TOR exit for LAN2LAN #57
Comments
@blubbbiz Okay, I'll try to explain this as best I can. You'll need to gain some familiarity with iptables rules. Wiregate ships with four configurations, each with its own distinct preset iptables rules, via shell scripts called by the PostUp/PostDown fields in the interface config files. These can be modified in the dashboard by changing the file path.

For example:

# Masquerade WireGuard LAN Internal Services
iptables -t nat -I POSTROUTING -o $MASQUERADE_INTERFACE -d 10.2.0.4 -p tcp -m multiport --dports 80,443 -j MASQUERADE -s $WIREGUARD_LAN
# RETURN ends nat PREROUTING processing for this destination, so later rules in that chain are skipped for it.
iptables -t nat -A PREROUTING -i $WIREGUARD_INTERFACE -d 10.2.0.4 -j RETURN

# Let's say you had another container running at 10.2.0.12 on the same Docker network, for simplicity's sake.
# You would have to also allow masquerading to that address by adding the following lines.
iptables -t nat -I POSTROUTING -o $MASQUERADE_INTERFACE -d 10.2.0.12 -p tcp -m multiport --dports 80,443 -j MASQUERADE -s $WIREGUARD_LAN
iptables -t nat -A PREROUTING -i $WIREGUARD_INTERFACE -d 10.2.0.12 -j RETURN

# Let's say I had another service at 10.2.0.32, but I need to access it on port 3000.
# You would add something like this.
iptables -t nat -I POSTROUTING -o $MASQUERADE_INTERFACE -d 10.2.0.32 -p tcp -m multiport --dports 3000 -j MASQUERADE -s $WIREGUARD_LAN
iptables -t nat -A PREROUTING -i $WIREGUARD_INTERFACE -d 10.2.0.32 -j RETURN

# Wiregate ships with secure default firewall rules, but it's your ship after that.
# Configure to your heart's desire.

Btw, you should check out that branch. It's double-masking traffic into the server and out of the server. AmneziaWG is obfuscated WireGuard running in userspace. To Deep Packet Inspection it looks like regular encrypted UDP traffic, because it scrambles the WireGuard headers.

TIPS: https://gist.github.com/qdm12/4e0e4f9d1a34db9cf63ebb0997827d0d |
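The per-service rule pair above can be generated instead of hand-copied. The script below is an added example, not Wiregate's own post-up script: it takes a destination, protocol list and port spec and emits the same MASQUERADE/RETURN pair, and it generalises to udp and to port ranges (xt_multiport accepts `40000:65535`; at most 15 entries, a range counting as two). The variable names follow the rules above; the interface and subnet defaults, the `IPTABLES` dry-run switch and the `service_rules` function name are assumptions. One deliberate difference from the rules quoted: the RETURN rule is inserted with `-I` rather than appended with `-A`, because a RETURN only exempts the destination from rules that come after it in nat PREROUTING, so an appended one is ineffective if the preset script already appended a redirect rule earlier.

```sh
#!/bin/sh
# Added example, not part of Wiregate. Generates the nat rules that expose an
# internal Docker-network service to the WireGuard LAN, for any number of
# services, protocols and port specs. Defaults below are assumptions.
MASQUERADE_INTERFACE="${MASQUERADE_INTERFACE:-eth0}"
WIREGUARD_INTERFACE="${WIREGUARD_INTERFACE:-wg0}"
WIREGUARD_LAN="${WIREGUARD_LAN:-10.0.0.0/24}"
IPTABLES="${IPTABLES:-iptables}"    # IPTABLES="echo iptables" prints instead of applying

# service_rules DEST PROTOS PORTS
#   DEST    IP of the container/host on the Docker network, e.g. 10.2.0.4
#   PROTOS  tcp, udp or tcp,udp
#   PORTS   xt_multiport spec: "80,443", "3000" or "40000:65535"
#           (at most 15 entries; a range counts as two)
service_rules() {
  dest=$1 protos=$2 ports=$3
  case "$dest" in
    *[!0-9.]*|'') echo "service_rules: bad address '$dest'" >&2; return 1 ;;
  esac
  case "$ports" in
    *[!0-9,:]*|'') echo "service_rules: bad port spec '$ports'" >&2; return 1 ;;
  esac
  # Masquerade only WireGuard-LAN sources, only to this destination and these
  # ports: the target container then answers to the gateway's own address
  # instead of to a peer address it has no route for.
  for proto in $(printf '%s' "$protos" | tr ',' ' '); do
    $IPTABLES -t nat -I POSTROUTING -o "$MASQUERADE_INTERFACE" -s "$WIREGUARD_LAN" \
      -d "$dest" -p "$proto" -m multiport --dports "$ports" -j MASQUERADE || return 1
  done
  # RETURN stops nat PREROUTING processing for this destination, so any rule
  # later in that chain (for instance a redirect to a transparent proxy) never
  # sees it. -I places it ahead of whatever the preset script already added.
  $IPTABLES -t nat -I PREROUTING -i "$WIREGUARD_INTERFACE" -d "$dest" -j RETURN
}

# Dry-run demo: sh service-rules.sh --dry-run
if [ "${1:-}" = "--dry-run" ]; then
  IPTABLES="echo iptables"
  service_rules 10.2.0.4  tcp     80,443         # the web service from the rules above
  service_rules 10.2.0.32 tcp     3000           # single port
  service_rules 10.2.0.32 tcp,udp 40000:65535    # port range, both protocols
fi
```

Source the file from the preset's post-up script (or paste the function into it) and call `service_rules` once per service; run it with `--dry-run` first and compare the printed commands against `iptables -t nat -S` to see where they land relative to the existing rules.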
Hey, thanks for that long answer :) Seems like I need to study Docker more first, as I just don't get it to work with your how-to here. Any more hints or instructions on how I could set up Amnezia on an Ubuntu host with a Tor exit (don't care which plugin etc., but it would be nice if it's not the slowest)? I understood then that I have to modify the iptables rules to expose the internal services, which worked :) But then I didn't have access to the internet with the clients. Maybe the Tor proxy didn't work. |
@blubbbiz I got lazy writing the reply. Download and watch the video below instead |
That was again very nice of you and it helped me instantly to get the Docker containers running. BUT I couldn't scan the QR code with the iOS app from the AmneziaVPN app, and it also had no connection to the internet. Now I'm looking back at how I got it running the first time and hope I get it to work at least with WireGuard... |
@blubbbiz The AmneziaVPN app needs the config to be manually selected. There's another app called AmneziaWG that works. |
Got it to work "mostly" :D `./stackscript.sh -b main -r E-A-C -t Tor-snow -n default` got me a semi-working build; I can connect with iOS and VMs, and it goes out over Tor. Laggy but somehow OK. But now I got the feedback that Android isn't working. Then I tried an Android emulator and it didn't work either. So it seems to be an Android issue; maybe you have a hint in the right direction? And if you have an optimized torrc file it would be nice too :) |
@blubbbiz Try using this for your dnscrypt config, and set the Tor exit nodes closer to your actual country. I'm still working on optimizations.

listen_addresses = ['0.0.0.0:5053']
proxy = 'socks5://wiregate:9053'
max_clients = 250
ipv4_servers = true
ipv6_servers = true
dnscrypt_servers = true
#doh_servers = true
require_dnssec = false
require_nolog = true
require_nofilter = false
force_tcp = true
timeout = 2500
cert_refresh_delay = 240
dnscrypt_ephemeral_keys = true
#fallback_resolvers = ['81.17.31.34:53', '163.172.34.56:53']
ignore_system_dns = true
block_ipv6 = false
cache = true
cache_size = 4200
cache_min_ttl = 600
cache_max_ttl = 86400
cache_neg_ttl = 60

[sources]

[sources.'public-resolvers']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resol>
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
cache_file = 'public-resolvers.md'

[sources.'cs-resolvers']
urls = ['https://cryptostorm.is/cs-resolvers.md', 'https://raw.githubusercontent.com/cryptost>
cache_file = 'cs-resolvers.md'
minisign_key = 'RWTzXTWKLLKfM3fRQW0CUwSN17U3YMsVcVdfi3ERraxuttv2tL8dsdUE'
refresh_delay = 72

[sources.'cs-relays']
urls = ['https://cryptostorm.is/cs-relays.md', 'https://raw.githubusercontent.com/cryptostorm>
cache_file = 'cs-relays.md'
minisign_key = 'RWTzXTWKLLKfM3fRQW0CUwSN17U3YMsVcVdfi3ERraxuttv2tL8dsdUE'
prefix = '' |
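The config above routes dnscrypt-proxy through Tor's SOCKS port, which only works if a few global settings agree with each other: dnscrypt-proxy's own example configuration notes that Tor does not carry UDP, so `proxy` has to be paired with `force_tcp = true`, and bootstrap lookups should not fall back to the host's resolver. The check below is an added example, not part of Wiregate or dnscrypt-proxy; it reads only the global section of a dnscrypt-proxy.toml with a minimal key = value scanner (assumption: one setting per line, as in the config above) and reports any setting that would let DNS bypass Tor. The function names are assumptions.

```sh
#!/bin/sh
# Added example, not part of Wiregate or dnscrypt-proxy: sanity-check the
# global section of dnscrypt-proxy.toml for Tor-SOCKS consistency.

# cfg_get FILE KEY
#   Prints KEY's value from the global section (everything before the first
#   [table]), with quotes, spaces and trailing comments stripped; empty if unset.
cfg_get() {
  sed -n -e '/^[[:space:]]*\[/q' \
         -e 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*//p' "$1" \
    | head -n 1 | sed 's/[[:space:]]*#.*$//' | tr -d "'\" "
}

# check_tor_dns FILE
#   Prints one finding per line; returns 1 if anything would bypass Tor.
check_tor_dns() {
  f=$1 rc=0
  proxy=$(cfg_get "$f" proxy)
  case "$proxy" in
    socks5://*) ;;
    '') echo "proxy: unset, resolvers would be reached directly instead of through Tor"; rc=1 ;;
    *)  echo "proxy: '$proxy' is not a socks5:// URL"; rc=1 ;;
  esac
  if [ "$(cfg_get "$f" force_tcp)" != true ]; then
    echo "force_tcp: must be true, Tor's SOCKS port carries TCP only"; rc=1
  fi
  if [ "$(cfg_get "$f" ignore_system_dns)" != true ]; then
    echo "ignore_system_dns: should be true so bootstrap lookups do not use the host resolver"; rc=1
  fi
  if [ "$(cfg_get "$f" dnscrypt_servers)" != true ] && [ "$(cfg_get "$f" doh_servers)" != true ]; then
    echo "dnscrypt_servers/doh_servers: at least one must be true or no resolver is selected"; rc=1
  fi
  return $rc
}

# Usage: sh check-tor-dns.sh /path/to/dnscrypt-proxy.toml
if [ -n "${1:-}" ]; then
  check_tor_dns "$1" && echo "ok: DNS is pinned to the SOCKS proxy"
fi
```

Run it against the container's dnscrypt-proxy.toml after editing; the posted config passes, and flipping `force_tcp` to false is the single change that would quietly let UDP queries go out without Tor.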
OK great, will try :) Is this for the Android issue or the "laggy connection" issue? As the Android issue is the "neckbreaker". Also I don't get why a "normal" (installed by package manager apt) WireGuard server instance has no problem with the Android client, but this one has. I assume because of Docker, but I need to get my Graphene phone later today/this week to try on here myself.
On Mon., 25 Nov. 2024 at 19:35, Noxcis ***@***.*** wrote:
> @blubbbiz try using this for your dnscrypt config, and set the Tor exit nodes closer to your actual country. I'm still working on optimizations.
|
@blubbbiz Not sure about your Android issue, but changing the dnscrypt setup will improve your latency. So far I've tested across all the major and non-major operating systems with no issues? Would you be able to provide more detail? |
The container is running an Alpine distro, but I've used my mom's Android for testing and she hasn't been able to tell it's even running on her phone. So I would like to know what's causing your issue. |
@blubbbiz You don't have to reinstall the whole thing each time. It's a containerized network stack at the end of the day. |
Yeah, need to find out that part when it all runs smoothly :) For now I got it to work 90%; I just need to find out how to allow access to the port range 40000-65535 UDP and TCP on a service for the other members. Will look into your iptables link now. With single ports it works perfectly :) |
@blubbbiz Send me your docker compose and Members iptables. |
Just sent you an email :) Also I didn't find any donate links from you. Maybe you have one? And maybe publish it on your pages as well; I can imagine that with this high quality of support, other users want to donate something too :) |
Hi,
I have a problem: I need to access internal services on the internal VPN LAN. When I use LANP2P I can see the needed services, BUT the traffic isn't going out via Tor, which I need. Vice versa, when I use Members I can't see the services, but I'm going out through Tor as expected. How can I see the other members in the subnet AND go out through Tor? I want the clients to have access to internal services but use the Tor exit so that the server IP is hidden. Thanks for pushing me in the right direction :)