Tun2socks: Difference between revisions

From miki
Jump to navigation Jump to search
 
Line 20: Line 20:
make
make
sudo cp tun2socks/badvpn-tun2socks /usr/local/bin
sudo cp tun2socks/badvpn-tun2socks /usr/local/bin
sudo cp udpgw/badvpn-tun2socks /usr/local/bin
sudo cp udpgw/badvpn-udpgw /usr/local/bin
</source>
</source>



Latest revision as of 09:07, 8 March 2019

Using badvpn-tun2socks, one can setup a virtual tun0 interface connected to SOCKS proxy (e.g. SSH) and through which we will route all internet packets. This way we can setup a transparent SOCKS proxy without the need to configure applications (for instance, it is no longer needed to define http_proxy or proxy settings in these applications).

Related

Build badvpn - tun2socks and badvpn - udpgw

We follow badvpn-tun2socks wiki:

# Install dependencies and clone repository
sudo apt install cmake
git clone https://github.com/ambrop72/badvpn.git
cd badvpn


mkdir badvpn-build
cd badvpn-build
cmake /path/to/badvpn -DBUILD_NOTHING_BY_DEFAULT=1 -DBUILD_TUN2SOCKS=1 -DBUILD_UDPGW=1
make
sudo cp tun2socks/badvpn-tun2socks /usr/local/bin
sudo cp udpgw/badvpn-udpgw /usr/local/bin
Start SSH SOCKS proxy

See SSH. The proxy must run on 127.0.0.1:1080. Typically the command is something like:

ssh -N -n -f -D 127.0.0.1:1080 SSH_SERVER

Create tun0 interface and start badvpn-tun2socks

We follow the wiki. See also issue #50:

ip tuntap add dev tun0 mode tun user BADVPN_USER
ip addr add 10.0.0.1/24 dev tun0 
ip link set tun0 up
su BADVPN_USER -c "setsid badvpn-tun2socks --logger syslog --loglevel warning --tundev tun0 --netif-ipaddr 10.0.0.2 --netif-netmask 255.255.255.0 --socks-server-addr 127.0.0.1:1080"
route add SSH_SERVER gw DEFAULT_GW metric 5

This configuration can be done once for all at boot.

Create the route and set gateway

On a laptop, the route configuration will depend on the network to which the laptop is configured. We must:

  • Add a route to the SSH server through the existing gateway, with a lower metric than the original default route.
  • If the DNS servers are in the Internet (rather than in local network), also add routes for them (like for the SSH server). This is needed because tun2socks does not forward UDP by default (see below)
  • Add default route through the virtual router in the TUN device, with a lower metric than the original default route, but higher than the SSH and DNS routes.
route add SSH_SERVER gw DEFAULT_GW metric 5
# If DNS server not on local network: route add DNS_SERVER gw DEFAULT_GW metric 5
# to collect DNS server ip: nmcli device show eth0 | grep DNS
route add default gw 10.0.10.2 metric 6

UDP forwarding

tun2socks can forward UDP, however this requires a daemon, badvpn-udpgw to run on the remote SSH server. To enable UDP forwarding:

  • On the remote SSH server, start: badvpn-udpgw --listen-addr 127.0.0.1:7300.
  • Add the following arguments to badvpn-tun2socks: --udpgw-remote-server-addr 127.0.0.1:7300.

Create the file /etc/systemd/system/udpgw.service:

[Unit]
Description=UDP forwarding for badvpn-tun2socks
After=nss-lookup.target

[Service]
ExecStart=/usr/local/bin/badvpn-udpgw --listen-addr 127.0.0.1:7300
User=immie

[Install]
WantedBy=multi-user.target

Enable and start the service:

systemctl daemon-reload
systemctl enable udpgw
systemctl start udpgw
systemctl status udpgw
ss -lpn | grep 7300

Tun2socks-manager

tun2socks-manager is a small utility to manage SOCKS tunnel created by tun2socks.

Troubleshooting

Administration

  • Collect the DNS Server:
nmcli device show eth0 | grep DNS
  • View routing table
route -n

Issues

INFO(udpgw): client (127.0.0.1:42964): connection 29: UDP error
We get many errors like these in /var/log/syslog.
Sep 22 15:31:25 prime badvpn-udpgw[567]: ERROR(BDatagram): send failed
Sep 22 15:31:25 prime badvpn-udpgw[567]: INFO(udpgw): client (127.0.0.1:42964): connection 29: UDP error
Sep 22 15:31:25 prime badvpn-udpgw[567]: ERROR(BDatagram): send failed
Sep 22 15:31:25 prime badvpn-udpgw[567]: INFO(udpgw): client (127.0.0.1:42964): connection 29: UDP error
To troubleshoot these, we add option --loglevel debug to the service line.