4x Affordable, 99.95% SLA, 24x& Video Support, 100+ Countires

3 Ways For Securely Browse The Internet With Openvpn On Debian 8


Reasons for browsing the Internet with more isolation vary as much as the ways to attain it.

In this tutorial we will inform in detail how to set up a realistic independent network (VPN) on a server so it secures three all-important elements of your Internet browsing experience:

  • Privatize your web traffic by obtaining unencrypted traffic, preventing cookies and other trackers, and masking your local computer's IP addresses
  • Prevent your local ISP from logging DNS queries, by sending them from the VPN continuous to Google's DNS servers
  • Scan for and prevent accesses to viruses and malicious applications

By running your own VPN server rather than using a commercial one, you can also evade logging your browsing history (unless you specify to do so). Finally, you get to specify its animal area, so you can minimize latency. However, using a vpn is usually sedate than using a direct Internet connection.

We'll do this by installing and configuring the following applications on your Debian 8 server:

  • ClamAV is an open source antivirus engine for detecting trojans, viruses, malware, other malicious threats

  • Dnsmasq is a software package that provides DNS (and few more) services. We will use it only as a DNS cache

  • HAVP HTTP AntiVirus proxy is a proxy with an anti-virus filter. It does not cache or filter content. It scans all the traffic with third-party antivirus engines. In this tutorial we will use HAVP as a Transparent Proxy and series HAVPand Privoxy together

  • OpenVPN Community Edition is a popular VPN server. It provides a secure connection to your trusted server, and can also push DNS Server settings to its clients. In this tutorial the term OpenVPN will be used as the shortened form of the VPN server's name

  • Privoxy is, from the official website, a non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk

After finishing this tutorial, you will have an isolation gateway that:

  • Secures your connection when using public WiFi spots
  • obstructions advertisements and tracking features from web sites
  • accelerates up web page loading times by caching server-side DNS responses
  • Scans the pages you stop by and records you download for known viruses

How It Works

The following drawing displays the route that a web ask follows through the VPN we will set up in this tutorial.

The ways with chromatic backdrops are the elements of the VPN server. chromatic blows represent the ask levels, and chromatic and chromatic blows represent the response levels.

Flow chart of web request through VPN server

The traffic between your computer and the isolation server will flow through a vpn tunnel. When you ajar a web page in your browser, your question will be transferred to the VPN server. On the VPN server, your question will be redirected to HAVP and subsequently to Privoxy.

Privoxy will match the url against its database of patterns. If the url matches, it will block the url and return a binding but empty response.

If the url is not blocked, Privoxy acts as a non-caching proxy server to query DNS and retrieve the communication of the url. DNS queries are handled and cached by Dnsmasq.

HAVP receives the communication from Privoxy and performs a virus scan via ClamAV. If any virus is found it returns an error page.


Please make convinced you finish the following prerequisites:

System Requirements

The server we will configure will be easy on CPU, RAM, and disk space. Select a machine with at least 1GB of thrust and that provides enough bandwidth to accommodate your browsing needs.

The directing system of preference for this tutorial is Debian 8. It should also work more or less the same route for other Debian-based linux distros like Ubuntu.


All of the program used in this tutorial is accessible from Debian repositories and subject to Debian contracts.


This server will point all of your HTTP questions. Someone who takes regulate of this server could act as a man-in-the-middle and observe all of your HTTP traffic, redirect DNS questions, etc. You do need to obtain your server. Please refer to the sessions mentioned in the starting of this portion to set up sudo accesses and a firewall as a first stage of protection.

Step 1 Installing OpenVPN and Other Prerequisites

If you have not yet installed OpenVPN please do so now.

You can follow the tutorial How To Set Up an openvpn Server on Debian 8.

In the following stages we will install a few packages. To make convinced your package indexes are up to date, please kill the following control.

  • sudo apt-get update

If you have not yet enabled ssh in your UFW firewall setup, pease do so with the following controls.

  • sudo ufw allow ssh
  • sudo ufw enable

Step 2 Installing Dnsmasq

In this step we will install and configure Dnsmasq. Our isolation proxy server will use Dnsmasq to speed up and obtain its DNS queries.

Every moment you connect to a web page, your computer tries to resolve the Internet addresses of that server by questioning a dns (Domain Name System) server. Your computer uses the DNS servers of your ISP by failure.

Using your own DNS server has the following merits:

  • Your ISP will not have any knowledge of the host names you connect to
  • Your ISP cannot redirect your questions to other servers, which is one of the important modes of counterintelligence
  • Your DNS operation speed will upgrade

The DNS servers you choose will know about all the DNS requests you make to them and can use this information to profile your browsing habits, redirect your searches to their own engines, or prevent your access to unapproved web sites. Choose your DNS servers wisely. OpenDNS and Google DNS servers are generally considered safe.

On a debian system, nameserver configuration is kept in a file labelled /etc/resolv.conf.

check your actual nameserver configuration with the following control.

  • cat /etc/resolv.conf


# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)

As you can see, the failure nameservers on this system are set to Google's DNS servers.

Now install dnsmasq with the following control:

  • sudo apt-get install dnsmasq

After the package is installed check your configuration again:

  • cat /etc/resolv.conf


# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)

The failure nameserver is set to, which is the local interface Dnsmasq runs on.

You can test the installation with the following regulate. Take note of the query moment in the output.

  • dig fxdata.cloud @localhost


. . . ;; Query time: 20 msec ;; SERVER: . . .

Now run the same control again and check the query moment:

  • dig fxdata.cloud @localhost


. . . ;; Query time: 1 msec ;; SERVER: . . .

Our ordinal query is replied by dnsmasq from cache. The response moment went down from 20 milliseconds to 1 millisecond. being on the load of your system, the cached results are usually returned in under 1 millisecond.

Step 3 Installing ClamAV

Let's install our antivirus scanner so our VPN will safeguard us from known malicious downloads.

Install ClamAV

ClamAV is a widely used open-source antivirus scanner.

Install ClamAV and its scanner deamon:

  • sudo apt-get install clamav clamav-daemon

Update Virus Database

ClamAV will modify its database right after the installation and check for updates every hour.

ClamAV logs its database modify states to /var/log/clamav/freshclam.log. You can check this file to see how its autoloading updates are processing.

Now we will wait until autoloading updates are finished ; otherwise, our scanning proxy (HAVP) will complain and will not begin.

  • sudo tail -f /var/log/clamav/freshclam.log

During modify progress, the actual states will be written to screen.

Fri Jun 19 12:56:03 2015 -> ClamAV update process started at Fri Jun 19 12:56:03 2015 Fri Jun 19 12:56:12 2015 -> Downloading main.cvd [100%] Fri Jun 19 12:56:21 2015 -> main.cvd updated (version: 55, sigs: 2424225, f-level: 60, builder: neo) Fri Jun 19 12:56:28 2015 -> Downloading daily.cvd [100%] Fri Jun 19 12:56:34 2015 -> daily.cvd updated (version: 20585, sigs: 1430267, f-level: 63, builder: neo) Fri Jun 19 12:56:35 2015 -> Downloading bytecode.cvd [100%] Fri Jun 19 12:56:35 2015 -> bytecode.cvd updated (version: 260, sigs: 47, f-level: 63, builder: shurley) Fri Jun 19 12:56:41 2015 -> Database updated (3854539 signatures) from db.local.clamav.net (IP: Fri Jun 19 12:56:55 2015 -> Clamd successfully informed about the modify. Fri Jun 19 12:56:55 2015 -> --------------------------------------

Wait until you see the matter marked in chromatic, Clamd successfully informed about the modify..

Press CTRL+C on your device to exit the tail. This will return you to the control prompt.

You can continue with the Configure ClamAV portion if everything went normally.

(Optional) Troubleshooting

If the virus modify takes too long, you can invoke it manually. This will not be needed in normal circumstances.

Stop the autoupdate service.

  • sudo service clamav-freshclam stop

Invoke the updater manually and wait for its completion. Download progress will be shown in assets.

  • sudo freshclam

begin the autoupdate service:

  • sudo service clamav-freshclam start

Configure ClamAV

Now we will allow other factions to accesses ClamAV. This is needed because we will configure a virus scanning proxy (HAVP) to use ClamAV in the following stages.

Edit the ClamAV configuration file clamd.conf with your best-loved matter editor.

  • sudo vi /etc/clamav/clamd.conf

Set the following parameter to true.

AllowSupplementaryGroups true

Save the configuration and exit.

Restart clamav-daemon

  • sudo service clamav-daemon restart

Step 4 Installing HAVP

HAVP is a virus scanning proxy server. It scans every symbol on the pages you drop by and obstructions malicious communication. HAVP does not include a virus scanner motor but can use quite a few third party motors. In this tutorial we will configure it with ClamAV.

Install HAVP from Debian repositories.

  • sudo apt-get install havp

If there is not enough memory for ClamAV libraries, HAVP might not start. You can ignore this error (for now) and continue with the setup.

Installation will take a while, so please be patient.

Editing the Configuration File

Load HAVP's configuration file in your beloved editor:

  • sudo vi /etc/havp/havp.config

We will need to set a few configuration actions to make HAVP run with the ClamAV daemon.

HAVP can work with the ClamAV libraries (by default) or the ClamAV daemon. Library mode requires much more RAM than daemon (socket scanner) mode. If your machine has 4 GB or more of thrust, you can set ENABLECLAMLIB to true and use library method.

Otherwise, use these environments, located near the bottom of the configuration file.


. . .


HAVP's failure configuration might interfere with some video streaming sites. To allow HTTP Range questions, set the following parameter.

RANGE true

a lot of communication on the Internet consists of pictures. Although there are some exploits that uses pictures as vectors, it is more or less fail-safe not to scan pictures.

We recommend setting SCANIMAGES to mendacious, but you can leave this setting as true if you want HAVP to scan illustrations.

SCANIMAGES mendacious

Do not scan records that have illustration, video, and audio mime symbols. This setting will enhance performance and enable you to watch streaming video communication (given the VPN as a whole has enough bandwidth). Uncomment this line to enable it.

SKIPMIME image/* video/* audio/*

There is one more parameter that we will action.

This parameter will tell HAVP not to log boffo asks to the log file at /var/log/havp/accesses.log. Leave the failure ideal (true) if you want to check the accesses logs to see if HAVP is working. For production, set this parameter to mendacious in order to enhance performance and isolation.

LOG_OKS mendacious

Save your actions and exit the file.

User Configuration

Remember when we configured ClamAV to be accessed by other teams?

Now, we will increase the clamav user to the havp faction and allow HAVP to accesses ClamAV. kill the following control:

  • sudo gpasswd -a clamav havp


Adding user clamav to group havp

We need to restart clamav-daemon for our actions to teams to take effect.

  • sudo service clamav-daemon restart

Now that we've configured HAVP, we can start it with the following control:

  • sudo service havp restart

Service restart regulates should finish silently; there should be no communications shown on the console.

Checking the Logs

HAVP accumulations its log records in the /var/log/havp directory. Error and initialization communications goes into the error.log file. You can check the states of HAVP by checking this file.

  • sudo tail /var/log/havp/error.log

The tail regulate displays the last few lines of the file. If HAVP has began successfully, you will see something like the output shown below. Of course, the date and moment will be your system's:

17/06/2015 12:48:13 === Starting HAVP Version: 0.92 17/06/2015 12:48:13 Running as user: havp, group: havp 17/06/2015 12:48:13 --- Initializing Clamd Socket Scanner 17/06/2015 12:48:22 Clamd Socket Scanner passed EICAR virus test (Eicar-Test-Signature) 17/06/2015 12:48:22 --- All scanners initialized 17/06/2015 12:48:22 Process ID: 3896

Step 5 Testing HAVP

In this portion we'll make convinced HAVP is actually blocking viruses.

The log shown above mentions something labelled the EICAR virus test.

On initialization HAVP experiments the virus scanner motors with a specially constructed virus signature. All virus scanner program detects records that include this (harmless) signature as a virus. You can get more information about EICAR on the EICAR Intended Use page.

Let's do our own manual test with the EICAR file and see that HAVP and ClamAV block it.

We will use the wget control line utility to download file from EICAR web page.

First, download the EICAR test file without using a proxy:

  • wget http://www.eicar.org/download/eicar.com -O /tmp/eicar.com

Your server will download the file without objection:

converted 'http://www.eicar.org/download/eicar.com' (ISO-8859-1) -> 'http://www.eicar.org/download/eicar.com' (UTF-8) --2015-06-16 13:53:41-- http://www.eicar.org/download/eicar.com Resolving www.eicar.org (www.eicar.org)... Connecting to www.eicar.org (www.eicar.org)||:80... connected. HTTP request sent, awaiting response... 200 OK Length: 68 [application/octet-stream] Saving to: '/tmp/eicar.com' /tmp/eicar.com 100%[=====================>] 68 --.-KB/s in 0s 2015-06-16 13:53:41 (13.7 MB/s) - '/tmp/eicar.com' saved [68/68]

As you can see, wget transferred the test file including the virus signature without any objections.

Now let's attempt to download the same file with our newly-configured proxy. We will set the environment variable http_proxy to our HAVP addresses and port.

  • http_proxy= wget http://www.eicar.org/download/eicar.com -O /tmp/eicar.com


converted 'http://www.eicar.org/download/eicar.com' (ISO-8859-1) -> 'http://www.eicar.org/download/eicar.com' (UTF-8) --2015-06-25 20:47:38-- http://www.eicar.org/download/eicar.com Connecting to connected. Proxy request sent, awaiting response... 403 Virus found by HAVP 2015-06-25 20:47:39 ERROR 403: Virus found by HAVP.

Our proxy successfully intercepted the download and blocked the virus.

EICAR also provides a virus signature file hidden inside a zip compressed file.

You can test that HAVP scans files inside ZIP archives with the following control:

  • http_proxy= wget http://www.eicar.org/download/eicarcom2.zip -O /tmp/eicarcom2.zip


converted 'http://www.eicar.org/download/eicarcom2.zip' (ISO-8859-1) -> 'http://www.eicar.org/download/eicarcom2.zip' (UTF-8) --2015-06-25 20:48:28-- http://www.eicar.org/download/eicarcom2.zip Connecting to connected. Proxy request sent, awaiting response... 403 Virus found by HAVP 2015-06-25 20:48:28 ERROR 403: Virus found by HAVP.

HAVP (with ClamAV) found the virus again.

Step 6 Installing Privoxy

So far we have configured a proxy server to scan web pages for viruses. What about ads and tracking cookies? In this step we will install and configure Privoxy.

Blocking advertisements is harmful to the web sites that rely on advertisements to cover operational costs. Please consider adding exceptions to the sites that you trust and frequent.

Use the following regulate to install Privoxy:

  • sudo apt-get install privoxy

Privoxy's configuration resides in the file /etc/privoxy/config. We need to set two parameters before we commence using Privoxy.

ajar the config file in your beloved editor.

  • sudo vi /etc/privoxy/config

Now uncomment and set the following two parameters:


. . .

hostname your_server

The parameter listen-address determines on which IP and port privoxy runs. The failure ideal is localhost:8118; we will action this to

The parameter hostname specifies the host Privoxy runs on and logs; set this to the hostname or DNS addresses of your server. It can be any binding hostname.

Now, restart Privoxy with its brand-new configuration.

  • sudo service privoxy restart

Step 7 Chaining HAVP to Privoxy

HAVP and Privoxy both are essentially HTTP proxy servers. We will now series these two proxies so that, when your case asks a web page from HAVP, it will forward this ask to Privoxy. Privoxy will retrieve the questioned web page, remove the isolation hazards and ads, and then HAVP will further processes the response and remove viruses and malicious code.

Load the HAVP configuration file into your best-loved matter editor:

  • sudo vi /etc/havp/havp.config

Uncomment the following lines (remove the # character at the starting of the lines) and set their belief Synonyms/Hypernyms as shown below. Privoxy runs on IP and port 8118.


Save your actions and exit the file.

Restart HAVP for the actions to take effect:

  • sudo service havp restart

check HAVP's error log, taking note of the Use parent proxy: communication.

  • sudo tail /var/log/havp/error.log


17/06/2015 12:57:37 === Starting HAVP Version: 0.92 17/06/2015 12:57:37 Running as user: havp, group: havp 17/06/2015 12:57:37 Use parent proxy: 17/06/2015 12:57:37 --- Initializing Clamd Socket Scanner 17/06/2015 12:57:37 Clamd Socket Scanner passed EICAR virus test (Eicar-Test-Signature) 17/06/2015 12:57:37 --- All scanners initialized 17/06/2015 12:57:37 Process ID: 4646

Our proxy server configuration is now finish. Lets test it again with the EICAR virus test.

  • http_proxy= wget http://www.eicar.org/download/eicarcom2.zip -O /tmp/eicarcom2.zip

If your configuration is good, you should again see the ERROR 403: Virus found by HAVP communication.

Step 8 Setting DNS Options for OpenVPN Server

Although the failure configuration of OpenVPN Server is adequate for our needs, it is viable to upgrade it a small bit more.

Load the OpenVPN server's configuration file in a matter editor:

  • sudo vi /etc/openvpn/server.conf

OpenVPN is configured to use OpenDNS's servers by failure. If you want to action it to use Google's DNS servers, action the dhcp-option DNS parameters as below.

increase the brand-new line push "register-dns", which some windows cases might need in order to use the DNS servers.

Also, increase the brand-new line push "block-ipv6" to block IPv6 while connected to VPN. (IPv6 traffic can avoid our VPN server.)

Here's what this portion should look like:

push "dhcp-option DNS"
push "dhcp-option DNS"
push "register-dns"
push "block-ipv6"

If you want to allow aggregate cases to connect with the same ovpn file, uncomment the following line. (This is handy but NOT more obtain!)


Restart the OpenVPN service for actions to take effect.

  • sudo service openvpn restart

Step 9 Configuring Your Transparent Proxy

We will now set up our isolation server to point the HTTP traffic between its cases (your browser) and the internet.

Enable Packet Forwarding

For our server to forward HTTP traffic to the proxy server, we need to enable message forwarding. You should have enabled it already in the OpenVPN setup tutorial.

Test the configuration with the following control.

  • sudo sysctl -p

It should display the changed parameters as below. If it does not, please return the OpenVPN tutorial.

net.ipv4.ip_forward = 1

Configure UFW

We need to forward HTTP messages that become from OpenVPN cases to HAVP. We will use ufw for this purpose.

First we need to allow traffic becoming from OpenVPN cases

  • sudo ufw allow in on tun0 from

In the OpenVPN tutorial, you should have changed the /etc/ufw/before.rules file and increased some rules for OpenVPN. Now we will return the same file and configure port redirection for the clear proxy.

  • sudo vi /etc/ufw/before.rules

action the lines you have increased in the OpenVPN configuration as shown below. increase the lines in chromatic.

 # NAT table rules
# clear proxy
-A PREROUTING -i tun+ -p tcp --dport 80 -j REDIRECT --to-port 8080
 # Allow traffic from OpenVPN client to eth0

Reload your firewall configuration.

  • sudo ufw reload

check UFW's states:

  • sudo ufw status


Status: active To Action From -- ------ ---- 22 ALLOW Anywhere 1194/udp ALLOW Anywhere Anywhere on tun0 ALLOW 22 ALLOW Anywhere (v6) 1194/udp ALLOW Anywhere (v6)

Enable HAVP's Transparent Mode

In the preceding levels, we forced all HTTP messages to go through HAVP. This configuration is labelled a clear proxy.

We need to configure HAVP as such.

  • sudo vi /etc/havp/havp.config

Set the following parameter:


Restart the HAVP service:

  • sudo service havp restart

Our server is now prepared to use.

Step 10 Testing Client Configuration

On your case (windows, OS X, paper ...) connect your case to your OpenVPN server. Note that you can use the same .ovpn file from the genuine OpenVPN tutorial; all the actions are on the server side.

For detailed setup instructions for your OpenVPN client, please see Installing the Client Profile in the Ubuntu 14.04 tutorial.

After the VPN connection is established, you should see your desirable DNS environments in the OpenVPN case logs. The following sample is taken from the IOS case.

DNS Servers
Search Domains:

If you use Tunnelblick, you might see a line like this:

Changed DNS ServerAddresses setting from '' to ''

To test your configuration, go to the [EICAR test page](www.eicar.org) in your browser and try to download the EICAR test file. You should see a HAVP - accesses Denied page.

  • http://www.eicar.org/download/eicarcom2.zip
  • http://www.eicar.org/85-0-Download.html

HAVP - accesses Denied

Step 11 Troubleshooting

This portion will support you troubleshoot some communal issues.

Cannot watch videos or use my favorite site

Privoxy can be configured to be less exact with sites that are loading too slowly. This behavior is configured in the user.action configuration file.

Load the user action file in your beloved matter editor.

  • sudo vi /etc/privoxy/user.action

Go to the end of file and increase the following communication with the extra site addresses you want.

{ fragile -deanimate-gifs }

After these actions, you do not need to restart Privoxy. However, you should clear your browser's cache and refresh a few times.

If you still experience difficulties, increase whitelisted domains to the HAVP whitelist file. HAVP will check this file and not perform a virus scan if the host name matches.

  • vi /etc/havp/whitelist

increase your sites at the end of the file.

# Whitelist Windowsupdate, so RANGE is allowed too


Browser stops responding during heavy use of Internet

If you ajar aggregate web pages at once, your server's memory might not be enough for HAVP to scan all your asks.

You can strive to increase your machine's thrust and/or increase swap memory. Please refer to the How To Configure realistic Memory (Swap File) on a vps article.

Keep in mind that increasing a vpn to your browsing experience will increase some latency in most cases.


After following this tutorial, you'll have taken your VPN use to the next stage with browsing isolation and security.

Reference: digitalocean