This shows you the differences between two versions of the page.
Previous revision: dns:vpn [2011/11/27 13:53] alex
Current revision: dns:vpn [2012/06/10 09:22] (current) alex
Line 4: | Line 4: | ||
What is unique about our configuration is that we need to run [[:dns:authoritive|nsd]] also on the box for our domain hosting on port 53/udp so how can we run both without paying for more IPv4 space? Well we turn to some iptables magic to detect iodine related traffic and bump incoming traffic to the alternative port (5353/udp) that iodine listens on (the following iptable rules are slipped into ''/etc/iptables.up.rules''): | What is unique about our configuration is that we need to run [[:dns:authoritive|nsd]] also on the box for our domain hosting on port 53/udp so how can we run both without paying for more IPv4 space? Well we turn to some iptables magic to detect iodine related traffic and bump incoming traffic to the alternative port (5353/udp) that iodine listens on (the following iptable rules are slipped into ''/etc/iptables.up.rules''): | ||
iptables -A INPUT -p udp --dport 5353 -j ACCEPT | iptables -A INPUT -p udp --dport 5353 -j ACCEPT | ||
+ | # matches on ".t1.wormnet.eu" as hexdump'ed in wireshark | ||
iptables -t nat -A PREROUTING -p udp --dport 53 -m string --algo bm --from 20 --hex-string "|02743107776f726d6e657402657500|" -j REDIRECT --to-ports 5353 | iptables -t nat -A PREROUTING -p udp --dport 53 -m string --algo bm --from 20 --hex-string "|02743107776f726d6e657402657500|" -j REDIRECT --to-ports 5353 | ||
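Review bot: the added comment above the `iptables -t nat` rule should say what the bytes actually are, namely the DNS wire-format (length-prefixed label) encoding of the tunnel name, `02` "t1", `07` "wormnet", `02` "eu", `00`, rather than describing them as a Wireshark hexdump; a future editor changing the tunnel domain needs to know to re-encode the labels, not to go and capture a packet. It is also worth a second comment line stating the consequence of the rule: every port 53 query whose name ends in t1.wormnet.eu is redirected to iodine's 5353, so for that subdomain iodine, not nsd, is the responder, and nsd will never see (or log) those queries.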
Line 21: | Line 22: | ||
Once done, type (as root), 'iodine-client-start' when you want to use the DNS VPN service and things should just work after the system has automatically detected and configured everything. | Once done, type (as root), 'iodine-client-start' when you want to use the DNS VPN service and things should just work after the system has automatically detected and configured everything. | ||
- | *N.B.** make sure you use really nothing more than SSH over the tunnel ([[:proxy]] your web traffic) as it is completely //unencrypted// | + | **N.B.** make sure you use really nothing more than SSH over the tunnel ([[:proxy]] your web traffic) as it is completely //unencrypted// |
Disconnecting from the VPN service is a pain though, you have to (as root) type 'pkill iodine' and then restart all your networking (for example reconnect to a wireless AP). | Disconnecting from the VPN service is a pain though, you have to (as root) type 'pkill iodine' and then restart all your networking (for example reconnect to a wireless AP). |
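Review bot: the change from `*N.B.**` to `**N.B.**` is the right fix, since the old line had an unmatched opening marker and the bold never closed; while on that line, give the sentence a terminating full stop, as it is the one security-critical statement on the page (the tunnel is unencrypted, so only SSH should cross it and web traffic goes through the [[:proxy]]) and currently trails off without punctuation.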