dns:vpn

Differences

This shows you the differences between two versions of the page.

dns:vpn [2011/11/27 13:51]
alex
dns:vpn [2012/06/10 09:22] (current)
alex
Line 2: Line 2:
 It is rather handy to have a DNS VPN service available so that you can get naughtly some free Internet access via a pay-hotspot. ​ When you use such a hotspot Internet access is blocked until a redirected web browser session is used where you hand over some cash.  For technical reasons, DNS is typically still permitted and is not tampered with thus providing you with a manner in which to tunnel your Internet traffic over a DNS based VPN service. ​ Neat eh?  This is all done with [[http://​code.kryo.se/​iodine/​|iodine]] and I will not go into much as it is all on the authors website. It is rather handy to have a DNS VPN service available so that you can get naughtly some free Internet access via a pay-hotspot. ​ When you use such a hotspot Internet access is blocked until a redirected web browser session is used where you hand over some cash.  For technical reasons, DNS is typically still permitted and is not tampered with thus providing you with a manner in which to tunnel your Internet traffic over a DNS based VPN service. ​ Neat eh?  This is all done with [[http://​code.kryo.se/​iodine/​|iodine]] and I will not go into much as it is all on the authors website.
  
-What is unique about our configuration is that we need to run [[:​dns:​authoritive|nsd]] also on the box for our domain hosting on port 53/udp so how can we run both without paying for more IPv4 space? ​ Well we turn to some iptables magic to detect iodine related traffic and bump incoming traffic to the alternative port (5353/udp) that iodine listens on (''/​etc/​iptables.up.rules''​):​ +What is unique about our configuration is that we need to run [[:​dns:​authoritive|nsd]] also on the box for our domain hosting on port 53/udp so how can we run both without paying for more IPv4 space? ​ Well we turn to some iptables magic to detect iodine related traffic and bump incoming traffic to the alternative port (5353/udp) that iodine listens on (the following iptable rules are slipped into ''/​etc/​iptables.up.rules''​):​ 
-  ​*filter +  ​iptables ​       -A INPUT      -p udp --dport 5353                                                                               -j ACCEPT 
-   +  ​# matches on "​.t1.wormnet.eu"​ as hexdump'​ed in wireshark 
-  ​[snipped]+  ​iptables -t nat -A PREROUTING -p udp --dport 53   -m string --algo bm --from 20 --hex-string "​|02743107776f726d6e657402657500|"​ -j REDIRECT --to-ports 5353
  
-  # iodine (udp only service) +''​iodined''​ is then configured by adding "''​-p 5353''"​ to ''/​etc/​default/​iodine'':​ 
-  -A INPUT -p udp --dport ​5353 -j ACCEPT +  ​START_IODINED="​true"​ 
-   +  ​IODINED_ARGS="​-c -l 188.246.204.87 -p 5353 192.168.99.1 ​t1.wormnet.eu"​ 
-  ​*nat +  ​IODINED_PASSWORD="[ahem]"
-   +
-  [snipped] +
-   +
-  # iodine ​matches on ".t1.wormnet.eu" ​as in wireshark +
-  ​-A PREROUTING -p udp --dport 53 -m string --algo bm --from 20 --hex-string ​"|02743107776f726d6e657402657500|" ​-j REDIRECT --to-ports 5353+
  
 ===== Client Configuration ===== ===== Client Configuration =====
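Review bot: the new revision says the rules are "slipped into /etc/iptables.up.rules" but changes them from the iptables-restore table format the old revision used (`*filter` / `*nat` sections with `-A ...` lines) to full `iptables ... -A ...` shell commands; a file loaded with iptables-restore will not accept the latter, so either keep the restore syntax in that file or say these two lines are run from a script. The hex string `|02743107776f726d6e657402657500|` is the DNS wire encoding of the labels `t1`, `wormnet`, `eu` plus the terminating zero, so only queries whose name ends exactly in `t1.wormnet.eu` are redirected and everything else still reaches nsd on 53; the comment should say that, since it is the whole reason the two daemons can share one address. Two things worth a line each: DNS names are case-insensitive but `-m string` compares bytes exactly unless `--icase` is given, so a resolver on the path that changes label case would send those queries to nsd instead of iodined; and the `INPUT --dport 5353 -j ACCEPT` rule is needed because REDIRECT rewrites the port in PREROUTING before the filter INPUT chain sees the packet. In the `IODINED_ARGS` line, `-c` and `-l 188.246.204.87` are doing real work (binding to one address is what keeps 5353 off the other IPs), so a short comment on why each flag is there would save the next reader a trip to the iodine manual.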
Line 27: Line 22:
 Once done, type (as root), '​iodine-client-start'​ when you want to use the DNS VPN service and things should just work after the system has automatically detected and configured everything. Once done, type (as root), '​iodine-client-start'​ when you want to use the DNS VPN service and things should just work after the system has automatically detected and configured everything.
  
-*N.B.** make sure you use really nothing more than SSH over the tunnel ([[:proxy]] your web traffic) as it is completely //​unencrypted//​+**N.B.** make sure you use really nothing more than SSH over the tunnel ([[:proxy]] your web traffic) as it is completely //​unencrypted//​
  
 Disconnecting from the VPN service is a pain though, you have to (as root) type 'pkill iodine'​ and then restart all your networking (for example reconnect to a wireless AP). Disconnecting from the VPN service is a pain though, you have to (as root) type 'pkill iodine'​ and then restart all your networking (for example reconnect to a wireless AP).
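Review bot: the change from `*N.B.**` to `**N.B.**` is the right markup fix and makes the warning render bold. Since the line already says the tunnel is completely unencrypted, it would be clearer to spell out the consequence: the hotspot's resolver and every DNS server on the path can read the tunnelled traffic, which is exactly why the page limits use to SSH (with web traffic proxied through it).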
dns/vpn.1322401877.txt.gz · Last modified: 2011/11/27 13:51 by alex