
VPS as an anonymous proxy and not only ...

Today, every Internet user can purchase a VPS and use a remote server, for example, to host their own website or organize a DNS server. In this post I will talk about the non-standard use of VPS: how to create a personal anonymous proxy server and provide backup access to existing services.



Initial data:





Access to the Internet resource through an anonymous proxy server



Client ---> Internet Gateway (PF) --rdr -> Local Proxy Server (SQUID) --vpn -> VPS Proxy Server (SQUID) ---> Internet



PF Firewall on the Internet Gateway


For anonymous access to selected resources, we create a dedicated PF table holding the IP addresses of those resources:

table <anonymous> persist file "/etc/pf/iplists/anonymsites.txt" 


In our scheme, the client uses a transparent proxy, so in PF you need to create a redirect:

 # macros are defined without "$" and referenced with it
 ext_ip = "xxx.xxx.xxx.xxx"
 int_if = " "
 rdr on $int_if proto tcp from $clients to <anonymous> port 80 -> $ext_ip port 3129
 rdr on $int_if proto tcp from $clients to <anonymous> port 443 -> $ext_ip port 3129


Client traffic to the listed resources on ports 80 and 443 is redirected to the local proxy server (port 3129).



Local proxy server SQUID


Starting from the standard Squid 2.7 configuration used as a proxy for the local network, add the following directives:

 # "transparent" is needed for traffic intercepted by the PF rdr rule
 http_port 3129 transparent
 # strip headers that identify the client or the proxy path
 header_access From deny all
 header_access Server deny all
 header_access User-Agent deny all
 header_access WWW-Authenticate deny all
 header_access Link deny all
 header_access X-Forwarded-For deny all
 header_access Via deny all
 header_access Cache-Control deny all
 forwarded_for off
 # send all requests to the VPS proxy over the vpn tunnel
 cache_peer 10.10.10.250 parent 3128 0 no-query no-digest
 cache_peer_access 10.10.10.250 allow all
 never_direct allow all


OpenVPN based tunnel


Create a vpn-tunnel between the Internet gateway and the VPS by installing the openvpn server (10.10.10.1) on the gateway and the client on the VPS (10.10.10.250).

 # OpenVPN server (Internet gateway, 10.10.10.1)
 mode server
 tls-server
 port 2080
 proto udp
 dev tun
 ca /etc/openvpn/keys/ca.crt
 cert /etc/openvpn/keys/server.crt
 key /etc/openvpn/keys/server.key
 dh /etc/openvpn/keys/dh1024.pem
 tls-auth /etc/openvpn/keys/ta.key 0
 topology subnet
 ifconfig 10.10.10.1 255.255.255.0
 keepalive 10 120
 max-clients 10
 comp-lzo
 cipher DES-EDE3-CBC
 user nobody
 group nogroup
 persist-key
 persist-tun
 verb 4
 mute 20
 client-to-client
 client-config-dir /etc/openvpn/ccd
 status /var/log/openvpn/openvpn-status.log
 log-append /var/log/openvpn/openvpn.log


 # OpenVPN client (VPS, 10.10.10.250)
 client
 dev tun
 proto udp
 remote xxx.xxx.xxx.xxx 2080
 pull
 topology subnet
 user nobody
 group nobody
 persist-key
 persist-tun
 ca /usr/local/etc/openvpn/keys/ca.crt
 cert /usr/local/etc/openvpn/keys/vps.crt
 key /usr/local/etc/openvpn/keys/vps.key
 tls-client
 tls-auth /usr/local/etc/openvpn/keys/ta.key 1
 cipher DES-EDE3-CBC
 comp-lzo
 verb 3
 status /var/log/openvpn-status.log
 log /var/log/openvpn.log
 mute 20


VPS proxy server SQUID


The standard Squid 2.7 configuration, with the same header anonymisation as on the local proxy:

 http_port 3128
 # strip headers that identify the client or the proxy path
 header_access From deny all
 header_access Server deny all
 header_access User-Agent deny all
 header_access WWW-Authenticate deny all
 header_access Link deny all
 header_access X-Forwarded-For deny all
 header_access Via deny all
 header_access Cache-Control deny all
 forwarded_for off
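To see what the two identical header_access blocks (local Squid and VPS Squid) actually achieve, here is an added Python model of the two-hop chain; it is not code from the post. It assumes Squid 2.7 behaviour as documented (forwarded_for off sends "X-Forwarded-For: unknown" rather than dropping the header, and header_access mangling runs after Squid appends its own Via / X-Forwarded-For); the client IPs, hop names and request headers are constructed.

```python
import re
# Constructed excerpt of the Squid 2.7 directives shown on this page (same on both hops).
SQUID_CONF = """
http_port 3129
header_access From deny all
header_access Server deny all
header_access User-Agent deny all
header_access WWW-Authenticate deny all
header_access Link deny all
header_access X-Forwarded-For deny all
header_access Via deny all
header_access Cache-Control deny all
forwarded_for off
"""

def parse_squid(conf):
    """Return (header names denied by 'header_access ... deny all', forwarded_for on?)."""
    denied, fwd_for = set(), True
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"header_access\s+(\S+)\s+deny\s+all$", line, re.I)
        if m:
            denied.add(m.group(1).lower())
        elif re.match(r"forwarded_for\s+(on|off)$", line, re.I):
            fwd_for = line.split()[1].lower() == "on"
    return denied, fwd_for

def squid_hop(headers, seen_ip, hop_name, denied, fwd_for):
    """One hop: Squid appends its own Via / X-Forwarded-For, then header_access mangling runs.
    With 'forwarded_for off' Squid 2.7 sends 'X-Forwarded-For: unknown' rather than omitting it."""
    out = dict(headers)
    out["Via"] = ", ".join(filter(None, [out.get("Via"), f"1.0 {hop_name}"]))
    xff = seen_ip if fwd_for else "unknown"
    out["X-Forwarded-For"] = ", ".join(filter(None, [out.get("X-Forwarded-For"), xff]))
    return {k: v for k, v in out.items() if k.lower() not in denied}

def run_chain(headers, conf, hops):
    """hops = [(source IP as seen by that hop, hop name), ...], gateway Squid first."""
    denied, fwd_for = parse_squid(conf)
    for seen_ip, name in hops:
        headers = squid_hop(headers, seen_ip, name, denied, fwd_for)
    return headers

def identifying_headers(final):
    """Headers reaching the origin that still reveal the client or the proxy path."""
    return sorted(k for k in final if k.lower() in ("from", "user-agent", "via", "x-forwarded-for"))

# Constructed request and chain: gateway Squid sees the LAN client, VPS Squid sees the tunnel end.
CLIENT_REQUEST = {"Host": "example.com", "Accept": "text/html", "User-Agent": "Mozilla/5.0 (constructed)", "From": "user@lan.example"}
HOPS = [("192.168.1.10", "gateway-squid"), ("10.10.10.1", "vps-squid")]
```

Running run_chain with an empty config instead of SQUID_CONF shows the default behaviour: both proxy addresses arrive at the origin in X-Forwarded-For and Via.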



Backup access to servers (HTTP, HTTPs) from outside



Internet ---> VPS (PF) --vpn + stunnel -> Internet Gateway (PF) ---> local server (HTTP, HTTPs)



PF Firewall on VPS


Add a redirect to the PF firewall on the VPS:

 ext_if = " "
 rdr on $ext_if proto tcp from any to $ext_if port 80 -> 127.0.0.1 port 8180
 rdr on $ext_if proto tcp from any to $ext_if port 443 -> 127.0.0.1 port 4443


Traffic destined for the web server behind the Internet gateway is redirected to loopback ports 8180 and 4443, on which Stunnel listens.



Stunnel Tunnel


It was possible, of course, to do without Stunnel, simply adding a static route and forwarding ports in PF to the local server, but I decided to experiment. Here Stunnel carries the external traffic to the local web server (192.168.XXX.YYY). Stunnel configuration on the VPS and on the Internet gateway:

 # stunnel.conf on the VPS
 pid = /var/run/stunnel.pid
 debug = 4
 output = /var/log/stunnel.log
 cert = /usr/local/etc/stunnel/stunnel.cert
 key = /usr/local/etc/stunnel/stunnel.key
 sslVersion = SSLv3
 options = DONT_INSERT_EMPTY_FRAGMENTS
 ciphers = AES256-SHA
 socket = l:TCP_NODELAY=1
 socket = r:TCP_NODELAY=1
 compression = rle

 [http]
 client = yes
 accept = 8180
 connect = 10.10.10.1:8180
 TIMEOUTclose = 0

 [https]
 client = yes
 accept = 4443
 connect = 10.10.10.1:4443
 TIMEOUTclose = 0


 # stunnel.conf on the Internet gateway
 pid = /var/run/stunnel.pid
 debug = 4
 output = /var/log/stunnel.log
 cert = /usr/local/etc/stunnel/stunnel.cert
 key = /usr/local/etc/stunnel/stunnel.key
 sslVersion = SSLv3
 options = DONT_INSERT_EMPTY_FRAGMENTS
 ciphers = AES256-SHA
 socket = l:TCP_NODELAY=1
 socket = r:TCP_NODELAY=1
 compression = rle

 [http]
 accept = 8180
 connect = 192.168.XXX.YYY:80
 TIMEOUTclose = 0

 [https]
 accept = 4443
 connect = 192.168.XXX.YYY:443
 TIMEOUTclose = 0
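As an added consistency check (not from the post), this Python script parses the VPS rdr rules and both stunnel configs and verifies that each redirected loopback port lands on a VPS stunnel client whose connect port is served by the gateway stunnel server. The config excerpts are constructed from the page and keep its placeholders; the "[global]" header is added only because configparser needs a section for stunnel's global options.

```python
import configparser
import re

# Constructed copies of the page's VPS rdr rules and both stunnel configs (placeholders kept as on the page).
PF_VPS = """
rdr on $ext_if proto tcp from any to $ext_if port 80 -> 127.0.0.1 port 8180
rdr on $ext_if proto tcp from any to $ext_if port 443 -> 127.0.0.1 port 4443
"""
STUNNEL_VPS = """
[http]
client = yes
accept = 8180
connect = 10.10.10.1:8180
[https]
client = yes
accept = 4443
connect = 10.10.10.1:4443
"""
STUNNEL_GW = """
[http]
accept = 8180
connect = 192.168.XXX.YYY:80
[https]
accept = 4443
connect = 192.168.XXX.YYY:443
"""
def parse_stunnel(text):
    cp = configparser.ConfigParser(strict=False)  # stunnel allows repeated keys (socket = ...)
    cp.read_string("[global]\n" + text)            # global options come before the first [section]
    return cp
def parse_pf_rdr(text):
    pat = re.compile(r"rdr on \$ext_if proto tcp from any to \$ext_if port (\d+) -> 127\.0\.0\.1 port (\d+)")
    return {int(pub): int(loop) for pub, loop in pat.findall(text)}  # public port -> loopback port
def lint_chain(pf_text, vps_text, gw_text):
    """Return findings; an empty list means PF rdr -> VPS stunnel client -> gateway stunnel server lines up."""
    findings = []
    rdr, vps, gw = parse_pf_rdr(pf_text), parse_stunnel(vps_text), parse_stunnel(gw_text)
    gw_by_accept = {int(gw[s]["accept"]): s for s in gw.sections() if s != "global"}
    for svc in (s for s in vps.sections() if s != "global"):
        accept, (host, port) = int(vps[svc]["accept"]), vps[svc]["connect"].rsplit(":", 1)
        if accept not in rdr.values():
            findings.append(f"{svc}: VPS stunnel listens on {accept} but no PF rdr sends traffic there")
        if vps[svc].get("client", "no").lower() != "yes":
            findings.append(f"{svc}: VPS side must be 'client = yes' to originate the TLS tunnel")
        gw_svc = gw_by_accept.get(int(port))
        if gw_svc is None:
            findings.append(f"{svc}: VPS connects to {host}:{port} but gateway stunnel has no accept on {port}")
        elif gw[gw_svc].get("client", "no").lower() == "yes":
            findings.append(f"{svc}: gateway side must be the TLS server, not 'client = yes'")
    return findings
```

Feed lint_chain the real files (with their global options) to catch a port typo on either side before it shows up as a silent connection failure.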


This way you can provide backup access to the service via an additional public ("white") IP. For example, the example.com domain in DNS can point to the main external IP, and the subdomain www.example.com (often an alias for the main one) to the IP of the remote VPS.

Source: https://habr.com/ru/post/217629/


