Tun2socks
Using badvpn-tun2socks, one can set up a virtual tun0 interface connected to a SOCKS proxy (e.g. SSH) through which all Internet packets are routed. This gives a transparent SOCKS proxy without having to configure each application (for instance, there is no longer any need to define http_proxy or proxy settings in these applications).
Build badvpn-tun2socks and badvpn-udpgw
We follow the badvpn-tun2socks wiki:
mkdir badvpn-build
cd badvpn-build
cmake /path/to/badvpn -DBUILD_NOTHING_BY_DEFAULT=1 -DBUILD_TUN2SOCKS=1 -DBUILD_UDPGW=1
make
sudo cp tun2socks/badvpn-tun2socks /usr/local/bin
sudo cp udpgw/badvpn-udpgw /usr/local/bin
- Start SSH SOCKS proxy
See SSH. The proxy must run on 127.0.0.1:1080.
Typically the command is something like:
ssh -N -n -f -D 127.0.0.1:1080 SSH_SERVER
Create tun0 interface and start badvpn-tun2socks
We follow the wiki. See also issue #50:
ip tuntap add dev tun0 mode tun user BADVPN_USER
ip addr add 10.0.0.1/24 dev tun0
ip link set tun0 up
su BADVPN_USER -c "setsid badvpn-tun2socks --logger syslog --loglevel warning --tundev tun0 --netif-ipaddr 10.0.0.2 --netif-netmask 255.255.255.0 --socks-server-addr 127.0.0.1:1080"
route add SSH_SERVER gw DEFAULT_GW metric 5
This configuration can be done once for all at boot.
- Create the route and set gateway
On a laptop, the route configuration will depend on the network to which the laptop is configured. We must:
- Add a route to the SSH server through the existing gateway, with a lower metric than the original default route.
- If the DNS servers are on the Internet (rather than on the local network), also add routes for them (as for the SSH server). This is needed because tun2socks does not forward UDP by default (see below).
- Add default route through the virtual router in the TUN device, with a lower metric than the original default route, but higher than the SSH and DNS routes.
route add SSH_SERVER gw DEFAULT_GW metric 5
# If DNS server not on local network: route add DNS_SERVER gw DEFAULT_GW metric 5
# to collect DNS server ip: nmcli device show eth0 | grep DNS
route add default gw 10.0.0.2 metric 6
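The route logic above (SSH server and off-link DNS servers via the physical gateway, default via the virtual router) can be computed rather than typed by hand each time the laptop changes network. The following script is an added example, not part of this page or of the badvpn project; it parses the output of `ip route show default` and `nmcli device show eth0`, decides which DNS servers lie outside the local subnet, and prints the route commands for review instead of applying them. The sample outputs embedded in it are constructed; the virtual router address 10.0.0.2 and the metrics 5 and 6 are taken from the configuration above.

```sh
#!/bin/sh
# Added example (not from the badvpn project): compute the routes described
# above and print them for review. Assumed inputs: the SSH server address,
# the local address/prefix of eth0, and the outputs of `ip route show default`
# and `nmcli device show eth0`.

# Dotted-quad IPv4 -> 32-bit integer, using only POSIX sh arithmetic
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds when address $1 lies inside network $2 given as a.b.c.d/bits
in_subnet() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Gateway of the existing default route, from `ip route show default` on stdin
default_gw_from_route_table() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# DNS servers from `nmcli device show <dev>` on stdin, one per line
dns_from_nmcli() {
    awk '$1 ~ /^IP4\.DNS\[[0-9]+\]:$/ { print $2 }'
}

# gen_routes SSH_SERVER DEFAULT_GW LOCAL_NET DNS...
# Prints: SSH server (and every DNS server not on LOCAL_NET) via the physical
# gateway with metric 5, then default via the tun2socks virtual router
# (10.0.0.2 in the configuration above) with metric 6.
gen_routes() {
    ssh_server=$1 default_gw=$2 local_net=$3
    shift 3
    echo "route add $ssh_server gw $default_gw metric 5"
    for dns in "$@"; do
        if ! in_subnet "$dns" "$local_net"; then
            echo "route add $dns gw $default_gw metric 5"
        fi
    done
    echo "route add default gw 10.0.0.2 metric 6"
}

# Constructed sample outputs, standing in for the live commands
SAMPLE_ROUTE='default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20 metric 100'
SAMPLE_NMCLI='GENERAL.DEVICE:                         eth0
IP4.ADDRESS[1]:                         192.168.1.20/24
IP4.DNS[1]:                             192.168.1.1
IP4.DNS[2]:                             8.8.8.8'

# Usage on the laptop:  sh tun2socks-routes.sh SSH_SERVER LOCAL_NET
# e.g.                  sh tun2socks-routes.sh 203.0.113.10 192.168.1.20/24
# Review the printed commands, then run them as root.
if [ $# -ge 2 ]; then
    gw=$(ip route show default | default_gw_from_route_table)
    dns=$(nmcli device show eth0 | dns_from_nmcli)
    gen_routes "$1" "$gw" "$2" $dns
fi
```

With the constructed sample above (local network 192.168.1.0/24, DNS servers 192.168.1.1 and 8.8.8.8), only 8.8.8.8 gets a route via the physical gateway: 192.168.1.1 is on-link and needs none.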
UDP forwarding
tun2socks can forward UDP, but this requires a daemon, badvpn-udpgw, to run on the remote SSH server. To enable UDP forwarding:
- On the remote SSH server, start:
badvpn-udpgw --listen-addr 127.0.0.1:7300
- Add the following argument to badvpn-tun2socks:
--udpgw-remote-server-addr 127.0.0.1:7300
To run it as a service on the remote SSH server, create the file /etc/systemd/system/udpgw.service:
[Unit]
Description=UDP forwarding for badvpn-tun2socks
After=nss-lookup.target
[Service]
ExecStart=/usr/local/bin/badvpn-udpgw --listen-addr 127.0.0.1:7300
User=immie
[Install]
WantedBy=multi-user.target
Enable and start the service:
systemctl daemon-reload
systemctl enable udpgw
systemctl start udpgw
systemctl status udpgw
ss -lpn | grep 7300
Troubleshooting
Administration
- Collect the DNS Server:
nmcli device show eth0 | grep DNS
- View routing table
route -n
Issues
INFO(udpgw): client (127.0.0.1:42964): connection 29: UDP error
- We get many errors like these in /var/log/syslog:
Sep 22 15:31:25 prime badvpn-udpgw[567]: ERROR(BDatagram): send failed
Sep 22 15:31:25 prime badvpn-udpgw[567]: INFO(udpgw): client (127.0.0.1:42964): connection 29: UDP error
Sep 22 15:31:25 prime badvpn-udpgw[567]: ERROR(BDatagram): send failed
Sep 22 15:31:25 prime badvpn-udpgw[567]: INFO(udpgw): client (127.0.0.1:42964): connection 29: UDP error
- To troubleshoot these, we add the option --loglevel debug to the ExecStart line of the service.
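Before raising the log level, it helps to know whether the errors come from one UDP flow or from all of them. The script below is an added example, not part of this page or of the badvpn project: it reads syslog lines, counts the "UDP error" messages per client connection and the "send failed" errors, using the message format shown above. The log sample inside it is constructed from those lines.

```sh
#!/bin/sh
# Added example (not from the badvpn project): summarise udpgw errors from
# syslog per client connection. Assumes the log format shown above.

# Constructed sample, modelled on the syslog lines above
LOG_SAMPLE='Sep 22 15:31:25 prime badvpn-udpgw[567]: ERROR(BDatagram): send failed
Sep 22 15:31:25 prime badvpn-udpgw[567]: INFO(udpgw): client (127.0.0.1:42964): connection 29: UDP error
Sep 22 15:31:25 prime badvpn-udpgw[567]: ERROR(BDatagram): send failed
Sep 22 15:31:25 prime badvpn-udpgw[567]: INFO(udpgw): client (127.0.0.1:42964): connection 29: UDP error
Sep 22 15:31:26 prime badvpn-udpgw[567]: INFO(udpgw): client (127.0.0.1:42964): connection 31: UDP error
Sep 22 15:31:26 prime systemd[1]: Started UDP forwarding for badvpn-tun2socks.'

# stdin: syslog lines; stdout: "<client> <connection> <count>", one line per connection
udpgw_error_summary() {
    awk '/badvpn-udpgw\[[0-9]+\]: INFO\(udpgw\): client \([^)]+\): connection [0-9]+: UDP error/ {
        # "client (" is 8 characters, the closing ")" one more
        match($0, /client \([^)]+\)/)
        client = substr($0, RSTART + 8, RLENGTH - 9)
        # "connection " is 11 characters
        match($0, /connection [0-9]+/)
        conn = substr($0, RSTART + 11, RLENGTH - 11)
        n[client " " conn]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# stdin: syslog lines; stdout: number of failed sends reported by BDatagram
send_failed_count() {
    grep -c 'badvpn-udpgw\[[0-9]*\]: ERROR(BDatagram): send failed' || true
}

# Usage on the SSH server:  sh udpgw-errors.sh /var/log/syslog
if [ $# -ge 1 ]; then
    log=$(cat "$1")
    echo "send failed: $(printf '%s\n' "$log" | send_failed_count)"
    echo "UDP errors per connection (client connection count):"
    printf '%s\n' "$log" | udpgw_error_summary
fi
```

On the sample, connection 29 of client 127.0.0.1:42964 accounts for two of the three UDP errors. A single connection failing repeatedly points at one destination that does not answer (or is blocked for outbound UDP on the server), whereas errors spread over every connection suggest that the server cannot send UDP at all.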