 proxychains (Linux) |
Table of Content |
JonDo Interface 
|
Howto add Transparent Proxy to JonDo
JonDo and JonDoDaemon do not offer a transparent proxy port nor DNS port. To redirect the traffic with firewall rules to JonDo you have to use a transparent proxy tool like tranSOCKS_ev and a local DNS server like HTTPSDNS daemon. Both tools can use JonDo like a upstream proxy for traffic anonymisation. tranSOCKS_ev works only with JonDonym premium services, HTTPSDNS daemon can use free mix cascades too.
The following tutorial is not for beginners.
Howto use tranSOCKS_ev
tranSOCKS_ev provides a transparent proxy port and forward incoming traffic to a SOCKS5 proxy like JonDo. It is developed at tiggersWelt.net. You can download an extented source archive transocks_ev.tar.bz2 (OpenPGP signature) from our server.
For compilation of transocks_ev.c the libraries libevent and developer files are requiered. Please install it with the package manager of your distribution.
> sudo aptitude install libevent-devUnpack the archiv, compile the software and install it by running:
> make && sudo make installCreate a new user for running tranSOCKS_ev:
> sudo adduser --system --disabled-password --group transocks_daemonStart tranSOCKS_ev proxy
> sudo -u transocks_daemon transocks_ev -H 127.0.0.1 -p 4008 -S 127.0.0.1 -s 4001parameter description -H IP The local IP-Address where tranSOCKS_ev should bind to -p port The local port where tranSOCKS_ev should listen for incoming connections -s port The port of your SOCKS5 server (JonDo listen port) -S IP The IP address of your SOCKS5 server (IP of JonDo) -f Keep the application in foreground The archive contains a sys-V-init script for Debian GNU/Linux to start the daemon at boot time (it works for Ubuntu and Linux Mint too). Copy the script to /etc/init.d/ and add it to the boot sequence:
> sudo cp init.d/transocks.debian /etc/init.d/transocks
> sudo insserv transocksYou can modify listen port and IP address of tranSOCKS_ev and upstream SOCKS5 proxy (JonDo) by edit the variables in the start script.
Howto use HTTPSDNS daemon
HTTPSDNS daemon is a small local DNS server. It redirects DNS queries over the HTTPS protocol to a HTTPSDNS server and uses JonDo proxy client for anonymisation of traffic. You can download the archive httpsdnsd.tar.bz2 (OpenPGP signature) from our server.
- HTTPSDNS daemon is written in Perl. The following Perl Modules are requiered by the HTTPS-DNS daemon:
Log::Log4perl,
Net::Server::Daemonize,
Net::SSLeay,
XML::Simple,
Net::DNS,
Net::DNS::NameserverYou may install the requiered modules from CPAN by:
> sudo perl -MCPAN -e shell
...
cpan> install Log::Log4perl Net::Server::Daemonize ....Or you may use the package manager of your distribution to install the modules:
> sudo aptitude install libnet-ssleay-perl libnet-server-perl libnet-dns-perl libxml-simple-perl liblog-log4perl-perl To install HTTPSDNS daemon unpack the archive and run the install script:
> sudo install.shCreate a new user for running HTTPSDNS daemon:
> sudo adduser --system --disabled-password --group httpsdns_daemon- Afterwards you can start HTTPSDNS daemon by: > sudo httpsdnsd --runasdaemon
It is possible to modify the behaviour of the daemon by command line arguments. For full description of all command line parameter have a look at the man page.
parameter description default value --host The local IP-Address where httpsdnsd should bind to. 127.0.0.1 --port The local port where httpsdnsd should listen for incoming connections. 4053 --https_proxy_port The port of of upstream proxy (JonDo listen port). 4001 --https_proxy_host The IP address of upstream proxy (IP of JonDo). 127.0.0.1 --runasdaemon Daemonize httpsdnsd --daemon-user UID for the daemon httpsdns_daemon --daemon-group GID for the daemon httpsdns_daemon The archive contains a sys-V-init script for Debian GNU/Linux to start the daemon at boot time (it works for Ubuntu and Linux Mint too). Copy the script to /etc/init.d/ and add it to the boot sequence:
> sudo cp init.d/httpsdnsd.debian /etc/init.d/httpsdnsd
> sudo insserv httpsdnsdYou can modify listen port and IP address of HTTPSDNS daemon and upstream proxy (JonDo) by edit the variables in the start script.
Improve performance of DNS resolution by using a DNS caching daemon
To improve the performance of DNS resolution you may use a DNS caching daemon like pdnsd or bind. The subdirectory "misc" contains sample configurations for both DNS servers. We recommed the light-weight daemon pdnsd, bind is overkill. Install pdnsd with the package manager of your distribution and copy the sample configuration to "/usr/share/pdnsd".
> sudo aptitude install pdnsd> sudo cp misc/pdnsd-httpsdns.conf /usr/share/pdnsd/
Edit the line AUTO_MODE in the file "/etc/default/pdnsd" and choose the httpsdns configuration.
AUTO_MODE=httpsdnsAfter restart of pdnsd the daemon is listen at port 2053. In case of cache missmatch it will ask the httpsdns daemon listen at port 4053 for DNS resolution. Adapt the firewall rules below and replace "4053" by "2053".
Firewall Rules
If tranSOCKS_ev and HTTPSDNS daemon were running you can add rules to your firewall to redirect the traffic of a user or a group to JonDo or JonDoDaemon. The following example for iptables redirects all outgoing TCP traffic of the user with UID anonuser over transocks_ev to JonDo, DNS traffic to HTTPSDNS daemon and rejects all other traffic of this user. You may use --gid-owner to redirect the traffic by group.
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner anonuser -m udp --dport 53 -j REDIRECT --to-ports 4053iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner anonuser -m tcp --dport 53 -j REDIRECT --to-ports 4053
iptables -t nat -A OUTPUT ! -o lo -p tcp -m owner --uid-owner anonuser -m tcp -j REDIRECT --to-ports 4008
iptables -t filter -A OUTPUT -p udp -m owner --uid-owner anonuser -m udp --dport 4053 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -m owner --uid-owner anonuser -m tcp --dport 4053 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -m owner --uid-owner anonuser -m tcp --dport 4008 -j ACCEPT
iptables -t filter -A OUTPUT ! -o lo -m owner --uid-owner anonuser -j REJECT
Hint: JonDo proxy client must not running with UID anonuser or may not running on the same computer!
| proxychains (Linux) |
Table of Content |
JonDo Interface
|
