dns:vpn [2011/11/27 13:51] alex |
dns:vpn [2012/06/10 09:22] (current) alex |
Line 2: | Line 2: | ||
It is rather handy to have a DNS VPN service available so that you can get naughtly some free Internet access via a pay-hotspot. When you use such a hotspot Internet access is blocked until a redirected web browser session is used where you hand over some cash. For technical reasons, DNS is typically still permitted and is not tampered with thus providing you with a manner in which to tunnel your Internet traffic over a DNS based VPN service. Neat eh? This is all done with [[http://code.kryo.se/iodine/|iodine]] and I will not go into much as it is all on the authors website. | It is rather handy to have a DNS VPN service available so that you can get naughtly some free Internet access via a pay-hotspot. When you use such a hotspot Internet access is blocked until a redirected web browser session is used where you hand over some cash. For technical reasons, DNS is typically still permitted and is not tampered with thus providing you with a manner in which to tunnel your Internet traffic over a DNS based VPN service. Neat eh? This is all done with [[http://code.kryo.se/iodine/|iodine]] and I will not go into much as it is all on the authors website. | ||
- | What is unique about our configuration is that we need to run [[:dns:authoritive|nsd]] also on the box for our domain hosting on port 53/udp so how can we run both without paying for more IPv4 space? Well we turn to some iptables magic to detect iodine related traffic and bump incoming traffic to the alternative port (5353/udp) that iodine listens on (''/etc/iptables.up.rules''): | + | What is unique about our configuration is that we need to run [[:dns:authoritive|nsd]] also on the box for our domain hosting on port 53/udp so how can we run both without paying for more IPv4 space? Well we turn to some iptables magic to detect iodine related traffic and bump incoming traffic to the alternative port (5353/udp) that iodine listens on (the following iptable rules are slipped into ''/etc/iptables.up.rules''): |
- | *filter | + | iptables -A INPUT -p udp --dport 5353 -j ACCEPT |
- | + | # matches on ".t1.wormnet.eu" as hexdump'ed in wireshark | |
- | [snipped] | + | iptables -t nat -A PREROUTING -p udp --dport 53 -m string --algo bm --from 20 --hex-string "|02743107776f726d6e657402657500|" -j REDIRECT --to-ports 5353 |
- | # iodine (udp only service) | + | ''iodined'' is then configured by adding "''-p 5353''" to ''/etc/default/iodine'': |
- | -A INPUT -p udp --dport 5353 -j ACCEPT | + | START_IODINED="true" |
- | + | IODINED_ARGS="-c -l 188.246.204.87 -p 5353 192.168.99.1 t1.wormnet.eu" | |
- | *nat | + | IODINED_PASSWORD="[ahem]" |
- | + | ||
- | [snipped] | + | |
- | + | ||
- | # iodine - matches on ".t1.wormnet.eu" as in wireshark | + | |
- | -A PREROUTING -p udp --dport 53 -m string --algo bm --from 20 --hex-string "|02743107776f726d6e657402657500|" -j REDIRECT --to-ports 5353 | + | |
===== Client Configuration ===== | ===== Client Configuration ===== | ||
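Review bot: the rewritten firewall snippet on the right is in the wrong format for the file it says it lives in. The sentence still says the rules are "slipped into ''/etc/iptables.up.rules''", which the previous revision showed in iptables-restore format (a ''*filter'' header, a bare ''-A INPUT -p udp --dport 5353 -j ACCEPT'', a ''*nat'' header, a bare ''-A PREROUTING ...''), but the new lines are written as ''iptables -A INPUT ...'' and ''iptables -t nat -A PREROUTING ...'' shell commands. iptables-restore takes plain ''-A ...'' rule lines under their ''*table'' header, not ''iptables ...'' commands, so either keep the restore-format lines with their ''*filter'' and ''*nat'' headers or say the two commands are run by hand. The old comment explaining the hex string was also worth keeping in full: ''02 74 31 07 77 6f 72 6d 6e 65 74 02 65 75 00'' is the DNS wire-format label encoding of t1.wormnet.eu (length 2 "t1", length 7 "wormnet", length 2 "eu", terminating 00), which is why the ''-m string --from 20 --hex-string'' match finds it in the query name; note that this redirects every port-53 query carrying that suffix to 5353, not only iodine's, so nsd never sees queries for that subdomain.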
Line 27: | Line 22: | ||
Once done, type (as root), 'iodine-client-start' when you want to use the DNS VPN service and things should just work after the system has automatically detected and configured everything. | Once done, type (as root), 'iodine-client-start' when you want to use the DNS VPN service and things should just work after the system has automatically detected and configured everything. | ||
- | *N.B.** make sure you use really nothing more than SSH over the tunnel ([[:proxy]] your web traffic) as it is completely //unencrypted// | + | **N.B.** make sure you use really nothing more than SSH over the tunnel ([[:proxy]] your web traffic) as it is completely //unencrypted// |
Disconnecting from the VPN service is a pain though, you have to (as root) type 'pkill iodine' and then restart all your networking (for example reconnect to a wireless AP). | Disconnecting from the VPN service is a pain though, you have to (as root) type 'pkill iodine' and then restart all your networking (for example reconnect to a wireless AP). |
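Review bot: the markup fix (''*N.B.**'' to ''**N.B.**'') is correct, and this is the right line to tie the warning to the server configuration above: ''IODINED_PASSWORD'' only authenticates clients to ''iodined'', it does not encrypt anything, so the tunnel is "completely unencrypted" even with the password set and the "SSH over the tunnel only" advice stands. Consider saying so explicitly, since a reader seeing a password in ''/etc/default/iodine'' may assume it implies confidentiality.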