’d really appreciate feedback from members of this subreddit, whether that’s in regards to the general concept, the example architecture I’ve included in the repo (below), the code itself, or whatever else you might have!

Randomizer supports all providers supported by the Gluetun VPN client including custom providers. The randomizer project has been biased towards Wireguard and Linux, with OpenVPN and other OSes in near-term consideration. It’s my intention to keep the project as flexible as possible allowing ease in adopting personal modifications.

https://github.com/ingestbot/randomizer

  • ajicles@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Could probably do this easier with PFsense and setup all of the VPN clients on the firewall and write a script to stop and start each vpn service. I use PFsense for torrents to allow load balancing and to increase throughput. I have three openvpn clients setup into a gateway group and tunnel the traffic out.

    • ingestbot@alien.topOPB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Supporting appliance based tunnels would probably be a clear path for this project. Challenges may involve key handling and gateway/provider management. If there were a dependable, native API this could make it all the easier.

      My little project so far has been biased towards (a surplus of) redundant commodity hardware. The environment where this evolved includes a very early MIPS32 based router so tunneling/proxying/resolving were not an option there.

      I’m most definitely inspired here to see about supporting this kind of configuration! pfsense/opnsense have been on my list for years.

    • nocsupport@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      pfSense can just keep all the VPN sessions up. You make gateway groups that can be triggered by timers. "At 12:37 these clients should use this gw group which favors this VPN "

    • ingestbot@alien.topOPB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Thank you very much. In fact, the more challenging comments and questions inspire new ideas and shine light on knowledge gaps. Some of the funner comments help sharpen my dulling wit.

  • Brilliant_Sound_5565@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Nice project, couldn’t see me using it myself as I’m not sure why I’d want my VPN to randomly change every 24hrs say? You say the router is a spof, but that’s still going to be the case here isn’t it?

  • ErnLynM@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    That’s cool AF. Do you have any moments of connectivity in between VPN switches?

    • ingestbot@alien.topOPB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      A most excellent question and an issue just recently addressed.

      Gluetun includes a control server which allows state changes to the VPN connection. Early on I would send a stopped and let the healthcheck take care of the recovery. At some point I found that 6 second lapse to cause a bit of trouble so I played with sending a stopped and immediate running. The result is a near instantaneous recovery (and random reallocation) of the tunnel.

      Here’s are a couple of examples:

      2023-11-20T14:42:31Z INFO [vpn] stopping
      2023-11-20T14:42:31Z INFO [http server] 200 PUT /status wrote 22B to 172.21.0.1:40896 in 129.856648ms
      2023-11-20T14:42:31Z INFO [vpn] starting
      2023-11-20T14:42:31Z INFO [wireguard] Connecting to 188.241.176.194:2049
      2023-11-20T14:42:31Z INFO [http server] 200 PUT /status wrote 22B to 172.21.0.1:40902 in 108.677199ms
      2023-11-20T14:42:32Z INFO [ip getter] Public IP address is 188.241.176.241 (Canada, Quebec, Montréal)
      ---
      2023-11-20T14:43:56Z INFO [vpn] stopping
      2023-11-20T14:43:56Z INFO [http server] 200 PUT /status wrote 22B to 172.21.0.1:52474 in 129.197494ms
      2023-11-20T14:43:56Z INFO [vpn] starting
      2023-11-20T14:43:56Z INFO [wireguard] Connecting to 198.54.131.98:2049
      2023-11-20T14:43:56Z INFO [http server] 200 PUT /status wrote 22B to 172.21.0.1:52482 in 108.371437ms
      2023-11-20T14:43:56Z INFO [ip getter] Public IP address is 198.54.131.120 (United States, Washington, Fairwood)
      

      You’ve raised a great point here and it’s something I may look into further (as in soon). It wouldn’t be to difficult to measure the entire sequence in milliseconds and offer that up as a metric.

  • pyotrdevries@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Since I’m not seeing anyone else say it; I think it’s a cool concept and the first time I’ve seen someone make this. I can imagine this being added to one of those ultra privacy focused bootable Linux distro’s. Nice work!

    • peca89@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      But this is not privacy. This is creating false sense of privacy.

      One could even argue that it is reducing privacy by intentionally giving your browsing habits away to more than one entity, thereby increasing the chance of actually being spied on.

      For education is perfect, though. Kudos to that.

      • pyotrdevries@alien.topB
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        I was thinking more along the lines of people who don’t care about some random vpn companies knowing fragments of their browsing habits as opposed to the government of their country knowing it, in order not to get arrested or killed.

  • Diavolo_Rosso@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Cool idea but a lot of work for nothing. Every provider offer multiple gateway around the world with a couple of click

  • Intransigient@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Have you thought to encrypt and segment each data frame then send them out in a random order over those multiple gateways, for decryption and reassembly at their destination? Two endpoints set up in this manner could provide significant security, since not only would each frame be encrypted, but the reassembly order would not be determinable via en-route packet sniffing.

  • SystemSalt@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I haven’t looked too deeply into it yet, looks interesting. Does your original IP leak when the tunnel is changing?

  • peca89@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    This is very good as a proof of concept and education. Otherwise, I don’t see a real life benefit except for a few corner cases. In fact, it is going to ruin your everyday browsing experience if VPNs just randomly disconnect every 2 hours.

  • AionicusNL@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I just use VPNgate with its 100-300 vpn’s to rotate if needed. But in general when using python , 99% of the time you can do just fine with a rotating proxy setup (socks5) , just bit of scraping online and et voila.