
Routing in socks. Another way

Consider another way to route a local network through a socks proxy. Unlike the previous method with "redsocks", this one routes at the network layer (layer 3 of the OSI model), using the "badvpn-tun2socks" package. This article covers building such a router on Debian stretch and keeping it running permanently.

Before describing the system configuration, here is a link to the badvpn sources (someone may need it).

So, after downloading and building the package, I suggest creating a systemd service right away with the following content (the ExecStart path is a placeholder; point it at wherever the built binary ended up):

  cat /etc/systemd/system/tun2socks.service
  [Unit]
  Description=Start tun2socks

  [Service]
  # replace /path/to with the directory containing the built badvpn-tun2socks binary
  ExecStart=/path/to/badvpn-tun2socks --tundev tun0 --netif-ipaddr 10.0.0.2 --netif-netmask 255.255.255.0 --socks-server-addr 127.0.0.1:1080

  [Install]
  WantedBy=multi-user.target

Here, the launch option "--socks-server-addr 127.0.0.1:1080" gives the address of the socks proxy server to which "tun2socks" will send requests (for example, the ssh tunnel from the previous method).

The parameters "--netif-ipaddr 10.0.0.2" and "--netif-netmask 255.255.255.0" create the "tun2socks router" with the address 10.0.0.2, which receives the requests arriving from the virtual interface given by the parameter "--tundev tun0".
For clarity, here is a simple diagram:

  +----------+    +-----------+   +----------------+      +------------+
  |   tun0   |____| tun2socks |___|     socks      |______| ssh-server |
  | 10.0.0.1 |    | 10.0.0.2  |   | 127.0.0.1:1080 |      | *public ip*|
  +----------+    +-----------+   +----------------+      +------------+
       |
  +----------+    +-----------+   +----------------+
  |   NAT    |____|  dhcpd/   |___|      LAN       |
  | iptables |    |  wlp6s0   |   | 192.168.1.0/24 |
  +----------+    +-----------+   +----------------+

"tun0" is a virtual interface that has to be configured on the system; requests from the local network and from the host itself will arrive at it. Let's configure it the standard Debian way, in /etc/network/interfaces:

  cat /etc/network/interfaces
  auto lo
  auto wlp6s0
  auto tun0

  # physical (wireless) interface towards the LAN and the real gateway
  iface wlp6s0 inet static
      address 192.168.1.2
      netmask 255.255.255.0
      gateway 192.168.1.1
      wpa-driver wext
      wpa-conf /etc/wpa_supplicant.conf
      # stop tun2socks before the interface goes down
      pre-down systemctl stop tun2socks
      # remove the virtual interface
      pre-down ip tuntap del dev tun0 mode tun
      # create the virtual interface
      pre-up ip tuntap add dev tun0 mode tun user root
      # start tun2socks
      pre-up systemctl start tun2socks &

  # virtual interface that hands traffic to tun2socks
  iface tun0 inet manual
      # assign the ip address to tun0
      pre-up ip addr add dev tun0 10.0.0.1/24
      # keep the DNS server reachable via the real gateway
      up ip route add <dns-server-ip-address> via 192.168.1.1
      # keep the SSH server (the socks endpoint) reachable via the real gateway
      up ip route add <ssh-server-ip-address> via 192.168.1.1
      # drop the old default route
      up ip route del default
      # send everything else to tun2socks
      up ip route add default via 10.0.0.2

As you can see from the listing, the "wlp6s0" stanza controls the state of the "tun2socks" service created earlier. This is done because the running "tun2socks" service is bound to the virtual interface "tun0": the virtual interface cannot be deleted without first stopping the service, and leaving it in place would break the normal initialization of the network interfaces at boot.

Pay attention to the lines "up ip route add <dns-server-ip-address> via 192.168.1.1" and "up ip route add <ssh-server-ip-address> via 192.168.1.1". In them, replace "<dns-server-ip-address>" and "<ssh-server-ip-address>" with the IP addresses of the DNS and SSH servers you use, and replace the IP address "192.168.1.1" with your current default gateway.

It is also worth enabling packet forwarding in the kernel, in the /etc/sysctl.conf file:

  net.ipv4.ip_forward=1

And apply the change with the command:

  sysctl -p /etc/sysctl.conf

This completes the tun2socks configuration. After restarting the networking service, all outgoing TCP traffic from the host will be sent through the socks proxy server. The next and final step is routing the local network using the dhcp server, whose installation and configuration I covered in the previous method, together with the NAT configuration using iptables.

Create a file with the following content:

  cat /etc/iptables.test.rules
  *filter
  -A FORWARD -i tun0 -o wlp6s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -i wlp6s0 -o tun0 -j ACCEPT
  COMMIT
  *nat
  -A POSTROUTING -o tun0 -j MASQUERADE
  COMMIT

If necessary, change the interface names to match your system, then load the rules with the command:

  iptables-restore < /etc/iptables.test.rules 

Check that it works from the local network and, if everything is fine, save the rules:

  iptables-save > /etc/iptables.rules 

Add a script that restores them whenever an interface is brought up:

  cat /etc/network/if-pre-up.d/iptables
  #!/bin/sh
  iptables-restore < /etc/iptables.rules

And make it executable:

 chmod +x /etc/network/if-pre-up.d/iptables 
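As an added check (example script, not part of the original article), the following POSIX shell function verifies the routing table that the configuration above should produce: the default route must go via tun2socks, while the SSH server carrying the socks tunnel and the DNS server must keep host routes via the physical gateway. The SSH and DNS server addresses in it are placeholders; the sample route listings are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check the routing
# table of the tun2socks router. It reads "ip route show" output and verifies
# the invariants the configuration above relies on: the default route goes via
# tun2socks on tun0, while the SSH server carrying the socks tunnel and the DNS
# server keep host routes via the physical gateway (without the SSH host route
# the tunnel's own packets would be routed into tun0, i.e. into itself).
# SSH_SERVER and DNS_SERVER are placeholder addresses; substitute your own.

SSH_SERVER="${SSH_SERVER:-203.0.113.10}"   # placeholder
DNS_SERVER="${DNS_SERVER:-198.51.100.53}"  # placeholder
PHYS_GW="${PHYS_GW:-192.168.1.1}"          # real default gateway
TUN_GW="${TUN_GW:-10.0.0.2}"               # tun2socks --netif-ipaddr

# check_routes: reads an "ip route show" listing on stdin, reports each
# missing route, returns 0 when all invariants hold and 1 otherwise.
check_routes() {
    routes=$(cat)
    rc=0
    if ! printf '%s\n' "$routes" | grep -q -- "^default via $TUN_GW "; then
        echo "default route does not go via $TUN_GW"; rc=1
    fi
    if ! printf '%s\n' "$routes" | grep -q -- "^$SSH_SERVER via $PHYS_GW "; then
        echo "ssh server $SSH_SERVER has no host route via $PHYS_GW (loop)"; rc=1
    fi
    if ! printf '%s\n' "$routes" | grep -q -- "^$DNS_SERVER via $PHYS_GW "; then
        echo "dns server $DNS_SERVER has no host route via $PHYS_GW"; rc=1
    fi
    return $rc
}

# Constructed sample of what the kernel prints after "ifup tun0" with the
# interfaces stanza above (placeholder addresses).
SAMPLE_GOOD='default via 10.0.0.2 dev tun0
10.0.0.0/24 dev tun0 proto kernel scope link src 10.0.0.1
192.168.1.0/24 dev wlp6s0 proto kernel scope link src 192.168.1.2
198.51.100.53 via 192.168.1.1 dev wlp6s0
203.0.113.10 via 192.168.1.1 dev wlp6s0'

# Same table with the SSH host route forgotten: the tunnel never comes up.
SAMPLE_LOOP='default via 10.0.0.2 dev tun0
10.0.0.0/24 dev tun0 proto kernel scope link src 10.0.0.1
192.168.1.0/24 dev wlp6s0 proto kernel scope link src 192.168.1.2
198.51.100.53 via 192.168.1.1 dev wlp6s0'

# Live run on the router:  ip route show | sh check_routes.sh live
if [ "${1:-}" = "live" ]; then check_routes; fi
```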

Now these rules will be applied at boot, and you have a Debian-based router at your disposal, well suited for circumventing censorship and/or securing LAN connections.

Source: https://habr.com/ru/post/347168/
