TOR VPN router based on Raspberry

Mutt

This device lets you connect any PC or smartphone behind it, wrap its traffic first in a VPN tunnel, then carry that tunnel over Tor, obfuscate the Tor connection with obfsproxy, and terminate the tunnel on a remote VPN server.

What you need:
1) Any single-board computer. In my case a Raspberry Pi Model B+.
2) Raspbian OS.
3) A micro SD card.
4) A card reader.
5) A wireless adapter or a USB-to-Ethernet adapter.
6) A remote OpenVPN server.

Connection diagrams

eth-eth (figure: wired client, wired uplink)

wlan-eth (figure: wireless clients, wired uplink)

wlan-wlan (figure: wireless clients, wireless uplink)

eth-wlan (figure: wired client, wireless uplink)


Designations
1. SBC - single board computer;
2. CR - the device through which the Internet is reached. It does not have to be connected directly to an SBC port;
3. PC - any computer (or mobile device) connected to the SBC;
4. VPN server - the target VPN server;
5. Input interface - the physical interface on which client traffic arrives;
6. Egress interface - the physical interface through which traffic leaves for the Internet.

Assumptions
This article covers the case where the uplink gets its parameters via DHCP or is configured statically. With L2TP, PPPoE or similar uplinks the setup differs. We also assume that, for convenience, the VPN server acts as a DNS relay, so the clients use it as their resolver.

System installation and connection
The official Raspbian site has very detailed instructions for writing the image to a card on Linux, Mac OS and Windows, so I won't clutter the article with that. Use a card of at least 16 GB.

There are several ways to connect to the board after writing the image and powering it on:
1. If you have a screen, monitor or TV with an HDMI input, it is enough to connect it over HDMI;
2. If there is no screen but the physical interface gets its parameters via DHCP, you can scan the network with nmap from another computer and connect via ssh (user pi, password raspberry; change it at the first login);
3. If there is no DHCP, you can edit the file /etc/network/interfaces and set the addresses there manually.

Forwarding traffic
For traffic to be forwarded from one interface to another, the corresponding Linux kernel parameter must be enabled. This can be done with the command:
Code:
sysctl -w net.ipv4.ip_forward=1
or
echo 1 > /proc/sys/net/ipv4/ip_forward

To check, you can use the command:
Code:
cat /proc/sys/net/ipv4/ip_forward

It should return "1". Both commands change the running kernel only; to keep forwarding enabled across reboots, set net.ipv4.ip_forward=1 in /etc/sysctl.conf.

iptables
So that the client addresses do not have to be routed on the server side, enable masquerading (source NAT) for the client network on the tunnel interface:
Code:
iptables -t nat -A POSTROUTING -s 10.5.5.0/24 -o tun0 -j MASQUERADE

The alternative is to give the client a static address and add static routes for 10.5.5.0/24 on the server, or to use the server's client-config-dir (ccd) for per-client routes. Note that iptables rules, like the sysctl above, are lost on reboot.
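The single MASQUERADE rule above is all the text needs, but on its own it leaves the forwarding path open: if tun0 goes down, the original default route via the uplink would carry client packets straight out of the Pi (unmasqueraded, but still revealing whom the clients are talking to). The ruleset below is an added example, not from the original post, in iptables-save format. It assumes clients on wlan0 as 10.5.5.0/24, the uplink on eth0 and the tunnel on tun0; it keeps the MASQUERADE rule, adds a fail-closed FORWARD policy and clamps the TCP MSS of forwarded connections, which is the workaround for the MTU pitfall mentioned in the conclusion.

```conf
# /etc/iptables.rules (added example; assumptions: clients on wlan0 as 10.5.5.0/24,
# uplink on eth0, OpenVPN on tun0). Load with: iptables-restore < /etc/iptables.rules
*mangle
:PREROUTING ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Clamp the MSS of forwarded TCP connections to the path MTU of the outgoing route
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# The rule from the text: hide the client network behind the tunnel address
-A POSTROUTING -s 10.5.5.0/24 -o tun0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
# Fail closed: nothing is forwarded unless a rule below allows it
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Client traffic may leave only through the tunnel ...
-A FORWARD -i wlan0 -o tun0 -s 10.5.5.0/24 -j ACCEPT
# ... and only replies come back. With tun0 down the clients get nothing,
# rather than a direct path out through eth0.
-A FORWARD -i tun0 -o wlan0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
```

The rules are not persistent; load them at boot, for example with the iptables-persistent package or a `pre-up iptables-restore < /etc/iptables.rules` line in the eth0 stanza of /etc/network/interfaces. OUTPUT is deliberately left open so that Tor itself can reach the bridges and an NTP client can set the clock; if the Pi's own processes should be confined as well, an `-m owner --uid-owner debian-tor` rule on OUTPUT is the usual building block for that.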

Installing packages
Update the package lists and install upgrades:
Code:
sudo apt-get update
sudo apt-get upgrade

Install from the repositories:
Code:
sudo apt-get install python2.7 python-pip python-dev build-essential tor openvpn obfsproxy

(obfsproxy is a Python 2 program; python-pip, python-dev and build-essential are only needed if you install it with pip instead of from the repository.) If you want the access-point scheme, install hostapd and a DHCP server as well:
Code:
sudo apt-get install hostapd isc-dhcp-server

Any other DHCP server can be used instead of isc-dhcp-server. The repositories often carry older versions than the current releases, so you can build the packages from source, but if you need a quick solution, installing from the repository will do.

Setting up a network connection
Eth-eth scheme:
This option is the simplest. On the physical interface of the Raspberry Pi to which the PC connects it is enough to configure a static address (10.5.5.1/24 in the examples below), and to set the parameters manually on the PC; alternatively, isc-dhcp-server can hand them out. On a Linux client the initial configuration is just:
Code:
ip a add 10.5.5.2/24 dev <interface>
ip route add default via 10.5.5.1

And add an entry to /etc/resolv.conf (10.8.0.1 is the VPN server's address inside the tunnel, assuming the default 10.8.0.0/24 OpenVPN server subnet; it is reachable only once the tunnel is up):
Code:
nameserver 10.8.0.1

Wlan-eth scheme:
In this scheme the input interface is the wireless interface operating in access-point mode. Instead of a full access point you can also configure ad-hoc mode.

To set up a Wi-Fi access point with DHCP I used the combination of hostapd and isc-dhcp-server, but this particular combination is not required. Habr has several very detailed articles on setting up the various options in Linux.

Here is an example of my settings (hostapd does not accept a comment after a value on the same line, so the explanations sit on their own lines):
Code:
/etc/hostapd/hostapd.conf

# Interface on which the access point runs
interface=wlan0
# Driver: rtl871xdrv is the Realtek out-of-tree driver; use nl80211 with mainline drivers
driver=rtl871xdrv
# Access point name
ssid=AP
# 802.11g, 2.4 GHz band, channel 6
hw_mode=g
channel=6
# Do not filter clients by MAC address
macaddr_acl=0
# Open System authentication (1 = no WEP shared-key auth); WPA itself is enabled by wpa= below
auth_algs=1
# WPA2 (RSN) only
wpa=2
# Pre-shared key: replace this default with a long random passphrase
wpa_passphrase=raspberry
wpa_key_mgmt=WPA-PSK
# wpa_pairwise applies to WPA1 and is ignored with wpa=2; rsn_pairwise is what WPA2
# clients get, so keep it at CCMP (AES) and do not add TKIP there
wpa_pairwise=TKIP
rsn_pairwise=CCMP

/etc/dhcp/dhcpd.conf

# Subnet served by this DHCP server
subnet 10.5.5.0 netmask 255.255.255.0 {
  range 10.5.5.2 10.5.5.4;                 # Address pool
  option broadcast-address 10.5.5.255;     # Broadcast address
  option routers 10.5.5.1;                 # Default gateway (the Pi)
  default-lease-time 600;                  # Default lease time, seconds
  max-lease-time 7200;                     # Maximum lease time, seconds
  option domain-name "local";              # Domain name
  option domain-name-servers 10.8.0.1;     # DNS server: the VPN server inside the tunnel
}

It should be noted right away that some may run into problems with drivers and with the wireless card operating in access-point mode; it is better to ask about such things in advance. I had this problem with one of my cards when using the hostapd from the repository; it was solved by patching hostapd.
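The text does not show how wlan0 gets the 10.5.5.1 address that dhcpd hands out as the gateway, nor how hostapd and isc-dhcp-server find their configuration file and interface. The fragments below are an added example, not from the original post, for the ifupdown-based Raspbian of that time; INTERFACES is the older variable name, newer isc-dhcp-server packages read INTERFACESv4 instead.

```conf
# /etc/network/interfaces: static address for the access-point side.
# The uplink interface (eth0 here, an assumption) keeps its DHCP stanza.
allow-hotplug wlan0
iface wlan0 inet static
    address 10.5.5.1
    netmask 255.255.255.0

# /etc/default/hostapd: tell the init script which config file to load
DAEMON_CONF="/etc/hostapd/hostapd.conf"

# /etc/default/isc-dhcp-server: serve DHCP only on the access-point interface,
# never on the uplink (INTERFACESv4 on newer packages)
INTERFACES="wlan0"
```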

Wlan-wlan scheme:
The input-interface part is no different from the previous scheme. The output interface must be connected to the upstream access point. Connection example using the nmcli utility (newer NetworkManager releases spell the last keyword ifname instead of iface):
Code:
nmcli d wifi connect <point SSID> password <password> iface <interface>

Eth-wlan scheme:
The input interface is configured as in the eth-eth scheme, and the output interface as in wlan-wlan.

Tor + obfsproxy
To make the connection to the Tor network harder to recognise, Tor is pointed at obfs3 bridges and the obfsproxy pluggable transport wraps the traffic to them. obfs3 is what obfsproxy speaks; it has since been superseded by obfs4 (obfs4proxy), which uses the same ClientTransportPlugin and Bridge lines.

Here is an example of the Tor configuration. The router is a Tor client only, so the relay directives BridgeRelay, ORPort, ExitPolicy and ServerTransportPlugin have no place in it; their client-side counterparts are UseBridges, ClientTransportPlugin and Bridge:
Code:
/etc/tor/torrc

# SOCKS port that OpenVPN will connect through
SocksPort 9050
RunAsDaemon 1
# DNS resolver over Tor for processes on the Pi itself (clients resolve via the VPN server)
DNSPort 127.0.0.1:53
# Map .onion names to addresses from this range when resolved through the DNSPort
VirtualAddrNetwork 172.16.0.0/12
AutomapHostsOnResolve 1
# Enter the Tor network through obfs3 bridges instead of public guard relays
UseBridges 1
ClientTransportPlugin obfs3 exec /usr/bin/obfsproxy managed
# One line per bridge: transport, address:port, fingerprint
Bridge obfs3 <address1>:<port1> <fingerprint1>
Bridge obfs3 <address2>:<port2> <fingerprint2>
Bridge obfs3 <address3>:<port3> <fingerprint3>

Bridge lines (address, port and fingerprint) are handed out by the Tor Project's bridge distributor, BridgeDB, at https://bridges.torproject.org.

OpenVPN
To build the VPN we use OpenVPN over TCP in L3 mode (a tun interface; tap would be L2). TCP is used because Tor carries only TCP streams; inside the tunnel any protocol can be used. To send the VPN session through Tor, OpenVPN is told to connect via a SOCKS proxy, which is exactly what Tor's SocksPort provides.

Here is an example of the OpenVPN client configuration with comments:
Code:
/etc/openvpn/client.conf

# Act as a client: pull routes and options pushed by the server (implies tls-client and pull)
client
# L3 tunnel interface
dev tun
# TCP transport: Tor does not carry UDP
proto tcp
# Connect through the local Tor SOCKS port; keep retrying if Tor is not ready yet
# (newer OpenVPN versions retry by default and no longer need socks-proxy-retry)
socks-proxy 127.0.0.1 9050
socks-proxy-retry
# External address and port of the OpenVPN server, or of the device that forwards to it.
# 1.1.1.1 is a placeholder; 443 is chosen so that the stream looks like HTTPS to an observer.
remote 1.1.1.1 443
# Keep retrying name resolution until it succeeds
resolv-retry infinite
# CA certificate that signed the server certificate, client certificate, client private key
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client.crt
key /etc/openvpn/keys/client.key
tls-client
# HMAC key for the control channel; direction 1 on the client, 0 on the server
tls-auth /etc/openvpn/keys/ta.key 1
# Data-channel HMAC and cipher; both must match the server. On current versions
# prefer an AEAD cipher such as AES-256-GCM.
auth SHA1
cipher AES-128-CBC

There are plenty of guides to setting up the server side. What matters is that the parameters match on both sides and that the server config contains the line push "redirect-gateway def1", which makes the client install a default route into the tunnel. Two points to check on the client: add remote-cert-tls server so that only a certificate issued as a server certificate is accepted as the server (any client certificate from the same CA would otherwise do), and keep Tor's own connections to the bridges on the physical uplink after the default route moves into the tunnel, for example with a route <bridge-address> 255.255.255.255 net_gateway line per bridge.
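Both configurations above carry invariants the design depends on: the torrc must stay client-only and actually use the bridges, and the client.conf must use TCP, go through the local SOCKS port and authenticate the server. The script below is an added example, not from the original post: it parses both files offline and reports violations of those invariants. The sample configs embedded in it are constructed; the bad torrc deliberately repeats the relay directives that tend to be copied in from a bridge's config. A practitioner would run it against /etc/tor/torrc and /etc/openvpn/client.conf.

```python
"""Added example, not from the original post: offline sanity checks for the
client-only torrc and the OpenVPN client.conf. Sample configs are constructed."""

# Directives that turn Tor into a relay or bridge; none belongs in a client torrc.
RELAY_DIRECTIVES = {"bridgerelay", "orport", "dirport", "exitpolicy",
                    "servertransportplugin"}
# OpenVPN data-channel ciphers that give no real protection.
WEAK_CIPHERS = {"none", "bf-cbc", "des-cbc", "des-ede-cbc", "rc2-cbc"}

def parse_directives(text):
    """[(key_lowercase, value)] for 'Key value...' lines; '#'/';' comments skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()           # drop a trailing comment
        if not line or line[0] in "#;":
            continue
        parts = line.split(None, 1)
        entries.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return entries

def check_torrc(text):
    """Findings for a torrc that should be a pure client using bridges; [] is clean."""
    entries = parse_directives(text)
    keys = {k for k, _ in entries}
    findings = ["relay directive in client config: %s" % k
                for k in sorted(keys & RELAY_DIRECTIVES)]
    # 'Bridge [transport] addr:port [fingerprint]': a first token without ':'
    # names a transport that needs a matching ClientTransportPlugin line.
    bridges = [v.split() for k, v in entries if k == "bridge" and v]
    transports = {b[0].lower() for b in bridges if ":" not in b[0]}
    plugins = {t for k, v in entries if k == "clienttransportplugin" and v
               for t in v.split()[0].lower().split(",")}
    if bridges and ("usebridges", "1") not in entries:
        findings.append("Bridge lines present but 'UseBridges 1' is missing")
    for t in sorted(transports - plugins):
        findings.append("no ClientTransportPlugin for transport %s" % t)
    if "socksport" not in keys:
        findings.append("no SocksPort: OpenVPN has nothing to connect to")
    return findings

def check_openvpn_client(text):
    """Findings for a client.conf meant to ride on the local Tor SOCKS port; [] is clean."""
    entries = parse_directives(text)
    keys = {k for k, _ in entries}
    last = dict(entries)                               # last occurrence wins
    findings = []
    if not last.get("proto", "udp").lower().startswith("tcp"):
        findings.append("proto is not TCP: Tor carries TCP streams only")
    proxy = last.get("socks-proxy", "").split()
    if not proxy:
        findings.append("no socks-proxy: the tunnel would bypass Tor entirely")
    elif proxy[0] not in ("127.0.0.1", "localhost"):
        findings.append("socks-proxy %s is not the local Tor instance" % proxy[0])
    if not last.get("dev", "").startswith("tun"):
        findings.append("dev is not tun: the design expects an L3 tunnel")
    if not keys & {"tls-auth", "tls-crypt"}:
        findings.append("no tls-auth/tls-crypt: control channel lacks the HMAC wrapper")
    if "remote-cert-tls" not in keys:
        findings.append("no 'remote-cert-tls server': any cert from the CA could pose as the server")
    if last.get("cipher", "").lower() in WEAK_CIPHERS:
        findings.append("weak data-channel cipher: %s" % last["cipher"])
    return findings

# Constructed samples: BAD_TORRC drags relay directives along from a copied bridge
# config; BAD_OVPN is a client that would bypass Tor and trust any CA-signed cert.
BAD_TORRC = """\
SocksPort 9050
BridgeRelay 1
ExitPolicy reject *:*
ServerTransportPlugin obfs3 exec /usr/bin/obfsproxy managed
Bridge obfs3 192.0.2.10:443 0123456789ABCDEF0123456789ABCDEF01234567
"""
GOOD_TORRC = """\
SocksPort 9050
UseBridges 1
ClientTransportPlugin obfs3 exec /usr/bin/obfsproxy managed
Bridge obfs3 192.0.2.10:443 0123456789ABCDEF0123456789ABCDEF01234567
"""
BAD_OVPN = """\
client
dev tap
proto udp
cipher BF-CBC
"""
GOOD_OVPN = """\
client
dev tun
proto tcp
socks-proxy 127.0.0.1 9050
remote 192.0.2.1 443
tls-auth /etc/openvpn/keys/ta.key 1
remote-cert-tls server
cipher AES-128-CBC
"""

if __name__ == "__main__":
    for cfg, fn in ((BAD_TORRC, check_torrc), (GOOD_TORRC, check_torrc),
                    (BAD_OVPN, check_openvpn_client), (GOOD_OVPN, check_openvpn_client)):
        print(fn(cfg) or "ok")
```

The checks are deliberately conservative: they only look at directives the text discusses (relay versus client directives, proto, socks-proxy, dev, tls-auth, cipher) plus remote-cert-tls, and say nothing about the server side; an empty list means the file satisfies the invariants, not that the setup is anonymous.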

Conclusion
Potential pitfalls:
  1. Time synchronisation. Tor checks the timestamps on the consensus and on certificates, so the clock must be correct. The Raspberry Pi has no battery-backed real-time clock, so the time is lost every time the board is powered off; run an NTP client (ntp or systemd-timesyncd) so that the clock is corrected at boot, before Tor starts. The fake-hwclock package only restores the time saved at the last shutdown.
  2. MTU size. With the DF bit set on outgoing packets, traffic is silently "cut off" if fragmentation is prohibited somewhere on the path and the MTU there is smaller than yours. Clamping the TCP MSS on forwarded traffic (iptables TCPMSS) or lowering OpenVPN's mssfix/tun-mtu works around it.
  3. VPN over Tor with obfsproxy is not a cure-all. The VPN server is the effective exit: it sees all client traffic, in the clear wherever the application protocol is not encrypted, and can log it. What it does not learn is the client's real address, and the ISP sees only an obfuscated connection to a bridge.