Some magical little Debian configuration notes for networking tricks with VPNs and Tor
unbound (DNS)
Unbound is a DNS server that can be used next to Bind on the same system. In my use case, I put Unbound in place as a cache and forwarder for Tor DNS calls with a forward to look up local LAN addresses from another DNS server.
apt-get install unbound
Config file: /etc/unbound/unbound.conf
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
#include: "/etc/unbound/unbound.conf.d/*.conf"
server:
    do-not-query-localhost: no          # Enable local lookups to loop back on self
    interface: 172.16.1.252             # Listen on this IP
    outgoing-interface: 172.16.1.252    # Reply from this IP
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    access-control: 172.16.1.0/24 allow # Limit lookups to this subnet
    logfile: /var/log/unbound
    hide-identity: yes
    hide-version: yes
    domain-insecure: *                  # Disable DNSSEC (doesn't work over Tor)
forward-zone:
    name: "lan"                         # Forward names ending in .lan to the internal DNS
    forward-addr: 172.16.1.10@53
forward-zone:
    name: "."                           # Any other name lookup goes to the Tor DNSPort on loopback
    forward-addr: 127.0.0.1@53
PPTP VPN GATEWAY
Unlike a Tor gateway, a PPTP gateway brings up a ppp0 adapter, so IP routing has to be enabled. It is important to stop ICMP redirects and to control packet flows with iptables when ppp0 is down. DNS is not covered in this configuration; be mindful of where your clients send their DNS queries and where that DNS server in turn resolves on the internet. While the data transfer goes via the VPN, the DNS calls could still leave via the local internet connection!
Set up the VPN client, have it dial on boot, persist, and replace the default route when the connection is up. (DON'T USE THE WEBMIN PPTP-CLIENT MODULE)
Enable IP routing and disable ICMP redirects (they can cause leaks)
Config file: /etc/sysctl.conf
net.ipv4.conf.all.arp_notify=1
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv6.conf.all.send_redirects=0
iptables, love it or hate it, we need it. We don't want to FORWARD packets anywhere except between our LAN and the ppp0 tunnel.
Change the default action on FORWARD to DROP in both the FILTER and MANGLE tables. Add a pair of rules to permit traffic from eth0 to ppp0 and from ppp0 to eth0; do this in both FILTER and MANGLE.
NAT needs to be set up on ppp0 in POSTROUTING.
Action: Masquerade, if output interface is ppp0
Final rule, if you install the Squid(3) proxy: we don't want Squid to be sending packets if ppp0 is down. Therefore you only want it to send packets to the LAN subnet via eth0 when the sending user is proxy (assuming Squid runs under the proxy account).
This rule needs to be created on FILTER OUTPUT (OUTPUT is packets generated by the host itself); the action is DROP.
Action: Drop, if destination is not 172.16.1.0/24 and output interface is eth0 and sender is user proxy
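The FORWARD, POSTROUTING and OUTPUT rules described above, written out as a shell script. This is an added example, not the original author's script or Webmin's output. It assumes the LAN is on eth0 as 172.16.1.0/24, the tunnel is ppp0 and Squid runs as user proxy; all of these are variables so they can be overridden. Running it with `dry-run` prints the iptables commands instead of applying them, which is useful for reviewing the ruleset before touching a live gateway.

```shell
#!/bin/sh
# Added example for the PPTP gateway notes; not the original author's script.
# Assumptions (override via environment): LAN on eth0 = 172.16.1.0/24,
# VPN tunnel on ppp0, Squid running as user "proxy".
# Usage: sh pptp-gw-rules.sh apply      (as root)
#        sh pptp-gw-rules.sh dry-run    (print the commands only)
IPTABLES="${IPTABLES:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
VPN_IF="${VPN_IF:-ppp0}"
LAN_NET="${LAN_NET:-172.16.1.0/24}"
PROXY_USER="${PROXY_USER:-proxy}"

# Default-deny FORWARD in both filter and mangle, then allow only
# LAN <-> tunnel.  When ppp0 is down neither ACCEPT rule can match, so
# client traffic is dropped instead of falling back to the plain uplink.
set_forward_rules() {
    for table in filter mangle; do
        "$IPTABLES" -t "$table" -P FORWARD DROP
        "$IPTABLES" -t "$table" -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
        "$IPTABLES" -t "$table" -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -j ACCEPT
    done
}

# Masquerade LAN clients behind the tunnel address on ppp0.
set_nat_rule() {
    "$IPTABLES" -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
}

# Squid's own traffic may reach the LAN over eth0 and nothing else on eth0,
# so with ppp0 down it is dropped rather than sent out the local uplink.
set_proxy_rule() {
    "$IPTABLES" -t filter -A OUTPUT ! -d "$LAN_NET" -o "$LAN_IF" \
        -m owner --uid-owner "$PROXY_USER" -j DROP
}

apply_all() {
    set_forward_rules
    set_nat_rule
    set_proxy_rule
}

case "${1:-}" in
    apply)   apply_all ;;
    dry-run) IPTABLES=echo; apply_all ;;
esac
```

The mangle FORWARD policy is set alongside filter because the notes ask for both; the owner match on the OUTPUT rule is what ties the last rule to Squid rather than to the whole host.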
pptp vpn (client)
DON'T USE WEBMIN'S PPTP MODULE! For some stupid reason it hangs up the connection after connecting on boot, no idea why.
Command line:
apt-get install pptp-linux
Create the basics of your VPN provider config (all settings will be in this file, the options file wont be linked)
Command line:
pptpsetup --create [CONNECTION NAME] --server [NAME or IP] --username [USERNAME] --password [PASSWORD] --encrypt
This will produce a configuration file as below
Configuration file: /etc/ppp/peers/[CONNECTION NAME]
# written by pptpsetup
pty "pptp [NAME or IP] --nolaunchpppd"
lock
noauth
nobsdcomp
nodeflate
name [USERNAME]
remotename [CONNECTION NAME]
ipparam [CONNECTION NAME]
require-mppe-128
Append some little goodies to the bottom of this file to make the connection persistent with no maximum number of retries, detach to the background once the link is up (updetach), and most importantly make a default route out over the VPN, replacing the current default route!
Configuration file: /etc/ppp/peers/[CONNECTION NAME]
persist
maxfail 0
updetach
defaultroute
replacedefaultroute
Tor gateway
A guide to setting up a Tor transparent gateway, SOCKS5 proxy and Tor DNS. Uses Tor and iptables; can be combined with Squid to add an HTTP/HTTPS proxy.
Install the following components: tor and tor-arm (console monitor for Tor)
Command line:
apt-get install tor tor-arm
Main configuration is in /etc/tor/torrc; breakdown of the lines in the config file:
VirtualAddrNetwork 10.192.0.0/10 [OR] VirtualAddrNetwork 172.16.0.0/12 - When providing proxy services to a network of computers, the internal virtual address range that Tor works in needs to be set.
AutomapHostsOnResolve 1 - When this option is enabled, and we get a request to resolve an address that ends with one of the suffixes in AutomapHostsSuffixes, we map an unused virtual address to that address, and return the new virtual address. This is handy for making ".onion" addresses work with applications that resolve an address and then connect to it. (Default: 0)
TransPort "IP":"port" - Opens a transparent proxy port; can be used more than once. iptables rules are required to get packets to it (TCP only, 9040). Does not require IP routing to be enabled.
SocksPort "IP":"port" - Opens a SOCKS proxy port; can be used more than once. (9050)
DNSPort "IP":"port" - Opens a DNS port for UDP DNS requests from clients. Only handles A, AAAA, and PTR requests. It is not a full DNS server or service! (53 or 9053)
ReachableAddresses "accept/reject" "IP/*":"PORT" - Use ReachableAddresses to control the initial connection to the Tor network, accept/reject "IP":"PORT". Example: accept *:443 to send all Tor traffic for the initial hop over port 443, through a firewall/proxy or to look like HTTPS traffic.
DisableDebuggerAttachment "0/1" - Needs to be set to 0 for tor-arm to function
Configuration file: /etc/tor/torrc
VirtualAddrNetwork "IP/MASK"
AutomapHostsOnResolve 1
TransPort "IP":"port"
SocksPort "IP":"port"
DNSPort "IP":"port"
ReachableAddresses "accept/reject" "IP/*":"PORT"
DisableDebuggerAttachment "0/1"
Depending on the requirements, additional iptables configuration is needed to get a transparent proxy working; the DNS and SOCKS services can be used without iptables. The official guide linked at the bottom expands on possible configurations. Rules need to be created to take TCP packets from the network/clients and push them to port 9040, where the TransPort is listening. The kernel routing flag does not need to be enabled for Tor transparent routing using iptables.
iptables -t nat -A PREROUTING -p tcp -m tcp -s 172.16.1.91 -i eth0 -j REDIRECT --to-ports 9040
Within the NAT table, redirect TCP packets from a given IP received on eth0 to port 9040.
Tor project website
https://www.torproject.org
Tor project manual
https://www.torproject.org/docs/tor-manual.html.en
Tor official guide to Transparent proxy
https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
TCPDUMP - network packet inspector (host-only)
Command-line method for checking packet flows, handy when working with proxy and gateway configs.
Command line:
apt-get install tcpdump
Usage :
tcpdump -i "interface"
-i interface
-n turn off name resolution
-c # capture # packets
-s # capture # bytes of each packet
-e display MAC addresses
-v -vv -vvv three levels of verbose output
-S display absolute TCP sequence numbers
-w "filename.pcap" capture to file (read later with wireshark or tcpdump)
-r "filename.pcap" read a captured file
port # packets heading to port #
not port # ignore packets heading to port #
host #.#.#.# show packets for (any direction) host #.#.#.#
src host #.#.#.# show packets from host #.#.#.#
dst host #.#.#.# show packets to host #.#.#.#
icmp filter icmp
tcp filter tcp
udp filter udp
arp filter arp
&& or and for AND
# tcpdump -i eth0 '((icmp) and (host #.#.#.#))' or tcpdump -i eth0 icmp and host #.#.#.#
|| or or for OR
# tcpdump -i eth0 '((icmp) or (host #.#.#.#))' or tcpdump -i eth0 icmp or host #.#.#.#
Squid Proxy (webmin)
Squid can be installed alongside Webmin, using Webmin as a web GUI for managing the settings.
Squid3 is the only supported release under development.
See the Webmin installation documentation for instructions on installing Webmin.
Webmin uses squid3, not squid (the older release); adding Squid from within the Webmin module will install the legacy squid. Therefore you must install it using the package manager in Webmin or apt-get.
Command line:
apt-get install squid3
Post installation you need to allow remote connections to use the proxy server; by default only localhost is allowed.
In Webmin find the Squid module (you may need to refresh the modules list to move it out of "unused")
Access Control
Access control lists tab: a new ACL can be created. Set the drop-down menu next to the green "Create new ACL" button to the correct type, typically Client IP address to enable a client or subnet.
Proxy restrictions tab: Add proxy restriction button at the bottom of the list.
Set the action to Allow (or Deny)
Set Match ACLs to the ACL you created.
Edit the ACL list to enable connections from external hosts.
E.g. create an ACL called Local_LAN containing the client IP range from x.x.x.0 to x.x.x.255, subnet 255.255.255.0. Then set proxy restrictions to ALLOW, match ACLs Local_LAN. Any computer on the subnet can now use the Squid proxy.
Chaining, or upstream proxying
Using Webmin, from the Squid module the settings are located under "Other Caches".
First step is to deny "fetch directly" if you don't want Squid to connect directly to a site when requested. ACL lists are used to control which clients are able or unable to get Squid to make a direct fetch.
Cache Selection Options
- ACLs never to fetch directly - ALL (Squid will not connect to a site directly for anyone)
- ACLs to fetch directly - none (can be used to force direct connections)
Edit Cache Host
Add Cache Host
- Hostname (or IP)
- Port
- ICP port - 0 (disable ICP cache lookup)
- Round-robin cache - Yes (if planning on using more than one)
- Connection timeout for host - 5 (seconds)
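The Webmin steps above, expressed as the squid.conf directives they produce, as an added example (not from the original notes or from Webmin). The generator takes the LAN subnet as CIDR and the upstream caches as host:port arguments; the peer hostnames in the usage line are placeholders. Reviewing the generated text is a quick way to confirm that Squid will refuse direct fetches and only reach the internet via the listed peers.

```shell
#!/bin/sh
# Added example for the Squid chaining notes; not the original author's config.
# Prints the squid.conf directives matching the Webmin settings above.
# Assumptions: LAN subnet given as CIDR, peers given as host[:port]
# (port defaults to 3128; the hostnames below are placeholders).
# Usage: sh squid-chain-conf.sh 172.16.1.0/24 peer1.example:3128 peer2.example:8080

# Access Control: the Local_LAN ACL plus the Allow restriction, then deny all.
squid_access_conf() {
    printf 'acl Local_LAN src %s\n' "$1"
    printf 'http_access allow Local_LAN\n'
    printf 'http_access deny all\n'
}

# Other Caches: "ACLs never to fetch directly: ALL" is never_direct allow all;
# each cache host gets ICP port 0 and no-query (ICP disabled), round-robin
# selection and a 5-second connect timeout, as in the Webmin fields above.
squid_peer_conf() {
    printf 'never_direct allow all\n'
    for peer in "$@"; do
        case "$peer" in
            *:*) host="${peer%%:*}"; port="${peer##*:}" ;;
            *)   host="$peer"; port=3128 ;;
        esac
        printf 'cache_peer %s parent %s 0 no-query round-robin connect-timeout=5\n' \
            "$host" "$port"
    done
}

# Full fragment: squid_chain_conf LAN_CIDR PEER[:PORT] [PEER[:PORT] ...]
squid_chain_conf() {
    lan="$1"
    shift
    squid_access_conf "$lan"
    squid_peer_conf "$@"
}

if [ "$#" -ge 2 ]; then
    squid_chain_conf "$@"
fi
```

With `never_direct allow all` in place, a peer outage means requests fail rather than Squid quietly fetching directly over the local uplink, which is the behaviour the "never fetch directly - ALL" setting is there to guarantee.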
Free internet proxy servers (distorting proxy replaces sender ip)
http://www.xroxy.com/proxylist.php?port=&type=Distorting&ssl=ssl&country=&latency=&reliability=#table
Test IP round robin with
http://www.showmyip.co.uk/
http://www.showmyip.gr/
Tunnel outgoing traffic through a local Tor installation
Burying the traffic in a VPN or Tor connection will bypass any ISP or local network blocks/filters/detection. To do this we use iptables to redirect outbound traffic from the proxy user account (the account Squid runs under).
Install Tor, and Tor-Arm (optional)
Command line:
apt-get install tor tor-arm
Important point to note: Squid will be running as the proxy user and will send all of its traffic out of the lo adapter, to 127.0.0.1:9040 (TCP) and 127.0.0.1:53 (DNS), for transmission over Tor.
Edit configuration file: /etc/tor/torrc
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040 # 127.0.0.1:9040 for the TransPort
DNSPort 53 # 127.0.0.1:53 for DNS
DisableDebuggerAttachment 0 # tor-arm
ReachableAddresses accept *:443 # Outbound Tor connections look like HTTPS
# Optional extras to open ports for network access
SocksPort "IP":9050
TransPort "IP":9040
DNSPort "IP":53
Create some iptables rules
Command line:
iptables -t nat -A OUTPUT ! -o lo -p tcp -m tcp -m owner --uid-owner proxy -j REDIRECT --to-ports 9040
iptables -t nat -A OUTPUT ! -o lo -p udp -m udp --dport 53 -m owner --uid-owner proxy -j REDIRECT --to-ports 53
iptables -t filter -A OUTPUT -p tcp -m owner --uid-owner proxy -m tcp --dport 9040 -j ACCEPT
iptables -t filter -A OUTPUT -p udp -m owner --uid-owner proxy -m udp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT ! -d "ip/subnet" -o eth0 -m owner --uid-owner proxy -j DROP
Explanation: The first rule redirects HTTP (actually, all TCP) traffic from the proxy user to the local port where Tor is listening. The second rule redirects DNS (actually, UDP port 53) traffic to local port 53 where Tor is listening for DNS queries. These are followed by two ACCEPT rules to ensure 9040 and 53 connect. The last DROP rule must have the -d "ip/subnet" completed correctly or proxy won't be able to talk to the local subnet!
WARNING: Ping (ICMP) is not blocked, because ping packets have no "owner" the rule could match against. Either accept this as a risk for possible leaks or globally block ICMP with:
iptables -A OUTPUT -p icmp -j REJECT
If DNS is leaking then set the nameserver to 127.0.0.1 in /etc/resolv.conf
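A way to check that the controls above are actually in place on a running host, as an added example (not the original author's script): it audits an `iptables-save` dump for the two REDIRECT rules in the nat table, the owner-based DROP in the filter table, and the optional ICMP REJECT. It assumes the same layout as the notes: Squid as user proxy, Tor on 127.0.0.1:9040 and :53, LAN 172.16.1.0/24. The sample dump embedded in the script is constructed for the example; on a real gateway feed it the output of `iptables-save` instead.

```shell
#!/bin/sh
# Added example for the Squid-over-Tor notes; not the original author's script.
# Audits an iptables-save dump for the leak controls listed above.  Assumptions:
# Squid runs as user "proxy", Tor listens on 127.0.0.1:9040 (TransPort) and
# 127.0.0.1:53 (DNSPort), the LAN is 172.16.1.0/24.
# Usage: iptables-save > /tmp/rules && sh tor-leak-audit.sh /tmp/rules

PROXY_USER="${PROXY_USER:-proxy}"
# iptables-save writes the numeric uid, so resolve it; fall back to 13,
# the uid Debian assigns to "proxy", when auditing a dump on another host.
if [ -z "${PROXY_UID:-}" ]; then
    PROXY_UID=$(id -u "$PROXY_USER" 2>/dev/null || echo 13)
fi
LAN_NET_RE="${LAN_NET_RE:-172\.16\.1\.0/24}"

# Print the rules of one table (nat, filter, ...) from the dump file.
table_rules() {
    sed -n "/^\*$1\$/,/^COMMIT\$/p" "$2"
}

# check TABLE DESCRIPTION REGEX: prints a PASS/FAIL line, returns 1 on FAIL.
check() {
    if table_rules "$1" "$DUMP" | grep -qE -- "$3"; then
        echo "PASS: $2"
    else
        echo "FAIL: $2"
        return 1
    fi
}

# Returns the number of failed checks; 0 means every control is present.
audit_tor_rules() {
    DUMP="$1"
    owner="-m owner --uid-owner ($PROXY_USER|$PROXY_UID)"
    fails=0
    check nat "proxy TCP redirected to TransPort 9040" \
        "^-A OUTPUT ! -o lo -p tcp -m tcp $owner -j REDIRECT --to-ports 9040" || fails=$((fails + 1))
    check nat "proxy DNS redirected to DNSPort 53" \
        "^-A OUTPUT ! -o lo -p udp -m udp --dport 53 $owner -j REDIRECT --to-ports 53" || fails=$((fails + 1))
    check filter "proxy may only leave eth0 towards the LAN" \
        "^-A OUTPUT ! -d $LAN_NET_RE -o eth0 $owner -j DROP" || fails=$((fails + 1))
    check filter "outbound ICMP rejected (owner match cannot see ping)" \
        "^-A OUTPUT -p icmp -j REJECT" || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample in iptables-save format (uid 13 = proxy on Debian),
# containing the rules from the notes plus the ICMP REJECT.
sample_good_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT ! -o lo -p tcp -m tcp -m owner --uid-owner 13 -j REDIRECT --to-ports 9040
-A OUTPUT ! -o lo -p udp -m udp --dport 53 -m owner --uid-owner 13 -j REDIRECT --to-ports 53
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m owner --uid-owner 13 -m tcp --dport 9040 -j ACCEPT
-A OUTPUT -p udp -m owner --uid-owner 13 -m udp --dport 53 -j ACCEPT
-A OUTPUT ! -d 172.16.1.0/24 -o eth0 -m owner --uid-owner 13 -j DROP
-A OUTPUT -p icmp -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Same dump with the final DROP and the ICMP REJECT missing: two leak paths.
sample_leaky_dump() {
    sample_good_dump | grep -v -e '-j DROP' -e '-p icmp'
}

if [ -n "${1:-}" ]; then
    audit_tor_rules "$1"
fi
```

The checks are per table on purpose: a REDIRECT that ends up in the filter table or a DROP in nat would pass a naive grep over the whole dump but never match a packet.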
Assuming Tor is installed on the local host, with 9040 as the TransPort and 53 as the DNSPort, nothing else is needed.
Having used the command line to insert rules into the live iptables, save them with (as root):
Command line:
iptables-save > /etc/iptables.up.rules
Edit /etc/network/interfaces to make sure the rules load on start up
# The primary network interface
allow-hotplug eth0
iface eth0 inet static
address x.x.x.x
netmask x.x.x.x
gateway x.x.x.x
post-up iptables-restore < /etc/iptables.up.rules
Using a transparent Tor router
If you have another machine acting as a Tor router you need to change the default gateway on your Squid host to point to your Tor router. This will direct the traffic to the Tor router for transport. After trying for hours: you cannot DNAT with iptables to redirect the outbound traffic from Squid to another IP for transport. By setting the default gateway, packets will be sent to the IP of your Tor router in a state of wanting to be routed.
On the Tor router you need to set up an iptables rule to capture packets from the Squid host and redirect them into port 9040.
- nat PREROUTING
- Action Redirect to 9040
- If protocol is TCP and source is 172.16.1.100 and input interface is eth0
Command line:
iptables -t nat -A PREROUTING -p tcp -m tcp -s 172.16.1.100 -i eth0 -j REDIRECT --to-ports 9040
Wake on LAN
Linux wake on LAN: set the NIC (eth0) to WOL enabled on boot using rc.local and ethtool.
Command line:
echo '/sbin/ethtool -s eth0 wol g' >> /etc/rc.d/rc.local