STRLCPY/dnstt

Add SSH SOCKS and Tor bridge instructions.
David Fifield committed 4 years ago

e8647f61

1 parent a0a4d6c6

Total 1 files

■ ■ ■ ■ ■ ■

README

		skipped 60 lines
61	61
62	62		Compile the server:
63	63		```
64		-	$ cd dnstt-server
65		-	$ go build
	64	+	tunnel-server$ cd dnstt-server
	65	+	tunnel-server$ go build
66	66		```
67	67
68	68		First you need to generate the server keypair that will be used to
69	69		authenticate the server and encrypt the tunnel.
70	70		```
71		-	$ ./dnstt-server -gen-key -privkey-file server.key -pubkey-file server.pub
	71	+	tunnel-server$ ./dnstt-server -gen-key -privkey-file server.key -pubkey-file server.pub
72	72		privkey written to server.key
73	73		pubkey written to server.pub
74	74		```
		skipped 3 lines
78	78		the DNS zone (`t.example.com`), and a TCP address to which incoming
79	79		tunnel streams will be forwarded (`127.0.0.1:8000`).
80	80		```
81		-	$ ./dnstt-server -udp :5300 -privkey-file server.key t.example.com 127.0.0.1:8000
	81	+	tunnel-server$ ./dnstt-server -udp :5300 -privkey-file server.key t.example.com 127.0.0.1:8000
82	82		```
83	83
84	84		The tunnel server needs to be able to receive packets on an external
		skipped 3 lines
88	88		(`:5300` above), and port-forward port 53 to it. On Linux, use these
89	89		commands to forward external port 53 to localhost port 5300:
90	90		```
91		-	# iptables -I INPUT -p udp --dport 5300 -j ACCEPT
92		-	# iptables -t nat -I PREROUTING -i eth0 -p udp --dport 53 -j REDIRECT --to-ports 5300
93		-	# ip6tables -I INPUT -p udp --dport 5300 -j ACCEPT
94		-	# ip6tables -t nat -I PREROUTING -i eth0 -p udp --dport 53 -j REDIRECT --to-ports 5300
	91	+	tunnel-server$ sudo iptables -I INPUT -p udp --dport 5300 -j ACCEPT
	92	+	tunnel-server$ sudo iptables -t nat -I PREROUTING -i eth0 -p udp --dport 53 -j REDIRECT --to-ports 5300
	93	+	tunnel-server$ sudo ip6tables -I INPUT -p udp --dport 5300 -j ACCEPT
	94	+	tunnel-server$ sudo ip6tables -t nat -I PREROUTING -i eth0 -p udp --dport 53 -j REDIRECT --to-ports 5300
95	95		```
96	96
97	97		You need to also run something for the tunnel server to connect to. It
98	98		can be a proxy server or anything else. For testing, you can use an
99	99		Ncat listener:
100	100		```
101		-	$ ncat -lkv 127.0.0.1 8000
	101	+	tunnel-server$ ncat -lkv 127.0.0.1 8000
102	102		```
103	103
104	104
		skipped 1 lines
106	106
107	107		Compile the client:
108	108		```
109		-	$ cd dnstt-client
110		-	$ go build
	109	+	tunnel-client$ cd dnstt-client
	110	+	tunnel-client$ go build
111	111		```
112	112
113	113		Copy the server.pub file from the server to the client. You don't need
		skipped 13 lines
127	127		the local TCP port that will receive connections and forward them
128	128		through the tunnel (`127.0.0.1:7000`):
129	129		```
130		-	$ ./dnstt-client -doh https://doh.example/dns-query -pubkey-file server.pub t.example.com 127.0.0.1:7000
	130	+	tunnel-client$ ./dnstt-client -doh https://doh.example/dns-query -pubkey-file server.pub t.example.com 127.0.0.1:7000
131	131		```
132	132
133	133		For DoT, it's the same, but use the `-dot` option instead:
134	134		```
135		-	$ ./dnstt-client -dot dot.example:853 -pubkey-file server.pub t.example.com 127.0.0.1:7000
	135	+	tunnel-client$ ./dnstt-client -dot dot.example:853 -pubkey-file server.pub t.example.com 127.0.0.1:7000
136	136		```
137	137
138	138		Once the tunnel client is running, you can connect to the local end of
139	139		the tunnel, type something, and see it appear at the remote end.
140	140		```
141		-	$ ncat -v 127.0.0.1 7000
	141	+	tunnel-client$ ncat -v 127.0.0.1 7000
142	142		```
143	143
144	144		The client also has a plaintext UDP mode that can work through a
		skipped 4 lines
149	149
150	150		## How to make a proxy
151	151
152		-	You can make the tunnel into a general-purpose proxy by running a proxy
153		-	server and connecting the server end of the tunnel to it. For example,
154		-	Ncat has a built-in simple HTTP/HTTPS proxy:
	152	+	dnstt is only a tunnel; it's up to you what you want to connect to it.
	153	+	You can make the tunnel work like an ordinary SOCKS or HTTP proxy by
	154	+	having the tunnel server forward to a standard proxy server. There are
	155	+	many ways to set it up; here are some examples.
	156	+
	157	+
	158	+	### Ncat HTTP proxy
	159	+
	160	+	Ncat has a simple built-in HTTP/HTTPS proxy, good for testing. Be aware
	161	+	that Ncat's proxy isn't intended for use by untrusted clients; it won't
	162	+	prevent them from connecting to localhost ports on the tunnel server,
	163	+	for example.
	164	+
155	165		```
156		-	$ ncat -lkv --proxy-type http 127.0.0.1 8000
157		-	$ ./dnstt-server -udp :5300 -privkey-file server.key t.example.com 127.0.0.1:8000
	166	+	tunnel-server$ ncat -lkv --proxy-type http 127.0.0.1 8000
	167	+	tunnel-server$ ./dnstt-server -udp :5300 -privkey-file server.key t.example.com 127.0.0.1:8000
158	168		```
159	169
160	170		On the client, have the tunnel client listen on 127.0.0.1:7000, and configure
161		-	your applications to use http://127.0.0.1:7000/ as an HTTP proxy.
	171	+	your applications to use 127.0.0.1:7000 as an HTTP proxy.
	172	+
	173	+	```
	174	+	tunnel-client$ ./dnstt-client -doh https://doh.example/dns-query -pubkey-file server.pub t.example.com 127.0.0.1:7000
	175	+	tunnel-client$ curl --proxy http://127.0.0.1:7000/ https://wtfismyip.com/text
	176	+	```
	177	+
	178	+
	179	+	### SSH SOCKS proxy
	180	+
	181	+
	182	+	OpenSSH has a built-in SOCKS proxy. If you run an SSH server on the
	183	+	tunnel server, you can use dnstt to tunnel the SSH connection, the SSH
	184	+	server will proxy connections for you. Let's assume you have the SSH
	185	+	details configured so that you can run `ssh tunnel-server` on the tunnel
	186	+	client. Make sure `AllowTcpForwarding` is set to `yes` (the default
	187	+	value) in sshd_config.
162	188
163	189		```
164		-	$ ./dnstt-client -doh https://doh.example/dns-query -pubkey-file server.pub t.example.com 127.0.0.1:7000
165		-	$ curl -x http://127.0.0.1:7000/ http://example.com/
	190	+	tunnel-server$ ./dnstt-server -udp :5300 -privkey-file server.key t.example.com 127.0.0.1:22
	191	+	```
	192	+
	193	+	The `HostKeyAlias` ssh option lets you connect to `tunnel-server` as if
	194	+	it were located at 127.0.0.1:2222. Replace `tunnel-server` with the
	195	+	hostname or IP address of the SSH server.
	196	+
	197	+	```
	198	+	tunnel-client$ ./dnstt-client -doh https://doh.example/dns-query -pubkey-file server.pub t.example.com 127.0.0.1:2222
	199	+	tunnel-client$ ssh -v -N -D 127.0.0.1:7000 -o HostKeyAlias=tunnel-server -p 2222 127.0.0.1
	200	+	tunnel-client$ curl --proxy http://127.0.0.1:7000/ https://wtfismyip.com/text
166	201		```
	202	+
	203	+
	204	+	### Tor bridge
	205	+
	206	+	You can run a Tor bridge on the tunnel server and tunnel the connection
	207	+	to the bridge with dnstt, using dnstt as like a pluggable transport. The
	208	+	Tor client provides a SOCKS interface that other programs can use. Let's
	209	+	say your Tor bridge's ORPort is 9001.
	210	+
	211	+	```
	212	+	tunnel-server$ ./dnstt-server -udp :5300 -privkey-file server.key t.example.com 127.0.0.1:9001
	213	+	```
	214	+
	215	+	```
	216	+	tunnel-client$ ./dnstt-client -doh https://doh.example/dns-query -pubkey-file server.pub t.example.com 127.0.0.1:7000
	217	+	```
	218	+
	219	+	Add a Bridge line to /etc/tor/torrc, or paste it into Tor Browser. You
	220	+	can get `FINGERPRINT` from /var/lib/tor/fingerprint on the bridge.
	221	+
	222	+	```
	223	+	Bridge 127.0.0.1:7000 FINGERPRINT
	224	+	```
	225	+
	226	+	If you use a system tor, the client SOCKS port will be 127.0.0.1:9050.
	227	+	If you use Tor Browser, it will be 127.0.0.1:9150.
167	228
168	229
169	230		## Covertness
		skipped 116 lines

Add SSH SOCKS and Tor bridge instructions.