VPS as an anonymous proxy and not only ...
Today, every Internet user can purchase a VPS and use a remote server, for example, to host their own website or organize a DNS server. In this post I will talk about the non-standard use of VPS: how to create a personal anonymous proxy server and provide backup access to existing services.
Client ---> Internet Gateway (PF) --rdr -> Local Proxy Server (SQUID) --vpn -> VPS Proxy Server (SQUID) ---> Internet
For anonymous access to certain resources, we will create a special PF ip address table:
In our scheme, the client uses a transparent proxy, so in PF you need to create a redirect:
We redirect traffic from clients on ports 80, 443 to certain resources through a local proxy server (port 3129).
In the standard SQUID2.7 configuration, as a proxy for the local network, the following directives should be made:
Create a vpn-tunnel between the Internet gateway and the VPS by installing the openvpn server (10.10.10.1) on the gateway and the client on the VPS (10.10.10.250).
Standard configuration SQUID2.7 with anonymous access.
')
Internet ---> VPS (PF) --vpn + stunnel -> Internet Gateway (PF) ---> local server (HTTP, HTTPs)
Add a redirect to the PF firewall on the VPS:
We will redirect traffic destined for the web server behind the Internet gateway to the local loop address ports 8180 and 4443, on which Stunnel runs.
It was possible, of course, to do without Stunnel, simply adding a static route and forwarding ports on the PF to the local server, but decided to experiment. In this case, Stunnel is required for proxying external traffic to the local web server (192.168.XXX.YYY). Stunnel configuration on VPS and Internet gateway:
So, you can provide backup access to the service via an additional white ip. For example, the
Initial data:
- VPS in Europe (FreeBSD8.3 OS) with white ip (yyy.yyy.yyy.yyy)
- Internet gateway in Russia (FreeBSD8.1 OS) with white ip (xxx.xxx.xxx.xxx)
- Local network behind the gateway with servers (HTTP-SERVER, HTTPS-SERVER, PROXY-SERVER)
Access to the Internet resource through an anonymous proxy server
Client ---> Internet Gateway (PF) --rdr -> Local Proxy Server (SQUID) --vpn -> VPS Proxy Server (SQUID) ---> Internet
PF Firewall on the Internet Gateway
For anonymous access to certain resources, we will create a special PF ip address table:
table <anonymous> persist file "/etc/pf/iplists/anonymsites.txt" In our scheme, the client uses a transparent proxy, so in PF you need to create a redirect:
$ext_ip="xxx.xxx.xxx.xxx" $int_if=" " rdr on $int_if proto tcp from $clients to <anonymous> port 80 -> $ext_ip port 3129 rdr on $int_if proto tcp from $clients to <anonymous> port 443 -> $ext_ip port 3129
We redirect traffic from clients on ports 80, 443 to certain resources through a local proxy server (port 3129).
Local proxy server SQUID
In the standard SQUID2.7 configuration, as a proxy for the local network, the following directives should be made:
http_port 3129 # header_access From deny all header_access Server deny all header_access User-Agent deny all header_access WWW-Authenticate deny all header_access Link deny all header_access X-Forwarded-For deny all header_access Via deny all header_access Cache-Control deny all forwarded_for off # VPS vpn- cache_peer 10.10.10.250 parent 3128 0 no-query no-digest cache_peer_access 10.10.10.250 allow all never_direct allow all
OpenVPN based tunnel
Create a vpn-tunnel between the Internet gateway and the VPS by installing the openvpn server (10.10.10.1) on the gateway and the client on the VPS (10.10.10.250).
# OpenVPN mode server tls-server port 2080 proto udp dev tun ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/server.crt key /etc/openvpn/keys/server.key dh /etc/openvpn/keys/dh1024.pem tls-auth /etc/openvpn/keys/ta.key 0 topology subnet ifconfig 10.10.10.1 255.255.255.0 keepalive 10 120 max-clients 10 comp-lzo cipher DES-EDE3-CBC user nobody group nogroup persist-key persist-tun verb 4 mute 20 client-to-client client-config-dir /etc/openvpn/ccd status /var/log/openvpn/openvpn-status.log log-append /var/log/openvpn/openvpn.log
# OpenVPN client dev tun proto udp remote xxx.xxx.xxx.xxx 2080 pull topology subnet user nobody group nobody persist-key persist-tun ca /usr/local/etc/openvpn/keys/ca.crt cert /usr/local/etc/openvpn/keys/vps.crt key /usr/local/etc/openvpn/keys/vps.key tls-client tls-auth /usr/local/etc/openvpn/keys/ta.key 1 cipher DES-EDE3-CBC comp-lzo verb 3 status /var/log/openvpn-status.log log /var/log/openvpn.log mute 20
VPS proxy server SQUID
Standard configuration SQUID2.7 with anonymous access.
http_port 3128 # header_access From deny all header_access Server deny all header_access User-Agent deny all header_access WWW-Authenticate deny all header_access Link deny all header_access X-Forwarded-For deny all header_access Via deny all header_access Cache-Control deny all forwarded_for off
')
Backup access to servers (HTTP, HTTPs) from outside
Internet ---> VPS (PF) --vpn + stunnel -> Internet Gateway (PF) ---> local server (HTTP, HTTPs)
PF Firewall on VPS
Add a redirect to the PF firewall on the VPS:
$ext_if=" " rdr on $ext_if proto tcp from any to $ext_if port 80 -> 127.0.0.1 port 8180 rdr on $ext_if proto tcp from any to $ext_if port 443 -> 127.0.0.1 port 4443
We will redirect traffic destined for the web server behind the Internet gateway to the local loop address ports 8180 and 4443, on which Stunnel runs.
Stunnel Tunnel
It was possible, of course, to do without Stunnel, simply adding a static route and forwarding ports on the PF to the local server, but decided to experiment. In this case, Stunnel is required for proxying external traffic to the local web server (192.168.XXX.YYY). Stunnel configuration on VPS and Internet gateway:
#stunnel.conf VPS pid = /var/run/stunnel.pid debug = 4 output = /var/log/stunnel.log cert = /usr/local/etc/stunnel/stunnel.cert key = /usr/local/etc/stunnel/stunnel.key sslVersion = SSLv3 options = DONT_INSERT_EMPTY_FRAGMENTS ciphers = AES256-SHA socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 compression = rle [http] client = yes accept = 8180 connect = 10.10.10.1:8180 TIMEOUTclose = 0 [https] client = yes accept = 4443 connect = 10.10.10.1:4443 TIMEOUTclose = 0
#stunnel.conf - pid = /var/run/stunnel.pid debug = 4 output = /var/log/stunnel.log cert = /usr/local/etc/stunnel/stunnel.cert key = /usr/local/etc/stunnel/stunnel.key sslVersion = SSLv3 options = DONT_INSERT_EMPTY_FRAGMENTS ciphers = AES256-SHA socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 compression = rle [http] accept = 8180 connect = 192.168.XXX.YYY:80 TIMEOUTclose = 0 [https] accept = 4443 connect = 192.168.XXX.YYY:443 TIMEOUTclose = 0
So, you can provide backup access to the service via an additional white ip. For example, the
example.com domain in DNS can map the main external ip, and the subdomain www.example.com www.example.com (often an alias for the main one) - ip of the remote VPS.
Source: https://habr.com/ru/post/217629/
All Articles