LAN routing through transparent socks-proxy
It took the traffic from all home devices, including smartphones, through ssh tunnel.
I advise another way using tun2socks.
There was:
')
The laptop was far from the router (in another room) and used regularly, so I had to find a solution to route traffic using the built-in wireless interface (and without eth0).
Tools:
openssh-client is a standard ssh client for linux.
autossh - allows you to check the connection with the ssh server, and connect at break.
redsocks is a transparent socks proxy server.
isc-dhcp-server - dhcp server.
iptables - I think comments are superfluous.
So let's get started. First, let's raise a DHCP server on the laptop's wireless interface.
Installation:
Configure the desired interface:
You can find the name of the required interface with the command:
Assign DNS:
Next, configure the dhcp server itself:
It must contain a line indicating the required interface:
Daemon setting:
Let's run through the main parameters:
option domain-name-servers - DNS server addresses that clients will receive when they connect. In the case of a local DNS server (like mine), you must specify the interface address 192.168.1.100.
range - the range of assigned IP addresses.
option routers - this address will serve as a gateway for customers.
Configuration is complete, you need to restart the service with the command:
You can check the status with the command:
It remains only to configure the router to use our DHCP server, namely, switch the DHCP mode in the LAN settings to “Relay” and indicate there, the IP address of our DHCP server is 192.168.1.100.
Now all devices that connect to the access point of the router will receive network settings from the laptop's network interface, but you need to configure Internet access. I recall that the task is to traffic all devices, including a laptop wrapped in an ssh-tunnel. In my opinion, ssh tunnel is wiser to run as a service that will receive redsocks from the proxy server.
Install the necessary tools:
If we want to have a permanent ssh tunnel that is activated when the system boots, we need to create a systemd service and enable it. Since we will use autossh, it should be noted that the -f parameter (working in the background), which includes the AUTOSSH_GATETIME = 0 parameter, is not supported in systemd. Therefore, you must specify the use of the AUTOSSH_GATETIME = 0 parameter explicitly. Here is the basic configuration of the service:
We analyze the content:
After = network.target - Start the service if there is a network connection.
Environment = "AUTOSSH_GATETIME = 0" - this tells systemd to work with ssh in the background.
Separately, consider the ExecStart parameter:
Run autossh with the following parameters:
-M - monitoring port. With this parameter, autossh will continuously send requests to the server through the specified ports, if no response is received from the server, autossh reconnects. The specified monitoring port and the port order above (+1) must be free in the system. Since this makes such monitoring not practical, we disable this feature by setting the value to 0.
"- o ServerAliveInterval" and "-o ServerAliveCountMax" are two options that tell the ssh client to send requests to the server directly through the tunnel (what we need) to maintain the connection when it is not active. Also, if there is no response from the server, the connection will be considered broken and autossh will reconnect.
-N - do not send commands to the server.
-D 1080 - open dynamic port on localhost.
user @ server - here you should specify the user and the address (domain name) of the server.
-p 22 - specify the connection port.
Reboot the daemon:
We start the service:
Enable startup at boot time:
So, the DCHP server on the laptop’s wireless interface and a stable ssh tunnel in the system are running; all that remains is to wrap traffic from all devices on the local network into it. We do this with redsocks and iptables.
Installation:
Setup:
Editing section:
Save the config and reboot the service:
It remains, the last trick with the use of iptables. I propose to immediately create a script with the following content:
Now all requests from the local network, including the host, will be sent to the ssh tunnel.
I advise another way using tun2socks.
There was:
')
- TP-LINK router connected to the provider.
- smartphones and laptop connected to a wireless access point of the router.
The laptop was far from the router (in another room) and used regularly, so I had to find a solution to route traffic using the built-in wireless interface (and without eth0).
Tools:
openssh-client is a standard ssh client for linux.
autossh - allows you to check the connection with the ssh server, and connect at break.
redsocks is a transparent socks proxy server.
isc-dhcp-server - dhcp server.
iptables - I think comments are superfluous.
So let's get started. First, let's raise a DHCP server on the laptop's wireless interface.
Installation:
apt install isc-dhcp-server Configure the desired interface:
nano /etc/network/interfaces
# IP DHCP wlan0: auto wlan0 iface wlan0 inet static address 192.168.1.100 netmask 255.255.255.0 broadcast 192.168.1.255 gateway 192.168.1.1
You can find the name of the required interface with the command:
ip a
Assign DNS:
nano /etc/resolv.conf
# DNS Google: nameserver 8.8.8.8 nameserver 8.8.4.4 # ( DNS )
Next, configure the dhcp server itself:
nano /etc/default/isc-dhcp-server
It must contain a line indicating the required interface:
INTERFACESv4="wlan0"
Daemon setting:
nano /etc/dhcp/dhcpd.conf
option domain-name "mydebian"; # DNS Google ( DNS ): option domain-name-servers 8.8.8.8, 8.8.4.4; # : subnet 192.168.1.0 netmask 255.255.255.0 { range 192.168.1.101 192.168.1.254; option subnet-mask 255.255.255.0; option broadcast-address 192.168.1.255; option routers 192.168.1.100; option domain-name-servers home; } default-lease-time 600; max-lease-time 7200;
Let's run through the main parameters:
option domain-name-servers - DNS server addresses that clients will receive when they connect. In the case of a local DNS server (like mine), you must specify the interface address 192.168.1.100.
range - the range of assigned IP addresses.
option routers - this address will serve as a gateway for customers.
Configuration is complete, you need to restart the service with the command:
service isc-dhcp-server restart
You can check the status with the command:
service isc-dhcp-server status
It remains only to configure the router to use our DHCP server, namely, switch the DHCP mode in the LAN settings to “Relay” and indicate there, the IP address of our DHCP server is 192.168.1.100.
Now all devices that connect to the access point of the router will receive network settings from the laptop's network interface, but you need to configure Internet access. I recall that the task is to traffic all devices, including a laptop wrapped in an ssh-tunnel. In my opinion, ssh tunnel is wiser to run as a service that will receive redsocks from the proxy server.
Install the necessary tools:
apt install openssh-client autossh
If we want to have a permanent ssh tunnel that is activated when the system boots, we need to create a systemd service and enable it. Since we will use autossh, it should be noted that the -f parameter (working in the background), which includes the AUTOSSH_GATETIME = 0 parameter, is not supported in systemd. Therefore, you must specify the use of the AUTOSSH_GATETIME = 0 parameter explicitly. Here is the basic configuration of the service:
nano /etc/systemd/system/ssh-tunnel.service
[Unit] Description=AutoSSH tunnel on dynamic port 1080 After=network.target [Service] Environment="AUTOSSH_GATETIME=0" ExecStart=/usr/bin/autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -ND 1080 user@server -p 22 [Install] WantedBy=multi-user.target
We analyze the content:
After = network.target - Start the service if there is a network connection.
Environment = "AUTOSSH_GATETIME = 0" - this tells systemd to work with ssh in the background.
Separately, consider the ExecStart parameter:
/usr/bin/autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -ND 1080 user@server -p 22 -
Run autossh with the following parameters:
-M - monitoring port. With this parameter, autossh will continuously send requests to the server through the specified ports, if no response is received from the server, autossh reconnects. The specified monitoring port and the port order above (+1) must be free in the system. Since this makes such monitoring not practical, we disable this feature by setting the value to 0.
"- o ServerAliveInterval" and "-o ServerAliveCountMax" are two options that tell the ssh client to send requests to the server directly through the tunnel (what we need) to maintain the connection when it is not active. Also, if there is no response from the server, the connection will be considered broken and autossh will reconnect.
-N - do not send commands to the server.
-D 1080 - open dynamic port on localhost.
user @ server - here you should specify the user and the address (domain name) of the server.
-p 22 - specify the connection port.
Reboot the daemon:
systemctl daemon-reload
We start the service:
systemctl start ssh-tunnel
Enable startup at boot time:
systemctl enable ssh-tunnel
So, the DCHP server on the laptop’s wireless interface and a stable ssh tunnel in the system are running; all that remains is to wrap traffic from all devices on the local network into it. We do this with redsocks and iptables.
Installation:
apt install redsocks
Setup:
nano /etc/redsocks.conf
Editing section:
redsocks { /* */ local_ip = 0.0.0.0; local_port = 12345; // ssh . ip = 127.0.0.1; port = 1080; }
Save the config and reboot the service:
service redsocks restart
It remains, the last trick with the use of iptables. I propose to immediately create a script with the following content:
#!/bin/bash iptables -t nat -N REDSOCKS # iptables -t nat -A REDSOCKS -d 192.168.1.1 -j RETURN # -, 192.168.0.0/24, . iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345 # . iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner user -j REDSOCKS # "user". iptables -t nat -A PREROUTING --in-interface wlan0 -p tcp -j REDSOCKS # wlan0.
Now all requests from the local network, including the host, will be sent to the ssh tunnel.
Source: https://habr.com/ru/post/345418/
All Articles