⬆️ ⬇️

LAN routing through transparent socks-proxy

It took the traffic from all home devices, including smartphones, through ssh tunnel.



I advise another way using tun2socks.



There was:

')



The laptop was far from the router (in another room) and used regularly, so I had to find a solution to route traffic using the built-in wireless interface (and without eth0).



Tools:



openssh-client is a standard ssh client for linux.

autossh - allows you to check the connection with the ssh server, and connect at break.

redsocks is a transparent socks proxy server.

isc-dhcp-server - dhcp server.

iptables - I think comments are superfluous.



So let's get started. First, let's raise a DHCP server on the laptop's wireless interface.



Installation:



apt install isc-dhcp-server 


Configure the desired interface:



 nano /etc/network/interfaces 


 #   IP   DHCP   wlan0: auto wlan0 iface wlan0 inet static address 192.168.1.100 netmask 255.255.255.0 broadcast 192.168.1.255 gateway 192.168.1.1 


You can find the name of the required interface with the command:



 ip a 


Assign DNS:



 nano /etc/resolv.conf 


 #  DNS  Google: nameserver 8.8.8.8 nameserver 8.8.4.4 # ( DNS  ) 


Next, configure the dhcp server itself:



 nano /etc/default/isc-dhcp-server 


It must contain a line indicating the required interface:



 INTERFACESv4="wlan0" 


Daemon setting:



 nano /etc/dhcp/dhcpd.conf 


 option domain-name "mydebian"; #  DNS  Google ( DNS  ): option domain-name-servers 8.8.8.8, 8.8.4.4; #  : subnet 192.168.1.0 netmask 255.255.255.0 { range 192.168.1.101 192.168.1.254; option subnet-mask 255.255.255.0; option broadcast-address 192.168.1.255; option routers 192.168.1.100; option domain-name-servers home; } default-lease-time 600; max-lease-time 7200; 


Let's run through the main parameters:



option domain-name-servers - DNS server addresses that clients will receive when they connect. In the case of a local DNS server (like mine), you must specify the interface address 192.168.1.100.



range - the range of assigned IP addresses.



option routers - this address will serve as a gateway for customers.



Configuration is complete, you need to restart the service with the command:



 service isc-dhcp-server restart 


You can check the status with the command:



 service isc-dhcp-server status 




It remains only to configure the router to use our DHCP server, namely, switch the DHCP mode in the LAN settings to “Relay” and indicate there, the IP address of our DHCP server is 192.168.1.100.



Now all devices that connect to the access point of the router will receive network settings from the laptop's network interface, but you need to configure Internet access. I recall that the task is to traffic all devices, including a laptop wrapped in an ssh-tunnel. In my opinion, ssh tunnel is wiser to run as a service that will receive redsocks from the proxy server.



Install the necessary tools:



 apt install openssh-client autossh 


If we want to have a permanent ssh tunnel that is activated when the system boots, we need to create a systemd service and enable it. Since we will use autossh, it should be noted that the -f parameter (working in the background), which includes the AUTOSSH_GATETIME = 0 parameter, is not supported in systemd. Therefore, you must specify the use of the AUTOSSH_GATETIME = 0 parameter explicitly. Here is the basic configuration of the service:



 nano /etc/systemd/system/ssh-tunnel.service 


 [Unit] Description=AutoSSH tunnel on dynamic port 1080 After=network.target [Service] Environment="AUTOSSH_GATETIME=0" ExecStart=/usr/bin/autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -ND 1080 user@server -p 22 [Install] WantedBy=multi-user.target 


We analyze the content:



After = network.target - Start the service if there is a network connection.

Environment = "AUTOSSH_GATETIME = 0" - this tells systemd to work with ssh in the background.



Separately, consider the ExecStart parameter:



  /usr/bin/autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -ND 1080 user@server -p 22 - 


Run autossh with the following parameters:



-M - monitoring port. With this parameter, autossh will continuously send requests to the server through the specified ports, if no response is received from the server, autossh reconnects. The specified monitoring port and the port order above (+1) must be free in the system. Since this makes such monitoring not practical, we disable this feature by setting the value to 0.



"- o ServerAliveInterval" and "-o ServerAliveCountMax" are two options that tell the ssh client to send requests to the server directly through the tunnel (what we need) to maintain the connection when it is not active. Also, if there is no response from the server, the connection will be considered broken and autossh will reconnect.



-N - do not send commands to the server.

-D 1080 - open dynamic port on localhost.

user @ server - here you should specify the user and the address (domain name) of the server.

-p 22 - specify the connection port.



Reboot the daemon:



 systemctl daemon-reload 


We start the service:



 systemctl start ssh-tunnel 


Enable startup at boot time:



 systemctl enable ssh-tunnel 


So, the DCHP server on the laptop’s wireless interface and a stable ssh tunnel in the system are running; all that remains is to wrap traffic from all devices on the local network into it. We do this with redsocks and iptables.



Installation:



 apt install redsocks 


Setup:



 nano /etc/redsocks.conf 


Editing section:



 redsocks { /*       */ local_ip = 0.0.0.0; local_port = 12345; //    ssh . ip = 127.0.0.1; port = 1080; } 


Save the config and reboot the service:



 service redsocks restart 


It remains, the last trick with the use of iptables. I propose to immediately create a script with the following content:



 #!/bin/bash iptables -t nat -N REDSOCKS #    iptables -t nat -A REDSOCKS -d 192.168.1.1 -j RETURN #    -,  192.168.0.0/24,    . iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345 #     . iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner user -j REDSOCKS #     "user". iptables -t nat -A PREROUTING --in-interface wlan0 -p tcp -j REDSOCKS #       wlan0. 


Now all requests from the local network, including the host, will be sent to the ssh tunnel.

Source: https://habr.com/ru/post/345418/



All Articles