
Anonymization of all traffic through VPN + TOR / I2P. Building a middlebox from scratch

This article explains how to route all of the operating system's traffic through TOR in such a way that the operating system itself does not even know TOR is there.



This removes the need to think about endless proxy and onion settings, and stops the worry of "does this client leak my real IP address because it does not fully support the proxy?"
When I say "TOR", I mean "TOR and I2P". Any other darknet can be attached here using the same technique.

The article is "purely practical". The theory is already well described in Pandos' article and in habrahabr.ru/post/204266 . This text gives detailed instructions on "how to make it work".

Formulation of the problem


1. My computer should switch to "all traffic leaves from a non-Russian IP" mode at the press of one button.

2. At the press of a second button it should switch to "all traffic goes through TOR" mode.

3. A third button is for I2P.

4. The TOR entry node must be located abroad.

5. All of this should work on Linux, Windows and Android. Up front: OS X and iPhone are fine too, I just don't have them, so I cannot test.

Disclaimer


Using tor over VPN does not necessarily increase anonymity. Learn more: trac.torproject.org/projects/tor/wiki/doc/TorPlusVPN . This article describes a tool; it still has to be applied wisely.

Hosting


First of all, we need a relatively cheap VPS whose owners do not object to TOR (and are not Russian, obviously). I personally use DigitalOcean. Their ToS do not list any forbidden traffic (although if you download pirated torrents directly from their IP, they do block you now and then. Well, that is exactly what we need TOR for...). It costs $5 per month.

You can register right here: www.digitalocean.com/?refcode=82e536b1a24d (referral link: you get $10, I get $25. If you don't want to play that game, remove the refcode).

If you know better, or at least no worse, hosting options for this purpose, write in the comments and I will update the article.

I will not describe the exact procedure for creating the VPS, since it depends on the hosting provider and is simple. Let's assume that in the end you can run

 ssh root@1.2.3.4


and get a shell on the VPS. I will assume the VPS runs Debian 7; at least, this article was tested on Debian 7. It will probably work on Ubuntu too.

Package installation


First, a few packages that make life easier. Don't forget to install your favourite editor, mc if you like it, and so on.
 apt-get update
 apt-get upgrade
 apt-get install fail2ban unattended-upgrades etckeeper


I2P is not in the Debian repository, so you have to add a new source:

 echo "deb http://deb.i2p2.no/ wheezy main" >> /etc/apt/sources.list.d/i2p.list
 echo "deb-src http://deb.i2p2.no/ wheezy main" >> /etc/apt/sources.list.d/i2p.list
 apt-get update
 apt-get install i2p-keyring
 apt-get update


Now install the main packages: TOR, VPN and I2P. We also need a DNS server; I use unbound.

 apt-get install tor i2p unbound openvpn privoxy 


VPN configuration


I will keep all VPN settings in /opt/vpn. First you need to generate certificates for the server and the client.

NB: We will run several servers (one behind tor, the other for normal traffic) and use the same certificate for them. This is not obligatory. It is quite possible (and advisable) to generate an independent certificate, or even a separate CA, for each of the openvpn servers.

 mkdir /opt/vpn
 mkdir /opt/vpn/log
 cp -rf /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /opt/vpn/rsa


Now we will generate a new CA and the necessary certificates.
 cd /opt/vpn/rsa
 . ./vars
 ./clean-all
 ./build-ca                  # interactive: answer the prompts
 ./build-key-server server   # server certificate; confirm signing when asked
 ./build-key --batch client  # client certificate, non-interactive
 ./build-dh


Look in the /opt/vpn/rsa/keys folder. It now holds several key + certificate pairs:

ca.{crt,key} - certificate authority
server.{crt,key} - server key
client.{crt,key} - client key

The client only needs ca.crt, client.crt and client.key; the other files must stay on the server only.

It's time to write the server configuration file. Put it in /etc/openvpn/00-standard.conf

 port 1201
 proto udp
 dev tun
 ca /opt/vpn/rsa/keys/ca.crt
 cert /opt/vpn/rsa/keys/server.crt
 key /opt/vpn/rsa/keys/server.key
 dh /opt/vpn/rsa/keys/dh1024.pem
 # Server routing
 # server-bridge 10.8.1.1 255.255.255.0 10.8.1.50 10.8.1.100
 server 10.8.1.0 255.255.255.0
 # Client configuration
 push "redirect-gateway def1"
 push "dhcp-option DNS 8.8.8.8"
 keepalive 10 120
 comp-lzo
 persist-key
 persist-tun
 log /opt/vpn/log/server-standard.log
 status /opt/vpn/log/status-standard.log
 verb 3


Try starting openVPN:
 /etc/init.d/openvpn restart

If it does not start, you have hit this bug: bugs.debian.org/cgi-bin/bugreport.cgi?bug=767836#43 . Fix it as described there and get the server to start successfully.

OK, the VPN works. Time to connect to it. For that we write a config file on the client:

 client
 dev tun
 proto udp
 # your server's IP address and port
 remote 1.2.3.4 1201
 resolv-retry infinite
 nobind
 persist-key
 persist-tun
 comp-lzo
 verb 3
 up /etc/openvpn/update-resolv-conf
 down /etc/openvpn/update-resolv-conf
 <ca>
 [contents of ca.crt]
 </ca>
 <cert>
 [contents of client.crt]
 </cert>
 <key>
 [contents of client.key]
 </key>


Now try to connect:
 sudo openvpn --config client.conf --script-security 2


After the "Initialization Sequence Completed" message appears you are connected and should be able to ping 10.8.1.1. Internet access will be gone; this is normal.

Internet setup


Suppose we do not want to use TOR, but simply do not want a Russian external IP. In that case, this script:

 #!/bin/bash
 SUBNET=10.8.1.0/24
 echo 1 > /proc/sys/net/ipv4/ip_forward
 iptables -t nat -A POSTROUTING -s $SUBNET -o eth0 -j MASQUERADE


will give you what you want. Put it in /etc/rc.local.

TOR setting


If you have read and completed the previous part, do not forget to clear iptables:
 iptables -F
 iptables -t nat -F


Now suppose you do want VPN via TOR (and skipped the previous section). Then:

Add the following at the end of /etc/tor/torrc:

 VirtualAddrNetworkIPv4 10.192.0.0/10
 AutomapHostsOnResolve 1
 TransPort 9040
 TransListenAddress 10.8.1.1
 DNSPort 53
 DNSListenAddress 10.8.1.1
 AccountingStart day 0:00
 AccountingMax 10 GBytes
 RelayBandwidthRate 100 KBytes
 RelayBandwidthBurst 500 KBytes


Also edit our server config /etc/openvpn/00-standard.conf: change the DNS from Google's to the local one. Remember to restart openvpn.
 push "dhcp-option DNS 10.8.1.1"


Finally, the following shell script redirects all incoming VPN traffic through tor:

 #!/bin/sh
 _trans_port="9040"
 _int_if="tun0"
 iptables -t nat -A PREROUTING -i $_int_if -p udp --dport 53 -j REDIRECT --to-ports 53
 iptables -t nat -A PREROUTING -i $_int_if -p tcp --syn -j REDIRECT --to-ports $_trans_port
 /etc/init.d/tor restart


By the way, remember this construct. It is a universal way to redirect all traffic arriving on a given network interface through a transparent proxy; I2P will be attached the same way.

Done. Connect to the VPN. Make sure you have a TOR IP address. Visit some .onion site to check that DNS also works.
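The redirect construct above, generalised into a reusable function, as an added example that is not the article's own script. It assumes the article's layout: VPN interface tun0 with gateway address 10.8.1.1, a DNS listener on port 53 of that address (tor's DNSPort, or unbound later on), and a transparent proxy on 9040 (tor TransPort) or 8118 (privoxy in front of I2P). The chain names TP_<iface> and TPF_<iface> are my own choice. On top of the article's two rules it drops everything else arriving from the VPN interface in the FORWARD chain, so UDP or ICMP from a client cannot slip out through the MASQUERADE rule from the "Internet setup" section if that is still in place.

```shell
#!/bin/sh
# Added example (not the article's own script): the same transparent-proxy
# redirect as a reusable function, plus explicit leak blocking.
# Assumed values (constructed for this example, matching the article):
# VPN interface tun0 whose gateway address is 10.8.1.1, a DNS listener on
# port 53 of that address (tor DNSPort or unbound) and a transparent proxy
# on 9040 (tor TransPort) or 8118 (privoxy in front of I2P).
# Chain names TP_<iface> / TPF_<iface> are my own choice.

# Runs iptables for real, or just prints the command when DRY_RUN=1
# (lets you review the rule set without root and without touching the box).
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# transproxy_apply IFACE PROXY_PORT [DNS_PORT]
# Redirects DNS and every new TCP connection arriving on IFACE into the
# local proxy, and drops whatever is left (other UDP, ICMP, ...) so it can
# never reach the MASQUERADE rule from the "Internet setup" section.
transproxy_apply() {
    _if="$1"; _proxy="$2"; _dns="${3:-53}"
    _nat="TP_${_if}"; _fwd="TPF_${_if}"
    # Dedicated chains: rebuilding them never flushes unrelated rules.
    ipt -t nat -N "$_nat" 2>/dev/null || true
    ipt -t nat -F "$_nat"
    ipt -N "$_fwd" 2>/dev/null || true
    ipt -F "$_fwd"
    # DNS from VPN clients goes to the local DNS listener.
    ipt -t nat -A "$_nat" -p udp --dport 53 -j REDIRECT --to-ports "$_dns"
    # Every new TCP connection goes to the transparent proxy port.
    ipt -t nat -A "$_nat" -p tcp --syn -j REDIRECT --to-ports "$_proxy"
    # Redirected packets are delivered locally (INPUT); anything that still
    # reaches FORWARD was not captured and must not leave by the normal route.
    ipt -A "$_fwd" -j DROP
    # Hook the chains in; delete first so re-running does not duplicate the jump.
    ipt -t nat -D PREROUTING -i "$_if" -j "$_nat" 2>/dev/null || true
    ipt -t nat -I PREROUTING -i "$_if" -j "$_nat"
    ipt -D FORWARD -i "$_if" -j "$_fwd" 2>/dev/null || true
    ipt -I FORWARD -i "$_if" -j "$_fwd"
}

# Usage:  sh transproxy.sh tun0 9040             (tor)
#         sh transproxy.sh tun0 8118             (privoxy -> I2P)
#         DRY_RUN=1 sh transproxy.sh tun0 9040   (print the rules only)
if [ -n "${1:-}" ]; then
    transproxy_apply "$1" "${2:-9040}" "${3:-53}"
fi
```

Run it with DRY_RUN=1 first and read the printed rules; the only difference between the tor and the I2P variant is the proxy port, exactly as in the article, and the DROP in the per-interface FORWARD chain is what turns "traffic I did not think of" into a connection failure rather than a leak.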

I2P setup


I2P is harder: it has no DNS server of its own, so you have to build one.

Open /etc/unbound/unbound.conf and add to the end (these lines belong in the server: section):
 interface: 10.8.1.1
 logfile: "/etc/unbound/unbound.log"
 local-zone: "i2p" redirect
 local-data: "i2p A 10.191.0.1"
 access-control: 127.0.0.0/8 allow
 access-control: 10.0.0.0/8 allow
 local-zone: "." redirect
 local-data: ". A 10.191.0.1"
 local-zone: "*" redirect
 local-data: "* A 10.191.0.1"

After that, any (!) domain will resolve to the obviously non-existent IP address 10.191.0.1. It remains to "catch" such traffic and redirect it to port 8118, where privoxy, acting as the front-end to I2P, will listen.

Actually, it is not listening yet. Run
 dpkg-reconfigure i2p

and set the flag to start at boot.

Stop tor. Start unbound.
 /etc/init.d/tor stop
 /etc/init.d/unbound restart


Now configure privoxy as a front-end to I2P. Add to the end of /etc/privoxy/config:
 accept-intercepted-requests 1
 forward / 127.0.0.1:4444
 listen-address 10.8.1.1:8118

and restart privoxy.

In the same way as in the case of TOR, change the DNS to the local one in the vpn-server configuration:

 push "dhcp-option DNS 10.8.1.1" 


If you have already tried the TOR redirect, do not forget to clean iptables:
 iptables -F
 iptables -t nat -F


It remains to perform the redirect:
 #!/bin/sh
 _trans_port="8118"
 _int_if="tun0"
 iptables -t nat -A PREROUTING -i $_int_if -p udp --dport 53 -j REDIRECT --to-ports 53
 iptables -t nat -A PREROUTING -i $_int_if -p tcp --syn -j REDIRECT --to-ports $_trans_port


Familiar, right? The only difference is the proxy port number.

Connect to the VPN. You are in I2P. Open epsilon.i2p and make sure the network works.

What's next?



Next, you need to make sure the three modes do not conflict. Instead of the single server /etc/openvpn/00-standard, make three: 00-standard for normal traffic, 01-tor for tor and 02-i2p for i2p. Give them different subnets (for example 10.8.2.* for tor and 10.8.3.* for i2p). After that tor and unbound will stop conflicting, and you can connect to any of the three simultaneously running networks.

In addition, now the client does not verify the server certificate. This can be corrected.
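The three-server layout from the previous paragraph, plus the server-certificate check mentioned above, as an added example (not the article's own files). It assumes the key paths from the article (/opt/vpn/rsa/keys, certificates built with build-key-server), a server address of 1.2.3.4, and a port/subnet table of my own (only port 1201 and subnet 10.8.1.0 come from the article; 1202/1203, tun1/tun2 and 10.8.2.0/10.8.3.0 are constructed). Each mode gets a fixed tun device so the iptables redirect for "tun1" or "tun2" always lands on the right network, and its own /24 so tor (TransListenAddress/DNSListenAddress 10.8.2.1) and unbound (interface: 10.8.3.1) no longer compete for one address and port 53; the generated client profile adds remote-cert-tls so the client stops accepting any certificate signed by our CA as "the server".

```shell
#!/bin/sh
# Added example (not the article's own files): generate the three openvpn
# server configs (standard / tor / i2p) and matching client profiles from
# one template, so the modes cannot collide on port, subnet or tun device.
# Assumptions (constructed for this example): keys in /opt/vpn/rsa/keys as in
# the article, server public IP 1.2.3.4, and the port/subnet table below
# (only 1201 and 10.8.1.0 come from the article; the rest are my choice).

KEYS=/opt/vpn/rsa/keys
LOG=/opt/vpn/log
SERVER_IP=1.2.3.4

# index name  port  tun   subnet    DNS pushed to clients
MODES='00 standard 1201 tun0 10.8.1.0 8.8.8.8
01 tor 1202 tun1 10.8.2.0 10.8.2.1
02 i2p 1203 tun2 10.8.3.0 10.8.3.1'

# gen_server NAME PORT TUN SUBNET DNS  -> server config on stdout.
# A fixed tun device per mode means the iptables redirect for "tun1" or
# "tun2" always hits the right network; a separate /24 per mode means tor
# (listening on 10.8.2.1) and unbound (interface: 10.8.3.1) no longer
# fight over one address and port 53.
gen_server() {
    name="$1"; port="$2"; tun="$3"; subnet="$4"; dns="$5"
    cat <<EOF
port $port
proto udp
dev $tun
ca $KEYS/ca.crt
cert $KEYS/server.crt
key $KEYS/server.key
dh $KEYS/dh1024.pem
server $subnet 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS $dns"
keepalive 10 120
comp-lzo
persist-key
persist-tun
log $LOG/server-$name.log
status $LOG/status-$name.log
verb 3
EOF
}

# gen_client PORT -> client profile on stdout; ca.crt, client.crt and
# client.key are expected next to the profile on the client machine.
# remote-cert-tls makes the client check that the server certificate was
# issued for the server role (which build-key-server does), so a client
# no longer accepts any certificate signed by our CA as "the server".
gen_client() {
    port="$1"
    cat <<EOF
client
dev tun
proto udp
remote $SERVER_IP $port
remote-cert-tls server
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
ca ca.crt
cert client.crt
key client.key
EOF
}

# gen_all OUTDIR -> writes NN-name.conf (server) and client-name.conf per mode.
gen_all() {
    out="$1"
    mkdir -p "$out"
    printf '%s\n' "$MODES" | while read -r idx name port tun subnet dns; do
        gen_server "$name" "$port" "$tun" "$subnet" "$dns" > "$out/$idx-$name.conf"
        gen_client "$port" > "$out/client-$name.conf"
    done
}

# Usage: sh gen-vpn-configs.sh /etc/openvpn   (then restart openvpn)
if [ -n "${1:-}" ]; then
    gen_all "$1"
fi
```

After generating the files, the torrc and unbound.conf listen addresses have to move from 10.8.1.1 to 10.8.2.1 and 10.8.3.1 respectively, and the redirect script is run once per interface (tun1 with port 9040, tun2 with port 8118); the standard server on tun0 keeps the plain MASQUERADE rule.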

You can also set up a virtual machine whose traffic is routed through the tun0 that goes via TOR, so that the guest does not even know about the VPN. And configure routing on the host of that VM so that without the VPN it has no connectivity at all.

I2P still needs a bandwidth limit. The VPN logs are not rotated. And there is no web front-end.

And also... I will definitely describe all of this in other articles. So, thank you for your attention!

Used sources


trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
grepular.com/Transparent_Access_to_Tor_Hidden_Services

Source: https://habr.com/ru/post/245435/

