VPS as an anonymous proxy and not only ...
Today, every Internet user can purchase a VPS and use a remote server, for example, to host their own website or run a DNS server. In this post I will talk about a non-standard use of a VPS: how to create a personal anonymous proxy server and provide backup access to existing services.
Initial data:
- VPS in Europe (FreeBSD 8.3) with a public IP (yyy.yyy.yyy.yyy)
- Internet gateway in Russia (FreeBSD 8.1) with a public IP (xxx.xxx.xxx.xxx)
- LAN behind the gateway with servers (HTTP-SERVER, HTTPS-SERVER, PROXY-SERVER)
Access to Internet resources through an anonymous proxy server
Client ---> Internet Gateway (PF) --rdr -> Local Proxy Server (SQUID) --vpn -> VPS Proxy Server (SQUID) ---> Internet
PF Firewall on Internet Gateway
For anonymous access to certain resources, we create a PF table holding their IP addresses:
table <anonymsites> persist file "/etc/pf/iplists/anonymsites.txt"
In our scheme, the client uses a transparent proxy, so in PF you need to create a redirect:
ext_ip="xxx.xxx.xxx.xxx"
int_if="internal interface"
# $clients is assumed to be a macro listing the LAN client addresses; only connections to the
# addresses in <anonymsites> are intercepted, everything else leaves the gateway directly
rdr on $int_if proto tcp from $clients to <anonymsites> port 80 -> $ext_ip port 3129
rdr on $int_if proto tcp from $clients to <anonymsites> port 443 -> $ext_ip port 3129
This redirects client traffic on ports 80 and 443 that is destined for the listed resources to the local proxy server (port 3129).
Local proxy server SQUID
Add the following directives to the standard Squid 2.7 configuration that serves as the proxy for the local network:
# "transparent" is required in Squid 2.7 to accept the connections intercepted by the PF rdr rules.
# Note that intercepted port 443 traffic arrives as TLS, which Squid 2.7 cannot proxy transparently;
# only the port 80 traffic is actually proxied this way.
http_port 3129 transparent
# anonymity on the network
header_access From deny all
header_access Server deny all
header_access User-Agent deny all
header_access WWW-Authenticate deny all
header_access Link deny all
header_access X-Forwarded-For deny all
header_access Via deny all
header_access Cache-Control deny all
# with forwarded_for off Squid 2.7 still sends "X-Forwarded-For: unknown"; the deny rule above removes the header entirely
forwarded_for off
# send all incoming traffic to the parent proxy server on the VPS through the vpn tunnel
cache_peer 10.10.10.250 parent 3128 0 no-query no-digest
cache_peer_access 10.10.10.250 allow all
never_direct allow all
OpenVPN Tunnel
We create a VPN tunnel between the Internet gateway and the VPS by installing the OpenVPN server (10.10.10.1) on the gateway and the client on the VPS (10.10.10.250).
# OpenVPN server configuration (on the Internet gateway)
mode server
tls-server
port 2080
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
# 1024-bit DH parameters were usual at the time; a 2048-bit group is the minimum to generate today
dh /etc/openvpn/keys/dh1024.pem
tls-auth /etc/openvpn/keys/ta.key 0
topology subnet
ifconfig 10.10.10.1 255.255.255.0
keepalive 10 120
max-clients 10
comp-lzo
# 3DES is weak by current standards; AES-256-CBC is supported by the same OpenVPN releases
cipher DES-EDE3-CBC
user nobody
# FreeBSD has no "nogroup" group; its unprivileged group is "nobody"
group nobody
persist-key
persist-tun
verb 4
mute 20
client-to-client
# per-client files, e.g. one giving the VPS its fixed address 10.10.10.250 via ifconfig-push
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
# OpenVPN client configuration (on the VPS)
client
dev tun
proto udp
# public address of the Internet gateway
remote xxx.xxx.xxx.xxx 2080
pull
topology subnet
user nobody
group nobody
persist-key
persist-tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/vps.crt
key /usr/local/etc/openvpn/keys/vps.key
tls-client
tls-auth /usr/local/etc/openvpn/keys/ta.key 1
# must match the cipher on the server side (3DES here; AES-256-CBC would be the stronger choice on both ends)
cipher DES-EDE3-CBC
comp-lzo
verb 3
status /var/log/openvpn-status.log
log /var/log/openvpn.log
mute 20
VPS proxy server SQUID
Standard Squid 2.7 configuration with the same anonymity directives:
http_port 3128
# only the gateway should reach this port: allow the 10.10.10.0/24 tunnel in http_access (or bind
# http_port to 10.10.10.250) and deny everything else, otherwise the VPS becomes an open proxy
# anonymity on the network
header_access From deny all
header_access Server deny all
header_access User-Agent deny all
header_access WWW-Authenticate deny all
header_access Link deny all
header_access X-Forwarded-For deny all
header_access Via deny all
header_access Cache-Control deny all
forwarded_for off
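As an added example (not code from the original post), here is a check a defender can run on the headers as they arrive at an origin server that echoes them back, verifying that the header list both Squid configurations above deny really is gone and that no LAN address leaks out; the two sample requests are constructed.

```python
import ipaddress
import re

# The request headers both Squid 2.7 configurations on this page remove with "header_access ... deny all".
DENIED_HEADERS = {
    "from", "server", "user-agent", "www-authenticate", "link",
    "x-forwarded-for", "via", "cache-control",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_headers(raw_request):
    """Return the header block of a raw HTTP/1.x request as {lowercased name: value}."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if not line:                             # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def find_leaks(raw_request):
    """Report what an origin server could learn from a request that passed through the proxy chain.

    denied_present: headers the Squid rules should have dropped but that still arrived
    private_ips:    RFC 1918 addresses in any header value, i.e. LAN client addresses leaking out
    """
    headers = parse_headers(raw_request)
    private_ips = set()
    for value in headers.values():
        for candidate in IPV4_RE.findall(value):
            try:
                if ipaddress.ip_address(candidate).is_private:
                    private_ips.add(candidate)
            except ValueError:       # e.g. "999.1.1.1" matches the regex but is not an address
                pass
    return {
        "denied_present": sorted(h for h in headers if h in DENIED_HEADERS),
        "private_ips": sorted(private_ips),
    }


# Constructed sample: what the origin sees when the local Squid forwards without the deny rules.
LEAKY_REQUEST = (
    "GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n"
    "X-Forwarded-For: 192.168.1.20\r\nVia: 1.1 proxy-server (squid/2.7.STABLE9)\r\n\r\n"
)
# Constructed sample: the same request after both Squid instances apply the deny rules and forwarded_for off.
CLEAN_REQUEST = "GET / HTTP/1.1\r\nHost: example.com\r\nAccept: */*\r\n\r\n"
```

Feed it the request as captured at a header-echo service you control; any entry in `denied_present` means one of the two Squid instances is not applying the deny rules.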
Backup access to servers (HTTP, HTTPs) from the outside
Internet ---> VPS (PF) --vpn + stunnel -> Internet gateway (PF) ---> local server (HTTP, HTTPs)
PF Firewall on VPS
Add a redirect to the PF firewall on the VPS:
ext_if="external interface"
rdr on $ext_if proto tcp from any to $ext_if port 80 -> 127.0.0.1 port 8180
rdr on $ext_if proto tcp from any to $ext_if port 443 -> 127.0.0.1 port 4443
This redirects traffic destined for the web server behind the Internet gateway to loopback ports 8180 and 4443, on which Stunnel listens.
Stunnel tunnel
It would, of course, have been possible to do without Stunnel by simply adding a static route and PF port forwarding to the local server, but I decided to experiment. Here Stunnel proxies the external traffic to the local web server (192.168.XXX.YYY). The Stunnel configuration on the VPS and on the Internet gateway:
# stunnel.conf on the VPS (client side: wraps the redirected plain TCP in TLS towards the gateway over the VPN)
pid = /var/run/stunnel.pid
debug = 4
output = /var/log/stunnel.log
cert = /usr/local/etc/stunnel/stunnel.cert
key = /usr/local/etc/stunnel/stunnel.key
# SSLv3 has long been broken (POODLE); current stunnel releases should be set to TLS 1.2 or later
sslVersion = SSLv3
options = DONT_INSERT_EMPTY_FRAGMENTS
ciphers = AES256-SHA
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = rle
[http]
client = yes
accept = 8180
connect = 10.10.10.1:8180
TIMEOUTclose = 0
[https]
client = yes
accept = 4443
connect = 10.10.10.1:4443
TIMEOUTclose = 0
# stunnel.conf on the Internet gateway (server side: terminates the TLS from the VPS and passes plain TCP to the LAN server)
pid = /var/run/stunnel.pid
debug = 4
output = /var/log/stunnel.log
cert = /usr/local/etc/stunnel/stunnel.cert
key = /usr/local/etc/stunnel/stunnel.key
# must match the VPS side; see the same caveat about SSLv3 being broken
sslVersion = SSLv3
options = DONT_INSERT_EMPTY_FRAGMENTS
ciphers = AES256-SHA
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = rle
[http]
# bind to the tunnel address (accept = 10.10.10.1:8180) if these ports must not be reachable on other interfaces
accept = 8180
connect = 192.168.XXX.YYY:80
TIMEOUTclose = 0
[https]
accept = 4443
connect = 192.168.XXX.YYY:443
TIMEOUTclose = 0
This way you can provide backup access to the service through an additional public IP. For example, the domain example.com can be mapped in DNS to the primary external IP, and the subdomain www.example.com (often an alias for the primary) to the IP of the remote VPS.