
Howto add Transparent Proxy to JonDo

JonDo and JonDoDaemon offer neither a transparent proxy port nor a DNS port. To redirect traffic to JonDo with firewall rules you have to use a transparent proxy tool like tranSOCKS_ev and a local DNS server like the HTTPSDNS daemon. Both tools can use JonDo as an upstream proxy for traffic anonymisation. tranSOCKS_ev works only with JonDonym premium services; the HTTPSDNS daemon can use free mix cascades too.

The following tutorial is not for beginners.

Howto use tranSOCKS_ev

tranSOCKS_ev provides a transparent proxy port and forwards incoming traffic to a SOCKS5 proxy like JonDo. It is developed at tiggersWelt.net. You can download an extended source archive transocks_ev.tar.bz2 (OpenPGP signature) from our server.

  1. For compilation of transocks_ev.c the library libevent and its developer files are required. Please install them with the package manager of your distribution:

    > sudo aptitude install libevent-dev

  2. Unpack the archive, compile the software and install it by running:

    > make && sudo make install

  3. Create a new user for running tranSOCKS_ev:

    > sudo adduser --system --disabled-password --group transocks_daemon

  4. Start the tranSOCKS_ev proxy:

    > sudo -u transocks_daemon transocks_ev -H 127.0.0.1 -p 4008 -S 127.0.0.1 -s 4001

    parameter   description
    -H IP       The local IP address tranSOCKS_ev should bind to
    -p port     The local port where tranSOCKS_ev listens for incoming connections
    -s port     The port of your SOCKS5 server (JonDo listen port)
    -S IP       The IP address of your SOCKS5 server (IP of JonDo)
    -f          Keep the application in the foreground

  5. The archive contains a sys-V init script for Debian GNU/Linux to start the daemon at boot time (it works for Ubuntu and Linux Mint too). Copy the script to /etc/init.d/ and add it to the boot sequence:

    > sudo cp init.d/transocks.debian /etc/init.d/transocks
    > sudo insserv transocks

    You can modify the listen port and IP address of tranSOCKS_ev and of the upstream SOCKS5 proxy (JonDo) by editing the variables in the start script.

Howto use HTTPSDNS daemon

The HTTPSDNS daemon is a small local DNS server. It forwards DNS queries over the HTTPS protocol to an HTTPSDNS server and uses the JonDo proxy client to anonymise that traffic. You can download the archive httpsdnsd.tar.bz2 (OpenPGP signature) from our server.

  1. The HTTPSDNS daemon is written in Perl. The following Perl modules are required by the HTTPS-DNS daemon:

    Log::Log4perl
    Net::Server::Daemonize
    Net::SSLeay
    XML::Simple
    Net::DNS
    Net::DNS::Nameserver

    You may install the required modules from CPAN by:

    > sudo perl -MCPAN -e shell
    ...
    cpan> install Log::Log4perl Net::Server::Daemonize ....

    Or you may use the package manager of your distribution to install the modules:

    > sudo aptitude install libnet-ssleay-perl libnet-server-perl libnet-dns-perl libxml-simple-perl liblog-log4perl-perl

  2. To install the HTTPSDNS daemon, unpack the archive and run the install script from the unpacked directory:

    > sudo ./install.sh

  3. Create a new user for running the HTTPSDNS daemon:

    > sudo adduser --system --disabled-password --group httpsdns_daemon

  4. Afterwards you can start the HTTPSDNS daemon by:

    > sudo httpsdnsd --runasdaemon

  5. It is possible to modify the behaviour of the daemon by command line arguments. For a full description of all command line parameters have a look at the man page.

    parameter            description                                                            default value
    --host               The local IP address where httpsdnsd should bind to                    127.0.0.1
    --port               The local port where httpsdnsd should listen for incoming connections  4053
    --https_proxy_port   The port of the upstream proxy (JonDo listen port)                     4001
    --https_proxy_host   The IP address of the upstream proxy (IP of JonDo)                     127.0.0.1
    --runasdaemon        Daemonize httpsdnsd
    --daemon-user        UID for the daemon                                                     httpsdns_daemon
    --daemon-group       GID for the daemon                                                     httpsdns_daemon

  6. The archive contains a sys-V init script for Debian GNU/Linux to start the daemon at boot time (it works for Ubuntu and Linux Mint too). Copy the script to /etc/init.d/ and add it to the boot sequence:

    > sudo cp init.d/httpsdnsd.debian /etc/init.d/httpsdnsd
    > sudo insserv httpsdnsd

    You can modify the listen port and IP address of the HTTPSDNS daemon and of the upstream proxy (JonDo) by editing the variables in the start script.

Improve performance of DNS resolution by using a DNS caching daemon

To improve the performance of DNS resolution you may use a DNS caching daemon like pdnsd or bind. The subdirectory "misc" contains sample configurations for both DNS servers. We recommend the light-weight daemon pdnsd; bind is overkill. Install pdnsd with the package manager of your distribution and copy the sample configuration to "/usr/share/pdnsd":

> sudo aptitude install pdnsd
> sudo cp misc/pdnsd-httpsdns.conf /usr/share/pdnsd/

Edit the line AUTO_MODE in the file "/etc/default/pdnsd" and choose the httpsdns configuration:

AUTO_MODE=httpsdns

After a restart of pdnsd the daemon listens on port 2053. On a cache miss it asks the HTTPSDNS daemon listening on port 4053 for DNS resolution. Adapt the firewall rules below and replace "4053" by "2053".

Firewall Rules

Once tranSOCKS_ev and the HTTPSDNS daemon are running you can add rules to your firewall to redirect the traffic of a user or a group to JonDo or JonDoDaemon. The following example for iptables redirects all outgoing TCP traffic of the user with UID anonuser over transocks_ev to JonDo and its DNS traffic to the HTTPSDNS daemon, and rejects all other traffic of this user. You may use --gid-owner to redirect the traffic by group.

iptables -t nat -A OUTPUT -p udp -m owner --uid-owner anonuser -m udp --dport 53 -j REDIRECT --to-ports 4053
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner anonuser -m tcp --dport 53 -j REDIRECT --to-ports 4053
iptables -t nat -A OUTPUT ! -o lo -p tcp -m owner --uid-owner anonuser -m tcp -j REDIRECT --to-ports 4008
iptables -t filter -A OUTPUT -p udp -m owner --uid-owner anonuser -m udp --dport 4053 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -m owner --uid-owner anonuser -m tcp --dport 4053 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -m owner --uid-owner anonuser -m tcp --dport 4008 -j ACCEPT
iptables -t filter -A OUTPUT ! -o lo -m owner --uid-owner anonuser -j REJECT

Hint: The JonDo proxy client must not run with UID anonuser, or else it must not run on the same computer!
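A small audit helper, added here as an example and not part of the JonDo tools, that checks an iptables-save dump for the rule set above: the two DNS redirects, the catch-all TCP redirect to transocks_ev, the ACCEPT rules for the local ports and a final REJECT for the UID, and flags a missing REJECT or a DNS redirect shadowed by the catch-all. It assumes the default ports 4053 and 4008 (pass dns_port=2053 when pdnsd is used) and that the UID is given numerically, as iptables-save prints it (id -u anonuser); the embedded dump is a constructed sample with an assumed UID of 1001.

```python
import re

# Constructed `iptables-save` sample for this page's rule set (iptables-save prints
# numeric UIDs; 1001 is an assumed UID for "anonuser").
SAMPLE_DUMP = """\
*nat
-A OUTPUT -p udp -m owner --uid-owner 1001 -m udp --dport 53 -j REDIRECT --to-ports 4053
-A OUTPUT -p tcp -m owner --uid-owner 1001 -m tcp --dport 53 -j REDIRECT --to-ports 4053
-A OUTPUT ! -o lo -p tcp -m owner --uid-owner 1001 -m tcp -j REDIRECT --to-ports 4008
COMMIT
*filter
-A OUTPUT -p udp -m owner --uid-owner 1001 -m udp --dport 4053 -j ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner 1001 -m tcp --dport 4053 -j ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner 1001 -m tcp --dport 4008 -j ACCEPT
-A OUTPUT ! -o lo -m owner --uid-owner 1001 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

def output_rules(dump, uid):
    """Return (nat, filter) lists of OUTPUT-chain rules owned by the UID, in order."""
    tables, cur = {"nat": [], "filter": []}, None
    for line in dump.splitlines():
        if line.startswith("*"):                       # "*nat" / "*filter" opens a table
            cur = line[1:].strip()
        elif cur in tables and line.startswith("-A OUTPUT ") and f"--uid-owner {uid} " in line:
            tables[cur].append(line)
    return tables["nat"], tables["filter"]

def find(rules, *tokens):                              # whole, space-delimited token matches
    return [i for i, r in enumerate(rules)
            if all(re.search(rf"(?<!\S){re.escape(t)}(?!\S)", r) for t in tokens)]

def audit_anon_rules(dump, uid, dns_port=4053, socks_port=4008):
    """Return the list of problems found; an empty list means the rule set is complete."""
    problems, (nat, flt) = [], output_rules(dump, uid)
    dns_udp = find(nat, "-p udp", "--dport 53", f"--to-ports {dns_port}")
    dns_tcp = find(nat, "-p tcp", "--dport 53", f"--to-ports {dns_port}")
    catch = [i for i in find(nat, "-p tcp", f"--to-ports {socks_port}") if "--dport" not in nat[i]]
    if not dns_udp: problems.append("UDP/53 is not redirected to the DNS daemon")
    if not dns_tcp: problems.append("TCP/53 is not redirected to the DNS daemon")
    if not catch: problems.append("no catch-all TCP redirect to transocks_ev")
    elif dns_tcp and dns_tcp[0] > catch[0]:            # nat rules are first-match: order matters
        problems.append("TCP/53 redirect is shadowed by the catch-all TCP redirect")
    rej = find(flt, "-j REJECT")
    if not rej: problems.append("no final REJECT: non-proxied traffic would leak")
    elif rej[0] != len(flt) - 1: problems.append("REJECT is not the last rule for this UID")
    for port in (dns_port, socks_port):                # redirected packets must still be allowed out
        if not find(flt, f"--dport {port}", "-j ACCEPT"):
            problems.append(f"no ACCEPT for local port {port}")
    return problems
```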

 
