| skipped 60 lines |
61 | 61 | | |
62 | 62 | | Compile the server: |
63 | 63 | | ``` |
64 | | - | $ cd dnstt-server |
65 | | - | $ go build |
| 64 | + | tunnel-server$ cd dnstt-server |
| 65 | + | tunnel-server$ go build |
66 | 66 | | ``` |
67 | 67 | | |
68 | 68 | | First you need to generate the server keypair that will be used to |
69 | 69 | | authenticate the server and encrypt the tunnel. |
70 | 70 | | ``` |
71 | | - | $ ./dnstt-server -gen-key -privkey-file server.key -pubkey-file server.pub |
| 71 | + | tunnel-server$ ./dnstt-server -gen-key -privkey-file server.key -pubkey-file server.pub |
72 | 72 | | privkey written to server.key |
73 | 73 | | pubkey written to server.pub |
74 | 74 | | ``` |
| skipped 3 lines |
78 | 78 | | the DNS zone (`t.example.com`), and a TCP address to which incoming |
79 | 79 | | tunnel streams will be forwarded (`127.0.0.1:8000`). |
80 | 80 | | ``` |
81 | | - | $ ./dnstt-server -udp :5300 -privkey-file server.key t.example.com 127.0.0.1:8000 |
| 81 | + | tunnel-server$ ./dnstt-server -udp :5300 -privkey-file server.key t.example.com 127.0.0.1:8000 |
82 | 82 | | ``` |
83 | 83 | | |
84 | 84 | | The tunnel server needs to be able to receive packets on an external |
| skipped 3 lines |
88 | 88 | | (`:5300` above), and port-forward port 53 to it. On Linux, use these |
89 | 89 | | commands to forward external port 53 to localhost port 5300: |
90 | 90 | | ``` |
91 | | - | # iptables -I INPUT -p udp --dport 5300 -j ACCEPT |
92 | | - | # iptables -t nat -I PREROUTING -i eth0 -p udp --dport 53 -j REDIRECT --to-ports 5300 |
93 | | - | # ip6tables -I INPUT -p udp --dport 5300 -j ACCEPT |
94 | | - | # ip6tables -t nat -I PREROUTING -i eth0 -p udp --dport 53 -j REDIRECT --to-ports 5300 |
| 91 | + | tunnel-server$ sudo iptables -I INPUT -p udp --dport 5300 -j ACCEPT |
| 92 | + | tunnel-server$ sudo iptables -t nat -I PREROUTING -i eth0 -p udp --dport 53 -j REDIRECT --to-ports 5300 |
| 93 | + | tunnel-server$ sudo ip6tables -I INPUT -p udp --dport 5300 -j ACCEPT |
| 94 | + | tunnel-server$ sudo ip6tables -t nat -I PREROUTING -i eth0 -p udp --dport 53 -j REDIRECT --to-ports 5300 |
95 | 95 | | ``` |
96 | 96 | | |
97 | 97 | | You need to also run something for the tunnel server to connect to. It |
98 | 98 | | can be a proxy server or anything else. For testing, you can use an |
99 | 99 | | Ncat listener: |
100 | 100 | | ``` |
101 | | - | $ ncat -lkv 127.0.0.1 8000 |
| 101 | + | tunnel-server$ ncat -lkv 127.0.0.1 8000 |
102 | 102 | | ``` |
103 | 103 | | |
104 | 104 | | |
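Review bot: the four `iptables`/`ip6tables` rules are runtime-only and disappear on reboot, and `-i eth0` is an assumption about the interface name; the paragraph should tell the reader to substitute their real external interface and to persist the rules (for example with `iptables-save` and `ip6tables-save`, or the distribution's netfilter-persistent tooling), otherwise the tunnel silently stops answering on port 53 after the next restart. It would also help to say why the `INPUT` rule accepts `--dport 5300` rather than 53: `REDIRECT` in the `nat PREROUTING` chain rewrites the destination port before the `filter INPUT` chain sees the packet, so the accept rule has to match the redirected port. Worth one sentence as well: that same `INPUT` rule admits packets sent directly to UDP 5300 from outside, not only ones redirected from 53, which is harmless here because it is the same dnstt listener, but readers who expected only 53 to be reachable should know.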
| skipped 1 lines |
106 | 106 | | |
107 | 107 | | Compile the client: |
108 | 108 | | ``` |
109 | | - | $ cd dnstt-client |
110 | | - | $ go build |
| 109 | + | tunnel-client$ cd dnstt-client |
| 110 | + | tunnel-client$ go build |
111 | 111 | | ``` |
112 | 112 | | |
113 | 113 | | Copy the server.pub file from the server to the client. You don't need |
| skipped 13 lines |
127 | 127 | | the local TCP port that will receive connections and forward them |
128 | 128 | | through the tunnel (`127.0.0.1:7000`): |
129 | 129 | | ``` |
130 | | - | $ ./dnstt-client -doh https://doh.example/dns-query -pubkey-file server.pub t.example.com 127.0.0.1:7000 |
| 130 | + | tunnel-client$ ./dnstt-client -doh https://doh.example/dns-query -pubkey-file server.pub t.example.com 127.0.0.1:7000 |
131 | 131 | | ``` |
132 | 132 | | |
133 | 133 | | For DoT, it's the same, but use the `-dot` option instead: |
134 | 134 | | ``` |
135 | | - | $ ./dnstt-client -dot dot.example:853 -pubkey-file server.pub t.example.com 127.0.0.1:7000 |
| 135 | + | tunnel-client$ ./dnstt-client -dot dot.example:853 -pubkey-file server.pub t.example.com 127.0.0.1:7000 |
136 | 136 | | ``` |
137 | 137 | | |
138 | 138 | | Once the tunnel client is running, you can connect to the local end of |
139 | 139 | | the tunnel, type something, and see it appear at the remote end. |
140 | 140 | | ``` |
141 | | - | $ ncat -v 127.0.0.1 7000 |
| 141 | + | tunnel-client$ ncat -v 127.0.0.1 7000 |
142 | 142 | | ``` |
143 | 143 | | |
144 | 144 | | The client also has a plaintext UDP mode that can work through a |
| skipped 4 lines |
149 | 149 | | |
150 | 150 | | ## How to make a proxy |
151 | 151 | | |
152 | | - | You can make the tunnel into a general-purpose proxy by running a proxy |
153 | | - | server and connecting the server end of the tunnel to it. For example, |
154 | | - | Ncat has a built-in simple HTTP/HTTPS proxy: |
| 152 | + | dnstt is only a tunnel; it's up to you what you want to connect to it. |
| 153 | + | You can make the tunnel work like an ordinary SOCKS or HTTP proxy by |
| 154 | + | having the tunnel server forward to a standard proxy server. There are |
| 155 | + | many ways to set it up; here are some examples. |
| 156 | + | |
| 157 | + | |
| 158 | + | ### Ncat HTTP proxy |
| 159 | + | |
| 160 | + | Ncat has a simple built-in HTTP/HTTPS proxy, good for testing. Be aware |
| 161 | + | that Ncat's proxy isn't intended for use by untrusted clients; it won't |
| 162 | + | prevent them from connecting to localhost ports on the tunnel server, |
| 163 | + | for example. |
| 164 | + | |
155 | 165 | | ``` |
156 | | - | $ ncat -lkv --proxy-type http 127.0.0.1 8000 |
157 | | - | $ ./dnstt-server -udp :5300 -privkey-file server.key t.example.com 127.0.0.1:8000 |
| 166 | + | tunnel-server$ ncat -lkv --proxy-type http 127.0.0.1 8000 |
| 167 | + | tunnel-server$ ./dnstt-server -udp :5300 -privkey-file server.key t.example.com 127.0.0.1:8000 |
158 | 168 | | ``` |
159 | 169 | | |
160 | 170 | | On the client, have the tunnel client listen on 127.0.0.1:7000, and configure |
161 | | - | your applications to use http://127.0.0.1:7000/ as an HTTP proxy. |
| 171 | + | your applications to use 127.0.0.1:7000 as an HTTP proxy. |
| 172 | + | |
| 173 | + | ``` |
| 174 | + | tunnel-client$ ./dnstt-client -doh https://doh.example/dns-query -pubkey-file server.pub t.example.com 127.0.0.1:7000 |
| 175 | + | tunnel-client$ curl --proxy http://127.0.0.1:7000/ https://wtfismyip.com/text |
| 176 | + | ``` |
| 177 | + | |
| 178 | + | |
| 179 | + | ### SSH SOCKS proxy |
| 180 | + | |
| 181 | + | |
| 182 | + | OpenSSH has a built-in SOCKS proxy. If you run an SSH server on the |
| 183 | + | tunnel server, you can use dnstt to tunnel the SSH connection, the SSH |
| 184 | + | server will proxy connections for you. Let's assume you have the SSH |
| 185 | + | details configured so that you can run `ssh tunnel-server` on the tunnel |
| 186 | + | client. Make sure `AllowTcpForwarding` is set to `yes` (the default |
| 187 | + | value) in sshd_config. |
162 | 188 | | |
163 | 189 | | ``` |
164 | | - | $ ./dnstt-client -doh https://doh.example/dns-query -pubkey-file server.pub t.example.com 127.0.0.1:7000 |
165 | | - | $ curl -x http://127.0.0.1:7000/ http://example.com/ |
| 190 | + | tunnel-server$ ./dnstt-server -udp :5300 -privkey-file server.key t.example.com 127.0.0.1:22 |
| 191 | + | ``` |
| 192 | + | |
| 193 | + | The `HostKeyAlias` ssh option lets you connect to `tunnel-server` as if |
| 194 | + | it were located at 127.0.0.1:2222. Replace `tunnel-server` with the |
| 195 | + | hostname or IP address of the SSH server. |
| 196 | + | |
| 197 | + | ``` |
| 198 | + | tunnel-client$ ./dnstt-client -doh https://doh.example/dns-query -pubkey-file server.pub t.example.com 127.0.0.1:2222 |
| 199 | + | tunnel-client$ ssh -v -N -D 127.0.0.1:7000 -o HostKeyAlias=tunnel-server -p 2222 127.0.0.1 |
| 200 | + | tunnel-client$ curl --proxy http://127.0.0.1:7000/ https://wtfismyip.com/text |
166 | 201 | | ``` |
| 202 | + | |
| 203 | + | |
| 204 | + | ### Tor bridge |
| 205 | + | |
| 206 | + | You can run a Tor bridge on the tunnel server and tunnel the connection |
| 207 | + | to the bridge with dnstt, using dnstt as like a pluggable transport. The |
| 208 | + | Tor client provides a SOCKS interface that other programs can use. Let's |
| 209 | + | say your Tor bridge's ORPort is 9001. |
| 210 | + | |
| 211 | + | ``` |
| 212 | + | tunnel-server$ ./dnstt-server -udp :5300 -privkey-file server.key t.example.com 127.0.0.1:9001 |
| 213 | + | ``` |
| 214 | + | |
| 215 | + | ``` |
| 216 | + | tunnel-client$ ./dnstt-client -doh https://doh.example/dns-query -pubkey-file server.pub t.example.com 127.0.0.1:7000 |
| 217 | + | ``` |
| 218 | + | |
| 219 | + | Add a Bridge line to /etc/tor/torrc, or paste it into Tor Browser. You |
| 220 | + | can get `FINGERPRINT` from /var/lib/tor/fingerprint on the bridge. |
| 221 | + | |
| 222 | + | ``` |
| 223 | + | Bridge 127.0.0.1:7000 FINGERPRINT |
| 224 | + | ``` |
| 225 | + | |
| 226 | + | If you use a system tor, the client SOCKS port will be 127.0.0.1:9050. |
| 227 | + | If you use Tor Browser, it will be 127.0.0.1:9150. |
167 | 228 | | |
168 | 229 | | |
169 | 230 | | ## Covertness |
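Review bot: the `curl` line in the SSH SOCKS proxy section will not work against the proxy the preceding `ssh` line creates: `ssh -D 127.0.0.1:7000` opens a SOCKS proxy, but `curl --proxy http://127.0.0.1:7000/` makes curl speak the HTTP proxy protocol to it. Use `curl --proxy socks5h://127.0.0.1:7000/ https://wtfismyip.com/text`; the `socks5h` form also resolves the hostname through the tunnel rather than with the local resolver, which matters for a circumvention tool. Other points in this hunk: the Tor section's `Bridge 127.0.0.1:7000 FINGERPRINT` line is ignored by a system tor unless `UseBridges 1` is also set in torrc, so that directive should be shown alongside it; the `HostKeyAlias` paragraph presents the option as a convenience ("as if it were located at 127.0.0.1:2222"), but its security purpose is that ssh checks the host key presented at 127.0.0.1:2222 against the known_hosts entry for `tunnel-server` instead of creating a fresh trust-on-first-use entry for `[127.0.0.1]:2222`, so a mismatched key is flagged rather than silently accepted, and the sentence "Replace `tunnel-server` with the hostname or IP address of the SSH server" contradicts the earlier assumption that `ssh tunnel-server` already works (the alias must be the name the key is stored under); grammar: "you can use dnstt to tunnel the SSH connection, the SSH server will proxy connections for you" is a comma splice (make it "...the SSH connection; the SSH server will then proxy connections for you"), and "using dnstt as like a pluggable transport" should drop "as".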
| skipped 116 lines |