Kurtis Velarde

Basic Self Hosted DNS/HTTPs Vagrant/Cloud Setup

Basic Self Hosted DNS/HTTPs Vagrant/Cloud Setup

Workflow attempts to setup semi anonymous http(s)/dns proxy with openvpn symmetric key. Vagrant VM is the client and cloud VM is the server.

Example Vagrantfile

Vagrant.configure("2") do |config|
  config.vm.box = "bento/ubuntu-20.04"
  config.vm.network "forwarded_port", guest: 3000, host: 3000

 config.vm.synced_folder "src/", "/host/code"

end

$ openssl enc -aes-256-cbc -in hi.txt -out hi.bin
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
$ strings hi.bin
Salted__

The private communication channel is implemented over a openvpn tunnel interface. Generate a symmetric private key and send it over the wire. Try openssl and ssh’ing it over:

Server config:

openvpn --genkey --secret secret.key

# Server side tunnel
openvpn --ifconfig 192.168.0.1 192.168.0.2 --dev tun --secret secret.key --daemon --log openvpnserver.log

# Client Side tunnel
openvpn --ifconfig 192.168.0.2 192.168.0.1 --dev tun --secret secret.key --daemon --log openvpnclient.log --remote my.cloud.ip

# into router with Masquerade for all Tun generated traffic
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o tun0 --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWRD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT


# Server squid file
apt-get install apache2-utils squid
touch /etc/squid/passwords
chmod 777 /etc/squid/passwords

htpasswd -c /etc/squid/passwords kris

cat <EOF > /etc/squid.conf >
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 24 hours
auth_param basic casesensitive off
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
dns_v4_first on
forwarded_for delete
via off
http_port 3128
EOF

##
# DNS forwarding proxy listening on tun0 interface only
##

cat <<EOF > /etc/bind/named.conf.options
acl "trusted" {
        192.168.0.1;  # host1
        192.168.0.2;  # host2
};

options {
        directory "/var/cache/bind";

        recursion yes;                 # enables resursive queries
        allow-recursion { trusted; };  # allows recursive queries from "trusted" clients
        listen-on { 192.168.0.1; };    # ns1 private IP address - listen on private network only
        allow-transfer { none; };      # disable zone transfers by default

         forwarders {
                8.8.8.8;
                8.8.4.4;
         };

        dnssec-validation auto;

        listen-on-v6 { none; };
};
EOF
# Client test on server tail query logs to insure that dns request are being routed

# Client Side tunnel 

openvpn --ifconfig 192.168.0.2 192.168.0.1 --dev tun --secret secret.key --daemon --log openvpnclient.log --remote my.cloud.ip

curl  -x http://192.168.0.1:3128 --dns-interface tun0  -Ykris:mypass  --interface tun0 -H'Cache-Control: no-cache' http://ifconfig.me

=