Tun2socks

From miki
Revision as of 17:45, 22 September 2017 by Mip

Using badvpn-tun2socks, one can setup a virtual tun0 interface connected to SOCKS proxy (e.g. SSH) and through which we will route all internet packets. This way we can setup a transparent SOCKS proxy without the need to configure applications (for instance, it is no longer needed to define http_proxy or proxy settings in these applications).

Build badvpn-tun2socks and badvpn-udpgw

We follow badvpn-tun2socks wiki:

mkdir badvpn-build
cd badvpn-build
cmake /path/to/badvpn -DBUILD_NOTHING_BY_DEFAULT=1 -DBUILD_TUN2SOCKS=1 -DBUILD_UDPGW=1
make
sudo cp tun2socks/badvpn-tun2socks /usr/local/bin
sudo cp udpgw/badvpn-udpgw /usr/local/bin
Start SSH SOCKS proxy

See SSH. The proxy must run on 127.0.0.1:1080. Typically the command is something like:

ssh -N -n -f -D 127.0.0.1:1080 SSH_SERVER

Create tun0 interface and start badvpn-tun2socks

We follow the wiki. See also issue #50:

ip tuntap add dev tun0 mode tun user BADVPN_USER
ip addr add 10.0.0.1/24 dev tun0 
ip link set tun0 up
su BADVPN_USER -c "setsid badvpn-tun2socks --logger syslog --loglevel warning --tundev tun0 --netif-ipaddr 10.0.0.2 --netif-netmask 255.255.255.0 --socks-server-addr 127.0.0.1:1080"
route add SSH_SERVER gw DEFAULT_GW metric 5

This configuration can be done once and for all at boot.

Create the route and set gateway

On a laptop, the route configuration depends on the network the laptop is connected to. We must:

  • Add a route to the SSH server through the existing gateway, with a lower metric than the original default route.
  • If the DNS servers are on the Internet (rather than on the local network), also add routes for them (as for the SSH server). This is needed because tun2socks does not forward UDP by default (see below).
  • Add a default route through the virtual router in the TUN device, with a lower metric than the original default route, but higher than the SSH and DNS routes.
route add SSH_SERVER gw DEFAULT_GW metric 5
# If DNS server not on local network: route add DNS_SERVER gw DEFAULT_GW metric 5
# to collect DNS server ip: nmcli device show eth0 | grep DNS
# the gateway is the --netif-ipaddr given to badvpn-tun2socks (10.0.0.2, on the tun0 subnet)
route add default gw 10.0.0.2 metric 6
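The three route steps above as a dry run, added here as an example that is not part of the original page or the badvpn project. It prints the route commands instead of executing them, so the plan can be checked before touching the live table, and it decides for each DNS server whether it is on the local network (no extra route) or on the Internet (host route via the original gateway). The SSH server address, LAN prefix, gateway and resolver addresses are constructed placeholders; TUN_ROUTER is assumed to be the --netif-ipaddr passed to badvpn-tun2socks.

```shell
#!/bin/sh
# Added example (not from the page or the badvpn project): dry run of the route setup.
# Prints the commands to run rather than executing them.

TUN_ROUTER=${TUN_ROUTER:-10.0.0.2}   # assumed: the --netif-ipaddr of badvpn-tun2socks

# ip_to_int 10.0.0.2 -> 167772162 (dotted quad to 32-bit integer)
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr ADDR NET/BITS -> exit 0 when ADDR lies inside NET/BITS.
# Decides whether a DNS server is reached directly on the LAN or needs a host route.
ip_in_cidr() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    if [ "$bits" -eq 0 ]; then return 0; fi
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# default_gateway_from "<output of ip -4 route show default>" -> gateway address.
# On a live host call it with "$(ip -4 route show default)"; below it gets a constructed line.
default_gateway_from() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# route_plan SSH_IP GATEWAY LOCAL_CIDR "DNS1 DNS2 ..." -> prints, in order:
#   1. host route to the SSH server via the original gateway (metric 5)
#   2. host routes for DNS servers that are not on the local network (metric 5)
#   3. default route via the tun2socks virtual router (metric 6)
route_plan() {
    ssh_ip=$1; gw=$2; local_cidr=$3; dns_list=$4
    echo "route add $ssh_ip gw $gw metric 5"
    for dns in $dns_list; do
        if ip_in_cidr "$dns" "$local_cidr"; then
            echo "# $dns is on the local network, reached directly"
        else
            echo "route add $dns gw $gw metric 5"
        fi
    done
    echo "route add default gw $TUN_ROUTER metric 6"
}

# Demonstration with constructed values: SSH server 203.0.113.5, LAN 192.168.1.0/24,
# one LAN resolver (the router) and one public resolver (203.0.113.53).
sample_routes='default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10'
gw=$(default_gateway_from "$sample_routes")
route_plan 203.0.113.5 "$gw" 192.168.1.0/24 "192.168.1.1 203.0.113.53"
```

To apply the plan on a real host, replace the constructed values with the resolved SSH server address, the LAN prefix from `ip -4 route` and the resolvers from `nmcli device show eth0 | grep DNS`, review the output, then pipe it to `sh`.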

UDP forwarding

tun2socks can forward UDP; however, this requires a daemon, badvpn-udpgw, running on the remote SSH server. To enable UDP forwarding:

  • On the remote SSH server, start: badvpn-udpgw --listen-addr 127.0.0.1:7300.
  • Add the following arguments to badvpn-tun2socks: --udpgw-remote-server-addr 127.0.0.1:7300.

Create the file /etc/systemd/system/udpgw.service:

[Unit]
Description=UDP forwarding for badvpn-tun2socks
After=nss-lookup.target

[Service]
ExecStart=/usr/local/bin/badvpn-udpgw --listen-addr 127.0.0.1:7300
User=immie

[Install]
WantedBy=multi-user.target

Enable and start the service:

systemctl daemon-reload
systemctl enable udpgw
systemctl start udpgw
systemctl status udpgw
ss -lpn | grep 7300
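The `ss -lpn | grep 7300` check above only shows that something listens on the port. Both listeners in this setup (the SSH SOCKS proxy on 1080 and badvpn-udpgw on 7300) are meant to be bound to 127.0.0.1 only; a udpgw bound to 0.0.0.0 would relay UDP for anyone who can reach the server. The script below, added here as an example that is not part of the original page or the badvpn project, parses `ss -lpn` output and verifies that every listener on a given port is on a loopback address. It assumes the column layout of iproute2's `ss -lpn` (Netid, State, Recv-Q, Send-Q, Local Address:Port, ...); the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the page or the badvpn project): verify that the SOCKS proxy
# and udpgw listeners are bound to loopback only, from `ss -lpn` output.
# On a live host pass "$(ss -lpn)"; the samples below are constructed.

# listener_addrs "<ss -lpn output>" PORT -> prints the local bind address of each
# listener on PORT (column 5 is Local Address:Port; the port follows the last colon)
listener_addrs() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $2 == "LISTEN" || $2 == "UNCONN" {
            n = split($5, parts, ":"); p = parts[n]
            if (p == port) { sub(":" p "$", "", $5); print $5 }
        }'
}

# loopback_only "<ss -lpn output>" PORT -> exit 0 if at least one listener is on PORT
# and all of them bind 127.0.0.1 or [::1]; exit 1 if none is found or any binds a
# non-loopback address such as 0.0.0.0 or [::]
loopback_only() {
    addrs=$(listener_addrs "$1" "$2")
    [ -n "$addrs" ] || return 1
    for a in $addrs; do
        case $a in
            127.0.0.1|'[::1]') ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample: the expected state on the SSH server after the steps above
SS_OK='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    127.0.0.1:1080    0.0.0.0:*   users:(("ssh",pid=1234,fd=4))
tcp   LISTEN 0      128    127.0.0.1:7300    0.0.0.0:*   users:(("badvpn-udpgw",pid=2345,fd=3))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*   users:(("sshd",pid=800,fd=3))'

# Constructed sample: a misconfigured udpgw exposed on all interfaces
SS_BAD='tcp   LISTEN 0      128    0.0.0.0:7300      0.0.0.0:*   users:(("badvpn-udpgw",pid=2345,fd=3))'

for port in 1080 7300; do
    if loopback_only "$SS_OK" "$port"; then
        echo "port $port: loopback only, ok"
    else
        echo "port $port: missing or exposed: $(listener_addrs "$SS_OK" "$port")"
    fi
done
loopback_only "$SS_BAD" 7300 || echo "SS_BAD port 7300: exposed on $(listener_addrs "$SS_BAD" 7300)"
```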

Troubleshooting

  • Collect the DNS server:
    nmcli device show eth0 | grep DNS
  • View the routing table:
    route -n