OpenVPN client randomly select/switch vpn servers

openvpn

#1

I have an account with a VPN service provider and I have set up all outbound lan to use it. I have many VPN client files (.ovpn) that the service provider supplied me. The contents are connection details including a single ip for the VPN server and cert keys etc specific to that server.

Therefore, although I have my router connected to a client, I am connected to the same server all the time. I would hope that part of the benefit of using a vpn would be to not be geolocated in the same place all the time.

I would like the router to switch vpn servers periodically but I’m not sure of the best way.

OpenVPN client configs can take a number of IP addresses and you can instruct it to pick one at random, but there is no way of dealing with different keys per ip address afaik.

I could create more clients and switch them manually but I was hoping there would be a more elegant and automated solution.

Does anyone know how to cycle through or randomly select/switch clients or servers where each server has different keys?


#2

Simplified the question: does anyone else cycle through connecting to VPN servers (IPs) that have different cert/key files?


#3

If you want this automated you would need a script and perhaps a timer that invokes the script. Some VPN providers supply such for certain router distros.

This is basically similar to any of those user-land apps offered by various VPN providers for various OS that feature endpoint rotation.
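One way to write the script-plus-timer approach from #3, as an added example that is not part of the thread or any provider's tooling. Because each `.ovpn` file carries its own server address and keys, it swaps the whole file rather than just the IP. The assumptions are that the OpenVPN client is configured to read a fixed symlink, and the names `PROFILE_DIR`, `ACTIVE_LINK` and `RESTART_CMD` are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: rotate between provider-supplied .ovpn profiles.
# Assumptions (not from the thread): all profiles sit in one directory and
# the OpenVPN client reads its config through a fixed symlink.

# Print a random profile from directory $1, never the one in use ($2).
pick_profile() {
    dir=$1 current=$2
    set --                                  # reuse "$@" as the candidate list
    for f in "$dir"/*.ovpn; do
        [ -f "$f" ] || continue             # also skips an unmatched glob
        [ "$f" = "$current" ] && continue
        set -- "$@" "$f"
    done
    [ "$#" -gt 0 ] || return 1              # nothing to switch to
    # 16 random bits from the kernel; modulo bias does not matter here
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' \n')
    shift $(( r % $# ))
    printf '%s\n' "$1"
}

# Point symlink $2 at a new profile from directory $1; print the choice.
rotate_profile() {
    dir=$1 link=$2
    current=$(readlink "$link" 2>/dev/null || true)
    new=$(pick_profile "$dir" "$current") || return 1
    # Create the new link beside the old one and rename over it, so the
    # config path never points at nothing while the switch happens.
    ln -s "$new" "$link.tmp.$$" && mv -f "$link.tmp.$$" "$link" || return 1
    printf '%s\n' "$new"
}

# Entry point for the timer (e.g. a cron job). Runs only when PROFILE_DIR is
# set; ACTIVE_LINK and RESTART_CMD are placeholders for the router's own
# config path and its command for restarting the OpenVPN client.
if [ -n "${PROFILE_DIR:-}" ]; then
    rotate_profile "$PROFILE_DIR" "${ACTIVE_LINK:?}" && ${RESTART_CMD:?}
fi
```

The tunnel is down while the client restarts, so the firewall should block LAN-to-WAN forwarding outside the VPN zone for that window.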


#4

Thanks that’s what I thought I might do - I do have a couple of questions, not sure if you can help:

  1. is it normal/best practice to want to cycle through servers? (I only want to protect my privacy from my isp and any commercial tracking)

  2. I’ve set up an interface called vpn_client and a device called tun0, and I’ve created a firewall zone and forwarding rules (src lan, dest vpn_client). The question is: how does my openvpn client know to route through this network interface? I can’t see a config setting relating to it anywhere.


#5

These are 2 different issues.

  1. The ISP tracking is sufficed by using a VPN, unless they are able to decrypt packages (e.g. middle boxes for TLS version < 1.3).

  2. ip geo tracking is only one of many ways that can be deployed by the remote end points to track a user and there are other user tracking methods that are much more subtle and more accurate. You might want to consider:

a) many end points are aware of VPN ips and often deploy (counter) measures like captcha (how many fire hydrants, buses, traffic lights, etc can you be forced to click before admitted to the site content :weary:)

b) suppose that tracking prevention is meant for foreground apps like a web browser, then it might be better to deploy anti-tracking measures in the app, the more entropy the less tracking (there are various extensions for various browsers)

c) geo ip can be better confused with header manipulation in the browser (there are various extensions for various browsers)

d) as ip geo location is often used by vendors to display different prices for the same product it would be easier/faster and more convenient to change ip with a proxy (extension) in the browser. The proxy traffic would be riding on top of the VPN, if routed accordingly.


It does not unless you specify the route for each client/subnet. See