DNS based VPN

It is rather handy to have a DNS VPN service available so that you can naughtily get some free Internet access via a pay-hotspot. When you use such a hotspot, Internet access is blocked until you are redirected to a web page where you hand over some cash. For technical reasons, DNS is typically still permitted and not tampered with, which gives you a way to tunnel your Internet traffic over a DNS based VPN service. Neat eh? This is all done with iodine and I will not go into much detail, as it is all on the author's website.

What is unique about our configuration is that we also need to run nsd on the box, for our domain hosting, on port 53/udp. So how can we run both without paying for more IPv4 space? We turn to some iptables magic: detect iodine related traffic and redirect it to the alternative port (5353/udp) that iodine listens on. The following iptables rules are slipped into /etc/iptables.up.rules:

iptables        -A INPUT      -p udp --dport 5353                                                                               -j ACCEPT
# matches on ".t1.wormnet.eu" as hexdump'ed in wireshark
iptables -t nat -A PREROUTING -p udp --dport 53   -m string --algo bm --from 20 --hex-string "|02743107776f726d6e657402657500|" -j REDIRECT --to-ports 5353
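The hex string in the PREROUTING rule is simply the DNS wire-format encoding of the tunnel domain (each label prefixed by its length, terminated by a zero byte for the root), so it matches any query whose QNAME ends in t1.wormnet.eu. The following is an added example, not part of the original page or of iodine itself: it derives that hex string from a domain name, reproduces the page's value for t1.wormnet.eu, and checks a constructed DNS query against the same byte pattern the way the string match does. The QTYPE NULL in the constructed query is an assumption (iodine can use several record types); the matcher does not depend on it.

```python
import struct

# Value taken from the page; everything below is constructed sample data.
TUNNEL_DOMAIN = "t1.wormnet.eu"


def dns_wire_labels(name: str) -> bytes:
    """Encode a domain name in DNS wire format: <len><label>...<0x00>."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:  # RFC 1035: labels are 1..63 octets
            raise ValueError(f"invalid label length: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminates the name
    return bytes(out)


def iptables_hex_string(name: str) -> str:
    """Render the wire form as an `-m string --hex-string` argument."""
    return "|" + dns_wire_labels(name).hex() + "|"


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header plus one question (QTYPE NULL=10, class IN=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    question = dns_wire_labels(qname) + struct.pack("!HH", 10, 1)
    return header + question


def matches_tunnel_suffix(dns_message: bytes, tunnel_domain: str) -> bool:
    """Mirror the iptables rule: does the encoded tunnel domain appear in the message?

    The rule uses `--from 20`, i.e. it skips the 20-byte IPv4 header and searches the
    rest of the packet; here we are handed the DNS message itself, so we search all of it.
    Because the wire form starts with a length byte, "xt1.wormnet.eu" (label "xt1",
    prefix 0x03) does not match, while "data.t1.wormnet.eu" does.
    """
    return dns_wire_labels(tunnel_domain) in dns_message


if __name__ == "__main__":
    print(iptables_hex_string(TUNNEL_DOMAIN))  # same value as the rule on the page
    for q in ("abcd1234.t1.wormnet.eu", "xt1.wormnet.eu", "www.example.com"):
        print(q, matches_tunnel_suffix(build_dns_query(q), TUNNEL_DOMAIN))
```

The same byte pattern is useful from the other side of the fence: a sensor that sees queries for a domain it does not expect, carrying long random-looking labels in front of a fixed suffix, is looking at a DNS tunnel, and `iptables -m string` with this encoding (or the equivalent in a DNS resolver's query log) is enough to count or alert on it.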

iodined is then configured by adding “-p 5353” to IODINED_ARGS in /etc/default/iodine:

START_IODINED="true"
IODINED_ARGS="-c -l 188.246.204.87 -p 5353 192.168.99.1 t1.wormnet.eu"
IODINED_PASSWORD="[ahem]"

Client Configuration

On a Debian box this is all dead easy:

host:~# aptitude install iodine dnsutils fping gawk ipcalc iproute
host:~# cat <<'EOF' > /etc/default/iodine-client
subdomain=t1.wormnet.eu
passwd=[look at marmot:/etc/default/iodine for the password]
EOF

Once done, type 'iodine-client-start' (as root) when you want to use the DNS VPN service; things should just work once the script has automatically detected and configured everything.

N.B. Make sure you really use nothing more than SSH over the tunnel (proxy your web traffic through it), as the tunnel itself is completely unencrypted.

Disconnecting from the VPN service is a pain though: you have to type 'pkill iodine' (as root) and then restart all your networking (for example, reconnect to a wireless AP).

dns/vpn.txt · Last modified: 2012/06/10 10:22 by alex