Building a SOCKS router on a laptop running Debian 10

For a year (or two) I put off publishing this article for one main reason: I had already published two articles describing how to build a SOCKS router out of a very ordinary laptop running Debian.

However, since then the stable version of Debian has been updated to Buster, and a fair number of people have contacted me privately asking for help with the setup, which means my previous articles were not exhaustive. Indeed, I suspected myself that the methods outlined in them did not cover all the intricacies of configuring Linux to route into SOCKS. Besides, they were written for Debian Stretch, and after upgrading to Buster I noticed small changes in how services interact under the systemd init system. And in those articles I did not use systemd-networkd, although it is the best fit for complex network configurations.

In addition to the changes above, the following services have been added to the configuration: hostapd, a service for virtualizing an access point; ntp, to synchronize time for local network clients; dnscrypt-proxy, to encrypt DNS connections and block ads on local network clients; and, as I mentioned earlier, systemd-networkd to configure the network interfaces.

Here is a simple block diagram of the internal structure of such a router.

So, let me remind you of the goals of this series of articles:

  1. Route all of the OS's connections into SOCKS, as well as connections from all devices on the same network as the laptop.
  2. In my case the laptop must remain mobile, that is, still usable as a desktop environment and not tied to a physical location.
  3. The previous point implies connecting and routing only through the built-in wireless interface.
  4. And, of course, to write a complete guide, along with an analysis of the relevant technologies to the best of my humble knowledge.

What this article covers:

  1. git - download the repositories of the tun2socks project, needed to route TCP traffic into SOCKS, and of create_ap, a script that automates setting up a virtual access point with hostapd.
  2. tun2socks - build it and install the systemd service on the system.
  3. systemd-networkd - configure the wireless and virtual interfaces, the static routing tables and packet forwarding.
  4. create_ap - install the systemd service on the system, configure and start the virtual access point.

Optional steps:

  • ntp - install and configure a server to synchronize time on the clients of the virtual access point.
  • dnscrypt-proxy - we will encrypt DNS requests, route them into SOCKS and block advertising domains for the local network.

Why all this?

This is one way to secure TCP connections on a local network. The main advantage is that all connections are made through SOCKS unless a static route through the original gateway has been built for them. This means you do not need to specify SOCKS server settings for individual programs or for clients on the local network: they all go into SOCKS by default, since it is the default gateway until we specify otherwise.

Essentially, we add a second, encrypting router in the form of the laptop in front of the original router, and use the original router's Internet connection for the laptop's already-encrypted SOCKS requests; the laptop, in turn, routes and encrypts the requests of the LAN clients.

From the provider's point of view, we are constantly connected to a single server with encrypted traffic.

Accordingly, all devices connect to the laptop's virtual access point.

Install tun2socks on the system

While your machine still has Internet access, download all the necessary tools.

apt update
apt install git make cmake

Download the badvpn package

git clone https://github.com/ambrop72/badvpn

A badvpn folder will appear on your system. Create a separate folder for the build

mkdir badvpn-build

Change into it

cd badvpn-build

Build tun2socks

cmake ../badvpn -DBUILD_NOTHING_BY_DEFAULT=1 -DBUILD_TUN2SOCKS=1

Install it on the system

make install

  • The -DBUILD_NOTHING_BY_DEFAULT=1 parameter disables building all components of the badvpn repository.
  • -DBUILD_TUN2SOCKS=1 includes the tun2socks component in the build.
  • make install installs the tun2socks binary on your system at /usr/local/bin/badvpn-tun2socks.

Install the tun2socks service in systemd

Create the file /etc/systemd/system/tun2socks.service with the following contents:

[Unit]
Description=SOCKS TCP Relay

[Service]
ExecStart=/usr/local/bin/badvpn-tun2socks --tundev tun2socks --netif-ipaddr 172.16.1.1 --netif-netmask 255.255.255.0 --socks-server-addr 127.0.0.1:9050

[Install]
WantedBy=multi-user.target

  • --tundev - takes the name of the virtual interface that we initialize with systemd-networkd.
  • --netif-ipaddr - the network address of the tun2socks "router" to which the virtual interface connects. It is best to put it in a separate reserved subnet.
  • --socks-server-addr - takes a socket (address:port of the SOCKS server).

If the SOCKS server requires authentication, you can specify the --username and --password parameters.

Next, register the service

systemctl daemon-reload

And enable it

systemctl enable tun2socks

Before starting the service, we will provide it with a virtual network interface.

Switch to systemd-networkd

Enable systemd-networkd:

systemctl enable systemd-networkd

Disable the current network services.

systemctl disable networking NetworkManager NetworkManager-wait-online

  • NetworkManager-wait-online is a service that waits for a working network connection before systemd continues starting other services that depend on the network. We disable it and switch to its systemd-networkd counterpart.

Let's enable that counterpart right away:

systemctl enable systemd-networkd-wait-online

Configure the wireless network interface

Create a systemd-networkd configuration file for the wireless network interface, /etc/systemd/network/25-wlp6s0.network.

[Match]
Name=wlp6s0

[Network]
Address=192.168.1.2/24
IPForward=yes

  • Name is the name of your wireless interface. Identify it with the ip a command.
  • IPForward - a directive that enables packet forwarding on the network interface.
  • Address is responsible for assigning an IP address to the wireless interface. We specify it statically because with the equivalent directive DHCP=yes, systemd-networkd creates a default gateway on the system. All traffic would then go through the original gateway instead of through the future virtual interface on a different subnet. You can check the current default gateway with the ip r command.

Create a static route for a remote SOCKS server

If your SOCKS server is not local but remote, you need to create a static route to it. To do this, add a Route section to the end of the wireless interface configuration file you created, with the following contents:

[Route]
Gateway=192.168.1.1
Destination=0.0.0.0

  • Gateway - the default gateway, or the address of your original access point.
  • Destination - the address of the SOCKS server.

Configure wpa_supplicant for systemd-networkd

systemd-networkd uses wpa_supplicant to connect to a secured access point. When it tries to bring the wireless interface "up", systemd-networkd starts the wpa_supplicant@name service, where name is the name of the wireless interface. If you have not used systemd-networkd before this point, this service is probably missing from your system.

So create it with the command:

systemctl enable wpa_supplicant@wlp6s0

I use wlp6s0 as the name of the wireless interface. Yours may be different. You can identify it with the ip l command.

Now the wpa_supplicant@wlp6s0 service will be launched when the wireless interface is brought "up"; however, it will look for the access point's SSID and password in the file /etc/wpa_supplicant/wpa_supplicant-wlp6s0.conf. Therefore, you need to create that file with the wpa_passphrase utility.

To do this, run the command:

wpa_passphrase SSID password > /etc/wpa_supplicant/wpa_supplicant-wlp6s0.conf

where SSID is the name of the access point, password is its password, and wlp6s0 is the name of your wireless interface.

Initialize the virtual interface for tun2socks

Create a file to initialize a new virtual interface on the system, /etc/systemd/network/25-tun2socks.netdev

[NetDev]
Name=tun2socks
Kind=tun

  • Name is the name that systemd-networkd will assign to the future virtual interface when it is initialized.
  • Kind is the type of the virtual interface. From the name of the tun2socks service you can guess that it uses an interface of type tun.
  • netdev is the extension of the files that systemd-networkd uses to initialize virtual network interfaces. The address and other network settings for these interfaces are specified in .network files.

Create such a file, /etc/systemd/network/25-tun2socks.network, with the following contents:

[Match]
Name=tun2socks

[Network]
Address=172.16.1.2/24
Gateway=172.16.1.1

  • Name - the name of the virtual interface that you specified in the netdev file.
  • Address - the IP address that will be assigned to the virtual interface. It must be on the same network as the address you specified in the tun2socks service.
  • Gateway - the IP address of the tun2socks "router", which you specified when creating the systemd service.

So the tun2socks interface has the address 172.16.1.2 and the tun2socks service has 172.16.1.1; that is, the service is the gateway for all connections from the virtual interface.
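
An added example, not part of the original article: a shell check that the tun2socks unit file and the .network file agree the way the bullets above require (Gateway equals --netif-ipaddr, Address lies in the same subnet, --tundev matches Name). The helper names and the temp-directory demo are assumptions; point check_tun2socks at the real files under /etc to use it.

```shell
# Consistency check for the tun2socks unit file and its .network file.
# ip4_to_int A.B.C.D -> the address as an integer
ip4_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# unit_opt FILE --option -> the word following --option on the ExecStart line
unit_opt() {
    sed -n 's/^ExecStart=//p' "$1" | tr ' ' '\n' | sed -n "/^$2\$/{n;p;}"
}

# net_key FILE Key -> value of the first "Key=" line in a .network file
net_key() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_tun2socks UNIT NETWORK -> prints "ok" (status 0) or the mismatch (status 1)
check_tun2socks() (
    rtr=$(unit_opt "$1" --netif-ipaddr)
    mask=$(unit_opt "$1" --netif-netmask)
    addr=$(net_key "$2" Address); addr=${addr%/*}
    gw=$(net_key "$2" Gateway)
    [ -n "$rtr" ] && [ -n "$mask" ] && [ -n "$addr" ] || { echo "missing value"; exit 1; }
    [ "$(unit_opt "$1" --tundev)" = "$(net_key "$2" Name)" ] ||
        { echo "--tundev and Name differ"; exit 1; }
    [ "$gw" = "$rtr" ] || { echo "Gateway $gw is not --netif-ipaddr $rtr"; exit 1; }
    [ "$addr" != "$rtr" ] || { echo "Address must differ from --netif-ipaddr"; exit 1; }
    m=$(ip4_to_int "$mask")
    [ $(( $(ip4_to_int "$addr") & m )) -eq $(( $(ip4_to_int "$rtr") & m )) ] ||
        { echo "Address $addr is outside $rtr/$mask"; exit 1; }
    echo ok
)

# Constructed demo input: the two files from this page, in a temp directory.
d=$(mktemp -d)
cat > "$d/tun2socks.service" <<'EOF'
[Service]
ExecStart=/usr/local/bin/badvpn-tun2socks --tundev tun2socks --netif-ipaddr 172.16.1.1 --netif-netmask 255.255.255.0 --socks-server-addr 127.0.0.1:9050
EOF
printf '[Match]\nName=tun2socks\n\n[Network]\nAddress=172.16.1.2/24\nGateway=172.16.1.1\n' \
    > "$d/25-tun2socks.network"
check_tun2socks "$d/tun2socks.service" "$d/25-tun2socks.network"
```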

Create the virtual access point

Install the dependencies:

apt install util-linux procps hostapd iw haveged

Download the create_ap repository to your machine:

git clone https://github.com/oblique/create_ap

Change into the repository folder on your machine:

cd create_ap

Install it on the system:

make install

The configuration file /etc/create_ap.conf will appear on your system. Here are the main options to edit:

  • GATEWAY=10.0.0.1 - it is better to make this a separate reserved subnet.
  • NO_DNS=1 - disable it, since this parameter will be managed by the systemd-networkd virtual interface.
  • NO_DNSMASQ=1 - disable it for the same reason.
  • WIFI_IFACE=wlp6s0 - the laptop's wireless interface.
  • INTERNET_IFACE=tun2socks - the virtual interface created for tun2socks.
  • SSID=hostapd - the name of the virtual access point.
  • PASSPHRASE=12345678 - the password.

Don't forget to enable the service:

systemctl enable create_ap

Enable the DHCP server in systemd-networkd

The create_ap service initializes the ap0 virtual interface on the system. In theory, dnsmasq hangs on this interface, but why install an extra service when systemd-networkd has a built-in DHCP server?

To enable it, we will define the network settings for the virtual access point. To do this, create the file /etc/systemd/network/25-ap0.network with the following contents:

[Match]
Name=ap0

[Network]
Address=10.0.0.1/24
DHCPServer=yes

[DHCPServer]
EmitDNS=yes
DNS=10.0.0.1
EmitNTP=yes
NTP=10.0.0.1

After the create_ap service initializes the ap0 virtual interface, systemd-networkd will automatically assign it an IP address and enable the DHCP server.

The lines EmitDNS=yes and DNS=10.0.0.1 pass the DNS server settings to the devices connected to the access point.

If you do not plan to use a local DNS server (in my case it is dnscrypt-proxy), you can change DNS=10.0.0.1 to DNS=192.168.1.1, where 192.168.1.1 is the address of your original gateway. DNS requests from the host and the local network will then go unencrypted through the provider's servers.

EmitNTP=yes and NTP=192.168.1.1 pass the NTP settings.

The same applies to the line NTP=10.0.0.1.

Install and configure the NTP server

Install it on the system:

apt install ntp

Edit the configuration /etc/ntp.conf. Comment out the default pool addresses:

#pool 0.debian.pool.ntp.org iburst
#pool 1.debian.pool.ntp.org iburst
#pool 2.debian.pool.ntp.org iburst
#pool 3.debian.pool.ntp.org iburst

Add the addresses of public servers, for example Google Public NTP:

server time1.google.com iburst
server time2.google.com iburst
server time3.google.com iburst
server time4.google.com iburst

Grant the clients on your network access to the server:

restrict 10.0.0.0 mask 255.255.255.0

Enable broadcasting to the network:

broadcast 10.0.0.255

Finally, add the addresses of these servers to the static routing table. To do this, open the wireless interface configuration file /etc/systemd/network/25-wlp6s0.network and append Route sections to the end.

[Route]
Gateway=192.168.1.1
Destination=216.239.35.0

[Route]
Gateway=192.168.1.1
Destination=216.239.35.4

[Route]
Gateway=192.168.1.1
Destination=216.239.35.8

[Route]
Gateway=192.168.1.1
Destination=216.239.35.12

You can find out the addresses of your NTP servers with the host utility, like this:

host time1.google.com

Install dnscrypt-proxy, remove ads and hide DNS traffic from your provider

apt install dnscrypt-proxy

To serve DNS queries from the host and the local network, edit the socket /lib/systemd/system/dnscrypt-proxy.socket. Change the following lines:

ListenStream=0.0.0.0:53
ListenDatagram=0.0.0.0:53

Reload systemd:

systemctl daemon-reload

Edit the configuration /etc/dnscrypt-proxy/dnscrypt-proxy.toml:

server_names = ['adguard-dns']

To route dnscrypt-proxy connections through tun2socks, add the following:

force_tcp = true

Edit the configuration /etc/resolv.conf, which tells the host which DNS servers to use.

nameserver 127.0.0.1
nameserver 192.168.1.1

The first line enables the use of dnscrypt-proxy; the second line uses the original gateway in case the dnscrypt-proxy server is unavailable.

Done!

Reboot, or stop the running network services:

systemctl stop networking NetworkManager NetworkManager-wait-online

And restart everything needed:

systemctl restart systemd-networkd tun2socks create_ap dnscrypt-proxy ntp

After a reboot or restart, you will have a second access point that routes the host and the LAN devices into SOCKS.

This is what the output of ip a looks like on an ordinary laptop:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: tun2socks: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 500
    link/none 
    inet 172.16.1.2/24 brd 172.16.1.255 scope global tun2socks
       valid_lft forever preferred_lft forever
    inet6 fe80::122b:260:6590:1b0e/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
3: enp4s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether e8:11:32:0e:01:50 brd ff:ff:ff:ff:ff:ff
4: wlp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 4c:ed:de:cb:cf:85 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global wlp6s0
       valid_lft forever preferred_lft forever
    inet6 fe80::4eed:deff:fecb:cf85/64 scope link 
       valid_lft forever preferred_lft forever
5: ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 4c:ed:de:cb:cf:86 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 brd 10.0.0.255 scope global ap0
       valid_lft forever preferred_lft forever
    inet6 fe80::4eed:deff:fecb:cf86/64 scope link 
       valid_lft forever preferred_lft forever
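
An added example, not from the original article: a check over ip route output that the default route really points at tun2socks and that the only routes bypassing SOCKS are the ones added on purpose. The function names, the sample routing table and the 203.0.113.10 SOCKS server address are constructed for illustration.

```shell
# route_audit TUNDEV "ALLOWED DESTINATIONS" < output of "ip route"
# Lists routes that leave through a gateway on another device, i.e. traffic
# that does not enter SOCKS. Status 1 if the default route is missing or not
# on TUNDEV, or if a bypass route is not in the allowed list.
# Directly connected subnets (no "via") are local and are not reported.
route_audit() {
    awk -v tun="$1" -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok_dst[a[i]] = 1 }
        {
            dev = ""; via = ""
            for (i = 2; i < NF; i++) {
                if ($i == "dev") dev = $(i + 1)
                if ($i == "via") via = $(i + 1)
            }
        }
        $1 == "default" {
            if (dev == tun) have_default = 1
            else { bad = 1; print "LEAK default via " via " dev " dev }
            next
        }
        via != "" && dev != tun {
            if ($1 in ok_dst) print "bypass " $1 " via " via
            else { bad = 1; print "UNEXPECTED " $1 " via " via }
        }
        END { exit !(have_default && !bad) }
    '
}

# Constructed sample of "ip route" for this setup; 203.0.113.10 stands in for
# a remote SOCKS server, 216.239.35.0 is one of the NTP routes from the page.
sample_routes() {
    cat <<'EOF'
default via 172.16.1.1 dev tun2socks proto static
10.0.0.0/24 dev ap0 proto kernel scope link src 10.0.0.1
172.16.1.0/24 dev tun2socks proto kernel scope link src 172.16.1.2
192.168.1.0/24 dev wlp6s0 proto kernel scope link src 192.168.1.2
203.0.113.10 via 192.168.1.1 dev wlp6s0 proto static
216.239.35.0 via 192.168.1.1 dev wlp6s0 proto static
EOF
}

sample_routes | route_audit tun2socks "203.0.113.10 216.239.35.0"
```

On the live system, feed it the real table: ip route | route_audit tun2socks "list of your SOCKS and NTP addresses".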

In conclusion

  1. The provider sees only an encrypted connection to your SOCKS server, which means it sees nothing.
  2. However, it does see your NTP requests; to prevent this, remove the static routes for the NTP servers. That said, it is not certain that your SOCKS server allows the NTP protocol.

A quirk noticed in Debian 10

If you try to restart the network service from the console, it will fail with an error. This is because part of it, in the form of the virtual interface, is bound to the tun2socks service, which means it is in use. To restart the network service, you must stop the tun2socks service first. But I think that if you have read this far, this will certainly not be a problem for you!

Source: www.habr.com